Bipin Jitiya win3zz
win3zz / Writeup.md
Created February 15, 2026 05:16
Google Cloud Shell Takeover: 3 Auto Execution Bugs

A few weeks ago, I came across an interesting security vulnerability inside Google Cloud Shell. While analyzing how Cloud Shell Editor (Code OSS) loads projects, I observed that simply opening a specially crafted project in the editor triggers silent, automatic code execution. The user doesn't need to type any commands or run any tasks manually; opening the project is enough for the payload to execute.

The root cause is that many components and processes run inside the Cloud Shell Editor during workspace load. Tools like the Gradle language server, the Clang language server, and the VS Code tasks system evaluate configuration files or build scripts as soon as the folder is opened. That is unremarkable in a normal development workflow, but it breaks a very basic assumption we all rely on: cloning a repo or opening a project in an editor should never execute a command without user action.

I understood this behavior, the attack scenario was

win3zz / README.md
Created January 31, 2026 15:30
WTF Programming Quirks Master Sheet

Weird, surprising, sometimes scary language/parser/compiler quirks across major programming languages.

1. Unicode Escape Shenanigans

| Language | Example | What Happens | Impact |
|---|---|---|---|
| Java | `// \u000d System.out.println("exec");` | Unicode escapes are processed before comment parsing → newline injected → code runs | Comment bypass, hidden payload |
| JS/TS | `var a\uFF0Eb = 1;` | Fullwidth dot makes the variable look like `a.b` | Identifier spoofing |
| Python | ` print("x")` (EN QUAD) | Invisible indentation → syntax changes | Hidden code flow |
| Go/Rust | `var рassword` (Cyrillic р) | Identifiers look identi | |

Logout Endpoint Redirection Fuzz List

Many applications use inconsistent or custom parameter names to handle post-logout redirection, and this is where open redirect, forced navigation, and privilege-related issues often hide. Whenever you encounter a /logout, /signout, /endSession, or similar endpoint — fuzz it with this list.

Burp Intruder / Turbo Intruder

/logout?§PARAM§=https://attacker.com
win3zz / README.md
Last active December 31, 2025 04:39
Google Colab: Cloud-Based Python Execution

Google Colab (short for Colaboratory) is a powerful, browser-based platform that allows you to write and execute Python code with zero configuration.

At its core, Colab operates through Notebooks, where you can run code cells independently. Gain free access to powerful GPUs (like the T4) and TPUs, making it ideal for training heavy deep learning models. Read more at https://research.google.com/colaboratory/faq.html

How to Access

  1. Web: Visit https://colab.research.google.com/ and sign in with your Google account.
  2. Google Drive: Right-click in any folder, select More, and choose Google Colaboratory to create a new notebook.

ReconX – Full-Scope External Attack Surface Mapping Framework

ReconX is an end-to-end automated external security assessment framework designed for professional penetration testers, bug bounty hunters, and enterprise red teams. It performs deep recon, enumeration, vulnerability scanning, OSINT, exposure discovery, and reporting across multiple targets at scale.

🚀 Key Features

🔹 Asset Discovery

  • Automated subdomain enumeration
win3zz / README.md
Last active December 24, 2025 15:27
Next.js RSC Server Function Source Code Disclosure (CVE-2025-55183)

CVE-2025-55183 - Proof of Concept (PoC)

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Steps to Reproduce

1. Obtain Action IDs

win3zz / gcp_meta_enum.py
Created November 18, 2025 04:54
Recursive GCP Metadata Dumper
#!/usr/bin/env python3
import urllib.request
import urllib.error
import socket

# GCE metadata server root (link-local name, only resolvable from inside a GCP VM / Cloud Shell)
BASE_URL = "http://metadata.google.internal/computeMetadata/v1"
# Mandatory header: the metadata server rejects requests that lack it (a basic SSRF guard)
HEADER = {"Metadata-Flavor": "Google"}
# Local file the recursive dump is written to
OUTPUT = "gcp_metadata_dump.txt"
# ---- HTTP Helper -----------------------------------------------------------
win3zz / cos_audit.sh
Created October 16, 2025 19:32
Container-Optimized OS (COS) guest audit script
#!/usr/bin/env bash
# cos_audit.sh
# Container-Optimized OS (COS) guest audit script (read-only)
# Produces a PASS / FAIL / INFO style report for many guest-side hardening checks.
#
# Usage:
# sudo ./cos_audit.sh | tee cos_audit_$(date +%F_%T).log
#
# Author: Generated by ChatGPT for Bipin Jitiya (auditor)
set -u
win3zz / container_recon.sh
Created October 12, 2025 06:08
Container Recon
#!/usr/bin/env bash
# container_recon.sh
# A safe, non-destructive container reconnaissance script for advanced users.
# Purpose: gather capability, namespace, cgroup, mount, device, network and quick secrets hints.
# Usage: ./container_recon.sh [-o /path/to/output] [-d] [-v]
# -o OUTPUT : write report to OUTPUT (default: /tmp/container_recon_<ts>.txt)
# -d : deep scan mode (may take longer and search deeper for writable dirs and secrets)
# -v : verbose (prints progress markers to stderr)
# -h : help
win3zz / CVE-2025-9523.md
Created August 27, 2025 13:15
CVE-2025-9523 - Stack-Based Buffer Overflow in Tenda Wi-Fi 5 Router AC1206

  • Discovered by: xxricardoxkk (xxricardoxkk@gmail.com)
  • Vendor: Shenzhen Jixiang Tenda Technology Co., Ltd.
  • Affected Version: AC1206V1.0RTL_V15.03.06.23
  • Severity: High (unauthenticated DoS, potential RCE risk).

Summary