Hints
Below are Twitter handles
@D0rkerDevil
Webarchive > internet.domain.com > dirsearch > found .git/index file used gin to read the index file
opened > full of credentials, access to their MySQL database
connect using:
@Sh_O_A1b
Might find hidden misconfigured S3 Buckets, if have write permissions, you can takeover the bucket and report as High/P2
Twitter - PhpMyAdmin Account Takeover
1. Found a Wordpress Website with Search Parameter
2. Got an easy XSS on the same parameter
3. While looking to make more impact with the XSS, the application crashed unexpectedly.
4. Error message revealed the "Database Connection String", revealing the DB name, username, password, etc.
5. Did some more research; directory brute force got me the "phpmyadmin" directory in /c/soft/phpmyadmin.
6. Used the credentials revealed from the "Connection String" and logged in successfully.
Takeaway
If you get XSS on Wordpress, try some random other payloads.
Application's logic may break and reveal internal information.
Recon, Recon & Recon to see the use of the information
@Wh11teW0lf
“Jenkinsfile” can give you passwords from a Jenkins instance. Add this to your wordlist:
anydomain.com:8080/Jenkinsfile
@PortSwiggerRes
Firefox is the only browser which allows self closing script.
@HusseiN98D
XXE by injected METADATA in image bytes → Blind SSRF via local DTD → grabbed AWS EC2 credentials blindly → Pwned
@GochaOkradze
Bypass F5-Big WAF with XSS payload
Interesting: %5k is converted to the “P” character
Payload
@Enesdex
Easy Automation XSS Tip
@rez0__
Use ffuf for vhosting on every new domain to find hidden servers/admin panels:
Pro-tip: do both “Host: FUZZ” and “Host: FULL.target.com”
@pwntheweb
Fuzzing list to FIND SSRF
@faizalabroni
Just found and triaged a private program for bypass of HTTP auth. Change method from GET to POST
@hussein98d
Testing Password Reset Functionalities:
1) Include your mail as a second parameter (you might receive the reset link):
2) Brute force the reset token if it is numeric. You can use IP Rotator on Burp Suite to bypass rate limiting in case it's IP based:
3) Try to use reset token on target's account:
4) Host header injection : change website.com to hacker.com (victim might receive the reset link with your host instead of the original website's)
5) Try to figure out how the tokens are generated. Example can be:
-Generate based on TimeStamp
-Generate based on the ID of the user
-Generate based on the email of the user
@xlocux
1- Completely remove the token
2- change it to 000000000000
3- use null/nil value
4- try expired token
5- try an array of old tokens
6- look for race conditions
7- change 1 char at the begin/end to see if the token is evaluated
8- use unicode char jutsu to spoof email address
9- try victim@email.com&attacker@email.com, use %20 or | as separators
10- try to register the same mail with different tld .eu.net,etc
11- don't add the domain locu@
12- try sqli bypass and wildcard or, %, *
13- request smuggler
14- change request method (get,put,post,etc) and/or content type (xml<>json)
15- match bad response and replace with good one
16- use super long string
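A defender-side counterpart to the two reset-token checklists above (@hussein98d's and @xlocux's), added here as an example and not taken from either tweet: a reset-token store that rejects removed, tampered, expired, replayed and cross-account tokens, and whose tokens are not derived from timestamps, user IDs or emails. Class and function names are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the quoted tweets: a password-reset token store that
# holds up against the checklist items above. Names are assumptions.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self):
        # sha256(token) -> (user_id, expires_at). The raw token is never stored,
        # so a database leak does not hand out usable reset links.
        self._tokens = {}

    def issue(self, user_id: int, now: float) -> str:
        # Random, not derived from timestamp, user id or email, so it cannot be
        # guessed; 32 bytes of entropy rules out numeric brute force.
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: int, token, now: float) -> bool:
        """Consume the token and return True only if it is a non-empty string,
        unexpired, unused, and bound to the user whose password is being reset."""
        if not isinstance(token, str) or not token:
            return False  # removed, empty, null or array-valued token parameter
        wanted = _digest(token)
        for stored, (owner, expires_at) in list(self._tokens.items()):
            # Constant-time comparison of digests: a one-character change
            # anywhere in the token is rejected without a timing side channel.
            if not hmac.compare_digest(stored, wanted):
                continue
            if now > expires_at:
                del self._tokens[stored]  # expired tokens are purged, not honoured
                return False
            if owner != user_id:
                return False  # a token issued for another account is useless here
            del self._tokens[stored]  # single use: a replayed token fails
            return True
        return False
```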
@akita_zen
with CRLF: /resetPassword?0a%0dHost:atracker.tld (x-host, true-client-ip, x-forwarded...)
@11xuxx credit to @joohoi
Using ffuf the right way and gaining admin access
1. "ffuf -u ... --mc all" -> match all response codes
2. ctrl+c after 5 sec
3. "ffuf -u ... --mc all -fw ..."
4. found a backdoor the developer used to log in as admin (response code 404)
@z33_5h4n
Filter bypass
@rodoassis
Bootstrap payload bypassing WAF filters
@Random_Robbie
Got an SSRF inside a company ASN?
No cloud metadata endpoint to hit?
Don't forget to scan for internal hosts and try sqlmap
sqlmap via SSRF!
@RockyBandana
Arbitrary file read