Book of BugBounty Tips

Local / Remote File Inclusion


Last updated 4 years ago

If a web application allows you to upload a .zip file, zip:// is an interesting PHP wrapper to turn an LFI into an RCE.

Wildcard bypass & LFI
1. Intercepted a POST req that pointed to a local file "/usr/local/redacted/filename"
2. Tried "/etc/passwd" -> bad request
3. "/user/local/../../etc/passwd" -> bad request
4. "/user/local/redacted/../../../etc/passwd" -> OK
5. LFI & bounty
Yay, I was awarded a $5,000 bounty on @Hacker0x01! https://hackerone.com/patrik #TogetherWeHitHarder Thank you so much @umr4n6 for the amazing bypass :] /..;/..;/ Can only recommend following her :) Vogel #dreamworkmakestheteamwork
#BugBountyTip - If you find an LFI, ignore /etc/passwd and go for /var/run/secrets/kubernetes.io/serviceaccount. This will raise the severity when you hand them a Kubernetes token or cert.
#BugBountyTip time: I've got an RCE by using this tip: while testing for malicious file uploads, if the .php extension is blacklisted you can try .PhP, .php5 and .php3. Sometimes this fools the backend and you get a shell! RTs & comments are appreciated. Follow #bugbountytips #pentest
Browser-based application LFI: file:///etc/passwd blacklisted? Use "view-source:file:///etc/passwd". "view-source" is often forgotten by developers in blacklists. #BugBounty #BugBountyTip #BugBountyTips
https://twitter.com/j1t35h/status/1292406847496888320?s=20
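The traversal bypass in the "Wildcard bypass & LFI" tip and the .PhP/.php5/.php3 upload tip above both defeat checks that look at the raw string instead of what it resolves to. The following is an added example, not code from the book or from any of the quoted hunters: it contrasts the prefix check those tips imply with a normalise-then-contain check, and replaces an extension blacklist with a case-insensitive allowlist. The base directory /usr/local/redacted is taken from step 1 of the tip (steps 3 and 4 spell it /user; /usr is assumed here), and the allowed extensions are a constructed sample.

```python
import os
import posixpath
from typing import Optional

# Base directory from the tip: the POST request referenced /usr/local/redacted/filename
# and the server accepted /usr/local/redacted/../../../etc/passwd.
BASE_DIR = "/usr/local/redacted"


def naive_is_allowed(path: str) -> bool:
    """The weak check the tip implies: accept any path that begins with the
    expected directory. The '..' segments after the prefix are never examined."""
    return path.startswith(BASE_DIR + "/")


def safe_resolve(path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened check: collapse '.' and '..' segments lexically first, then require
    the result to still sit inside base_dir. Returns the normalised path, or None
    when the request would escape the directory. POSIX paths only; on a real
    filesystem follow up with os.path.realpath() so symlinks cannot escape either."""
    norm = posixpath.normpath(path)
    if norm == base_dir or norm.startswith(base_dir + "/"):
        return norm
    return None


# Constructed allowlist for the upload tip: a blacklist of ".php" misses .PhP,
# .php5 and .php3, so list what the app actually serves and compare case-insensitively.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def is_safe_upload_name(filename: str) -> bool:
    """Accept only a bare file name (no path separators, not dot-prefixed) whose
    final extension, lower-cased, is in the allowlist. Store uploads under a
    server-generated name outside any script-executing directory as well."""
    if not filename or "/" in filename or "\\" in filename or filename.startswith("."):
        return False
    _, ext = os.path.splitext(filename)
    return ext.lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for p in ["/usr/local/redacted/filename", "/etc/passwd",
              "/usr/local/../../etc/passwd", "/usr/local/redacted/../../../etc/passwd"]:
        print(f"{p:48} naive={naive_is_allowed(p)!s:5} safe={safe_resolve(p)}")
    for n in ["shell.PhP", "shell.php5", "shell.php3", "photo.JPG", "../photo.jpg"]:
        print(f"{n:20} allowed={is_safe_upload_name(n)}")
```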