Wildcard bypass & LFI 1. Intercepted a POST req that pointed to a local file "/usr/local/redacted/filename" 2. tried "/etc/passwd" -> bad request 3. "/user/local/../../etc/passwd" -> bad request 4. "/user/local/redacted/../../../etc/passwd" -> OK 5. LFI & bounty
Yay, I was awarded a $5,000 bounty [email protected] ! https://hackerone.com/patrik #TogetherWeHitHarder Thank you so [email protected] for the amazing bypass :] /..;/..;/ can only recommend following her :) Vogel #dreamworkmakestheteamwork
#BugBountyTip - If you find a LFI ignore /etc/passwd and go for /var/run/secrets/kubernetes.io/serviceaccount this will raise the severity when you hand them a kubernetes token or cert.
#BugBountyTip time: I've got a RCE by using this tip: while testing for malicious file uploads, if .php extension is blacklisted you can try .PhP , .php5 and .php3 Sometime this fools the backend and you get shell! RTs & comments are appreciated. Follow #bugbountytips #pentest
Browser-Based application LFI file:///etc/passwd blacklisted? Use "view-source:file:///etc/passwd" "view-source" is often forgotten by developers in blacklists. #BugBounty #BugBountyTip #BugBountyTips
If a web application allow you to upload a .zip file, zip:// is an interesting PHP wrapper to turn a LFI into a RCE.