Local / Remote File Inclusion

• Wildcard bypass & LFI 1. Intercepted a POST req that pointed to a local file "/usr/local/redacted/filename" 2. tried "/etc/passwd" -> bad request 3. "/user/local/../../etc/passwd" -> bad request 4. "/user/local/redacted/../../../etc/passwd" -> OK 5. LFI & bounty

• Yay, I was awarded a $5,000 bounty on@Hacker0x01 ! https://hackerone.com/patrik #TogetherWeHitHarder Thank you so much@umr4n6 for the amazing bypass :] /..;/..;/ can only recommend following her :) Vogel #dreamworkmakestheteamwork

• #BugBountyTip - If you find a LFI ignore /etc/passwd and go for /var/run/secrets/kubernetes.io/serviceaccount this will raise the severity when you hand them a kubernetes token or cert.

• #BugBountyTip time: I've got a RCE by using this tip: while testing for malicious file uploads, if .php extension is blacklisted you can try .PhP , .php5 and .php3 Sometime this fools the backend and you get shell! RTs & comments are appreciated. Follow #bugbountytips #pentest

• Browser-Based application LFI file:///etc/passwd blacklisted? Use "view-source:file:///etc/passwd" "view-source" is often forgotten by developers in blacklists. #BugBounty #BugBountyTip #BugBountyTips

If a web application allow you to upload a .zip file, zip:// is an interesting PHP wrapper to turn a LFI into a RCE.

https://twitter.com/j1t35h/status/1292406847496888320?s=20