Local / Remote File Inclusion

​
​Wildcard bypass & LFI 1. Intercepted a POST req that pointed to a local file "/usr/local/redacted/filename" 2. tried "/etc/passwd" -> bad request 3. "/user/local/../../etc/passwd" -> bad request 4. "/user/local/redacted/../../../etc/passwd" -> OK 5. LFI & bounty​
​Yay, I was awarded a $5,000 bounty [email protected] ! https://hackerone.com/patrik #TogetherWeHitHarder Thank you so [email protected] for the amazing bypass :] /..;/..;/ can only recommend following her :) Vogel #dreamworkmakestheteamwork​
​#BugBountyTip - If you find a LFI ignore /etc/passwd and go for /var/run/secrets/kubernetes.io/serviceaccount this will raise the severity when you hand them a kubernetes token or cert.​
​#BugBountyTip time: I've got a RCE by using this tip: while testing for malicious file uploads, if .php extension is blacklisted you can try .PhP , .php5 and .php3 Sometime this fools the backend and you get shell! RTs & comments are appreciated. Follow #bugbountytips #pentest​
​Browser-Based application LFI file:///etc/passwd blacklisted? Use "view-source:file:///etc/passwd" "view-source" is often forgotten by developers in blacklists. #BugBounty #BugBountyTip #BugBountyTips​
​
If a web application allow you to upload a .zip file, zip:// is an interesting PHP wrapper to turn a LFI into a RCE.
https://twitter.com/j1t35h/status/1292406847496888320?s=20
XXE
Authentication / Authorization
Last modified 2yr ago