Day048

1.为什么侦察是 漏洞挖掘挣钱的关键?

链接: https://twitter.com/osiryszzz/status/1378540350281687044

步骤:

1 – the sqlis were damn easy to identify – discovering the resources affected, not so much. lots of recon (gau, google dorking, spidering, url guessing) on target. discovered a number of web services, however no vulns

SQL注入非常容易识别,发现受影响的资源不容易。大量的侦察(gau,google daring, spidering , url guessing ) ,发现一些网络服务,但是不会有漏洞。

2 – kept URL guessing and found a zip file containing web.config – several creds leaked – more interesting was the URLs disclosed in there as they point to asmx web services – turns out 90% of these are on sites out of scope

继续进行网址猜测,发现了一个包含web.config的zip文件。有几个信息泄露,包括了指向asmx的网络服务。但是多数不在测试范围内。

3 – the paths of these web services were somehow similar to other folders and couple web services that existed on the main target, so I created several dictionaries to be used in an attack with permutations to see if the site had these endpoints just in different folders

发现web服务的路径在某种程序上与其他的文件夹类似,并存在于主目标的几个web服务上。所以我创建了一个字典用于攻击,看看是否存在不同的文件夹的端点。

4.- dict1 known folders on target. dict2, dict3 both had paths extracted from the urls in web.config, with some permutations based on names similarities I inferred; dict4 endpoints from web.config. ran ffuf cluster-bomb style out of 35k possibilities, found 10+

测试了3个文件夹的,从web.config中的url提取路径,还有一些推断的相似的排列,从35000中可能性中使用ffuf找到了10+以上。

5.- 10+ web services that supposedly were on OOS sites, however available in different locations on target in scope. each web service had many endpoints (some even 30-40). moral of the story, these had more holes than swiss cheese. that’s were all sqlis were

在10个以上的web服务中,有OOS网站,但是不在可接受范围内。每一个web服务有很多的端点,意味着漏洞比较多。

6 – TLDR; would i have reported the web.config finding immediately, other people would have seen the URLs and perhaps locate these web services on the target; i didn’t report it and worked until i found their location and reported as many sqlis as i could.

我立即报告了web.config查找的结果,其他人可能看到了url,并在目标上定位这些web服务。我主要是想找到竟可能多的SQL注入。

7 – my take away and tip for the reader: don’t report a bug as soon as you find it, especially if it shows that it can be used to further own a target. keep the intel for yourself and hack. if after a while it doesn’t lead to anything, report the bug and move on.

给读者的建议,一旦发现了bug,不要马上报告。特别是有可能有收获的时候,把情报留给自己。如果没有进展,过一段时间再报告。

2.I Built a TV That Plays All of Your Private YouTube Videos

链接: https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/

3.Breaking GitHub Private Pages for $35k

链接: https://robertchen.cc/blog/2021/04/03/github-pages-xss

4.BugBountyTip

链接: https://twitter.com/intigriti/status/1379044920074375175

发表评论

Fill in your details below or click an icon to log in:

WordPress.com 徽标

您正在使用您的 WordPress.com 账号评论。 注销 /  更改 )

Google photo

您正在使用您的 Google 账号评论。 注销 /  更改 )

Twitter picture

您正在使用您的 Twitter 账号评论。 注销 /  更改 )

Facebook photo

您正在使用您的 Facebook 账号评论。 注销 /  更改 )

Connecting to %s