1.为什么侦察是 漏洞挖掘挣钱的关键？

链接： https://twitter.com/osiryszzz/status/1378540350281687044

步骤：

1 – the sqlis were damn easy to identify – discovering the resources affected, not so much. lots of recon (gau, google dorking, spidering, url guessing) on target. discovered a number of web services, however no vulns

SQL注入非常容易识别，发现受影响的资源不容易。大量的侦察(gau,google daring, spidering ， url guessing ) ，发现一些网络服务，但是不会有漏洞。

2 – kept URL guessing and found a zip file containing web.config – several creds leaked – more interesting was the URLs disclosed in there as they point to asmx web services – turns out 90% of these are on sites out of scope

继续进行网址猜测，发现了一个包含web.config的zip文件。有几个信息泄露，包括了指向asmx的网络服务。但是多数不在测试范围内。

3 – the paths of these web services were somehow similar to other folders and couple web services that existed on the main target, so I created several dictionaries to be used in an attack with permutations to see if the site had these endpoints just in different folders

发现web服务的路径在某种程序上与其他的文件夹类似，并存在于主目标的几个web服务上。所以我创建了一个字典用于攻击，看看是否存在不同的文件夹的端点。

4.- dict1 known folders on target. dict2, dict3 both had paths extracted from the urls in web.config, with some permutations based on names similarities I inferred; dict4 endpoints from web.config. ran ffuf cluster-bomb style out of 35k possibilities, found 10+

测试了3个文件夹的，从web.config中的url提取路径，还有一些推断的相似的排列，从35000中可能性中使用ffuf找到了10+以上。

5.- 10+ web services that supposedly were on OOS sites, however available in different locations on target in scope. each web service had many endpoints (some even 30-40). moral of the story, these had more holes than swiss cheese. that’s were all sqlis were

在10个以上的web服务中，有OOS网站，但是不在可接受范围内。每一个web服务有很多的端点，意味着漏洞比较多。

6 – TLDR; would i have reported the web.config finding immediately, other people would have seen the URLs and perhaps locate these web services on the target; i didn’t report it and worked until i found their location and reported as many sqlis as i could.

我立即报告了web.config查找的结果，其他人可能看到了url，并在目标上定位这些web服务。我主要是想找到竟可能多的SQL注入。

7 – my take away and tip for the reader: don’t report a bug as soon as you find it, especially if it shows that it can be used to further own a target. keep the intel for yourself and hack. if after a while it doesn’t lead to anything, report the bug and move on.

给读者的建议，一旦发现了bug，不要马上报告。特别是有可能有收获的时候，把情报留给自己。如果没有进展，过一段时间再报告。

2.I Built a TV That Plays All of Your Private YouTube Videos

链接： https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/

3.Breaking GitHub Private Pages for $35k

链接： https://robertchen.cc/blog/2021/04/03/github-pages-xss

4.BugBountyTip

链接： https://twitter.com/intigriti/status/1379044920074375175

1.推特的缩放图功能的问题

链接： https://twitter.com/David3141593/status/1368957384471810048

推特的缩放图测试，确实可以利用这个东西来隐藏一些东西。不知道微博有没有这种问题。还没有去测试。

2.复现漏洞-Google的SSRF 旁路

链接： http://omespino.com/write-up-google-vrp-n-a-ssrf-bypass-with-quadzero-in-google-cloud-monitoring/

每日复现一个漏洞的内容会专门发文章

3.一个GraphQL漏洞的报告

链接：https://infosecwriteups.com/somebody-call-the-plumber-graphql-is-leaking-again-654bf1a38d26

4.Github的README项目： 如何管理一个开源项目的安全

链接： https://github.com/readme/octoverse-security

5.Git clone的漏洞

Git clone vulnerability announced

6.发现悬空DNS记录漏洞

链接： https://gist.github.com/TheBinitGhimire/9ebcd27086a11df1d7ec925e5f604e03

主要是自动化了整个步骤

1.依赖关系混淆攻击

链接： https://redhuntlabs.com/blog/dependency-confusion-attack-what-why-and-how.html

比较有感想，比如 opencv-python 导入的时候 是import cv2 但是很多人会直接pip install cv2 这给了一些人攻击的机会

供应链攻击：https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

2.QuickXSS 新工具

链接： https://github.com/theinfosecguy/QuickXSS

看了一下是一个bash脚本，安装了一些库，然后生成payload

3.目标侦查的一些资源

https://github.com/ffuf/ffuf​

https://hackingpassion.com/shodan-com…​

https://github.com/tomnomnom​

https://github.com/projectdiscovery​

https://github.com/michenriksen/aquatone​

https://pentest-tools.com/information…​

https://github.com/jobertabma/virtual…​

https://github.com/EnableSecurity/waf…​

https://github.com/danielmiessler/Sec…​

https://github.com/yasinS/sandcastle​

https://digi.ninja/projects/bucket_fi…​

https://youtu.be/1Kg0_53ZEq8

4.API安全测试的一些资料

简单看了一下，发现都是例子，非常好。

5.接管微软账号的那个文章

How I Might Have Hacked Any Microsoft Account

这篇文章，我在不同的地方看到了几次，5万美元其实不算多。

加密的请求被破解之后，内部的WAF 也是有限制的，看看作者怎么突破限制。

所以需要的是请求的代码必须是同时到达，才不会被WAF封IP，那作者是怎么做的呢

作者攻击的只是凭用户名和密码登录的，二次验证开启的用户是不能完成的。作者用了大量的计算资源和1000个IP才完成了攻击。

其实大多数都会去测试用户名和密码，但是要找到绕过系统的一些限制确实还是很难。

6.查找隐藏登录表达的客户端id

链接：https://ahmdhalabi.medium.com/finding-hidden-login-endpoint-exposing-secret-client-id-88c3c2a1af45

作者开始无意发现了一个登陆表单，但是提示没有clientID，然后作者就直接在google搜索，找到了这种clientID，直接就登陆了。

Dorking:site:accounts.redacted.com inurl:client_id.

作者还从和内部团队的沟通中，发现了存在这个值，才去google搜索出来的，直接把严重程度往上提了一个档次。

今日重点：

1.Finding Your Next Bug: GraphQL

漏洞挖掘资料

1.浅谈攻防演练中的信息收集

https://xz.aliyun.com/t/8578

2.渗透测试之Docker逃逸

https://xz.aliyun.com/t/8558

3.从webpack开始发现的漏洞大礼包

https://xz.aliyun.com/t/8547

漏洞报告学习

1.Hacking 1Password | Episode 4 – Two Simple Bugs that Worth $3,300

2.Finding Your Next Bug: GraphQL

Rust安全

1.Rust写的Fuzzer

https://github.com/SunHao-0/healer

今日重点：子域名劫持与自动化扫描

hackerone漏洞列表：

https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPSUBDOMAINTAKEOVER.md

漏洞原理

1.web 安全系列-15-subdomain takeover 子域劫持

https://houbb.github.io/2020/08/09/web-safe-15-subdomain-takeover

2.深入解析子域名接管（Subdomain Takeover）漏洞

https://www.secpulse.com/archives/94973.html

3.HackerOne | 子域名劫持漏洞的挖掘指南

https://www.freebuf.com/articles/web/183254.html

4.技术分析 | 我们来“劫持”个GitHub自定义域名玩吧！

https://www.freebuf.com/articles/web/171952.html

5.Domain takeover

https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover

6.A GUIDE TO SUBDOMAIN TAKEOVERS

https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

7.Subdomain takeovers

https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers

8.How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes

https://medium.com/@hakluke/how-to-setup-an-automated-sub-domain-takeover-scanner-for-all-bug-bounty-programs-in-5-minutes-3562eb621db3

漏洞分析

1.挖洞经验 | 通过域名劫持实现Azure DevOps账户劫持

https://www.freebuf.com/articles/web/242727.html

2.挖洞经验 | 看我如何通过子域名接管绕过Uber单点登录认证机制

https://www.freebuf.com/news/141630.html

3.挖洞经验 | 看我如何在前期踩点过程中发现价值$4500的漏洞

https://www.freebuf.com/articles/network/171219.html

4.挖洞经验 | 看我如何在短时间内对Shopify五万多个子域名进行劫持

https://www.freebuf.com/articles/web/186411.html

5.Exploiting Subdomain Takeover on S3

https://gupta-bless.medium.com/exploiting-subdomain-takeover-on-s3-6115730d01d7

自动化工具

1.Osmedeus

https://github.com/j3ssie/Osmedeus

2.OneForAll

https://github.com/shmilylty/OneForAll

3.second-order

https://github.com/mhmdiaa/second-order

4.SubOver

https://github.com/Ice3man543/SubOver

5.more

https://github.com/search?q=Subdomain+Takeover&type=

视频教程

1.Live Stream Subdomain Takeovers for Bug Bounties

2.Subdomain Takeover Step by Step | Bug Bounty 2020

重点：开发自动化工具

开发进度： https://pxiaoer.blog/2020/12/01/subdomain-takeover/

今日重点：

1.Recox-用于Web侦察的主脚本

https://hakin9.org/recox-master-script-for-web-reconnaissance/

漏洞学习资源

1.ida ticks 教学视频

https://www.reverse-engineer.net/ida-pro

2.security-notes

https://github.com/jaybosamiya/security-notes

3.ProjectDiscovery Reel

漏洞报告学习

1.Absence of Token expiry leads to Unauthorized login Access

https://hackerone.com/reports/766578

今日重点：

1.Bheem 侦察平台，聚合了很多的工具

https://github.com/harsh-bothra/Bheem

漏洞挖掘资源

1.bug-bounty-dorks

https://github.com/sushiwushi/bug-bounty-dorks

2.dirsearch

https://github.com/maurosoria/dirsearch

3.gin – a Git index file parser

https://github.com/sbp/gin

4.KingOfBugBountyTips

https://github.com/KingOfBugbounty/KingOfBugBountyTips

漏洞报告学习

1.The YouTube bug that allowed unlisted uploads to any channel

https://medium.com/bugbountywriteup/the-youtube-bug-that-allowed-uploads-to-any-channel-3b41c7b7902a

2.Subdomain Takeovers, beyond the basics for Pentesters and Bug Bounty Hunters

3.Account Takeover(ATO) and Email verification bypass in 2mins

https://medium.com/@karthiksoft007/account-takeover-ato-and-email-verification-bypass-in-2mins-5a6c8cb692a7

4.Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata

https://hackerone.com/reports/530974

5.Bcrypt — Account TakeOver Due To Weak Encryption — #HR51KDB

https://medium.com/bugbountywriteup/bcrypt-account-takeover-due-to-weak-encryption-hr51kdb-4418f6e65907

今日重点：

1.侦查工具 3klCon

https://github.com/eslam3kl/3klCon

漏洞挖掘资源

1.Bug Hunting Tactics

https://speakerdeck.com/harshbothra/bug-hunting-tactics

2.Bounty Thursdays – Wordlists for content discovery and API bugs!

3.Beginner’s Guide to CTFs

https://medium.com/bugbountywriteup/beginners-guide-to-ctfs-c934a0d7f5f9

漏洞报告学习

1.My bug bounty journey. The middle-class boy who wanted everything for free.

https://vivekps143.medium.com/my-bug-bounty-journey-the-mind-of-a-middle-class-boy-who-wanted-everything-for-free-1456e160817c

重点：用Rust开发Fuzzing tools

Github: https://github.com/pxiaoer/rfuss2

文章：

1.Build simple fuzzer – part 1

https://carstein.github.io/2020/04/18/writing-simple-fuzzer-1.html

2.Build simple fuzzer – part 2

https://carstein.github.io/2020/04/25/writing-simple-fuzzer-2.html

3.Build simple fuzzer – part 3

https://carstein.github.io/2020/05/02/writing-simple-fuzzer-3.html

4.Build simple fuzzer – part 4

https://carstein.github.io/2020/05/21/writing-simple-fuzzer-4.html