Day048

1.为什么侦察是 漏洞挖掘挣钱的关键?

链接: https://twitter.com/osiryszzz/status/1378540350281687044

步骤:

1 – the sqlis were damn easy to identify – discovering the resources affected, not so much. lots of recon (gau, google dorking, spidering, url guessing) on target. discovered a number of web services, however no vulns

SQL注入非常容易识别,发现受影响的资源不容易。大量的侦察(gau,google daring, spidering , url guessing ) ,发现一些网络服务,但是不会有漏洞。

2 – kept URL guessing and found a zip file containing web.config – several creds leaked – more interesting was the URLs disclosed in there as they point to asmx web services – turns out 90% of these are on sites out of scope

继续进行网址猜测,发现了一个包含web.config的zip文件。有几个信息泄露,包括了指向asmx的网络服务。但是多数不在测试范围内。

3 – the paths of these web services were somehow similar to other folders and couple web services that existed on the main target, so I created several dictionaries to be used in an attack with permutations to see if the site had these endpoints just in different folders

发现web服务的路径在某种程序上与其他的文件夹类似,并存在于主目标的几个web服务上。所以我创建了一个字典用于攻击,看看是否存在不同的文件夹的端点。

4.- dict1 known folders on target. dict2, dict3 both had paths extracted from the urls in web.config, with some permutations based on names similarities I inferred; dict4 endpoints from web.config. ran ffuf cluster-bomb style out of 35k possibilities, found 10+

测试了3个文件夹的,从web.config中的url提取路径,还有一些推断的相似的排列,从35000中可能性中使用ffuf找到了10+以上。

5.- 10+ web services that supposedly were on OOS sites, however available in different locations on target in scope. each web service had many endpoints (some even 30-40). moral of the story, these had more holes than swiss cheese. that’s were all sqlis were

在10个以上的web服务中,有OOS网站,但是不在可接受范围内。每一个web服务有很多的端点,意味着漏洞比较多。

6 – TLDR; would i have reported the web.config finding immediately, other people would have seen the URLs and perhaps locate these web services on the target; i didn’t report it and worked until i found their location and reported as many sqlis as i could.

我立即报告了web.config查找的结果,其他人可能看到了url,并在目标上定位这些web服务。我主要是想找到竟可能多的SQL注入。

7 – my take away and tip for the reader: don’t report a bug as soon as you find it, especially if it shows that it can be used to further own a target. keep the intel for yourself and hack. if after a while it doesn’t lead to anything, report the bug and move on.

给读者的建议,一旦发现了bug,不要马上报告。特别是有可能有收获的时候,把情报留给自己。如果没有进展,过一段时间再报告。

2.I Built a TV That Plays All of Your Private YouTube Videos

链接: https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/

3.Breaking GitHub Private Pages for $35k

链接: https://robertchen.cc/blog/2021/04/03/github-pages-xss

4.BugBountyTip

链接: https://twitter.com/intigriti/status/1379044920074375175

Day047

1.推特的缩放图功能的问题

链接: https://twitter.com/David3141593/status/1368957384471810048

推特的缩放图测试,确实可以利用这个东西来隐藏一些东西。不知道微博有没有这种问题。还没有去测试。

2.复现漏洞-Google的SSRF 旁路

链接: http://omespino.com/write-up-google-vrp-n-a-ssrf-bypass-with-quadzero-in-google-cloud-monitoring/

每日复现一个漏洞的内容会专门发文章

3.一个GraphQL漏洞的报告

链接:https://infosecwriteups.com/somebody-call-the-plumber-graphql-is-leaking-again-654bf1a38d26

4.Github的README项目: 如何管理一个开源项目的安全

链接: https://github.com/readme/octoverse-security

5.Git clone的漏洞

6.发现悬空DNS记录漏洞

链接: https://gist.github.com/TheBinitGhimire/9ebcd27086a11df1d7ec925e5f604e03

主要是自动化了整个步骤

Day046

1.依赖关系混淆攻击

链接: https://redhuntlabs.com/blog/dependency-confusion-attack-what-why-and-how.html

比较有感想,比如 opencv-python 导入的时候 是import cv2 但是很多人会直接pip install cv2 这给了一些人攻击的机会

供应链攻击:https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

2.QuickXSS 新工具

链接: https://github.com/theinfosecguy/QuickXSS

看了一下是一个bash脚本,安装了一些库,然后生成payload

3.目标侦查的一些资源

https://github.com/ffuf/ffuf

https://hackingpassion.com/shodan-com…

https://github.com/tomnomnom

https://github.com/projectdiscovery

https://github.com/michenriksen/aquatone

https://pentest-tools.com/information…

https://github.com/jobertabma/virtual…

https://github.com/EnableSecurity/waf…

https://github.com/danielmiessler/Sec…

https://github.com/yasinS/sandcastle

https://digi.ninja/projects/bucket_fi…

https://youtu.be/1Kg0_53ZEq8

4.API安全测试的一些资料

简单看了一下,发现都是例子,非常好。

5.接管微软账号的那个文章

这篇文章,我在不同的地方看到了几次,5万美元其实不算多。

加密的请求被破解之后,内部的WAF 也是有限制的,看看作者怎么突破限制。

所以需要的是请求的代码必须是同时到达,才不会被WAF封IP,那作者是怎么做的呢

作者攻击的只是凭用户名和密码登录的,二次验证开启的用户是不能完成的。作者用了大量的计算资源和1000个IP才完成了攻击。

其实大多数都会去测试用户名和密码,但是要找到绕过系统的一些限制确实还是很难。

6.查找隐藏登录表达的客户端id

链接:https://ahmdhalabi.medium.com/finding-hidden-login-endpoint-exposing-secret-client-id-88c3c2a1af45

作者开始无意发现了一个登陆表单,但是提示没有clientID,然后作者就直接在google搜索,找到了这种clientID,直接就登陆了。

Dorking:site:accounts.redacted.com inurl:client_id.

作者还从和内部团队的沟通中,发现了存在这个值,才去google搜索出来的,直接把严重程度往上提了一个档次。

Day044

今日重点:子域名劫持与自动化扫描

hackerone漏洞列表:

https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPSUBDOMAINTAKEOVER.md

漏洞原理

1.web 安全系列-15-subdomain takeover 子域劫持

https://houbb.github.io/2020/08/09/web-safe-15-subdomain-takeover

2.深入解析子域名接管(Subdomain Takeover)漏洞

https://www.secpulse.com/archives/94973.html

3.HackerOne | 子域名劫持漏洞的挖掘指南

https://www.freebuf.com/articles/web/183254.html

4.技术分析 | 我们来“劫持”个GitHub自定义域名玩吧!

https://www.freebuf.com/articles/web/171952.html

5.Domain takeover

https://book.hacktricks.xyz/pentesting-web/domain-subdomain-takeover

6.A GUIDE TO SUBDOMAIN TAKEOVERS

https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

7.Subdomain takeovers

https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers

8.How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes

https://medium.com/@hakluke/how-to-setup-an-automated-sub-domain-takeover-scanner-for-all-bug-bounty-programs-in-5-minutes-3562eb621db3

漏洞分析

1.挖洞经验 | 通过域名劫持实现Azure DevOps账户劫持

https://www.freebuf.com/articles/web/242727.html

2.挖洞经验 | 看我如何通过子域名接管绕过Uber单点登录认证机制

https://www.freebuf.com/news/141630.html

3.挖洞经验 | 看我如何在前期踩点过程中发现价值$4500的漏洞

https://www.freebuf.com/articles/network/171219.html

4.挖洞经验 | 看我如何在短时间内对Shopify五万多个子域名进行劫持

https://www.freebuf.com/articles/web/186411.html

5.Exploiting Subdomain Takeover on S3

https://gupta-bless.medium.com/exploiting-subdomain-takeover-on-s3-6115730d01d7

自动化工具

1.Osmedeus

https://github.com/j3ssie/Osmedeus

2.OneForAll

https://github.com/shmilylty/OneForAll

3.second-order

https://github.com/mhmdiaa/second-order

4.SubOver

https://github.com/Ice3man543/SubOver

5.more

https://github.com/search?q=Subdomain+Takeover&type=

视频教程

1.Live Stream Subdomain Takeovers for Bug Bounties

2.Subdomain Takeover Step by Step | Bug Bounty 2020

重点:开发自动化工具

开发进度: https://pxiaoer.blog/2020/12/01/subdomain-takeover/

Day042

今日重点:

1.Bheem 侦察平台,聚合了很多的工具

https://github.com/harsh-bothra/Bheem

漏洞挖掘资源

1.bug-bounty-dorks

https://github.com/sushiwushi/bug-bounty-dorks

2.dirsearch

https://github.com/maurosoria/dirsearch

3.gin – a Git index file parser

https://github.com/sbp/gin

4.KingOfBugBountyTips

https://github.com/KingOfBugbounty/KingOfBugBountyTips

漏洞报告学习

1.The YouTube bug that allowed unlisted uploads to any channel

https://medium.com/bugbountywriteup/the-youtube-bug-that-allowed-uploads-to-any-channel-3b41c7b7902a

2.Subdomain Takeovers, beyond the basics for Pentesters and Bug Bounty Hunters

3.Account Takeover(ATO) and Email verification bypass in 2mins

https://medium.com/@karthiksoft007/account-takeover-ato-and-email-verification-bypass-in-2mins-5a6c8cb692a7

4.Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata

https://hackerone.com/reports/530974

5.Bcrypt — Account TakeOver Due To Weak Encryption — #HR51KDB

https://medium.com/bugbountywriteup/bcrypt-account-takeover-due-to-weak-encryption-hr51kdb-4418f6e65907

Day041

今日重点:

1.侦查工具 3klCon

https://github.com/eslam3kl/3klCon

漏洞挖掘资源

1.Bug Hunting Tactics

https://speakerdeck.com/harshbothra/bug-hunting-tactics

2.Bounty Thursdays – Wordlists for content discovery and API bugs!

3.Beginner’s Guide to CTFs

https://medium.com/bugbountywriteup/beginners-guide-to-ctfs-c934a0d7f5f9

漏洞报告学习

1.My bug bounty journey. The middle-class boy who wanted everything for free.

https://vivekps143.medium.com/my-bug-bounty-journey-the-mind-of-a-middle-class-boy-who-wanted-everything-for-free-1456e160817c

Day040

重点:用Rust开发Fuzzing tools

Github: https://github.com/pxiaoer/rfuss2

文章:

1.Build simple fuzzer – part 1

https://carstein.github.io/2020/04/18/writing-simple-fuzzer-1.html

2.Build simple fuzzer – part 2

https://carstein.github.io/2020/04/25/writing-simple-fuzzer-2.html

3.Build simple fuzzer – part 3

https://carstein.github.io/2020/05/02/writing-simple-fuzzer-3.html

4.Build simple fuzzer – part 4

https://carstein.github.io/2020/05/21/writing-simple-fuzzer-4.html