GitBook: [master] 27 pages modified

Author: scumdestroy

SUMMARY.md

@@ -11,6 +11,8 @@
 * [HTTP Methods Vulns.](bug-bounty-web-hacking/http-methods-vulns..md)
 * [IDORs / Auth. Bugs](bug-bounty-web-hacking/untitled.md)
 * [SSRF](bug-bounty-web-hacking/ssrf.md)
+* [SSTI](bug-bounty-web-hacking/ssti.md)
+* [PHP : grep Payloads](bug-bounty-web-hacking/php-grep-payloads.md)
 
 ## Burp Suite
 

bug-bounty-web-hacking/http-methods-vulns..md

@@ -12,5 +12,28 @@
 
 or you can manually send requests via netcat, telnet, postman, burp's repeater or any client that can access SOAP/REST.
 
-
+**HTTP HEADERS**
+
+`X-Forwarded-Host   
+X-Forwarded-Port   
+X-Forwarded-Scheme   
+Origin: null   
+Origin: [siteDomain].attacker.com   
+X-Frame-Options: Allow   
+X-Forwarded-For: 127.0.0.1   
+X-Client-IP: 127.0.0.1   
+Client-IP: 127.0.0.1`   
+  
+**---For injecting BXSS\(blind XSS\) \|\| SQLI payloads---**   
+  
+`Referer   
+X-Wap-Profile   
+X-Original-Url   
+Forwarded   
+X-Originated-IP   
+X-Client-IP   
+From User Agent`
+
+**---Possible File upload vulnerabilities---**   
+X-HTTP-Method-Override: PUT
 

bug-bounty-web-hacking/php-grep-payloads.md

@@ -0,0 +1,62 @@
+---
+description: 'If the source code gets leaky, dig through the spaghetti a little.'
+---
+
+# PHP : grep Payloads
+
+PHP Vulnerabilities could fill a library and will likely continue to fill evermore through the years of this language's livelihood on the web.  If you do get a chance to see the source code of a web app; be it open-source on github, a white-box test or just a poorly implemented leaky framework, here are some golden nuggets to grep for.
+
+**XSS:**   
+grep -Ri "echo" .   
+grep -Ri "$_" . \| grep "echo"   
+grep -Ri "$\_GET" . \| grep "echo"   
+grep -Ri "$\_POST" . \| grep "echo"   
+grep -Ri "$\_REQUEST" . \| grep "echo"   
+  
+**Command execution:**   
+grep -Ri "shell\_exec\(" .   
+grep -Ri "system\(" .   
+grep -Ri "exec\(" .   
+grep -Ri "popen\(" .   
+grep -Ri "passthru\(" .   
+grep -Ri "proc\_open\(" .   
+grep -Ri "pcntl\_exec\(" .   
+  
+**Code execution:**   
+grep -Ri "eval\(" .   
+grep -Ri "assert\(" .   
+grep -Ri "preg\_replace" . \| grep "/e"   
+grep -Ri "create\_function\(" .   
+  
+**SQL Injection:**   
+grep -Ri "$sql" .   
+grep -Ri "$sql" . \| grep "$_"   
+  
+**SQLMAP Cheatsheet for WordPress:**   
+`sqlmap -u "`[`http://target.tld/?paramater=1`](http://target.tld/?paramater=1)`" -p "parameter" --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user`_`login,user_pass from wp_users"`   
+  
+**Information leak via phpinfo:**   
+grep -Ri "phpinfo" .   
+  
+**Find dev and debug modes:**   
+grep -Ri "debug" .   
+grep -Ri "$\_GET\['debug'\]" .   
+grep -Ri "$\_GET\['test'\]" .   
+  
+**RFI/LFI:**   
+grep -Ri "file\_include" .   
+grep -Ri "include\(" .   
+grep -Ri "require\(" .   
+grep -Ri "require\($file\)" .   
+grep -Ri "include\_once\(" .   
+grep -Ri "require\_once\(" .   
+grep -Ri "require\_once\(" . \| grep "$_"   
+  
+**Misc:**   
+grep -Ri "header\(" . \| grep "$\_"   
+grep -Ri '$\_SERVER\["HTTP\_USER\_AGENT"\]' .   
+  
+**Path Traversal:**   
+grep -Ri file\_get\_contents .   
+RATS Auditing tool for C, C++, Perl, PHP and Python
+

bug-bounty-web-hacking/ssti.md

@@ -0,0 +1,11 @@
+---
+description: Server Side Template Injection
+---
+
+# SSTI
+
+Another vulnerability that falls victim to flawed input sanitization.  Though not as common as XSS or SQLI, due to the fact that the functionality of providing a template engine that renders static template files, replacing the built-in variables with actual values is not as common as a basic user input, or reliance on back-end database.  In addition, there are generally only certain frameworks that are vulnerable, though a successful attack on these can lead from private information disclosure to a full on RCE. 
+
+Generally pretty simple to test for and understand if the vulnerability is present.  Just drop a payload like `${{7*7}}` or `#${7*7}` and if the web app parses it into a 49, the bounty gates will open for you and dazzle you with riches \(hopefully\).     
+_Also, you can of course test for XSS, SQLI and any other input madness of interest to you._
+

tools/nmap.md

@@ -1,2 +1,8 @@
 # Nmap
 
+Nmap really one of the goats.  Absolutely still use this for almost every CTF, Bug Bounty, Pentest, etc.. and pretty much right away.  If you're not using the NSE scripts deeply and often, you aren't using it beyond 15%  of its awesome potential, so take the deep dive and take it right now.  
+
+Kinda went overboard with this list but here are my favorite NSE scripts for bug bounty \(and I guess anything really\).
+
+* allseeingeye-info.nse  asn-query.nse  auth-owners.nse  banner-nse  broadcast-dropbox-discover.nse  braodcast-jenkins-discover.nse  citrix-enum-apps.nse  citrix-enum-servers.nse  citrix-user-enum  citrix-user-brute  couchdb-databases  dns-cache-snoop.nse  dns-brute.nse  dns-blacklist.nse  dns-service-discovery  dns-srv-enum  finger  firewalk  firewall-bypass  ftp-anon  ftp-bounce  ftp-brute  gopher-ls  http-apache-negotiation  http-aspnet-debug.nse  http-auth  http-auth-finder  http-backup-finder  http-bigip-cookie  http-brute  http-cisco-anyconnect  http-csrf  http-cors  http-dlink-backdoor  http-dombased-xss  http-drupal-enum  http-drupal-enum-users  http-exif-spider  http-favicon  http-form-brute  http-form-fuzzer  http-grep  http-joomla-brute  http-methods  http-method-tamper  http-open-redirect  http-passwd  http-rfi-spider  http-shellshock  https-redirect  http-sql-injection  http-trace  http-traceroute  http-stored-xss  http-waf-fingerprint  http-xssed  mongodb-brute  mongodb-databases  mongodb-info  ms-sql-brute\(info, query, dump-hashes, config, tableds\)  mysql-audit \(brute, databases, enum, info, query, users, variables\)  nessus-brute  oracle-brute  oracle-enum-users  oracle-sid-brute  oracle-brute-stealth  pgsql-brute  pop3-brute  redis-info  redis-brute  smb-enum-groups\(domains, services,sessions, shares, users\)  smb-flood  smb-os-discovery  smtp-brute \(commands, enum-users, strangeport\)  sniffer-detect  snmp-brute \(info, interfaces, netstat, processss\)  socks-brute  ssh-brute  ssh-auth-methods  ssh-run  ssh-publickey-acceptance  ssl-cert  sstp-discover  svn-brute  targets-asn  targets-sniffer  telnet-brute  tftp-enum  vulners  whois-up  xmpp-brute  whois-domains
+