Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from December 20, 2021 to January 03, 2022.
Our favorite 5 hacking items
1. Article of the week
PHP LFI with Nginx Assistance
Bruno Bierbaumer discovered a new LFI technique while creating CTF challenges.
The conditions is that the app is deployed with PHP-FPM and Nginx, and Nginx runs as the same user as PHP. Both are very common.
The attack exploits temporary files that Nginx creates for buffering. A GET request for a non-existent page, with a huge parameter value will force Nginx to create a temporary file containing that value.
The attack, basically, is to put a PHP shell in that parameter, then bruteforce Nginx’s temporary file names/paths to find the one where the web shell was written before its deletion. Reading it will execute the shell and result in RCE.
If you want to practice, there are links to two challenges, and to an additional example in the article.
For an additional explanation of the technique, you can also check out this CTF writeup.
2. Writeups of the week
Cache Poisoning at Scale
Turning bad SSRF to good SSRF: Websphere Portal
@iustinBB shares the techniques he used to find and report more than 70 web cache poisoning vulnerabilities, for about $40,000 bounties. This is amazing research if you want to know more about this topic.
@assetnote‘s writeup is a great read if you are interested in SSRF, Open redirect, XXE or RCE via Zip Based Directory Traversal. It is full of details not only about the vulnerabilities but, most importantly, the process for finding them (code review, failed attempts, etc).
3. Video of the week
Multi-host payloads in Burp Intruder
If you are a Burp user, there is a great feature that was added in a recent update that is worth knowing. Starting Burp Pro and Community 2021.12, it is possible to run a single Intruder attack against several hosts.
The video demonstrates how to do that, with the example of a login brute force attack run against different subdomains.
Osmedeus Next Generation & Documentation
@j3ssiejjj completely rewrote Osmedeus and this new version looks lit. It allows you to write custom recon workflows using YAML files.
If you are looking for a way to efficiently organize your recon process, leveraging both custom and public tools / wordlists, with multiple workflows, Osmedeus might be what you need.
Mini writeup of Instapage and HubSpot vulnerabilities
@samwcyo shares a couple of interesting vulnerabilities discovered by him, @bbuerhaus, @sshell_ and @xEHLE_ on Hubspot and Instapage.
They discovered a legacy API that allowed uploading HTML files to Hubspot’s CDN, exploited it to serve XSS payloads, and coud steal HTTPOnly cookies using a diagnostics endpoint that reflects all cookies.
The other bug is that any Instapage live domain could be claimed by registering a domain with the same name to which you append a null byte. Null byte attacks are still alive!
Other amazing things we stumbled upon this week
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- Sourcerer: Ruby utility to apply rules to URL datasources and filter interesting content
- fq: jq for binary formats
- elasticpwn & Intro: Quickly collect data from thousands of exposed Elasticsearch or Kibana instances and generate a report to be reviewed
- vortex: All-in-one tool to attack Microsoft OWA/ADFS/LYNC/O365, vendor specific VPN Web Logins and more
- Needle & Intro: A Python tool to find Windows registry files in a blob of data
- ADExplorerSnapshot.py: An AD Explorer snapshot ingestor for BloodHound
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
- Bug bounty
- Tool updates