Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 17 to 24, 2022.
Our favorite 5 hacking items
1. Vulnerability of the week
Python NaN Injection, Repo & Decipher Podcast: Robert Hansen Returns
It’s strange that this new Python vulnerability class went unnoticed. It may be complex and difficult to identify but it is also novel and an interesting area to explore.
For the anecdote, Robert Hansen / @RSnake is one of the first hackers I followed when I started in 2012. Among other things, he created the old ha.ckers.org XSS Cheat Sheet on which the OWASP XSS Filter Evasion Cheat Sheet was based.
2. Writeups of the week
Hacking the Apple Webcam (again) (Apple, $100,500)
CVE-2021-45467: CWP CentOS Web Panel – preauth RCE
The Tale of a Click leading to RCE
Ryan Pickren discovered a UXSS and other issues on Safari that could give an attacker access to victims’ camera and any website they visited, bypassing Gatekeeper.
@0xLupin‘s writeup is an amazing red teaming story that demonstrates how SSRF can be upgraded to RCE in a real-world (but CTF-like) scenario.
The third writeup is about a curious RCE via local file write on CentOS Web Panel.
In @PaulosYibelo‘s words,
.%00./ is the new
3. Tutorials of the week
Creating easy proof-of-concept scripts with Python and Curl.
Debugging a Java application with decompiled source code
It can be handy if you are short on time or struggle with creating custom scripts/curl commands.
The second tutorial is about dynamic analysis of Java apps using IntelliJ IDEA. If you perform static analysis of Java apps and find it difficult to trace sinks and sources, this debugging method by @dozernz can make the process much easier.
4. Resource of the week
Free SQL injection section of Bug Bounty – An Advanced Guide to Finding Good Bugs
@HusseiN98D gave an advanced bug bounty workshop at THREAT CON and published the recording on Udemy.
It is not free ($49.99 until the end of the week, then $139.99) but the SQL injection section is. It is more than one hour on SQL injection with a couple of advanced bug bounty use cases that may teach you some useful tricks.
Note that it is extremely rare for me to feature paid content in this newsletter. The only reason I am making this exception is its quality and the juicy hour long free video it includes.
5. Tip of the week
A tip for exploiting tricky blind SQL injections
If you find a blind SQL injection and have a hard time exfiltrating data, try @mcipekci‘s technique (adapted to your context of course) to force the app to return an error.
Other amazing things we stumbled upon this week
- Finding security vulnerabilities with GitHub’s new code search
- RACE CONDITION BUGS explained with test cases
- 🐛 Bug Bounty Recap 🐜 January 13-19
- Easy IDOR hunting with Autorize? (GIVEAWAY)
- Web App Penetration Testing – Course Introduction & Introduction To HTTP
- DEP Bypass using ROP Chains & Blog post
- Injecting code into any Homebrew Cask by attacking GitHub Actions script
- Demystifying JA3: One Handshake at a Time & Other ways a site can block Burp traffic
- An attempt to understand container runtime
- Art of Creating Machines
- Vulnerable AWS Lambda function – Initial access in cloud attacks
- A Beginner’s guide into Router Hacking and Firmware Emulation
- WMI for Script Kiddies
- XXE to SSH access?! – Mustacchio by @Try Hack Me
- HackTheBox – Forge
- Web Shell via Polyglot File Upload!
- Tiki Walkthrough with S1REN
- Some SANS Holiday Hack 2021 Solutions
Responsible(ish) disclosure writeups
- Solarwinds Web Help Desk: When the Helpdesk is too Helpful #Web #CodeReview
- Blind Server-Side Request Forgery & Unsafe Object Deserialization in Html2Pdf <= 5.2.3 #Web #CodeReview
- Cisco Prime 3.9.1 – RCE #Web #SNMP
- Paranoids’ Vulnerability Research: PrinterLogic Issues Security Alert #Printer
- ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central (Zoho)
- The Cat Escaped from the Chrome Sandbox #Browser #MemoryCorruption
Bug bounty writeups
- HOW I hacked thousand of subdomains
- Finding vulnerabilities in Swiss Post’s future e-voting system – Part 1 (Swiss Post)
- CVE-2022-21661: Exposing Database Info Via WordPress SQL Injection (WordPress)
- Zooming in on Zero-click Exploits (Zoom)
See more writeups on The list of bug bounty writeups.
- ripgen: Rust-based high performance domain permutation generator
- ShadowClone: Allows you to distribute your long running tasks dynamically across thousands of serverless functions
- jo: JSON output from a shell
- Chrome Bandit: Programmatically extract saved passwords from Google Chrome
- TREVORproxy, TREVORspray 2.0 & Intro: Increasing the speed and effectiveness of password sprays
Tips & Tweets
- Search for credentials in the public Postman API network
- Gnarly pentest stories
- java.net.URL DNS leak
- Log4j / log4shell explained for the rest of us
Misc. pentest & bug bounty resources
- New InternetDB API by Shodan that lets you do fast IP lookups for free without an API key
- PinataHub & Intro
- HOUDINI: Hundreds of Offensive and Useful Docker Images for Network Intrusion
- OWASP Mobile Security Testing Guide v1.4.0
- Customising Blacklist3r for OWIN OAuth Access Tokens
- Captain Hook – How (Not) To Look For Vulnerabilities In Java Applications
- The best free, open-source supply-chain security tool? The lockfile
- Adding DCSync Permissions from Linux
- Capturing RDP NetNTLMv2 Hashes (even if NLA is enforced)
- SeeYouCM-Thief: Exploiting Common Misconfigurations In Cisco Phone Systems & SeeYouCM Thief
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- IWCon 2022 (February 26-27)
- Bounty Hunters Hackathon (Deadline is February 20)
- HTB giveaway (January 24 to February 4)
- Tool updates