Bug Bytes #159 – GitBleed, BigQuery SQL injection & Salesforce Recon and Exploitation Toolkit

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from February 07 to 14.

Intigriti news

Our favorite 5 hacking items

1. Article of the week

GitBleed – Finding Secrets in Mirrored Git Repositories & GitBleed Tools

@nightwatchcyber noticed that tools that scan for secrets in Git repositories will miss some secrets if they clone repos without the --mirror option.
They share how to looks for these secrets, some Bash scripts that automate the process and a couple of intentionally vulnerable repos.

2. Writeup of the week

BigQuery SQL Injection Cheat Sheet ($50k+)

@ozgur_bbh and @anilyukk discovered and exploited a BigQuery SQL injection on a bug bounty target. They share the syntax and queries they used, which is valuable considering the lack of resources on SQL injections targetting this specific type of DBMS.

3. Tutorial of the week

Bypassing the AWS WAF protection with an 8KB bullet

@riyazwalikar describes a known limitation of AWS WAF: It only inspects the first 8KB of the web request body. This allows bypassing AWS WAF by placing payloads after 8KB of junk data.
Actually, this issue is not new. @securityfu wrote about it in AWS WAF’s Dangerous Defaults, but this tutorial serves as a good reminder of this interesting behavior.

4. Tool of the week

Salesforce Recon and Exploitation Toolkit (SRET) & Intro

While learning about Salesforce vulnerabilities, @uraniumhacker created this tool to automate testing for and exploiting misconfigurations in Salesforce instances.
He used it to report multiple Critical and High impact information disclosure bugs.

5. Non technical item of the week

It is Okay to Use Writeups

Being stuck on a challenge for too long can result in loosing interest or unnecessarily wasting time in one’s learning journey. So, if you are struggling with Hack The Box machines/challenges or certifications like the OSCP, make sure to read and apply this advice by @ippsec and @0xdf_.
It will help you make consistent progress, and know when to try harder and when to look at solutions.

Other amazing things we stumbled upon this week

Videos

• 🐛 Bug Bounty Recap 🐜 February 3 – 9
• Bug Bounty Live Recon – Grabbing Domains!
• Chrome and FireFox don’t agree on this!
• Polkit – 12-year-old Security Vulnerability to Privilege Escalation | PolicyKit | Linux | #Explained
• Reverse Engineering 101 – Introduction to IDA Free on Linux: Reversing 2 crackmes
• Sudo Exploit for (old) Ubuntu 20.04 LTS
• Windows Privilege Escalation series by @HackerSploit
• Create Your Own Python DNS ENUMERATION TOOL & Create Your Own Python SUBDOMAIN ENUMERATION TOOL

Podcasts / Audio

• Bug Bounty Community Chats #1

Webinars

• Progressive Web Applications Architecture And Security Risks

Conferences

• A Tale of making Internet Pollution Free
• Power of Community

Tutorials

• Introduction to Spring Boot Related Vulnerabilities
• How to integrate Nuclei with Interactsh and Notify
• Improving the impact of a mouse-related XSS with styling and CSS-gadgets
• How does UTF-8 turn “😂” into “F09F9882”?
• Using Power Automate for Covert Data Exfiltration in Microsoft 365
• Vulnerabilities that aren’t. Unquoted Spaces

Writeups

Challenge writeups

• Extremely Short XSS?! Solution to February ’22 XSS Challenge & Winners
• HackTheBox – EarlyAccess
• Heap Tricks Never Get Old – Insomni’Hack Teaser 2022
• XSS via HTTP Parameter Pollution! & SQL Injection to Retrieve Hidden Data!
• HTB: SteamCloud #Kubernetes

Responsible(ish) disclosure writeups

• Oracle Server Side Request Forgery (SSRF) Metadata (Oracle)
• impressCMS – unauthenticated code execution #Web #CodeReview
• Multiple Vulnerabilities In Concrete CMS – Part2 (PrivEsc/SSRF/etc) #Web
• A Zero-Click RCE Exploit for the Peloton Bike (And Also Every Other Unpatched Android Device) #MemoryCorruption
• From Stored XSS to Code Execution using SocEng, BeEF and elFinder CVE-2021-45919 #Web

Bug bounty writeups

• “Zero-Days” Without Incident – Compromising Angular via Expired npm Publisher Email Domains (GitHub) & Related paper
• WordPress < 5.8.3 – Object Injection Vulnerability (WordPress)
• How i made 15k$ from Remote Code Execution Vulnerability ($15,000)
• How Docker Made Me More Capable and the Host Less Secure (Microsoft)
• Mindshare: When Mysql Cluster Encounters Taint Analysis (Oracle)
• SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-21999) & SpoolFool (Microsoft)

See more writeups on The list of bug bounty writeups.

Tools

• Ghostbuster & Introhttps://blog.assetnote.io/2022/02/13/dangling-eips/: Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts
• Copy Regex Matches: Burp extension to copy regex matches from selected requests and/or responses to the clipboard
• Nuclei – Burp Extension: Simple Burp extension to run Nuclei directly from Burp, transforming JSON results into issues
• OAUTHScan: Burp extension useful to verify OAUTHv2 and OpenID security
• JWT Editor: A Burp Suite extension and standalone application for creating and editing JSON Web Tokens
• hardCIDR: Bash script to discover an organization’s netblocks or ranges (in CIDR notation)

Tips & Tweets

• Why you should check the default amass config.ini file regularly
• Something to check when testing Chrome extensions
• HTTP response “Content-type: image/png, text/html” will render the “text/html” even if the content type is actually “image/png”
• PoC for evading MS default setting and smuggling VBA macros back in
• One of @_nwodtuhs’s latest paths to Domain Admin

Misc. pentest & bug bounty resources

• trickest/cve
• HTTP header smuggling mindmap
• The Art of Attack: Attacker Mindset for Security Professionals ($22.49)
• Practical Phishing Assessments (New TCM course) ($29.99)
• Reversing Golang
• s0cm0nkey’s Security Reference Guide

Articles

• Top 10 web hacking techniques of 2021
• PostgreSQL Driver Logger Injection
• Dropping Files on a Domain Controller Using CVE-2021-43893 & Blank Space
• SPN-jacking: An Edge Case in WriteSPN Abuse
• AD CS: from ManageCA to RCE
• Gaining the upper hand(le)
• PPE — Poisoned Pipeline Execution

Challenges

• SecurityLabs challenge
• FernbachAPI
• KustomizeGoat: Vulnerable by design Kustomize deployment

Bug bounty & Pentest news

• Bug bounty
  • Google kCTF VRP: 🌹 Roses are red, Violets are blue 💙 Giving leets 🧑‍💻 more sweets 🍭 All of 2022!
  • Google Vulnerability Reward Program: 2021 Year in Review
  • iOS jailbreak dev wins $2M bounty for finding critical Optimism bug
• Cybersecurity
  • Missouri prosecutor declines to file charges over ‘hacker’ allegation against reporter
• Upcoming events
  • @stokfredrik’s Bounty Thursdays – Live (Thursday 16:00 CET)
  • Apply to learn how to hack Intel® SGX
  • IWCon 2022 (February 26-27, $5)
• Tool updates
  • Evolving How We Share Rapid7 Research Data (Project Sonar no longer publicly available)
  • Kali Linux 2022.1 Release (Visual Updates, Kali Everything ISOs, Legacy SSH)
  • Introducing BloodHound 4.1 — The Three Headed Hound
  • OWASP ZAP: All New Networking
  • Burp Professional / Community 2022.1.1

Non technical

• Reflections on Failure, Part One & Part 2
• Manage Pentest in Time