Bug Bytes #26 – File upload to SQLi, Google’s CTF & Data Breach 101

By Intigriti

July 9, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 28 June to 5 July.

Intigriti news

We partnered up with PwnFunction to create a writeup video on Google’s 2019 CTF.
We’ll be releasing more content soon, so make sure to subscribe to our channel!

Very excited to announce that we've partnered up with @PwnFunction to create snackable video content for security researchers! 🤓
Check out our first video on how to solve @Google's CTF here 👇 #HackWithIntigriti https://t.co/JO3ONBQZl7

— Intigriti (@intigriti) July 8, 2019

Our favorite 5 hacking items

1. Webinar of the week

Intro to Cloud for Pentesters and Bug hunters | Security and Research Company (SECARMY)

This is an excellent introduction to cloud security for pentesters and bug hunters. If you’ve ever felt intimidated by AWS testing, this is a perfect opportunity to tackle this topic.
You’ll learn about cloud computing, the difference between IaaS, PaaS and SaaS, common misconfigurations of four components of AWS (including AWS S3 and IAM) with examples and links to writeups.

2. Writeup of the week

File upload blind SQL injection

I’ve never thought that the file name specified during a file upload could be saved to a database, and so potentially vulnerable to SQL injection!
It seems like an unusual entry point for this kind of attack. So it’s good to know and add to one’s list of locations to fuzz for SQL injection.
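To make the entry point concrete, here is an added example (not code from the write-up) contrasting an upload handler that builds its INSERT from the uploaded file name with one that binds the name as a parameter; the table layout, function names and the sample file name are constructed for this illustration.

```python
import sqlite3

# Constructed sample file name: an apostrophe is a perfectly legitimate
# character in a file name, but it changes the structure of a query that
# is assembled by string formatting.
SAMPLE_FILENAME = "O'Brien report.pdf"


def _fresh_db():
    # Hypothetical uploads table standing in for the application's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE uploads (id INTEGER PRIMARY KEY, filename TEXT, owner TEXT)"
    )
    return conn


def store_upload_vulnerable(conn, filename, owner):
    # The name sent in the multipart upload lands in the SQL text itself:
    # it is user-controlled input, exactly like any other form field.
    sql = f"INSERT INTO uploads (filename, owner) VALUES ('{filename}', '{owner}')"
    conn.execute(sql)
    conn.commit()


def store_upload_safe(conn, filename, owner):
    # Parameterized query: the file name is bound as data and is never
    # parsed as SQL, whatever characters it contains.
    conn.execute(
        "INSERT INTO uploads (filename, owner) VALUES (?, ?)", (filename, owner)
    )
    conn.commit()


def stored_filenames(conn):
    return [row[0] for row in conn.execute("SELECT filename FROM uploads ORDER BY id")]


def demo():
    """Run both handlers on the sample name and report what happened."""
    results = {}
    conn = _fresh_db()
    try:
        store_upload_vulnerable(conn, SAMPLE_FILENAME, "alice")
        results["vulnerable"] = "stored"
    except sqlite3.OperationalError as exc:
        # The quote in the file name broke the query: the tell-tale sign that
        # the name is being interpreted as SQL rather than stored as a value.
        results["vulnerable"] = f"error: {exc}"
    conn = _fresh_db()
    store_upload_safe(conn, SAMPLE_FILENAME, "alice")
    results["safe"] = stored_filenames(conn)
    return results
```

A database error triggered by a quote in the file name is the same signal the write-up relied on, so logging such errors on upload endpoints is a cheap detection check for defenders.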

3. Conference of the week

Pass the SALT 2019 videos & all slides, especially:

  • Hacking Jenkins & Slides

  • Time-efficient assessment of open-source projects for Red Teamers & Slides

  • Better curl! & Slides

  • Dexcalibur – automate your android app reverse & Slides

  • Mini-Internet using LXC (MI-LXC): A first step towards a free CyberRange? & Slides

  • JWAT… Attacking JSON Web Tokens & Slides

  • KILL MD5 – Demystifying hash collisions & Slides

When I first saw the name of this conference, I thought it was only about passwords, hashes and crypto (because of the word “SALT”).
But it’s actually very eclectic with talks on interesting offensive security topics like: reversing Android apps, why MD5 is so weak, JSON Web tokens, Curl, red teaming & open source, Jenkins security, etc.
And with brilliant speakers like Orange Tsai and Louis Nyffenegger, I’m sure quality is there too.

4. Tool of the week

Asset Discover & Introduction

Asset Discover is a Burp Suite extension that passively collects asset-related information. While you’re browsing the target app, it parses responses and extracts the following assets: domains, subdomains, IP addresses, S3 buckets, DigitalOcean space URLs and Azure Blob URLs.
Having this kind of information passively gathered and easily accessible is interesting. It’s worth testing.

5. Article of the week

Data Breaches are on the Rise — Is it too hard to p̶r̶e̶v̶e̶n̶t̶ control data breaches?

Being obsessed with offensive security, defense is not my forte. But it’s interesting to consider both to be able to understand the other side (developers, clients, bug bounty programs…) and, if necessary, advise them on how to remedy bugs or up their security.
This article provides multiple practices that can help avoid breaches, with links to resources (tools, checklists, people to follow, articles, etc).
It’s good to know for both hackers and defenders.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • CollabOzark: A simple tool which helps researchers track SSRF, RCE, Blind XSS, XXE and External Resource Access payload triggers

  • Slothy: Open source information gathering tool from publicly available sites against a target domain

  • CRLF-Injection-Scanner: Command line tool for testing CRLF injection on a list of domains

  • KNOXSS Community Edition

  • Recon: Easy, fast recon script

  • Hershell: Multiplatform reverse shell generator

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty news

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/28/2019 to 07/05/2019.

Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of Intigriti.

Curated by Pentester Land & Sponsored by Intigriti
