Intigriti

Bug Bytes #153 – New PHP LFI technique, Cache poisoning at scale & Null byte attacks are still alive!

By Anna Hammond

January 5, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

CLICK HERE TO SUBSCRIBE

This issue covers the week from December 20, 2021 to January 03, 2022.

Intigriti news

Visma’s “Mother of Hackers” speaks to Intigriti about running a successful virtual live hacking event

Our favorite 5 hacking items

1. Article of the week

PHP LFI with Nginx Assistance

Bruno Bierbaumer discovered a new LFI technique while creating CTF challenges.
The conditions is that the app is deployed with PHP-FPM and Nginx, and Nginx runs as the same user as PHP. Both are very common.

The attack exploits temporary files that Nginx creates for buffering. A GET request for a non-existent page, with a huge parameter value will force Nginx to create a temporary file containing that value.
The attack, basically, is to put a PHP shell in that parameter, then bruteforce Nginx’s temporary file names/paths to find the one where the web shell was written before its deletion. Reading it will execute the shell and result in RCE.

If you want to practice, there are links to two challenges, and to an additional example in the article.

For an additional explanation of the technique, you can also check out this CTF writeup.

2. Writeups of the week

Cache Poisoning at Scale
Turning bad SSRF to good SSRF: Websphere Portal

@iustinBB shares the techniques he used to find and report more than 70 web cache poisoning vulnerabilities, for about $40,000 bounties. This is amazing research if you want to know more about this topic.

@assetnote‘s writeup is a great read if you are interested in SSRF, Open redirect, XXE or RCE via Zip Based Directory Traversal. It is full of details not only about the vulnerabilities but, most importantly, the process for finding them (code review, failed attempts, etc).

3. Video of the week

Multi-host payloads in Burp Intruder

If you are a Burp user, there is a great feature that was added in a recent update that is worth knowing. Starting Burp Pro and Community 2021.12, it is possible to run a single Intruder attack against several hosts.
The video demonstrates how to do that, with the example of a login brute force attack run against different subdomains.

4. Tool of the week

Osmedeus Next Generation & Documentation

@j3ssiejjj completely rewrote Osmedeus and this new version looks lit. It allows you to write custom recon workflows using YAML files.
If you are looking for a way to efficiently organize your recon process, leveraging both custom and public tools / wordlists, with multiple workflows, Osmedeus might be what you need.

5. Tweet of the week

Mini writeup of Instapage and HubSpot vulnerabilities

@samwcyo shares a couple of interesting vulnerabilities discovered by him, @bbuerhaus, @sshell_ and @xEHLE_ on Hubspot and Instapage.
They discovered a legacy API that allowed uploading HTML files to Hubspot’s CDN, exploited it to serve XSS payloads, and coud steal HTTPOnly cookies using a diagnostics endpoint that reflects all cookies.
The other bug is that any Instapage live domain could be claimed by registering a domain with the same name to which you append a null byte. Null byte attacks are still alive!

SHARE ON TWITTER

Other amazing things we stumbled upon this week

Videos

Webinars

Conferences

Tutorials

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Log4J

Tools

  • Sourcerer: Ruby utility to apply rules to URL datasources and filter interesting content

  • fq: jq for binary formats

  • elasticpwn & Intro: Quickly collect data from thousands of exposed Elasticsearch or Kibana instances and generate a report to be reviewed

  • vortex: All-in-one tool to attack Microsoft OWA/ADFS/LYNC/O365, vendor specific VPN Web Logins and more

  • Needle & Intro: A Python tool to find Windows registry files in a blob of data

  • ADExplorerSnapshot.py: An AD Explorer snapshot ingestor for BloodHound

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Challenges

Bug bounty & Pentest news

Non technical

You may also like