Jul 30, 2019

SQL Injection in private-site.com/login.php





SQL Injection in Login.php at Private Program

Program : Private on HackerOne
Method : POST
Affected Path : Login.php
Affected Parameter : username
Bounty : Out Of Scope
-----------------------------------------------

Vulnerable url was 
private-site.com/login.php

Tool : SQLMap

The site showed me two login fields
( Username & Password )

In the Username field I put only a single quote ( ' )

Then it showed me this error.
This means the site is vulnerable to SQL injection.

Now I just captured the request
and added it to a list.txt file.

Then I used SQLMap to dump the database.
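Why a lone single quote produces that error, as an added example that is not part of the original post: the first login function below builds the SQL text from the raw input, so the quote unbalances the statement and the database reports a syntax error (the fingerprint described above), while the second binds the input as a parameter and simply fails the login. The table, the user row and the function names are constructed for this example; the post does not show the site's code.

```python
import sqlite3


def make_db():
    # Constructed in-memory users table for this example; the post does not
    # show the site's schema or data. Plaintext passwords only keep it short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable pattern: the raw input is pasted into the SQL text. A lone
    # single quote leaves the statement unbalanced, so the database raises a
    # syntax error that the page then shows to the user (the fingerprint in
    # the post). Any input that survives as SQL can also change the query.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_safe(conn, username, password):
    # Hardened pattern: parameter binding sends the values to the engine
    # separately from the SQL text, so a quote in the username is compared
    # as data and can never become part of the statement.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "x"))   # database error surfaces
    print(login_safe(db, "'", "x"))         # plain failed login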








Jul 28, 2019

Old GitHub Profile Takeover!





Old GitHub Profile Takeover! 

Program : Private on HackerOne
Bounty : 1000$
Fix : in cooperation with the company.

---------------------------------------------------------

Description
This bug was so simple and such a nice catch that I want to write about it.

Simply, what I found!
While I was searching for bugs in the company's code on GitHub,


there were many repositories and code files mentioning an old GitHub profile, which still worked.


Example of how it worked
---------------------------------
When you try to download some files from this link
https://github.com/OldCOMPANYPROFILE/reponame/archive/master.zip

the link redirects to

https://github.com/NewCOMPANYPROFILE/reponame/archive/master.zip

and the download starts normally.

So what was the bug here?
When I went to
https://github.com/OldCOMPANYPROFILE/
I was shown a "Profile Not Found" error.


So I was able to create a profile with the old company profile name!
And change some repositories to vulnerable files to prove the PoC.

Taking over a "Not Found" profile can disable the migration (the redirect) from the old profile to the new one.






-----------------------------------------------------------



Jun 11, 2019

Can I takeover XYZ ( Steps )

Can I takeover XYZ ( Steps ) ?

Based on can-i-take-over-xyz

_______________________________________________________________________

Service : Heroku
Fingerprint : No such app

There are two types of takeover in this service:
1) HerokuDNS (edge case)
2) Herokuapp

Steps to takeover :
Please note: in the edge-case takeover (HerokuDNS) the DNS of the website is an IP address that belongs to Heroku.
The Herokuapp takeover uses the same steps, but the DNS of the domain or subdomain is, for example, haronapplication.herokuapp.com, so you only need to create a new app called haronapplication.




_____________________________________________________________________

Service : Wufoo
Fingerprint : Profile Not found.
Steps :
The subdomain CNAME will look like
haronsurvey.wufoo.com
and the full steps are here


__________________________________________________________________________

Service : Unbounce
Fingerprint : The requested url was not found on this server.

Takeover Steps :
Still possible for old clients.
Steps here

_____________________________________________________________________________

Service : HubSpot
Fingerprint : Domain Not found.
Takeover Steps :
Possible.
Will be added soon.

Info here

____________________________________________________________________________

Service : Shopify 
FingerPrint : Sorry, this shop is currently unavailable.


Takeover Steps :
here

________________________________________________________________________

Service : Campaign Monitor
FingerPrint : Trying to access your account?

Takeover Steps : 

__________________________________________________________________________

Service : Fastly 
FingerPrint: Fastly error: unknown domain

Takeover Steps: 
Create a free Fastly account and follow the steps in the video.




                                           

___________________________________________________________________________





Apr 13, 2019

[ Special Case ] HerokuDNS is Still vulnerable to Subdomain Takeovers ( Live PoC )




Today I will share a new finding about
subdomain takeovers
via HerokuDNS
[ Edge Case ]

Many blogs say you can't take over via herokudns any more
because they now use a random CNAME generator.

In this blog I will explain how I could take over this domain
and add it to the custom domains list on my Heroku dashboard.
-----------------------------------------------
Explanation
Simply:
1) If you look at this picture,
the title shows you " No Such App ".


2) Now go and look at the DNS of the subdomain;
if you find it like this (IPs)

3) You can add it directly to your Heroku account, to any app, as a custom domain.
Yes, when you add it you will get a random CNAME, like what happened when I added dns-scratch.me to my account.



4) The domain or subdomain is now connected.



---------------------------------------------------------

Apr 12, 2019

[RCE] Remote code execution at api.PrivateProgram.com (CVE-2017-5638)





Apache Struts CVE-2017-5638 
Remote Code Execution Vulnerability
Program : Private on HackerOne
Bounty : 2000$ and 250$ Bonus
Subdomain : Api.Private.com


Today I will post my new find:
remote code execution
in the API subdomain of a private program,
which was using a vulnerable version of Apache Struts
(CVE-2017-5638)

CVE-2017-5638 description :
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
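A defender-side check that follows from the description above, as an added example that is not part of the original post: the CVE is triggered through a malformed Content-Type (or Content-Disposition/Content-Length) header carrying OGNL expression syntax, so a request log that records the Content-Type value can be screened for values that are not a plain media type or that contain OGNL markers such as the `#cmd=` string the description mentions. The log format, the sample lines, the function names and the marker strings in the samples are constructed for this example (the samples are placeholders, not a working payload). The actual fix is the one the description implies: upgrading to Struts 2.3.32 or 2.5.10.1.

```python
import re

# Constructed sample request log lines (not from the program in the post).
# Assumed format: <client-ip> <method> <path> "Content-Type: <value>"
SAMPLE_LOGS = [
    '203.0.113.5 POST /api/upload "Content-Type: multipart/form-data; boundary=----abc123"',
    '203.0.113.9 POST /api/upload "Content-Type: %{#cmd=PLACEHOLDER}"',
    '198.51.100.2 GET /api/status "Content-Type: application/json"',
    '198.51.100.7 POST /api/upload "Content-Type: ${#context[PLACEHOLDER]}"',
]

# A legitimate Content-Type is type/subtype followed by optional ;parameters.
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$")

# OGNL expression markers that never belong in a media type value.
OGNL_MARKERS = ("%{", "${", "#cmd=")

# Pulls the Content-Type value out of a log line in the assumed format.
HEADER_RE = re.compile(r'"Content-Type:\s*(.*)"$')


def is_suspicious_content_type(value):
    """True if the header value carries OGNL markers or is not a media type."""
    value = value.strip()
    if any(marker in value for marker in OGNL_MARKERS):
        return True
    return not MEDIA_TYPE.match(value)


def scan_logs(lines):
    """Return (client_ip, content_type) for every line with a suspect header."""
    hits = []
    for line in lines:
        match = HEADER_RE.search(line)
        if not match:
            continue  # line carries no Content-Type; nothing to judge
        content_type = match.group(1)
        if is_suspicious_content_type(content_type):
            hits.append((line.split()[0], content_type))
    return hits


if __name__ == "__main__":
    for client, content_type in scan_logs(SAMPLE_LOGS):
        print("suspect Content-Type from %s: %r" % (client, content_type))
```

The media-type check matters as much as the marker list: an attacker can vary the expression syntax, but a Content-Type that is not `type/subtype` at all is anomalous on its own and worth alerting on.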

Poc was : 


References : 





----------------------------------------------------------

Mar 19, 2019

Feb 26, 2019

[Still work] Redirect Yahoo Subdomain XSS Reflected from americangreetings.com






Bug Type : Reflected XSS
Affected Site : americangreetings.com 
Yahoo Subdomain : greetings.yahoo.com


Description
I reported this to Yahoo and American Greetings but it was marked as informative,
so they don't mind it being disclosed.

This XSS still works.

I found that the Yahoo subdomain greetings.yahoo.com can be redirected to any path on americangreetings.com.

So I tried to get a reflected XSS at americangreetings.com in its paths.

The XSS affected this path:
/search-results/{xss payload}

************************************
The fix suggested to Yahoo was
to do the same as
greetings.yahoo.ca,
which redirects only to the site home.

***************************************

PoC links :

http://greetings.yahoo.com/search-results/'"--><Details Open OnToggle=confirm`Haron`>

https://www.americangreetings.com/search-results/'%22--%3e%3cDetails%20Open%20OnToggle=confirm%60Haron%60%3e
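Both halves of the issue, modelled as an added example that is not part of the original post: a redirect that forwards the full incoming path (the behaviour described for greetings.yahoo.com) beside the home-only redirect the post suggests, and a results page that reflects the path segment raw beside one that HTML-escapes it. The function names and the placeholder input are constructed; the post does not show either site's code.

```python
from html import escape

# Destination named in the post; the redirecting hostname forwards to it.
DESTINATION = "https://www.americangreetings.com"


def redirect_passthrough(path):
    # Behaviour the post describes: the path requested on the Yahoo hostname
    # is forwarded unchanged, so any reflected flaw on the destination is
    # reachable through links that start with the Yahoo hostname.
    return DESTINATION + path


def redirect_home_only(path):
    # Fix the post suggests (what greetings.yahoo.ca does): drop the incoming
    # path and always send the visitor to the destination home page.
    return DESTINATION + "/"


def render_results_vulnerable(term):
    # Vulnerable pattern: the path segment is placed into HTML as-is, so
    # angle brackets and quotes in it become markup.
    return "<h1>Search results for %s</h1>" % term


def render_results_safe(term):
    # Hardened pattern: <, >, &, " and ' are encoded, so the segment renders
    # as text no matter what it contains.
    return "<h1>Search results for %s</h1>" % escape(term, quote=True)


if __name__ == "__main__":
    probe = "/search-results/<b>placeholder</b>"   # constructed, not the post's payload
    print(redirect_passthrough(probe))
    print(redirect_home_only(probe))
    print(render_results_vulnerable("<b>placeholder</b>"))
    print(render_results_safe("<b>placeholder</b>"))
```

Escaping on the destination removes the XSS itself; the home-only redirect removes the second hostname from which it could be reached, which is why the post proposes it to Yahoo even though the reflection lives on americangreetings.com.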


*************************************


Feb 22, 2019

AWS s3 Buckets Create





Amazon AWS S3 buckets are simple and can be created by everyone.

************************
Steps to create an S3 bucket

1) You must create an Amazon AWS account first ( a credit card is required ).
AWS asks for your payment information to verify your identity. They will not charge you unless your usage exceeds the AWS Free Tier limits.


2) Creating a bucket is simple, as you see in the picture.

3) Enter your bucket name.
I chose HaronBucket.
Please remember this will be your bucket link;
for example, mine is
haronbucket.s3.amazonaws.com
s3.amazonaws.com/haronbucket


Click Next, then Next again if you don't need special configuration or permissions.



After clicking Create Bucket,
your bucket will be shown in the Buckets home.


**********************************
Now uploading your files is very easy:
1) Go to your Buckets home.
2) Choose the bucket you want to upload files to,
or go to this link ( add your bucket name ):
https://s3.console.aws.amazon.com/s3/buckets/your-bucket/


3) Click Get Started, choose the files you want to upload, then click Upload.

4) Your uploaded file will be shown in your bucket's file list; click on the file you uploaded.




5) Click Make Public and scroll down; you will see your file's public link.


Subdomain Misconfiguration leads to AWS S3 Bucket Reading




Bug Type : Subdomain misconfiguration
Program : Private on HackerOne
Severity : P2 ( High )
Bounty : 600$ + 200$ Bonus
Subdomain : images.example.com

************************************
How I found this bug
It was simple: when I went directly to https://images.example.com I found it redirected to https://aws.amazon.com/s3/

So then I started looking for the CNAME, and it was
images.example.com  >  s3.amazonaws.com

Here was the bug. I have seen many companies make the same error:
developers must add a whitelist of allowed S3 buckets.

So now I can call any bucket through images.example.com

example : images.example.com/haron-bucket/




************************
The steps to find this error are very simple:
if the subdomain has the alias s3.amazonaws.com,
try adding your bucket directly to the subdomain,
example : subdomain.site.com/yourbucket/yourfile.html
If it loads, it is vulnerable; if not, it means the developers added a bucket whitelist.
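One way to turn the fingerprints from the "Can I takeover XYZ" list above and the S3 alias check just described into a single review of your own subdomains, as an added example that is not part of the original posts: each observation pairs a hostname with its DNS target (a CNAME, or for the HerokuDNS edge case an A record), the response seen on that hostname and, where the CNAME points at S3, the result of requesting a path for a bucket the organisation does not own. The observation records, the probe field and the function names are constructed for this example; only the fingerprint strings come from the posts.

```python
# Constructed observations for a defender's own subdomains (nothing here is
# real data): hostname, DNS target, HTTP status/body seen on the hostname and,
# for S3 aliases, the status of a probe for a bucket the organisation does
# not own ("foreign_bucket_probe" is an assumption of this example).
OBSERVATIONS = [
    {"host": "app.example.com", "cname": "haronapplication.herokuapp.com",
     "status": 404, "body": "<title>No such app</title>"},
    {"host": "legacy.example.com", "cname": "", "a": ["203.0.113.10"],
     "status": 404, "body": "<title>No such app</title>"},
    {"host": "forms.example.com", "cname": "haronsurvey.wufoo.com",
     "status": 200, "body": "Profile not found."},
    {"host": "shop.example.com", "cname": "shops.myshopify.com",
     "status": 200, "body": "Welcome to our store"},
    {"host": "images.example.com", "cname": "s3.amazonaws.com",
     "status": 200, "body": "<ListBucketResult/>", "foreign_bucket_probe": 200},
    {"host": "cdn.example.com", "cname": "s3.amazonaws.com",
     "status": 404, "body": "Not found", "foreign_bucket_probe": 403},
]

# Response fingerprints from the "Can I takeover XYZ" list, lower-cased.
FINGERPRINTS = {
    "Heroku": "no such app",
    "Wufoo": "profile not found",
    "Unbounce": "the requested url was not found on this server",
    "HubSpot": "domain not found",
    "Shopify": "sorry, this shop is currently unavailable",
    "Campaign Monitor": "trying to access your account?",
    "Fastly": "fastly error: unknown domain",
}


def classify(obs):
    """Return (finding, service) for one observation; ("ok", None) if clean."""
    body = obs["body"].lower()
    # The fingerprint check runs whatever the record type, which is what
    # catches the HerokuDNS edge case (A record to a Heroku IP, no CNAME).
    for service, text in FINGERPRINTS.items():
        if text in body:
            return ("dangling-dns", service)
    # S3 alias without a bucket whitelist: a path for a bucket we do not own
    # is served through our own hostname.
    if obs.get("cname", "").endswith("s3.amazonaws.com") \
            and obs.get("foreign_bucket_probe") == 200:
        return ("s3-alias-no-allowlist", "S3")
    return ("ok", None)


def audit(observations):
    """Map hostname -> finding for every observation that is not clean."""
    findings = {}
    for obs in observations:
        finding = classify(obs)
        if finding[0] != "ok":
            findings[obs["host"]] = finding
    return findings


if __name__ == "__main__":
    for host, (finding, service) in audit(OBSERVATIONS).items():
        print("%-22s %-22s %s" % (host, finding, service))
```

A hit of either kind has the same remediation on the DNS side: remove or repoint the record that still references a service the organisation no longer controls, and for an S3 alias, front it with something that only forwards paths for buckets on an explicit whitelist.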

******************************************


Please see this write-up for creating your bucket
https://www.mohamedharon.com/2019/02/aws-s3-buckets-create.html




*********************************************************