Want to find RCE on Web Applications? 🚀

Here are some ways to find RCEs directly, or escalate other bugs to RCE, in Bug Bounties

A thread🧵

#bugbounty #bugbounties #wapt #rce #zeroday
1. LFI with Log Poisoning:
➼ Apache Log: hackingarticles.in/apache-log-poi…
➼ SSH Log: hackingarticles.in/rce-with-lfi-a…
➼ SMTP Log: liberty-shell.com/sec/2018/05/19…
➼ FTP Log: secnhack.in/ftp-log-poison…

(2/n)
2. Via File Upload:
➼ Upload a .php reverse shell
➼ If that is blocked, try to bypass the restrictions:
(a) Double Extension
(b) Random Upper & Lower Case in the Name
(c) Changing the MIME Type
(d) Null Byte
(e) Magic Bytes
➼ If only images are allowed, use ExifTool to add a PHP reverse shell in the comment metadata
(3/n)
➼ Add SQLi, XSS, Command Injection, SSTI, LFI, SSRF payloads in the file name, like "><script>alert(1)</script>.jpg"
➼ And Many More
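For the defender's side of the file-upload tricks listed above, here is an added example (not from the thread) of a server-side validator that rejects each of them: null bytes, double and mixed-case extensions, MIME mismatches, wrong magic bytes, and payloads in the file name. The function name `validate_upload` and the return shape are assumptions for this illustration.

```python
import os
import re
import secrets

# Allowed image types: extension -> (expected Content-Type, magic-byte prefixes)
ALLOWED = {
    "png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}
# Stem may only contain characters that can never be an injection payload
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, declared_mime, content):
    """Return (ok, reason) on rejection or (ok, stored_name) on success.
    Hypothetical helper written for this example."""
    # Null-byte trick: different layers truncate the name differently
    if "\x00" in filename:
        return False, "null byte in filename"
    # Drop any directory component the client sent (handles both separators)
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) < 2:
        return False, "missing extension"
    stem, exts = parts[0], [e.lower() for e in parts[1:]]
    # Rejects names like '"><script>alert(1)</script>.jpg'
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename"
    # Every extension in the chain is lower-cased and checked, which stops
    # double extensions (shell.php.jpg) and case tricks (shell.PhP)
    if any(e not in ALLOWED for e in exts):
        return False, "extension not allowed"
    ext = exts[-1]
    expected_mime, magics = ALLOWED[ext]
    # The client-supplied Content-Type is untrusted but must still agree
    if declared_mime.lower() != expected_mime:
        return False, "mime type mismatch"
    # Magic bytes must match the claimed type (a PHP file has none of these)
    if not any(content.startswith(m) for m in magics):
        return False, "content does not match extension"
    # Store under a random server-chosen name, never the user's name
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Magic bytes do not catch code hidden in EXIF comment metadata, so a real deployment should also re-encode the image and serve uploads from a location where the web server never executes scripts.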

3. Check the versions of the CMS, services, and components running on the Web Application and search for CVEs on cve.mitre.org/cve/search_cve…

(4/n)
4. Use Bugs to Escalate
➼ SQL to RCE: infosecwriteups.com/sql-injection-…
➼ SSTI to RCE: medium.com/r3d-buck3t/rce…
➼ SVG Upload to XSS: naveenroy008.medium.com/xss-attacks-vi…
➼ SVG to XXE to RCE: github.com/swisskyrepo/Pa…, airman604.medium.com/from-xxe-to-rc…
➼ SSRF to RCE: medium.com/@GeneralEG/esc…

(5/n)
5. FUZZ FUZZ FUZZ: Fuzzing endpoints and parameters sometimes discloses sensitive information or bugs too.

6. Read the Source Code of an application to understand it much better and to know what could be tested.

(6/n)
7. There are many ways to find RCEs, but I tried to show you the easiest ways to get RCEs, and I'll add more to this thread🧵

(7/n)
