Want to find RCE on Web Applications? 🚀
Here are some ways to escalate or direct RCEs in Bug Bounties
A thread🧵
#bugbounty #bugbounties #wapt #rce #zeroday
Here are some ways to escalate or direct RCEs in Bug Bounties
A thread🧵
#bugbounty #bugbounties #wapt #rce #zeroday
1. LFI with Log Poisoning :
➼ Apache Log: hackingarticles.in/apache-log-poi…
➼ SSH Log:hackingarticles.in/rce-with-lfi-a…
➼ SMTP Log:liberty-shell.com/sec/2018/05/19…
➼ FTP Log: secnhack.in/ftp-log-poison…
(2/n)
➼ Apache Log: hackingarticles.in/apache-log-poi…
➼ SSH Log:hackingarticles.in/rce-with-lfi-a…
➼ SMTP Log:liberty-shell.com/sec/2018/05/19…
➼ FTP Log: secnhack.in/ftp-log-poison…
(2/n)
2. Via File Upload :
➼ Upload .php reverse shell
➼ If not, Bypass Restrictions :
(a) Double Extension
(b) Random Upper & Lower Case Names
(c) Changing Mime Type
(d) Null Byte
(e) Magic Byte
➼ If image allowed, use ExifTool and add PHP reverse shell in comment metadata
(3/n)
➼ Upload .php reverse shell
➼ If not, Bypass Restrictions :
(a) Double Extension
(b) Random Upper & Lower Case Names
(c) Changing Mime Type
(d) Null Byte
(e) Magic Byte
➼ If image allowed, use ExifTool and add PHP reverse shell in comment metadata
(3/n)
➼ Add SQLi,XSS,Command Injection, SSTI, LFI, SSRF payloads in file name like "><script>alert(1)</script>.jpg"
➼ And Many More
3. Check Versions of CMS, Services, and Components running on Web Application and search for CVEs on cve.mitre.org/cve/search_cve…
(4/n)
➼ And Many More
3. Check Versions of CMS, Services, and Components running on Web Application and search for CVEs on cve.mitre.org/cve/search_cve…
(4/n)
4. Use Bugs to Escalate
➼ SQL to RCE: infosecwriteups.com/sql-injection-…
➼ SSTI to RCE: medium.com/r3d-buck3t/rce…
➼ SVG Upload to XSS: naveenroy008.medium.com/xss-attacks-vi…
➼ SVG to XXE to RCE: github.com/swisskyrepo/Pa…, airman604.medium.com/from-xxe-to-rc…
➼ SSRF to RCE: medium.com/@GeneralEG/esc…
(5/n)
➼ SQL to RCE: infosecwriteups.com/sql-injection-…
➼ SSTI to RCE: medium.com/r3d-buck3t/rce…
➼ SVG Upload to XSS: naveenroy008.medium.com/xss-attacks-vi…
➼ SVG to XXE to RCE: github.com/swisskyrepo/Pa…, airman604.medium.com/from-xxe-to-rc…
➼ SSRF to RCE: medium.com/@GeneralEG/esc…
(5/n)
5. FUZZ FUZZ FUZZ: Fuzz endpoints and parameters sometimes disclose sensitive stuff or bugs too.
6. Read the Source Code of an application to understand much better to know what could be tested here
(6/n)
6. Read the Source Code of an application to understand much better to know what could be tested here
(6/n)
7. There are many ways to find RCEs but I tried to show you the easiest ways to get RCEs and I'll add more to this thread🧵
(7/n)
(7/n)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
