Here is how I found the easiest SQLi and possible RCE in less than 30 min of recon and dorking
1. I was invited to a private program at @Hacker0x01 and the first thing I usually do is to look at the scope and see if it is a wildcard domain or just a small scope.
2. Found that the program accepts all vulnerabilities related to their assets and of course third party assets are OOS
3. I used @leak_ix search engine at leakix.net and used this dork [+target_name ++plugin:"GitConfigHttpPlugin"]
Note: this is used to search for already scanned websites that have /.git exposed
4. I visited the website and the /.git repository was downloadable and I dumped the source code using gitdumper.sh (you can find it on GitHub)
5. This was not the way I found the SQLi, but when I visited the homepage there was a simple login page with username and password fields
6. I tried admin:admin to see if I could easily log in as admin but no luck, but then I fired up Burp and intercepted the login request and I injected a simple quote inside the username field, which was admin_username
7. I noticed that the app returned a different response code and I sent the request to Sqlmap tool to see what would happen
8. Using sqlmap with the params --risk 5 --level 3 --random-agent, the tool easily found that the field is vulnerable to time-based SQLi
9. I reported the finding immediately after listing the databases, and I tried to escalate it to RCE
10. I verified whether the user is a DBA and has FILE privileges using sqlmap by adding the param --is-dba, and the result was true, which means the user could write files to the server
11. Unfortunately, I was not able to escalate it since I could not know where the file is written exactly inside the server, but the H1 team were able to escalate it, and they updated the severity to CRITICAL😁 even though I was not able to escalate it myself 🤷♂️
12. That's it for this finding. The idea here is to use different search engines for recon and don't rely only on known ones like Shodan, ZoomEye, ...
Always verify the username field for SQLi and try different tools for testing (sqlmap, ghauri, ...) #bugbountytips #bugbountytip
I was paid $2000 for this finding which is the maximum payout in this program.
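The quote-in-the-username check from steps 6 and 7, as an added example that is not part of the original thread: a string-built login query beside its parameterized form, run against a constructed in-memory SQLite table so the different behaviour on a single quote is visible. Table layout, user data and function names are assumptions.

```python
import sqlite3

# Constructed sample data for the demo; not from the original thread.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)"
    )
    # Plaintext password only to keep the demo short; real code stores a hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Query built by string formatting: user input becomes part of the SQL."""
    sql = (
        "SELECT is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A stray quote breaks the statement; the server-side error is the
        # "different response" the thread noticed and sqlmap then confirmed.
        return ("error", str(exc))
    return ("ok", row is not None)


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: input is bound as data, never parsed as SQL."""
    sql = "SELECT is_admin FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return ("ok", row is not None)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "correct-horse"), ("admin'", "x")]:
        print(repr(user), login_vulnerable(db, user, pw), login_safe(db, user, pw))
```

The safe variant answers a quote in the username with an ordinary failed login instead of a database error, so there is no behavioural difference for a scanner to latch on to.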
Here is how I chained two bugs to exploit a UUID based IDOR and gained access to admin panel.
🧵THREAD🧵
1. How I knew that the target uses the same panel for both (normal users and admins)?! This is because of two things: the first one is through subdomain enumeration
The second one is from the JS files.
After enumerating the subdomains, no admin panel was found for the main app.
But when reading the main JS file of the target, there were some keywords like is_admin or administration or anything related to the super user privileges.
Then I started digging to find what I would need to access the admin panel.
Here is a short writeup on how I found some hardcoded credentials inside an exe file and got paid $2000 even though the asset was OUT OF SCOPE!
📌THREAD📌
1. I got invited to a private program with new assets
2. The asset was a web application for an Electron desktop app
3. I tried to find the executable for the in-scope app just to understand what the app looks like when installed on the machine
4. I finally downloaded the app from the official website of the target and tried to extract the EXE with tools like WinZip (Electron apps can be easily extracted)