Mostafa Alrefai (@__the7th)'s Twitter Profile
Mostafa Alrefai

@__the7th

TTMG - Cyber Warrior - Sharing Gems

ID: 1558548735025713153

https://the7th.medium.com

13-08-2022 20:19:34

40 Tweet

32 Followers

1 Following


One technique to detect "Blind Command Injection" is time-based detection ... like SQLi

Following are three Linux-based commands to get a 10-second timeout from the target server...

[*] RCE exploit tip...

If you have a "Blind RCE" and you can get HTTP interactions using `curl` command...

You can steal local files from the server by using the `-d` flag with the `@` symbol at the beginning of the target file name and send the full content to your OOB server

[*] Bug Hunting Wisdom...

Don't underestimate a bug ... Why?

Because it's not about the bug, it's all about the impact...

This case was plain text usernames and passwords due to a simple misconfiguration

[*] Bug Bounty Skills... (More Parameters = More Vulnerabilities)

Did you know that there are 4 types of discovery techniques:

1. Website Crawling (Active)
2. Hidden Parameter Fuzzing (Active)
3. JavaScript Mining (Passive)
4. Searching Public Archives (Passive)

🧵Thread...


🧵Bug Bounty Diaries ( D2 )

Today, I found my first "Prototype Pollution" vulnerability in the wild, but it can't be a valid bug to be reported on its own, so when you find a PP, you should dig deeper to combine it with a gadget in order to build a valid report...

🧵Bug Bounty Diaries ( D3 )

This was an EPIC hack...

TTMG, in this report, I was able to combine 2 vulnerabilities to bypass the login page of an admin portal and log in as an admin, without any username or password.

Maybe more details in the future...

🧵Bug Bounty Diaries ( D4 )

How to escalate an "Open Redirect" from P5 to P3 or P1

Yesterday, I found an Open Redirect in a public VDP, and I wanted to teach you the exploitation process that you should take before reporting the bug as a P5 ... thread...

I wanted to add some information about Exploit 1. After testing the exploit on live targets and a local lab, I validated that the XSS payload will work only if it is a DOM-Based Open Redirect; if it is a Server-Based Open Redirect, the browser will stop the XSS from running.

🧵Bug Bounty Diaries ( D6 )

It's still a VDP, but the chain was EPIC

=> From CSTI (Client-Side Template Injection) to XSS Gadget + WAF Bypass

=> From XSS to CSP Bypass

=> From CSP Bypass to fetch requests

=> From fetch requests to Cookie hijacking