Bug Bytes #153 – New PHP LFI technique, Cache poisoning at scale & Null byte attacks are still alive!
By Anna Hammond
January 5, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from December 20, 2021 to January 03, 2022.
Our favorite 5 hacking items
1. Article of the week
Bruno Bierbaumer discovered a new LFI technique while creating CTF challenges.
The conditions are that the app is deployed with PHP-FPM behind Nginx, and that Nginx runs as the same user as PHP (typically www-data). Both are very common.
The attack exploits the temporary files that Nginx creates to buffer request bodies. A request for a non-existent page carrying a huge parameter value in its body (larger than Nginx's client body buffer) forces Nginx to spill that body into a temporary file on disk.
The attack, basically, is to put a PHP shell in that parameter and then brute-force the path of the temporary file. Nginx unlinks the file right after creating it, but the worker process keeps it open, so it remains readable through that worker's /proc/<pid>/fd/<fd> entry for as long as the request is in flight. Including that path through the LFI executes the shell and results in RCE. Because the window is short, the exploit keeps many uploads running while it probes candidate paths.
If you want to practice, the article links to two challenges and to an additional example.
For an additional explanation of the technique, you can also check out this CTF writeup.
2. Writeups of the week
Cache Poisoning at Scale
Turning bad SSRF to good SSRF: Websphere Portal
@iustinBB shares the techniques he used to find and report more than 70 web cache poisoning vulnerabilities, for about $40,000 in bounties. This is amazing research if you want to know more about this topic.
@assetnote‘s writeup is a great read if you are interested in SSRF, Open redirect, XXE or RCE via Zip Based Directory Traversal. It is full of details not only about the vulnerabilities but, most importantly, the process for finding them (code review, failed attempts, etc).
3. Video of the week
Multi-host payloads in Burp Intruder
If you are a Burp user, there is a great feature that was added in a recent update that is worth knowing. Starting with Burp Pro and Community 2021.12, it is possible to run a single Intruder attack against several hosts.
The video demonstrates how to do that, with the example of a login brute force attack run against different subdomains.
4. Tool of the week
Osmedeus Next Generation & Documentation
@j3ssiejjj completely rewrote Osmedeus and this new version looks lit. It allows you to write custom recon workflows using YAML files.
If you are looking for a way to efficiently organize your recon process, leveraging both custom and public tools / wordlists, with multiple workflows, Osmedeus might be what you need.
5. Tweet of the week
Mini writeup of Instapage and HubSpot vulnerabilities
@samwcyo shares a couple of interesting vulnerabilities discovered by him, @bbuerhaus, @sshell_ and @xEHLE_ on Hubspot and Instapage.
They discovered a legacy API that allowed uploading HTML files to HubSpot's CDN, exploited it to serve XSS payloads, and could steal HttpOnly cookies using a diagnostics endpoint that reflects all cookies.
The other bug is that any live Instapage domain could be claimed by registering a domain with the same name plus an appended null byte. Null byte attacks are still alive!
Other amazing things we stumbled upon this week
Conferences
HITBCyberWeek 2021 – Hack Track, Break Track, Make Track & Build Track
Bsides London 2021 Rookie Track, Clappy Monkey Track & Track 2
Tutorials
Ultimate Reconnaissance RoadMap for Bug Bounty Hunters & Pentesters
Console Wars Part 1: Hacks for Hackers & Part 2: SQL injection
How to leverage security frameworks and libraries for secure code
Writeups
Responsible(ish) disclosure writeups
Proctorio Chrome extension Universal Cross-Site Scripting #BrowserExtension #Web
Yes, fun browser extensions can have vulnerabilities too! #BrowserExtension #Web
Phishing With Spoofed Cloud Attachments #Cloud #Phishing
Bug bounty writeups
Fixing the Unfixable: Story of a Google Cloud SSRF (Google, $4133.70)
MS Teams: 1 feature, 4 vulnerabilities (Microsoft)
NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories (Microsoft, $7,500)
Bounty Evaluation GitHub = $15,000 US Dollars | Rate Limit (GitHub, $15,000)
Here’s How I Could Read Anyone’s Apple ID Metrics Remotely. (Apple)
See more writeups on The list of bug bounty writeups.
Log4J
CVE-2021-44832 – Apache Log4j 2.17.0 Arbitrary Code Execution Via JDBCAppender Datasource Element: New variant of Log4J
How to exploit Log4j vulnerabilities in VMWare vCenter & Log4jCenter
Exploiting CVE-2021-44228 using PDFs as delivery channel – PoC
Log4J 2.15 TOCTOU Vulnerability Illustrated by GoSecure Researchers
Examining Log4j Vulnerabilities in Connected Cars and Charging Stations
Google: Understanding the Impact of Apache Log4j Vulnerability
Tools
Sourcerer: Ruby utility to apply rules to URL datasources and filter interesting content
fq: jq for binary formats
elasticpwn & Intro: Quickly collect data from thousands of exposed Elasticsearch or Kibana instances and generate a report to be reviewed
vortex: All-in-one tool to attack Microsoft OWA/ADFS/LYNC/O365, vendor specific VPN Web Logins and more
Needle & Intro: A Python tool to find Windows registry files in a blob of data
ADExplorerSnapshot.py: An AD Explorer snapshot ingestor for BloodHound
Tips & Tweets
How to see the issues (in Burp) pertaining to a specific set of hosts
Quickly detect CVE-2021-45232 Apache APISIX Dashboard Unauth Vulnerability using fofax and httpx
Tips for beginner bug hunters:
@Samm0uda: Learn and read a lot, apply by doing serious CTFs and labs for some time then do VDP hunting then do Bug Bounty Hunting. Focus on quality/severity over quantity. Do what no one is doing.
@jtcsec: Build a repeatable methodology for your target. Do a lot of content discovery. Watch videos from people like @InsiderPhD and @stokfredrik. Practice on @bugbountyhunt3r.
@mcipekci: Do not rely on automated scans, do not run default configurations and create your own methodology. It’s not just about 0-days, very old issues are often found on targets.
@nnwakelam: Go through @PentesterLab and get curious from there. Read writeups from people like @samwcyo and @infosec_au.
@nnwakelam: Learn to be persistent.
Misc. pentest & bug bounty resources
learngo: A Huge Number of Go Examples, Exercises and Quizzes