Bug Bytes #173 – JDBC attacks reloaded, RCE via email & Benchmarking port scanners
By Anna Hammond
June 8, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 30 to June 6.
Intigriti news
The Ethical Hacker Insights Report 2022
Keep up with Intigriti’s events in June
Apply to Intel’s Project Circuit Breaker live hacking event
Our favorite 5 hacking items
1. Articles of the week
Arbitrary File Upload Tricks In Java
Make JDBC Attacks Brilliant Again II
Port Scanner Shootout
In the first article, @pyn3rd shares some tricks to bypass WAFs when testing for file upload vulnerabilities in Java apps. One of them is also useful for SSRF and XXE.
The second article is a new addition to @pyn3rd's research on JDBC attacks. It focuses on PostgreSQL databases, which were not covered in the “Make JDBC Attacks Brilliant Again” talk.
“Port Scanner Shootout” is a benchmark of port scanning tools by @s0cm0nkeysec. It compares nmap, masscan, naabu and rustscan, with details on each tool’s capabilities and pros/cons.
2. Writeup of the week
Horde Webmail – Remote Code Execution via Email
@SonarSource's R&D team describe a cool RCE they discovered in Horde Webmail’s default configuration.
It is triggered when a user authenticated on the webmail server opens the attacker’s email (containing a CSRF exploit), and results in RCE on the server and theft of the victim’s clear-text credentials.
3. Video of the week
Could I Hack into Google Cloud?
Google recently announced the winners of the 2021 GCP VRP Prize.
In this video, @LiveOverflow dissects their writeups, trying to understand the bugs, if he could’ve found them, and what differentiates the winning writeup.
4. Challenge of the week
@notsosecure released this new playground for practicing insecure deserialization. It includes four web apps vulnerable to Java, PHP, Python and Node deserialization, with solutions.
If you want to play with this trendy vulnerability, import the VM in VirtualBox and put your hacker detective hat on!
5. Vulnerability of the week
CVE-2022-26134 – Confluence Server and Data Center unauthenticated RCE
New week, new critical 0-day. CVE-2022-26134 is an unauthenticated RCE in all versions of Confluence. It was first discovered as a 0-day being exploited in the wild.
If you are new to OGNL injection, this is a good opportunity to learn about it with this real-life example.
Other amazing things we stumbled upon this week
Videos
Webinars
Conferences
The Hitchhiker’s Guide to Pod Security – Lachlan Evenson, Microsoft & A Treasure Map of Hacking (and Defending) Kubernetes
Introducing the Latest Ghostwriter v2.3.0 @ Black Hat Asia 2022 – Christopher Maddalena & BloodHound @ Black Hat Asia 2022 – Andy Robbins
SSTIC 2022 (Click on talk titles to see slides and videos)
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
Prototype pollution is everywhere! Solution to May ’22 XSS Challenge & Challenge winners and community writeups
CA CTF 2022: Exploiting LFR and forging Cookies – Mutation Lab
AASLR: Antisyphon Address Space Layout Randomization (MetaCTF walkthrough)
Pentest writeups
Responsible(ish) disclosure writeups
PoC for a Post-Auth SQL-Injection (CVE-2022-0757) in Nexpose Vulnerability Scanner <= 6.6.128 #Web
Multiple vulnerabilities in Zyxel zysh #MemoryCorruption #LPE
Bug bounty writeups
Microsoft Dynamics Container Sandbox RCE via Unauthenticated Docker Remote API 20,000$ Bounty (Microsoft, $20,000)
Bug bounty reports from Core Rule Set live hacking event (Core Rule Set)
Hijacking Over 100k GoDaddy Websites (GoDaddy)
Is Exploiting A Null Pointer Deref For LPE Just A Pipe Dream? (Microsoft)
Steal private objects of other projects via project import & Bypass (GitLab, $40,000)
See more writeups on The list of bug bounty writeups.
Tools
npmdomainchecker: Checks all maintainers of all NPM packages for hijackable domains
websitewatcher: Monitor sites for changes with email notifications
dsieve: Take a list of urls and filter or extract domains by level
Astra-Bot: Python based Discord bot which allows you to run tools like nmap and amass from Discord
Reverse SSH: SSH based reverse shell
Tips & Tweets
Don’t limit yourself to Git when checking for exposed source code
How to tag each request with the corresponding browser profile (within Burp’s embedded browser) & Using Sharpener
See more tips on this week’s Twitter collection.
Misc. pentest & bug bounty resources
trickest/containers & Intro: Automated privilege escalation of the world’s most popular Docker images
Container security Learning Path bundle by AppSecEngineer ($59 until June 17)
Articles
Leveraging AWS QuickSight dashboards to visualize recon data
Abuse and replay of Azure AD refresh token from Microsoft Edge in macOS Keychain
Reports
Challenges
Bug bounty & Pentest news
Bug bounty
Cybersecurity
Tech
Upcoming events
Tool updates
Non technical