
Rafal Janicki (bl4de)
#StandWithUkraine

Tools of The Bug Hunters Methodology V2

NOTE: The following list has been created based on the PPT "The Bug Hunters Methodology V2 by @jhaddix"

Discovery

  • Sublist3r (Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT).
  • Brutesubs (An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose).
  • Cloudflare_enum (Cloudflare DNS Enumeration Tool for Pentesters).
  • Censys.py (Quick and Dirty script to use the Censys API to query subdomains of a target domain).
  • massdns (A high-performance DNS stub resolver).
bl4de / index.php
Created March 7, 2024 12:47 — forked from Zxce3/index.php
server dashboard in one file [WIP]
<?php
/**
 * This file contains functions to retrieve system information and display it in a single-file server dashboard.
 * The functions include generating a safe ID, parsing lines, getting CPU info, load average, basic server info,
 * CPU usage, memory usage, disk usage, and disk space.
 *
 * @author Zxce3
 * @version 1.1
 */
bl4de / h1_report_tpl.md
Last active November 16, 2023 07:53
HackerOne report template

Intro

Any information required by PROGRAM, like 'keywords' used by Concrete5, Phabricator etc.

Summary

summary of the vulnerability - where, what, why :)

Steps to reproduce

bl4de / HTTP_response_codes.py
Created December 13, 2014 18:17
Python dictionary HTTP response codes
# Table mapping response codes to messages; entries have the
# form {code: (shortmessage, longmessage)}.
responses = {
    100: ('Continue', 'Request received, please continue'),
    101: ('Switching Protocols',
          'Switching to new protocol; obey Upgrade header'),
    200: ('OK', 'Request fulfilled, document follows'),
    201: ('Created', 'Document created, URL follows'),
    202: ('Accepted',
bl4de / phpdangerousfuncs.md
Created June 3, 2023 01:48 — forked from mccabe615/phpdangerousfuncs.md
Dangerous PHP Functions

Command Execution

exec            - Returns last line of command's output
passthru        - Passes command's output directly to the browser
system          - Passes command's output directly to the browser and returns last line
shell_exec      - Returns command's output
`` (backticks)  - Same as shell_exec()
popen           - Opens read or write pipe to process of a command
proc_open       - Similar to popen() but with a greater degree of control
pcntl_exec      - Executes a program
bl4de / bucket-disclose.sh
Created June 24, 2022 21:13 — forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses SOAP, unicode, POST, multipart, streaming and index listing as ways of figuring it out. You do need a valid AWS key (never the secret) to properly get the error messages.
#!/bin/bash
# Written by Frans Rosén (twitter.com/fransrosen)
_debug="$2" #turn on debug
_timeout="20"
# you need a valid key, since the errors happen after AWS validates that the key exists. we do not need the secret key, only the access key
_aws_key="AKIA..."
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3"
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
bl4de / CVE-2019-1003000-Jenkins-RCE-POC.py
Created February 18, 2019 16:07 — forked from adamyordan/CVE-2019-1003000-Jenkins-RCE-POC.py
CVE-2019-1003000-Jenkins-RCE-POC
#!/usr/bin/python
# Author: Adam Jordan
# Date: 2019-02-15
# Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)
import argparse
import jenkins

FROM python:3.7-stretch as base
RUN mkdir /base
WORKDIR /base
RUN apt-get update
RUN apt-get install -y wget
RUN apt-get -y install libnss3
RUN apt -y install chromium
bl4de / fingerprint.js
Created April 24, 2021 15:28 — forked from nikitastupin/fingerprint.js
fingerprint.js
(() => {
  let gadgets = [];
  if (typeof _satellite !== 'undefined') {
    gadgets.push('Adobe Dynamic Tag Management');
  }
  if (typeof BOOMR !== 'undefined') {
    gadgets.push('Akamai Boomerang');
  }
bl4de / xssaminer.sh
Created May 31, 2016 22:22
XSSaminer by @BruteLogic - tool for finding XSS in PHP source code
#!/bin/bash
# 1) save it as xssaminer
# 2) allow execution: chmod +x xssaminer
# 3) run it & check usage: ./xssaminer
# quote "$1" so the test is well-formed even when no argument is given
if [ -z "$1" ]
then
    echo -e "Usage:\n$0 FILE\n$0 -r FOLDER"
    exit
fi