
Summary :

I was invited to a private program on HackerOne, and there were so many domains in scope that I thought of testing some of them. In one of the domains I found this vulnerability, a Cross Site Request Forgery which, when combined with an Insecure Direct Object Reference, allowed me to delete anyone’s account.

I was searching for different vulnerabilities on that domain and I saw that there are two different types of account you can register yourself with :

  1. Open Source Account
  2. Trial Account

In a trial account you get a trial of 29 days and you also have the option to cancel it, so I thought of trying an Insecure Direct Object Reference attack first, but it didn't work; moving on to CSRF, it was successful, but with the help of IDOR. …
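The chain described above, as an added example that is not part of the original post or the target program: a cancellation endpoint that authenticates the caller with a session cookie but takes the account to cancel from a request field and checks no CSRF token, beside a hardened version. The endpoint URL, the form field names and the in-memory session and account tables are assumptions made for the demo.

```python
import hmac
import secrets

# Constructed in-memory state for the demo: SESSIONS maps a cookie value to a
# user id plus a per-session CSRF token; ACCOUNTS is the table being deleted from.
SESSIONS = {
    "cookie-alice": {"user_id": 1, "csrf_token": secrets.token_hex(16)},
}
ACCOUNTS = {1: "alice", 2: "bob", 3: "carol"}


def csrf_poc_html(target_url, account_id):
    """Hypothetical attacker page: an auto-submitting form that makes the
    victim's browser POST the cancellation with the victim's own cookies.
    account_id is the IDOR half: the attacker chooses someone else's id."""
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{target_url}">'
        f'<input type="hidden" name="account_id" value="{account_id}">'
        "</form></body></html>"
    )


def cancel_account_vulnerable(cookie, form, accounts):
    """Vulnerable handler: authenticates via the session cookie, but neither
    checks a CSRF token nor verifies that account_id belongs to the caller."""
    if cookie not in SESSIONS:
        return 401, "not logged in"
    account_id = int(form["account_id"])           # IDOR: trusted as-is
    if account_id not in accounts:
        return 404, "no such account"
    del accounts[account_id]
    return 200, f"account {account_id} cancelled"


def cancel_account_hardened(cookie, form, accounts):
    """Hardened handler: the form must carry the session's CSRF token
    (synchronizer token pattern, compared in constant time) and the account
    to cancel comes from the session, never from the request."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "bad csrf token"
    account_id = session["user_id"]                # any id in the form is ignored
    if account_id not in accounts:
        return 404, "no such account"
    del accounts[account_id]
    return 200, f"account {account_id} cancelled"


def run_demo():
    """Replay the cross-site form against both handlers while alice is logged in.
    Returns (vulnerable_status, hardened_status, accounts left after hardened attempt)."""
    cross_site_form = {"account_id": "2"}          # attacker page: no token, bob's id
    vuln_accounts = dict(ACCOUNTS)
    vuln_status, _ = cancel_account_vulnerable("cookie-alice", cross_site_form, vuln_accounts)

    hard_accounts = dict(ACCOUNTS)
    hard_status, _ = cancel_account_hardened("cookie-alice", cross_site_form, hard_accounts)
    return vuln_status, hard_status, sorted(hard_accounts)


if __name__ == "__main__":
    print(csrf_poc_html("https://target.example/account/cancel", 2))
    print(run_demo())
```

In the vulnerable case the forged request returns 200 and bob's account is gone although only alice visited the attacker page; the hardened handler answers 403 and, even with a valid token, can only cancel the account bound to the session.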



Hello everyone, I would like to share one of my recent findings on a Vulnerability Disclosure Program. It is related to how I escalated to Remote Code Execution using Local File Inclusion with Log Poisoning.

What is RCE ?

In basic words, Remote Code Execution is a vulnerability that lets an attacker run code of their choosing on the target system. Once they can run code, they can read, change or delete its contents, and usually pivot further into the network.

What is LFI ?

In basic words, Local File Inclusion is used by attackers to trick the web application into exposing or executing files that already exist on the web server. It can lead to information disclosure, remote code execution, or XSS. LFI occurs when an application takes a file path as input and includes or reads that file without restricting it to the intended directory. …
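The LFI plus log-poisoning chain, as an added example that is not the original post's code: a vulnerable include that joins user input onto a directory and reads whatever the result points at, beside a hardened version that resolves the path and refuses anything outside the directory. The web root and log paths are constructed in a temporary directory, the access-log line with a PHP payload in the User-Agent is constructed too, and the demo only shows the traversal reaching the poisoned log; executing the payload is what PHP's include would do on a real server.

```python
import os
import tempfile

# Constructed sandbox: a fake web root with one legitimate page and a fake
# Apache access log outside it (paths mirror /var/www/html and /var/log/apache2).
ROOT = tempfile.mkdtemp(prefix="lfi-demo-")
WEBROOT = os.path.join(ROOT, "var", "www", "html")
PAGES = os.path.join(WEBROOT, "pages")
LOGDIR = os.path.join(ROOT, "var", "log", "apache2")
os.makedirs(PAGES)
os.makedirs(LOGDIR)
with open(os.path.join(PAGES, "home.html"), "w") as f:
    f.write("<h1>home</h1>")

# Constructed log line: the attacker sent PHP as the User-Agent, so the web
# server wrote it into the log verbatim. Including the log through the LFI
# would make PHP execute it; that is the log-poisoning step.
POISONED_UA = "<?php system($_GET['cmd']); ?>"
with open(os.path.join(LOGDIR, "access.log"), "w") as f:
    f.write('203.0.113.5 - - [01/Jan/2020:00:00:00 +0000] '
            f'"GET /index.php?page=home HTTP/1.1" 200 12 "-" "{POISONED_UA}"\n')


def include_vulnerable(page):
    """Vulnerable include: user input is joined onto the pages directory and
    read as-is, so '../' sequences walk out of it."""
    path = os.path.join(PAGES, page)
    with open(path) as f:
        return f.read()


def include_hardened(page):
    """Hardened include: resolve the candidate path (realpath also follows
    symlinks) and refuse anything that does not stay inside the pages directory."""
    base = os.path.realpath(PAGES)
    candidate = os.path.realpath(os.path.join(base, page))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes pages directory: {page!r}")
    with open(candidate) as f:
        return f.read()


def traversal_payload():
    """The page parameter that walks from html/pages up to var/ and down into
    the access log: pages -> html -> www -> var, then log/apache2/access.log."""
    return "../../../log/apache2/access.log"


if __name__ == "__main__":
    print(include_vulnerable(traversal_payload()))
    try:
        include_hardened(traversal_payload())
    except PermissionError as e:
        print("blocked:", e)
```

The containment check is done on the resolved path rather than by searching the input for "../", so URL-encoded or doubled traversal sequences and symlinks inside the directory are handled the same way; an absolute path supplied as input also fails the check because os.path.join discards the base and realpath then lands outside it.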



Summary :

I would like to enlighten you guys about my recent finding. It was my luck that I clicked the Reload button on a 404 page by mistake and got an information disclosure. The vulnerability is properly resolved now.



Hello everyone, I wanted to share one of my findings related to Blind SSRF on a private program on HackerOne, for which they paid me $400.



Hello everyone, I thought of sharing my recent finding of a Double P1, which recently got solved, and they are sending me a Goodie Pack for it. It was a Responsible Disclosure program on which I found this. I found SQLi first and it was a normal database version disclosure, so they said they could accept it only if I found something interesting, so I tried to exploit it more and got the admin credentials; this SQLi was tough for me. Later, after 3 days, I enumerated one of its subdomains and found phpMyAdmin; I randomly tried the credentials that I had obtained using SQLi and got access. …



I would like to share one of my findings related to Jenkins, which I exploited using a Groovy script and got a shell back to my system.

Summary :

Jenkins is a self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software. Jenkins can be installed through native system packages, Docker, or even run standalone by any machine with a Java Runtime Environment (JRE) installed.

The Jenkins project was started in 2004 (originally called Hudson) by Kohsuke Kawaguchi while he worked for Sun Microsystems. He created it as a way to perform Continuous Integration (CI), that is, to test his code before he did an actual commit to the repository, to be sure all was well. …



Summary :

ShellShock (CVE-2014-6271 and the follow-up CVEs) is a serious security bug in Bash, a “shell” commonly used on computers running Linux, UNIX and OS X. Vulnerable versions of Bash executed commands appended to a function definition stored in an environment variable, and because network-facing services such as CGI scripts copy attacker-controlled request data into environment variables before calling Bash, ShellShock could allow an attacker to execute malicious commands on remote computers across the Internet.

What is bash ?

Bash is a Unix shell written for the GNU Project as a free software replacement for the Bourne shell. It is often installed as the system’s default command-line interface and it provides end users an interface to issue system commands and execute scripts.

Bash functions can be used in .sh …
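An added example, not from the original post: detection logic for ShellShock attempts run over constructed Apache access-log lines, plus the canonical local check against the installed bash. The log lines and IP addresses are constructed; the payload shape (a User-Agent beginning with the function marker `() {`) is the one the exploit used against CGI, where the header is exported as HTTP_USER_AGENT.

```python
import re
import shutil
import subprocess

# Vulnerable Bash treated any environment variable whose value started with
# "() {" as a function definition and kept parsing past the closing brace, so
# every Shellshock payload carries that marker.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Constructed access-log lines in Apache combined format; the last quoted
# field is the User-Agent, which a CGI server exports as HTTP_USER_AGENT.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.8 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { ignored;}; echo Content-Type: text/plain; echo; /usr/bin/id"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_shellshock_attempts(log_text):
    """Return (ip, request line, user agent) for every line whose User-Agent
    carries the Shellshock function marker. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if SHELLSHOCK_MARKER.search(m.group("ua")):
            hits.append((m.group("ip"), m.group("req"), m.group("ua")))
    return hits


def local_bash_is_vulnerable():
    """Run the canonical test against the local bash: a vulnerable build prints
    'vulnerable' while importing the variable x, a patched one prints only 'test'.
    Returns None when bash is not installed."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"x": "() { :;}; echo vulnerable"}
    out = subprocess.run([bash, "-c", "echo test"], env=env,
                         capture_output=True, text=True).stdout
    return "vulnerable" in out


if __name__ == "__main__":
    for ip, req, ua in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip} {req!r} UA={ua!r}")
    print("local bash vulnerable:", local_bash_is_vulnerable())
```

The marker regex deliberately allows whitespace variations, since the exploit only needs the string to begin with the function marker; in practice you would apply the same check to every logged header and query string, not only User-Agent, because any of them may be exported to the CGI environment.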



Summary :

Everyone knows what SQL Injection is, but just to give you a brief: it is a code injection technique that can read, alter or destroy your database. It usually occurs when you ask the user for input, like their username or user id, and instead of a name or id the user gives you a fragment of SQL that your application unknowingly concatenates into a query and runs against the database.

Example :

In SQL Injection, 1=1 is a condition that is always true. If there is nothing to prevent a user from entering such input, a user can enter something like this :



Summary :

HTTP Parameter Pollution (HPP) means polluting the HTTP parameters of a web application to achieve a specific malicious task. It refers to manipulating how a website treats the parameters it receives in HTTP requests, typically by sending the same parameter name more than once, so that the website behaves differently from how it was intended to. HTTP parameter pollution is a simple kind of attack, but it is an effective one.

When you pollute a parameter, the code that handles it runs only on the server side, which is invisible to us, but we can see the results on our screen. The process in between is a black box.

For example, there is a URL https://www.anybank.com/send which has three parameters…
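An added example, not from the original post, of why a duplicated parameter matters: two server-side components parse the same query string but disagree on which copy of `from` counts, so the authorization check approves one account while the transfer debits another. The endpoint, the parameter names `from`, `to` and `amount`, the account names and the first-wins/last-wins split are all assumptions made for the demo.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed query strings for a hypothetical transfer endpoint.
NORMAL_QS = "from=attacker_acct&to=attacker_acct&amount=100"
# The same, with a second 'from' appended after everything else.
POLLUTED_QS = "from=attacker_acct&to=attacker_acct&amount=100&from=victim_acct"


def authorize(params, session_acct):
    """Authorization layer: allow the transfer only if the debited account is
    the one bound to the logged-in session."""
    return params["from"] == session_acct


def execute_transfer(params):
    """Backend: performs the transfer described by the parameters it was given."""
    return {"debit": params["from"], "credit": params["to"], "amount": int(params["amount"])}


def handle_vulnerable(qs, session_acct):
    """Vulnerable pipeline: the authorization layer keeps the FIRST value of a
    repeated name, the backend keeps the LAST (dict() over ordered pairs), so the
    two components act on different 'from' accounts."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    first_wins = {}
    for key, value in pairs:
        first_wins.setdefault(key, value)
    last_wins = dict(pairs)
    if not authorize(first_wins, session_acct):
        return None
    return execute_transfer(last_wins)


def handle_hardened(qs, session_acct):
    """Hardened pipeline: parse once, reject any repeated name outright, and
    hand the same single-valued view to both components."""
    parsed = parse_qs(qs, keep_blank_values=True)
    duplicates = sorted(k for k, values in parsed.items() if len(values) > 1)
    if duplicates:
        raise ValueError(f"duplicate parameters: {duplicates}")
    params = {k: values[0] for k, values in parsed.items()}
    if not authorize(params, session_acct):
        return None
    return execute_transfer(params)


if __name__ == "__main__":
    print("vulnerable:", handle_vulnerable(POLLUTED_QS, "attacker_acct"))
    try:
        handle_hardened(POLLUTED_QS, "attacker_acct")
    except ValueError as e:
        print("hardened:", e)
```

Which copy a real stack keeps is technology-specific (PHP's $_GET keeps the last, Java servlets' getParameter returns the first, ASP.NET joins all values with commas), which is exactly why a front-end filter and a back-end written on different platforms can be made to disagree; rejecting duplicates at the edge removes the ambiguity instead of guessing.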



Hello everyone, I know that my speed of writing blogs has decreased; it's because I'm busy with some other stuff. It doesn't matter, I have come up with this great blog as a part of recon, because recon is important everywhere, and I hope you guys will like it.

Summary :

Everyone knows what GitHub is, but let me give you a brief about it.

What is GitHub ?

GitHub is a Git repository hosting service, but it adds many of its own features. While Git is a command-line tool, GitHub provides a web-based graphical interface.

Apart from this, the repositories hosted on it frequently contain API keys, passwords, customer data and other secrets that developers committed by accident, and Git keeps them in the history even after they are removed from the latest commit. Such sensitive information is very useful for an attacker, and a leak of this kind can cost a company thousands of dollars in damage. Let’s see the basic concept of GitHub recon first. …
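An added example of the recon step itself, not code from the original post: a small secret scanner run over constructed repository files. It combines fixed-format patterns (AWS access key ids, GitHub personal access tokens, PEM private-key headers) with a generic `keyword = value` rule filtered by Shannon entropy so that placeholders are not reported. The file contents are constructed; the AWS values are the example credentials from AWS's own documentation and the GitHub token is made up.

```python
import math
import re
from collections import Counter

# Fixed-format secrets: AWS access key ids are 20 characters starting with
# AKIA, GitHub personal access tokens are ghp_ plus 36 alphanumerics, and PEM
# private keys carry a fixed header.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic rule: a secret-looking name followed by = or : and a long value.
GENERIC_PATTERN = re.compile(
    r"(?i)(?:api[_-]?key|secret|password|token)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"
)

# Constructed repository contents, keyed by path.
SAMPLE_FILES = {
    "config/settings.py": (
        'DEBUG = False\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "changeme"\n'
    ),
    "README.md": "Set password = xxxxxxxxxxxxxxxxxxxx in your .env before running.\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
    ".github/workflows/ci.yml": "env:\n  GITHUB_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
}


def shannon_entropy(s):
    """Bits of entropy per character; random keys score well above prose or
    repeated filler like 'xxxxxxxx'."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text, min_entropy=3.5):
    """Return (path, line number, rule, value) for each hit. A line matched by a
    specific rule is not re-reported by the generic rule; generic hits below the
    entropy threshold are dropped as placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        specific_hit = False
        for name, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((path, lineno, name, m.group(0)))
                specific_hit = True
        if specific_hit:
            continue
        for m in GENERIC_PATTERN.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= min_entropy:
                findings.append((path, lineno, "generic_assignment", value))
    return findings


def scan_repo(files):
    """Scan a {path: contents} mapping, such as a checked-out tree."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, rule, value in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno} [{rule}] {value}")
```

Run against real history you would feed every blob reachable from every branch (for example the output of `git rev-list --all` piped through `git cat-file`), not just the working tree, since a secret removed in a later commit is still one checkout away.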

About

Shrey Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|
