🔗Links: 💸Purchase my code at a discounted rate using code 'RCE'👉🏼 hhub.io/Mt32ZHP4790 👀Free Remote Command Execution (RCE) Lab: shorturl.at/1QATs 💬Join the discord 👉🏼 Discord.gg/NahamSec
Cool video! Other methods of exploiting blind RCE to exfiltrate data: * Write to a text file somewhere under the web site folder, then access this file from the web site. * Use curl to send internal traffic to the website to imitate a public user feedback, like comments or post (if the site provides such functionality) and access it later from the web.
The first one is a good idea, but that requires you to find out where the web directories are and if you have access to write in those folders. Will make a video on this later, maybe.
nice catch bro, the ideas of exfiltrating data u have explained is also provided by portswiger in sqli labs i didn't thought of that we could do the same but in bash environment instead , so thanks for this infos
Hi Ben, I may have missed it if you've mentioned it before; but am I correct to assume that your course on hackinghub is updated vs the one on udemy? Thanks in advance
You can with if [ $(whoami | wc - c) = X ] where X is the length + 1. I see no reason for doing that. You do the approach in the video until you don't get any matches.
When we were working on this program, we had documentation that allowed us to know how the application worked. The scenario wasn't the same as this but the exploitation route was the same. A lot of times, you have throw sh*t at the wall and see what sticks.
Sometimes, yeah. In my instance, we had to upload a file that was rendered server-side where we invoked a function that allowed us to RCE. So burp wouldn't be able to catch it. But something like this where you are injecting a command, burp may be able to pick it up
BRO I AM DEEPLY LOOKING FOR OS COMMAND INJECTION BUT FINDING SOME ISSUE HAVE DONE PORTSWIGGER BUT I WANT DIFFER APPROACH INSTEAD OF FORMS TESTING COULD YOU HELP
Observer that wheever nahamsec clicks enter at that moment only the timer get prints. you can consider it as a timer/clock is not getting the packet latency it just get prints whever he enters, enter button is the trigger not the request time.
🔗Links:
💸Purchase my code at a discounted rate using code 'RCE'👉🏼 hhub.io/Mt32ZHP4790
👀Free Remote Command Execution (RCE) Lab: shorturl.at/1QATs
💬Join the discord 👉🏼 Discord.gg/NahamSec
Cool video! Other methods of exploiting blind RCE to exfiltrate data:
* Write to a text file somewhere under the web site folder, then access this file from the web site.
* Use curl to send internal traffic to the website to imitate a public user feedback, like comments or post (if the site provides such functionality) and access it later from the web.
The first one is a good idea, but that requires you to find out where the web directories are and if you have access to write in those folders. Will make a video on this later, maybe.
nice catch bro,
the ideas of exfiltrating data u have explained is also provided by portswiger in sqli labs
i didn't thought of that we could do the same but in bash environment instead , so
thanks for this infos
Thanks for watching!
Your videos are so helpful thnk you Behrooz❤❤
My pleasure 😊
Watched the video, very good, I like how it is designed sort of like DVWA with options of a firewall or no
Hi Ben,
I may have missed it if you've mentioned it before; but am I correct to assume that your course on hackinghub is updated vs the one on udemy?
Thanks in advance
This is also possible with Blind sql attacks, and is a very common attack vector.
Great Approach .! Is it possible to determine the length of the string first and then applying the character bruteforcing
You can with
if [ $(whoami | wc - c) = X ]
where X is the length + 1.
I see no reason for doing that. You do the approach in the video until you don't get any matches.
as a software eng, i was seriously mind blown when it clicked what you were doing with `sleep`, this is wild OMG 😳😳
Thank you!
Basically a time based SQLi, but with RCE. Cool.
This is Crazyyyy!! 😍
awesome. I enjoyed very much.tnx
this video shows how much smart you have become to become a hacker
Hey @nahamsec
Why is rate limiting not a valid bug even though the server is exhausted from handling multiple requests?
could the output of a command be redirected to a file which the server is serving, as an alternative to using sleep?
That's freaking smart
Unbelievable, how did you even think there could be an RCE in stock checking app?
This is a made up scenario to show the exploitation process. Sorry about the confusion.
Comando curl ajuda muito ,ética heck
Wow thats smart idea 💡
@NahamSec please give us more discount on your bug bounty course in this festive season
Amazing Content ;
The point is, how did you spot the vulnerability?
When we were working on this program, we had documentation that allowed us to know how the application worked. The scenario wasn't the same as this but the exploitation route was the same. A lot of times, you have throw sh*t at the wall and see what sticks.
I thought companies have stopped paying bounties.
WHY NOT TRYING DIRECT REVERSE SHELL ?
that RCE helper url isn't working, is it possible to self host or..?
We haven't had any issues reported with the lab and I just tested it out as well. Seems to be working.
@@NahamSec Getting 'hub not started'
هکر پارسیش قشنگه❤❤❤
I wonder, can burp scan pick this up?
Sometimes, yeah. In my instance, we had to upload a file that was rendered server-side where we invoked a function that allowed us to RCE. So burp wouldn't be able to catch it. But something like this where you are injecting a command, burp may be able to pick it up
BRO I AM DEEPLY LOOKING FOR OS COMMAND INJECTION BUT FINDING SOME ISSUE HAVE DONE PORTSWIGGER BUT I WANT DIFFER APPROACH INSTEAD OF FORMS TESTING COULD YOU HELP
Thanks for you free content
At 8:40.... 15:23:30 to 15:23:56 is not one second... Still don't get why no one saw that
Observer that wheever nahamsec clicks enter at that moment only the timer get prints. you can consider it as a timer/clock is not getting the packet latency it just get prints whever he enters, enter button is the trigger not the request time.
How do you capture dnslookup results?
I dont understand this part how can you see the result from nslookup
@@abdelrahmanmostafa9489 nslookup is like dig, they send dns queries.
I'm capturing the results using interact.sh that has that capability for me. It has the ability to capture DNS and HTTP requests.
awsomeee
Yes sqli
Please a make video on sql injection zero to hero
google and learning zero to hero :3
peace
All these hackers
TOMMYBOYDUPING!!!
هكر
هكر ؟؟
noice
هکر🫀
shit this is an amzaing
Now Hacker in Urdu , ❤
❤
its arabic
its Arabic bro
@@0xlol64 thanks, ( ہیکر ) I know brother
It's Farsi :P but I guess the same letters, right?
First 🎉
amazing