This Bug Got Me A $30,000 Bounty

  • Published: 9 Oct 2024
  • LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍
    📚 If you want to learn bug bounty hunting from me: bugbounty.naha...
    💻 If you want to practice some of my free labs and challenges: app.hackinghub.io
    💵 FREE $200 DigitalOcean Credit:
    m.do.co/c/3236...
    🔗 LINKS:
    📖 MY FAVORITE BOOKS:
    Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities -amzn.to/3Re8Pa2
    Hacking APIs: Breaking Web Application Programming Interfaces - amzn.to/45g4bOr
    Black Hat GraphQL: Attacking Next Generation APIs - amzn.to/455F9l3
    🍿 WATCH NEXT:
    If I Started Bug Bounty Hunting in 2024, I'd Do this - • If I Started Bug Bount...
    2023 How to Bug Bounty - • How to Bug Bounty in 2023
    Bug Bounty Hunting Full Time - youtu.be/watch...
    Hacking An Online Casino - youtu.be/watch...
    WebApp Pentesting/Hacking Roadmap - youtu.be/watch...
    MY OTHER SOCIALS:
    🌍 My website - www.nahamsec.com/
    👨‍💻 My free labs - app.hackinghub...
    🐦 Twitter - / nahamsec
    📸 Instagram - / nahamsec
    👨‍💻 Linkedin - / nahamsec
    WHO AM I?
    If we haven't met before, hey 👋! I'm Ben, most people online know me as NahamSec. I'm a hacker turned content creator. Through my videos on this channel, I share my experience as a top hacker and bug bounty hunter to help you become a better and more efficient hacker.
    FYI: Some of the links I have in the description are affiliate links that I get a percentage from.

Comments • 53

  • @NahamSec
    @NahamSec 3 days ago +4

    🔗Links:
    💸Purchase my code at a discounted rate using code 'RCE'👉🏼 hhub.io/Mt32ZHP4790
    👀Free Remote Command Execution (RCE) Lab: shorturl.at/1QATs
    💬Join the discord 👉🏼 Discord.gg/NahamSec

  • @geetub9073
    @geetub9073 2 days ago +5

    Cool video! Other methods of exploiting blind RCE to exfiltrate data:
    * Write to a text file somewhere under the web site folder, then access this file from the web site.
    * Use curl to send internal traffic to the website to imitate public user feedback, like a comment or post (if the site provides such functionality), and access it later from the web.

    • @NahamSec
      @NahamSec 20 hours ago +2

      The first one is a good idea, but that requires you to find out where the web directories are and if you have access to write in those folders. Will make a video on this later, maybe.

  • @dukedud9743
    @dukedud9743 2 days ago +3

    Nice catch bro,
    the ideas of exfiltrating data you have explained are also provided by PortSwigger in the SQLi labs.
    I didn't think that we could do the same but in a bash environment instead, so
    thanks for this info.

    • @NahamSec
      @NahamSec 20 hours ago +1

      Thanks for watching!

  • @MianHizb
    @MianHizb 2 days ago +2

    This is also possible with Blind sql attacks, and is a very common attack vector.

  • @Saeed-ko9wp
    @Saeed-ko9wp 2 days ago +2

    Your videos are so helpful, thank you Behrooz❤❤

    • @NahamSec
      @NahamSec 20 hours ago

      My pleasure 😊

  • @mohittirkey7889
    @mohittirkey7889 2 days ago +1

    Great approach! Is it possible to determine the length of the string first and then apply the character brute-forcing?

    • @manufaleschini
      @manufaleschini 1 day ago +2

      You can with
      if [ $(whoami | wc -c) = X ]
      where X is the length + 1.
      I see no reason for doing that. You do the approach in the video until you don't get any matches.
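The "stock check" scenario these comments keep coming back to, as an added example that is not from the video or its author: a hypothetical Python handler in its vulnerable form (user input interpolated into a shell string) beside a hardened one (allow-list validation, argument vector, no shell, bounded runtime). The binary path /usr/local/bin/stockcheck and all function names are assumptions.

```python
import re
import subprocess

# Assumed path of the backend tool the handler wraps (hypothetical).
STOCKCHECK_BIN = "/usr/local/bin/stockcheck"

# Allow-list for product ids: letters, digits, dash, underscore, bounded length.
PRODUCT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def build_vulnerable_command(product_id: str) -> str:
    """VULNERABLE pattern: user input pasted into a shell string.

    Run with shell=True, an id like "123; sleep 5" is parsed as two commands,
    which is the blind, time-based primitive discussed above. Shown only for
    contrast; nothing in this file executes the string it returns.
    """
    return f"{STOCKCHECK_BIN} --id {product_id}"


def is_valid_product_id(product_id: str) -> bool:
    """True only if the whole value matches the allow-list."""
    return PRODUCT_ID_RE.fullmatch(product_id) is not None


def validate_product_id(product_id: str) -> str:
    """Reject anything outside the allow-list before it reaches a process."""
    if not is_valid_product_id(product_id):
        raise ValueError(f"invalid product id: {product_id!r}")
    return product_id


def build_safe_argv(product_id: str, binary: str = STOCKCHECK_BIN) -> list:
    """Argument vector, never a shell string: metacharacters stay inert."""
    return [binary, "--id", validate_product_id(product_id)]


def run_stock_check(product_id: str, binary: str = STOCKCHECK_BIN,
                    timeout_s: float = 3.0) -> str:
    """Hardened handler: allow-list + argv + shell=False + timeout.

    The timeout is not a fix for injection; it only caps how long one request
    can hang, which blunts timing oracles and resource exhaustion.
    """
    result = subprocess.run(build_safe_argv(product_id, binary), shell=False,
                            capture_output=True, text=True,
                            timeout=timeout_s, check=True)
    return result.stdout


if __name__ == "__main__":
    # Demo with "echo" standing in for the real binary.
    print(run_stock_check("SKU-42", binary="echo"), end="")
```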

  • @abdirahmann
    @abdirahmann 2 days ago +1

    as a software eng, i was seriously mind blown when it clicked what you were doing with `sleep`, this is wild OMG 😳😳

  • @lorenzociavatti7238
    @lorenzociavatti7238 2 days ago

    Basically a time based SQLi, but with RCE. Cool.

  • @SumanRoy.official
    @SumanRoy.official 2 days ago +4

    Unbelievable, how did you even think there could be an RCE in a stock checking app?

    • @NahamSec
      @NahamSec 20 hours ago +1

      This is a made up scenario to show the exploitation process. Sorry about the confusion.

  • @kosacimadri3386
    @kosacimadri3386 2 days ago +1

    Hey @nahamsec
    Why is rate limiting not a valid bug even though the server is exhausted from handling multiple requests?

  • @tonyr8888
    @tonyr8888 2 days ago +1

    could the output of a command be redirected to a file which the server is serving, as an alternative to using sleep?

  • @alizareii8307
    @alizareii8307 1 day ago

    Awesome. I enjoyed it very much. Thanks

  • @somanverma9644
    @somanverma9644 3 days ago +3

    Please make a video on SQL injection zero to hero

    • @AKBD-sl7ms
      @AKBD-sl7ms 2 days ago

      google and learning zero to hero :3

  • @parthshukla1216
    @parthshukla1216 2 days ago

    This is Crazyyyy!! 😍

  • @SumherShankal
    @SumherShankal 2 days ago +1

    The point is, how did you spot the vulnerability?

    • @NahamSec
      @NahamSec 20 hours ago +3

      When we were working on this program, we had documentation that allowed us to know how the application worked. The scenario wasn't the same as this, but the exploitation route was the same. A lot of times, you have to throw sh*t at the wall and see what sticks.

  • @bloatless
    @bloatless 2 days ago

    Amazing Content ;

  • @MustafaGains
    @MustafaGains 3 days ago

    Wow, that's a smart idea 💡

  • @NauSikhiya-sf3gf
    @NauSikhiya-sf3gf 2 days ago

    BRO I AM DEEPLY LOOKING FOR OS COMMAND INJECTION BUT FINDING SOME ISSUE HAVE DONE PORTSWIGGER BUT I WANT DIFFER APPROACH INSTEAD OF FORMS TESTING COULD YOU HELP

  • @fnulnu5645
    @fnulnu5645 1 day ago

    that RCE helper url isn't working, is it possible to self host or..?

    • @NahamSec
      @NahamSec 20 hours ago

      We haven't had any issues reported with the lab and I just tested it out as well. Seems to be working.

    • @fnulnu5645
      @fnulnu5645 19 hours ago

      @NahamSec Getting 'hub not started'

  • @ashhl9826
    @ashhl9826 1 day ago

    I wonder, can burp scan pick this up?

    • @NahamSec
      @NahamSec 20 hours ago

      Sometimes, yeah. In my instance, we had to upload a file that was rendered server-side, where we invoked a function that allowed us to RCE. So Burp wouldn't be able to catch it. But something like this, where you are injecting a command, Burp may be able to pick it up.

  • @Exploit5lover
    @Exploit5lover 3 days ago

    Thanks for your free content

  • @abdelrahmanmostafa9489
    @abdelrahmanmostafa9489 2 days ago

    How do you capture dnslookup results?

    • @abdelrahmanmostafa9489
      @abdelrahmanmostafa9489 2 days ago

      I don't understand this part, how can you see the result from nslookup?

    • @hussamalamza4531
      @hussamalamza4531 1 day ago

      @abdelrahmanmostafa9489 nslookup is like dig, they send DNS queries.

    • @NahamSec
      @NahamSec 20 hours ago

      I'm capturing the results using interact.sh that has that capability for me. It has the ability to capture DNS and HTTP requests.

  • @AdedayoEnoch
    @AdedayoEnoch 2 days ago

    At 8:40.... 15:23:30 to 15:23:56 is not one second... Still don't get why no one saw that

    • @Bug-Boss
      @Bug-Boss 2 days ago +3

      Observe that whenever NahamSec clicks enter, at that moment only the timer gets printed. You can consider that the timer/clock is not getting the packet latency; it just gets printed whenever he presses enter. The enter button is the trigger, not the request time.

  • @WebWonders1
    @WebWonders1 2 days ago +1

    Yes sqli

  • @blackyogurt
    @blackyogurt 2 days ago

    awesomeee

  • @Exploit5lover
    @Exploit5lover 3 days ago +7

    Now Hacker in Urdu, ❤

    • @WaseemLaghari-m4e
      @WaseemLaghari-m4e 2 days ago

    • @0xlol64
      @0xlol64 2 days ago

      It's Arabic

    • @0xlol64
      @0xlol64 2 days ago

      It's Arabic, bro

    • @Exploit5lover
      @Exploit5lover 2 days ago

      @0xlol64 thanks, ( ہیکر ) I know, brother

    • @NahamSec
      @NahamSec 20 hours ago

      It's Farsi :P but I guess the same letters, right?

  • @musstafaalhashme9249
    @musstafaalhashme9249 2 days ago

    Hacker??

  • @danishbhat1536
    @danishbhat1536 21 hours ago

    shit this is amazing

  • @ahmjksjssd
    @ahmjksjssd 14 hours ago

    Hacker

  • @cybersecuritycs8129
    @cybersecuritycs8129 3 days ago

    First 🎉

  • @PZSpiel
    @PZSpiel 2 days ago

    amazing