Founder of @Cuberks. Maker, hacker, security researcher. Love nature and psithurism. Tweets mostly about hacking, tech, entrepreneurship, and other geeky stuff.
As I previously promised, here is my write-up on how I managed to find the SSRF bug on the biggest social media website, Facebook.
So I wrote a blog about that finding. I hope you like it. 🍷
#BugBounty
#Infosec
I wonder why some sys-admins configure the server with sudo privileges! 🤔
Tip: Always test for Expression Language Injection like OGNL when you see *.do and *.action file extensions.
#security
#bugbountytip
#hacking
Find leaked API Keys and Secrets using a single GitHub search query
Tip: Never commit your keys/secrets to your public repository
#Security
#DataLeak
#Hacking
CVE-2024-25600: Unauth. RCE vulnerability caused by PHP code injection in Bricks Builder, a WordPress site builder with over 25,000 active installations.
Severity: Critical (CVSS 9.8)
Root cause analysis:
PoC:
Mitigation: Upgrade
If an unsafe logger is used, an attacker can inject code and execute arbitrary commands, even if the page being accessed is a 404 page.
Always test HTTP request headers to make sure the application is handling the headers correctly.
#Security
#bugbountytips
#Hacking
#OOB_RCE
New write-up alert. My second write-up is out.
This is about the reflected cross-site scripting (rXSS) vulnerabilities I found on Facebook. I hope you like it. 🥂
#BugBounty
#Infosec
Testers! Add "ui_config.properties" and "" files to your wordlist; these files contain juicy info like secret tokens and passwords. Excitingly, I discovered two on production servers of multinational telecom and IT giants!
#security
#Pentesting
#Hacking
PHP developers commonly create .inc files with PHP code for inclusion in other scripts using include or require statements. However, if the server doesn't parse .inc files as PHP, attackers can view your source code by accessing the file directly.
This is what happens when your JWT signature key is exposed.
Remember, don't hardcode or commit sensitive keys/tokens in public repositories.
#Security
#vulnerability
#Hacking
PoC - Privilege Escalation in Ubuntu/Kali Linux (CVE-2023-2640 and CVE-2023-32629)
Code is available at:
For more details, refer to the original research article:
- POST HTTP request possible with any non-existent path after "/console/" (e.g., /console/any/non-existent/path/xyz.html)
- Arbitrary Content-Type & POST body content reflects in response without output encoding
- UAT also affected -
PHP extract() & Dynamic Function Lead to RCE. While functions like system(), exec(), and shell_exec() are often sanitized, extract() is different because it can overwrite existing variables. This unique behavior can enable hackers to create undetectable backdoors.
#Security
#PHP
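As an added illustration (not code from the original post), the variable-overwrite behaviour described above is shown next to a hardened version; the request array and the function names are constructed for this example:

```php
<?php
// Added example: extract() silently overwrites variables the code already
// defined, which is what turns "harmless" request parsing into a backdoor.

// Vulnerable: extract() imports every request key as a local variable. A
// request such as ?is_admin=1&action=phpinfo clobbers both $is_admin and
// $action, although neither was meant to be user-controlled.
function render_vulnerable(array $request): string
{
    $is_admin = false;
    $action   = 'show_profile';      // dynamic function name chosen by the code
    extract($request);               // default EXTR_OVERWRITE replaces $is_admin and $action
    if ($is_admin && function_exists($action)) {
        return "would call {$action}() as admin";   // the caller now picks the callable
    }
    return 'regular user view';
}

// Hardened: no extract(). Read only the keys you expect, validate them, and
// resolve the action through an allow-list instead of a variable function.
// (If extract() is unavoidable, EXTR_SKIP stops it overwriting existing
// variables, but it still imports any unexpected name, so prefer this form.)
function render_hardened(array $request, bool $is_admin): string
{
    $allowed = ['show_profile' => 'Profile page', 'show_settings' => 'Settings page'];
    $action  = $request['action'] ?? 'show_profile';
    if (!array_key_exists($action, $allowed)) {
        return 'invalid action';
    }
    return ($is_admin ? '[admin] ' : '') . $allowed[$action];
}

// Constructed sample request standing in for $_GET from a crafted URL.
$crafted = ['is_admin' => '1', 'action' => 'phpinfo'];

echo render_vulnerable($crafted), PHP_EOL;       // would call phpinfo() as admin
echo render_hardened($crafted, false), PHP_EOL;  // invalid action
```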
I recently found an information disclosure bug in a live application.
Some REST APIs follow a convention where singular endpoints (/api/v1/user/12345) return information about a single entity, while plural endpoints (/api/v1/users) return collections of entities.
RCE in Traccar GPS Tracking System (4.4k GitHub stars).
Authenticated users can upload and overwrite Velocity templates (.vm). An attacker can overwrite 'passwordReset.vm' with malicious content and trigger execution via '/api/password/reset' with a valid email ID as a POST parameter.
Auth. Bypass (CVE-2024-28255) and SpEL Injection (CVE-2024-28254) in OpenMetadata lead to a critical RCE (OOB Data Exfiltration).
Technical details & PoC:
Mitigation: Update to Patched v1.2.4 or newer.
Credit for the original discovery goes to @pwntester
I've spent a long time finding security vulnerabilities in Facebook.
Today, I'm sharing interesting IT assets I came across during security testing.
I'm excited about contributions and hope this will save the time of many pen-testers.
#Security
#Facebook
From code execution to S3 data leak, my latest blog post is on the journey of discovering a bug in Meta (Facebook).
You don't want to miss this!
#infosec
#hacking
#pentesting
If you come across a target that hosts Zendesk, don't forget to fuzz their API endpoints for potential misconfigurations and information leaks. But be cautious! The list includes various deletion endpoints as well.
List of Zendesk API endpoints:
I've seen that many people are very excited about the write-up.
As I promised earlier, I will publish it.
It will take time, because I have other similar findings (on Facebook) that are not yet resolved.
CVE-2024-1212: Unauth. Command Injection in Progress Kemp LoadMaster
Severity: Critical
Root cause analysis:
Mitigation: Upgrade to patched version 7.2.59.2.22338 or later.
Credit for the original discovery goes to @daveysec of @RhinoSecurity
Tools that make my #InfoSec life easy 🕵️♂️
AFL
Burp Suite
checkov
dirsearch
Frida
httpx
IDA
jadx-gui
John The Ripper
Linux utilities (Netcat/nc, curl, gdb, sed, man, BusyBox, nohup, etc)
Metasploit
mimikatz
MobSF
Nessus
ngrok
Nmap
SQLmap
WireShark
Ysoserial
Know more tools? Reply👇
Execute OS commands in stealth mode, 🕵️♀️✨ No traces of Runtime.exec(), ProcessBuilder, Apache Commons Exec.
Power of custom class loaders and bytecode magic!
#infosec
#Pentesting
#Hacking
#JavaUnderground
CVE-2023-47218: QNAP QTS and QuTS Hero Unauth. Command Injection
Blog:
Security Advisory:
Mitigation: Upgrade Firmware (Control Panel > System > Firmware Update)
Credit for the original discovery goes to @stephenfewer of @rapid7
Alert ⚠️
vm2, a widely used Node.js library, has severe security flaws (CVSS 9.8/10) allowing attackers to escape sandboxes and run malicious code.
Project is discontinued. DO NOT use in production apps.
Check PoCs by @0x10n
1.
2.
CVE-2024-3116: Remote Code Execution (RCE) in pgAdmin version 8.4 or below.
Severity: HIGH
Mitigation: Upgrade
Proof of Concept:
Patch Commit:
Advisory:
Credit for the original discovery goes to @aessadek
It is a telecom website that handles highly confidential information, so I can't share other details. Further exploitation depends on server configuration. For more information, please refer to a highly informative presentation by @orange_8361 at BlackHat.
Check out my latest blog on how I compromised a banking server by exploiting some vulnerabilities.
The journey from AFR to RCE.
I hope you'll like it. 🥂
#security
#infosec
#hacking
CVE-2023-38545: A heap buffer overflow vulnerability in cURL, which gained attention due to an early patch exposure.
Exploitation requires certain conditions, like the use of SOCKS proxies and certain redirect settings.
This cannot be used to convert SSRF into RCE.
#infosec
I just earned $1000 by finding an SSRF in Facebook production servers.
I would like to thank the Facebook Security Team for rewarding me with this great bounty, thank you guys.
#writeup soon
Security Research != Bug Bounty Hunting
...but they share a common goal of identifying and mitigating vulnerabilities
Do you agree? Share your thoughts in the comment section!
Do you know that the first SQL injection, discovered in 1998 by Jeff Forristal (pseudonym "Rain Forest Puppy") and detailed in the hacker zine Phrack, demonstrated how to inject SQL payloads into legitimate commands to extract sensitive information from databases?
Merry Christmas everyone🎄
Just published a new article on Testing Online Exam/Quiz Software (thick client).
Check it out! I hope you'll learn something new. 🙌
#Security
#infosec
#Hacking
Post-Authentication Command Injection in CHAOS (Remote Administration Tool)
Attackers can exploit this flaw via the "filename" parameter in a multipart/form-data HTTP POST request sent to http://CHAOS_RAT_IP:8080/generate
Reference:
Sysadmins & Devs: Resist the temptation to stash Azure creds (plaintext) in /etc 🔴
- Use token-based authentication (temporary credentials) for specific services and implement token rotation policies to regularly refresh and expire access tokens. ✅
I reported similar CSS injection and JavaScript injection issues to GitHub around six months ago. However, the JavaScript code was not executed due to CSP, and the issues were marked as duplicates.
@AhmedMa07846126
Sometimes, you may get OS command injection on the target website, but the payload may be blocked by the Web Application Firewall (WAF) due to restricted keywords like "echo", "/etc/", "cat", "passwd", etc. This is a WAF bypass technique to successfully deliver the payload.
To configure Apache to parse ".inc" files as PHP:
1. Open your Apache configuration file (httpd.conf).
2. Add the following line within the <IfModule mod_php.c> section:
AddType application/x-httpd-php .inc
3. Restart Apache.
Get ready for an inside look into the journey from code execution to S3 data leak. Stay tuned for my upcoming blog post about a bug that I discovered in the world's biggest social media platform!
#cybersecurity
#bugbounty
#infosec