Escalating Self-XSS for Riches
I have a bit of a love hate relationship with Self XSS. I find them somewhat regularly, and while I do think programs should pay a bounty for them (the lowest they offer), I’m…
tag
27 posts
I have a bit of a love hate relationship with Self XSS. I find them somewhat regularly, and while I do think programs should pay a bounty for them (the lowest they offer), I’m…
After I created TemplateSearch.io, I was testing it out by searching for random things and I came across several templates for YesWiki. So I Googled it to see exactly what it is…
I was tired of manually searching for the right Nuclei templates to use. The one existing site that lets you search them — while interestingly designed and certainly more stylish…
I went to install Tailscale on a Wifi Pineapple, and the normal pipe to bash (lol) script didn't work. I had to do it manually like this. YMMV attempt at your own risk . I'm…
I received an email saying I'm a top 25 researcher in the California VDP from 2024. Not too bad from the thousands of reports they get, I'm sure.
A while back the illustrious team over at Project Discovery wrote about the discovery of an SQLi in Masa/Mura CMS . It's a good writeup, so go check it out for the technical…
If you're a pentester or bug bounty hunter that is trying to do some iOS mobile application testing, half the battle is getting a phone properly jailbroken so you can proxy HTTP…
Note: disregard any layout/content/formatting errors as this post was migrated from wordpress to jekyll As mentioned in a previous post, I was the July RotM for the DoD VDP…
I was recently awarded the DoD Researcher of the Month for July, 2023 . Between moving across the country and other hacking duties, I still had time to hammer away at a particular…
I found a textbook SQLi in the Eufy Security application. Don't mind the heavy use of red blocks to redact. The first, normal request. Everything looks fine. Notice the response…
Organizr is a self hosted application written in PHP that basically helps you self host other services at your home. It's nifty application with a surprisingly large amount of…
I've continued my quest to translate exploits into Golang. Here is an RCE in Webmin due to broken access controls. Please see the following links for more information.…
These were given CVE 2022 43263 and CVE 2022 43264. I found these vulnerabilities in the latest version of Guitar Pro (1.10.2) on the iPad and iPhone. Neither one is that great of…
I was doing a security review of CrushFTP , a multi platform FTP application, and I came across a DoS stemming from lack of validation of user input. Originally, I thought there…
Once again, I decided to rewrite an exploit in Golang. Once again, I did thirty seconds of searching to find if someone had already written this one in Golang. Once again, I did…
Let's say you're doing a pentest, and you run across access to AWS Lambda. I recently learned you can get a persistent shell (for 15 minutes, at least) via Lambda, which seemed…
The weather station issues were given CVE 2022 35122 . I contacted the manufacturer in regards to these issues. They responded quickly. I wasn't expecting anything to be done…
This was given CVE 2022 35122. I recently purchased the ECOWITT GW1102 Home Weather Station . It's exactly what it sounds like a mini weather station for your house. It has all…
Prerequisites and Getting Started I sometimes like to spin up a virutal machine in the cloud, do some testing, and then tear it down. It doesn't even have to be for bug bounty…
This was given CVE 2022 25568. As mentioned in my previous posts here and here , I've done a little digging into the conditions that are required for the MotioneEye config file to…
I was given CVE 2021 44255 for this authenticated RCE via a malicious tasks (python pickle) file. So that's fun. Even though it is authenticated, the default username is admin and…
Newer versions of Linux may not come with any sort of Python 2 installed. I recently wanted to run Sharpshooter , which is a "payload creation framework for the retrieval and…
I've been wanting to learn Go, and I learn by doing, so I decided to write a POC for CVE 2021 22205, which is fairly straightforward RCE in Gitlab that dropped a few weeks ago. My…
Getting Started with MotionEye MotionEye is an open source, web based GUI for the popular Motion CLI application found on Linux. I've known of the Motion command line app for…
I've been testing some new Python based CMSs and CMS like software. I've heard of Plone before, but I never had a chance to check it out until now. I was a couple of days into my…
A pull request has been submitted to remove this functionality and to depricate the old pickled settings, which is a wise security decision. Edit: This vulnerability has been…
TLDR: Read the code before you install random qbittorent plug ins. qBittorrent has a feature that allows you to install a search plugin to search for torrents on your favorite…