🔗Links: 💸Purchase my code at a discounted rate using code 'RCE'👉🏼 hhub.io/Mt32ZHP4790 👀Free Remote Command Execution (RCE) Lab: shorturl.at/1QATs 💬Join the discord 👉🏼 Discord.gg/NahamSec
@geetub9073 3 months ago
Cool video! Other methods of exploiting blind RCE to exfiltrate data:
* Write to a text file somewhere under the web site folder, then access this file from the web site.
* Use curl to send internal traffic to the website to imitate public user feedback, like comments or posts (if the site provides such functionality), and access it later from the web.
@NahamSec 2 months ago
The first one is a good idea, but that requires you to find out where the web directories are and if you have access to write in those folders. Will make a video on this later, maybe.
@dukedud9743 3 months ago
Nice catch bro, the ideas of exfiltrating data you have explained are also provided by PortSwigger in the SQLi labs. I didn't think we could do the same in a bash environment instead, so thanks for this info.
@NahamSec 2 months ago
Thanks for watching!
@Saeed-ko9wp 3 months ago
Your videos are so helpful, thank you Behrooz❤❤
@NahamSec 2 months ago
My pleasure 😊
@MianHizb 3 months ago
This is also possible with blind SQL attacks, and is a very common attack vector.
@Jarling-so4oi 2 months ago
Watched the video, very good, I like how it is designed sort of like DVWA with the option of a firewall or not.
@parthshukla1216 3 months ago
This is Crazyyyy!! 😍
@alizareii8307 2 months ago
Awesome. I enjoyed it very much. Thanks
@mohittirkey7889 3 months ago
Great approach! Is it possible to determine the length of the string first and then apply the character brute-forcing?
@manufaleschini 2 months ago
You can with `if [ $(whoami | wc -c) = X ]` where X is the length + 1. I see no reason for doing that. You do the approach in the video until you don't get any matches.
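The length-first probe in the comment above, and the sleep-based character guessing from the video that it refines, leave two recognisable traces in a web server's access log: shell metacharacters and command substitution inside a parameter, and a run of responses to one path from one client that are all delayed by roughly the same number of seconds. As an added example (this is not code from the video, the commenter, or NahamSec's lab), here is a small Python analyser that flags both signals over a constructed nginx-style access log. The log format with `$request_time` appended as the last field, the client addresses and the `/stock` endpoint are all constructed assumptions for the sample.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access log: nginx combined format with $request_time (seconds)
# appended. 203.0.113.7 imitates sleep-based blind command injection probing
# against a stock-check endpoint; 198.51.100.4 is an ordinary slow report request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:15:23:30 +0000] "GET /stock?productId=1 HTTP/1.1" 200 512 0.012
203.0.113.7 - - [10/Oct/2024:15:23:31 +0000] "GET /stock?productId=1%3Bif%20%5B%20%24(whoami%20%7C%20wc%20-c)%20%3D%205%20%5D%3B%20then%20sleep%205%3B%20fi HTTP/1.1" 200 512 5.021
203.0.113.7 - - [10/Oct/2024:15:23:37 +0000] "GET /stock?productId=1%3Bif%20%5B%20%24(whoami%20%7C%20cut%20-c1)%20%3D%20a%20%5D%3B%20then%20sleep%205%3B%20fi HTTP/1.1" 200 512 0.011
203.0.113.7 - - [10/Oct/2024:15:23:38 +0000] "GET /stock?productId=1%3Bif%20%5B%20%24(whoami%20%7C%20cut%20-c1)%20%3D%20w%20%5D%3B%20then%20sleep%205%3B%20fi HTTP/1.1" 200 512 5.019
203.0.113.7 - - [10/Oct/2024:15:23:44 +0000] "GET /stock?productId=1%3Bif%20%5B%20%24(whoami%20%7C%20cut%20-c2)%20%3D%20w%20%5D%3B%20then%20sleep%205%3B%20fi HTTP/1.1" 200 512 5.020
198.51.100.4 - - [10/Oct/2024:15:24:02 +0000] "GET /report?year=2024 HTTP/1.1" 200 88211 4.803
"""

# Combined log format plus one trailing request-time field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<rt>\d+(?:\.\d+)?)$'
)

# Signatures of shell injection in a parameter value, checked after URL decoding.
INJECTION_PATTERNS = {
    # a shell separator followed by a command that has no business in a product id
    "chained_command": re.compile(r"[;&|`]\s*(if|sleep|whoami|id|wc|cut|curl|wget|nslookup|dig)\b"),
    # $(...) or backticks: command output embedded into a test expression
    "command_substitution": re.compile(r"\$\(|`"),
    # an explicit delay, the hallmark of time-based blind probing
    "timing_probe": re.compile(r"\bsleep\s+\d+"),
    # length check or single-character slicing of command output
    "output_slicing": re.compile(r"\bwc\s+-c\b|\bcut\s+-c\s*\d+"),
}


def parse_line(line):
    """Return ip, path, decoded query and request time for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query": unquote_plus(parts.query),  # decode %XX and '+' before matching
        "rt": float(m.group("rt")),
    }


def match_patterns(decoded_query):
    """Names of every injection signature found in the decoded query string."""
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(decoded_query)]


def analyze(log_text, delay_threshold=2.0, min_delayed=3):
    """Flag requests carrying injection signatures, and (ip, path) pairs with a
    run of delayed responses, which is how a sleep-based probe looks even when
    the payload itself is not recognised."""
    pattern_hits = []
    delayed = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = match_patterns(rec["query"])
        if names:
            pattern_hits.append((rec["ip"], rec["path"], names))
        if rec["rt"] >= delay_threshold:
            delayed[(rec["ip"], rec["path"])] += 1
    timing_alerts = [(ip, path, n) for (ip, path), n in delayed.items() if n >= min_delayed]
    return {"pattern_hits": pattern_hits, "timing_alerts": timing_alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path, names in result["pattern_hits"]:
        print(f"injection signature from {ip} on {path}: {', '.join(names)}")
    for ip, path, n in result["timing_alerts"]:
        print(f"{n} delayed responses to {path} from {ip}: possible time-based probing")
```

The timing rule is the one worth keeping even if the pattern list is bypassed: a successful character guess costs the attacker a full `sleep`, so correct guesses show up as a cluster of near-identical multi-second response times to one path from one source, while the single slow `/report` request never reaches the threshold. Tune `delay_threshold` to the endpoint's normal latency and `min_delayed` to the noise level of your traffic.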
@abdirahmann 3 months ago
As a software eng, I was seriously mind blown when it clicked what you were doing with `sleep`, this is wild OMG 😳😳
@NahamSec 2 months ago
Thank you!
@tonyr8888 3 months ago
Could the output of a command be redirected to a file which the server is serving, as an alternative to using sleep?
@lorenzociavatti7238 3 months ago
Basically a time-based SQLi, but with RCE. Cool.
@elwi655 2 months ago
Hi Ben, I may have missed it if you've mentioned it before, but am I correct to assume that your course on hackinghub is updated vs the one on udemy? Thanks in advance
@kosacimadri3386 3 months ago
Hey @nahamsec, why is rate limiting not a valid bug even though the server is exhausted from handling multiple requests?
@MustafaGains 3 months ago
Wow, that's a smart idea 💡
@averagedailycontent 1 month ago
Buddy, you're great... thank you so much. Will you put up a Persian course?
@SD-Geek 2 months ago
This video shows how smart you have become to become a hacker
@leghdaf 3 months ago
Amazing content
@Mo5_483 2 months ago
The Persian "hacker" (هکر) is beautiful ❤❤❤
@Mohacks 1 month ago
That's freaking smart
@NauSikhiya-sf3gf 3 months ago
Bro, I am deeply looking for OS command injection but finding some issues. I have done PortSwigger but I want a different approach instead of form testing. Could you help?
@SumanRoy.official 3 months ago
Unbelievable, how did you even think there could be an RCE in a stock checking app?
@NahamSec 2 months ago
This is a made-up scenario to show the exploitation process. Sorry about the confusion.
@mohadjermohamed3439 2 months ago
Why not try a direct reverse shell?
@fnulnu5645 3 months ago
That RCE helper URL isn't working, is it possible to self-host or..?
@NahamSec 2 months ago
We haven't had any issues reported with the lab and I just tested it out as well. Seems to be working.
@fnulnu5645 2 months ago
@@NahamSec Getting 'hub not started'
@HexRo0t 2 months ago
The curl command helps a lot, ethical hack
@TravelVInee 2 months ago
@NahamSec please give us more discount on your bug bounty course in this festive season
@Exploit5lover 3 months ago
Thanks for your free content
@SumherShankal 3 months ago
The point is, how did you spot the vulnerability?
@NahamSec 2 months ago
When we were working on this program, we had documentation that allowed us to know how the application worked. The scenario wasn't the same as this but the exploitation route was the same. A lot of times, you have to throw sh*t at the wall and see what sticks.
@ashhl9826 2 months ago
I wonder, can Burp scan pick this up?
@NahamSec 2 months ago
Sometimes, yeah. In my instance, we had to upload a file that was rendered server-side where we invoked a function that allowed us to RCE. So Burp wouldn't be able to catch it. But something like this where you are injecting a command, Burp may be able to pick it up.
@abdelrahmanmostafa9489 3 months ago
How do you capture the DNS lookup results?
@abdelrahmanmostafa9489 3 months ago
I don't understand this part, how can you see the result from nslookup?
@hussamalamza4531 2 months ago
@@abdelrahmanmostafa9489 nslookup is like dig, they send DNS queries.
@NahamSec 2 months ago
I'm capturing the results using interact.sh, which has that capability for me. It has the ability to capture DNS and HTTP requests.
@AdedayoEnoch 3 months ago
At 8:40.... 15:23:30 to 15:23:56 is not one second... Still don't get why no one saw that
@Bug-Boss 3 months ago
Observe that whenever NahamSec presses Enter, only at that moment does the timer get printed. You can consider that the timer/clock is not measuring the packet latency; it just gets printed whenever he presses Enter. The Enter button is the trigger, not the request time.
@MP-eq8fx 2 months ago
I thought companies had stopped paying bounties.
@blackyogurt 3 months ago
Awesome
@WebWonders1 3 months ago
Yes SQLi
@somanverma9644 3 months ago
Please make a video on SQL injection, zero to hero
@AKBD-sl7ms 3 months ago
Google and learning, zero to hero :3
@mehrankurd 1 month ago
peace
@tommyboyhacking 2 months ago
All these hackers
@NahamSec 2 months ago
TOMMYBOYDUPING!!!
@erfanhap4758 2 months ago
Hacker (هکر) 🫀
@SD-Geek 2 months ago
noice
@ahmjksjssd 2 months ago
Hacker (هكر)
@musstafaalhashme9249 3 months ago
Hacker (هكر)??
@danishbhat1536 2 months ago
shit this is amazing
@cybersecuritycs8129 3 months ago
First 🎉
@Exploit5lover 3 months ago
Now Hacker in Urdu, ❤
@WaseemLaghari-m4e 3 months ago
❤
@0xlol64 3 months ago
It's Arabic
@0xlol64 3 months ago
It's Arabic bro
@Exploit5lover 3 months ago
@@0xlol64 thanks, (ہیکر, "hacker") I know brother
@NahamSec 2 months ago
It's Farsi :P but I guess the same letters, right?