A search engine for finding articles such as writeups, payloads, and vulnerability-hunting techniques.
Bug Bounty Hunting Search Engine
URL
https://www.bugbountyhunting.com
Examples
For example, searching for RCE returns the following list:
✍️ Making Clouds Rain :: Remote Code Execution in Microsoft Office 365
✍️ Cookie Tossing to RCE on Google Cloud JupyterLab
✍️ Write Up: Google VRP N/A – Sandboxed Rce As Root On Apigee API Proxies
✍️ How I dumped PII information of customers in an ecommerce site?
✍️ RCE via LFI Log Poisoning – The Death Potion
✍️ Out of Band XXE in an E-commerce IOS app
✍️ RCE via Server-Side Template Injection
✍️ Smuggling an (Un)exploitable XSS
✍️ Leaked .git folder leads to RCE
✍️ Wormable remote code execution in Alien Swarm
✍️ Samsung S20 – RCE via Samsung Galaxy Store App
✍️ GitHub Pages – Multiple RCEs via insecure Kramdown configuration – $25,000 Bounty
✍️ GitHub – RCE via git option injection (almost) – $20,000 Bounty
✍️ Leveraging LFI to RCE in a website with +20000 users
✍️ Write Up – Google Bug Bounty: XSS To Cloud Shell Instance Takeover (Rce As Root) – $5,000 USD
✍️ Res-block: Extension Resources Block Attack on Chrome’s Incognito Mode
✍️ How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM
✍️ From Android Static Analysis to RCE on Prod
✍️ How_i_was_able_to_pawned_website_via_escilating_webcache deception to rce
✍️ Django debug mode to RCE in Microsoft acquisition
✍️ Open Sesame: Escalating Open Redirect to RCE with Electron Code Review
✍️ Crowdsource Success Story: From an Out-of-Scope Open Redirect to CVE-2020-1323
✍️ CVE-2020-11518: how I bruteforced my way into your Active Directory
✍️ The feature works as intended, but what’s in the source?
✍️ XSS, RCE & HTML File Upload in same endpoint
✍️ RCE via image upload functionality
✍️ Exploiting Bitdefender Antivirus: RCE from any website
✍️ It took me only 5 minutes to find an RCE on Bentley
✍️ Account Takeover via OTP Bruteforce (Apigee API)
✍️ Guest Blog: From File Upload to RCE
✍️ Hunting on ASPX Application For P1’s [Unauthenticated SOAP,RCE, Info Disclosure]
✍️ Bug Hunting Stories: Schneider Electric & The Andover Continuum Web.Client
✍️ How Source code reading helped me find an IDOR
✍️ RCE in Google Cloud Deployment Manager
✍️ My first 10k bdt bounty from an e-commerce site
✍️ Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC
✍️ OTP Bruteforce- Account Takeover
✍️ Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study
✍️ Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image)
✍️ Ability to bruteforce Instagram account’s password due to lack of rate limitation protection
✍️ Finding a P1 in one minute with Shodan.io (RCE)
✍️ RCE via Apache Struts2 – Still out there.
✍️ Uploading Backdoor For Fun And Profit.
✍️ Responsible Disclosure: Breaking out of a Sandboxed Editor to perform RCE
✍️ My First RCE (Stressed Employee gets me 2x bounty)
✍️ How I found a Privilege Escalation Bug in a private Ecommerce?
✍️ Microsoft Edge (Chromium) – EoP via XSS to Potential RCE
✍️ Abusing ImageMagick to obtain RCE
✍️ #BugBounty — How Snapdeal (India’s Popular E-commerce Website) Kept their Users Data at Risk!
✍️ My first RCE: a tale of good ideas and good friends
✍️ BugBounty: How I Cracked 2FA (Two-Factor Authentication) with Simple Factor Brute-force !!! 😎
✍️ How I found RCE But Got Duplicated
✍️ From Multiple IDORs leading to Code Execution on a different Host Container
✍️ How to get RCE on AEM instance without Java knowledge
✍️ [Bug Bounty] Exploiting Cookie Based XSS by Finding RCE
✍️ RCE with Flask Jinja Template Injection
✍️ Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE.
✍️ H1-4420: From Quiz to Admin – Chaining Two 0-Days to Compromise An Uber WordPress
✍️ Oculus identity verification bypass through brute-force
✍️ Exposed Jenkins to RCE on 8 Adobe Experience Managers
✍️ HTML to PDF converter bug leads to RCE in Facebook server
✍️ Private bug bounty $$,$$$ USD: “RCE as root on Marathon-Mesos instance”
✍️ Two Easy RCE in Atlassian Products
✍️ RCE in Ruby using Mustache Templates
✍️ About a Sucuri RCE…and How Not to Handle Bug Bounty Reports
✍️ Source Code disclose Vulnerability
✍️ How did I bypass a Custom Brute Force protection and why that solution is not a good idea?
✍️ Facebook’s Burglary Shopping List
✍️ PDFReacter SSRF to ROOT Level Local File Read which led to RCE
✍️ [RCE] Remote code execution at api.PrivateProgram.com (CVE-2017-5638)
✍️ Dell KACE K1000 Remote Code Execution — the Story of Bug K1–18652
✍️ Handlebars template injection and RCE in a Shopify app
✍️ Leaked Salesforce API access token at IKEA.com
✍️ Comma is forbidden! No worries!! Inject in insert/update queries without it
✍️ Discovering a zero day and getting code execution on Mozilla’s AWS Network
✍️ WordPress 5.1 CSRF to Remote Code Execution
✍️ Fixed : Brute-force Instagram account’s passwords
✍️ Bug Bounty 101 — Always Check The Source Code
✍️ Magento – RCE & Local File Read with low privilege admin rights
✍️ Change payment account of any Facebook commerce page
✍️ Expose business email and payment account balance of any Facebook commerce page.
✍️ Bruteforce Instagram account’s passwords (lack of rate limiting protection).
✍️ Story of my two (but actually three) RCEs in SharePoint in 2018
✍️ Second bite on GitLab, and some interesting Ruby functions/features
✍️ Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over
✍️ RCE in Hubspot with EL injection in HubL
✍️ Pwning eBay – How I Dumped eBay Japan’s Website Source Code
✍️ Facebook Source Code Disclosure in ads API
✍️ XS-Searching Google’s bug tracker to find out vulnerable source code
✍️ HackenProof Customer Story: Uklon
✍️ WordPress Design Flaw Leads to WooCommerce RCE
✍️ Path traversal while uploading results in RCE
✍️ Microsoft Edge Remote Code Execution
✍️ RCE Unsecure Jenkins Instance | Bug Bounty POC
✍️ Simple Login Brute Force / Current Password Requirement Bypass
✍️ How I could download the source code of an Indian e-commerce website!!
✍️ How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System
✍️ Latex to RCE, Private Bug Bounty Program
✍️ [PayPal BBP] I could’ve deleted All SMC messages. Using Brute-Force technique.
✍️ How I got hall of fame in two fortune 500 companies — An RCE story…
✍️ RCE by uploading a web.config
✍️ How I found 2.9 RCE at Yahoo! Bug Bounty program
✍️ Source Code Analysis in YSurvey — Luminate bug
✍️ No RCE? Then SSH to the box!
✍️ RCE Vulnerabilite in Yahoo Subdomain! ( Yahoo! RCE via Spring Engine SSTI ) By tghawkins
✍️ Content Injection in DuoLingo’s TinyCards App for Android [CVE-2017-16905]
✍️ Unrestricted File Upload to RCE | Bug Bounty POC
✍️ Taking note: XSS to RCE in the Simplenote Electron client
✍️ Sensitive data exposure by requesting a resource with a different content type
✍️ Exploiting Insecure Cross Origin Resource Sharing ( CORS ) | api.artsy.net
✍️ Upgrade from LFI to RCE via PHP Sessions
✍️ How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
✍️ May the Shells be with You – A Star Wars RCE Adventure!
✍️ CVE-2017-10711: Reflected XSS vulnerability in SimpleRisk – Open Source Risk Management System
✍️ How I got 5500$ from Yahoo for RCE
✍️ Pivoting from blind SSRF to RCE with HashiCorp Consul
✍️ Ok Google, Give Me All Your Internal DNS Information!
✍️ [demo.paypal.com] Node.js code injection (RCE)
✍️ Remote Code Execution (RCE) on Microsoft’s ‘signout.live.com’
✍️ Twitter’s Vine Source code dump – $10080
✍️ InstaBrute: Two Ways to Brute-force Instagram Account Credentials
✍️ Hacking Magento eCommerce For Fun And 17.000 USD
✍️ Ubiquiti Bug Bounty: UniFi v3.2.10 Generic CSRF Protection Bypass
✍️ [manager.paypal.com] Remote Code Execution Vulnerability
✍️ Instagram’s Million Dollar Bug
✍️ CVE-2014-7216: A Journey Through Yahoo’s Bug Bounty Program
✍️ Flickr API Explorer – Force users to execute any API request.
✍️ Google Bug Bounty: Nice Catch on Google Cloud Platform Live
✍️ Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)
✍️ PayPal Bug Bounty: PayPaltech.com E-Mail Injection
✍️ PayPal Bug Bounty: PayPaltech.com XSS
Searching for IDOR:
✍️ CSRF with IDOR – A Deadly Combo
✍️ API based IDOR to leaking Private IP address of 6000 businesses
✍️ Sensitive data leak using IDOR in integration service
✍️ Worth $1,500 IDOR (Access Unauthorize Data)
✍️ How i could take over any Account on a USA Department of Defense Website due to a simple IDOR
✍️ Accidental Observation to Critical IDOR
✍️ 6k$ Worth Account Takeover via IDOR in Starbucks Singapore
✍️ The Art of IDOR: 7 IDORs in Edm0d0
✍️ PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover
✍️ #Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$
✍️ Authentication_token_bypass Leads Too_idor
✍️ A Simple IDOR which should not be missed on dating site 😉
✍️ Taking Over Files in a chat —IDOR in Microsoft Teams
✍️ All About Getting First Bounty with IDOR
✍️ [IDOR] Delete saved credit cards from any Business Manager Account — Facebook Bug Bounty
✍️ IDOR in session cookie leading to Mass Account Takeover
✍️ Chaining an IDOR with a business-logic error to achieve critical impact
✍️ How Source code reading helped me find an IDOR
✍️ Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs
✍️ Blind IDOR in LinkedIn iOS application
✍️ A Simple IDOR to Account Takeover
✍️ IDOR leads to Data leakage and Profile Update
✍️ Accidental IDOR that Deleted Admin Account.
✍️ A Less Known Attack Vector, Second Order IDOR Attacks
✍️ Exploiting a Self Stored XSS with an IDOR
✍️ Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR)
✍️ GraphQL IDOR leads to information disclosure
✍️ Inf0rM@tion Disclosure via IDOR
✍️ HTTP Request Smuggling + IDOR
✍️ Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE)
✍️ From Multiple IDORs leading to Code Execution on a different Host Container
✍️ One Way to Find Hidden IDOR Vulnerability
✍️ IDOR in One plus leads to leak User personal Info.
✍️ 1st Bounty Story | Rewarded 300$ (IDOR)
✍️ Account takeover using IDOR and the misleading case of error 403.
✍️ IDOR Leads To Project Takeover
✍️ Edmodo — IDOR to view private files of any class
✍️ EdM0d0 IDOR Vulnerabilities
✍️ My very first bug: a dreaded dupe and then an IDOR jackpot!
✍️ How I was able to Extract Information of Other Users- Exploiting IDOR
✍️ AntiHack IDOR on Create Submission
✍️ How I was able to delete Google Gallery Data [IDOR]
✍️ Change Anyone’s profile picture-Exploiting IDOR
✍️ IDOR in JWT and the shortest token you will ever see {}.{“uid”: “1234567890”}
✍️ Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR)
✍️ IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent
✍️ IDOR User Account Takeover By Connecting My Facebook Account with victims Account
✍️ IDOR FACEBOOK: malicious person add people to the “Top Fans”
✍️ YAHOO IDOR -elimination of any comment
✍️ IDOR leads to account takeover
✍️ IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo
✍️ Gsuite Hangouts Chat 5k IDOR
✍️ Simple IDOR to reject a to-be users invitation via their notification
✍️ How I was able to see any private album passwrod in Picturepush — IDOR
✍️ Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile
✍️ IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks
✍️ How I found IDOR on Twitter’s Acquisition – Mopub.com
✍️ Abusing internal API to achieve IDOR in New Relic
✍️ How I Pwned a company using IDOR & Blind XSS
✍️ Taking over every Ad on OLX (automated), an IDOR story
✍️ IDOR – Execute JavaScript into anyone account
✍️ IDOR on HackerOne Hacker Review “What Program Say”
✍️ IDOR While Connecting Social Account in Hackster.io
✍️ How a simple IDOR become a $4K User Impersonation vulnerability
✍️ Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages
✍️ IDOR in Facebook’s Acquisition (Parse)
✍️ Access developer tasks list of any Facebook Application (GraphQL IDOR)