Recon using a questionable source of information — pastebin.com
2020-10-12 20:57:24 Author: medium.com(查看原文) 阅读量:261 收藏

Vuk Ivanovic

Image for post

I took a break from writing or rather hitting Publish button for a little while, had a lot of recon stuff to go through, I guess that could be a topic for another article, but this is something I figured to be useful.

While github is great to find leaked credentials and apikeys, and for subdomains, there is another place, a darker place, at times, and that is pastebin.com

The dark place that pastebin.com can be
It has been known that pastebin.com is where you can find all sorts of private data that gets leaked by the bad guys. But, pastebin.com isn’t the source of only bad stuff, questionable information, and such. It is also a place that people use to share bits and pieces of their code, among other things. But, how to use that information in bug hunting?

The light in the dark
The old school hacking involved learning about the system being hacked. Most of that idea continues today. When during your bug hunting journeys you identify that certain website is using wordpress version X, the most obvious next step is to check if wordpress version X has any known bugs. But, what if the website isn’t wordpress, or joomla, etc. but is some custom cms? Using google to search for that particular cms won’t provide much info, most of the time. But, what if that cms has an endpoint that looks interesting, but you don’t have access to any documentation about it? That’s where pastebin.com can help, provided that someone who knows how to interact with that endpoint ends up putting the code there.

Showcase
In my, so far brief time (thus finding my success with it could increase over time) of using this technique I have stumbled on leaked PII data, and of course valid credentials, but there was also an instance where I found a very useful snippet of code.
The process was fairly straightforward: I discovered an interesting endpoint on subdomain api.target.com, and GET request showed 405 Method not allowed. POST request resulted in an error in xml format. The immediate thought was to try xml xxe. But, the familiar xxe code didn’t work. That’s when I turned to pastebin.com, and I only used subdomain sans endpoint to avoid missing anything (which has proved useful in many cases):

Image for post

and it turned out that someone, for whatever reason, posted a correct xml format for the POST request in question, and the reason why the usual xml xxe wasn’t working had to do with soap :) I mean SOAP.

Image for post

Obviously, I had to add xxe part to that harmless SOAP request. And, it worked. Sort of. I got 500 Internal Server Error, but I also got http pingback.
Due to the bug bounty program’s policy, I was not allowed to attempt any data extraction so the attack/PoC ended with that.

Do you need to know how to code?
Quick answer, related to this article specifically: not really. Recognizing patterns should be enough, especially with xml where the pattern is pretty obvious.
The longer, more general answer:
As someone who always tries to fill all the blanks in my knowledge, I often spend time listening/reading interviews with top bug bounty hunters including also just 101 beginner type of stuff (you never can tell when K.I.S.S. makes that big difference). And one of the frequent questions that ends up being discussed at various lengths is whether you need to know how to code in order to succeed as a bug bounty hunter.
Sometimes those questions go into which programming language is the one (as if there is the one). But, the answer is you need to understand the code. Which isn’t the same as knowing how to code. For that, you need to learn just the basics. Sometimes there will be snippets or whole source code of android apps. While android apps are java based, if you know the basics of any programming language, the logic should be good enough to find interesting stuff. Obviously, if you want to reverse engineer code, to find bugs in the code itself, that’s whole other series of articles if not books.


文章来源: https://medium.com/bugbountywriteup/recon-using-a-questionable-source-of-information-pastebin-com-29a57414f1a6?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh