Bug Bounty catches part 1

Catch the bounty before others

Hi hunters, again I am going to share some of my findings from a few months ago. This article is divided into 3 parts, each describing one finding. So, without taking more of your time, let's jump into our 1st finding. I've added some bug bounty tips at the end of the blog. Please forgive me if I've made any mistakes.

1st Bug: Not-arbitrary File Upload:

From the title you can guess that it isn't a fully arbitrary file upload, but I was able to upload image files (only) to the main site through the admin panel uploader, after bypassing the login to reach the file uploader.

So, when I was testing a private bounty site (let's call it privateBB.com), I ran dirsearch over one of its subdomains, app.privateBB.com, and got a 302 response on the /admin directory, which redirected to privateBB.oldCMS.com/login. I tried to bypass it with default credentials, but that didn't work. Then I ran dirsearch over privateBB.oldCMS.com and guess what!! I found a CKFinder file uploader and was able to access it without any kind of authentication.

[Screenshot: CKFinder file uploader]

But it only accepted image files. I tried tampering with every file extension using bypasses like shell.php%00.jpg, but it turned into shell.php%00_.jpg. I tried every extension bypass and failed every time. BTW, all image files are hosted at privateBB.com/__data/uploads/files/[HERE]. I finally gathered and combined the bugs and submitted a report about authentication bypass leading to not-arbitrary file upload on the main domain. They marked it P3😔 and awarded a bounty.
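As a defender-side illustration of the check the uploader above was relying on, here is an added example (not code from the original post, and not CKFinder's own code) of how an upload filter should decide what to accept. It rejects anything suspicious instead of rewriting it, the way the target rewrote %00 into "_", and it also checks the file body's magic bytes so a script body with an image name is refused. The allowlist, the magic-byte table and the function names are assumptions for the example; the real uploader's rules are not known from the post.

```python
import os
import re

# Assumed allowlist: the post only says the uploader accepted image files,
# so the exact list is a guess for this example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each allowlisted format, so a ".jpg" whose body is a
# script is rejected even though its name passes the extension check.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Basename may only contain characters that can never be a path or a second
# extension.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised for any filename or body the filter will not store."""


def validate_upload(raw_filename: str, content: bytes) -> str:
    """Return the filename to store, or raise UploadRejected.

    Rejects rather than rewrites: null bytes (literal or still
    percent-encoded), directory components, more than one extension,
    extensions outside the allowlist, and bodies whose magic bytes do not
    match the claimed extension.
    """
    if "\x00" in raw_filename or "%00" in raw_filename.lower():
        raise UploadRejected("null byte in filename")
    # Drop any directory part the client sent, with either separator.
    name = os.path.basename(raw_filename.replace("\\", "/"))
    parts = name.split(".")
    if len(parts) != 2:
        raise UploadRejected("filename must be <base>.<ext> with exactly one extension")
    base, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not SAFE_BASENAME.match(base):
        raise UploadRejected("basename contains disallowed characters")
    if not any(content.startswith(m) for m in MAGIC[ext]):
        raise UploadRejected("content does not match claimed image type")
    return f"{base}.{ext}"


def is_accepted(raw_filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        validate_upload(raw_filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header, the bypass name from the
    # post, a double extension, and a PHP body with an image name.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("shell.php%00.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("avatar.jpg", b"<?php echo 1; ?>"),
        ("../../etc/passwd.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for fname, body in samples:
        print(f"{fname!r}: {'accepted' if is_accepted(fname, body) else 'rejected'}")
```

The last sample shows the one rewrite the filter does perform: directory components are stripped, so the file lands where the server chose, not where the client asked.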

2nd Bug: Information Disclosure (High)🔥🔥:

It was one of my fastest findings. This one is about disclosure of the PostgreSQL host, name and password. In January I was testing a web service that managed cloud hosting for software infrastructure services. Let's call it BBcloud.com. There are 4 types of roles for members:

  • Admin (full access)
  • Operator (access to a few operations, can see service information)
  • Developer (less access to operations than Operator, can see service information)
  • Read_only (read access only, can't see service information)

I set up 2 accounts, one as Admin, another as read_only. As you know, read_only can't see service information, but wait, I leveraged that and was able to see service information. So, as Admin I started a PostgreSQL service and bought the premium service plan, which has an extra feature called Pool. What is Pool: connection pooling allows managing large numbers of PostgreSQL client connections efficiently without sacrificing overall performance.

Now I added a pool of any size (it doesn't matter). There is also an option called info, where you can see your PostgreSQL info and connection URI. The PostgreSQL connection URI looks like:

postgres://admin:[password]@[host]:port/pool-name?sslmode=require

Now I logged in as the read_only user; as you know, in this role I can see only operation names and can't see the info. But in the Pool tab, when I clicked the info button, I was able to see the PostgreSQL info and URI, and in the URI I could see the password, host and username.

[Screenshot: read_only vs Admin]

This is how I found a critical severity bug in a few minutes and got rewarded a good bounty.

3rd Bug: Non-accessible Project Invoice Download:

This bug was also found on the same target as above. What this bug actually means: when you get removed from a project, you can still access and download the updated invoice of that project.

The invoice link looks like:

https://BBcloud.com/v1/project/[project-name]/invoice/id/#hash

As I mentioned in the 2nd bug, there are 4 roles, and everyone except the read_only user can access the invoice tab of a project. I had the developer role, copied the newly created invoice link and then removed myself from the project, so I no longer had access to the project but still had the invoice link. Now the fun part: whenever the project gets updated, the invoice link stays the same; only the contents of the invoice get updated. After learning this I was super happy. That means if an attacker gets the invoice link, they don't have to look for any other information; the invoice report contains some juicy information. I reported it, got a bounty, and they fixed it quickly.
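Both the 2nd and 3rd bug are the same class of mistake: an authorization decision that is made on one code path (the main info page, the invoice tab) but not on another (the Pool tab's info button, the invoice link itself). The added example below (my own illustration, not BBcloud's code; the roles are the four the post lists, everything else, including the handler names, the project fields and the sample connection URI, is constructed) puts the vulnerable handler next to the fixed one for each bug. For the invoice, the fix re-checks current membership on every request, so the link is only a locator, not a credential, and a removed member stops receiving updated invoices even though the link never changes.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# The four roles from the post. Per the post, read_only can neither see
# service information (the connection URI) nor open the invoice tab.
ROLES = {"admin", "operator", "developer", "read_only"}
SERVICE_INFO_ROLES = {"admin", "operator", "developer"}
INVOICE_ROLES = {"admin", "operator", "developer"}


class Forbidden(PermissionError):
    """Raised when a handler refuses the request."""


@dataclass
class Project:
    name: str
    members: Dict[str, str]          # username -> role (current membership)
    connection_uri: str              # contains the database password
    pool_size: int
    invoice: str                     # current contents; the link never changes
    invoice_hash: str = field(default_factory=lambda: secrets.token_hex(16))

    def invoice_link(self) -> str:
        # Same shape as the link in the post; the hash stays constant on update.
        return f"https://BBcloud.com/v1/project/{self.name}/invoice/id/#{self.invoice_hash}"


def pool_info_vulnerable(project: Project, user: str) -> dict:
    """Pool-tab 'info' as the post describes it: any member, read_only
    included, receives the full connection URI."""
    if user not in project.members:
        raise Forbidden("not a member")
    return {"pool_size": project.pool_size, "uri": project.connection_uri}


def pool_info_fixed(project: Project, user: str) -> dict:
    """Same endpoint with the role check applied on this code path too."""
    role = project.members.get(user)
    if role is None:
        raise Forbidden("not a member")
    info = {"pool_size": project.pool_size}
    if role in SERVICE_INFO_ROLES:
        info["uri"] = project.connection_uri
    return info


def invoice_download_vulnerable(project: Project, user: Optional[str], link_hash: str) -> str:
    """Authorises by the link alone, so a former member who kept the link
    keeps downloading every updated invoice."""
    if not hmac.compare_digest(link_hash, project.invoice_hash):
        raise Forbidden("bad link")
    return project.invoice


def invoice_download_fixed(project: Project, user: Optional[str], link_hash: str) -> str:
    """Re-checks current membership and role on every request."""
    role = project.members.get(user) if user else None
    if role not in INVOICE_ROLES:
        raise Forbidden("user is not a current member with invoice access")
    if not hmac.compare_digest(link_hash, project.invoice_hash):
        raise Forbidden("bad link")
    return project.invoice


def allowed(handler, *args) -> bool:
    """True if the handler serves the request, False if it raises Forbidden."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False


def demo() -> dict:
    """Replays both findings against the vulnerable and the fixed handlers."""
    project = Project(                       # constructed sample project
        name="demo-project",
        members={"alice": "admin", "bob": "read_only", "carol": "developer"},
        connection_uri="postgres://admin:[password]@[host]:5432/pool-name?sslmode=require",
        pool_size=20,
        invoice="invoice v1",
    )
    results = {
        "read_only_sees_uri_vuln": "uri" in pool_info_vulnerable(project, "bob"),
        "read_only_sees_uri_fixed": "uri" in pool_info_fixed(project, "bob"),
        "admin_sees_uri_fixed": "uri" in pool_info_fixed(project, "alice"),
    }
    link_hash = project.invoice_hash         # carol copies the link while a member
    del project.members["carol"]             # carol is removed from the project
    project.invoice = "invoice v2"           # invoice updated, link unchanged
    results["removed_dev_downloads_vuln"] = allowed(invoice_download_vulnerable, project, "carol", link_hash)
    results["removed_dev_downloads_fixed"] = allowed(invoice_download_fixed, project, "carol", link_hash)
    results["admin_downloads_fixed"] = allowed(invoice_download_fixed, project, "alice", link_hash)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `demo()` is the before/after pair: the vulnerable handlers say yes to read_only and to the removed developer, the fixed ones say no, and the admin keeps working in both. In a real service the role lookup would hit the membership table on every call rather than a dict, which is exactly what makes the removal take effect.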

That's all, guys.

Here are a few tips:

  • Always go for the premium product of the app. There will always be some juicy bugs which you can exploit and get a bounty for.
  • Check whether subdomains are in scope or not and run directory fuzzing over them; check whether what you find affects the primary or scoped domain, then proceed further.
  • Always check invoice or other juicy links after being removed from a project or group. If you can access and download the invoice without access to the project, report it and get the bounty.

Stay tuned for more.
