Yuval (@yuvalgal_)
5 posts
Joined March 2021
46 Following, 5 Followers
Yuval (@yuvalgal_):
@yeswehack replace() will replace a single instance of '"' instead of the desired behavior, replacing every instance, which can be achieved using replaceAll(). Thus we can perform SQLi by using a payload similar to this: '"";DROP TABLE users;#'.
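The replace()/replaceAll() distinction in the reply above, shown as an added JavaScript example; this is not the YesWeHack snippet (which is not reproduced here), and the escaper and check function names are assumed for illustration:

```javascript
// Added example: why String.prototype.replace with a string pattern is
// not a sanitizer. Function names are hypothetical.

// Naive escaper: with a string (not /g regex) pattern, replace() touches
// only the FIRST occurrence, so every later quote survives unescaped.
function escapeQuotesFirstOnly(input) {
  return input.replace('"', '\\"');
}

// replaceAll() (or replace(/"/g, ...)) escapes every occurrence.
function escapeQuotesAll(input) {
  return input.replaceAll('"', '\\"');
}

// Review/unit-test check: does any double quote remain that is not
// preceded by an odd number of backslashes (i.e. still unescaped)?
function hasUnescapedDoubleQuote(s) {
  let backslashes = 0;
  for (const ch of s) {
    if (ch === '\\') {
      backslashes++;
      continue;
    }
    if (ch === '"' && backslashes % 2 === 0) return true;
    backslashes = 0;
  }
  return false;
}

// Constructed sample input: two adjacent quotes, the shape that defeats
// a first-occurrence-only escaper.
const SAMPLE = 'a""b';

function demo() {
  const first = escapeQuotesFirstOnly(SAMPLE); // 'a\""b'  -> second quote left bare
  const all = escapeQuotesAll(SAMPLE);         // 'a\"\"b' -> both escaped
  return {
    firstOnlyLeaksQuote: hasUnescapedDoubleQuote(first), // true
    allLeaksQuote: hasUnescapedDoubleQuote(all),         // false
  };
}
```

The check function is the kind of assertion worth adding to a unit test when a codebase escapes by string replacement; the more durable fix is to pass user input through parameterized queries rather than to escape it at all.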
Yuval (@yuvalgal_):
@yeswehack Besides LFI using methods already commented, there is a reflected XSS vuln. 'http://e.vil/p.html' will be filtered, but we can use the fact that filtering '://' is separate from '../' to construct 'http:..///e.vil/p.html', and file is a GET param, so we can send a bad link.
YesWeHack (@yeswehack):
Vulnerable Code Snippets Time 🥷 Level: Medium 🐝 This web application does not like dot dot slash! Try it out at Github: github.com/yeswehack/vuln… #BugBounty #YesWeRHackers Found the issue? Explain how in the comments! 👇 🎁 The best solution gets an exclusive swag!
Yuval (@yuvalgal_):
@yeswehack After a password reset link is used, resetHash is called with $reset=true. $hs is bound to the prepared statement with a type of string (s) and NULL will not change the resethash column. Thus the same hash can be used indefinitely to reset a user's password.
Yuval (@yuvalgal_):
@Turmio_ Oh, it's trying to merge the files into the symlink, now I get it. Brilliant plan! Thanks for explaining further.
Mikko Kenttälä (@Turmio_):
@yuvalgal_ Thanks! The uncleaned symlink is in the tempdir. The second zip gets extracted to the same tempdir, and since there is a symlink named "Mail" already, all the files in the second zip which are extracted to the Mail directory will actually follow the symlink.