🔗Links: 💸Purchase my code at a discounted rate using code 'RCE'👉🏼 hhub.io/Mt32ZHP4790 👀Free Remote Command Execution (RCE) Lab: shorturl.at/1QATs 💬Join the discord 👉🏼 Discord.gg/NahamSec
Cool video! Other methods of exploiting blind RCE to exfiltrate data: * Write to a text file somewhere under the web site folder, then access this file from the web site. * Use curl to send internal traffic to the website to imitate a public user feedback, like comments or post (if the site provides such functionality) and access it later from the web.
The first one is a good idea, but that requires you to find out where the web directories are and if you have access to write in those folders. Will make a video on this later, maybe.
nice catch bro, the ideas of exfiltrating data u have explained is also provided by portswiger in sqli labs i didn't thought of that we could do the same but in bash environment instead , so thanks for this infos
You can with if [ $(whoami | wc - c) = X ] where X is the length + 1. I see no reason for doing that. You do the approach in the video until you don't get any matches.
Hi Ben, I may have missed it if you've mentioned it before; but am I correct to assume that your course on hackinghub is updated vs the one on udemy? Thanks in advance
When we were working on this program, we had documentation that allowed us to know how the application worked. The scenario wasn't the same as this but the exploitation route was the same. A lot of times, you have throw sh*t at the wall and see what sticks.
BRO I AM DEEPLY LOOKING FOR OS COMMAND INJECTION BUT FINDING SOME ISSUE HAVE DONE PORTSWIGGER BUT I WANT DIFFER APPROACH INSTEAD OF FORMS TESTING COULD YOU HELP
Observer that wheever nahamsec clicks enter at that moment only the timer get prints. you can consider it as a timer/clock is not getting the packet latency it just get prints whever he enters, enter button is the trigger not the request time.
Sometimes, yeah. In my instance, we had to upload a file that was rendered server-side where we invoked a function that allowed us to RCE. So burp wouldn't be able to catch it. But something like this where you are injecting a command, burp may be able to pick it up
🔗Links:
💸Purchase my code at a discounted rate using code 'RCE'👉🏼 hhub.io/Mt32ZHP4790
👀Free Remote Command Execution (RCE) Lab: shorturl.at/1QATs
💬Join the discord 👉🏼 Discord.gg/NahamSec
Cool video! Other methods of exploiting blind RCE to exfiltrate data:
* Write to a text file somewhere under the web site folder, then access this file from the web site.
* Use curl to send internal traffic to the website to imitate a public user feedback, like comments or post (if the site provides such functionality) and access it later from the web.
The first one is a good idea, but that requires you to find out where the web directories are and if you have access to write in those folders. Will make a video on this later, maybe.
nice catch bro,
the ideas of exfiltrating data u have explained is also provided by portswiger in sqli labs
i didn't thought of that we could do the same but in bash environment instead , so
thanks for this infos
Thanks for watching!
Your videos are so helpful thnk you Behrooz❤❤
My pleasure 😊
This is also possible with Blind sql attacks, and is a very common attack vector.
Watched the video, very good, I like how it is designed sort of like DVWA with options of a firewall or no
as a software eng, i was seriously mind blown when it clicked what you were doing with `sleep`, this is wild OMG 😳😳
Thank you!
awesome. I enjoyed very much.tnx
Great Approach .! Is it possible to determine the length of the string first and then applying the character bruteforcing
You can with
if [ $(whoami | wc - c) = X ]
where X is the length + 1.
I see no reason for doing that. You do the approach in the video until you don't get any matches.
Basically a time based SQLi, but with RCE. Cool.
Unbelievable, how did you even think there could be an RCE in stock checking app?
This is a made up scenario to show the exploitation process. Sorry about the confusion.
this video shows how much smart you have become to become a hacker
Hi Ben,
I may have missed it if you've mentioned it before; but am I correct to assume that your course on hackinghub is updated vs the one on udemy?
Thanks in advance
could the output of a command be redirected to a file which the server is serving, as an alternative to using sleep?
Wow thats smart idea 💡
This is Crazyyyy!! 😍
The point is, how did you spot the vulnerability?
When we were working on this program, we had documentation that allowed us to know how the application worked. The scenario wasn't the same as this but the exploitation route was the same. A lot of times, you have throw sh*t at the wall and see what sticks.
Hey @nahamsec
Why is rate limiting not a valid bug even though the server is exhausted from handling multiple requests?
رفیق، تو عالی هستی ... دستت درد نکنه. کورس فارسی میذاری ؟
WHY NOT TRYING DIRECT REVERSE SHELL ?
I thought companies have stopped paying bounties.
Amazing Content ;
هکر پارسیش قشنگه❤❤❤
that RCE helper url isn't working, is it possible to self host or..?
We haven't had any issues reported with the lab and I just tested it out as well. Seems to be working.
@@NahamSec Getting 'hub not started'
BRO I AM DEEPLY LOOKING FOR OS COMMAND INJECTION BUT FINDING SOME ISSUE HAVE DONE PORTSWIGGER BUT I WANT DIFFER APPROACH INSTEAD OF FORMS TESTING COULD YOU HELP
@NahamSec please give us more discount on your bug bounty course in this festive season
Comando curl ajuda muito ,ética heck
At 8:40.... 15:23:30 to 15:23:56 is not one second... Still don't get why no one saw that
Observer that wheever nahamsec clicks enter at that moment only the timer get prints. you can consider it as a timer/clock is not getting the packet latency it just get prints whever he enters, enter button is the trigger not the request time.
That's freaking smart
I wonder, can burp scan pick this up?
Sometimes, yeah. In my instance, we had to upload a file that was rendered server-side where we invoked a function that allowed us to RCE. So burp wouldn't be able to catch it. But something like this where you are injecting a command, burp may be able to pick it up
How do you capture dnslookup results?
I dont understand this part how can you see the result from nslookup
@@abdelrahmanmostafa9489 nslookup is like dig, they send dns queries.
I'm capturing the results using interact.sh that has that capability for me. It has the ability to capture DNS and HTTP requests.
Thanks for you free content
Yes sqli
Please a make video on sql injection zero to hero
google and learning zero to hero :3
awsomeee
peace
All these hackers
TOMMYBOYDUPING!!!
هکر🫀
هكر ؟؟
هكر
shit this is an amzaing
noice
Now Hacker in Urdu , ❤
❤
its arabic
its Arabic bro
@@0xlol64 thanks, ( ہیکر ) I know brother
It's Farsi :P but I guess the same letters, right?
First 🎉
amazing