Research
The research section is where I add potential theories or endpoints I want to take a look at; they may or may not be added to the notes in the future once confirmed to be a vulnerability. These should not be considered a learning resource at all, but could be worth researching yourself if interested.
Potential Cloudflare Disclosure
If an app uses Cloudflare, navigate to the following endpoint and observe a potential internal gateway or IP address if it is misconfigured.
/cdn-cgi/trace
WP Plugin - Duplicator
Google Dork: inurl:"/wp-content/backups-dup-lite/"
May find something like this:
20201214_bananabay_2fbe2b83a6dc4e568688_20201214140243_scan.json
- Theory
- Navigate to the following URL to obtain a valid CSRF token:
/wp-content/backups-dup-lite/20201214_bananabay_2fbe2b83a6dc4e568688_20201214140243_installer.php
Note: "bananabay" in the file name is the company name, which will differ.
- Navigate to the following URL if not redirected and note that the administrative interface for the Duplicator plugin is accessible without authentication:
/wp-content/backups-dup-lite/dup-installer/main.installer.php
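Defender-side check for the Duplicator exposure above: an added example, not from the original notes, that scans web-server access-log lines (combined format) for requests to the backup directory and installer paths listed and marks any hit the server actually served as exposed. The log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Paths from the Duplicator notes above. The backup directory should never be
# web-readable, so any hit is worth a look; a 2xx on the installer is the
# "admin interface reachable without authentication" case.
BACKUP_DIR = "/wp-content/backups-dup-lite/"
INSTALLER = BACKUP_DIR + "dup-installer/main.installer.php"

# Apache/nginx combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    reason: str
    severity: str  # "exposed" (request was served) or "probe" (denied / not found)

def classify(path: str) -> Optional[str]:
    """Return a reason string if the request path touches Duplicator artefacts."""
    clean = path.split("?", 1)[0]          # ignore the query string
    if clean == INSTALLER:
        return "duplicator installer requested"
    if clean.startswith(BACKUP_DIR) and clean.endswith("_installer.php"):
        return "duplicator package installer requested"
    if clean.startswith(BACKUP_DIR):
        return "duplicator backup directory accessed"
    return None

def scan_access_log(lines) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not combined format; skip
        reason = classify(m["path"])
        if reason is None:
            continue
        status = int(m["status"])
        findings.append(Finding(m["ip"], m["ts"], m["path"], status, reason,
                                "exposed" if status < 400 else "probe"))
    return findings

# Constructed sample lines (not from any real server); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2020:14:05:01 +0000] "GET /wp-content/backups-dup-lite/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2020:14:05:03 +0000] "GET /wp-content/backups-dup-lite/20201214_bananabay_2fbe2b83a6dc4e568688_20201214140243_installer.php HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2020:14:05:09 +0000] "GET /wp-content/backups-dup-lite/dup-installer/main.installer.php HTTP/1.1" 200 23104 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Dec/2020:14:06:00 +0000] "GET /index.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Dec/2020:14:06:02 +0000] "GET /wp-content/backups-dup-lite/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:8} {f.ip:15} {f.status} {f.reason}: {f.path}")
```

Any "exposed" finding on the installer means the directory is being served and needs a deny rule (or the backup files removed) regardless of whether the request was a scanner or a person.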
Search Engines
Need to find one that disregards robots.txt disallow rules and indexes those directories anyway, to find sensitive endpoints.
WAF Bypass -> General WAF Bypass
Add the "TLS certificate method" for obtaining a web server's origin IP despite it sitting behind a proxy such as Cloudflare.