Note: I do the web investigation officially, via hackerone.
Bug bounty
What I planned to do
- Practice
- Group operation
What I did
- Group operation
1. Group operation
Since there seemed to be demand, I made a "getting started with getting started in bug bounty" guide.
Actually, about half of the group's members were people who "don't know how to start bug bounty".
Well, bug bounty isn't exactly something you run into every day.
What I want to do next
- Practice
Honeypot
Top screen
Line graph of the last month
GET requests
no | uri | count |
---|---|---|
1 | / | 63 |
2 | /wp-login.php | 56 |
3 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=wordpres | 3 |
4 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=aa123456 | 3 |
5 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=music | 3 |
6 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=a123456 | 3 |
7 | ///?author=1 | 2 |
8 | /manager/html | 2 |
9 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=abc123 | 2 |
10 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=qnap | 2 |
11 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=rootadmin | 2 |
12 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123qwe | 2 |
13 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123123 | 2 |
14 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=12qwaszx | 2 |
15 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=host | 2 |
16 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=databases | 2 |
17 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=donald | 2 |
18 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2016 | 2 |
19 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=xampp | 2 |
20 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=user | 2 |
21 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=whatever | 2 |
22 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=toor123 | 2 |
23 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=password1 | 2 |
24 | /phpmyadmin/index.php?lang=en&pma_username=money&pma_password=money | 2 |
25 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=web | 2 |
26 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=queen | 2 |
27 | /wp-json/wp/v2/users/ | 2 |
28 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=backup | 2 |
29 | /phpmyadmin/index.php?lang=en&pma_username=shopdb&pma_password=shopdb | 2 |
30 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=passw0rd | 2 |
31 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123qweasdzxc | 2 |
32 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=usa | 2 |
33 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=freedom | 2 |
34 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=onetwothree | 2 |
35 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=mysql | 2 |
36 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=solo | 2 |
37 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=master | 2 |
38 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=test | 2 |
39 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=12345678 | 2 |
40 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=charlie | 2 |
41 | ///wp-json/wp/v2/users/ | 2 |
42 | /phpmyadmin/index.php?lang=en&pma_username=wordpress&pma_password=password | 2 |
43 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=111111 | 2 |
44 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=4321 | 2 |
45 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=developer | 2 |
46 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=Password | 2 |
47 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=pass1234 | 2 |
48 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2018 | 2 |
49 | /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=root | 2 |
50 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=shop | 2 |
51 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=654321 | 1 |
52 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=trustno1 | 1 |
53 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=confidential | 1 |
54 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=database | 1 |
55 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=hello | 1 |
56 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=666666 | 1 |
57 | /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=pass | 1 |
58 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=backupdbs | 1 |
59 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=qwerty | 1 |
60 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=gameserver | 1 |
61 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2020 | 1 |
62 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=qazwsx | 1 |
63 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=princess | 1 |
64 | /phpmyadmin/index.php?lang=en&pma_username=nginx&pma_password=nginx | 1 |
65 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=acces | 1 |
66 | /phpmyadmin/index.php?lang=en&pma_username=wordpress&pma_password=wordpress | 1 |
67 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=12345 | 1 |
68 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=acceso | 1 |
69 | /phpmyadmin/index.php?lang=en&pma_username=popa3d&pma_password=popa3d | 1 |
70 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=backupserver | 1 |
71 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=letmein | 1 |
72 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=1234567890 | 1 |
73 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123456789 | 1 |
74 | /phpmyadmin/index.php?lang=en | 1 |
75 | /mysql/dbadmin/index.php?lang=en | 1 |
76 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=1234 | 1 |
77 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=1234567 | 1 |
78 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=test123 | 1 |
79 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2010 | 1 |
80 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=administrator | 1 |
81 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=webs | 1 |
82 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=pass2019 | 1 |
83 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=blog | 1 |
84 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=crypto | 1 |
85 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=bitcoin | 1 |
86 | /phpmyadmin/index.php?lang=en&pma_username=db&pma_password=db | 1 |
87 | /phpmyadmin/index.php?lang=en&pma_username=wp&pma_password=wp | 1 |
88 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2013 | 1 |
89 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=webadmin | 1 |
90 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=dbs | 1 |
91 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=321 | 1 |
92 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2012 | 1 |
93 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=trump | 1 |
94 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=password2019 | 1 |
95 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=toor | 1 |
96 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=oracle | 1 |
97 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=p455w0rd | 1 |
98 | /proxyjudge.php | 1 |
99 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=michael | 1 |
100 | /phpmyadmin/index.php?lang=en&pma_username=apache&pma_password=apache | 1 |
101 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=blogs | 1 |
102 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password= | 1 |
103 | /mysql/sqlmanager/index.php?lang=en | 1 |
104 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=root | 1 |
105 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=sunshine | 1 |
106 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=secure | 1 |
107 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=linux | 1 |
108 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=welcome | 1 |
109 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=db | 1 |
110 | /phpmyadmin/index.php?lang=en&pma_username=dbs&pma_password=dbs | 1 |
111 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=Password1 | 1 |
112 | /phpmyadmin/index.php?lang=en&pma_username=pma&pma_password=pma | 1 |
113 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=users | 1 |
114 | /mysql/admin/index.php?lang=en | 1 |
115 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=admin123 | 1 |
116 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=pass123 | 1 |
117 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=monkey | 1 |
118 | /phpmyadmin/index.php?lang=en&pma_username=http&pma_password=http | 1 |
119 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=toor321 | 1 |
120 | /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=123 | 1 |
121 | /phpmyadmin/index.php?lang=en&pma_username=sql&pma_password=sql | 1 |
122 | /phpmyadmin/index.php?lang=en&pma_username=wordpress&pma_password=pass | 1 |
123 | /mysql/mysqlmanager/index.php?lang=en | 1 |
124 | /phpmyadmin/index.php?lang=en&pma_username=shop&pma_password=shop | 1 |
125 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=pass2018 | 1 |
126 | /phpmyadmin/index.php?lang=en&pma_username=joomla&pma_password=joomla | 1 |
127 | /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=dragon | 1 |
POST requests
Note: Omitted because there are too many parameters; they are WordPress requests.
phpMyAdmin users
no | user | count |
---|---|---|
1 | root | 140 |
2 | admin | 4 |
3 | wordpress | 4 |
4 | shopdb | 2 |
5 | money | 2 |
6 | pma | 1 |
7 | nginx | 1 |
8 | sql | 1 |
9 | shop | 1 |
10 | apache | 1 |
11 | popa3d | 1 |
12 | dbs | 1 |
13 | http | 1 |
14 | db | 1 |
15 | wp | 1 |
16 | joomla | 1 |
phpMyAdmin passwords
Note: Omitted, since there are a great many entries with small counts.
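As an added example (not code from this blog or from its honeypot dashboard), the script below reproduces the aggregation behind the GET-request table and the phpMyAdmin user/password tables above, starting from raw access-log lines: it parses Combined Log Format, lifts pma_username/pma_password out of the query string (counting an empty pma_password= as a blank guess, as the table above does), collapses the doubled slashes seen in ///wp-json/wp/v2/users/ and ///?author=1, and flags source IPs by guess count. The log lines, IP addresses, tags and the threshold of 3 are constructed for the example. The WordPress logins are POST bodies, which an access log does not record, so they are out of scope here.

```python
"""Aggregate honeypot access-log lines the way the dashboard on this page does:
top GET URIs, phpMyAdmin usernames/passwords lifted from the query string, and
per-source flags for credential guessing and WordPress user enumeration.
The log lines below are constructed samples, not traffic from the honeypot."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed Combined-Log-Format lines; IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2019:10:00:01 +0900] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2019:10:00:02 +0900] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2019:10:00:03 +0900] "GET /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123456 HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
198.51.100.7 - - [01/Jun/2019:10:00:04 +0900] "GET /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=toor HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
198.51.100.7 - - [01/Jun/2019:10:00:05 +0900] "GET /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=pass HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
203.0.113.9 - - [01/Jun/2019:10:00:06 +0900] "GET ///wp-json/wp/v2/users/ HTTP/1.1" 200 300 "-" "curl/7.64.0"
203.0.113.9 - - [01/Jun/2019:10:00:07 +0900] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "curl/7.64.0"
this line is garbage and must be skipped by the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Fixed paths from the honeypot's GET table, mapped to a detection tag (assumed names).
PATH_TAGS = {
    "/wp-login.php": "wp_login",
    "/wp-json/wp/v2/users/": "wp_user_enum",
    "/manager/html": "tomcat_manager",
}


def parse_log(text):
    """One dict per well-formed line; lines that do not match are dropped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def split_target(uri):
    """Split a request-target into a normalized path and its query dict.
    Runs of slashes are collapsed so '///wp-json/...' and '///?author=1'
    are seen as '/wp-json/...' and '/?author=1'.  keep_blank_values keeps an
    empty 'pma_password=' as a real (blank) guess."""
    path, _, query = uri.partition("?")
    return re.sub(r"/{2,}", "/", path), parse_qs(query, keep_blank_values=True)


def classify(uri):
    """Tag a request-target, or return None if it is not on the watch list."""
    path, qs = split_target(uri)
    if path.endswith("/index.php") and "pma_username" in qs:
        return "pma_bruteforce"          # credential guess in the query string
    looks_like_pma = "phpmyadmin" in path.lower() or path.startswith("/mysql/")
    if path.endswith("/index.php") and looks_like_pma:
        return "pma_probe"               # hunting for the login page itself
    if path == "/" and "author" in qs:
        return "wp_user_enum"            # ?author=N redirect leaks the user slug
    return PATH_TAGS.get(path)


def top_uris(entries, method="GET"):
    """Raw URI counts, i.e. the 'GET requests' table on the dashboard."""
    return Counter(e["uri"] for e in entries if e["method"] == method)


def pma_credentials(entries):
    """Username and password counters for phpMyAdmin guesses."""
    users, pwds = Counter(), Counter()
    for e in entries:
        if classify(e["uri"]) != "pma_bruteforce":
            continue
        _, qs = split_target(e["uri"])
        users[qs["pma_username"][0]] += 1
        pwds[qs.get("pma_password", [""])[0]] += 1
    return users, pwds


def flag_sources(entries, threshold=3):
    """Source IP -> reason.  A guess count at or above threshold is brute
    force; a single enumeration probe is enough to flag on its own."""
    guesses, flagged = Counter(), {}
    for e in entries:
        tag = classify(e["uri"])
        if tag == "pma_bruteforce":
            guesses[e["ip"]] += 1
        elif tag == "wp_user_enum":
            flagged[e["ip"]] = "wp_user_enum"
    for ip, n in guesses.items():
        if n >= threshold:
            flagged[ip] = "pma_bruteforce"
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for uri, n in top_uris(entries).most_common(5):
        print(f"{n:4d}  {uri}")
    users, pwds = pma_credentials(entries)
    print("pma users:", dict(users), "pma passwords:", dict(pwds))
    print("flagged:", flag_sources(entries))
```

The query string is parsed rather than matched with a regex so that a blank pma_password= still counts as an attempt and so that parameter order does not matter; the slash collapsing is what lets the `///wp-json/wp/v2/users/` and `/wp-json/wp/v2/users/` rows of the table above be seen as the same probe.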
WordPress users
no | user | count |
---|---|---|
1 | | 53 |
WordPress passwords
no | pwd | count |
---|---|---|
1 | admin@123 | 3 |
2 | admin123 | 3 |
3 | password | 3 |
4 | pass | 3 |
5 | 123456 | 3 |
6 | Admin | 3 |
7 | adminadmin | 3 |
8 | 12345678 | 3 |
9 | 12345 | 3 |
10 | 123456789 | 3 |
11 | Admin123 | 2 |
12 | 123 | 2 |
13 | admin | 2 |
14 | @123 | 2 |
15 | [Login] | 2 |
16 | Admin@123 | 2 |
17 | onlinedocumentsite | 2 |
18 | 1234 | 1 |
19 | admin1234 | 1 |
20 | admim | 1 |
21 | @1234 | 1 |
22 | admin@1234 | 1 |
23 | mars | 1 |
24 | hello | 1 |
25 | [Login]123 | 1 |
26 | [Login]@123 | 1 |
Tomcat users
no | user | count |
---|---|---|
1 | | 2 |
Tomcat passwords
no | pwd | count |
---|---|---|
1 | | 2 |
New accesses in the last 24 hours
None
Summary
Things have calmed down.
News that caught my attention
0verpwn's XSS payload list was updated. Over 10,000 is impressive.
Update: Added 3710 more XSS Payloads, now contains 12710 XSS Payloads, I believe this is the largest collection of XSS payloads available anywhere, Please correct me if I'm wrong! :) https://t.co/lIsM2y2NWt #BugBounty #BugBountyTips
— 0verpwn (@0verpwn) June 6, 2019