Good write-up on $20k reward for RCE on Pornhub

  • deonbell
    Confirmed User
    • Sep 2015
    • 1045

    #1

    Good write-up on $20k reward for RCE on Pornhub

    Very good write-up. Smart Russian guy. With good detail.



    https://www.evonide.com/how-we-broke...-20000-dollar/

    We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone.
    We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm.
    Those vulnerabilities were remotely exploitable over PHP’s unserialize function.
    We were also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Hackerone).
    I don't understand most of it.
  • AdultKing
    Raise Your Weapon
    • Jun 2003
    • 15601

    #2
    Originally posted by deonbell
    I don't understand most of it.
    What he is saying is that they found a way to run a program on Pornhub that shouldn't have been allowed to happen and they remotely did so, thus gaining a bounty for finding the bug.

    They found a vulnerability in PHP that allowed them to do this.

    btw: follow @swiftonsecurity on Twitter for some internet security goodness.

    https://twitter.com/SwiftOnSecurity

    • plaster
      So Fucking Banned
      • Apr 2015
      • 2295

      #3
      Originally posted by deonbell
      I don't understand most of it.
      It means they will not get paid.
      The most pornhub manslut was going to shell out for this was $100 tops.

      • Bladewire
        StraightBro
        • Aug 2003
        • 56228

        #4
        I posted this before here.

        Also posted here a way for anyone to make a post on Pornhub that redirects to any site.

        • AdultKing
          Raise Your Weapon
          • Jun 2003
          • 15601

          #5
          Originally posted by plaster
          It means they will not get paid.
          The most pornhub manslut was going to shell out for this was $100 tops.
          PornHub has paid already. Every last cent of it.

          • plaster
            So Fucking Banned
            • Apr 2015
            • 2295

            #6
            Originally posted by Bladewire
            I posted this before here.

             Also posted here a way for anyone to make a post on Pornhub that redirects to any site.
             Can you post that method again, top tits?

            • plaster
              So Fucking Banned
              • Apr 2015
              • 2295

              #7
              Originally posted by AdultKing
              PornHub has paid already. Every last cent of it.
              And how do you know that?

              Edit: in their rules they said that revealing the method of exploit to "others" would negate the contract, or something similar to that. I know 2 people who can find exploits in anything and wouldn't touch that challenge with squirtit dick.

              • AdultKing
                Raise Your Weapon
                • Jun 2003
                • 15601

                #8
                Originally posted by plaster
                And how do you know that?
                Because I know.

                (know how to read)

                • plaster
                  So Fucking Banned
                  • Apr 2015
                  • 2295

                  #9
                  Originally posted by AdultKing
                  Because I know.

                  (know how to read)
                  Lol... I don't need to read, makes my "know everything" at Jeopardy. But going to take a stab at this... the Russian guy started bragging but the funds are actually not in the account yet... am I close?

                  • plaster
                    So Fucking Banned
                    • Apr 2015
                    • 2295

                    #10
                    2k paid... lol

                    • AdultKing
                      Raise Your Weapon
                      • Jun 2003
                      • 15601

                      #11
                      Originally posted by plaster
                      Lol... I don't need to read, makes my "know everything" at Jeopardy. But going to take a stab at this... the Russian guy started bragging but the funds are actually not in the account yet... am I close?
                      Originally posted by plaster
                      2k paid... lol
                      Now I know the meaning behind your nick.

                      It's the substance (plaster) that fills the cranial cavity between your ears. That can be the only explanation for your complete stupidity, either that or you were dropped on your head as a child, in which case I apologise because it's not cool to make fun of the mentally handicapped.

                      First take logic:

                      1. The owner of a web property worth millions of dollars is not going to put it at risk over 20k

                      2. Bug Bounties are commonplace and structures exist in their setup to ensure bounties are paid.

                      Now let's examine comprehension:

                      1. The authors thanked PornHub for being professional and competent.

                      2. The authors also stated that they received two bounties, one related to Pornhub and the other related to PHP itself.

                      3. The timeline of events has been verified by third parties.

                      To quote the authors:

                      Here is the timeline of the disclosure process:
                      2016-05-30 Hacked Pornhub and submitted the issue over Hackerone. Hours later Pornhub quickly fixed the issue by removing calls to unserialize
                      2016-06-14 Received a reward of $20,000
                      2016-06-16 Submitted issues to bugs.php.net
                      2016-06-21 Both bugs got fixed in PHP's security repository
                      2016-06-27 Received Hackerone IBB reward of $2,000 ($1,000 for each vulnerability)
                      2016-07-22 Pornhub resolved the issue on Hackerone

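What the thread keeps circling around (run attacker-supplied code on the server through unserialize; the fix in the timeline was to remove the unserialize calls) looks like this in working PHP. This is an added example; it is not code from the evonide write-up, from Pornhub, or from anyone posting in this thread. The UserPrefs and TempFile classes, the cookie format, the file path and the serialized payload are all constructed assumptions for the demo, and the TempFile destructor stands in for a gadget chain only.

```php
<?php
// Added example for this thread; not code from the evonide write-up, from
// Pornhub, or from anyone posting here. The classes, cookie contents and
// payload are hypothetical and constructed for the demo. Requires PHP 8.
declare(strict_types=1);

// The object an application legitimately wants to persist in a cookie.
final class UserPrefs
{
    public string $theme = 'dark';
    public int $pageSize = 20;
}

// Any other class in the process becomes reachable once unserialize() runs on
// attacker bytes. A destructor that acts on a property is a classic gadget;
// this one is a deliberately harmless toy (it unlinks a path it was given).
final class TempFile
{
    public string $path = '';
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: attacker-controlled bytes go straight into unserialize().
// The attacker picks the class, so a UserPrefs is only one possible result.
function loadPrefsVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Partial mitigation: allowed_classes stops object instantiation (the payload
// becomes a __PHP_Incomplete_Class), which kills gadget chains like TempFile.
// It does NOT stop the unserialize parser and the garbage collector from
// processing attacker bytes, which is where the write-up's use-after-free bugs
// lived, so it is not a substitute for removing the call.
function loadPrefsAllowList(string $cookie): mixed
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Hardened pattern, matching the fix in the timeline ("removing calls to
// unserialize"): a data-only format, a depth limit, and explicit validation of
// every field before it touches application state.
function loadPrefsSafe(string $cookie): UserPrefs
{
    $prefs = new UserPrefs();
    $data = json_decode($cookie, true, 2, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        return $prefs;                       // scalars and nulls are ignored
    }
    if (isset($data['theme']) && in_array($data['theme'], ['dark', 'light'], true)) {
        $prefs->theme = $data['theme'];
    }
    if (isset($data['pageSize']) && is_int($data['pageSize'])
        && $data['pageSize'] >= 1 && $data['pageSize'] <= 100) {
        $prefs->pageSize = $data['pageSize'];
    }
    return $prefs;
}

// Constructed demo. Run with: php unserialize_demo.php
$victim  = tempnam(sys_get_temp_dir(), 'victim');
$payload = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

$obj = loadPrefsVulnerable($payload);        // instantiates TempFile, not UserPrefs
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);                                 // __destruct runs and deletes $victim
printf("victim file still exists: %s\n", var_export(file_exists($victim), true));

$obj = loadPrefsAllowList($payload);         // __PHP_Incomplete_Class, no destructor
printf("allow-list: got %s\n", get_class($obj));

$p = loadPrefsSafe('{"theme":"light","pageSize":999}');
printf("safe: theme=%s pageSize=%d\n", $p->theme, $p->pageSize);   // 999 is out of range and ignored
try {
    loadPrefsSafe($payload);                 // serialized bytes are not JSON at all
} catch (JsonException $e) {
    printf("safe: rejected serialized payload (%s)\n", $e->getMessage());
}
```

The toy destructor is only there to make the class of exposure visible; the bugs that earned the bounty needed no gadget class at all, because the memory corruption was inside PHP's own handling of unserialize data by the garbage collector. That is why the allow-list variant is shown as a partial measure and the JSON variant as the actual fix: once untrusted bytes never reach unserialize, neither gadget chains nor parser or GC bugs in that code path are reachable from the network.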
                      • plaster
                        So Fucking Banned
                        • Apr 2015
                        • 2295

                        #12
                        Originally posted by AdultKing
                        Now I know the meaning behind your nick.

                        It's the substance (plaster) that fills the cranial cavity between your ears. That can be the only explanation for your complete stupidity, either that or you were dropped on your head as a child, in which case I apologise because it's not cool to make fun of the mentally handicapped.

                        First take logic:

                        1. The owner of a web property worth millions of dollars is not going to put it at risk over 20k

                        2. Bug Bounties are commonplace and structures exist in their setup to ensure bounties are paid.

                        Now let's examine comprehension:

                        1. The authors thanked PornHub for being professional and competent.

                        2. The authors also stated that they received two bounties, one related to Pornhub and the other related to PHP itself.

                        3. The timeline of events has been verified by third parties.

                        To quote the authors:
                        Robert... they are still cock suckers and your head is so far up their ass you should be wiping the shit from between your ears.

                        It doesn't matter... so they paid on something they said... I'm shocked, yeah.

                        I don't know why you are sucking up to these ass fucks anyway... you're talking about TGPs and shit in some of your posts. Holy fucking shit, nog man... what in the hell are you doing?

                        • deonbell
                          Confirmed User
                          • Sep 2015
                          • 1045

                          #13
                          Originally posted by AdultKing
                          What he is saying is that they found a way to run a program on Pornhub that shouldn't have been allowed to happen and they remotely did so, thus gaining a bounty for finding the bug.

                          They found a vulnerability in PHP that allowed them to do this.

                          btw: follow @swiftonsecurity on Twitter for some internet security goodness.

                          https://twitter.com/SwiftOnSecurity

                          Thank you.
                          Yes, but I get lost in the details.
                          The details of the exploit are too much. I bought the Shellcoder's Handbook, but it is difficult to read and an old book for 32-bit systems. I want to learn more about the stack and heap.

                          I want to find RCE too. I only find XSS. Maybe I'll try capture the flag.

                          I now follow SwiftOnSecurity. Very good. Thank you.

                          • CPA-Rush
                            small trip to underworld
                            • Mar 2012
                            • 4927

                            #14
                            Originally posted by deonbell
                            Thank you.
                            Yes, but I get lost in the details.
                            The details of the exploit are too much. I bought the Shellcoder's Handbook, but it is difficult to read and an old book for 32-bit systems. I want to learn more about the stack and heap.

                            I want to find RCE too. I only find XSS. Maybe I'll try capture the flag.

                            I now follow SwiftOnSecurity. Very good. Thank you.
                            You are crazy, man. I'm not sure why you don't post that on HackForums
                            ... if you have that big a brain, maybe after 10 years you will become the hacker you talk about now.

                            But are you ready to be bashed in their culture? Especially with your English, technical knowledge, impulsiveness!

                            Are you logical? Not trying to judge, btw.

                            • AdultKing
                              Raise Your Weapon
                              • Jun 2003
                              • 15601

                              #15
                              Originally posted by CPA-Rush
                              are you logical ?not trying to judge btw
                              I'm not sure the OP is "all there" actually.

                              • Google Expert
                                Webmaster
                                • Jun 2004
                                • 14294

                                #16
                                Originally posted by plaster
                                And how do you know that?
                                He could be on Mindgeek's payroll.

                                Would explain why he dicked around with filesharing sites instead of going after tubes.

                                • seeandsee
                                  Check SIG!
                                  • Mar 2006
                                  • 50945

                                  #17
                                  Good for them.