Hey Hunters,
Ever seen a Local File Inclusion (LFI) turn into full Remote Code Execution (RCE) using just a phpinfo() page?
Sounds crazy, right? But trust me, it's one of the coolest and mind-blowing tricks you'll ever see in web exploitation!
If you're truly curious and want to witness the full step-by-step Proof of Concept (PoC) tested on a live website, I'll walk you through every detail — no gatekeeping, just pure hacker knowledge.
This method will seriously change how you think about LFI vulnerabilities!
Show some love—React, comment, and follow me👉🏼 DarkShadow
#POC@brutsecurity
❤27🔥14👍7👨💻1
Brut Security
Please don't forget to share your reviews! 🤖
❤7👍2
😎Hello Hunters,
After a long wait🔥, I’ve finally published the complete methodology on:
LFI to RCE via phpinfo()
This in-depth article includes step-by-step explanations, multiple screenshots, and testing on a website. The full write-up is now live on our NAS BrutSecurity community platform.
Dive into the article for a detailed learning experience, and don’t forget to join us to stay updated with the latest exploits, techniques, and research!
👀https://nas.io/brutsecurity/feed/aagc
1❤15🔥5🗿5👍4🐳1🤣1
💥Hey hunters, I’m DarkShadow. Just dropping a quick tip — don’t skip this simple test method⚡
If there is a file upload functionality and the POST request is sent like:
fname="example.pdf"
Then try to execute code in the filename parameter like:
fname="example.pdf\";id;#"
If the web application does not sanitize properly and executes the command, then you've got RCE!
Join our penetration testing NAS community 👉🏼 brutsecurity
#BugBountytips@brutsecurity
👏25👍9👨💻5🔥3
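The tip above only works when the raw fname value ends up on a shell command line. As an added example (my own code, not from the post or any project it mentions), here is the server-side handling a defender wants instead: the client name is validated against an allowlist, never reused for storage, and any tool run on the stored file gets its path as an argv element rather than inside a shell string. The extension policy and the "file" scan command are assumptions for illustration.

```python
import os
import re
import uuid

# Assumed upload policy for this service (constructed for the example).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt"}
# Plain base names only: no quotes, ';', '#', spaces, control characters or leading dot.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def validate_client_filename(fname: str) -> bool:
    """True only for a bare base name made of allowlisted characters with an allowed extension."""
    if not fname or fname != os.path.basename(fname.replace("\\", "/")):
        return False  # a POSIX or Windows path separator was present
    if not _SAFE_NAME.match(fname):
        return False  # shell metacharacters such as the ";id;#" payload are rejected here
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    return ext in ALLOWED_EXTENSIONS


def server_side_name(fname: str) -> str:
    """Storage name that reuses nothing from the client except a validated extension."""
    if not validate_client_filename(fname):
        raise ValueError("upload rejected: unsafe filename")
    ext = fname.rsplit(".", 1)[-1].lower()
    return f"{uuid.uuid4().hex}.{ext}"


def build_scan_command(stored_path: str) -> list:
    """argv for a hypothetical post-upload scan; no shell parses it, so metacharacters stay literal."""
    return ["file", "--brief", "--", stored_path]


if __name__ == "__main__":
    for candidate in ["example.pdf", 'example.pdf";id;#', "../etc/passwd", "evil.php"]:
        print(f"{candidate!r}: {'accepted' if validate_client_filename(candidate) else 'rejected'}")
    print(build_scan_command(server_side_name("example.pdf")))
```

The injected name from the tip fails validate_client_filename, so it never reaches a command; even if a rejected name slipped through, build_scan_command passes it as one argv element, which subprocess.run executes without a shell.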
✅https://github.com/Arcanum-Sec/Scopify
👍13❤10
🧠 Bug Bounty Tip – Denial of Wallet Attacks 💸
You’ve heard of Denial of Service… but what about Denial of Wallet?
🔍 A Denial of Wallet (DoW) attack is when an attacker abuses a feature that’s free for users but costs the company money—draining resources, credits, or cloud budgets.
🚨 How Does This Work? It’s called a cost amplification attack — the attacker doesn’t spend a penny, but the company pays every time the action is triggered.
💥 Common Targets in Bug Bounty Programs:
Cloud Functions (e.g., AWS Lambda, Azure Functions)
Example:
A public search feature calls a Lambda function. You send 10,000 automated requests—boom, the company’s AWS bill spikes 📈.
Email/SMS APIs
Example:
Signup/login feature sends OTPs via Twilio or SendGrid. No rate-limiting? You can abuse this to drain credits by generating endless verification codes to your burner emails or numbers.
AI Chatbots (e.g., OpenAI, Claude APIs)
Example:
The company integrates an LLM bot on their site. Each chat costs them ~$0.01+. You script endless interactions—each response is a costly API call.
💡 Real-world Inspiration
As per PortSwigger’s article:
“A researcher abused a company’s serverless endpoint triggering costly Lambda functions—racking up bills with zero rate-limiting in place.”
Imagine reporting $5,000 of potential cloud misuse from one vulnerable endpoint. Now that’s a high-severity bug.
🛡️ What to Look For as a Bug Hunter:
Public features that trigger server-side logic
APIs without authentication or usage caps
No CAPTCHA or rate-limiting
LLM-based bots or dynamic content generation without user restrictions
Email/SMS OTP or notification abuse opportunities
✅ Tips Before You Report:
Demonstrate the cost impact (e.g., "This endpoint uses OpenAI’s API. X requests = $Y.")
Prove unrestricted access (no auth/rate-limiting)
Suggest mitigations like usage quotas, CAPTCHA, or billing caps
💰 These bugs often hide in plain sight, yet they can cause real financial damage—making them a favorite for high bounty payouts.
👍10🐳5❤3
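The post closes by suggesting usage quotas and billing caps as mitigations. As an added example (my own code, not from the post), here is a small guard a service would put in front of any paid downstream call such as an OTP SMS, an LLM completion or a Lambda invocation: a per-caller sliding-window limit and an independent global spend cap in integer cents. Running the constructed 10,000-request burst from the post against it shows why both brakes are needed: the per-caller limit stops one identity, and the spend cap bounds the bill when the caller rotates identities. The costs, limits and caller keys are constructed.

```python
from collections import defaultdict, deque


class DenialOfWalletGuard:
    """Two independent brakes in front of a paid action: per-key rate limit and a global spend cap."""

    def __init__(self, per_key_limit, window_seconds, unit_cost_cents, spend_cap_cents):
        self.per_key_limit = per_key_limit
        self.window = window_seconds
        self.unit_cost = unit_cost_cents       # what one accepted call costs the company
        self.spend_cap = spend_cap_cents       # hard ceiling on what this feature may spend
        self.spent_cents = 0
        self._hits = defaultdict(deque)        # caller key -> timestamps of accepted calls

    def check(self, key, now):
        """Return (allowed, reason). Call before the paid action; only accepted calls count."""
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.per_key_limit:
            return False, "rate_limited"
        if self.spent_cents + self.unit_cost > self.spend_cap:
            return False, "spend_cap_reached"
        q.append(now)
        self.spent_cents += self.unit_cost
        return True, "ok"


def simulate_burst(guard, key, n, start=0.0, interval=0.01):
    """Replay n rapid requests from one caller; returns (accepted, {reason: count})."""
    accepted, rejected = 0, defaultdict(int)
    for i in range(n):
        ok, reason = guard.check(key, start + i * interval)
        if ok:
            accepted += 1
        else:
            rejected[reason] += 1
    return accepted, dict(rejected)


def simulate_many_callers(guard, keys, per_key, start=0.0):
    """Rotating identities defeat the per-key limit; the spend cap is what bounds the bill."""
    accepted, rejected = 0, defaultdict(int)
    t = start
    for key in keys:
        for _ in range(per_key):
            ok, reason = guard.check(key, t)
            t += 0.01
            if ok:
                accepted += 1
            else:
                rejected[reason] += 1
    return accepted, dict(rejected)


if __name__ == "__main__":
    # Constructed scenario: 1 cent per OTP, 5 OTPs per caller per 10 minutes, $50 daily cap.
    guard = DenialOfWalletGuard(per_key_limit=5, window_seconds=600,
                                unit_cost_cents=1, spend_cap_cents=5000)
    print("single caller:", simulate_burst(guard, "203.0.113.7", 10000))
    guard = DenialOfWalletGuard(5, 600, 1, 100)
    print("40 rotating callers:", simulate_many_callers(guard, [f"k{i}" for i in range(40)], 5))
    print("spent cents:", guard.spent_cents)
```

When reporting, the same arithmetic the guard uses (accepted calls times unit cost) is the "X requests = $Y" figure the post asks for; the spend cap is the number the company should be able to state for every paid feature.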
Extract all URL endpoints from an application and dump them to the command-line with hakrawler!
How hakrawler works:
1️⃣ Spider the application
2️⃣ Query the wayback machine
3️⃣ Parse robots.txt and sitemap.xml files
👍8❤4🔥2
Hunting for misconfigured AWS S3 cloud buckets:
1. Clone CloudEnum
2. Run $ python3 cloud_enum.py -k <TARGET_KEYWORD>
3. Examine results 😎
https://github.com/initstring/cloud_enum
👍10
⚡ Simple Temp Mail Bypass Method🔥
Hello hunters! I'm DarkShadow, dropping a quick trick for when websites block temporary emails and only accept "legit" ones.
First, understand the security behind it:
When you sign up, the server doesn’t just trust your email. It checks if the domain is live via DNS before accepting and sending emails. Temp mail services use dead domains, so they fail this check.
Bypass Trick:
Use Burp Collaborator to create a "live" email!
Example:
Burp link: https://2twpagov8v5bsbmdwktmtkyygpmia9yy.oastify.com
Make it look like an email:
[email protected]
Since the domain is live (thanks to Burp), you’ll bypass the email validation easily!
Pro Tip:
Use Burp Collaborator emails — they’re not just for bypassing, they also help you spot SSRF vulnerabilities!
Follow me 👉🏼 DarkShadow 😁
#BugBountytips@brutsecurity
🔥17👍6❤4🤣3
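The post explains the check being bypassed: the server only verifies that the email's domain is live in DNS. As an added example (my own code, not from the post or from Burp Suite), here is that liveness check alongside the two layers a defender needs because liveness alone proves nothing about mailbox ownership: a disposable-domain blocklist and a single-use, expiring confirmation token. The MX table, the blocklist and the callback domain "abc123.oast.example" are constructed stand-ins for real DNS, a real list and a Collaborator-style host.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for MX lookups; a live callback host resolves just like a real mail domain.
CONSTRUCTED_MX = {
    "corp.example": ["mx1.corp.example"],
    "abc123.oast.example": ["abc123.oast.example"],
}
# Constructed stand-in for a maintained disposable-provider list.
DISPOSABLE_DOMAINS = {"tempmail.example", "dead-temp.example"}


def domain_is_live(domain, mx_table=CONSTRUCTED_MX):
    """The check the post describes: does the domain have mail records at all?"""
    return bool(mx_table.get(domain.lower()))


def screen_email(addr, mx_table=CONSTRUCTED_MX, blocklist=DISPOSABLE_DOMAINS):
    """Return (accepted, reason). Acceptance only means 'worth sending a confirmation to'."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or any(c in addr for c in " <>\r\n"):
        return False, "malformed"
    domain = domain.lower()
    if domain in blocklist:
        return False, "disposable_domain"
    if not domain_is_live(domain, mx_table):
        return False, "no_mx"
    return True, "pending_confirmation"   # a live domain is necessary, never sufficient


class ConfirmationStore:
    """Single-use tokens bound to an address; only the token hash is kept server-side."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}   # address -> (sha256(token), expires_at)

    def issue(self, addr, now):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[addr.lower()] = (digest, now + self.ttl)
        return token   # leaves the server only inside the confirmation email

    def confirm(self, addr, token, now):
        entry = self._pending.get(addr.lower())
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[addr.lower()]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[addr.lower()]   # single use
        return True


if __name__ == "__main__":
    for addr in ["alice@corp.example", "bob@dead-temp.example", "attacker@abc123.oast.example"]:
        print(addr, screen_email(addr))
    store = ConfirmationStore(ttl_seconds=60)
    token = store.issue("alice@corp.example", now=1000)
    print("confirmed:", store.confirm("alice@corp.example", token, now=1001))
```

The callback-domain address passes screen_email exactly as the post says it will; what stops it from becoming a usable account is that nobody who cannot read mail at that address can complete confirm.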
💬 Enjoying the free content?
If you found it helpful or valuable, consider leaving a small tip or a reaction to support us! 🫶✨
Your support helps us continue creating and sharing more awesome resources for everyone. 🚀❤️
Every contribution, big or small, truly makes a difference for the community. Thank you for being with us! 🙏
4👍28❤21🗿3🔥1👏1🤝1
Guys, how about my poem🙈
DarkShadow's Vulnerable Heart
I hate XSS — it plays with my mind,
I master SQLi — injections I find.
My crush? XXE — stealing the show,
LFI's easy — just follow the flow.
I dream of RCE — ultimate power,
But a broken auth melts me like a flower.
Race conditions — they're chasing me fast,
IDOR unlocks the secrets of the past.
SSRF teases — from inside the gate,
And open redirects just seal my fate.
DarkShadow hunts — in shadows unseen,
Turning every weakness into my dream.
I don’t just hack —
I rewrite the scene.
Written by ~DarkShadow
❤24🫡9👍5🗿5🤣3🤝2🐳1
DarkShadow truly remembers all of you:
Guys, some very interesting topics are coming soon about Advance XSS, leaking credentials to RCE, Google XSS POC, XXE to RCE, and more. Show your love, guys!
1. Learn less, practice more.
2. Tools are nothing without core knowledge.
3. Chasing basic bugs won't make you elite.
4. Pro hunters create new exploits, not copy old ones.
5. Think beyond checklists — think like an attacker.
❤44👍5🔥5🤝2🫡1
CVE-2025-32432: RCE in CraftCMS, 10.0 rating 🔥🔥🔥
0-day vulnerability makes some versions of CraftCMS vulnerable to RCE. Used in the wild in combination with CVE-2024-58136.
Search at Netlas.io:
👉 Link: https://nt.ls/XVVPd
👉 Dork: http.headers.x_powered_by:"Craft CMS"
Vendor's advisory: https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
❤12👍3🔥2
👍10🔥5
Hello Hunters,
DarkShadow here, back again with a quick tip and a heads-up: you might encounter SSRF vulnerabilities in email-sending features!
Take a look at these screenshots — the website actively validates emails to block temporary email addresses. However, when I used Burp Collaborator as the email input, I received DNS, SMTP, and even HTTP responses!
This demonstrates that during pentesting, instead of relying on temporary mail services, you should always use Burp Collaborator to uncover hidden vulnerabilities.
Stay sharp and hunt smarter!
Follow me👉🏼 DarkShadow
#bugbountytips@brutsecurity #ssrf
🗿12👍10❤9🔥7