Code injection is an attack that delivers a malicious code payload through a vulnerable attack vector, such as an eval() call that applies no sanitization and does not block dangerous functions like exec(), shell_exec(), system() or passthru().
While hunting on a private program, I like to search for custom parameters in Burp Suite after finishing a test, like SSRF, LFI and XSS parameters and ones I added myself; you can see the GF-Patterns repo for many parameters.
I found an interesting parameter named [ local ] in a POST request. I tried to test SSRF and LFI but failed.
Trying to inject PHP code because the subdomain uses…
The Wayback Machine (web.archive.org) is a digital archive of the World Wide Web.
Users can enter a URL to view and interact with past versions of any website contained in the Archive, even if the site no longer exists on the “live” web.
It also stores URLs.
A company asked me to do a pentest on its website. This company provides a service to developers; the service is used via paid API keys, for example to display the climate on websites.
I signed up on this website and started to use this service to learn how it runs and write anything…
Note: Since it’s a private program, I will call it example.com.
If you send too many requests, the password reset endpoint blocks you with response code 429 and the response message “Too many requests”.
Attempts during testing
1- Change the User-Agent header’s value randomly in every request. [Failed]
2- Adding headers like the ones below: [Failed]
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Host: 127.0.0.1 …