Share
## https://sploitus.com/exploit?id=C347A41F-D8DF-5047-AF98-E8721E43B124
[![Python](https://img.shields.io/badge/Python-3.10%2B-3776AB?style=for-the-badge&logo=python&logoColor=white)](https://www.python.org/)
[![OWASP](https://img.shields.io/badge/OWASP-Top%2010-000000?style=for-the-badge&logo=owasp&logoColor=white)](https://owasp.org/)
[![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
[![EC-Council](https://img.shields.io/badge/EC--Council-Bug%20Bounty-red?style=for-the-badge)](https://www.eccouncil.org/)
[![Modules](https://img.shields.io/badge/Modules-12%20Scanners-blueviolet?style=for-the-badge)](/)
[![Reports](https://img.shields.io/badge/Reports-PDF%20%2B%20Markdown-orange?style=for-the-badge)](/)



```
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ• โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
 โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
 โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•
```

### *The Ultimate PHP Web Security Scanner for Bug Bounty & Penetration Testing*



> โš ๏ธ **For authorized security testing only.** Use responsibly.



---

## ๐Ÿ“– Table of Contents

- [Overview](#-overview)
- [Key Features](#-key-features)
- [Scanner Modules](#-scanner-modules)
- [Architecture](#-architecture)
- [Installation](#-installation)
- [Usage](#-usage)
- [Authentication](#-authentication)
- [PHP Exploitation Module](#-php-exploitation-module)
- [Payment Bypass Module](#-payment-bypass-module)
- [Report Generation](#-report-generation)
- [Target Analysis](#-target-analysis)
- [OWASP Coverage](#-owasp-coverage)
- [Legal Disclaimer](#-legal-disclaimer)
- [Author](#-author)

---

## ๐Ÿ” Overview

**BugScanner** is a professional-grade, modular Python web vulnerability scanner engineered for **bug bounty hunters**, **penetration testers**, and **security researchers**. Built specifically around the **OWASP Top 10 (2021)** framework, it combines automated detection with deep PHP-specific exploitation capabilities.

Unlike generic scanners, BugScanner is **source-intelligence driven** โ€” it can parse target JavaScript and HTML source files to extract exact API endpoints, response codes, and parameter names, then surgically craft tests against the real attack surface instead of guessing blindly.

```
Target JS/HTML Analysis โ†’ API Surface Map โ†’ Surgical Exploitation โ†’ HackerOne-Grade Report
```

**Designed for:**
- EC-Council Bug Bounty Course assignments
- HackerOne / Bugcrowd submissions
- CTF Lab environments
- Authorized penetration testing engagements

---

## โœจ Key Features

| Feature | Description |
|--------|-------------|
| ๐Ÿง  **Source Intelligence** | Parse JS/HTML to extract real API endpoints and response codes |
| ๐Ÿ” **Auto Authentication** | Auto-detects login forms, CSRF tokens, handles PHP response codes |
| ๐Ÿ“‹ **12 Scan Modules** | Full OWASP Top 10 coverage + PHP-specific + Payment Bypass |
| ๐Ÿ“„ **Dual Reports** | Professional PDF + Markdown in HackerOne/Bugcrowd format |
| ๐ŸŽฏ **CVSS 3.1 Scoring** | Every finding gets a CVSS vector and numerical score |
| ๐Ÿƒ **Race Condition Engine** | Multi-threaded parallel request firing for timing attacks |
| ๐Ÿ’พ **DB Dump Module** | UNION SQLi, LOAD_FILE, INTO OUTFILE, phpMyAdmin brute force |
| ๐Ÿš **Webshell Detection** | Probes 20+ shell paths + upload bypass attempts |
| ๐Ÿช™ **Crypto Payment Bypass** | Business logic tests sourced directly from site JS |
| ๐Ÿ”‘ **JWT Attacks** | alg:none, 23 weak secrets, kid path traversal |
| ๐Ÿ“ก **SSRF Probing** | AWS/GCP/Azure metadata, internal network |
| ๐Ÿ”’ **Scope Validation** | Blocks RFC-1918 IPs, validates target domain |

---

## ๐Ÿงฉ Scanner Modules


Click to expand full module details

### Core OWASP Modules

| Module Key | Name | OWASP | CWE | Techniques |
|-----------|------|-------|-----|------------|
| `xxe` | XML External Entity | A4:2021 | CWE-611 | Classic, OOB, SVG, SOAP, blind |
| `sqli` | SQL Injection | A3:2021 | CWE-89 | Error-based, time-based, boolean-blind, UNION (5 DB signatures) |
| `xss` | Cross-Site Scripting | A3:2021 | CWE-79 | 18 reflected payloads, stored, header, DOM sinks |
| `ssrf` | Server-Side Request Forgery | A10:2021 | CWE-918 | AWS/GCP/Azure metadata, internal network, webhooks |
| `idor` | Insecure Direct Object Reference | A1:2021 | CWE-639 | ID enumeration, mass assignment, API enumeration |
| `cmdi` | OS Command Injection | A3:2021 | CWE-78 | Shell metacharacters, time-based blind |
| `lfi` | Local File Inclusion | A5:2021 | CWE-22 | Traversal 2-6 deep, null bytes, double-encoding, PHP wrappers |
| `open_redirect` | Open Redirect | A10:2021 | CWE-601 | 10 bypass variants, form fields, JS DOM sinks |
| `headers` | Security Headers | A5:2021 | CWE-16 | 6 headers, CORS, cookies, 22 sensitive file paths |
| `jwt` | JWT / Broken Auth | A2:2021 | CWE-287 | alg:none, 23 weak secrets, claim manipulation, kid traversal |

### Specialized Modules

| Module Key | Name | OWASP | Key Tests |
|-----------|------|-------|-----------|
| `payment` | Crypto Payment / Balance Bypass | A1:2021 | 15 business-logic tests sourced from allinone.js |
| `php` | PHP-Specific Exploitation | A5:2021 | 13 PHP attack categories (see below) |



---

## ๐Ÿ—๏ธ Architecture

```
bugscanner/
โ”‚
โ”œโ”€โ”€ main.py                     # CLI entrypoint (Click + Rich)
โ”‚
โ”œโ”€โ”€ scanners/
โ”‚   โ”œโ”€โ”€ base.py                 # BaseScanner + Finding dataclass
โ”‚   โ”œโ”€โ”€ xxe.py                  # XML External Entity
โ”‚   โ”œโ”€โ”€ sqli.py                 # SQL Injection
โ”‚   โ”œโ”€โ”€ xss.py                  # Cross-Site Scripting
โ”‚   โ”œโ”€โ”€ ssrf.py                 # Server-Side Request Forgery
โ”‚   โ”œโ”€โ”€ idor.py                 # Insecure Direct Object Reference
โ”‚   โ”œโ”€โ”€ cmdi.py                 # OS Command Injection
โ”‚   โ”œโ”€โ”€ lfi.py                  # Local File Inclusion
โ”‚   โ”œโ”€โ”€ open_redirect.py        # Open Redirect
โ”‚   โ”œโ”€โ”€ headers.py              # Security Headers & Misconfig
โ”‚   โ”œโ”€โ”€ jwt_check.py            # JWT / Broken Authentication
โ”‚   โ”œโ”€โ”€ payment_bypass.py       # Crypto Payment Bypass (site-tuned)
โ”‚   โ””โ”€โ”€ php_specific.py         # PHP Exploitation Suite
โ”‚
โ”œโ”€โ”€ utils/
โ”‚   โ”œโ”€โ”€ auth.py                 # AuthManager: form/JSON/basic/CSRF
โ”‚   โ”œโ”€โ”€ http_client.py          # Shared requests.Session wrapper
โ”‚   โ”œโ”€โ”€ scope.py                # Target scope & IP validation
โ”‚   โ””โ”€โ”€ logger.py               # Rich logging setup
โ”‚
โ”œโ”€โ”€ reporter/
โ”‚   โ”œโ”€โ”€ generator.py            # PDF (ReportLab) + Markdown generator
โ”‚   โ””โ”€โ”€ templates/
โ”‚       โ”œโ”€โ”€ report.md.j2        # Jinja2 Markdown template
โ”‚       โ””โ”€โ”€ report.html.j2      # Jinja2 HTMLโ†’PDF template
โ”‚
โ”œโ”€โ”€ Target/                     # Drop target JS/HTML here for analysis
โ”‚   โ”œโ”€โ”€ allinone.js
โ”‚   โ””โ”€โ”€ ...
โ”‚
โ”œโ”€โ”€ reports/                    # Generated reports land here
โ”œโ”€โ”€ requirements.txt
โ””โ”€โ”€ README.md
```

---

## โš™๏ธ Installation

### Prerequisites

- Python **3.10+**
- pip

### Quick Setup

```bash
# 1. Clone or download the tool
git clone https://github.com/yourusername/bugscanner.git
cd bugscanner

# 2. Install dependencies
pip install -r requirements.txt

# 3. Verify installation
python main.py list-modules
```

### Dependencies

```
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
click>=8.1.0
rich>=13.0.0
Jinja2>=3.1.0
reportlab>=4.0.0
weasyprint>=60.0
```

---

## ๐Ÿš€ Usage

### Basic Scan

```bash
python main.py scan \
  -t https://target.com \
  --i-have-permission
```

### Full Authenticated Scan

```bash
python main.py scan \
  -t https://target.com \
  --i-have-permission \
  -u your_username \
  -p your_password \
  --verbose
```

### Run Specific Modules

```bash
# PHP exploitation only
python main.py scan -t https://target.com --i-have-permission --modules php

# Payment bypass only
python main.py scan -t https://target.com --i-have-permission -u USER -p PASS --modules payment

# Combined high-value modules
python main.py scan -t https://target.com --i-have-permission -u USER -p PASS \
  --modules php payment sqli lfi --verbose
```

### Test Authentication First

```bash
python main.py test-login \
  -t https://target.com \
  -u your_username \
  -p your_password
```

### List All Modules

```bash
python main.py list-modules
```

### All CLI Options

```
Options:
  -t, --target TEXT           Target URL (required)
  --i-have-permission         Confirm authorization (required)
  -m, --modules CHOICE        Modules to run (default: all)
  -u, --username TEXT         Login username
  -p, --password TEXT         Login password
  --login-url TEXT            Explicit login URL (auto-detected if omitted)
  --auth-type CHOICE          auto|form|json|basic (default: auto)
  -o, --output TEXT           Report output directory (default: ./reports)
  --timeout INTEGER           HTTP timeout in seconds (default: 10)
  --threads INTEGER           Concurrent threads (default: 5)
  --cookies TEXT              Manual cookie string (e.g. 'PHPSESSID=abc')
  --headers-extra TEXT        Extra headers as JSON string
  --depth INTEGER             Crawl depth (default: 2)
  --no-pdf                    Skip PDF generation
  --format CHOICE             pdf|markdown|both (default: both)
  -v, --verbose               Verbose output
```

---

## ๐Ÿ” Authentication

BugScanner includes a fully automatic authentication pipeline:

```
1. Auto-detect login URL (scans common paths + LOGIN_URL_PATTERNS)
2. Parse login form โ†’ extract field names + CSRF tokens
3. Submit credentials via form POST / JSON / Basic Auth
4. Evaluate response (body text, status code, redirect, JSON token)
5. Apply session cookies + auth headers to ALL subsequent scanner requests
```

### PHP Site-Specific Authentication

For PHP sites returning single-character response codes (e.g., `'5'` = success):

```bash
python main.py scan \
  -t https://php-target.com \
  --i-have-permission \
  --auth-type form \
  --login-url /login.php?login \
  -u YOUR_USERNAME \
  -p YOUR_PASSWORD
```

The auth engine recognizes these response codes automatically:

| Code | Meaning |
|------|---------|
| `5` | Login success |
| `3` | No such account |
| `0` | IP rate-limited |
| `1` | Username rate-limited |

---

## ๐Ÿ˜ PHP Exploitation Module

The `php` module targets 13 attack categories specific to PHP applications:

```bash
python main.py scan -t https://target.com --i-have-permission --modules php --verbose
```

### What It Tests

| # | Test | Severity | Description |
|---|------|----------|-------------|
| 1 | **PHPInfo Exposure** | HIGH | Probes 6 phpinfo paths, extracts PHP version |
| 2 | **Version Header Disclosure** | LOW | X-Powered-By / Server header leak |
| 3 | **Sensitive File Exposure** | CRITICAL | 50+ paths: `.env`, `config.php`, `database.sql`, `.git`, backups |
| 4 | **DB Admin Panel Discovery** | CRITICAL | phpMyAdmin, Adminer, SQLiteManager (15 paths) |
| 5 | **Pre-existing Web Shells** | CRITICAL | 20+ known shell signatures (c99, r57, WSO, b374k) |
| 6 | **PHP Error Mode** | MEDIUM | Triggers errors to expose file paths and stack traces |
| 7 | **PHP Object Injection** | CRITICAL | Unserialize gadget chain detection |
| 8 | **Remote File Inclusion** | CRITICAL | data:// wrapper RFI with execution verification |
| 9 | **LFI + PHP Filter Wrappers** | CRITICAL | `php://filter/base64-encode` to read PHP source files |
| 10 | **SQL Injection โ†’ DB Dump** | CRITICAL | UNION, error-based, `LOAD_FILE()`, `INTO OUTFILE` |
| 11 | **phpMyAdmin Default Creds** | CRITICAL | Tests 9 default credential pairs |
| 12 | **Server-Side Template Injection** | CRITICAL | Twig, Smarty, ERB expression evaluation |
| 13 | **Webshell Upload** | CRITICAL | Extension bypass, Content-Type spoofing, null byte, .htaccess |

### PHP Filter Wrapper โ€” Read Source Code

```
GET /index.php?page=php://filter/convert.base64-encode/resource=config.php
              โ†’ Base64 blob โ†’ decoded PHP source with DB credentials
```

### MySQL File Operations via SQLi

```sql
-- Read server files (requires FILE privilege)
' UNION SELECT LOAD_FILE('/etc/passwd'),2,3-- -
' UNION SELECT LOAD_FILE('/var/www/html/config.php'),2,3-- -

-- Write webshell (requires write permission on webroot)
' UNION SELECT '' INTO OUTFILE '/var/www/html/x.php'-- -
```

---

## ๐Ÿ’ฐ Payment Bypass Module

The `payment` module was purpose-built for PHP e-commerce / crypto deposit sites, with tests reverse-engineered directly from real JavaScript source analysis.

```bash
python main.py scan -t https://target.com --i-have-permission -u USER -p PASS \
  --modules payment --verbose
```

### 15 Business Logic Tests

| # | Test | Priority | Vector |
|---|------|----------|--------|
| 1 | **Payment Type Enumeration** | HIGH | `GET /money_add.php?type=0/-1/999` |
| 2 | **Force-Confirm Order (IDOR)** | ๐Ÿ”ด CRITICAL | `GET /money_view.php?check_order=` |
| 3 | **Cross-User Order Takeover** | ๐Ÿ”ด CRITICAL | Sequential order ID enumeration |
| 4 | **Fake Transaction Hash** | CRITICAL | Submit fake LTC/BTC hash to deposit endpoint |
| 5 | **Amount Parameter Injection** | MEDIUM | `amount=9999` alongside payment type |
| 6 | **Direct Balance Manipulation** | CRITICAL | `/info.php?set_balance=9999` |
| 7 | **Quick Buy with Zero Balance** | CRITICAL | `POST /cc_buy.php?buy_one` |
| 8 | **Basket Buy with Low Balance** | CRITICAL | `GET /cc_basket.php?buy` |
| 9 | **Bulk Cart Duplicate IDs** | MEDIUM | Send same `id[]` 20ร— in one request |
| 10 | **Transaction History IDOR** | HIGH | `get_history=0/all/'` |
| 11 | **Purchased Card IDOR** | CRITICAL | `get_card=` |
| 12 | **Card Data IDOR** | CRITICAL | `get_card_data=` without purchase |
| 13 | **Password Change No-Auth** | CRITICAL | `POST /ch_password.php` with empty/wrong password |
| 14 | **Race Condition** | CRITICAL | 10 parallel `check_order` requests |
| 15 | **Session Cookie Flags** | MEDIUM | PHPSESSID HttpOnly/Secure/SameSite audit |

---

## ๐Ÿ“„ Report Generation

Every scan automatically produces two professional reports:

```
reports/
โ””โ”€โ”€ bugscanner_target.com_20240324_143052/
    โ”œโ”€โ”€ report.pdf          โ† Professional PDF with cover page
    โ””โ”€โ”€ report.md           โ† Markdown for Bugcrowd/HackerOne submission
```

Each finding includes:
- **Title** and **Severity** (CRITICAL / HIGH / MEDIUM / LOW / INFO)
- **CVSS 3.1 Score** and **Vector String**
- **OWASP Category** and **CWE Reference**
- **Proof of Concept** โ€” exact URL, parameter, payload
- **Evidence** โ€” response excerpts confirming the vulnerability
- **Impact** โ€” real-world exploitation scenario
- **Remediation** โ€” specific fix with code examples

---

## ๐Ÿ”ฌ Target Analysis

Drop the target website's JS/HTML files into the `Target/` folder to enable **source intelligence mode**. BugScanner extracts:

- All AJAX endpoint URLs and HTTP methods
- POST field names and expected response codes
- Client-side validation logic (to bypass server-side)
- DOM XSS sinks (`.html()`, `.append()` with server data)

**Endpoints extracted from EC-Council CVV HUB training target:**

```
POST /login.php?login              response: '5'=ok, '3'=no-acct, '0'=ip-ban
GET  /info.php?get_balance         returns: "0,91" comma-decimal format
GET  /money_add.php?type=     type 5 = USDT min $50
GET  /money_view.php?check_order=  HIGH VALUE: returns '1' = payment confirmed
POST /cc_buy.php?buy_one           response: 3=bought, 2=low-bal, 0=err
GET  /cc_basket.php?buy            response: '3'=bought
POST /ch_password.php              returns new auto-generated password!
```

---

## ๐Ÿ“Š OWASP Coverage

```
OWASP Top 10 (2021) โ€” 10/10 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 100%

A1  Broken Access Control      โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ IDOR, Payment Bypass, PHP Auth
A2  Cryptographic Failures     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ JWT Attacks, Session Flags
A3  Injection                  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ SQLi, XSS, CMDi, XXE, RFI, SSTI
A4  Insecure Design            โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ Payment Business Logic Testing
A5  Security Misconfiguration  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ Headers, PHPInfo, DB Admin Panels
A6  Vulnerable Components      โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ PHP Version Detection, CVE Mapping
A7  Auth Failures              โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ JWT, Default Creds, PW Bypass
A8  Data Integrity Failures    โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ PHP Object Injection / Unserialize
A9  Logging & Monitoring       โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ Error Mode & Debug Exposure
A10 SSRF                       โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ Cloud Metadata, Internal Network
```

---

## ๐Ÿ’ก Advanced Tips

```bash
# Use manually grabbed browser cookies
python main.py scan -t https://target.com --i-have-permission \
  --cookies "PHPSESSID=abc123def456"

# Add custom headers (e.g. bypass WAF, internal routing)
python main.py scan -t https://target.com --i-have-permission \
  --headers-extra '{"X-Forwarded-For": "127.0.0.1"}'

# Maximum coverage attack
python main.py scan -t https://target.com --i-have-permission \
  -u admin -p password \
  --modules php payment sqli lfi idor headers jwt \
  --verbose --format both --output ./my_reports
```

---

## โš–๏ธ Legal Disclaimer

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘              โš   AUTHORIZED USE ONLY โš                โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘                                                       โ•‘
โ•‘  โœ“ Bug bounty programs with explicit written scope    โ•‘
โ•‘  โœ“ CTF (Capture The Flag) lab environments            โ•‘
โ•‘  โœ“ Systems you own or have written permission to test โ•‘
โ•‘  โœ“ EC-Council course lab environments                 โ•‘
โ•‘                                                       โ•‘
โ•‘  โœ— Unauthorized scanning of third-party systems       โ•‘
โ•‘  โœ— Any use violating computer fraud laws (CFAA/CMA)   โ•‘
โ•‘  โœ— Malicious exploitation of discovered vulns         โ•‘
โ•‘                                                       โ•‘
โ•‘  The author assumes NO LIABILITY for misuse.          โ•‘
โ•‘  Unauthorized use is a criminal offense worldwide.    โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```

---



---

## ๐Ÿ‘จโ€๐Ÿ’ป Author & Signature



```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘                                                                      โ•‘
โ•‘    โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ–ˆโ•—      โ•‘
โ•‘    โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘      โ•‘
โ•‘    โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘      โ•‘
โ•‘    โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘      โ•‘
โ•‘    โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘      โ•‘
โ•‘    โ•šโ•โ•     โ•šโ•โ• โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•     โ•šโ•โ•โ•šโ•โ•     โ•šโ•โ•      โ•‘
โ•‘                                                                      โ•‘
โ•‘    โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—                   โ•‘
โ•‘    โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘                   โ•‘
โ•‘    โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘    โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘                   โ•‘
โ•‘    โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘                   โ•‘
โ•‘    โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘                   โ•‘
โ•‘    โ•šโ•โ•     โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•   โ•šโ•โ•  โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•                   โ•‘
โ•‘                                                                      โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘                                                                      โ•‘
โ•‘                  Muhammad Faizan                                     โ•‘
โ•‘                  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€                       โ•‘
โ•‘                  Cybersecurity Researcher                            โ•‘
โ•‘                  Bug Bounty Hunter                                   โ•‘
โ•‘                  EC-Council Bug Bounty Student                       โ•‘
โ•‘                                                                      โ•‘
โ•‘                  ๐Ÿ“ง  faizzyhon@gmail.com                             โ•‘
โ•‘                                                                      โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```



[![Email](https://img.shields.io/badge/Email-faizzyhon%40gmail.com-red?style=for-the-badge&logo=gmail&logoColor=white)](mailto:faizzyhon@gmail.com)
[![EC-Council](https://img.shields.io/badge/EC--Council-Bug%20Bounty%20Student-blue?style=for-the-badge)](https://www.eccouncil.org/)
[![Bug Bounty](https://img.shields.io/badge/Status-Active%20Researcher-brightgreen?style=for-the-badge&logo=hackerone)](/)



---

```
  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—
  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•     โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ•šโ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•
  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ–ˆโ•—    โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘    โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘    โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘     โ•šโ–ˆโ–ˆโ•”โ•
  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•    โ–ˆโ–ˆโ•‘     โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘      โ–ˆโ–ˆโ•‘
  โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ• โ•šโ•โ•โ•โ•โ•โ•     โ•šโ•โ•      โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•  โ•šโ•โ•โ•โ•   โ•šโ•โ•      โ•šโ•โ•

        "The quieter you become, the more you can hear."
                     โ€” hack the planet ๐ŸŒ โ€”
```



---

*Engineered with ๐Ÿ”ฅ passion for cybersecurity*
*EC-Council Bug Bounty Course โ€” 2024*

**ยฉ 2024 Muhammad Faizan โ€” All Rights Reserved**

*โญ If this tool helped you find a bug, drop a star!*