Find PII Info Disclosure Bugs With this Simple GUI Tool-Easy P1😍

AjakCybersecurity
6 min readApr 29, 2024

--

Thank you for 2K Followers, keep showing love :) Hi, Ajak Amico’s welcome back to another blog today. One of my subscriber hit me this tool, and said I got a easy bounty, with this GUI tool just by leaking employers username and passwords and asked me to share it, which could be beneficial to all bug bounty hunters out there, so here I am. In this blog, I will show how to find Easy PII info disclosure bugs using a simple GUI tool. Before starting, if you haven’t subscribed to our channel, do subscribe, guys. Contents related to cyber security, Bug Bounty, and Digital Forensics Investigation.

Credits: https://www.instagram.com/randyrishi27/

Follow our Youtube Channel: @ajakcybersecurity (360 Videos)

Follow on Instagram: AjakCybersecurity

What is -PII Disclosure?

PII stands for Personally Identifiable Information It is information that, when used alone or with other relevant data, can identify an individual.

PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.

What is this COMB?

In February of 2021, the largest dataset of leaked credentials (emails, usernames, and passwords) named COMB (Combination Of Many Breaches) was leaked to the public. It was the largest data leak of all time, containing over 3.2 billion credentials combined across from various other data breaches over the years from services such as Netflix, LinkedIn and many others. The purpose of this tool is to make that massive dataset of leaked usernames and passwords easily searchable, and to encourage better security practices by giving people an ability to check if their credentials were leaked and thus exposed to hackers.

To Access: Search for leaked passwords inside the largest dataset of all time (Combination Of Many Breaches) (proxynova.com)

Usage of this Tool

This tool has a large collection of breached datasets, which we can use to find the information and report to the organization. This is a fully GUI-based tool we can use very easily and it contains various other tools too we will explore further

Let’s learn practically !!!

click the link and open the website.

Now enter your target here, for Demo purposes I used ‘airtel’ as my target, you can choose your target accordingly. Enter the target website or organization in the search tab by mentioning ‘@’ before the target then hit enter. (eg: @target.com)

As you could see the employers breached, username and password will be listed

Let’s Try with Tesla.com

as you can it shows some credentials. like this you can just simply enter your target name,and search for PII information.

Escalation:

In order to escalate this issue again, just try to get the target employers login page, and give the username and credentials, if it works, it’s going to be a jackpot for you.

Other Features of this tool

Port Scanner

As a tester, we have to wait more time for the report like if you are using NMAP to scan the open ports available in the IP address. this tool helps you to avoid those waiting times.

It has a GUI-based port scanner you can share here easily.

I choose Target as Home of Acunetix Art (vulnweb.com)

we need ip address for the website so go to the command prompt and give ping testphp.vulweb.com hit enter, it shows the ip address copy that paste it into the tool search bar and in port add 80,443.

BOOM!!!!!! within a fraction of a second, it gives the result.

IP address to location

This is my favourite feature of this tool we can find geo locations using the IP address, it takes IP addresses as the input it will list the continent, country, region, city and coordinates. You can give one or more IP addresses at the same.

I give the IP addresses of the test website which we use for the port scanner.

then press the find location within a few seconds it produces the results. For this IP address, it produces.

Is it accurate?

The accuracy will ultimately depend on the database that is being used as some are more accurate than others. this tool sources the geolocation data from GeoLite2 by MaxMind and then refresh that data periodically once a month if possible. Regarding exact accuracy,

Always keep in mind that whoever is trying to track you down, may have access to a more accurate database, and thus be able to get a more precise location from your IP address.

To find the exact physical location from your IP address, someone would have to contact your Internet Service Provider (ISP) and ask them to provide such information since they are the ones who would have it. However, your ISP is very unlikely to give up that information to anyone other than the police or some other authority.

Link Extractor

This tool will extract all the links — both internal and external — found on the page. No browser extensions are needed. No programming needed. Works with JavaScript-heavy websites that render completely client-side too. Useful for webmasters when optimizing their website for search engines as linking to too many external links theoretically hurts your “page rank”.

Type the target in search bar and hit enter.

it lists all the link available by the zoho.

Find IP Ranges by Location

one of the interesting features of the tool is we can find the IP ranges by our location.

In this enter the location do you want to search the IP ranges then click draw circle choose the circle you want to search.

it will produce results we can export as csv file or any format.

Results:

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Hope you have learned some information from this blog if so, kindly press the follow button for further updates. Best wishes from Ajak Cybersecurity.❤️

“கற்றவை பற்றவை🔥”

Learn Everyday, Happy Hacking 😁🙌

https://www.buymeacoffee.com/Ajak

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Follow our Youtube Channel: @ajakcybersecurity

Follow on Instagram: @ajakcybersecurity

--

--

AjakCybersecurity

Security Researcher @UK || Digital Forensics Investigator|| Web Pentester||Youtuber| Instructor|| Blogger https://www.youtube.com/@ajakcybersecurity23