https://github.com/brosck/bugbountytricks

bounty bug bugbounty security tips tricks

「🐞」Bug Bounty Tricks

Welcome to my repository! Here I keep the tricks I developed throughout my career as a bug hunter; I hope they help you.

# Requirements:

* Anew
* Asnmap
* Assetfinder
* Dalfox
* Eyewitness
* GetJS
* GF
* HTML-Tool
* Httpx
* Oralyzer
* Paramspider
* Qsreplace
* Rustscan
* SQLMap
* Sublist3r
* Tlsx
* Waybackurls

The commands also use `curl`, `dig`, `awk` and `sed`, which ship with most Unix systems.

# Unix Terminal:

### Extract subdomains and check which are active

```
sublist3r -d scope.com -o extracted_subdomains.txt;cat extracted_subdomains.txt | httpx -silent -o verified_subdomains.txt;cat verified_subdomains.txt | awk -F[/:] '{print $4}' | anew > subdomains.txt;rm verified_subdomains.txt extracted_subdomains.txt

cat domains.txt | assetfinder -subs-only | httpx -silent | awk -F[/:] '{print $4}' | tee -a subdomains.txt
```

### Extract subdomains (manually)

```
for scope in $(cat domains.txt);do curl "https://web.archive.org/cdx/search/cdx?url=*.$scope/*&output=text&fl=original&collapse=urlkey" | awk -F[/:] '{print $4}' | anew | sed -e 's/:80//' | httpx -silent | awk -F[/:] '{print $4}' | tee -a subdomains.txt;done
```
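The `awk -F[/:] '{print $4}' | anew` step in the two subdomain commands above works for plain scheme://host URLs, but it prints the username for https://user:pw@host/, prints nothing for a protocol-relative //host, and lets App.scope.com, app.scope.com:443 and app.scope.com. through `anew` as three separate entries. The script below is an added example, not part of this repo, of a hostname extractor that handles those cases; the function names and every hostname in it are made up.

```shell
#!/bin/sh
# Added example (not from the bugbountytricks repo): a stricter replacement for
# `awk -F[/:] '{print $4}'`. Steps, in order: drop the scheme, drop a leading
# "//", drop userinfo up to "@", drop path/query/fragment, drop a numeric port,
# drop a trailing dot, drop empty lines, then lowercase. Hostnames are made up.

# stdin: URLs or bare hostnames, one per line; stdout: lowercase hostnames.
url_host() {
    sed -E \
        -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
        -e 's|^//||' \
        -e 's|^[^/?#@]*@||' \
        -e 's|[/?#].*$||' \
        -e 's|:[0-9]+$||' \
        -e 's|\.$||' \
        -e '/^$/d' |
    tr '[:upper:]' '[:lower:]'
}

# Constructed input: the same hosts written several ways, plus the userinfo
# and protocol-relative forms the awk trick gets wrong.
SAMPLE_URLS='https://App.scope.com:443/login
http://app.scope.com/
https://user:pw@internal.scope.com/admin
//static.scope.com/x.js
api.scope.com:8443
api.scope.com.
https://www.scope.com/?next=https://evil.example
'

# Deduplicated hosts from the sample; drop-in for `... | awk -F[/:] '{print $4}' | anew`.
sample_hosts() {
    printf '%s' "$SAMPLE_URLS" | url_host | sort -u
}

sample_hosts
```

Pipe any of the commands above through `url_host` instead of the awk field split; the seven sample lines collapse to five hosts (api, app, internal, static, www).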

### Extract IPs from a list of subdomains

```
for scope in $(cat subdomains.txt);do dig +short $scope | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | anew | tee -a ips.txt;done
```

### Extract parameters from a list of subdomains

```
for scope in $(cat subdomains.txt);do paramspider -d $scope;done;cat output/* > parameters.txt;rm -r output

cat domains.txt | waybackurls | sed -e 's/:80//' | grep "?[a-z0-9]*="
```

### Extract parameters from a list of subdomains (manually)

```
for scope in $(cat domains.txt);do curl "https://web.archive.org/cdx/search/cdx?url=*.$scope/*&output=text&fl=original&collapse=urlkey" | grep "?[a-z0-9]*=" | sed -e 's/:80//' | tee -a parameters.txt;done
```

### Scan ports on a host quickly

```
SCOPE=192.168.0.0/24;RPORT=22,80,443;rustscan -b 500 -a $SCOPE -p $RPORT | grep "^Open " | tee -a ports_scanned.txt
```

rustscan reports results as `Open 192.168.0.5:22`, one host:port per line, so a grep for the CIDR string (`Open 192.168.0.0/24...`) never matches; match on the `Open ` prefix instead.

### Extract JS files with GetJS

```
cat subdomains.txt | getJS --complete | anew | tee -a js.txt
```

### Extract JS files

```
for scope in $(cat subdomains.txt);do curl "https://web.archive.org/cdx/search/cdx?url=$scope/*&output=text&fl=original&collapse=urlkey" | grep -E '\.js(\?|$)' | sed -E 's#^(http://[^/:]+):80(/|$)#\1\2#' | tee -a js.txt;done
```

### Extract json files

```
cat domains.txt | waybackurls | grep "\\.json" | anew | tee -a json.txt
```
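The Wayback CDX and waybackurls pipelines above (parameters, JS files, JSON files) share two filters worth tightening: `sed 's/:80//'` also turns http://host:8080/ into http://host80/, and a bare `grep "\.js"` also matches .json, .jsp and .js.map. The following is an added example, not from this repo, of the same filters written to avoid that, run over constructed CDX `fl=original` lines; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bugbountytricks repo): filters for Wayback CDX
# `fl=original` output. The sample lines below are constructed.

cdx_sample() {
    cat <<'EOF'
http://www.scope.com:80/
http://www.scope.com:80/index.php?page=home
https://www.scope.com/search?q=test&lang=en
https://www.scope.com:8080/admin/
https://static.scope.com/js/app.js
https://static.scope.com/js/app.js?v=3
https://api.scope.com/v1/users.json
https://api.scope.com/config.jsonp?cb=x
https://www.scope.com/docs/vendor.js.map
https://www.scope.com/blog/json-tips.html
EOF
}

# Remove :80 directly after an http host and :443 directly after an https host,
# nothing else (so :8080 survives, unlike with `sed 's/:80//'`).
cdx_strip_port() {
    sed -E \
        -e 's#^(http://[^/:]+):80(/|$)#\1\2#' \
        -e 's#^(https://[^/:]+):443(/|$)#\1\2#'
}

# URLs whose query string starts with a name=value pair (the repo's
# "?[a-z0-9]*=" also accepts an empty name and misses upper-case names).
only_params() { grep -E '\?[A-Za-z0-9_]+='; }

# The extension must be followed by a query string or end of line, so
# .json/.jsp/.js.map do not count as scripts and .jsonp does not count as JSON.
only_js()   { grep -E '\.js(\?|$)'; }
only_json() { grep -E '\.json(\?|$)'; }

# Same file regardless of cache-buster: drop the query string and deduplicate.
unique_paths() { sed 's/?.*$//' | sort -u; }

echo "# parameters"; cdx_sample | cdx_strip_port | only_params
echo "# js";         cdx_sample | cdx_strip_port | only_js | unique_paths
echo "# json";       cdx_sample | cdx_strip_port | only_json
```

On the sample this yields four parameterised URLs, a single script (app.js, its ?v=3 variant folded in) and one JSON file; vendor.js.map, config.jsonp and json-tips.html are all excluded.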

### Extract subdomains and capture the screen

```
assetfinder -subs-only scope.com | httpx -silent -o verified_subdomains.txt;cat verified_subdomains.txt | awk -F[/:] '{print $4}' | anew > subdomains.txt;rm verified_subdomains.txt;eyewitness -f subdomains.txt --prepend-https -d screenshots
```

### Extract subdomains and comments in source code

```
assetfinder -subs-only scope.com | httpx -silent | html-tool comments
```

### Extract subdomains by ASN

```
echo AS394161 | asnmap -silent | tlsx -silent -san -cn -resp-only | sort -u
```

### Extract subdomains and open redirect parameters

```
assetfinder -subs-only scope.com | waybackurls | gf redirect | xargs -I@ sh -c 'oralyzer -u @'
```

### Extract all subdomains with CMS WordPress

```
echo scope.com | assetfinder -subs-only | waybackurls | grep 'wp-content' | httpx -silent | awk -F[/:] '{print $4}' | anew
```

### Verify SQL Injection

```
cat domains.txt | waybackurls | grep "?[a-z0-9]*=" | sed -e 's/:80//' | gf sqli | anew sqli_targets.txt;sqlmap -m sqli_targets.txt --risk 3 --batch --dbs
```

sqlmap does not read targets from stdin, so the candidates are written to a file and passed with `-m`. Be aware that `--risk 3` enables OR-based boolean payloads; if the injection point sits in an UPDATE or DELETE statement those can rewrite or delete every row of the table. On a live bug bounty target start with the default `--risk 1` and raise it only with the program's permission.

### Easy Open Redirect by endpoint injection

```
for x in $(cat domains.txt | assetfinder -subs-only | httpx -silent);do echo "$x///%2F.." | httpx -silent -follow-redirects;done
```

httpx prints only the URL it probed; to see where each host actually sends you, run the same loop with `-location` in place of `-follow-redirects`, which prints the Location header next to the URL.

### Automatic Open Redirect

```
# replace attacker.example with a host you control; httpx -location prints each Location header next to the URL
cat domains.txt | waybackurls | gf redirect | qsreplace "https://attacker.example" | httpx -silent -location
```
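Both open-redirect commands above only show that a redirect came back; whether the Location actually leaves the target is what you still have to check. As an added example, not part of this repo, the function below classifies a Location value against the target host, including the protocol-relative (//host, /\host), userinfo (https://scope.com@attacker.example) and suffix (scope.com.attacker.example) forms that a naive "does it contain scope.com" check accepts. The function names, hosts and headers are constructed.

```shell
#!/bin/sh
# Added example (not from the bugbountytricks repo): decide whether a Location
# header sends the browser off the target. Hosts and headers are made up.

# stdin: one URL; stdout: its lowercase hostname (scheme, userinfo, path, port removed).
host_of() {
    sed -E \
        -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
        -e 's|^[^/?#@]*@||' \
        -e 's|[/?#].*$||' \
        -e 's|:[0-9]+$||' |
    tr '[:upper:]' '[:lower:]'
}

# redirect_verdict TARGET_HOST LOCATION -> none | relative | internal | external
redirect_verdict() (
    target=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    loc=$2
    if [ -z "$loc" ]; then
        echo none; exit 0
    fi
    if printf '%s\n' "$loc" | grep -Eq '^[/\\]{2}'; then
        # protocol-relative: //evil, \\evil and /\evil all become https://evil in browsers
        host=$(printf '%s\n' "$loc" | sed -E 's|^[/\\]+||' | host_of)
    elif printf '%s\n' "$loc" | grep -Eq '^[A-Za-z][A-Za-z0-9+.-]*://'; then
        # absolute URL
        host=$(printf '%s\n' "$loc" | host_of)
    else
        echo relative; exit 0
    fi
    # only the exact host or a subdomain of it counts as staying on target
    case "$host" in
        "$target"|*".$target") echo internal ;;
        *)                     echo external ;;
    esac
)

# Constructed probe results, "URL Location" per line, as a redirect probe might log them.
PROBES='https://www.scope.com/login?next=//attacker.example //attacker.example
https://www.scope.com/r?url=https://attacker.example https://scope.com@attacker.example/
https://www.scope.com/go?to=/account /account
https://www.scope.com/ https://login.scope.com/'

# Print only the probes whose Location left scope.com.
external_redirects() {
    printf '%s\n' "$PROBES" | while read -r url loc; do
        if [ "$(redirect_verdict scope.com "$loc")" = external ]; then
            printf '%s -> %s\n' "$url" "$loc"
        fi
    done
}

external_redirects
```

Feed it the URL and Location columns from `httpx -location` output: of the four constructed probes, only the //attacker.example and the scope.com@attacker.example ones are reported.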

### Automatic SSRF

```
# qsreplace with no argument blanks every value; replace callback.example with your interactsh / Burp Collaborator host and watch it for DNS and HTTP hits
cat domains.txt | waybackurls | gf ssrf | qsreplace "http://callback.example/" | httpx -silent -follow-redirects
```
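qsreplace puts the same value into every parameter of every URL, so a single hit on the callback host does not tell you which request caused it. The script below is an added example, not part of this repo: it replaces each query value with a callback URL that carries the input line number as a subdomain (u7.cb.example) and emits an id/original/mutated manifest, so a DNS or HTTP hit on u7 maps back to exactly one URL. cb.example stands in for an interactsh or Burp Collaborator host; the function name and the sample URLs are constructed.

```shell
#!/bin/sh
# Added example (not from the bugbountytricks repo): qsreplace-style value
# substitution with a per-URL marker for blind SSRF correlation. URLs are made up.

# mark_urls CALLBACK_HOST
# stdin: URLs; stdout: "<id>\t<original>\t<mutated>", where every query value
# becomes http://u<id>.CALLBACK_HOST/ and <id> is the input line number.
# Values are not URL-encoded (qsreplace does not encode either).
mark_urls() {
    awk -v cb="$1" '
    {
        q = index($0, "?")
        if (q == 0) next                       # no query string: nothing to inject into
        base = substr($0, 1, q - 1)
        n = split(substr($0, q + 1), pairs, "&")
        out = ""
        for (i = 1; i <= n; i++) {
            eq = index(pairs[i], "=")
            name = eq ? substr(pairs[i], 1, eq - 1) : pairs[i]
            out = out (i > 1 ? "&" : "") name "=http://u" NR "." cb "/"
        }
        printf "%d\t%s\t%s?%s\n", NR, $0, base, out
    }'
}

# Constructed candidate list, as `gf ssrf` might leave it.
SAMPLE='https://app.scope.com/fetch?url=http://x&ref=1
https://app.scope.com/static/logo.png
https://img.scope.com/proxy?src=https://cdn.scope.com/a.png'

marked() { printf '%s\n' "$SAMPLE" | mark_urls cb.example; }

marked
```

In use: `cat candidates.txt | mark_urls cb.example > manifest.tsv; cut -f3 manifest.tsv | httpx -silent`, then on a callback for u7.cb.example run `awk -F'\t' '$1 == 7' manifest.tsv` to get the URL that fired. The static logo URL has no query string and is dropped, so the ids are line numbers of the input, not of the output.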

### Verify Cross-Site Scripting (XSS)

```
cat parameters.txt | gf xss > xss_parameters.txt;dalfox file xss_parameters.txt --skip-bav -o dalfox.txt
```

# Google Dorks:

### Confidential files

```
site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"phone" intext:"address"
site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"<@domain.com>" intext:"phone" intext:"address"
site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"phone" intext:"city" intext:"state" intext:"zipcode"
site:groups.google.com ""
```

### Files containing credentials

```
site:*.scope.com ext:sql
site:*.scope.com ext:env
site:*.scope.com ext:txt
site:*.scope.com ext:sql intext:"Dumping data for table `users`" | `password` | `name`
site:*.scope.com ext:txt intext:"<@domain.com>" intext:email intext:password
```

### Open Redirect

```
site:*.scope.com inurl:?RedirectUrl=
site:*.scope.com inurl:?page=
site:*.scope.com inurl:?url=
site:*.scope.com inurl:?uri=
site:*.scope.com inurl:?u=
site:*.scope.com inurl:?return=
site:*.scope.com inurl:?redirectBack=
site:*.scope.com inurl:?redir=
site:*.scope.com inurl:?returnurl=
site:*.scope.com inurl:?return_url=
site:*.scope.com inurl:?link=
site:*.scope.com inurl:?location=
site:*.scope.com inurl:?referrer=
site:*.scope.com inurl:?back=
site:*.scope.com inurl:?home=
site:*.scope.com inurl:?return_to=
site:*.scope.com inurl:?startUrl=
```

### Local File Inclusion (LFI) & Remote File Inclusion (RFI)

```
site:*.scope.com inurl:?file=
site:*.scope.com inurl:download.php?file=
site:*.scope.com inurl:cat.php?file=
site:*.scope.com inurl:?cat=
site:*.scope.com inurl:read.php?file=
site:*.scope.com inurl:index.php?include=
site:*.scope.com inurl:index.php?file=
site:*.scope.com inurl:index.php?inc=
site:*.scope.com inurl:index.php?open=
site:*.scope.com inurl:index.php?content=
site:*.scope.com inurl:index.php?configFile=
site:*.scope.com inurl:index.php?page=
site:*.scope.com inurl:index.php?template=
site:*.scope.com inurl:index.php?archive=
```

### Sites with CMS WordPress

```
site:*.scope.com inurl:wp-content
site:*.scope.com inurl:wp-content/uploads//
site:*.scope.com inurl:wp-includes
site:*.scope.com intitle:"Author at"
site:*.scope.com intitle:WordPress intitle:ReadMe ext:html
```