├── out └── shrug.txt ├── test.txt ├── .gitignore ├── tests.sh ├── findbuckets.sh ├── ISSUE_TEMPLATE.md ├── findstrings.sh ├── lists ├── crlfinjection ├── openredirects └── configfiles ├── Dockerfile ├── findtakeovers.sh ├── LICENSE ├── cors.sh ├── fetch.php ├── README.md └── megplus.sh /out/shrug.txt: -------------------------------------------------------------------------------- 1 | ¯\_(ツ)_/¯ 2 | -------------------------------------------------------------------------------- /test.txt: -------------------------------------------------------------------------------- 1 | http://test.com/ -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | domains 2 | domains-plus 3 | domains-sub 4 | output 5 | -------------------------------------------------------------------------------- /tests.sh: -------------------------------------------------------------------------------- 1 | ./megplus.sh 2 | echo "reddit.com" > domains 3 | ./megplus.sh domains 4 | ./megplus.sh -s reddit.com 5 | -------------------------------------------------------------------------------- /findbuckets.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | grep --color -Pri \ 4 | '(/|2F)?\K([\w\.\-_]+)\.(amazonaws\.com|digitaloceanspaces\.com|blob\.core\.windows\.net)(/|%2F)?([\w\.\-_]+)?' 
out/ 5 | -------------------------------------------------------------------------------- /ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 4 | 5 | ## Specifications 6 | 7 | - Operating system and version: 8 | 9 | ## Issue details 10 | -------------------------------------------------------------------------------- /findstrings.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | searches=( 3 | '\-----BEGIN PRIVATE KEY-----' 4 | '\-----BEGIN RSA PRIVATE KEY-----' 5 | '$1$' 6 | 'md5' 7 | '$5$' 8 | '$6$' 9 | '$2a$' 10 | '$2x$' 11 | '$2y$' 12 | '$2b$' 13 | 'secret' 14 | 'api_key' 15 | 'api-key' 16 | 'api_secret_key' 17 | 'api-secret-key' 18 | 'secret_key' 19 | 'secret-key' 20 | 'private_key' 21 | 'private-key' 22 | ) 23 | 24 | for str in "${searches[@]}"; do 25 | grep --color -Hnri "$str" out/ 26 | done -------------------------------------------------------------------------------- /lists/crlfinjection: -------------------------------------------------------------------------------- 1 | /%%0a0aSet-Cookie:crlf=injection 2 | /%0aSet-Cookie:crlf=injection 3 | /%0d%0aSet-Cookie:crlf=injection 4 | /%0dSet-Cookie:crlf=injection 5 | /%23%0aSet-Cookie:crlf=injection 6 | /%23%0d%0aSet-Cookie:crlf=injection 7 | /%23%0dSet-Cookie:crlf=injection 8 | /%25%30%61Set-Cookie:crlf=injection 9 | /%25%30aSet-Cookie:crlf=injection 10 | /%250aSet-Cookie:crlf=injection 11 | /%25250aSet-Cookie:crlf=injection 12 | /%2e%2e%2f%0d%0aSet-Cookie:crlf=injection 13 | /%2f%2e%2e%0d%0aSet-Cookie:crlf=injection 14 | /%2F..%0d%0aSet-Cookie:crlf=injection 15 | /%3f%0d%0aSet-Cookie:crlf=injection 16 | /%3f%0dSet-Cookie:crlf=injection 17 | /%u000aSet-Cookie:crlf=injection 18 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | LABEL maintainer="Anshuman 
Bhartiya" 3 | 4 | RUN apt-get update 5 | 6 | RUN apt-get install -y libldns-dev git build-essential wget libglib2.0-dev php7.0 7 | 8 | RUN wget https://storage.googleapis.com/golang/go1.9.2.linux-amd64.tar.gz && \ 9 | tar xvf go1.9.2.linux-amd64.tar.gz && \ 10 | mv go /usr/local 11 | 12 | ENV GOPATH "/root/work" 13 | ENV PATH "$PATH:/usr/local/go/bin:$GOPATH/bin" 14 | ENV GOBIN "$GOPATH/bin/" 15 | 16 | RUN go get github.com/tomnomnom/meg && go get github.com/tomnomnom/waybackurls 17 | 18 | RUN git clone https://github.com/EdOverflow/megplus.git 19 | 20 | WORKDIR /megplus 21 | 22 | ENTRYPOINT ["./megplus.sh"] 23 | -------------------------------------------------------------------------------- /findtakeovers.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Created by TomNomNom 3 | searches=( 4 | "There is no app configured at that hostname" 5 | "NoSuchBucket" 6 | "No Such Account" 7 | "You're Almost There" 8 | "a GitHub Pages site here" 9 | "this shop is currently unavailable" 10 | "There's nothing here" 11 | "The site you were looking for couldn't be found" 12 | "The request could not be satisfied" 13 | "project not found" 14 | "Your CNAME settings" 15 | "The resource that you are attempting to access does not exist or you don't have the necessary permissions to view it." 16 | "Domain mapping upgrade for this domain not found" 17 | "The feed has not been found" 18 | "This UserVoice subdomain is currently available!" 
19 | ) 20 | 21 | for str in "${searches[@]}"; do 22 | grep --color -Hnri "$str" out/ 23 | done 24 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 EdOverflow and Tom Hudson 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
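--------------------------------------------------------------------------------
/cors.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# cors.sh -- probe every URL in a file for permissive CORS behaviour.
#
# Usage: ./cors.sh <urls-file>
#
# For each URL one request is sent per forged Origin value (a foreign site,
# the literal "null", a sub-domain of a foreign site built from the target
# host, and a foreign host that merely starts with the target host).  A URL
# is listed when the response reflects the forged Origin in
# Access-Control-Allow-Origin, and listed again when that same response also
# carries Access-Control-Allow-Credentials: true.  Findings are printed as a
# summary at the end; nothing is written to disk.

set -u

urlsfile=${1:-}

YELLOW='\033[0;33m'
END='\033[0m'

CORS=()
CREDS=()

if [[ -z "$urlsfile" ]]; then
  echo "Usage: $0 <urls-file>"
  exit 1
fi
if [[ ! -r "$urlsfile" ]]; then
  printf 'Cannot read %s\n' "$urlsfile" >&2
  exit 1
fi

#######################################
# Fetch one URL with a forged Origin header.
# Arguments: $1 - url, $2 - origin value
# Outputs:   curl's verbose transcript (request and response headers) on stdout
# Returns:   curl's exit status; an empty transcript is treated as "no CORS"
#######################################
fetch_headers() {
  local url=$1
  local origin=$2
  curl -vs --max-time 9 -H "Origin: $origin" "$url" 2>&1
}

#######################################
# True when the transcript reflects the forged origin in
# Access-Control-Allow-Origin.  -F because the origin is data, not a regex:
# the "." in "evil.com" must not act as a wildcard.
# Arguments: $1 - transcript, $2 - origin value
#######################################
reflects_origin() {
  local transcript=$1
  local origin=$2
  grep -qiF "< Access-Control-Allow-Origin: $origin" <<<"$transcript"
}

#######################################
# True when the transcript carries Access-Control-Allow-Credentials: true.
# Arguments: $1 - transcript
#######################################
allows_credentials() {
  local transcript=$1
  grep -qiF "< Access-Control-Allow-Credentials: true" <<<"$transcript"
}

while IFS= read -r url || [[ -n "$url" ]]; do
  [[ -n "$url" ]] || continue   # blank line in the input file

  # Host part of the URL; it seeds the two target-derived origins below.
  domain=$(sed -E 's#https?://([^/]*)/?.*#\1#' <<<"$url")

  for origin in "https://evil.com" "null" "https://$domain.evil.com" "https://${domain}evil.com"; do
    # One request per origin: both header checks run against the same
    # transcript instead of fetching the URL twice.
    transcript=$(fetch_headers "$url" "$origin")
    if reflects_origin "$transcript" "$origin"; then
      CORS+=("$url might be vulnerable with origin '$origin'")
      if allows_credentials "$transcript"; then
        CREDS+=("$url with origin '$origin' has Allow-Credentials: true")
      fi
    fi
    sleep 2   # pace the probes: one forged-origin request every two seconds
  done
done < "$urlsfile"

if (( ${#CORS[@]} > 0 )); then
  printf '%b[i]%b Potentially vulnerable targets:\n' "$YELLOW" "$END"
  printf '%s\n' "${CORS[@]}"
fi
if (( ${#CREDS[@]} > 0 )); then
  printf "%b[i]%b Has 'Allow-Credentials: true':\n" "$YELLOW" "$END"
  printf '%s\n' "${CREDS[@]}"
fi
--------------------------------------------------------------------------------
/lists/openredirects:
--------------------------------------------------------------------------------
/%09/example.com
/%2f%2fexample.com
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%5cexample.com
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
/.example.com
//%09/example.com
//%5cexample.com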
9 | ///%09/example.com 10 | ///%5cexample.com 11 | ////%09/example.com 12 | ////%5cexample.com 13 | /////example.com 14 | /////example.com/ 15 | ////\;@example.com 16 | ////example.com/ 17 | ////example.com/%2e%2e 18 | ////example.com/%2e%2e%2f 19 | ////example.com/%2f%2e%2e 20 | ////example.com/%2f.. 21 | ////example.com// 22 | ///\;@example.com 23 | ///example.com 24 | ///example.com/ 25 | ///example.com/%2e%2e 26 | ///example.com/%2e%2e%2f 27 | ///example.com/%2f%2e%2e 28 | ///example.com/%2f.. 29 | ///example.com// 30 | //example.com 31 | //example.com/ 32 | //example.com/%2e%2e 33 | //example.com/%2e%2e%2f 34 | //example.com/%2f%2e%2e 35 | //example.com/%2f.. 36 | //example.com// 37 | //google%00.com 38 | //google%E3%80%82com 39 | //https:///example.com/%2e%2e 40 | //https://example.com/%2e%2e%2f 41 | //https://example.com// 42 | /<>//example.com 43 | /?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com 44 | /?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com 45 | /?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com 46 | /\/\/example.com/ 47 | /\/example.com/ 48 | /example.com/%2f%2e%2e 49 | /http://%67%6f%6f%67%6c%65%2e%63%6f%6d 50 | /http://example.com 51 | /http:/example.com 52 | /https:/%5cexample.com/ 53 | /https://%09/example.com 54 | /https://%5cexample.com 55 | /https:///example.com/%2e%2e 56 | /https:///example.com/%2f%2e%2e 57 | /https://example.com 58 | /https://example.com/ 59 | /https://example.com/%2e%2e 60 | /https://example.com/%2e%2e%2f 61 | /https://example.com/%2f%2e%2e 62 | /https://example.com/%2f.. 
63 | /https://example.com// 64 | /https:example.com 65 | /redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com 66 | /redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com 67 | /redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com 68 | -------------------------------------------------------------------------------- /fetch.php: -------------------------------------------------------------------------------- 1 | // Created by TomNomNom 2 | sprintf($query, $cursor), 44 | 'variables' => (object) [] 45 | ]); 46 | }; 47 | 48 | 49 | $cursor = ""; 50 | do { 51 | $params = [ 52 | 'http' => [ 53 | 'method' => 'POST', 54 | 'header' => "Content-Type: application/json\r\n". 55 | "Origin: https://hackerone.com\r\n". 56 | "Referer: https://hackerone.com/programs\r\n". 57 | "X-Auth-Token: {$authtoken}", 58 | 'content' => $gen($cursor) 59 | ] 60 | ]; 61 | $context = stream_context_create($params); 62 | $fp = fopen($url, 'rb', false, $context); 63 | $result = $fp ? 
stream_get_contents($fp) : null; 64 | $result = json_decode($result); 65 | if (!$result) die('response error'); 66 | 67 | $hasNextPage = $result->data->query->teams->pageInfo->hasNextPage; 68 | 69 | foreach ($result->data->query->teams->edges as $edge){ 70 | $cursor = $edge->cursor; 71 | foreach ($edge->node->structured_scopes->edges as $scope){ 72 | $scope = $scope->node; 73 | if (!$scope->eligible_for_submission){ 74 | continue; 75 | } 76 | if (strToLower($scope->asset_type) != "url"){ 77 | continue; 78 | } 79 | 80 | echo $scope->asset_identifier.PHP_EOL; 81 | } 82 | } 83 | 84 | } while($hasNextPage); 85 | 86 | -------------------------------------------------------------------------------- /lists/configfiles: -------------------------------------------------------------------------------- 1 | /.AppleDB 2 | /.aws.yml 3 | /.aws/credentials 4 | /.babelrc 5 | /.bash_history 6 | /.bash_profile 7 | /.bashrc 8 | /.bzr/repository/format 9 | /.cvsignore 10 | /.dockerignore 11 | /.DS_Store 12 | /.editorconfig 13 | /.git/config 14 | /.git/HEAD 15 | /.gitconfig 16 | /.gitignore 17 | /.hg 18 | /.hg/branch 19 | /.hgignore 20 | /.htaccess 21 | /.htpasswd 22 | /.jestrc 23 | /.keys.yml 24 | /.muttrc 25 | /.mysql_history 26 | /.netrc 27 | /.npmignore 28 | /.npmrc 29 | /.pgpass 30 | /.profile 31 | /.psql_history 32 | /.s3.yml 33 | /.sh_history 34 | /.ssh/authorized_keys 35 | /.ssh/id_dsa 36 | /.ssh/id_dsa.pub 37 | /.ssh/id_rsa 38 | /.ssh/id_rsa.pub 39 | /.ssh/known_hosts 40 | /.svn/all-wcprops 41 | /.svn/entries 42 | /.svn/format 43 | /.svn/wc.db 44 | /.svnignore 45 | /.swp 46 | /.travis.composer.config.json 47 | /.travis.yml 48 | /.zsh_history 49 | /.zsh_profile 50 | /.zshrc 51 | /_admin/operations.aspx 52 | /_vti_bin/admin.asmx 53 | /aws.yml 54 | /backup.asp 55 | /backup.aspx 56 | /backup.html 57 | /backup.jsp 58 | /backup.php 59 | /backup.txt 60 | /backup/ 61 | /bower.json 62 | /build.xml 63 | /cgi-bin/printenv.pl 64 | /cgi-bin/status.pl 65 | /cgi-bin/test-cgi.pl 66 | 
/circle.yml 67 | /composer.json 68 | /composer.lock 69 | /config.gypi 70 | /config.json 71 | /CVS/Entries 72 | /CVS/Root 73 | /debug.asp 74 | /debug.aspx 75 | /debug.html 76 | /debug.jsp 77 | /debug.php 78 | /debug.txt 79 | /debug/ 80 | /Dockerfile 81 | /examples/jsp/error/error.html 82 | /examples/jsp/num/numguess.jsp 83 | /examples/servlet/HelloWorldExample 84 | /Gemfile 85 | /Gemfile.lock 86 | /gruntfile.coffee 87 | /Gruntfile.coffee 88 | /gruntfile.js 89 | /Gruntfile.js 90 | /Gulpfile 91 | /Gulpfile.js 92 | /gulpfile.js 93 | /index.asp 94 | /index.aspx 95 | /index.jsp 96 | /index.php 97 | /index.txt 98 | /info.asp 99 | /info.aspx 100 | /info.html 101 | /info.jsp 102 | /info.php 103 | /info.txt 104 | /info/ 105 | /invoker/EJBInvokerServlet 106 | /invoker/JMXInvokerServlet 107 | /Jenkinsfile 108 | /jmx-console/HtmlAdaptor 109 | /keys.yml 110 | /license 111 | /LICENSE 112 | /license.md 113 | /LICENSE.md 114 | /LICENSE.txt 115 | /license.txt 116 | /Makefile 117 | /mkdocs.yml 118 | /nginx_status 119 | /npm-debug.log 120 | /npm-shrinkwrap.json 121 | /package.json 122 | /pagespeed_admin 123 | /php.php 124 | /phpinfo.php 125 | /phptest.php 126 | /phpunit.xml 127 | /readme 128 | /README 129 | /readme.html 130 | /README.html 131 | /readme.md 132 | /README.md 133 | /readme.mkd 134 | /README.mkd 135 | /README.txt 136 | /readme.txt 137 | /robots.txt 138 | /s3.yml 139 | /server-info 140 | /server-status 141 | /serverinfo 142 | /tags 143 | /test.asp 144 | /test.aspx 145 | /test.html 146 | /test.jsp 147 | /test.php 148 | /test.txt 149 | /test/ 150 | /Thumbs.db 151 | /tmp.asp 152 | /tmp.aspx 153 | /tmp.html 154 | /tmp.jsp 155 | /tmp.php 156 | /tmp.txt 157 | /tmp/ 158 | /tomcat-docs/appdev/sample/web/hello.jsp 159 | /travis.yml 160 | /tsconfig.json 161 | /web-console/AOPBinding.jsp 162 | /web-console/applet.jsp 163 | /web-console/Invoker 164 | /web-console/listMonitors.jsp 165 | /web-console/ServerInfo.jsp 166 | /web-console/status 167 | /web-console/SysProperties.jsp 168 | 
/web-console/WebModule.jsp 169 | /WEB-INF/web.xml 170 | /web.config 171 | /web.xml 172 | /webpack.config.js 173 | /wp-config.php 174 | /yarn-debug.log 175 | /yarn-error.log 176 | /yarn.lock 177 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # meg+ 2 | 3 | Automated reconnaissance wrapper — [TomNomNom's](https://github.com/TomNomNom) [meg](https://github.com/tomnomnom/meg) on steroids. 4 | 5 | ![](https://user-images.githubusercontent.com/18099289/35483349-202e7f30-0441-11e8-9f2c-07d27c142839.gif) 6 | 7 | Built by [TomNomNom](https://github.com/TomNomNom) and [EdOverflow](https://github.com/EdOverflow). 8 | 9 | ## About 10 | 11 | This wrapper will automate numerous tasks and help you during your reconnaissance process. The script finds common issues, low hanging fruit, and assists you when approaching a target. meg+ also allows you to scan **all** your in-scope targets on HackerOne in one go — it simply retrieves them using a GraphQL query. 12 | 13 | Watch TomNomNom's talk to learn more about his reconnaissance methodology: 14 | 15 | [![](https://i.ytimg.com/vi/DvS_ew77GXA/maxresdefault.jpg)](https://www.youtube.com/watch?v=DvS_ew77GXA) 16 | 17 | ## Installation 18 | 19 | You will need [Golang](https://golang.org/doc/), Python 2 or 3, and [PHP 7.0](https://user-images.githubusercontent.com/18099289/35768719-daaaf30c-0900-11e8-92ab-bdc2498c80bf.png) to use all the features provided by this tool. On top of that, make sure to install [meg](https://github.com/tomnomnom/meg), [waybackurls](https://github.com/tomnomnom/waybackurls), [Sublist3r](https://github.com/aboul3la/Sublist3r), and [gio](http://manpages.ubuntu.com/manpages/artful/man1/gio.1.html). 
20 | 21 | ``` 22 | git clone https://github.com/EdOverflow/megplus.git 23 | cd megplus 24 | go get github.com/tomnomnom/meg 25 | go get github.com/tomnomnom/waybackurls 26 | git clone https://github.com/aboul3la/Sublist3r.git 27 | # See https://github.com/aboul3la/Sublist3r#dependencies 28 | ``` 29 | 30 | ⚠ If you do not want to use `gio` or do not have `gio` on your machine, just comment out **all** the lines that have `gio` in them! Make sure to also remove the error message located here: https://github.com/EdOverflow/megplus/blob/master/megplus.sh#L65-L68. 31 | 32 | ## Usage 33 | 34 | You can either scan a list of hosts or use your HackerOne `X-Auth-Token` token to scan all the bug bounty programs that you participate in. 35 | 36 | ``` 37 | $ ./megplus.sh 38 | 1) Usage - target list of domains: ./megplus.sh 39 | 2) Usage - target all HackerOne programs: ./megplus.sh -x

40 | 3) Usage - run sublist3r first: ./megplus.sh -s <host> 41 | 42 | 1) Example: ./megplus.sh domains 43 | 2) Example: ./megplus.sh -x XXXXXXXXXXXXXXXX 44 | 3) Example: ./megplus.sh -s example.com 45 | ``` 46 | 47 | ## Usage - Docker 🐋 48 | 49 | If you don't feel like installing all the dependencies mentioned above, you can simply run the `abhartiya/tools_megplus` Docker container, where `test.txt` is a sample file containing the URLs to test against. In your case, this will be the file containing the URLs you want to test: 50 | 51 | `docker run -v $(pwd):/megplus abhartiya/tools_megplus test.txt` 52 | 53 | The command will run the `abhartiya/tools_megplus` Docker image as a container and mount the `pwd` onto the container as a volume (at `/megplus`), which makes the `test.txt` file available to the container. Once megplus finishes running, the `out` directory will be created in `pwd` with all the results. 54 | 55 | 56 | ## Scanner 57 | 58 | meg+ will scan for the following things: 59 | 60 | - Subdomains using Sublist3r; 61 | - Configuration files; 62 | - Interesting strings; 63 | - Open redirects; 64 | - CRLF injection; 65 | - CORS misconfigurations; 66 | - Path-based XSS; 67 | - (Sub)domain takeovers. 68 | 69 | ## Contributing 70 | 71 | I welcome contributions from the public. 72 | 73 | ### Using the issue tracker 💡 74 | 75 | The issue tracker is the preferred channel for bug reports and feature requests. 76 | 77 | ### Issues and labels 🏷 78 | 79 | The bug tracker utilizes several labels to help organize and identify issues. 80 | 81 | ### Guidelines for bug reports 🐛 82 | 83 | Use the GitHub issue search — check if the issue has already been reported. 84 | 85 | ## ⚠ Legal Disclaimer 86 | 87 | This project is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for any misuse or damage caused by this tool. 
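--------------------------------------------------------------------------------
/megplus.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# meg+ -- automated reconnaissance wrapper around TomNomNom's meg.
#
# Usage:
#   ./megplus.sh <domains-file>             scan the hosts listed in the file
#   ./megplus.sh -x <hackerone-auth-token>  scan every in-scope HackerOne asset
#   ./megplus.sh -s <host>                  run Sublist3r against <host> first
#
# Required tools: meg and waybackurls (always), php + fetch.php (-x),
# python + Sublist3r and host (-s).  gio is optional: when present the
# scratch files are moved to the trash, otherwise they are deleted.
# meg writes every response into ./out, which the greps below read.  Note
# that ./out is never cleared, so results of earlier runs are grepped too.
#
# Environment:
#   SUBLIST3R  path to sublist3r.py (default: Sublist3r/sublist3r.py)
#   MEG_DELAY  value handed to meg --delay (default: 100)

set -u
set -o pipefail

GREEN='\033[0;32m'
YELLOW='\033[0;33m'
RED='\033[0;31m'
CYAN='\033[0;36m'
END='\033[0m'

SUBLIST3R=${SUBLIST3R:-Sublist3r/sublist3r.py}
MEG_DELAY=${MEG_DELAY:-100}

#######################################
# Progress / info / fatal-error lines.  The colour codes are constants; the
# message is always passed through %s so user input never becomes a format.
#######################################
step() { printf '%b[+]%b %s\n' "$GREEN" "$END" "$*"; }
info() { printf '%b[i]%b %s\n' "$YELLOW" "$END" "$*"; }
die()  { printf '%b[!]%b %s\n' "$RED" "$END" "$*" >&2; exit 1; }

usage() {
  echo "1) Usage - target list of domains: ./megplus.sh <domains-file>"
  echo "2) Usage - target all HackerOne programs: ./megplus.sh -x <hackerone-auth-token>"
  echo "3) Usage - run Sublist3r first against host: ./megplus.sh -s <host>"
  echo
  echo "1) Example: ./megplus.sh domains"
  echo "2) Example: ./megplus.sh -x XXXXXXXXXXXXXXXX"
  echo "3) Example: ./megplus.sh -s example.com"
}

#######################################
# Turn a raw host/URL list on stdin into one "https://host" per line:
# strip schemes and paths, drop a leading "*." wildcard, split comma
# separated entries, lower-case, drop blanks and de-duplicate.
# sort -u replaces uniq, which only removed *adjacent* repeats.
#######################################
normalize_targets() {
  sed -E 's#https?://##I' \
    | sed -E 's#/.*##' \
    | sed -E 's#^\*\.?##' \
    | sed -E 's#,#\n#g' \
    | tr '[:upper:]' '[:lower:]' \
    | sed -E '/^$/d' \
    | LC_ALL=C sort -u \
    | sed -e 's/^/https:\/\//'
}

#######################################
# Request one path (or paths file) against every target with meg.
# Globals:   targets (read), MEG_DELAY (read)
# Arguments: $1 - path or paths-file handed to meg
# meg's own output is discarded as before, but a non-zero exit is now
# reported instead of silently producing an empty ./out.
#######################################
run_meg() {
  local paths=$1
  local status=0
  meg --delay "$MEG_DELAY" "$paths" "$targets" > /dev/null 2>&1 || status=$?
  if (( status != 0 )); then
    info "meg exited with status $status while requesting $paths; results may be incomplete."
  fi
}

#######################################
# Remove a scratch file: trash it with gio when available, else rm it.
# Arguments: $1 - file name (fixed names chosen by this script, not user input)
#######################################
trash_file() {
  local f=$1
  [[ -e "$f" ]] || return 0
  if command -v gio > /dev/null 2>&1; then
    gio trash "$f"   # gvfs-trash works too
  else
    rm -f -- "$f"
  fi
}

if [[ -z "${1:-}" || "$1" == '-h' || "$1" == '--help' ]]; then
  usage
  exit 1
fi

printf '%b\n' "${CYAN}

88888b.d88b.   .d88b.   .d88b.  888
888 888 88b d8P  Y8b d88P 88b 8888888
888  888  888 88888888 888  888   888
888  888  888 Y8b.     Y88b 888
888  888  888  Y8888   Y88888
                           888
${GREEN}Automate meg${END}   ${CYAN}Y8b d88P${END}
${GREEN}By TomNomNom${END}   ${CYAN}YYY88P${END}
${GREEN}& EdOverflow${END}
"

QUOTES=(
  "Activating 1337 mode!"
  "Target uses Equifax-grade security."
  "ᕕ( ᐛ )ᕗ"
  "ᕕ( ᐕ )ᕗ"
  "三三ᕕ( ᐛ )ᕗ"
  "ᐠ( ᐛ )ᐟ"
  "Never gonna give you up."
  "Bounty pls."
  "Update pls."
  "Sleep is for the weak."
  "Grab a cuppa!"
  "meg+, meg on steroids."
  "I am 100 percent natural."
  "A bug is never just a mistake. It represents something bigger. An error of thinking that makes you who you are."
  "You hack people. I hack time."
  "I hope you don't screw like you type."
  "Hack the planet!"
  "Crypto stands for cryptography."
  "PoC||GTFO"
)

rand=$(( RANDOM % ${#QUOTES[@]} ))
info "${QUOTES[$rand]}"
echo

command -v meg > /dev/null 2>&1 \
  || die "You need to install meg. Follow the installation instructions found here: https://github.com/tomnomnom/meg#install"
command -v gio > /dev/null 2>&1 \
  || info "gio not found: scratch files will be deleted with rm instead of trashed."

if [[ $1 == '-x' && -n "${2:-}" ]]; then
  step "Fetching all in-scope targets."
  # The token travels on php's argv and is therefore visible in process
  # listings while the fetch runs; fetch.php would have to read it from the
  # environment or stdin to avoid that.  No temp file: the fetch output is
  # normalised straight into domains-plus.
  php fetch.php "$2" | normalize_targets > domains-plus \
    || die "Fetching the HackerOne scope failed."
  targets="domains-plus"
elif [[ $1 == '-s' && -n "${2:-}" ]]; then
  step "Running Sublist3r against $2."
  [[ -f "$SUBLIST3R" ]] \
    || die "Sublist3r not found at '$SUBLIST3R' (set SUBLIST3R=/path/to/sublist3r.py)."
  python "$SUBLIST3R" -d "$2" -o domains-sub > /dev/null \
    || die "Sublist3r failed."
  # Keep only the names that currently resolve.  Truncate (not append) so an
  # earlier aborted run cannot leak stale hosts into this one.
  while IFS= read -r domain || [[ -n "$domain" ]]; do
    if host "$domain" > /dev/null 2>&1; then
      printf '%s\n' "$domain"
    fi
  done < domains-sub > output
  normalize_targets < output > domains-plus
  targets="domains-plus"
  echo
else
  [[ -r "$1" ]] || die "Cannot read target list '$1'."
  normalize_targets < "$1" > "$1-plus"
  targets="$1-plus"
fi

[[ -s "$targets" ]] || die "No targets left to scan after normalisation."
mkdir -p out   # meg writes here; every grep below reads it

step "Finding configuration files."
run_meg lists/configfiles
grep -Hnri "200 ok" out/
echo

step "Finding interesting strings."
./findstrings.sh out/
echo

step "Finding AWS/DigitalOcean/Azure buckets."
./findbuckets.sh out/
echo

step "Finding open redirects."
run_meg lists/openredirects
grep --color -HnriE '< location: (https?:)?[/\\]{2,}example.com' out/
echo

step "Finding CRLF injection."
run_meg lists/crlfinjection
# out/ was missing from this grep, so it read stdin instead of the responses.
grep --color -HnriE "< Set-Cookie: ?crlf" out/
echo

step "Finding CORS misconfigurations."
./cors.sh "$targets"
echo

step "Finding path-based XSS."
# Same delay / quiet handling as the other meg runs (previously unthrottled).
run_meg /bounty%3c%22pls
# -E is required: under the default BRE syntax "(" and "|" are literal, so
# the alternation could never match.
grep --color -HriE '(bounty<|"pls)' out/
echo

step "Searching for (sub)domain takeovers."
./findtakeovers.sh
echo

step "Running waybackurls."
waybackurls < "$targets" > out/urls
info "Output in './out/urls' file."
echo

trash_file output
trash_file domains-plus
trash_file domains-sub
info "Done scanning -- all output located in ./out."

cat <<'EOF'
        _,-.            --------------------
 ,-.  ,--' o )      -( Frogs find bugs! )
 \(,' '  ,,-'          --------------------
  ,-.\-.__,\\_
   \('--' '\
EOF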