# 「🐞」Bug Bounty Tricks

Welcome to my repository! Here I collect the tricks I developed throughout my career as a bug hunter; I hope they help you.

# Requirements:

* Anew
* Dalfox
* Eyewitness
* GetJS
* GF
* HTML-Tool
* Httpx
* Paramspider
* Qsreplace
* Rustscan
* SQLMap
* Sublist3r
* Waybackurls

Some of the one-liners below also call assetfinder, asnmap, tlsx, oralyzer, curl and dig, which are not in the list above.
# Unix Terminal:

### Extract subdomains and check if it's active

```
sublist3r -d scope.com -o extracted_subdomains.txt;cat extracted_subdomains.txt | httpx -silent -o verified_subdomains.txt;cat verified_subdomains.txt | awk -F[/:] '{print $4}' | anew > subdomains.txt;rm verified_subdomains.txt extracted_subdomains.txt

# anew FILE appends only lines that are not already in FILE, so re-runs do not add duplicates
cat domains.txt | assetfinder -subs-only | httpx -silent | awk -F[/:] '{print $4}' | anew subdomains.txt
```

### Extract subdomains (manually)

```
# awk -F[/:] '{print $4}' already drops the :port, so no extra sed is needed
for scope in $(cat domains.txt);do curl -s "https://web.archive.org/cdx/search/cdx?url=*.$scope/*&output=text&fl=original&collapse=urlkey" | awk -F[/:] '{print $4}' | anew | httpx -silent | awk -F[/:] '{print $4}' | anew subdomains.txt;done
```

### Extract IPs from a list of subdomains

```
# dig +short also prints CNAME targets; the grep keeps only the IPv4 answers
for scope in $(cat subdomains.txt);do dig +short $scope | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | anew ips.txt;done
```

### Extract parameters from a list of subdomains

```
for scope in $(cat subdomains.txt);do paramspider -d $scope;done;cat output/* > parameters.txt;rm -r output

# grep -i: a case-sensitive "?[a-z0-9]*=" misses parameters such as ?RedirectUrl=
cat domains.txt | waybackurls | sed -e 's/:80//' | grep -i "?[a-z0-9_]*="
```

### Extract parameters from a list of subdomains (manually)

```
for scope in $(cat domains.txt);do curl -s "https://web.archive.org/cdx/search/cdx?url=*.$scope/*&output=text&fl=original&collapse=urlkey" | grep -i "?[a-z0-9_]*=" | sed -e 's/:80//' | anew parameters.txt;done
```

### Scan ports on a host quickly

```
# rustscan prints one "Open <ip>:<port>" line per open port; grepping for "$SCOPE" never matches once SCOPE is a CIDR
SCOPE=192.168.0.0/24;RPORT=22,80,443;rustscan -b 500 -a $SCOPE -p $RPORT | grep "^Open " | tee -a ports_scanned.txt
```

### Extract JS files with GetJS

```
cat subdomains.txt | getJS --complete | anew js.txt
```

### Extract JS files

```
# grep -E '\.js(\?|$)' matches only a .js path; a bare "\.js" would also return .json and .jsp files
for scope in $(cat subdomains.txt);do curl -s "https://web.archive.org/cdx/search/cdx?url=$scope/*&output=text&fl=original&collapse=urlkey" | grep -E '\.js(\?|$)' | sed -e 's/:80//' | anew js.txt;done
```

### Extract json files

```
cat domains.txt | waybackurls | grep -E '\.json(\?|$)' | anew json.txt
```

### Extract subdomains and capture the screen

```
assetfinder -subs-only scope.com | httpx -silent -o verified_subdomains.txt;cat verified_subdomains.txt | awk -F[/:] '{print $4}' | anew > subdomains.txt;rm verified_subdomains.txt;eyewitness -f subdomains.txt --prepend-https -d screenshots
```

### Extract subdomains and comments in source code

```
assetfinder -subs-only scope.com | httpx -silent | html-tool comments
```

### Extract subdomains by ASN

```
echo AS394161 | asnmap -silent | tlsx -silent -san -cn -resp-only | sort -u
```

### Extract subdomains and open redirect parameters

```
# pass the URL straight to oralyzer: wrapping it in sh -c would let a crafted URL from the archive run shell commands on your box
assetfinder -subs-only scope.com | waybackurls | gf redirect | xargs -I@ oralyzer -u @
```

### Extract all subdomains with CMS WordPress

```
echo scope.com | assetfinder -subs-only | waybackurls | grep 'wp-content' | httpx -silent | awk -F[/:] '{print $4}' | anew
```

### Verify SQL Injection

```
# sqlmap does not read targets from stdin: save the candidates and pass the file with -m
# --risk 3 enables OR-based payloads that can modify data; drop it unless the program allows it
cat domains.txt | waybackurls | grep -i "?[a-z0-9_]*=" | sed -e 's/:80//' | gf sqli | anew sqli_urls.txt;sqlmap -m sqli_urls.txt --risk 3 --batch --dbs
```

### Easy Open Redirect by endpoint injection

```
# -location prints the Location header, so you can see where "$x///%2F.." sends the browser
for x in $(cat domains.txt | assetfinder -subs-only | httpx -silent);do echo "$x///%2F.." | httpx -silent -location;done
```

### Automatic Open Redirect

```
# qsreplace needs the value to inject: put a host you control into every parameter and look for it in the Location column
cat domains.txt | waybackurls | gf redirect | qsreplace "https://example.com" | httpx -silent -location
```

### Automatic SSRF

```
# replace YOUR-LISTENER with an out-of-band host you control (interactsh, Burp Collaborator) and watch it for callbacks
cat domains.txt | waybackurls | gf ssrf | qsreplace "http://YOUR-LISTENER" | httpx -silent -follow-redirects
```

### Verify Cross-Site Scripting (XSS)

```
cat parameters.txt | gf xss > xss_parameters.txt;dalfox file xss_parameters.txt --skip-bav -o dalfox.txt
```

# Google Dorks:

### Confidential files

```
site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"phone" intext:"address"
site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"<@domain.com>" intext:"phone" intext:"address"
site:*.scope.com ext:pdf intext:"name" intext:"email" intext:"phone" intext:"city" intext:"state" intext:"zipcode"
site:groups.google.com "scope.com"
```

### Files containing credentials

```
site:*.scope.com ext:sql
site:*.scope.com ext:env
site:*.scope.com ext:txt
site:*.scope.com ext:sql intext:"Dumping data for table `users`" | `password` | `name`
site:*.scope.com ext:txt intext:"<@domain.com>" intext:email intext:password
```

### Open Redirect

```
site:*.scope.com inurl:?RedirectUrl=
site:*.scope.com inurl:?page=
site:*.scope.com inurl:?url=
site:*.scope.com inurl:?uri=
site:*.scope.com inurl:?u=
site:*.scope.com inurl:?return=
site:*.scope.com inurl:?redirectBack=
site:*.scope.com inurl:?redir=
site:*.scope.com inurl:?returnurl=
site:*.scope.com inurl:?return_url=
site:*.scope.com inurl:?link=
site:*.scope.com inurl:?location=
site:*.scope.com inurl:?referrer=
site:*.scope.com inurl:?back=
site:*.scope.com inurl:?home=
site:*.scope.com inurl:?return_to=
site:*.scope.com inurl:?startUrl=
```

### (LFI) Local File Inclusion & (RFI) Remote File Inclusion

```
site:*.scope.com inurl:?file=
site:*.scope.com inurl:download.php?file=
site:*.scope.com inurl:cat.php?file=
site:*.scope.com inurl:?cat=
site:*.scope.com inurl:read.php?file=
site:*.scope.com inurl:index.php?include=
site:*.scope.com inurl:index.php?file=
site:*.scope.com inurl:index.php?inc=
site:*.scope.com inurl:index.php?open=
site:*.scope.com inurl:index.php?content=
site:*.scope.com inurl:index.php?configFile=
site:*.scope.com inurl:index.php?page=
site:*.scope.com inurl:index.php?template=
site:*.scope.com inurl:index.php?archive=
```

### Sites with CMS WordPress

```
site:*.scope.com inurl:wp-content
site:*.scope.com inurl:wp-content/uploads//
site:*.scope.com inurl:wp-includes
site:*.scope.com intitle:"Author at"
site:*.scope.com intitle:WordPress intitle:ReadMe ext:html
```
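The host normalisation behind the "Extract subdomains" one-liners in the Unix Terminal section, plus the scope check a hunter wants before touching a host, written out as a runnable script. The same two helpers decide whether a Location header from the "Open Redirect" recipes really leaves the scope. This is an added example, not code from this repository: scope.com is a placeholder, the sample URLs and redirect targets are constructed, and it runs offline.

```sh
#!/usr/bin/env bash
# Added example (not from the original repository): host normalisation and
# scope check for subdomain lists, reused to classify redirect targets.
# Runs offline on the constructed data at the bottom; scope.com is a placeholder.

# urls_to_hosts: stdin = URLs or bare hostnames (what sublist3r, assetfinder,
# httpx and the Wayback CDX API print), stdout = unique lowercase hostnames.
# Replaces awk -F[/:] '{print $4}', which breaks on user:pass@host URLs,
# scheme-less host:port input and backslash-separated paths.
urls_to_hosts() {
  awk '
    {
      h = $0
      sub("^[ \t]+", "", h); sub("[ \t\r]+$", "", h)
      gsub("\\\\", "/", h)                        # browsers treat \ as /
      sub("^[A-Za-z][A-Za-z0-9+.-]*:/+", "", h)   # scheme://
      sub("^/+", "", h)                           # //host (scheme-relative)
      sub("[/?#].*$", "", h)                      # path, query, fragment
      sub("^.*@", "", h)                          # user:pass@
      if (h !~ "^\\[") sub(":[0-9]+$", "", h)     # :port (not IPv6 literals)
      sub("[.]+$", "", h)                         # trailing dot
      if (h != "") print tolower(h)
    }' | LC_ALL=C sort -u
}

# in_scope SCOPE...: keep hosts equal to a scope domain or a subdomain of one.
# A plain "grep scope.com" would also accept scope.com.evil.net and notscope.com.
in_scope() {
  awk -v scopes="$*" '
    BEGIN { n = split(scopes, s, " ") }
    {
      for (i = 1; i <= n; i++) {
        if ($0 == s[i]) { print; break }
        if (length($0) > length(s[i]) && substr($0, length($0) - length(s[i])) == "." s[i]) { print; break }
      }
    }'
}

# redirect_is_external SCOPE LOCATION: exit 0 when a Location header value
# would send the browser off-scope. Path-relative values stay on-site;
# absolute URLs, //host, /\host and user@host forms are resolved through
# urls_to_hosts and compared against the scope.
redirect_is_external() {
  _loc=$(printf '%s' "$2" | tr '\\' '/')
  case "$_loc" in
    //*)   _part=${_loc#//} ;;          # scheme-relative, host follows
    /*)    return 1 ;;                  # /path: same site
    *://*) _part=${_loc#*://} ;;        # absolute URL
    *)     return 1 ;;                  # relative path, javascript:, data: ...
  esac
  _host=$(printf '%s\n' "$_part" | urls_to_hosts)
  [ -n "$_host" ] && [ -z "$(printf '%s\n' "$_host" | in_scope "$1")" ]
}

# Constructed sample input (not real recon output).
sample='https://www.scope.com/login
http://API.scope.com:8080/v1/?x=1
https://user:pw@admin.scope.com/
cdn.scope.com.
scope.com.evil.net
notscope.com
https://www.scope.com/other
'
scope_hosts() { printf '%s' "$sample" | urls_to_hosts | in_scope scope.com; }

printf '== in-scope hosts ==\n'; scope_hosts
for loc in '/home' '//evil.net/' 'https://www.scope.com/x' 'https://www.scope.com@evil.net/' '/\evil.net' 'https://scope.com.evil.net/'; do
  if redirect_is_external scope.com "$loc"; then printf 'external  %s\n' "$loc"; else printf 'on-site   %s\n' "$loc"; fi
done
```

Feed `urls_to_hosts | in_scope scope.com` wherever the recipes use `awk -F[/:] '{print $4}'`, and run `redirect_is_external` over the Location values httpx prints with `-location` to keep only the redirects that actually leave the program's scope.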
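The filters behind the "Extract parameters", "Extract JS files" and "Extract json files" recipes, as functions you can drop into a pipeline: a case-insensitive parameter filter, a parameter-name extractor for gf/dalfox/qsreplace, and an extension match that does not confuse `.js` with `.json`. This is an added example, not code from this repository; the archive-style URLs are constructed so it runs offline.

```sh
#!/usr/bin/env bash
# Added example (not from the original repository): parameter and extension
# filters for waybackurls / Wayback CDX output, run on constructed sample URLs.

# with_params: keep URLs that carry at least one name=value pair, drop the
# default :80/:443 port the archive often records, and dedupe. The grep is
# case-insensitive on purpose: grep "?[a-z0-9]*=" silently misses ?RedirectUrl=.
with_params() {
  sed -E 's#^(http://[^/:]+):80(/|$)#\1\2#; s#^(https://[^/:]+):443(/|$)#\1\2#' \
    | grep -Ei '\?[^=&#]+=' \
    | LC_ALL=C sort -u
}

# param_names: unique parameter names from the query strings, the list you
# would hand to gf/dalfox/qsreplace. Fragments are dropped first so "#..."
# never ends up inside a name.
param_names() {
  sed -n 's/#.*//; s/^[^?]*?//p' \
    | tr '&' '\n' \
    | cut -d= -f1 \
    | grep -v '^$' \
    | LC_ALL=C sort -u
}

# by_ext EXT: URLs whose path ends in .EXT before any query string, so
# "by_ext js" matches app.js and app.js?v=3 but not config.json or index.jsp,
# which grep "\.js" would also return.
by_ext() {
  grep -Ei '^[^?#]*\.'"$1"'([?#]|$)'
}

# Constructed sample of archive output (not real data).
sample='http://www.scope.com:80/search?q=test&page=2
https://www.scope.com/search?q=test&page=2
https://www.scope.com/login?RedirectUrl=/home
https://www.scope.com/static/app.js?v=3
https://www.scope.com/static/app.js
https://www.scope.com/api/config.json
https://www.scope.com/index.jsp
https://www.scope.com/about
'

sample_params() { printf '%s' "$sample" | with_params; }
sample_names()  { printf '%s' "$sample" | with_params | param_names; }
sample_js()     { printf '%s' "$sample" | by_ext js; }

printf '== parameterised URLs ==\n'; sample_params
printf '== parameter names ==\n';    sample_names
printf '== .js only ==\n';           sample_js
```

`cat domains.txt | waybackurls | with_params | anew parameters.txt` replaces the grep/sed pair in the recipes, and `param_names` gives you the distinct parameter names to prioritise (redirect-, file- and url-like names first) before running dalfox or sqlmap against thousands of archived URLs.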
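Parsers for the `dig +short` and rustscan output consumed by the "Extract IPs" and "Scan ports" recipes: a strict IPv4 filter (the `[0-9]{1,3}` pattern in the recipe also accepts 999.1.1.1) and an aggregator that turns rustscan's `Open <ip>:<port>` lines into one host-per-line port list for a targeted nmap follow-up. This is an added example, not code from this repository; the dig and rustscan lines are constructed so it runs offline.

```sh
#!/usr/bin/env bash
# Added example (not from the original repository): parsers for dig and
# rustscan output, run on constructed sample lines.

# ipv4_only: keep only well-formed IPv4 answers from `dig +short`, which also
# prints CNAME targets. Every octet is range-checked (0-255).
ipv4_only() {
  grep -Ex '((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
}

# open_ports: turn rustscan's "Open <host>:<port>" lines into one
# "<host> <port,port,...>" line per host. Splitting on the last colon keeps
# hosts that themselves contain colons intact. Grepping for the scan target
# (grep "Open $SCOPE") fails as soon as SCOPE is a CIDR such as 10.0.0.0/24.
open_ports() {
  awk '
    /^Open / {
      i = match($2, /:[0-9]+$/)
      if (i == 0) next
      host = substr($2, 1, i - 1); port = substr($2, i + 1)
      if (host in ports) ports[host] = ports[host] "," port
      else ports[host] = port
    }
    END { for (h in ports) print h, ports[h] }' | LC_ALL=C sort
}

# Constructed `dig +short www.scope.com` output (not real data).
dig_sample='www.scope.com.edgekey.net.
e1234.a.akamaiedge.net.
23.45.67.89
23.45.67.90
999.1.1.1
'
# Constructed rustscan output (not real data).
rustscan_sample='Open 192.168.0.5:22
Open 192.168.0.5:80
Open 192.168.0.9:443
[~] Starting Script(s)
'

sample_ips()   { printf '%s' "$dig_sample" | ipv4_only; }
sample_ports() { printf '%s' "$rustscan_sample" | open_ports; }

printf '== IPv4 answers ==\n'; sample_ips
printf '== open ports per host ==\n'; sample_ports
```

Each `open_ports` line maps directly onto `nmap -sV -p PORTS HOST`, so the fast rustscan sweep and the slow service scan only touch ports that were actually open.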