├── README.md
└── bashgf


/README.md:
--------------------------------------------------------------------------------
 1 | # bashgf
 2 | 
 3 | Bash version for Tomnomnom's <b>gf</b> tool. This version doesn't need any previous configuration
 4 | 
 5 | How to install:
 6 | 
 7 | ````bash
 8 | cd /opt && git clone https://github.com/e1abrador/bashgf
 9 | cd bashgf 
10 | chmod +x bashgf && cp bashgf $(echo $PATH | tr ':' ' ' | awk '{print $1}')
11 | ````
12 | 
13 | # How to use it 
14 | 
15 | ````bash
16 | bashgf --help
17 |         Options:
18 |                 > Read from stdin file
19 |                 cat file_with_urls | bashgf <value>
20 |                 Values: lfi rce open-redirect sqli ssrf ssti xss
21 |                 > Grep recursively on directory files
22 |                 bashgf <value>  /path/to/directory
23 |                 Values: jsvars urls upload-fields sub-takeover servers keys aws-buckets
24 |                 php-sources php-serialized php-errors php-curl json-sec http-auth software
25 |                 firebase debug-page cors base64-important-value aws-keys
26 | ````
27 | 
28 | Use it from stdin
29 | 
30 | ````bash
31 | cat file_with_urls | bashgf lfi
32 | https://example.com/?file=https://google.com
33 | ...
34 | 
35 | cat file_with_urls | bashgf open-redirect
36 | https://example.com/?image_url=https://google.com/image.png
37 | ...
38 | ````
39 | 
40 | Use it to scan a directory
41 | 
42 | ````bash
43 | bashgf jsvars .
44 | ./file-with-vars:1:var myName = 'e1abrador';
45 | ...
46 | ````
47 | 
48 | # Thanks
49 | Thanks to Tomnomnom for the great tool idea.
50 | 
51 | 
52 | 


--------------------------------------------------------------------------------
/bashgf:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | #Colours
  4 | greenColour="\e[0;32m\033[1m"
  5 | endColour="\033[0m\e[0m"
  6 | redColour="\e[0;31m\033[1m"
  7 | blueColour="\e[0;34m\033[1m"
  8 | yellowColour="\e[0;33m\033[1m"
  9 | purpleColour="\e[0;35m\033[1m"
 10 | turquoiseColour="\e[0;36m\033[1m"
 11 | grayColour="\e[0;37m\033[1m"
 12 | 
 13 | #gf in bash
 14 | 
 15 | pathh=$2
 16 | 
 17 | function xss(){
 18 | 	grep -iE "q=|s=|search=|lang=|keyword=|query=|page=|keywords=|year=|view=|email=|type=|name=|p=|callback=|jsonp=|api_key=|api=|password=|email=|emailto=|token=|username=|csrf_token=|unsubscribe_token=|id=|item=|page_id=|month=|immagine=|list_type=|url=|terms=|categoryid=|key=|l=|begindate=|enddate="
 19 | }
 20 | 
 21 | function ssti(){
 22 | 	grep -iE "template=|preview=|id=|view=|activity=|name=|content=|redirect="
 23 | }
 24 | 
 25 | function ssrf(){
 26 | 	grep -iE "access=|admin=|dbg=|debug=|edit=|grant=|test=|alter=|clone=|create=|delete=|disable=|enable=|exec=|execute=|load=|make=|modify=|rename=|reset=|shell=|toggle=|adm=|root=|cfg=|dest=|redirect=|uri=|path=|continue=|url=|window=|next=|data=|reference=|site=|html=|val=|validate=|domain=|callback=|return=|page=|feed=|host=|port=|to=|out=|view=|dir=|show=|navigation=|open=|file=|document=|folder=|pg=|php_path=|style=|doc=|img=|filename="
 27 | }
 28 | 
 29 | function sqli(){
 30 | 	grep -iE "id=|select=|report=|role=|update=|query=|user=|name=|sort=|where=|search=|params=|process=|row=|view=|table=|from=|sel=|results=|sleep=|fetch=|order=|keyword=|column=|field=|delete=|string=|number=|filter="
 31 | }
 32 | 
 33 | function open-redirect(){
 34 | 	grep -iE "image_url=|Open=|callback=|cgi-bin/redirect.cgi|cgi-bin/redirect.cgi?|checkout=|checkout_url=|continue=|data=|dest=|destination=|dir=|domain=|feed=|file=|file_name=|file_url=|folder=|folder_url=|forward=|from_url=|go=|goto=|host=|html=|image_url=|img_url=|load_file=|load_url=|login?to=|login_url=|logout=|navigation=|next=|next_page=|out=|page=|page_url=|path=|port=|redir=|redirect=|redirect_to=|redirect_uri=|redirect_url=|reference=|return=|returnTo=|return_path=|return_to=|return_url=|rt=|rurl=|show=|site=|target=|to=|uri=|url=|val=|validate=|view=|window="
 35 | }
 36 | 
 37 | function rce(){
 38 | 	grep -iE "daemon=|upload=|dir=|download=|log=|ip=|cli=|cmd=|exec=|command=|execute=|ping=|query=|jump=|code=|reg=|do=|func=|arg=|option=|load=|process=|step=|read=|function|req=|feature=|exe=|module=|payload=|run=|print="
 39 | }
 40 | 
 41 | function lfi(){
 42 | 	grep -iE "file=|document=|folder=|root=|path=|pg=|style=|pdf=|template=|php_path=|doc=|page=|name=|cat=|dir=|action=|board=|date=|detail=|download=|prefix=|include=|inc=|locate=|show=|site=|type=|view=|content=|layout=|mod=|conf=|url="
 43 | }
 44 | 
 45 | function jsvars(){
 46 | 	grep -HnriE "var [a-z0-9]+\s+=" $pathh
 47 | }
 48 | 
 49 | function urls(){
 50 | 	grep -HnriE "https?://[^\"\\'> ]+" $pathh
 51 | }
 52 | 
 53 | function upload-fields(){
 54 | 	grep -Hnri "<input\stype=*" $pathh
 55 | }
 56 | 
 57 | function sub-takeover(){
 58 | 	grep -HnriE "There is no app configured at that hostname|NoSuchBucket|No Such Account|You're Almost There|a GitHub Pages site here|There's nothing here|project not found|Your CNAME settings|InvalidBucketName|PermanentRedirect|The specified bucket does not exist|Repository not found|Sorry We Couldn't Find That Page|The feed has not been found.|The thing you were looking for is no longer here or never was|Please renew your subscription|There isn't a Github Pages site here.|We could not find what you're looking for.|No settings were found for this company:|No such app|is not a registered InCloud YouTrack|Unrecognized domain|project not found|This UserVoice subdomain is currently available\!|Do you want to register|Help Center Closed" $pathh
 59 | }
 60 | 
 61 | function servers(){
 62 | 	grep -HnriE "server: " $pathh
 63 | }
 64 | 
 65 | function keys(){
 66 | 	grep -HanriE "(aws_access|aws_secret|api[_-]?key|ListBucketResult|S3_ACCESS_KEY|Authorization:|RSA PRIVATE|Index of|aws_|secret|ssh-rsa AA)"
 67 | }
 68 | 
 69 | function aws-buckets(){
 70 | 	grep -hrioaE "[a-z0-9.-]+\\.s3\\.amazonaws\\.com|[a-z0-9.-]+\\.s3-[a-z0-9-]\\.amazonaws\\.com|[a-z0-9.-]+\\.s3-website[.-](eu|ap|us|ca|sa|cn)|//s3\\.amazonaws\\.com/[a-z0-9._-]+|//s3-[a-z0-9-]+\\.amazonaws\\.com/[a-z0-9._-]+" $pathh
 71 | }
 72 | 
 73 | function php-sources(){
 74 |         grep -HnrE "\\$_(POST|GET|COOKIE|REQUEST|SERVER|FILES)|php://(input|stdin)" $pathh
 75 | }
 76 | 
 77 | function php-serialized(){
 78 |         grep -HnrE "a:[0-9]+:{|O:[0-9]+:\"s:[0-9]+:\"" $pathh
 79 | }
 80 | 
 81 | function php-errors(){
 82 | 	grep -HnriE "php warning|php error|fatal error|uncaught exception|include_path|undefined index|undefined variable|\\?php|<\\?^x|stack trace\\:|expects parameter 0-9*|Debug Trace" $pathh
 83 | }
 84 | 
 85 | function php-curl(){
 86 | 	grep -HnrE "CURLOPT_(HTTPHEADER|HEADER|COOKIE|RANGE|REFERER|USERAGENT|PROXYHEADER)" $pathh
 87 | }
 88 | 
 89 | function json-sec(){
 90 | 	grep -HnriE "(\\\\?\"|&quot;|%22)[a-z0-9_-]*(api[_-]?key|S3|aws_|secret|passw|auth)[a-z0-9_-]*(\\\\?\"|&quot;|%22): ?(\\\\?\"|&quot;|%22)[^\"&]+(\\\\?\"|&quot;|%22)" $pathh
 91 | }
 92 | 
 93 | function http-auth(){
 94 | 	grep -hrioaE "[a-z0-9_/\\.:-]+@[a-z0-9-]+\\.[a-z0-9.-]+" $pathh
 95 | }
 96 | 
 97 | function software(){
 98 | 	grep -HnriE "django|laravel|symfony|graphite|grafana|X-Drupal-Cache|struts|code ?igniter|cake ?php|grails|elastic ?search|kibana|log ?stash|tomcat|jenkins|hudson|com.atlassian.jira|Apache Subversion|Chef Server|RabbitMQ Management|Mongo|Travis CI - Enterprise|BMC Remedy|artifactory" $pathh
 99 | }
100 | 
101 | function firebase(){
102 | 	grep -Hnri "firebaseio.com" $pathh
103 | }
104 | 
105 | function debug-page(){
106 | 	grep -HnraiE "(Application-Trace|Routing Error|DEBUG\"? ?[=:] ?True|Caused by:|stack trace:|Microsoft .NET Framework|Traceback|[0-9]:in \`|#\!/us|WebApplicationException|java\\.lang\\.|phpinfo|swaggerUi|on line [0-9]|SQLSTATE)" $pathh
107 | }
108 | 
109 | function cors(){
110 | 	grep -HnriE "Access-Control-Allow" $pathh
111 | }
112 | 
113 | function base64-important-value(){
114 | 	grep -HnroE "([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}" $pathh
115 | }
116 | 
117 | function aws-keys(){
118 | 	grep -HanrE "([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}" $pathh
119 | }
120 | 
121 | function dom-xss(){
122 |         grep -HanriE "Database|document.baseURI|document.cookie|document.documentURI|document.referrer|document.URL|document.URLUnencoded|history.pushState|history.replaceState|IndexedDB|localStorage|location|sessionStorage|window.name|document.domain|document.write|document.writeln|element.innerHTML|element.insertAdjacentHTML|element.onevent|element.outerHTML" $pathh
123 | }
124 | 
125 | function general-api(){
126 |         grep -HanrE "(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]" $pathh
127 | }
128 | 
129 | function grep_stdin(){
130 | 	while read lines
131 | 	do
132 |   		echo $lines
133 | 	done < "${1:-/dev/stdin}"
134 | }
135 | 
136 | function helpPanel(){
137 | 	echo -e "\tOptions:"
138 | 	echo -e "\t\t${redColour}>${endColour} ${grayColour}Read from stdin file${endColour}"
139 | 	echo -e "\t\t${purpleColour}cat file_with_urls | bashgf ${endColour}${yellowColour}<value>${endColour}"
140 | 	echo -e "\t\t${blueColour}Values:${endColour} ${yellowColour}lfi rce open-redirect sqli ssrf ssti xss${endColour}"
141 | 	echo -e "\t\t${redColour}>${endColour} ${grayColour}Grep recursively on directory files${endColour}"
142 | 	echo -e "\t\t${purpleColour}bashgf ${endColour}${yellowColour}<value>${endColour} ${purpleColour} /path/to/directory${endColour}"
143 | 	echo -e "\t\t${blueColour}Values:${endColour} ${yellowColour}jsvars urls upload-fields sub-takeover servers keys aws-buckets\n\t\tphp-sources php-serialized php-errors php-curl json-sec http-auth software\n\t\tfirebase debug-page cors base64-important-value aws-keys dom-xss general-api${endColour}"
144 | }
145 | 
146 | if [ $1 == $(echo -e xss) 2>/dev/null ]; then
147 | 	grep_stdin | xss 2>/dev/null
148 | elif [ $1 == $(echo -e ssti) 2>/dev/null ]; then
149 | 	grep_stdin | ssti 2>/dev/null
150 | elif [ $1 == $(echo -e ssrf) 2>/dev/null ]; then
151 |         grep_stdin | ssrf 2>/dev/null
152 | elif [ $1 == $(echo -e sqli) 2>/dev/null ]; then
153 |         grep_stdin | sqli 2>/dev/null
154 | elif [ $1 == $(echo -e open-redirect) 2>/dev/null ]; then
155 |         grep_stdin | open-redirect 2>/dev/null
156 | elif [ $1 == $(echo -e rce) 2>/dev/null ]; then
157 |         grep_stdin | rce 2>/dev/null
158 | elif [ $1 == $(echo -e lfi) 2>/dev/null ]; then
159 |         grep_stdin | lfi 2>/dev/null
160 | elif [ $1 == $(echo -e jsvars) 2>/dev/null ]; then
161 |         jsvars 2>/dev/null
162 | elif [ $1 == $(echo -e urls) 2>/dev/null ]; then
163 |         urls 2>/dev/null
164 | elif [ $1 == $(echo -e upload-fields) 2>/dev/null ]; then
165 |         upload-fields 2>/dev/null
166 | elif [ $1 == $(echo -e sub-takeover) 2>/dev/null ]; then  
167 |         sub-takeover 2>/dev/null
168 | elif [ $1 == $(echo -e servers) 2>/dev/null ]; then
169 |         servers 2>/dev/null
170 | elif [ $1 == $(echo -e keys) 2>/dev/null ]; then
171 |         keys 2>/dev/null
172 | elif [ $1 == $(echo -e aws-buckets) 2>/dev/null ]; then
173 |         aws-buckets 2>/dev/null
174 | elif [ $1 == $(echo -e php-sources) 2>/dev/null ]; then
175 |         php-sources 2>/dev/null
176 | elif [ $1 == $(echo -e php-serialized) 2>/dev/null ]; then
177 |         php-serialized 2>/dev/null
178 | elif [ $1 == $(echo -e php-errors) 2>/dev/null ]; then
179 |         php-errors 2>/dev/null
180 | elif [ $1 == $(echo -e php-curl) 2>/dev/null ]; then
181 |         php-curl 2>/dev/null
182 | elif [ $1 == $(echo -e json-sec) 2>/dev/null ]; then
183 |         json-sec 2>/dev/null
184 | elif [ $1 == $(echo -e http-auth) 2>/dev/null ]; then
185 |         http-auth 2>/dev/null
186 | elif [ $1 == $(echo -e software) 2>/dev/null ]; then
187 |         software 2>/dev/null
188 | elif [ $1 == $(echo -e firebase) 2>/dev/null ]; then
189 |         firebase 2>/dev/null
190 | elif [ $1 == $(echo -e debug-page) 2>/dev/null ]; then
191 |         debug-page 2>/dev/null
192 | elif [ $1 == $(echo -e cors) 2>/dev/null ]; then
193 |         cors 2>/dev/null
194 | elif [ $1 == $(echo -e base64-important-value) 2>/dev/null ]; then
195 |         base64-important-value 2>/dev/null
196 | elif [ $1 == $(echo -e aws-keys) 2>/dev/null ]; then
197 |         aws-keys 2>/dev/null
198 | elif [ $1 == $(echo -e dom-xss) 2>/dev/null ]; then
199 |         dom-xss 2>/dev/null
200 | elif [ $1 == $(echo -e general-api) 2>/dev/null ]; then
201 |         general-api 2>/dev/null
202 | else
203 | 	helpPanel
204 | fi
205 | 


--------------------------------------------------------------------------------