├── .gitignore
├── Dockerfile
├── ISSUE_TEMPLATE.md
├── LICENSE
├── README.md
├── cors.sh
├── fetch.php
├── findbuckets.sh
├── findstrings.sh
├── findtakeovers.sh
├── lists
│   ├── configfiles
│   ├── crlfinjection
│   └── openredirects
├── megplus.sh
├── out
│   └── shrug.txt
├── test.txt
└── tests.sh

/.gitignore:
--------------------------------------------------------------------------------
domains
domains-plus
domains-sub
output
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:16.04
LABEL maintainer="Anshuman Bhartiya"

RUN apt-get update

RUN apt-get install -y libldns-dev git build-essential wget libglib2.0-dev php7.0 nano python-requests python-dnspython python-argparse dnsutils

RUN wget https://storage.googleapis.com/golang/go1.9.2.linux-amd64.tar.gz && \
    tar xvf go1.9.2.linux-amd64.tar.gz && \
    mv go /usr/local

ENV GOPATH "/root/work"
ENV PATH "$PATH:/usr/local/go/bin:$GOPATH/bin"
ENV GOBIN "$GOPATH/bin/"

RUN go get github.com/tomnomnom/meg && go get github.com/tomnomnom/waybackurls

RUN git clone https://github.com/EdOverflow/megplus.git

WORKDIR /megplus
# The script only needs to be executable; world-writable (777) is not required.
RUN chmod +x megplus.sh
RUN git clone https://github.com/aboul3la/Sublist3r.git

ENTRYPOINT ["./megplus.sh"]
--------------------------------------------------------------------------------
/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------

## Specifications

- Operating system and version:

## Issue details

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 EdOverflow and Tom Hudson

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# meg+

Automated reconnaissance wrapper — [TomNomNom's](https://github.com/TomNomNom) [meg](https://github.com/tomnomnom/meg) on steroids.

![](https://user-images.githubusercontent.com/18099289/35483349-202e7f30-0441-11e8-9f2c-07d27c142839.gif)

Built by [TomNomNom](https://github.com/TomNomNom) and [EdOverflow](https://github.com/EdOverflow).

## About

This wrapper automates numerous reconnaissance tasks. The script finds common issues and low-hanging fruit, and assists you when approaching a target. meg+ can also scan **all** of your in-scope HackerOne targets in one go — it retrieves them with a GraphQL query.

Watch TomNomNom's talk to learn more about his reconnaissance methodology:

[![](https://i.ytimg.com/vi/DvS_ew77GXA/maxresdefault.jpg)](https://www.youtube.com/watch?v=DvS_ew77GXA)

## Installation

You will need [Golang](https://golang.org/doc/), Python 2 or 3, and [PHP 7.0](https://user-images.githubusercontent.com/18099289/35768719-daaaf30c-0900-11e8-92ab-bdc2498c80bf.png) to use all the features provided by this tool. On top of that, make sure to install [meg](https://github.com/tomnomnom/meg), [waybackurls](https://github.com/tomnomnom/waybackurls), [Sublist3r](https://github.com/aboul3la/Sublist3r), and [gio](http://manpages.ubuntu.com/manpages/artful/man1/gio.1.html).

```
git clone https://github.com/EdOverflow/megplus.git
cd megplus
go get github.com/tomnomnom/meg
go get github.com/tomnomnom/waybackurls
git clone https://github.com/aboul3la/Sublist3r.git
# See https://github.com/aboul3la/Sublist3r#dependencies
```

⚠ If you do not want to use `gio` or do not have `gio` on your machine, just comment out **all** the lines that have `gio` in them! Make sure to also remove the error message located here: https://github.com/EdOverflow/megplus/blob/master/megplus.sh#L65-L68.

## Usage

You can either scan a list of hosts or use your HackerOne `X-Auth-Token` to scan all the bug bounty programs that you participate in.

```
$ ./megplus.sh
1) Usage - target list of domains: ./megplus.sh <list>
2) Usage - target all HackerOne programs: ./megplus.sh -x <token>
3) Usage - run sublist3r first: ./megplus.sh -s <host>

1) Example: ./megplus.sh domains
2) Example: ./megplus.sh -x XXXXXXXXXXXXXXXX
3) Example: ./megplus.sh -s example.com
```

## Usage - Docker 🐋

If you don't feel like installing all the dependencies mentioned above, you can simply run the `abhartiya/tools_megplus` Docker container. In the command below, `test.txt` is a sample file containing the URLs to test against; in your case, this will be the file containing the URLs you want to test:

`docker run -v $(pwd):/megplus abhartiya/tools_megplus test.txt`

The command runs the `abhartiya/tools_megplus` Docker image as a container and mounts the current directory (`pwd`) into the container as a volume at `/megplus`, which makes the `test.txt` file available to the container. Once megplus finishes running, the `out` directory will be created in `pwd` with all the results.


## Scanner

meg+ will scan for the following things:

- Subdomains using Sublist3r;
- Configuration files;
- Interesting strings;
- Open redirects;
- CRLF injection;
- CORS misconfigurations;
- Path-based XSS;
- (Sub)domain takeovers.

## Contributing

I welcome contributions from the public.

### Using the issue tracker 💡

The issue tracker is the preferred channel for bug reports and feature requests.

### Issues and labels 🏷

The bug tracker utilizes several labels to help organize and identify issues.

### Guidelines for bug reports 🐛

Use the GitHub issue search — check if the issue has already been reported.

## ⚠ Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for any misuse or damage caused by this tool.
--------------------------------------------------------------------------------
/cors.sh:
--------------------------------------------------------------------------------
#!/bin/bash

urlsfile=$1

YELLOW='\033[0;33m'
END='\033[0m'

CORS=()
CREDS=()

if [ -z "$urlsfile" ]; then
    echo "Usage: $0 <urlsfile>"
    exit 1
fi

# Does the response echo our Origin back in Access-Control-Allow-Origin?
# -F compares the header as a literal string so the dots in $origin are not
# treated as regex wildcards.
function checkacao {
    local url=$1
    local origin=$2

    curl -vs --max-time 9 "$url" -H"Origin: $origin" 2>&1 | grep -iF "< Access-Control-Allow-Origin: $origin" &> /dev/null
}

# Does the same response also allow credentials for that origin?
function checkacac {
    local url=$1
    local origin=$2

    curl -vs --max-time 9 "$url" -H"Origin: $origin" 2>&1 | grep -iF "< Access-Control-Allow-Credentials: true" &> /dev/null
}

while read -r url; do
    domain=$(echo "$url" | sed -E 's#https?://([^/]*)/?.*#\1#')

    # Probe origins an attacker could control, including sloppy suffix/prefix
    # matches on the target's own domain and the "null" origin.
    for origin in https://evil.com null "https://$domain.evil.com" "https://${domain}evil.com"; do
        if checkacao "$url" "$origin"; then
            CORS+=("$url might be vulnerable with origin '$origin'")
            if checkacac "$url" "$origin"; then
                CREDS+=("$url with origin '$origin' has Allow-Credentials: true")
            fi
        fi
        sleep 2
    done
done < "$urlsfile"

if [[ ${#CORS[@]} -gt 0 ]]; then
    printf "${YELLOW}[i]${END} Potentially vulnerable targets:\\n"
    printf '%s\n' "${CORS[@]}"
fi
if [[ ${#CREDS[@]} -gt 0 ]]; then
    printf "${YELLOW}[i]${END} Has 'Allow-Credentials: true':\\n"
    printf '%s\n' "${CREDS[@]}"
fi
--------------------------------------------------------------------------------
/fetch.php:
--------------------------------------------------------------------------------
// Created by TomNomNom
// The head of this file (the <?php tag, $authtoken, $url and the GraphQL
// $query string) is missing from this copy; only the tail of the $gen closure
// survived, so its opening line below is assumed from the calls that use it.
$gen = function ($cursor) use ($query) {
    return json_encode([
        'query' => sprintf($query, $cursor),
        'variables' => (object) []
    ]);
};


$cursor = "";
do {
    $params = [
        'http' => [
            'method' => 'POST',
            'header' => "Content-Type: application/json\r\n".
                "Origin: https://hackerone.com\r\n".
                "Referer: https://hackerone.com/programs\r\n".
                "X-Auth-Token: {$authtoken}",
            'content' => $gen($cursor)
        ]
    ];
    $context = stream_context_create($params);
    $fp = fopen($url, 'rb', false, $context);
    $result = $fp ? stream_get_contents($fp) : null;
    $result = json_decode($result);
    if (!$result) die('response error');

    $hasNextPage = $result->data->query->teams->pageInfo->hasNextPage;

    foreach ($result->data->query->teams->edges as $edge){
        $cursor = $edge->cursor;
        foreach ($edge->node->structured_scopes->edges as $scope){
            $scope = $scope->node;
            // Keep only scope entries that are eligible for submission and are URLs.
            if (!$scope->eligible_for_submission){
                continue;
            }
            if (strToLower($scope->asset_type) != "url"){
                continue;
            }

            echo $scope->asset_identifier.PHP_EOL;
        }
    }

} while($hasNextPage);

--------------------------------------------------------------------------------
/findbuckets.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Look for references to AWS S3, DigitalOcean Spaces and Azure Blob storage in
# the meg output directory (argument 1, default out/).
grep --color -Pri \
    '(/|2F)?\K([\w\.\-_]+)\.(amazonaws\.com|digitaloceanspaces\.com|blob\.core\.windows\.net)(/|%2F)?([\w\.\-_]+)?' \
    "${1:-out/}"
--------------------------------------------------------------------------------
/findstrings.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Grep the meg output (argument 1, default out/) for key material and
# credential-looking names. -F searches for each string literally, so hash
# prefixes such as "$2a$" are not read as regex anchors; -e lets a pattern
# start with "-" without being parsed as an option.
searches=(
    '-----BEGIN PRIVATE KEY-----'
    '-----BEGIN RSA PRIVATE KEY-----'
    '$1$'
    'md5'
    '$5$'
    '$6$'
    '$2a$'
    '$2x$'
    '$2y$'
    '$2b$'
    'secret'
    'api_key'
    'api-key'
    'api_secret_key'
    'api-secret-key'
    'secret_key'
    'secret-key'
    'private_key'
    'private-key'
)

for str in "${searches[@]}"; do
    grep --color -HnriF -e "$str" "${1:-out/}"
done
--------------------------------------------------------------------------------
/findtakeovers.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Created by TomNomNom
# Error strings that hosting providers return for an unclaimed resource; a
# CNAME pointing at one of these is a takeover candidate.
searches=(
    "There is no app configured at that hostname"
    "NoSuchBucket"
    "No Such Account"
    "You're Almost There"
    "a GitHub Pages site here"
    "this shop is currently unavailable"
    "There's nothing here"
    "The site you were looking for couldn't be found"
    "The request could not be satisfied"
    "project not found"
    "Your CNAME settings"
    "The resource that you are attempting to access does not exist or you don't have the necessary permissions to view it."
    "Domain mapping upgrade for this domain not found"
    "The feed has not been found"
    "This UserVoice subdomain is currently available!"
)

for str in "${searches[@]}"; do
    grep --color -Hnri "$str" "${1:-out/}"
done
--------------------------------------------------------------------------------
/lists/configfiles:
--------------------------------------------------------------------------------
/.AppleDB
/.aws.yml
/.aws/.credentials.swp
/.aws/credentials
/.babelrc
/.bash_history
/.bash_profile
/.bashrc
/.bowerrc
/.bzr/repository/format
/.cvsignore
/.dockerignore
/.DS_Store
/.editorconfig
/.env
/.git/config
/.git/HEAD
/.gitconfig
/.gitignore
/.gitlab-ci.yml
/.hg
/.hg/branch
/.hgignore
/.htaccess
/.htpasswd
/.idea
/.idea/.rakeTasks
/.idea/dataSources
/.idea/dataSources.local.xml
/.idea/dataSources.xml
/.idea/modules.xml
/.idea/vcs.xml
/.idea/workspace.xml
/.jestrc
/.jshintrc
/.keys.yml
/.keys.yml.swp
/.muttrc
/.mysql_history
/.nbproject
/.netrc
/.npmignore
/.npmrc
/.pgpass
/.profile
/.psql_history
/.s3.yml
/.sh_history
/.ssh
/.ssh/authorized_keys
/.ssh/id_dsa
/.ssh/id_dsa.pub
/.ssh/id_rsa
/.ssh/id_rsa.pub
/.ssh/known_hosts
/.svn/all-wcprops
/.svn/entries
/.svn/format
/.svn/wc.db
/.svnignore
/.swp
/.terraform.tfstate.swp
/.terraform.tfvars.swp
/.travis.composer.config.json
/.travis.yml
/.travis.yml.swp
/.wp-config.php
/.wp-config.php.swp
/.zsh_history
/.zsh_profile
/.zshrc
/_admin/operations.aspx
/_vti_bin/admin.asmx
/admin
/autoconfig
/aws.yml
/backup
/backup.asp
/backup.aspx
/backup.do
/backup.html
/backup.jsp
/backup.php
/backup.txt
/backup/
/beans
/bower.json
/build.xml
/cgi-bin/printenv.pl
/cgi-bin/status.pl
/cgi-bin/test-cgi.pl
/circle.yml
/composer.json
/composer.lock
/config
/config.gypi
/config.json
/configprops
/CVS/Entries
/CVS/Root
/cvsroot/CVSROOT
/cvsroot/CVSROOT/val-tags
/debug
/debug.asp
/debug.aspx
/debug.do
/debug.html
/debug.jsp
/debug.php
/debug.txt
/debug/
/Dockerfile
/dump
/e2e-tests
/env
/examples/jsp/error/error.html
/examples/jsp/num/numguess.jsp
/examples/servlet/HelloWorldExample
/features
/flex
/Gemfile
/Gemfile.lock
/gruntfile.coffee
/Gruntfile.coffee
/gruntfile.js
/Gruntfile.js
/Gulpfile
/Gulpfile.js
/gulpfile.js
/index.asp
/index.aspx
/index.jsp
/index.php
/index.txt
/info
/info.asp
/info.aspx
/info.do
/info.html
/info.jsp
/info.php
/info.txt
/info/
/invoker/EJBInvokerServlet
/invoker/JMXInvokerServlet
/Jenkinsfile
/jmx-console/HtmlAdaptor
/karma.conf.js
/keys.yml
/license
/LICENSE
/license.md
/LICENSE.md
/LICENSE.txt
/license.txt
/Makefile
/metrics
/mkdocs.yml
/nginx_status
/npm-debug.log
/npm-shrinkwrap.json
/package.json
/pagespeed_admin
/php.php
/phpinfo.php
/phptest.php
/phpunit.xml
/readme
/README
/readme.html
/README.html
/readme.md
/README.md
/readme.mkd
/README.mkd
/README.txt
/readme.txt
/robots.txt
/routes
/s3.yml
/s3.yml.swp
/server-info
/server-status
/serverinfo
/tags
/terraform.tfstate
/terraform.tfstate.backup
/terraform.tfvars
/terraform.tfvars.json
/test
/test.asp
/test.aspx
/test.do
/test.html
/test.jsp
/test.php
/test.txt
/test/
/tests
/Thumbs.db
/tmp
/tmp.asp
/tmp.aspx
/tmp.do
/tmp.html
/tmp.jsp
/tmp.php
/tmp.txt
/tmp/
/tomcat-docs/appdev/sample/web/hello.jsp
/trace
/travis.yml
/tsconfig.json
/unit-tests
/Vagrantfile
/web-console/AOPBinding.jsp
/web-console/applet.jsp
/web-console/Invoker
/web-console/listMonitors.jsp
/web-console/ServerInfo.jsp
/web-console/status
/web-console/SysProperties.jsp
/web-console/WebModule.jsp
/WEB-INF/struts-config.xml
/WEB-INF/web.xml
/web.config
/web.xml
/webpack.config.js
/wp-config.php
/yarn-debug.log
/yarn-error.log
/yarn.lock
/zephyr

--------------------------------------------------------------------------------
/lists/crlfinjection:
--------------------------------------------------------------------------------
/%%0a0aSet-Cookie:crlf=injection
/%0aSet-Cookie:crlf=injection
/%0d%0aSet-Cookie:crlf=injection
/%0dSet-Cookie:crlf=injection
/%23%0aSet-Cookie:crlf=injection
/%23%0d%0aSet-Cookie:crlf=injection
/%23%0dSet-Cookie:crlf=injection
/%25%30%61Set-Cookie:crlf=injection
/%25%30aSet-Cookie:crlf=injection
/%250aSet-Cookie:crlf=injection
/%25250aSet-Cookie:crlf=injection
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
/%2F..%0d%0aSet-Cookie:crlf=injection
/%3f%0d%0aSet-Cookie:crlf=injection
/%3f%0dSet-Cookie:crlf=injection
/%u000aSet-Cookie:crlf=injection
--------------------------------------------------------------------------------
/lists/openredirects:
--------------------------------------------------------------------------------
/%09/example.com
/%2f%2fexample.com
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%5cexample.com
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
/.example.com
//%09/example.com
//%5cexample.com
///%09/example.com
///%5cexample.com
////%09/example.com
////%5cexample.com
/////example.com
/////example.com/
////\;@example.com
////example.com/
////example.com/%2e%2e
////example.com/%2e%2e%2f
////example.com/%2f%2e%2e
////example.com/%2f..
////example.com//
///\;@example.com
///example.com
///example.com/
///example.com/%2e%2e
///example.com/%2e%2e%2f
///example.com/%2f%2e%2e
///example.com/%2f..
///example.com//
//example.com
//example.com/
//example.com/%2e%2e
//example.com/%2e%2e%2f
//example.com/%2f%2e%2e
//example.com/%2f..
//example.com//
//google%00.com
//google%E3%80%82com
//https:///example.com/%2e%2e
//https://example.com/%2e%2e%2f
//https://example.com//
/<>//example.com
/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com
/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
/\/\/example.com/
/\/example.com/
/example.com/%2f%2e%2e
/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
/http://example.com
/http:/example.com
/https:/%5cexample.com/
/https://%09/example.com
/https://%5cexample.com
/https:///example.com/%2e%2e
/https:///example.com/%2f%2e%2e
/https://example.com
/https://example.com/
/https://example.com/%2e%2e
/https://example.com/%2e%2e%2f
/https://example.com/%2f%2e%2e
/https://example.com/%2f..
/https://example.com//
/https:example.com
/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com
/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com
/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com
--------------------------------------------------------------------------------
/megplus.sh:
--------------------------------------------------------------------------------
#!/bin/bash

GREEN='\033[0;32m'
YELLOW='\033[0;33m'
CYAN='\033[0;36m'
END='\033[0m'

if [[ $1 == '' ]] || [[ $1 == '-h' ]] || [[ $1 == '--help' ]]; then
    echo "1) Usage - target list of domains: ./megplus.sh <list>"
    echo "2) Usage - target all HackerOne programs: ./megplus.sh -x <token>"
    echo "3) Usage - run Sublist3r first against host: ./megplus.sh -s <host>"
    echo
    echo "1) Example: ./megplus.sh domains"
    echo "2) Example: ./megplus.sh -x XXXXXXXXXXXXXXXX"
    echo "3) Example: ./megplus.sh -s example.com"
    exit 1
fi

echo -e "${CYAN}

88888b.d88b.   .d88b.   .d88b.     888
888  88b  88b d8P  Y8b d88P 88b  8888888
888  888  888 88888888 888  888    888
888  888  888 Y8b.     Y88b 888
888  888  888  Y8888    Y88888
                            888
${GREEN}Automate meg${END}           ${CYAN}Y8b d88P${END}
${GREEN}By TomNomNom${END}            ${CYAN}Y88P${END}
${GREEN}& EdOverflow${END}
"

QUOTES=(
    "Activating 1337 mode!"
    "Target uses Equifax-grade security."
    "ᕕ( ᐛ )ᕗ"
    "ᕕ( ᐕ )ᕗ"
    "三三ᕕ( ᐛ )ᕗ"
    "ᐠ( ᐛ )ᐟ"
    "Never gonna give you up."
    "Bounty pls."
    "Update pls."
    "Sleep is for the weak."
    "Grab a cuppa!"
    "meg+, meg on steroids."
    "I am 100 percent natural."
    "A bug is never just a mistake. It represents something bigger. An error of thinking that makes you who you are."
    "You hack people. I hack time."
    "I hope you don't screw like you type."
    "Hack the planet!"
    "Crypto stands for cryptography."
    "PoC||GTFO"
)

rand=$((RANDOM % ${#QUOTES[@]}))
printf "${YELLOW}[i]${END} ${QUOTES[$rand]}\\n"
echo

if ! which meg &> /dev/null; then
    echo "You need to install meg."
    echo "Follow the installation instructions found here: https://github.com/tomnomnom/meg#install"
    exit 1
fi

# Normalise one scope entry or host per line into "https://host": drop the
# scheme and path and a leading "*." wildcard, split comma-separated entries,
# lower-case, collapse adjacent duplicates, then prefix https://.
normalize_targets() {
    sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\*\.?##' | sed -E 's#,#\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 's/^/https:\/\//'
}

if [[ $1 == '-x' ]] && [[ $2 != '' ]]; then
    printf "${GREEN}[+]${END} Fetching all in-scope targets.\\n"
    php fetch.php "$2" > temp
    normalize_targets < temp > domains-plus
    targets="domains-plus"
    # gio trash temp
elif [[ $1 == '-s' ]] && [[ $2 != '' ]]; then
    printf "${GREEN}[+]${END} Running Sublist3r against $2.\\n"
    # Set Sublist3r path here!
    python Sublist3r/sublist3r.py -d "$2" -o domains-sub > /dev/null
    # Keep only the subdomains that actually resolve.
    while read -r domain; do
        if host "$domain" > /dev/null; then
            echo "$domain"
        fi
    done < domains-sub >> output
    normalize_targets < output > domains-plus
    targets="domains-plus"
    echo
else
    normalize_targets < "$1" > "$1-plus"
    targets="$1-plus"
fi

printf "${GREEN}[+]${END} Finding configuration files.\\n"
meg --delay 100 lists/configfiles "$targets" &>/dev/null
grep -Hnri "200 ok" out/
echo

printf "${GREEN}[+]${END} Finding interesting strings.\\n"
./findstrings.sh out/
echo

printf "${GREEN}[+]${END} Finding AWS/DigitalOcean/Azure buckets.\\n"
./findbuckets.sh out/
echo

printf "${GREEN}[+]${END} Finding open redirects.\\n"
meg --delay 100 lists/openredirects "$targets" &>/dev/null
grep --color -HnriE '< location: (https?:)?[/\\]{2,}example.com' out/
echo

printf "${GREEN}[+]${END} Finding CRLF injection.\\n"
meg --delay 100 lists/crlfinjection "$targets" &>/dev/null
grep --color -HnriE "< Set-Cookie: ?crlf" out/
echo

printf "${GREEN}[+]${END} Finding CORS misconfigurations.\\n"
./cors.sh "$targets"
echo

printf "${GREEN}[+]${END} Finding path-based XSS.\\n"
meg /bounty%3c%22pls "$targets"
# The alternation needs -E; in basic regex "(bounty<|"pls)" is matched literally.
grep --color -HriE -e '(bounty<|"pls)' out/
echo

printf "${GREEN}[+]${END} Searching for (sub)domain takeovers.\\n"
./findtakeovers.sh
echo

printf "${GREEN}[+]${END} Running waybackurls.\\n"
cat "$targets" | waybackurls > out/urls
printf "${YELLOW}[i]${END} Output in './out/urls' file.\\n"
echo

# You can use gvfs-trash too.
# gio trash output
# gio trash domains-plus
# gio trash domains-sub
printf "${YELLOW}[i]${END} Done scanning -- all output located in ./out.\\n"

echo "
    _,-.       --------------------
 ,-.  ,--' o ) -( Frogs find bugs! )
 \(,' '  ,,-'    --------------------
  ,-.\-.__,\\\_
  \('--'    '\\
"
--------------------------------------------------------------------------------
/out/shrug.txt:
--------------------------------------------------------------------------------
¯\_(ツ)_/¯
--------------------------------------------------------------------------------
/test.txt:
--------------------------------------------------------------------------------
http://test.com/
--------------------------------------------------------------------------------
/tests.sh:
--------------------------------------------------------------------------------
#!/bin/bash
./megplus.sh
echo "reddit.com" > domains
./megplus.sh domains
./megplus.sh -s reddit.com
--------------------------------------------------------------------------------
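The decision cors.sh makes with live curl requests, as an added example that is not part of megplus: the same Access-Control-Allow-Origin / Allow-Credentials check applied offline to constructed curl -v style response headers, with the wildcard and null-origin cases spelled out. The header samples are constructed, and the function names (header_value, classify_cors) are this example's own.

```shell
#!/bin/bash
# Added example, not part of megplus: the decision logic behind cors.sh, applied
# offline to captured "curl -v" response headers (the "< Header: value" lines
# curl prints) so the classification can be checked without sending requests.
# Assumption: the headers of one response arrive on stdin.

# header_value NAME: value of the first "< NAME: value" line on stdin (header
# names are case-insensitive), with surrounding whitespace trimmed.
header_value() {
    grep -i "^< $1:" | head -n 1 | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//'
}

# classify_cors ORIGIN < headers
# Prints how the server answered a request that carried "Origin: ORIGIN":
#   allowed+credentials   ACAO echoes ORIGIN and ACAC is true: a page on ORIGIN
#                         can read authenticated responses (cors.sh reports both)
#   allowed               ACAO echoes ORIGIN, no credentials
#   wildcard+credentials  ACAO is "*" with ACAC true: a misconfiguration, but
#                         browsers refuse "*" for credentialed requests
#   wildcard              ACAO is "*": a public resource
#   not-allowed           ORIGIN is not permitted
# cors.sh only probes attacker-style origins (https://evil.com, null, ...): one
# response cannot tell a legitimate allowlist entry from reflection.
classify_cors() {
    origin=$1
    headers=$(tr -d '\r')     # whole response from stdin; CRLF -> LF
    acao=$(printf '%s\n' "$headers" | header_value 'Access-Control-Allow-Origin')
    acac=$(printf '%s\n' "$headers" | header_value 'Access-Control-Allow-Credentials' \
           | tr '[:upper:]' '[:lower:]')
    if [ "$acao" = "$origin" ]; then
        base=allowed
    elif [ "$acao" = "*" ]; then
        base=wildcard
    else
        echo not-allowed
        return 0
    fi
    if [ "$acac" = "true" ]; then
        echo "$base+credentials"
    else
        echo "$base"
    fi
}

# Constructed sample responses (not real captures), as cors.sh would see them
# after sending "Origin: https://evil.com" or "Origin: null".
RESP_REFLECTED=$(printf '< HTTP/1.1 200 OK\r\n< Access-Control-Allow-Origin: https://evil.com\r\n< Access-Control-Allow-Credentials: true\r\n< Content-Type: application/json\r\n')
RESP_WILDCARD=$(printf '< HTTP/1.1 200 OK\r\n< access-control-allow-origin: *\r\n')
RESP_ALLOWLIST=$(printf '< HTTP/1.1 200 OK\r\n< Access-Control-Allow-Origin: https://app.example.com\r\n< Access-Control-Allow-Credentials: true\r\n')
RESP_NULL=$(printf '< HTTP/1.1 200 OK\r\n< Access-Control-Allow-Origin: null\r\n< Access-Control-Allow-Credentials: true\r\n')

# demo: classify each sample for the two origins cors.sh always tries.
demo() {
    printf 'reflected  evil.com -> %s\n' "$(printf '%s\n' "$RESP_REFLECTED" | classify_cors https://evil.com)"
    printf 'wildcard   evil.com -> %s\n' "$(printf '%s\n' "$RESP_WILDCARD"  | classify_cors https://evil.com)"
    printf 'allowlist  evil.com -> %s\n' "$(printf '%s\n' "$RESP_ALLOWLIST" | classify_cors https://evil.com)"
    printf 'null-acao  null     -> %s\n' "$(printf '%s\n' "$RESP_NULL"      | classify_cors null)"
    printf 'null-acao  evil.com -> %s\n' "$(printf '%s\n' "$RESP_NULL"      | classify_cors https://evil.com)"
}

demo
```

Feed it the stderr of `curl -vs "$url" -H "Origin: $origin"` in place of the samples to classify a real capture the way cors.sh does.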