├── .gf ├── README.md ├── aws-keys.json ├── base64.json ├── cors.json ├── debug-pages.json ├── debug_logic.json ├── firebase.json ├── fw.json ├── go-functions.json ├── http-auth.json ├── idor.json ├── img-traversal.json ├── interestingsubs.json ├── ip.json ├── json-sec.json ├── lfi.json ├── meg-headers.json ├── php-curl.json ├── php-errors.json ├── php-serialized.json ├── php-sinks.json ├── php-sources.json ├── rce.json ├── redirect.json ├── s3-buckets.json ├── sec.json ├── servers.json ├── sqli.json ├── ssrf.json ├── ssti.json ├── strings.json ├── takeovers.json ├── upload-fields.json └── urls.json ├── .z ├── .zshrc ├── README.md └── bin ├── add-path ├── lazy.sh ├── tmux-splash.sh └── wgetlist /.gf/README.md: -------------------------------------------------------------------------------- 1 | # Gf-Patterns V 1.9 2 | 3 | ## [GF](https://github.com/tomnomnom/gf) By [![Twitter](https://img.shields.io/badge/twitter-@TomNomNom-blue.svg)](https://twitter.com/TomNomNom) 4 | 5 | A wrapper around grep, to help you grep for things 6 | 7 | # Installation 8 | 9 | [Go Path Setup](https://github.com/golang/go/wiki/SettingGOPATH) 10 | 11 | If you've got Go installed and configured you can install `waybackurls` and `gf` with: 12 | 13 | ```bash 14 | 15 | ▶ go get -u github.com/tomnomnom/waybackurls 16 | ``` 17 | ```bash 18 | ▶ go get -u github.com/tomnomnom/gf 19 | ``` 20 | Since Go 1.18 `go get` no longer builds or installs binaries: use `go install github.com/tomnomnom/waybackurls@latest` and `go install github.com/tomnomnom/gf@latest` instead, and `git clone https://github.com/tomnomnom/gf` to obtain the completion script and example patterns referenced below (`go install` does not populate `$GOPATH/src`). 21 | If you've installed using `go get`, you can enable auto-completion in your `.bashrc` like this: 22 | 23 | ```bash 24 | ▶ echo 'source $GOPATH/src/github.com/tomnomnom/gf/gf-completion.bash' >> ~/.bashrc 25 | ``` 26 | 27 | Note that you'll have to restart your terminal, or run `source ~/.bashrc` for the changes to 28 | take effect. 
29 | 30 | To get started quickly, you can copy the example pattern files to `~/.gf` like this: 31 | ```bash 32 | ▶ mkdir -p ~/.gf 33 | ``` 34 | ```bash 35 | ▶ cp -r $GOPATH/src/github.com/tomnomnom/gf/examples ~/.gf 36 | ``` 37 | **MY Gf Patterns installation** 38 | ```bash 39 | ▶ git clone https://github.com/1ndianl33t/Gf-Patterns 40 | ``` 41 | 42 | Then move the cloned pattern files into `~/.gf` (creating it first if it does not exist yet): 43 | ```bash 44 | ▶ mkdir -p ~/.gf 45 | ``` 46 | ```bash 47 | ▶ mv ~/Gf-Patterns/*.json ~/.gf 48 | ``` 49 | **Use example** 50 | ```bash 51 | 52 | ▶ cat subdomains.txt | waybackurls | sort -u | tee -a waybackdata | gf ssrf | tee -a ssrfparams.txt 53 | 54 | ▶ cat waybackdata | gf redirect | tee -a redirect.txt 55 | ``` (Use `tee` rather than `>> waybackdata` in the middle of the first pipeline: a redirection there sends the URLs to the file and `gf` receives nothing on stdin.) 56 | ### Pattern Files 57 | 58 | The pattern definitions are stored in `~/.gf` as little JSON files that can be kept under version control. The listings below are abridged: the shipped files anchor every parameter name (`name=`, or the `(&|[?])name(&|=)` / `(&|[?])name=` forms used in `ssrf.json` and `redirect.json`) so that short words such as `to`, `id` or `out` do not match nearly every URL — keep that anchored form when adding patterns: 59 | 60 | **gf ssrf** 61 | 62 | ```bash 63 | ▶ cat ~/.gf/ssrf.json 64 | 65 | { 66 | "flags": "-iE", 67 | "patterns": [ 68 | 69 | "access", 70 | "admin", 71 | "dbg", 72 | "debug", 73 | "edit", 74 | "grant", 75 | "test", 76 | "alter", 77 | "clone", 78 | "create", 79 | "delete", 80 | "disable", 81 | "enable", 82 | "exec", 83 | "execute", 84 | "load", 85 | "make", 86 | "modify", 87 | "rename", 88 | "reset", 89 | "shell", 90 | "toggle", 91 | "adm", 92 | "root", 93 | "cfg", 94 | "dest", 95 | "redirect", 96 | "uri", 97 | "path", 98 | "continue", 99 | "url", 100 | "window", 101 | "next", 102 | "data", 103 | "reference", 104 | "site", 105 | "html", 106 | "val", 107 | "validate", 108 | "domain", 109 | "callback", 110 | "return", 111 | "page", 112 | "feed", 113 | "host", 114 | "port", 115 | "to", 116 | "out", 117 | "view", 118 | "dir", 119 | "show", 120 | "navigation", 121 | "open" 122 | 123 | ] 124 | } 125 | 126 | ``` 127 | 128 | **gf redirect** 129 | 130 | ```bash 131 | ▶ cat ~/.gf/redirect.json 132 | 133 | { 134 | "flags": "-iE", 135 | "patterns": [ 136 | "forward=", 137 | "dest=", 138 | "redirect=", 139 | 
"uri=", 140 | "path=", 141 | "continue=", 142 | "url=", 143 | "window=", 144 | "to=", 145 | "out=", 146 | "view=", 147 | "dir=", 148 | "show=", 149 | "navigation=", 150 | "Open=", 151 | "file=", 152 | "val=", 153 | "validate=", 154 | "domain=", 155 | "callback=", 156 | "return=", 157 | "page=", 158 | "feed=", 159 | "host=", 160 | "port=", 161 | "next=", 162 | "data=", 163 | "reference=", 164 | "site=", 165 | "html=" 166 | ] 167 | } 168 | 169 | ``` 170 | ***gf rce*** 171 | ```bash 172 | ▶ cat ~/.gf/rce.json 173 | { 174 | "flags": "-iE", 175 | "patterns": [ 176 | 177 | "daemon", 178 | "upload", 179 | "dir", 180 | "execute", 181 | "download", 182 | "log", 183 | "ip", 184 | "cli", 185 | "cmd" 186 | ] 187 | } 188 | ``` 189 | ***Gf idor*** 190 | 191 | ```bash 192 | ▶ cat ~/.gf/idor.json 193 | { 194 | "flags": "-iE", 195 | "patterns": [ 196 | 197 | "id", 198 | "user", 199 | "account", 200 | "number", 201 | "order", 202 | "no", 203 | "doc", 204 | "key", 205 | "email", 206 | "group", 207 | "profile", 208 | "edit", 209 | "report" 210 | 211 | ] 212 | } 213 | 214 | ``` 215 | 216 | 217 | 218 | 219 | 220 | 221 | ***Gf Sqli*** 222 | ```bash 223 | ▶ cat ~/.gf/sqli.json 224 | { 225 | "flags": "-iE", 226 | "patterns": [ 227 | 228 | "id", 229 | "select", 230 | "report", 231 | "role", 232 | "update", 233 | "query", 234 | "user", 235 | "name", 236 | "sort", 237 | "where", 238 | "search", 239 | "params", 240 | "process", 241 | "row", 242 | "view", 243 | "table", 244 | "from", 245 | "sel", 246 | "results", 247 | "sleep", 248 | "fetch", 249 | "order", 250 | "keyword", 251 | "column", 252 | "field", 253 | "delete", 254 | "string", 255 | "number", 256 | "filter" 257 | ] 258 | } 259 | ``` 260 | ***Gf LFI*** 261 | ```bash 262 | ▶ cat ~/.gf/lfi.json 263 | { 264 | "flags": "-iE", 265 | "patterns": [ 266 | 267 | "file", 268 | "document", 269 | "folder", 270 | "root", 271 | "path", 272 | "pg", 273 | "style", 274 | "pdf", 275 | "template", 276 | "php_path", 277 | "doc" 278 | ] 279 | } 280 | ``` 
281 | 282 | ***Gf ssti*** 283 | ```bash 284 | ▶ cat ~/.gf/ssti.json 285 | 286 | 287 | { 288 | "flags": "-iE", 289 | "patterns": [ 290 | 291 | "template", 292 | "preview", 293 | "id", 294 | "view", 295 | "activity", 296 | "name", 297 | "content", 298 | "redirect" 299 | ] 300 | } 301 | ``` 302 | 303 | ***Gf debug_logic*** 304 | ```bash 305 | ▶ cat ~/.gf/debug_logic.json 306 | { 307 | "flags": "-iE", 308 | "patterns": [ 309 | 310 | "access", 311 | "admin", 312 | "dbg", 313 | "debug", 314 | "edit", 315 | "grant", 316 | "test", 317 | "alter", 318 | "clone", 319 | "create", 320 | "delete", 321 | "disable", 322 | "enable", 323 | "exec", 324 | "execute", 325 | "load", 326 | "make", 327 | "modify", 328 | "rename", 329 | "reset", 330 | "shell", 331 | "toggle", 332 | "adm", 333 | "root", 334 | "cfg", 335 | "config" 336 | ] 337 | } 338 | ``` 339 | 340 | ### Donations 341 | You can encourage me to contribute more to open source with donations. 342 | 343 | - Paypal - [https://www.paypal.me/1ndianl33t](https://www.paypal.me/1ndianl33t) 344 | 345 | - GooglePay,Paytm - 346 | 347 | `8085778875` 348 | 349 | 350 | # Credit 351 | 352 | [![Twitter](https://img.shields.io/badge/twitter-@TomNomNom-blue.svg)](https://twitter.com/TomNomNom) 353 | [Bugcrowd HUNT](https://github.com/bugcrowd/HUNT) 354 | [![Twitter](https://img.shields.io/badge/twitter-@1ndianl33t-blue.svg)](https://twitter.com/1ndianl33t) 355 | 356 | # Contributors 357 | @victoni `added more redirect parameters` 358 | 359 | @s0meguy1 `redirect & ssrf pattern Added additional filters` 360 | 361 | # Contact 362 | [![Twitter](https://img.shields.io/badge/twitter-@1ndianl33t-blue.svg)](https://twitter.com/1ndianl33t) 363 | -------------------------------------------------------------------------------- /.gf/aws-keys.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HanrE", 3 | "pattern": "([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}" 4 | } 5 
| -------------------------------------------------------------------------------- /.gf/base64.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnroE", 3 | "pattern": "([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}" 4 | } 5 | 6 | 7 | -------------------------------------------------------------------------------- /.gf/cors.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnriE", 3 | "patterns": [ 4 | "Access-Control-Allow" 5 | ] 6 | } 7 | -------------------------------------------------------------------------------- /.gf/debug-pages.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnraiE", 3 | "pattern": "(Application-Trace|Routing Error|DEBUG\"? ?[=:] ?True|Caused by:|stack trace:|Microsoft .NET Framework|Traceback|[0-9]:in `|#!/us|WebApplicationException|java\\.lang\\.|phpinfo|swaggerUi|on line [0-9]|SQLSTATE)" 4 | 5 | } 6 | -------------------------------------------------------------------------------- /.gf/debug_logic.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | 5 | "access=", 6 | "admin=", 7 | "dbg=", 8 | "debug=", 9 | "edit=", 10 | "grant=", 11 | "test=", 12 | "alter=", 13 | "clone=", 14 | "create=", 15 | "delete=", 16 | "disable=", 17 | "enable=", 18 | "exec=", 19 | "execute=", 20 | "load=", 21 | "make=", 22 | "modify=", 23 | "rename=", 24 | "reset=", 25 | "shell=", 26 | "toggle=", 27 | "adm=", 28 | "root=", 29 | "cfg=", 30 | "config=" 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /.gf/firebase.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-Hnri", 3 | "pattern": "firebaseio.com" 4 | } 5 | 
-------------------------------------------------------------------------------- /.gf/fw.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnriE", 3 | "patterns": [ 4 | "django", 5 | "laravel", 6 | "symfony", 7 | "graphite", 8 | "grafana", 9 | "X-Drupal-Cache", 10 | "struts", 11 | "code ?igniter", 12 | "cake ?php", 13 | "grails", 14 | "elastic ?search", 15 | "kibana", 16 | "log ?stash", 17 | "tomcat", 18 | "jenkins", 19 | "hudson", 20 | "com.atlassian.jira", 21 | "Apache Subversion", 22 | "Chef Server", 23 | "RabbitMQ Management", 24 | "Mongo", 25 | "Travis CI - Enterprise", 26 | "BMC Remedy", 27 | "artifactory" 28 | ] 29 | } 30 | -------------------------------------------------------------------------------- /.gf/go-functions.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnriE", 3 | "pattern": "func [a-z0-9_]+\\(" 4 | } 5 | -------------------------------------------------------------------------------- /.gf/http-auth.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-hrioaE", 3 | "pattern": "[a-z0-9_/\\.:-]+@[a-z0-9-]+\\.[a-z0-9.-]+" 4 | } 5 | -------------------------------------------------------------------------------- /.gf/idor.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | 5 | "id=", 6 | "user=", 7 | "account=", 8 | "number=", 9 | "order=", 10 | "no=", 11 | "doc=", 12 | "key=", 13 | "email=", 14 | "group=", 15 | "profile=", 16 | "edit=", 17 | "report=" 18 | 19 | ] 20 | } 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /.gf/img-traversal.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | 5 | "=.*.jpg", 6 | "=.*.jpeg", 7 | "=.*.gif", 8 | "=.*.png" 9 
| ] 10 | } 11 | -------------------------------------------------------------------------------- /.gf/interestingsubs.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | "admin", 5 | "jenkins", 6 | "test", 7 | "proxy", 8 | "stage", 9 | "test", 10 | "dev", 11 | "devops", 12 | "staff", 13 | "db", 14 | "qa", 15 | "internal" 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /.gf/ip.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnroE", 3 | "pattern": "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])" 4 | } 5 | -------------------------------------------------------------------------------- /.gf/json-sec.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-harioE", 3 | "pattern": "(\\\\?\"|&quot;|%22)[a-z0-9_-]*(api[_-]?key|S3|aws_|secret|passw|auth)[a-z0-9_-]*(\\\\?\"|&quot;|%22): ?(\\\\?\"|&quot;|%22)[^\"&]+(\\\\?\"|&quot;|%22)" 4 | } 5 | -------------------------------------------------------------------------------- /.gf/lfi.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | 5 | "file=", 6 | "document=", 7 | "folder=", 8 | "root=", 9 | "path=", 10 | "pg=", 11 | "style=", 12 | "pdf=", 13 | "template=", 14 | "php_path=", 15 | "doc=", 16 | "page=", 17 | "name=" 18 | 19 | 20 | ] 21 | } 22 | -------------------------------------------------------------------------------- /.gf/meg-headers.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-hroiE", 3 | "pattern": "^\u003c [a-z0-9_\\-]+: .*" 4 | } 5 | -------------------------------------------------------------------------------- /.gf/php-curl.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnrE", 3 | "pattern": "CURLOPT_(HTTPHEADER|HEADER|COOKIE|RANGE|REFERER|USERAGENT|PROXYHEADER)" 4 | } 5 | -------------------------------------------------------------------------------- /.gf/php-errors.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnriE", 3 | "patterns": [ 4 | "php warning", 5 | "php error", 6 | "fatal error", 7 | "uncaught exception", 8 | "include_path", 9 | "undefined index", 10 | "undefined variable", 11 | "\\?php", 12 | "<\\?[^x]", 13 | "stack trace\\:", 14 | "expects parameter [0-9]*", 15 | "Debug Trace" 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /.gf/php-serialized.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnrE", 3 | "patterns": [ 4 | "a:[0-9]+:{", 5 | "O:[0-9]+:\"", 6 | "s:[0-9]+:\"" 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /.gf/php-sinks.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnriE", 3 | "pattern": "[^a-z0-9_](system|exec|popen|pcntl_exec|eval|create_function|unserialize|file_exists|md5_file|filemtime|filesize|assert) ?\\(" 4 | } 5 | -------------------------------------------------------------------------------- /.gf/php-sources.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnrE", 3 | "patterns": [ 4 | "\\$_(POST|GET|COOKIE|REQUEST|SERVER|FILES)", 5 | "php://(input|stdin)" 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /.gf/rce.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | 5 | "daemon=", 6 | "upload=", 7 | "dir=", 8 | "execute=", 9 | 
"download=", 10 | "log=", 11 | "ip=", 12 | "cli=", 13 | "cmd=" 14 | ] 15 | } 16 | -------------------------------------------------------------------------------- /.gf/redirect.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | "(&|[?])callback=", 5 | "(&|[?])cgi-bin/redirect.cgi", 6 | "(&|[?])checkout=", 7 | "(&|[?])checkout_url=", 8 | "(&|[?])continue=", 9 | "(&|[?])data=", 10 | "(&|[?])dest=", 11 | "(&|[?])destination=", 12 | "(&|[?])dir=", 13 | "(&|[?])domain=", 14 | "(&|[?])feed=", 15 | "(&|[?])file=", 16 | "(&|[?])file_name=", 17 | "(&|[?])file_url=", 18 | "(&|[?])folder=", 19 | "(&|[?])folder_url=", 20 | "(&|[?])forward=", 21 | "(&|[?])from_url=", 22 | "(&|[?])go=", 23 | "(&|[?])goto=", 24 | "(&|[?])host=", 25 | "(&|[?])html=", 26 | "(&|[?])image_url=", 27 | "(&|[?])img_url=", 28 | "(&|[?])load_file=", 29 | "(&|[?])load_url=", 30 | "(&|[?])login_url=", 31 | "(&|[?])logout=", 32 | "(&|[?])navigation=", 33 | "(&|[?])next=", 34 | "(&|[?])next_page=", 35 | "(&|[?])Open=", 36 | "(&|[?])out=", 37 | "(&|[?])page_url=", 38 | "(&|[?])path=", 39 | "(&|[?])port=", 40 | "(&|[?])redir=", 41 | "(&|[?])redirect=", 42 | "(&|[?])redirect_to=", 43 | "(&|[?])redirect_uri=", 44 | "(&|[?])redirect_url=", 45 | "(&|[?])reference=", 46 | "(&|[?])return=", 47 | "(&|[?])return_path=", 48 | "(&|[?])return_to=", 49 | "(&|[?])returnTo=", 50 | "(&|[?])return_url=", 51 | "(&|[?])rt=", 52 | "(&|[?])rurl=", 53 | "(&|[?])show=", 54 | "(&|[?])site=", 55 | "(&|[?])target=", 56 | "(&|[?])to=", 57 | "(&|[?])uri=", 58 | "(&|[?])url=", 59 | "(&|[?])val=", 60 | "(&|[?])validate=", 61 | "(&|[?])view=", 62 | "(&|[?])window=" 63 | ] 64 | } 65 | -------------------------------------------------------------------------------- /.gf/s3-buckets.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-hrioaE", 3 | "patterns": [ 4 | "[a-z0-9.-]+\\.s3\\.amazonaws\\.com", 5 | 
"[a-z0-9.-]+\\.s3-[a-z0-9-]\\.amazonaws\\.com", 6 | "[a-z0-9.-]+\\.s3-website[.-](eu|ap|us|ca|sa|cn)", 7 | "//s3\\.amazonaws\\.com/[a-z0-9._-]+", 8 | "//s3-[a-z0-9-]+\\.amazonaws\\.com/[a-z0-9._-]+" 9 | ] 10 | } 11 | -------------------------------------------------------------------------------- /.gf/sec.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HanriE", 3 | "pattern": "(aws_access|aws_secret|api[_-]?key|ListBucketResult|S3_ACCESS_KEY|Authorization:|RSA PRIVATE|Index of|aws_|secret|ssh-rsa AA)" 4 | } 5 | -------------------------------------------------------------------------------- /.gf/servers.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-hri", 3 | "pattern": "server: " 4 | } 5 | -------------------------------------------------------------------------------- /.gf/sqli.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | 5 | "id=", 6 | "select=", 7 | "report=", 8 | "role=", 9 | "update=", 10 | "query=", 11 | "user=", 12 | "name=", 13 | "sort=", 14 | "where=", 15 | "search=", 16 | "params=", 17 | "process=", 18 | "row=", 19 | "view=", 20 | "table=", 21 | "from=", 22 | "sel=", 23 | "results=", 24 | "sleep=", 25 | "fetch=", 26 | "order=", 27 | "keyword=", 28 | "column=", 29 | "field=", 30 | "delete=", 31 | "string=", 32 | "number=", 33 | "filter=" 34 | ] 35 | } 36 | -------------------------------------------------------------------------------- /.gf/ssrf.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-iE", 3 | "patterns": [ 4 | 5 | "(&|[?])access(&|=)", 6 | "(&|[?])admin(&|=)", 7 | "(&|[?])dbg(&|=)", 8 | "(&|[?])debug(&|=)", 9 | "(&|[?])edit(&|=)", 10 | "(&|[?])grant(&|=)", 11 | "(&|[?])test(&|=)", 12 | "(&|[?])alter(&|=)", 13 | "(&|[?])clone(&|=)", 14 | "(&|[?])create(&|=)", 15 | 
"(&|[?])delete(&|=)", 16 | "(&|[?])disable(&|=)", 17 | "(&|[?])enable(&|=)", 18 | "(&|[?])exec(&|=)", 19 | "(&|[?])execute(&|=)", 20 | "(&|[?])load(&|=)", 21 | "(&|[?])make(&|=)", 22 | "(&|[?])modify(&|=)", 23 | "(&|[?])rename(&|=)", 24 | "(&|[?])reset(&|=)", 25 | "(&|[?])shell(&|=)", 26 | "(&|[?])toggle(&|=)", 27 | "(&|[?])adm(&|=)", 28 | "(&|[?])root(&|=)", 29 | "(&|[?])cfg(&|=)", 30 | "(&|[?])dest(&|=)", 31 | "(&|[?])redirect(&|=)", 32 | "(&|[?])uri(&|=)", 33 | "(&|[?])path(&|=)", 34 | "(&|[?])continue(&|=)", 35 | "(&|[?])url(&|=)", 36 | "(&|[?])window(&|=)", 37 | "(&|[?])next(&|=)", 38 | "(&|[?])data(&|=)", 39 | "(&|[?])reference(&|=)", 40 | "(&|[?])site(&|=)", 41 | "(&|[?])html(&|=)", 42 | "(&|[?])val(&|=)", 43 | "(&|[?])validate(&|=)", 44 | "(&|[?])domain(&|=)", 45 | "(&|[?])callback(&|=)", 46 | "(&|[?])return(&|=)", 47 | "(&|[?])feed(&|=)", 48 | "(&|[?])host(&|=)", 49 | "(&|[?])port(&|=)", 50 | "(&|[?])to(&|=)", 51 | "(&|[?])out(&|=)", 52 | "(&|[?])view(&|=)", 53 | "(&|[?])dir(&|=)", 54 | "(&|[?])show(&|=)", 55 | "(&|[?])navigation(&|=)", 56 | "(&|[?])open(&|=)", 57 | "(&|[?])file(&|=)", 58 | "(&|[?])document(&|=)", 59 | "(&|[?])folder(&|=)", 60 | "(&|[?])pg(&|=)", 61 | "(&|[?])php_path(&|=)", 62 | "(&|[?])style(&|=)", 63 | "(&|[?])doc(&|=)", 64 | "(&|[?])img(&|=)", 65 | "(&|[?])filename(&|=)" 66 | ] 67 | } 68 | 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /.gf/ssti.json: -------------------------------------------------------------------------------- 1 | 2 | { 3 | "flags": "-iE", 4 | "patterns": [ 5 | 6 | "template=", 7 | "preview=", 8 | "id=", 9 | "view=", 10 | "activity=", 11 | "name=", 12 | "content=", 13 | "redirect=" 14 | ] 15 | } 16 | -------------------------------------------------------------------------------- /.gf/strings.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-hroiaE", 3 | "patterns": [ 4 | "\"[^\"]+\"", 5 | 
"'[^']+'" 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /.gf/takeovers.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnriE", 3 | "patterns": [ 4 | "There is no app configured at that hostname", 5 | "NoSuchBucket", 6 | "No Such Account", 7 | "You're Almost There", 8 | "a GitHub Pages site here", 9 | "There's nothing here", 10 | "project not found", 11 | "Your CNAME settings", 12 | "InvalidBucketName", 13 | "PermanentRedirect", 14 | "The specified bucket does not exist", 15 | "Repository not found", 16 | "Sorry, We Couldn't Find That Page", 17 | "The feed has not been found.", 18 | "The thing you were looking for is no longer here, or never was", 19 | "Please renew your subscription", 20 | "There isn't a Github Pages site here.", 21 | "We could not find what you're looking for.", 22 | "No settings were found for this company:", 23 | "No such app", 24 | "is not a registered InCloud YouTrack", 25 | "Unrecognized domain", 26 | "project not found", 27 | "This UserVoice subdomain is currently available!", 28 | "Do you want to register", 29 | "Help Center Closed" 30 | ] 31 | } 32 | 33 | -------------------------------------------------------------------------------- /.gf/upload-fields.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-HnriE", 3 | "pattern": "\u003cinput[^\u003e]+type=[\"']?file[\"']?" 
4 | } 5 | -------------------------------------------------------------------------------- /.gf/urls.json: -------------------------------------------------------------------------------- 1 | { 2 | "flags": "-oriahE", 3 | "pattern": "https?://[^\"\\'> ]+" 4 | } 5 | -------------------------------------------------------------------------------- /.z: -------------------------------------------------------------------------------- 1 | /home/op/recon|12|1591811752 2 | /home/op/work/authy.com/scans|11|1591831669 3 | /home/op/work/navisec.io/flags|19|1591821904 4 | /home/op/work/navisec.io/http/aquatone/screenshots|2|1591821533 5 | /home|1|1590937195 6 | /home/op/lists/seclists/.git|3|1590939529 7 | /home/op/work/authy.com/scans/ip|2|1591831667 8 | /home/op/work/navisec.xyz/dns|4|1591835009 9 | /home/op/work/navisec.io|171|1591821924 10 | /home/op/go|4|1590947885 11 | /home/op/c2|4|1590939978 12 | /home/op/work|28|1591831396 13 | /home/op/work/navisec.io/dns|31|1591821926 14 | /home/op/work/navisec.io/scans/ip|22|1591816711 15 | /home/op/lists/seclists|28|1590947872 16 | /home/op/lists/seclists/Discovery|4|1590939959 17 | /home/op/recon/emailgen|34|1591811750 18 | /home/op/work/authy.com/logs|4|1591831432 19 | /home/op/go/src|2|1591818563 20 | /home/op/lists|13|1590957838 21 | /home/op/work/navisec.io/http/js|4|1591820397 22 | /home/op/go/src/github.com|2|1591818565 23 | /home/op/work/navisec.io/scans/domains|86|1591816849 24 | /home/op/recon/amass|2|1590939969 25 | /home/op/work/authy.com/dns|19|1591831660 26 | /home/op/bin|33|1591834906 27 | /home/op/work/navisec.io/http/aquatone|5|1591821628 28 | /home/op/work/authy.com/flags|6|1591831473 29 | /home/op/work/navisec.io/http|24|1591821789 30 | /home/op/work/authy.com|21|1591831661 31 | /home/op/work/navisec.xyz|2|1591834996 32 | /home/op/work/authy.com/scans/domains|66|1591831825 33 | /home/op/go/src/github.com/tomnomnom/gf/examples|4|1591818576 34 | /home/op/.gf|2|1591818422 35 | 
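/home/op/work/navisec.io/scans|32|1591816717
--------------------------------------------------------------------------------
/.zshrc:
--------------------------------------------------------------------------------
export TERM="xterm-256color"
export ZSH=/home/op/.oh-my-zsh

ZSH_THEME="gallifrey"
plugins=(dircycle github z autojump rails archlinux zsh-navigation-tools docker vagrant cp ruby)

source $ZSH/oh-my-zsh.sh
source $HOME/bin/tmux-splash.sh
source ~/.profile

# bin2sc FILE
# Print the bytes of FILE as one "\xNN\xNN..." string (no separators, no
# trailing newline) for pasting into a shellcode stub. The path is quoted so
# file names containing spaces work.
function bin2sc {
    # convert .bin to shellcode
    hexdump -v -e '"\\""x" 1/1 "%02x" ""' "${1}"
}

# dockershell IMAGE [docker-run-args...]
# Throw-away interactive bash inside IMAGE; the container is removed on exit.
function dockershell() {
    docker run --rm -i -t --entrypoint=/bin/bash "$@"
}

# dockershellsh IMAGE [docker-run-args...]
# Same as dockershell, for images that only ship /bin/sh.
function dockershellsh() {
    docker run --rm -i -t --entrypoint=/bin/sh "$@"
}

# dockershellhere IMAGE [docker-run-args...]
# Interactive bash inside IMAGE with the current directory bind-mounted
# (read/write) at /<basename-of-cwd>, which is also the container's workdir.
function dockershellhere() {
    local dirname=${PWD##*/}
    docker run --rm -it --entrypoint=/bin/bash -v "${PWD}:/${dirname}" -w "/${dirname}" "$@"
}

# dockershellshhere IMAGE [docker-run-args...]
# /bin/sh variant of dockershellhere. It now computes its own mount name: the
# previous version read the global `dirname` leaked by an earlier
# dockershellhere call, so in a fresh shell ${dirname} was empty and the mount
# target collapsed to "/".
function dockershellshhere() {
    local dirname=${PWD##*/}
    docker run --rm -it --entrypoint=/bin/sh -v "${PWD}:/${dirname}" -w "/${dirname}" "$@"
}

# dockerwindowshellhere IMAGE [docker-run-args...]
# Windows-container variant: runs through the `2019-box` docker context
# (presumably a Windows Server 2019 host) with the cwd mounted at C:\source.
# The unused `dirname` assignment of the old version was dropped.
function dockerwindowshellhere() {
    docker -c 2019-box run --rm -it -v "C:${PWD}:C:/source" -w "C:/source" "$@"
}

# impacket COMMAND [args...]
# Runs the given command inside the rflathers/impacket image.
function impacket() {
    docker run --rm -it rflathers/impacket "$@"
}

# smbservehere [SHARENAME]
# Serves the current directory as SMB share SHARENAME (default "SHARE") via
# impacket's smbserver.py. NOTE(security): this publishes on 0.0.0.0:445 and
# smbserver.py is started without any credential options, so every host that
# can reach the box can read the directory. On a multi-homed box prefer
# `-p <engagement-ip>:445:445`, and stop it as soon as the transfer is done.
function smbservehere() {
    local sharename=${1:-SHARE}
    docker run --rm -it -p 445:445 -v "${PWD}:/tmp/serve" rflathers/impacket smbserver.py -smb2support "$sharename" /tmp/serve
}

# nginxhere
# Serves the current directory over HTTP/HTTPS (ports 80 and 443 on all
# interfaces) from rflathers/nginxserve — everything in the cwd becomes
# readable to whoever can reach the box while it runs.
function nginxhere() {
    docker run --rm -it -p 80:80 -p 443:443 -v "${PWD}:/srv/data" rflathers/nginxserve
}

# webdavhere
# Exposes the current directory as a WebDAV share on port 80 (all interfaces).
# The bind mount is read/write, so if the image accepts PUT/MKCOL the uploads
# land in the cwd — check before serving a sensitive directory.
function webdavhere() {
    docker run --rm -it -p 80:80 -v "${PWD}:/srv/data/share" rflathers/webdav
}

# metasploit [msfconsole-args...]
# msfconsole from the official image. --network=host lets handlers bind the
# box's own ports without -p mappings, at the cost of giving the container the
# host's full network namespace.
function metasploit() {
    docker run --rm -it --network=host metasploitframework/metasploit-framework ./msfconsole "$@"
}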
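# msfvenomhere [msfvenom-args...]
# msfvenom from the official image. ~/.msf4 is shared so local modules and
# config persist between runs; the cwd is mounted at /data, so writing the
# payload there (e.g. -o /data/x.bin) puts it on the host.
function msfvenomhere() {
    docker run --rm -it -v "${HOME}/.msf4:/home/msf/.msf4" -v "${PWD}:/data" metasploitframework/metasploit-framework ./msfvenom "$@"
}

# reqdump
# Listener on port 80 (all interfaces) forwarded to the image's port 3000 —
# presumably dumps incoming HTTP requests (useful for catching callbacks).
# Captured requests may contain tokens or credentials, so do not leave it
# running unattended; use `-p 127.0.0.1:80:3000` for purely local tests.
function reqdump() {
    docker run --rm -it -p 80:3000 rflathers/reqdump
}

# postfiledumphere
# Listener on port 80 (all interfaces) with the cwd mounted read/write at
# /data — presumably stores POSTed files there, so treat the cwd as a public
# drop-box while it runs.
function postfiledumphere() {
    docker run --rm -it -p 80:3000 -v "${PWD}:/data" rflathers/postfiledump
}

export EDITOR='vim'
export GOPATH=/home/op/go
# HOME is hard-pinned to the axiom `op` user; this rc file is not meant to be
# sourced by any other account.
export HOME=/home/op
export PATH="$PATH:$HOME/.rvm/bin:/home/op/go/bin:/home/op/bin" # Add RVM to PATH for scripting

# Shortcuts to the SecLists wordlists used for content discovery.
export BIG="/home/op/lists/seclists/Discovery/Web-Content/big.txt"
export WEB="/home/op/lists/seclists/Discovery/Web-Content/"
export DIRS_LARGE="/home/op/lists/seclists/Discovery/Web-Content/raft-large-directories.txt"
export DIRS_SMALL="/home/op/lists/seclists/Discovery/Web-Content/raft-small-directories.txt"
export FILES_LARGE="/home/op/lists/seclists/Discovery/Web-Content/raft-large-files.txt"
export FILES_SMALL="/home/op/lists/seclists/Discovery/Web-Content/raft-small-files.txt"

alias ls=" ls --color -sh"
# wclone URL: mirror a page with its cross-host assets, rewriting links locally.
alias wclone="wget -H -p -k"
alias vim="nvim"


# added by pipsi (https://github.com/mitsuhiko/pipsi)
# (the block was present twice; the duplicate PATH prepend was removed)
export PATH="/home/op/.local/bin:$PATH"
source /home/op/.oh-my-zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh

export PATH="$PATH:/home/op/.axiom/interact"
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Axiom box: `pry0cc/lazy`
Welcome to the second publicly available axiom box on github!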
3 | 4 | ## Description 5 | This box is a fork of https://github.com/victoni/Bug-Bounty-Scripts/ — Vict0ni's bug-bounty enumeration scripts together with some of the tooling he uses; it seemed a perfect example of what an axiom box is for. 6 | 7 | ## What's in the box 8 | - lazy.sh - enumeration script (subdomain discovery, takeover check, masscan/nmap port scan, crawling; writes everything under `~/work/<target>/`; masscan is run via `sudo`, so the box user needs sudo rights) 9 | - wgetlist - wget for while read loop utility - add-path - reads hosts from stdin and prints candidate sensitive paths for each (`.env`, `.well-known/security.txt`, `.git/config`, `package.json`, `Gruntfile`) - tmux-splash.sh - sourced from `.zshrc` at login - `.gf/` - grep patterns for `gf` (Gf-Patterns) 10 | - custom ZSH theme 11 | - Some extra useful zsh aliases and docker helper functions (`dockershellhere`, `smbservehere`, `nginxhere`, `webdavhere`, `reqdump`, ...). Note that the `*here` helpers publish the current directory on all interfaces of the box, and that the shipped `.z` jump-list still contains `~/work/<target>` paths from the author's own runs — clear `~/.z` after restoring if the box will be shared. 12 | 13 | # Installation 14 | ``` 15 | axiom-boxes get pry0cc/lazy 16 | ``` 17 | 18 | # Usage 19 | ``` 20 | axiom-init --restore=pry0cc/lazy 21 | ``` 22 | 23 | ``` 24 | axiom-select my-server 25 | axiom-restore pry0cc/lazy 26 | ``` 27 | 28 | Enjoy! 29 | -------------------------------------------------------------------------------- /bin/add-path: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | while read line 4 | do 5 | echo "$line/.env" 6 | echo "$line/.well-known/security.txt" 7 | echo "$line/.git/config" 8 | echo "$line/package.json" 9 | echo "$line/Gruntfile" 10 | done < "${1:-/dev/stdin}" -------------------------------------------------------------------------------- /bin/lazy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | mkdir -p "$HOME/work/$1/logs" 4 | LOG="$HOME/work/$1/logs/log.txt" 5 | # Reset 6 | export NC='\033[0m' # Text Reset 7 | 8 | # Regular Colors 9 | export Black='\033[0;30m' # Black 10 | export Red='\033[0;31m' # Red 11 | export Green='\033[0;32m' # Green 12 | export Yellow='\033[0;33m' # Yellow 13 | export Blue='\033[0;34m' # Blue 14 | export Purple='\033[0;35m' # Purple 15 | export Cyan='\033[0;36m' # Cyan 16 | export White='\033[0;37m' # White 17 | 18 | # Bold 19 | export BBlack='\033[1;30m' # Black 20 | export BRed='\033[1;31m' # Red 21 | export BGreen='\033[1;32m' # Green 22 | export BYellow='\033[1;33m' # Yellow 23 | export BBlue='\033[1;34m' # Blue 24 | export BPurple='\033[1;35m' # Purple 25 | export 
BCyan='\033[1;36m' # Cyan 26 | export BWhite='\033[1;37m' # White 27 | 28 | 29 | echo_info_n() { 30 | msg="$1" 31 | echo "$(date "+%Y-%m-%d %H:%M:%S") INFO: $msg" >> $LOG 32 | echo -n -e "${Blue}[+] $msg${NC}" 33 | } 34 | 35 | echo_info() { 36 | msg="$1" 37 | echo "$(date "+%Y-%m-%d %H:%M:%S") INFO: $msg" >> $LOG 38 | echo -e "${Blue}[+] $msg${NC}" 39 | } 40 | 41 | echo_success() { 42 | msg="$1" 43 | echo "$(date "+%Y-%m-%d %H:%M:%S") SUCCESS: $msg" >> $LOG 44 | echo -e "${BGreen}[*] $msg${NC}" 45 | } 46 | 47 | echo_error() { 48 | msg="$1" 49 | echo "$(date "+%Y-%m-%d %H:%M:%S") ERROR: $msg" >> $LOG 50 | echo -e "${Red}[-] $msg${NC}" 51 | } 52 | 53 | ok() { 54 | if [ $? -eq 0 ]; then 55 | echo -e "[ ${Green}OK${NC} ]" 56 | else 57 | echo -e "[ ${Red}FAIL${NC} ]" 58 | fi 59 | 60 | } 61 | 62 | set_progress() { 63 | progress="$1" 64 | echo $progress > /tmp/progress 65 | } 66 | 67 | set_progress 0 68 | 69 | echo_success "Launching enumeration against $1" 70 | echo_info_n "Creating folder structure... " 71 | TARGET="$1" 72 | HOME_DIR="$HOME/work/$TARGET" 73 | 74 | mkdir -p $HOME_DIR 75 | mkdir -p $HOME_DIR/dns 76 | mkdir -p $HOME_DIR/http 77 | mkdir -p $HOME_DIR/http/js 78 | mkdir -p $HOME_DIR/flags 79 | mkdir -p $HOME_DIR/scans/domains 80 | mkdir -p $HOME_DIR/scans/ip 81 | mkdir -p $HOME_DIR/http/aquatone 82 | 83 | flags="$HOME_DIR/flags" 84 | domains="$HOME_DIR/dns/domains" 85 | takeover="$HOME_DIR/dns/takeover" 86 | responsive="$HOME_DIR/dns/responsive" 87 | all_urls="$HOME_DIR/http/all_urls" 88 | interestingsubs="$HOME_DIR/flags/interestingsubs" 89 | ip_uniq="$HOME_DIR/dns/ip_uniq" 90 | resolved="$HOME_DIR/dns/resolved" 91 | javascript_files="$HOME_DIR/http/javascript_files" 92 | js="$HOME_DIR/http/js" 93 | aquatone="$HOME_DIR/http/aquatone" 94 | 95 | cd $HOME_DIR 96 | ok 97 | 98 | set_progress 5 99 | #finding subdomains 100 | 101 | echo_info_n "Running DNS enumeration... 
" 102 | subfinder -silent -d $1 | tee -a $domains &>> $LOG 103 | assetfinder -subs-only $1 | tee -a $domains &>> $LOG 104 | curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a $domains &>> $LOG 105 | # This needs serious work - I'm sorry vict0ni :) 106 | #cat ~/lists/jhaddix-all.txt | subgen -d "$1" | zdns A | jq '.[].answers?[]?' | jq -r 'select(.type == "A") | .name' | tee -a domains 107 | ok 108 | 109 | set_progress 10 110 | #sorting/uniq 111 | echo_info_n "Sorting domain files... " 112 | sort -u $domains > $HOME_DIR/dns/dom2;rm $domains;mv $HOME_DIR/dns/dom2 $domains 113 | ok 114 | 115 | echo_success "Found $(wc -l $domains | awk '{ print $1 }') unique domains!" 116 | 117 | #account takeover scanning 118 | echo_info_n "Scanning for domain takeovers... " 119 | subjack -w $domains -t 100 -timeout 30 -ssl -c $GOPATH/src/github.com/haccer/subjack/fingerprints.json -v | tee -a $takeover &>> $LOG 120 | ok 121 | 122 | set_progress 15 123 | #httprobing 124 | echo_info_n "Probing for interactive hosts... " 125 | cat $domains | httprobe | sort -u | tee -a $responsive &>> $LOG 126 | gf interestingsubs $responsive > $interestingsubs 127 | ok 128 | 129 | echo_success "Found $(wc -l $responsive| awk '{ print $1 }') responsive hosts!" 130 | 131 | set_progress 20 132 | #resolving 133 | echo_info_n "Resolving domains... " 134 | cat $domains | dnsprobe -silent | tee -a $resolved &>> $LOG 135 | cat $resolved | sed 's/ /,/g' | tee -a $resolved.formatted &>> $LOG 136 | cat $resolved | awk '{ print $2 }' | sort -u > $ip_uniq 137 | ok 138 | 139 | set_progress 30 140 | echo_success "Launching full IP scan" 141 | 142 | for ip in $(cat $ip_uniq) 143 | do 144 | masscan_outfile="$HOME_DIR/scans/ip/$ip.masscan" 145 | nmap_outfile="$HOME_DIR/scans/ip/$ip.nmap.xml" 146 | 147 | if [ ! -f "$nmap_outfile" ] 148 | then 149 | echo_info_n "Running full vulnerability scan against $ip...(Can take some time)... 
" 150 | sudo masscan -p0-65535 --banners --rate=10000 "$ip" -oG "$masscan_outfile" &>> $LOG 151 | ports=$(cat "$masscan_outfile" | grep -v "#" | sed 's/\// /g' | awk '{ print $5 }' | sort -u | tr '\n' ',' | rev | cut -c 2- | rev) 152 | if [ "$(echo $ports | wc -c )" -gt 1 ] 153 | then 154 | echo "Ports [$ports]" >> $LOG 155 | nmap -Pn -T5 -sV -p$ports --script=vulners -oX "$nmap_outfile" "$ip" &>> $LOG 156 | else 157 | echo "No Ports, doing classic nmap... " >> $LOG 158 | nmap -Pn -T5 -sV --script=vulners -oX "$nmap_outfile" "$ip" &>> $LOG 159 | fi 160 | ok 161 | fi 162 | done 163 | 164 | set_progress 50 165 | ok 166 | echo_info_n "Converting scans and parsing to json... " 167 | 168 | for line in $(cat $resolved.formatted) 169 | do 170 | domain=$(echo $line | cut -d "," -f 1) 171 | ip=$(echo $line | cut -d "," -f 2) 172 | 173 | nmap_outfile="$HOME_DIR/scans/ip/$ip.nmap.xml" 174 | domain_outfile="$HOME_DIR/scans/domains/$domain.json" 175 | 176 | if [[ -f "$nmap_outfile" && ! -f "$domain_outfile" ]] 177 | then 178 | nmap2json convert "$nmap_outfile" > $domain_outfile 179 | cat $domain_outfile | jq -C '.[].host.ports[] | .[] | .service.port=.portid | .service.script=.script | .service' > $domain_outfile.detailed 180 | fi 181 | done 182 | 183 | ok 184 | 185 | set_progress 60 186 | 187 | #endpoint discovery 188 | echo_info_n "Crawling detected URLs... " 189 | cat $responsive | gau | tee -a $all_urls &>> $LOG 190 | cat $responsive | hakrawler --depth 3 --plain | tee -a $all_urls &>> $LOG 191 | ok 192 | 193 | set_progress 65 194 | #extracting all responsive js files 195 | echo_info "Scanning javascript files for secrets... " 196 | grep "\.js$" $all_urls | anti-burl | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u | tee -a $javascript_files 197 | ok 198 | 199 | set_progress 70 200 | #analyzing js files for secrets 201 | echo_info "Scanning javascript files for secrets... 
" 202 | wget -nc -i $javascript_files -P "$js" &>> $LOG 203 | cat $js/* >> $js/gf-all 204 | gf sec $js/gf-all > $flags/secrets 205 | ok 206 | 207 | set_progress 80 208 | echo_info "Running aquatone against all endpoints... " 209 | if [ ! -f "$aquatone/aquatone_report.html" ] 210 | then 211 | cat $domains | aquatone -out $aquatone -ports 80,443,7443,8080,8000,8443,8081 -scan-timeout 20000 212 | fi 213 | ok 214 | 215 | set_progress 90 216 | #grabing endpoints that include juicy parameters 217 | gf redirect $all_urls | anti-burl > $flags/redirects 218 | gf idor $all_urls | anti-burl > $flags/idor 219 | gf rce $all_urls | anti-burl > $flags/rce 220 | gf lfi $all_urls | anti-burl > $flags/lfi 221 | gf xss $all_urls | anti-burl > $flags/xss 222 | gf ssrf $all_urls | anti-burl > $flags/ssrf 223 | 224 | 225 | set_progress 100 226 | -------------------------------------------------------------------------------- /bin/tmux-splash.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ "$(tty)" == "/dev/pts/1" && "$(echo $TMUX | wc -c)" -gt "1" ]] 4 | then 5 | ip=$(ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -n 1) 6 | echo "" 7 | echo "$(hostname)" | figlet -f Bloody 8 | echo "" 9 | echo -e "Public IP: \033[0;34m$ip\033[0m" 10 | echo -e "Instance: \033[0;34m$(hostname)\033[0m" 11 | echo "" 12 | fi 13 | -------------------------------------------------------------------------------- /bin/wgetlist: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | while read LINE; do wget $LINE; done < $1 --------------------------------------------------------------------------------