Last active December 2, 2023 01:31
one hit script
```bash
#!/bin/bash
# Install tools
echo "[*] Installing tools..."
# Install Subfinder
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Install Assetfinder (the module lives under tomnomnom, not projectdiscovery)
go install -v github.com/tomnomnom/assetfinder@latest
# Install Amass (v3; go install needs a version suffix when run outside a module)
go install -v github.com/OWASP/Amass/v3/...@master
# Install httprobe
go install -v github.com/tomnomnom/httprobe@latest
# Install waybackurls (used in the pipeline below but missing from the original install list)
go install -v github.com/tomnomnom/waybackurls@latest
# Install gau
go install -v github.com/lc/gau@latest
# Install httpx
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
# Install nuclei
GO111MODULE=on go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
# Install gf
go install -v github.com/tomnomnom/gf@latest
# Install ffuf
go install -v github.com/ffuf/ffuf@latest
# Install aquatone
go install -v github.com/michenriksen/aquatone@latest
echo "[*] Done!"
# Ask for domain
read -p "[*] Enter target domain: " domain
# Run pipeline: the original one-liner, split at its ';' into two statements and
# wrapped at '|' and '&&' (bash continues a line that ends in either). "$domain" is
# quoted so the value is passed as a single argument. The awk '{print $3}' step
# assumes the URL is the third whitespace-separated field of nuclei's text output.
subfinder -d "$domain" | httpx -silent |
  nuclei -t /path/to/nuclei-templates/ -o nuclei.json |
  gau -subs -o urls.txt &&
  cat urls.txt | httprobe | waybackurls | gf xss | tee vulns.txt
subfinder -d "$domain" | tee subdomains.txt |
  assetfinder -subs-only "$domain" | tee -a subdomains.txt |
  amass enum -passive -d "$domain" -o subdomains.txt &&
  cat subdomains.txt | httprobe | tee alive.txt |
  nuclei -l alive.txt -t cves/ -t vulnerabilities/ -t exposed-panels/ -o results.json |
  awk '{print $3}' | httpx -silent | tee final.txt &&
  gau "$domain" |
  nuclei -l final.txt -t default-logins/ -t files/ -t git/ -t panels/ -t subdomain-takeover/ \
    -t technologies/ -t vulnerabilities/ -t workflows/ -t exposures/ -t exposures/headers/ \
    -o results.json &&
  cat alive.txt | aquatone -out output_folder &&
  cat final.txt | gf xss | tee xss.txt &&
  ffuf -w final.txt -u FUZZ -t 50 -recursion -recursion-depth 3 -mc all -ac -fc 404,403 -o ffuf_output.html
```
subfinder -d domain.com: Uses Subfinder to enumerate subdomains for domain.com.
httpx -silent: Filters the subdomains by checking if they are alive using HTTP/HTTPS.
nuclei -t /path/to/nuclei-templates/ -o nuclei.json: Scans the alive subdomains using Nuclei with a specified template directory and outputs the results to a JSON file.
gau -subs -o urls.txt: Extracts URLs from the subdomains using GAU and outputs them to a text file.
cat urls.txt | httprobe: Filters the URLs by checking if they are alive using HTTP/HTTPS.
waybackurls: Retrieves historical URLs for each host from the Wayback Machine.
gf xss: Filters the retrieved URLs with gf's xss pattern, keeping those whose parameters are commonly associated with XSS; this is a grep over URLs, not a test for the vulnerability.
tee vulns.txt: Writes those candidate URLs to a text file.
subfinder -d target.com: Uses Subfinder to enumerate subdomains for target.com.
tee subdomains.txt: Outputs the results to a text file.
assetfinder -subs-only target.com: Enumerates subdomains for target.com using Assetfinder.
tee -a subdomains.txt: Appends the Assetfinder results to the Subfinder results.
amass enum -passive -d target.com -o subdomains.txt: Enumerates subdomains for target.com using Amass and outputs the results to the same text file.
cat subdomains.txt | httprobe: Filters the subdomains by checking if they are alive using HTTP/HTTPS.
tee alive.txt: Outputs the alive subdomains to a text file.
nuclei -l alive.txt -t cves/ -t vulnerabilities/ -t exposed-panels/ -o results.json: Scans the alive subdomains using Nuclei with a set of specified templates and outputs the results to a JSON file.
awk '{print $3}': Extracts the URLs from the Nuclei output. This assumes the URL is the third whitespace-separated field of nuclei's text output; the field position depends on nuclei's output format and flags, so check it against a real output line (or use nuclei's JSON output) before relying on it.
httpx -silent: Filters the URLs by checking if they are alive using HTTP/HTTPS.
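The awk '{print $3}' step above guesses the URL column in nuclei's text output. As an added example that is not part of the gist, the Python script below reads nuclei's JSON-lines output instead (the field names template-id, host, matched-at and info.severity are assumed from nuclei v2's JSON output) on a constructed sample: it drops malformed lines, deduplicates repeated findings, counts them by severity, and lists the hosts at or above a chosen severity, which is what the awk/httpx step is trying to produce.

```python
import json
from collections import Counter

# nuclei's severity vocabulary, ranked so findings can be filtered by a threshold
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed sample of nuclei JSON-lines output (one finding per line); field names
# are assumed from nuclei v2's JSON output. The repeated git-config line and the
# non-JSON line are deliberate: real scan output is noisy.
SAMPLE_JSONL = """\
{"template-id":"tech-detect","info":{"name":"Technology Detection","severity":"info"},"type":"http","host":"https://www.example.com","matched-at":"https://www.example.com"}
{"template-id":"git-config","info":{"name":"Git Config Disclosure","severity":"medium"},"type":"http","host":"https://dev.example.com","matched-at":"https://dev.example.com/.git/config"}
{"template-id":"git-config","info":{"name":"Git Config Disclosure","severity":"medium"},"type":"http","host":"https://dev.example.com","matched-at":"https://dev.example.com/.git/config"}
this line is not JSON and must be skipped
{"template-id":"example-traversal","info":{"name":"Example Path Traversal","severity":"high"},"type":"http","host":"https://old.example.com:8443","matched-at":"https://old.example.com:8443/cgi-bin/../etc/passwd"}
"""

def parse_findings(jsonl_text):
    """Parse nuclei JSONL into dicts, skipping malformed lines and exact duplicates."""
    findings, seen = [], set()
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # noise must not abort triage of the remaining findings
        key = (record.get("template-id"), record.get("matched-at"))
        if key in seen:
            continue  # the same template matching the same URL twice is one finding
        seen.add(key)
        findings.append({
            "template": record.get("template-id", "?"),
            "severity": str(record.get("info", {}).get("severity", "unknown")).lower(),
            "host": record.get("host", ""),
            "matched_at": record.get("matched-at", ""),
        })
    return findings

def severity_counts(findings):
    """Unique findings per severity, e.g. {'info': 1, 'medium': 1, 'high': 1}."""
    return dict(Counter(f["severity"] for f in findings))

def hosts_at_or_above(findings, min_severity):
    """Sorted, deduplicated hosts with at least one finding at min_severity or worse."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted({f["host"] for f in findings
                   if SEVERITY_RANK.get(f["severity"], 0) >= threshold})
```

Feeding it the real results.json produced by nuclei's JSON output option gives a deduplicated host list that does not depend on the column layout of the text output.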
The last part of the command, “&& cat final.txt | gf xss | tee xss.txt && ffuf -w final.txt -u FUZZ -t 50 -recursion -recursion-depth 3 -mc all -ac -fc 404,403 -o ffuf_output.html”, adds fuzzing to the mix.
First, it pipes the contents of the “final.txt” file to gf, a wrapper around grep that applies named patterns, and keeps only the URLs matching its xss pattern (parameters commonly associated with XSS). tee then writes the filtered results to a new file called “xss.txt”.
Next, it runs ffuf (Fuzz Faster U Fool), a popular web application fuzzer, using the lines in “final.txt” as its wordlist with the whole request URL as the FUZZ position (-w final.txt -u FUZZ). It sets the concurrency level to 50 (-t 50) and enables recursion up to a depth of 3 (-recursion -recursion-depth 3). It then matches every status code (-mc all), enables auto-calibration of the filters (-ac) and filters out 404 and 403 responses (-fc 404,403) so that irrelevant responses are ignored. Finally, the results are output to an HTML file called “ffuf_output.html”.
Overall, this one-liner combines a variety of powerful tools and techniques to perform comprehensive bug bounty research, including subdomain enumeration, endpoint discovery, vulnerability scanning, and fuzzing.