Nasur Ullah Spy0x7

@adcvga
adcvga / rfuzz.txt
Created December 12, 2023 21:28
another ffuf wordlist
.nodeset.yaml
stuff.htm
test13.php
system/config
apiai.js
config/codeclimate.ps1
18079
hitable.js
supersmashbrothers
notice.txt
@win3zz
win3zz / zendesk_endpoints.txt
Created July 18, 2023 09:01
List of Zendesk API Endpoints for Fuzzing [Penetration Testing]
POST /api/v2/accounts
GET /api/v2/activities?since=cstest
GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest
GET /api/v2/automations
POST /api/v2/automations
GET /api/v2/bookmarks
POST /api/v2/bookmarks
GET /api/v2/brands
POST /api/v2/brands
GET /api/v2/custom_objects
@seqrity
seqrity / ffuf_urls
Created September 19, 2022 18:35
A simple script for fuzzing URL list by ffuf
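#!/bin/bash
# Run ffuf against every base URL in urls.txt; one result file per target under out/
mkdir -p out
for line in $(cat urls.txt)
do
  # Build a filesystem-safe output name from the URL (":" becomes "_", "/" is removed)
  DOMAIN=$(echo "$line" | tr : _ | tr -d /)
  ffuf -u "$line/FUZZ" -w dir_wl.txt -D -e php,aspx,jsp,html,js,txt,bak,zip,json,conf,log,git -t 100 -mc 200 -r -o "out/$DOMAIN"
done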
@seqrity
seqrity / wordlist_from_js.sh
Last active March 5, 2023 06:35
Make wordlist from js files
#! /bin/bash
## This script fetches JS files from a domain name and makes a wordlist from the words in those JS files
## Credit: https://gist.github.com/aufzayed/6cabed910c081cc2f2186cd27b80f687
##### Install requirements #####
##### Before running this script you should install Go #####
## Install subjs (https://github.com/lc/subjs)
GO111MODULE=on go get -u -v github.com/lc/subjs
CF-Connecting-IP: 127.0.0.1
Content-type: 0
Fastly-Client-IP: 127.0.0.1
Forwarded: 127.0.0.1
Forwarded: for=127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
True-Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Cluster-Client-IP: 127.0.0.1
@c3l3si4n
c3l3si4n / nuclei-rce.yaml
Last active December 18, 2023 06:48
POC demonstrating RCE on Nuclei v2.5.1. The following PoC will execute `touch /tmp/rce_on_nuclei`. JS exploit based on CVE-2021-21224 PoCs
id: nuclei-rce
info:
  name: Nuclei Template RCE by Chromium
  author: c3l3si4n
  severity: critical
  tags: rce,hackback
headless:
  - steps:
@hakluke
hakluke / hakcombos.go
Last active November 27, 2023 21:08
Generate all 3 character domains of all TLDs in ./tlds.txt
package main

import (
	"bufio"
	"fmt"
	"os"
)

func main() {
	chars := []string{"1", "2", "3", "4", "5", "6", "7", "8", "9", "0", "q", "w", "e", "r", "t", "y", "u", "i", "o", "p", "a", "s", "d", "f", "g", "h", "j", "k", "l", "z", "x", "c", "v", "b", "n", "m", "-"}
@honoki
honoki / hackerone-initiate-programs.sh
Last active September 18, 2023 18:56
Create new BBRF programs from your private and public HackerOne programs.
#!/bin/bash
# Initiate new BBRF programs from your public and private HackerOne programs
h1name="<your-hackerone-username>"
apitoken="<your-hackerone-api-token>"
next='https://api.hackerone.com/v1/hackers/programs?page%5Bsize%5D=100'
while [ "$next" ]; do
@nikitastupin
nikitastupin / fingerprint.js
Created February 8, 2021 12:21
fingerprint.js
(() => {
  let gadgets = [];
  if (typeof _satellite !== 'undefined') {
    gadgets.push('Adobe Dynamic Tag Management');
  }
  if (typeof BOOMR !== 'undefined') {
    gadgets.push('Akamai Boomerang');
  }
import requests
import re
import string
ch=string.ascii_lowercase+string.digits
#ch=string.printable