itsmenaga

## subtone.sh
#!/bin/bash
echo "[*]Subfinder and Aquatone Scan Started [*]"
subfinder -d $1 -o $1.json -oT -nW -v
rm -rf /root/pentest/results/$1
mkdir /root/pentest/results/$1
cp $1.json /root/pentest/results/$1/
mv /root/pentest/results/$1/$1.json /root/pentest/results/$1/hosts.json
aquatone-scan -d $1 --ports huge --threads 10
DEBUG=nightmare xvfb-run -a aquatone-gather -d $1 --threads 10
aquatone-takeover -d $1 --threads 10

## aq.sh
#!/bin/bash
aquatone-discover -d $1 --threads 10
aquatone-scan -d $1 --ports huge --threads 10
DEBUG=nightmare xvfb-run -a aquatone-gather -d $1 --threads 10
aquatone-takeover -d $1 --threads 10

## gist:5bf91071e040116bd00348ace9f8bd32
#!/bin/bash

# this script was written by viss as a challenge from @random_robbie
# This one-liner replaces a fairly lengthy python script
# if you want to be walked through it, sign up for square cash, send $viss 20 dollars. Otherwise, flex your google fu!
# oh, ps: you need to pip install shodan, and then configure the shodan cli client by giving it your api key.
# then you're off to the races.

shodan search --fields ip_str --limit 1000 'product:"Oracle Weblogic" port:"7001" country:"US"' | sort -u | nmap -sT -Pn -n -oG - -iL - -p 7001 | grep open | awk '{print $2}' | xargs -I % -n 1 -P 30 bash -c 'RESULT=`curl -s -I -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko0100101 Firefox/54.0" -H "Connection":"close" -H "Accept-Language":"en-US -H en;q=0.5" -H "Accept":"text/html -H application/xhtml+xml -H application/xml;q=0.9 -H */*;q=0.8" -H "Upgrade-Insecure-Requests":"1" %:7001/ws_utc/config.do | egrep HTTP`; echo "%: $RESULT";'

## subdomain.rb
#Tools based on a resolver.rb by @melvinsh
#Repository: https://github.com/melvinsh/subresolve
#Modified by @ehsahil for Personal Use.
#Modified by @nikallass for Personal Use.

require 'socket'
require 'colorize'

begin
  if ARGV[0] == nil

## csrf_jwt_redirect_leak.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                itsmenaga
                / csrf_jwt_redirect_leak.md
            
            
              Created
              May 16, 2019 03:42
                — forked from stefanocoding/csrf_jwt_redirect_leak.md
            
          
    You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.
CSRF token bug


There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
User loads https://example.com/?code=VALUE
Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
GET /verify/VALUE HTTP/1.1
Host: example.com


## openinbrowser.py
#! /usr/bin/python3
import webbrowser, sys

if len(sys.argv) < 3:
    print("Usage: openinbrowser.py ./urls.txt 20")
    quit()

f = open(sys.argv[1])
tabs = int(sys.argv[2])
counter = 1

## ejs.sh
curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(\>\>\>)|(['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu

function ejs() {
  curl -L -k -s "$1" | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu
}

## dicom-bruteforce.py
#/usr/bin/env python3
# run me with ulimits -n 2048

import itertools
import string
from pydicom.dataset import Dataset
from pynetdicom import AE, QueryRetrievePresentationContexts
from pynetdicom.sop_class import PatientRootQueryRetrieveInformationModelFind
import sys
import time

## user.js
// Mozilla User Preferences
// To change a preference value, you can either:
// - modify it via the UI (e.g. via about:config in the browser); or
// - set it within a user.js file in your profile (create it if it doesn't exist).
//
// Profile folder location on different systems:
// Windows: C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default
// Mac OS X: Users/<username>/Library/Application Support/Firefox/Profiles/xxxxxxxx.default
// Linux: /home/<username>/.mozilla/firefox/xxxxxxxx.default

## s3tko.sh
#!/bin/bash
touch index.html
touch error.html
aws s3api create-bucket --bucket $1 --region us-east-1
aws s3 website s3://$1/ --index-document index.html --error-document error.html
aws s3 cp index.html s3://$1 --acl public-read
aws s3 cp error.html s3://$1 --acl public-read
	#!/bin/bash
	echo "[]Subfinder and Aquatone Scan Started []"
	subfinder -d $1 -o $1.json -oT -nW -v
	rm -rf /root/pentest/results/$1
	mkdir /root/pentest/results/$1
	cp $1.json /root/pentest/results/$1/
	mv /root/pentest/results/$1/$1.json /root/pentest/results/$1/hosts.json
	aquatone-scan -d $1 --ports huge --threads 10
	DEBUG=nightmare xvfb-run -a aquatone-gather -d $1 --threads 10
	aquatone-takeover -d $1 --threads 10
	#!/bin/bash
	aquatone-discover -d $1 --threads 10
	aquatone-scan -d $1 --ports huge --threads 10
	DEBUG=nightmare xvfb-run -a aquatone-gather -d $1 --threads 10
	aquatone-takeover -d $1 --threads 10
	#!/bin/bash

	# this script was written by viss as a challenge from @random_robbie
	# This one-liner replaces a fairly lengthy python script
	# if you want to be walked through it, sign up for square cash, send $viss 20 dollars. Otherwise, flex your google fu!
	# oh, ps: you need to pip install shodan, and then configure the shodan cli client by giving it your api key.
	# then you're off to the races.

	shodan search --fields ip_str --limit 1000 'product:"Oracle Weblogic" port:"7001" country:"US"' \| sort -u \| nmap -sT -Pn -n -oG - -iL - -p 7001 \| grep open \| awk '{print $2}' \| xargs -I % -n 1 -P 30 bash -c 'RESULT=`curl -s -I -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko0100101 Firefox/54.0" -H "Connection":"close" -H "Accept-Language":"en-US -H en;q=0.5" -H "Accept":"text/html -H application/xhtml+xml -H application/xml;q=0.9 -H /;q=0.8" -H "Upgrade-Insecure-Requests":"1" %:7001/ws_utc/config.do \| egrep HTTP`; echo "%: $RESULT";'
	#Tools based on a resolver.rb by @melvinsh
	#Repository: https://github.com/melvinsh/subresolve
	#Modified by @ehsahil for Personal Use.
	#Modified by @nikallass for Personal Use.

	require 'socket'
	require 'colorize'

	begin
	if ARGV[0] == nil
	#! /usr/bin/python3
	import webbrowser, sys

	if len(sys.argv) < 3:
	print("Usage: openinbrowser.py ./urls.txt 20")
	quit()

	f = open(sys.argv[1])
	tabs = int(sys.argv[2])
	counter = 1
	curl -L -k -s https://www.example.com \| tac \| sed "s#\\\/#\/#g" \| egrep -o "src['\"]?\s[=:]\s['\"]?[^'\"]+.js[^'\"> ]" \| awk -F '//' '{if(length($2))print "https://"$2}' \| sort -fu \| xargs -I '%' sh -c "curl -k -s \"%\" \| sed \"s/[;}\)>]/\n/g\" \| grep -Po \"(\>\>\>)\|(['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})\|(\.(get\|post\|ajax\|load)\s\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})\"" \| awk -F "['\"]" '{print $2}' \| sort -fu

	function ejs() {
	curl -L -k -s "$1" \| tac \| sed "s#\\\/#\/#g" \| egrep -o "src['\"]?\s[=:]\s['\"]?[^'\"]+.js[^'\"> ]" \| awk -F '//' '{if(length($2))print "https://"$2}' \| sort -fu \| xargs -I '%' sh -c "curl -k -s \"%\" \| sed \"s/[;}\)>]/\n/g\" \| grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})\|(\.(get\|post\|ajax\|load)\s\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"]{5,})\"" \| awk -F "['\"]" '{print $2}' \| sort -fu
	}
	#/usr/bin/env python3
	# run me with ulimits -n 2048

	import itertools
	import string
	from pydicom.dataset import Dataset
	from pynetdicom import AE, QueryRetrievePresentationContexts
	from pynetdicom.sop_class import PatientRootQueryRetrieveInformationModelFind
	import sys
	import time
	// Mozilla User Preferences
	// To change a preference value, you can either:
	// - modify it via the UI (e.g. via about:config in the browser); or
	// - set it within a user.js file in your profile (create it if it doesn't exist).
	//
	// Profile folder location on different systems:
	// Windows: C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default
	// Mac OS X: Users/<username>/Library/Application Support/Firefox/Profiles/xxxxxxxx.default
	// Linux: /home/<username>/.mozilla/firefox/xxxxxxxx.default
	#!/bin/bash
	touch index.html
	touch error.html
	aws s3api create-bucket --bucket $1 --region us-east-1
	aws s3 website s3://$1/ --index-document index.html --error-document error.html
	aws s3 cp index.html s3://$1 --acl public-read
	aws s3 cp error.html s3://$1 --acl public-read