Bug Bounty - GitBook
⚙️ Complete Bug Bounty tool List ⚙️
Enjoy :)
dnscan https://github.com/rbsec/dnscan
Knockpy https://github.com/guelfoweb/knock
Sublist3r https://github.com/aboul3la/Sublist3r
massdns https://github.com/blechschmidt/massdns
Nmap https://nmap.org
Masscan https://github.com/robertdavidgraham/masscan
EyeWitness https://github.com/ChrisTruncer/EyeWitness
DirBuster https://sourceforge.net/projects/dirbuster/
dirsearch https://github.com/maurosoria/dirsearch
Gitrob https://github.com/michenriksen/gitrob
git-secrets https://github.com/awslabs/git-secrets
sandcastle https://github.com/yasinS/sandcastle
bucket_finder https://digi.ninja/projects/bucket_finder.php
GoogD0rker https://github.com/ZephrFish/GoogD0rker/
Wayback Machine https://web.archive.org
waybackurls https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050
Sn1per https://github.com/1N3/Sn1per/
XRay https://github.com/evilsocket/xray
wfuzz https://github.com/xmendez/wfuzz/
patator https://github.com/lanjelot/patator
datasploit https://github.com/DataSploit/datasploit
hydra https://github.com/vanhauser-thc/thc-hydra
changeme https://github.com/ztgrace/changeme
MobSF https://github.com/MobSF/Mobile-Security-Framework-MobSF/
Apktool https://github.com/iBotPeaches/Apktool
dex2jar https://sourceforge.net/projects/dex2jar/
sqlmap http://sqlmap.org/
oxml_xxe https://github.com/BuffaloWill/oxml_xxe/
XXE Injector https://github.com/enjoiz/XXEinjector
The JSON Web Token Toolkit https://github.com/ticarpi/jwt_tool
ground-control https://github.com/jobertabma/ground-control
ssrfDetector https://github.com/JacobReynolds/ssrfDetector
LFISuit https://github.com/D35m0nd142/LFISuite
GitTools https://github.com/internetwache/GitTools
dvcs-ripper https://github.com/kost/dvcs-ripper
tko-subs https://github.com/anshumanbh/tko-subs
HostileSubBruteforcer https://github.com/nahamsec/HostileSubBruteforcer
Race the Web https://github.com/insp3ctre/race-the-web
ysoserial https://github.com/GoSecure/ysoserial
PHPGGC https://github.com/ambionics/phpggc
CORStest https://github.com/RUB-NDS/CORStest
Retire-js https://github.com/RetireJS/retire.js
getsploit https://github.com/vulnersCom/getsploit
Findsploit https://github.com/1N3/Findsploit
bfac https://github.com/mazen160/bfac
WPScan https://wpscan.org/
CMSMap https://github.com/Dionach/CMSmap
Amass https://github.com/OWASP/Amass
Extra Tools
http://projectdiscovery.io
Awesome Asset Discovery
List by x.com/RedHuntLabs
IP Address
Domain/Subdomain
Email
Network
Business Infrastructure
Cloud Infrastructure
Company Info
Internet Survey Data
Social Media / Employee Profiling
Data Leaks
Archived Info
https://github.com/redhuntlabs/Awesome-Asset-Discovery
🚨 PART 2 — ADVANCED BUG BOUNTY RECON PLAYBOOK 🚨
Stealth, Automation & Finding What Others Miss
Most hunters stop at surface recon. But the real money? It’s buried deeper. Welcome to the elite 1%. This is how you go stealth, automate, and win.
1️⃣ JavaScript Recon — Extract Hidden Gems
JS files hide API endpoints, tokens, secrets.
🔧 Tools: subjs, LinkFinder, JSParser
subjs -i alive.txt -o jsfiles.txt
cat jsfiles.txt | LinkFinder -i - -o cli > endpoints.txt
➡️ Hidden attack surface unlocked.
2️⃣ Historical Data Mining — Gold in the Past
Old URLs often lead to vulnerable legacy endpoints.
🔧 Tools: waybackurls, gau
cat alive.txt | waybackurls > wayback.txt
cat alive.txt | gau > gau.txt
cat wayback.txt gau.txt | sort -u > historical_urls.txt
➡️ Time travel for bugs.
3️⃣ Parameter Discovery — Hunt the Inputs
Params = your entry point for XSS, SQLi, IDOR.
🔧 Tools: ParamSpider, Arjun
paramspider -d target.com -o params.txt
arjun -i historical_urls.txt -o arjun_params.txt
4️⃣ Virtual Host Enumeration — Hidden Panels
Sometimes, real targets are behind unseen VHOSTs.
🔧 Tools: ffuf, vhostscan
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 4242
5️⃣ Cloud Bucket Recon — Jackpot Mode
Open buckets = exposed sensitive data.
🔧 Tools: CloudBrute, S3Scanner
cloudbrute -d target.com -o buckets.txt
6️⃣ Recon Automation — Set & Forget
Real recon doesn’t sleep.
🔧 Tools: recon-pipeline, recon-ng
git clone https://github.com/epi052/recon-pipeline.git
cd recon-pipeline
./recon-pipeline.py --target target.com
7️⃣ Stealth Recon — Avoid Getting Blocked
Don’t be loud. Be invisible.
🛡 Tips:
✅ Rotate user-agents
✅ Delay scans
✅ Use proxychains + VPN/TOR
8️⃣ Continuous Monitoring — Be First to Strike
New IPs? Dev errors? You’ll know first.
🔧 Tools: Shodan, SecurityTrails
shodan search "hostname:target.com"
9️⃣ Advanced Google Dorking — Open Secrets
Google knows what they forgot to lock.
💡 Dorks:
site:target.com ext:sql
site:target.com inurl:admin
site:target.com intitle:"index of"
🔟 GitHub Recon — Where Devs Slip Up
They push secrets. You collect bounty.
🔧 Tools: gitrob, GitHub Dorks
gitrob target.com
✅ Combine all → Build the ultimate recon pipeline
✅ Find what others miss → Land critical, $$$ bugs
🔥 ADVANCED BUG BOUNTY RECON PLAYBOOK (2025) 🔥
💰 Deep Recon = Real Money
Most hunters stop at surface-level scans. The real high-value bugs lie in what others overlook.
Here’s your Ultimate Recon Pipeline — battle-tested, fully loaded, and ready to execute:
🔍 1. Scope Review
Know what you're allowed to touch.
➡️ *.target.com
Avoid legal issues & save time by staying within bounds.
🌐 2. Subdomain Enumeration
Tools: bbot, subfinder, amass
bbot -d target.com
subfinder -d target.com -o subfinder.txt
amass enum -d target.com -o amass.txt
cat *.txt | sort -u > subdomains.txt
🧠 Passive + Active = Deep Coverage
⚡️ 3. Alive Check
Tool: httpx
cat subdomains.txt | httpx -silent -o alive.txt
✅ Only focus on live hosts = efficiency boost.
🕷 4. Crawl Alive Domains
Tool: katana
katana -list alive.txt -o endpoints.txt
Uncover hidden paths & juicy endpoints.
📸 5. Screenshot Everything
Tool: eyewitness
eyewitness --web -f alive.txt --threads 10 -d screenshots
Visually scan for promising targets.
🚨 6. Automated Vuln Scan
Tools: nuclei, nmap, nikto
cat alive.txt | nuclei -t templates/ -o nuclei.txt
nmap -sVC -T4 -iL alive.txt -oN nmap.txt
nikto -h alive.txt -output nikto.txt
💡 Easy wins from common misconfigs & outdated software.
🔬 7. Tech Stack Fingerprinting
Tools: wappalyzer, builtwith, whatruns
Find tech-specific CVEs, weak plugins, and CDN leaks.
🍯 8. Low-Hanging Fruits
Tools: subzy, socialhunter
subzy run --targets alive.txt
socialhunter -f alive.txt
⚠️ Subdomain Takeovers + Broken Links = easy $$$
🌐 9. URL Gathering & Param Discovery
Tools: waybackurls, gau, paramspider
cat alive.txt | waybackurls >> urls.txt
cat alive.txt | gau >> urls.txt
paramspider -d target.com -o params.txt
📦 Old URLs = Unpatched Gold Mines
🧙 10. Google Dorking
site:target.com ext:sql
site:target.com inurl:admin
site:target.com ext:bak
🧠 Hidden backups, exposed configs, and sensitive portals.
🗂 11. GitHub Recon
Search:
"target.com" in:code
🔑 Leaked API keys, secrets, and config files by devs.
🎯 Bonus: XSS / LFI / SQLi Param Hunt
Tools: gf, qsreplace, httpx
gf xss urls.txt | qsreplace '"><script>alert(1)</script>' | httpx -silent
Auto-test for high-impact bugs at scale.
🧠 Final Take:
✔️ End-to-End Automation
✔️ Focus on overlooked assets
✔️ Hit where it hurts (and pays)
Run this full recon cycle, and you'll outpace 90% of the bug bounty crowd.
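Both playbooks above feed discovered JavaScript and crawled endpoints into the later steps (Part 2, step 1 with subjs and LinkFinder; steps 4 and 9 here). What follows is an added example, not code from the post or from any tool it names, of the string-level extraction those tools do; SAMPLE_JS is a constructed bundle and the regexes are the example's own assumptions. It also masks credential-looking literals, so the same script can audit your own bundles before they ship.

```python
import re

# Constructed sample of a front-end bundle (not taken from the page): it mixes
# an absolute URL, a protocol-relative URL, root-relative API paths, a static
# asset and a hardcoded credential.
SAMPLE_JS = r'''
const API = "https://api.example.com/v2/";
fetch(API + "users/me");
axios.get('/api/v2/orders?status=open');
const cfg = { apiKey: "sk_test_51Hxxxxxxxxxxxxxxxxxxxxxx", endpoint: "/internal/admin/export" };
img.src = "/static/img/logo.png";
window.location = "//cdn.example.com/app.js";
'''

# A quoted string that is an absolute URL, a protocol-relative URL, or a
# root-relative path with an optional query string. Bare relative paths such
# as "users/me" are deliberately not matched: they need the base URL to resolve.
ENDPOINT_RE = re.compile(
    r'''["'`]((?:https?:)?//[^\s"'`]+|/[A-Za-z0-9_./-]+(?:\?[^\s"'`]*)?)["'`]'''
)
# A credential-looking property or variable assigned a long string literal.
SECRET_RE = re.compile(
    r'''(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{16,})["']'''
)
STATIC_EXT = ('.png', '.jpg', '.gif', '.css', '.svg', '.woff', '.ico')


def extract_endpoints(js: str) -> list[str]:
    """Unique endpoint candidates in source order, static assets dropped."""
    found: list[str] = []
    for m in ENDPOINT_RE.finditer(js):
        ep = m.group(1)
        if ep.split('?', 1)[0].lower().endswith(STATIC_EXT):
            continue
        if ep not in found:
            found.append(ep)
    return found


def find_secret_candidates(js: str) -> list[tuple[str, str]]:
    """(name, masked value) pairs to review by hand; only a short prefix is kept."""
    return [(m.group(1), m.group(2)[:6] + '...') for m in SECRET_RE.finditer(js)]


if __name__ == '__main__':
    for ep in extract_endpoints(SAMPLE_JS):
        print('endpoint:', ep)
    for name, masked in find_secret_candidates(SAMPLE_JS):
        print('review:', name, '=', masked)
```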
Burp Suite Professional v2024.1.4 + JDK 22
NOTE - Run this version With Java SE JDK 22
Released Friday, 7 March 2025
#pentest #security
url.com/admin/?
url.com//admin//
url.com///admin///
url.com/./admin/./
url.com/admin?
url.com/admin??
url.com/admin/?/
url.com/admin/??
url.com/admin/??/
url.com/admin/..
url.com/admin/../
url.com/admin/./
url.com/admin/.
url.com/admin/.//
url.com/admin/*
url.com/admin//*
url.com/admin/%2f
url.com/admin/%2f/
url.com/admin/%20
url.com/admin/%20/
url.com/admin/%09
url.com/admin/%09/
url.com/admin/%0a
url.com/admin/%0a/
url.com/admin/%0d
url.com/admin/%0d/
url.com/admin/%25
url.com/admin/%25/
url.com/admin/%23
url.com/admin/%23/
url.com/admin/%26
url.com/admin/%3f
url.com/admin/%3f/
url.com/admin/%26/
url.com/admin/#
url.com/admin/#/
url.com/admin/#/./
url.com/./admin
url.com/./admin/
url.com/..;/admin
url.com/..;/admin/
url.com/.;/admin
url.com/.;/admin/
url.com/;/admin
url.com/;/admin/
url.com//;//admin
url.com//;//admin/
url.com/%2e/admin
url.com/%2e/admin/
url.com/%20/admin/%20
url.com/%20/admin/%20/
url.com/admin/..;/
url.com/admin.json
url.com/admin/.json
url.com/admin..;/
url.com/admin;/
url.com/admin%00
url.com/admin.css
url.com/admin.html
url.com/admin?id=1
url.com/admin~
url.com/admin/~
url.com/admin/°/
url.com/admin/&
url.com/admin/-
url.com/admin\/\/
url.com/admin/..%3B/
url.com/admin/;%2f..%2f..%2f
url.com/ADMIN
url.com/ADMIN/
url.com/admin/..\;/
url.com/*/admin
url.com/*/admin/
url.com/ADM+IN
url.com/ADM+IN/
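The paths above are variants of a single /admin request that rely on a reverse proxy and a backend decoding or normalising the same path differently before the access-control decision is made. Below is an added defender-side example, not from the post, that canonicalises a path exactly once and fails closed on anything ambiguous; the /admin prefix ACL and SAMPLE_PATHS are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

PROTECTED = ('/admin',)   # assumed ACL prefix for this example

# Constructed request paths with the same shapes as the list above, not a capture.
SAMPLE_PATHS = ['/admin/', '//admin//', '/./admin/./', '/admin/%2f', '/ADMIN/',
                '/admin/..;/', '/admin%00', '/admin/%252f', '/admin/../', '/static/app.js']


def canonical_path(raw: str):
    """One canonical form of a request path, or None when the path is ambiguous.

    Ambiguous means a proxy and a backend could reasonably disagree on what the
    path names; the caller should reject such requests rather than guess.
    """
    path = raw.split('?', 1)[0].split('#', 1)[0]
    decoded = unquote(path)
    # Double encoding (%252f) decodes to something that would decode again;
    # NUL, control characters, backslashes and ';' path parameters are treated
    # differently by common servers, so all of them are refused outright.
    if unquote(decoded) != decoded or any(c in decoded for c in '\x00\t\n\r\\;'):
        return None
    # Collapse repeated slashes and resolve '.' and '..' once, the same way for every request.
    norm = posixpath.normpath('/' + decoded.lstrip('/'))
    if decoded.endswith('/') and norm != '/':
        norm += '/'
    return norm


def decide(raw: str) -> str:
    """'reject' for ambiguous paths, 'auth-required' under a protected prefix,
    otherwise 'public'. The prefix match is case-insensitive so that a
    case-insensitive backend cannot be reached through /ADMIN."""
    norm = canonical_path(raw)
    if norm is None:
        return 'reject'
    low = norm.lower()
    if any(low == p or low.startswith(p + '/') for p in PROTECTED):
        return 'auth-required'
    return 'public'


if __name__ == '__main__':
    for p in SAMPLE_PATHS:
        print(f'{p:18} -> {decide(p)}')
```

Note that /admin/../ resolves to the site root and is correctly classed as public: the point is that proxy and backend must agree on that resolution, which is why the check runs on the canonical form only.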