Last active
          July 3, 2025 21:27 
        
      - 
            
      
        
      
    Star
      
          
          (111)
      
  
You must be signed in to star a gist 
- 
              
      
        
      
    Fork
      
          
          (31)
      
  
You must be signed in to fork a gist 
- 
      
- 
        Save haccer/3698ff6927fc00c8fe533fc977f850f8 to your computer and use it in GitHub Desktop. 
     PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar
  
        
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
  | #!/bin/bash | |
| # Usage : ./scanio.sh <save file> | |
| # Example: ./scanio.sh cname_list.txt | |
| # Premium | |
| function ech() { | |
| spinner=( "|" "/" "-" "\\" ) | |
| while true; do | |
| for i in ${spinner[@]}; do | |
| echo -ne "\r[$i] $1" | |
| sleep 0.15 | |
| done | |
| done | |
| } | |
| # Joining elements together | |
| function join_by() { | |
| local IFS=$1 | |
| shift | |
| echo "$*" | |
| } | |
| # Kill function | |
| function die() { | |
| disown $1 | |
| kill -9 $1 | |
| length=$(echo -n $3 | wc -m) | |
| Count=$(($length + 5)) | |
| Clear=$(head -c $Count < /dev/zero | tr '\0' '\040') | |
| echo -ne "\r $Clear" | |
| echo -e "\r[*] $2" | |
| } | |
| function run() { | |
| ech "$1" & | |
| pid=$! | |
| eval "$2" | |
| die $pid "$3" "$1" | |
| } | |
| # Gathering data from scans.io | |
| # | |
| # Instructions for if you already have a file downloaded: | |
| # 1. Comment or delete the next four lines. | |
| # 2. Comment out the line below with the downloaded .gz file | |
| #file=$(echo "insertfilehere.gz") | |
| latest=$(curl -s "https://opendata.rapid7.com/sonar.fdns_v2/" | grep "<td><a" | grep any | head -n 1 | cut -d'"' -f2) | |
| file=$(echo $latest | cut -d'/' -f3) | |
| cmd="wget -q https://opendata.rapid7.com$latest" | |
| run "Downloading $file (This may take a while)." "$cmd" "Finished Downloading $file" | |
| # Parsing it into a file called cname_scanio | |
| msg="Grepping for CNAME records." | |
| ech $msg & | |
| pid=$! | |
| zcat $file | grep 'type":"cname' | awk -F'":"' '{print $3, $5}' | \ | |
| awk -F'"' '{print $1, $3}' | sed -e s/" type "/" "/g >> cname_scanio | |
| die $pid "CNAME records grepped." $msg | |
| # List of CNAMEs we're going to grep for | |
| declare -a arr=( | |
| "\.cloudfront.net" | |
| "\.s3-website" | |
| "\.s3.amazonaws.com" | |
| "w.amazonaws.com" | |
| "1.amazonaws.com" | |
| "2.amazonaws.com" | |
| "s3-external" | |
| "s3-accelerate.amazonaws.com" | |
| "\.herokuapp.com" | |
| "\.herokudns.com" | |
| "\.wordpress.com" | |
| "\.pantheonsite.io" | |
| "domains.tumblr.com" | |
| "\.zendesk.com" | |
| "\.github.io" | |
| "\.global.fastly.net" | |
| "\.helpjuice.com" | |
| "\.helpscoutdocs.com" | |
| "\.ghost.io" | |
| "cargocollective.com" | |
| "redirect.feedpress.me" | |
| "\.myshopify.com" | |
| "\.statuspage.io" | |
| "\.uservoice.com" | |
| "\.surge.sh" | |
| "\.bitbucket.io" | |
| "custom.intercom.help" | |
| "proxy.webflow.com" | |
| "landing.subscribepage.com" | |
| "endpoint.mykajabi.com" | |
| "\.teamwork.com" | |
| "\.thinkific.com" | |
| "clientaccess.tave.com" | |
| "wishpond.com" | |
| "\.aftership.com" | |
| "ideas.aha.io" | |
| "domains.tictail.com" | |
| "cname.mendix.net" | |
| "\.bcvp0rtal.com" | |
| "\.brightcovegallery.com" | |
| "\.gallery.video" | |
| "\.bigcartel.com" | |
| "\.activehosted.com" | |
| "\.createsend.com" | |
| "\.acquia-test.co" | |
| "\.proposify.biz" | |
| "simplebooklet.com" | |
| "\.gr8.com" | |
| "\.vendecommerce.com" | |
| "\.azurewebsites.net" | |
| "\.cloudapp.net" | |
| "\.trafficmanager.net" | |
| "\.blob.core.windows.net" | |
| ) | |
| # Prepare CNAME grep | |
| DOMAINS=$(join_by '|' ${arr[@]}) | |
| # Grepping CNAMEs from the array | |
| cmd="grep -Ei '${DOMAINS}' cname_scanio >> cname_db" | |
| run "Sorting CNAME records." "$cmd" "CNAME records sorted." | |
| # Sorting the CNAME list | |
| cmd="cat cname_db | cut -d' ' -f1 | sort | uniq >> $1" | |
| run "Cleaning up." "$cmd" "Cleaned up." | |
| # RM files. | |
| rm cname_db cname_scanio | |
| echo "[+] Finished." | 
I don't know about the 'dangerous functions' but when I run it in ubuntu I get:
$ ./scanio.sh
[*] Finished Downloading                  
[|] Greppinggzip: compressed data not read from a terminal. Use -f to force decompression.
For help, type: gzip -h
[*] CNAME records grepped.
[*] CNAME records sorted.   
[|] Cleaning up../scanio.sh: eval: line 38: syntax error near unexpected token `newline'
./scanio.sh: eval: line 38: `cat cname_db | cut -d' ' -f1 | sort | uniq >> '
[*] Cleaned up.   
[+] Finished.
I don't know about the 'dangerous functions' but when I run it in ubuntu I get:
$ ./scanio.sh [*] Finished Downloading [|] Greppinggzip: compressed data not read from a terminal. Use -f to force decompression. For help, type: gzip -h [*] CNAME records grepped. [*] CNAME records sorted. [|] Cleaning up../scanio.sh: eval: line 38: syntax error near unexpected token `newline' ./scanio.sh: eval: line 38: `cat cname_db | cut -d' ' -f1 | sort | uniq >> ' [*] Cleaned up. [+] Finished.
#!/bin/bash
# Usage : ./scanio.sh <save file>
# Example: ./scanio.sh cname_list.txt
if [ -z "$1" ]; then
  echo "Usage: $0 <save file>"
  exit 1
fi
# Premium
function ech() {
  spinner=( "|" "/" "-" "\\" )
  while true; do
    for i in ${spinner[@]}; do
      echo -ne "\r[$i] $1"
      sleep 0.15
    done
  done
}
# Joining elements together
function join_by() {
  local IFS=$1
  shift
  echo "$*"
}
# Kill function
function die() {
  disown $1
  kill -9 $1
  
  length=$(echo -n $3 | wc -m)
  Count=$(($length + 5))
  Clear=$(head -c $Count < /dev/zero | tr '\0' '\040')
  echo -ne "\r $Clear"
  echo -e "\r[*] $2"
}
function run() {
  ech "$1" &
  pid=$!
  eval "$2"
  die $pid "$3" "$1"
}
# Gathering data from scans.io
#
# Instructions for if you already have a file downloaded:
# 1. Comment or delete the next four lines.
# 2. Comment out the line below with the downloaded .gz file
#file=$(echo "insertfilehere.gz")
latest=$(curl -s "https://opendata.rapid7.com/sonar.fdns_v2/" | grep "<td><a" | grep any | head -n 1 | cut -d'"' -f2)
file=$(echo $latest | cut -d'/' -f3)
cmd="wget -q https://opendata.rapid7.com$latest"
run "Downloading $file (This may take a while)." "$cmd" "Finished Downloading $file"
# Parsing it into a file called cname_scanio
msg="Grepping for CNAME records."
ech $msg &
pid=$!
zcat -f $file | grep 'type":"cname' | awk -F'":"' '{print $3, $5}' | \
  awk -F'"' '{print $1, $3}' | sed -e s/" type "/" "/g >> cname_scanio
die $pid "CNAME records grepped." $msg
# List of CNAMEs we're going to grep for
declare -a arr=(
  "\.cloudfront.net"
  "\.s3-website"
  "\.s3.amazonaws.com"
  "w.amazonaws.com"
  "1.amazonaws.com"
  "2.amazonaws.com"
  "s3-external"
  "s3-accelerate.amazonaws.com"
  "\.herokuapp.com"
  "\.herokudns.com"
  "\.wordpress.com"
  "\.pantheonsite.io"
  "domains.tumblr.com"
  "\.zendesk.com"
  "\.github.io"
  "\.global.fastly.net"
  "\.helpjuice.com"
  "\.helpscoutdocs.com"
  "\.ghost.io"
  "cargocollective.com"
  "redirect.feedpress.me"
  "\.myshopify.com"
  "\.statuspage.io"
  "\.uservoice.com"
  "\.surge.sh"
  "\.bitbucket.io"
  "custom.intercom.help"
  "proxy.webflow.com"
  "landing.subscribepage.com"
  "endpoint.mykajabi.com"
  "\.teamwork.com"
  "\.thinkific.com"
  "clientaccess.tave.com"
  "wishpond.com"
  "\.aftership.com"
  "ideas.aha.io"
  "domains.tictail.com"
  "cname.mendix.net"
  "\.bcvp0rtal.com"
  "\.brightcovegallery.com"
  "\.gallery.video"
  "\.bigcartel.com"
  "\.activehosted.com"
  "\.createsend.com"
  "\.acquia-test.co"
  "\.proposify.biz"
  "simplebooklet.com"
  "\.gr8.com"
  "\.vendecommerce.com"
  "\.azurewebsites.net"
  "\.cloudapp.net"
  "\.trafficmanager.net"
  "\.blob.core.windows.net"
)
# Prepare CNAME grep
DOMAINS=$(join_by '|' ${arr[@]})
# Grepping CNAMEs from the array
cmd="grep -Ei '${DOMAINS}' cname_scanio >> cname_db"
run "Sorting CNAME records." "$cmd" "CNAME records sorted."
# Sorting the CNAME list
cmd="cat cname_db | cut -d' ' -f1 | sort | uniq >> $1"
run "Cleaning up." "$cmd" "Cleaned up."
# RM files.
rm cname_db cname_scanio
echo "[+] Finished."
This should work
@hussec your script is not working now.
Not working.
  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment
  
            
Does not work in 14/03/2023