#bug-bounty #security #hacking

app goblin_book_gobbler

A small tool that provides plenty of information about publicly disclosed bug bounty reports

2 releases

0.1.1 Jun 20, 2023
0.1.0 Jun 20, 2023

#12 in #bug-bounty

MIT/Apache

380KB
360

goblin_book_gobbler

Crates.io

A small tool that provides plenty of information about publicly disclosed bug bounty reports! Currently only HackerOne is supported.

Goblin book gobbler icon, which is a goblin eating a book labelled "Hacker One"

Terminal recording of the command "goblin_book_gobbler h1 --program yahoo --format %u", showing many URLs of the form "hackerone.com/reports/xxxxxxx". Gif made with vhs

Installation

You can install from crates.io using cargo:

cargo install goblin_book_gobbler

Or download a prebuilt binary from the releases page.

You can also clone the repository directly and build it with cargo:

git clone https://gitlab.com/bea_stung/goblin_book_gobbler.git
cd goblin_book_gobbler
cargo install --path=.

Usage

Basic usage

goblin_book_gobbler h1 --program yahoo

Example output

XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z
URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z
XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z
HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z

Show CSV-style headers and reverse the order

goblin_book_gobbler h1 --program yahoo --csv-headers --reverse

Example output

title,reporter,url,substate,severity,disclosed_at
HTML Injection on flickr screename using IOS App,panchocosil,https://hackerone.com/reports/1483,resolved,Unknown,2015-10-27T20:27:41.988Z
XSS Reflected - Yahoo Travel,akkilion,https://hackerone.com/reports/1553,resolved,Unknown,2015-08-14T20:10:11.686Z
URL Redirection,christypriory,https://hackerone.com/reports/1429,resolved,Unknown,2015-08-14T20:09:38.219Z
XSS in my yahoo,3lement,https://hackerone.com/reports/1203,resolved,Unknown,2015-08-14T20:09:00.793Z

Get reports disclosed since 2022, ordered alphabetically by title

goblin_book_gobbler h1 --program rockstargames --disclosed-since "2022-01-01T00:00:00.000Z" --order-by title

The --disclosed-since flag must use the date format that HackerOne's API uses: "2022-01-01T00:00:00.000Z"

Options for the --order-by flag

-o, --order-by <ORDER_BY>
          What field to order the reports by, accepts:
          id
          created_at
          submitted_at
          latest_activity_at
          timer_report_resolved_elapsed_time
          timer_report_triage_elapsed_time
          timer_bounty_awarded_elapsed_time
          timer_first_program_response_elapsed_time
          substate
          severity_rating
          title
          jira_status
          swag_awarded_at
          bounty_awarded_at
          last_reporter_activity_at
          first_program_activity_at
          last_program_activity_at
          last_public_activity_at
          last_activity_at
          triaged_at
          closed_at
          disclosed_at

Custom output format

Inspired by tomnomnom's unfurl, you can specify a custom output format

-f, --format <FORMAT>
          Format string, replaces:
          "%dd": 'disclosed at' date
          "%u" : The report url
          "%U" : The reporter username
          "%s" : The report substate (e.g. Resolved)
          "%S" : The report severity rating (e.g. Critical)
          "%t" : The report title
          Defaults to:
          "%t,%U,%u,%s,%S"
          Which gives e.g.:
          Reflected XSS in reddeadredemption site,nahamsec,https://hackerone.com/reports/149673,resolved,medium
          Ignores any other characters and leaves them unchanged
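As an added example (not the project's own code), the following Rust reimplements the --format substitution described above for a record parsed from one of the tool's default output lines shown earlier; the Report struct and both function names are assumptions for illustration.

```rust
// Added example (not the project's own code): reimplements the --format
// substitution described on this page for a parsed default output line.
struct Report {
    title: String,
    reporter: String,
    url: String,
    substate: String,
    severity: String,
    disclosed_at: String,
}

/// Parse one default output line: title,reporter,url,substate,severity,disclosed_at.
/// Splits from the right because only the title can contain commas.
fn parse_line(line: &str) -> Option<Report> {
    let mut f = line.rsplitn(6, ',');
    let disclosed_at = f.next()?.to_string();
    let severity = f.next()?.to_string();
    let substate = f.next()?.to_string();
    let url = f.next()?.to_string();
    let reporter = f.next()?.to_string();
    let title = f.next()?.to_string();
    Some(Report { title, reporter, url, substate, severity, disclosed_at })
}

/// Expand %dd, %u, %U, %s, %S and %t; every other character passes through unchanged.
fn render(fmt: &str, r: &Report) -> String {
    let c: Vec<char> = fmt.chars().collect();
    let (mut out, mut i) = (String::new(), 0);
    while i < c.len() {
        // "%dd" is the only two-letter token, so test it before the single letters.
        if c[i] == '%' && c.get(i + 1) == Some(&'d') && c.get(i + 2) == Some(&'d') {
            out.push_str(&r.disclosed_at);
            i += 3;
            continue;
        }
        let rep = match (c[i], c.get(i + 1).copied()) {
            ('%', Some('u')) => Some(r.url.as_str()),
            ('%', Some('U')) => Some(r.reporter.as_str()),
            ('%', Some('s')) => Some(r.substate.as_str()),
            ('%', Some('S')) => Some(r.severity.as_str()),
            ('%', Some('t')) => Some(r.title.as_str()),
            _ => None,
        };
        match rep {
            Some(v) => { out.push_str(v); i += 2; }
            None => { out.push(c[i]); i += 1; }
        }
    }
    out
}
```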

Get all new reports from this week

Useful for automation, or for a cron job that notifies you via slack/discord etc.

goblin_book_gobbler h1 --program security --disclosed-since $(date +%Y-%m-%dT00:00:00.000Z -d "1 week ago")

Example output

Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone,medmahmoudi,https://hackerone.com/reports/1727221,resolved,high,2023-06-19T20:15:24.936Z

Dependencies

~8–24MB
~400K SLoC