Credential Stuffing (part 2) CLI

Query to get the Data (it will be in json format)

curl 'https://api.dehashed.com/search?query=domain:"swiggy.com"' \

-u email@email.com:api-key \

-H 'Accept: application/json' | tee dehashed_company_output.txt But how to format the output json to get only usernames,emails and passwords

cat dehashed_company_output.txt | jq -r '.entries | .[] | select(.password|test(".+")) | [.email,.password] | join(“,“)' To get only emails

cat dehashed_company_output.txt | jq -r '.entries | .[] | select(.password|test(".+")) | [.email,.password] | join(“,“)' | cut -d”,” -f1 To get only passwords

cat dehashed_company_output.txt | jq -r '.entries | .[] | select(.password|test(".+")) | [.email,.password] | join(“,“)'

You can change it to a way how you need it. test is for matching the regex.

you can play with jq to understand it better.

After you get the credentials from the above query you can bruteforce the login panels using pitchfork in intruder / ffuf.

I’ll keep the posts short and straight to the point.

Any queries?

Comment or contact me on twitter. @_thesecurityguy

The single jq line above took me 3 hours to figure out how to process the output in a detailed way.

The time invested by me = Time you saved.

Share your thanks

https://www.buymeacoffee.com/ballx