Web Plugin#
The above are the Chrome plugins I use, which are very useful. Those who understand, understand 🥰
They mainly include the following categories:
- Information collection
- Proxy tools
- Hacking tools
- Development and debugging tools
- Anti-honeypot tools
- User experience optimization tools
Tool Scripts#
Essential Tools for Information Gathering#
ARL (Lighthouse), oneforall, URLfinder, httpx, EHole, dirsearch, Xray, goby
Project addresses:
URLfinder: https://github.com/pingcOy/URLFinder
dirsearch: https://github.com/lemonlove7/dirsearch_bypass403
httpx: https://github.com/projectdiscovery/httpx
Fingerprint recognition: https://github.com/lemonlove7/EHole_magic/tree/main
ARL (Lighthouse): https://github.com/ki9mu/ARL-plus-docker
FUZZ dictionary: https://github.com/TheKingOfDuck/fuzzDicts
Using Lighthouse#
Pay attention to the following information
^_^ Lighthouse enhancements
- Add API
- Remove domain restrictions
- Update built-in subdomain dictionary
- Update built-in file leakage dictionary
- Update fingerprint information
- Update POC (optional, not usually used for vulnerability scanning)
Spatial Mapping#
Commonly Used Spatial Mapping Websites#
hunter, fofa, quake, zoomeye, shodan
Search Techniques#
Each site has its own search syntax, but they are broadly similar, and proficiency comes with use. Fofa and Hunter (Yingtu) are self-explanatory. ZoomEye (Zhongkui) and Quake are mostly used when you are looking for every deployment of one particular system or component.
For edusrc: when a vulnerability is found during testing, note which vendor product the affected system is built on. Searching the mapping engines for other educational assets running the same product is generally effective.
Pay special attention to ICP filing records and site icons (favicons).
Enterprise Search#
Common Websites#
Qichacha, Aiqicha, Tianyancha, Xiaolanben, Diandian, Qimai
Information Collection#
Note:
- When digging for general-purpose CNVD, pay attention to software copyrights. When digging for SRC, pay more attention to assets such as apps, mini-programs, and official accounts.
- When searching for edge assets, pay attention to the equity ratio and the inclusion requirements of SRC. Usually, if the parent company holds more than 50% of the shares, it is sufficient.
- There are many techniques for collecting enterprise SRC, and there are also automated tools such as firefly. However, the most recommended method is to manually go through it yourself. It is easier to find vulnerabilities after having a comprehensive understanding of the assets and business.
Google Hacking#
Common Search Syntax for Vulnerability Hunting#
inurl: Matches keywords in the page URL. Useful for locating search pages, help pages and similar paths.
intext: Matches only the body text of the page (ignoring titles, URLs, etc.).
site: Limits the domain of your search.
filetype: Searches for files with a specific extension or file type.
intitle: Limits your search to web page titles.
allintitle: Searches for web pages with all the specified keywords in the title. However, it is not recommended to use this.
link: Provides a list of all pages that contain a specific URL. For example, link:http://www.google.com will provide all pages linked to Google.
Syntax for Finding Vulnerabilities in edu#
This type of syntax is often effective in edusrc mining:
site:edu.cn ext:doc | ext:docx | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
site:edu.cn "internship" filetype:xlsx+ID number-student number-examination number
Keywords: bank card, admission, application, discharge, dormitory, library, student, teacher, subsidy, exemption from examination, exceptional promotion, league member, joining the party, active member
Article reference: https://blog.csdn.net/qq_33942040/article/details/108549892
Here is a tool by another researcher: https://ght.se7ensec.cn/
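The dorks above work because search engines have already crawled and indexed the exposed documents. A defender-side check for that exposure, added here as an example (not from the original post): scan web-server access logs for major search-engine crawlers successfully fetching the document types the edu dorks target, since a crawler fetch means the file is about to become findable with exactly these queries. The combined-log format is assumed; the sample log lines, paths and IPs are constructed.

```python
"""Flag search-engine crawler fetches of document types that Google dorks target.

Added example, not code from the original post. Input is Apache/Nginx
combined log format; the sample lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Extensions from the post's edu dorks (doc/docx/psw/ppt/pptx/pps/csv) plus xls/xlsx.
SENSITIVE_EXT = {"doc", "docx", "psw", "ppt", "pptx", "pps", "csv", "xls", "xlsx"}
# User-agent substrings of major crawlers; a successful hit means the file is about to be indexed.
CRAWLER_UA = ("Googlebot", "bingbot", "Baiduspider", "YandexBot")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def extension_of(path):
    """Lower-cased extension of the URL path, ignoring query string and fragment."""
    name = urlparse(path).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def crawler_document_hits(lines):
    """Map crawler name -> sorted document paths it fetched with a 2xx status."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue  # unparsable line, or the server refused the file (403/404): not exposed
        if extension_of(rec["path"]) not in SENSITIVE_EXT:
            continue
        bot = next((b for b in CRAWLER_UA if b in rec["ua"]), None)
        if bot:
            hits[bot].add(urlparse(rec["path"]).path)
    return {bot: sorted(paths) for bot, paths in hits.items()}

SAMPLE_LOG = [  # constructed sample lines
    '66.249.66.1 - - [10/May/2024:08:01:02 +0800] "GET /files/intern_list.xlsx HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [10/May/2024:08:01:05 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '180.76.15.3 - - [10/May/2024:08:02:10 +0800] "GET /docs/roster.docx?ver=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '180.76.15.3 - - [10/May/2024:08:02:12 +0800] "GET /private/grades.csv HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '10.0.0.5 - - [10/May/2024:08:03:00 +0800] "GET /files/intern_list.xlsx HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
]

if __name__ == "__main__":
    for bot, paths in crawler_document_hits(SAMPLE_LOG).items():
        print(f"{bot}: {', '.join(paths)}")
```

Any path reported here should be removed from the public web root or put behind authentication, then purged from the search engine's index; blocking the crawler alone does not un-publish a file that is already indexed.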
Alternative Approaches#
Other Search Methods#
- Network disk search (Lingfengyun)
- Yuque
Search pattern: company name + keyword.
Keywords: phone number, contract, list, password, private data, internal files of xxx, xx account, address book, roster, report, bidding documents, employment, design drawings, notes, etc.
To be continued...#
Feel free to share your experiences in the comments~