banner
言心吾

言心吾のBlog

吾言为心声
HomeArchivesLinks

Information Gathering in SRC Mining

#挖洞404
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses various web plugins, tool scripts, and techniques for information gathering, hacking, and optimizing user experience. It also covers tools for space mapping, enterprise search, Google hacking, and alternative search methods. The author provides tips and syntax for effective searching, particularly in the context of finding vulnerabilities in educational institutions. The article encourages readers to share their experiences in the comments section.

Web Plugin#

img-2024.06.22-06.28.46
The above are the Chrome plugins I use, which are very useful. Those who understand, understand 🥰
They mainly include the following categories:

  1. Information collection
  2. Proxy tools
  3. Hacking tools
  4. Development and debugging tools
  5. Anti-honeypot tools
  6. User experience optimization tools

Tool Scripts#

Essential Tools for Information Gathering#

ARL (Lighthouse), oneforall, URLfinder, httpx, EHole, dirsearch, Xray, goby

Project addresses:
URLfinder: https://github.com/pingcOy/URLFinder
dirsearch: https://github.com/lemonlove7/dirsearch_bypass403
httpx: https://github.com/projectdiscovery/httpx
Fingerprint recognition: https://github.com/lemonlove7/EHole_magic/tree/main
ARL (Lighthouse): https://github.com/ki9mu/ARL-plus-docker
FUZZ dictionary: https://github.com/TheKingOfDuck/fuzzDicts

Using Lighthouse#

Pay attention to the following information
arl
^_^ Lighthouse enhancements

  1. Add API
  2. Remove domain restrictions
  3. Update built-in subdomain dictionary
  4. Update built-in file leakage dictionary
  5. Update fingerprint information
  6. Update POC (optional, not usually used for vulnerability scanning)

Spatial Mapping#

Commonly Used Spatial Mapping Websites#

hunter, fofa, quake, zoomeye, shodan

Search Techniques#

Different websites have different search syntax, but they are similar. The more you use them, the more proficient you become. Fofa and Yingtu are self-explanatory. Zhongkui and quake are often used when searching for a system/component to kill.
For edusrc, when conducting penetration testing, if a vulnerability is found, pay attention to which product the system belongs to from the developer of the system. Generally, using mapping to search for corresponding educational assets products is effective.
Pay special attention to: ICP filing, icon

Enterprise Search#

Common Websites#

Qichacha, Aiqicha, Tianyancha, Xiaolanben, Diandian, Qimai

Information Collection#

image

Note:

  1. When digging for general-purpose CNVD, pay attention to software copyrights. When digging for SRC, pay more attention to assets such as apps, mini-programs, and official accounts.
  2. When searching for edge assets, pay attention to the equity ratio and the inclusion requirements of SRC. Usually, if the parent company holds more than 50% of the shares, it is sufficient.
  3. There are many techniques for collecting enterprise SRC, and there are also automated tools such as firefly. However, the most recommended method is to manually go through it yourself. It is easier to find vulnerabilities after having a comprehensive understanding of the assets and business.

Google Hacking#

Common Search Syntax for Vulnerability Hunting#

image

inurl: Used to search for URLs contained on web pages. This syntax is useful for finding searches, help, and other information on web pages.
intext: Only search for text contained in part of the web page (ignoring text in titles, URLs, etc.).
site: Limits the domain of your search.
filetype: Searches for files with a specific extension or file type.
intitle: Limits your search to web page titles.
allintitle: Searches for web pages with all the specified keywords in the title. However, it is not recommended to use this.
link: Provides a list of all pages that contain a specific URL. For example, link:http://www.google.com will provide all pages linked to Google.

Syntax for Finding Vulnerabilities in edu#

This type of syntax is often effective in edusrc mining:
site:edu.cn ext:doc | ext:docx | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
site:edu.cn "internship" filetype:xlsx+ID number-student number-examination number
Keywords: bank card, admission, application, discharge, dormitory, library, student, teacher, subsidy, exemption from examination, exceptional promotion, league member, joining the party, active member
Article reference: https://blog.csdn.net/qq_33942040/article/details/108549892
Here is a tool created by a master: https://ght.se7ensec.cn/

image

Alternative Approaches#

Other Search Methods#

  1. Network disk search (Lingfengyun)
  2. Yuque

Enterprise + keywords
Keywords: phone number, contract, list, password, private data, internal files of xxx, xx account, address book, roster, report, bidding documents, employment, design drawings, notes, etc.

To be continued...#

Feel free to share your experiences in the comments~

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.