pentest-hacktricks-finder
# HackTricks Search Skill
## Purpose
Use this skill to reliably discover and extract the most relevant HackTricks pages for a given technique, vulnerability class, bypass, or exploitation workflow, then pull the exact sections needed (payloads, prerequisites, caveats, and defensive notes).
HackTricks can be inconsistently indexed across search engines. This skill therefore defines two search backends:
- Primary: Exa-based web search with strict site scoping.
- Secondary: DuckDuckGo dorks with strict site scoping and noise reduction.
Use the secondary backend when:
- Exa results are sparse or irrelevant.
- You need very tight matching by title/path/keyword.
- You want reproducible dork sets for common vuln classes.
## Scope Guardrails
Only target content under:

```text
https://book.hacktricks.wiki/en/
```

Avoid unrelated mirrors, translations, or cached copies unless explicitly requested.
## Inputs
- Topic: a short phrase describing the target, example: “DOM XSS bypass”, “XXE parameter entities”, “CSRF SameSite bypass”.
- Optional: vuln class (XSS, XXE, CSRF, SSRF, SSTI, IDOR, Smuggling, Deserialization, Cloud).
- Optional: constraints (framework, language, cloud provider, WAF, browser).
## Workflow
- Search: Execute Exa first. If results are shallow, use DDG dorks or Exa to query DDG.
- Verify: Ensure the URL is under the `/en/` subtree and matches the target TTP (Tactics, Techniques and Procedures).
- Fetch: Use the `web_fetch` tool for all `book.hacktricks.wiki` URLs. DO NOT use `read_file`.
- Extract: Focus on:
  - Payloads and variants
  - Preconditions / limitations (e.g., IMDSv2, TTL, Hop Limit)
  - Bypass techniques
  - Detection / hardening notes
- Pivot: If a page is an index or high-level overview (like `cloud-ssrf.html`), perform a follow-up search or fetch the sub-pages mentioned in the text for specific payloads (e.g., ECS vs EC2).
- Return:
  - The selected URLs
  - The extracted payloads / steps
  - Any prerequisites and constraints
## Backend A: Exa Search (Primary)
### Generic pattern
```javascript
web_search_exa({
  query: "site:book.hacktricks.wiki/en <topic>",
  include: ["https://book.hacktricks.wiki/en/*"]
})
```
### Tighten results (recommended)
```javascript
web_search_exa({
  query: "site:book.hacktricks.wiki/en (<high-entropy keywords>) (<bypass|payload|trick|technique>)",
  include: ["https://book.hacktricks.wiki/en/*"]
})
```

Notes:
- Prefer 1–3 high-entropy tokens over long keyword chains (page slugs, function names, CVE IDs, unique headings).
- If Exa returns index pages, pivot to deeper subpages under the same directory.
## Backend B: DuckDuckGo Dorking (Secondary)
DuckDuckGo query semantics are not identical to Google “dorking”. Adjust how you construct queries:
- Do not assume implicit AND across space-separated terms. Use high-entropy anchors (slugs, quoted phrases, intitle/inurl).
- DuckDuckGo can relax constraints and show “related results” if an operator-heavy query yields few/no hits. When this happens, tighten with slugs/quotes rather than adding generic keywords.
- `+term` is a relevance boost, not a strict requirement.
- Prefer `site:` + `inurl:`/`intitle:` + quoted phrase + negative filters over boolean-style chains.

Supported operators you should rely on:
- Quotes for exact phrases
- Exclusion: `-term` and `-site:example.com`
- `site:`, `inurl:`, `intitle:`, `filetype:` (limited set)
### Baseline template (DDG-correct)
```text
site:book.hacktricks.wiki inurl:/en/ <high-entropy tokens> -inurl:/print -inurl:/index -inurl:/tags
```

## Targeted Search Playbooks (Slug-first)
These playbooks are designed to work well with DuckDuckGo by anchoring on stable HackTricks slugs and directories.
### XSS playbook

```text
site:book.hacktricks.wiki inurl:/en/pentesting-web/xss-cross-site-scripting/ (csp OR waf OR bypass OR payload) -inurl:/print -inurl:/index
```

### XXE playbook
```text
site:book.hacktricks.wiki inurl:/en/pentesting-web/ inurl:xxe-xee-xml-external-entity (DTD OR "parameter entity" OR payload) -inurl:/print -inurl:/index
```

### SSRF playbook (Including Cloud)
```text
site:book.hacktricks.wiki inurl:/en/pentesting-web/ssrf-server-side-request-forgery/ (metadata OR cloud OR "169.254" OR "169.254.170.2" OR bypass) -inurl:/print -inurl:/index
```

### Cloud Pentesting Playbook (AWS/GCP/Azure)
```text
site:book.hacktricks.wiki inurl:/en/ (pentesting-web OR pentesting-cloud) (aws OR gcp OR azure) (ssrf OR privilege OR "metadata-service" OR iam) -inurl:/print -inurl:/index
```

### SSTI playbook
```text
site:book.hacktricks.wiki inurl:/en/pentesting-web/ssti-server-side-template-injection/ (payload OR bypass OR sandbox) -inurl:/print -inurl:/index
```

### IDOR playbook
```text
site:book.hacktricks.wiki inurl:/en/pentesting-web/ (idor OR "insecure direct object reference" OR "broken access control") -inurl:/print -inurl:/index
```

## Verification Checklist (Before Fetch)
- URL starts with the /en/ subtree.
- The slug matches the intended vuln class (or at least the intended technique).
- The page is not an index-only aggregator when you need payload detail.
- If DuckDuckGo returns “related results”, reduce generic terms and increase specificity (slug + quoted phrase).
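As an added example (not part of the skill file or of HackTricks), the following JavaScript builds the slug-first DuckDuckGo queries from the playbook templates and applies this pre-fetch checklist to a list of candidate result URLs. The site, `/en/` scope and `-inurl:` filters come from the templates above; the function names (`buildDdgQuery`, `verifyHackTricksUrl`, `filterResults`), the `NOISE_PATHS` list and the sample hits are assumptions constructed for the example.

```javascript
// Added example, not code from the skill itself. Builds the slug-first
// DuckDuckGo queries used by the playbooks and applies the pre-fetch
// verification checklist to candidate result URLs. Function names and the
// sample hits below are constructed for this example.

const HT_SITE = "book.hacktricks.wiki";
const HT_SCOPE = "https://book.hacktricks.wiki/en/";
// Path fragments the baseline template filters out with -inurl: (assumed list)
const NOISE_PATHS = ["/print", "/index", "/tags"];

// Quote a token only when it is a multi-word phrase (DDG exact-phrase match).
function quoteIfPhrase(token) {
  return /\s/.test(token) ? `"${token}"` : token;
}

// Build a DDG-correct query: site: + inurl: anchor + OR-group of
// high-entropy tokens + negative inurl: filters, in that order.
function buildDdgQuery({ inurl = "/en/", terms = [], exclude = NOISE_PATHS }) {
  const quoted = terms.map(quoteIfPhrase);
  const group = quoted.length > 1 ? `(${quoted.join(" OR ")})` : quoted.join("");
  const negatives = exclude.map((p) => `-inurl:${p}`).join(" ");
  return [`site:${HT_SITE}`, `inurl:${inurl}`, group, negatives]
    .filter(Boolean)
    .join(" ");
}

// Apply the pre-fetch checklist to one URL. Returns { ok, reasons } so the
// caller can log why a hit was dropped instead of silently skipping it.
function verifyHackTricksUrl(url, expectedSlug) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return { ok: false, reasons: ["not a valid URL"] };
  }
  const reasons = [];
  // Scope guardrail: only the English subtree, never mirrors or translations.
  if (!url.startsWith(HT_SCOPE)) reasons.push("outside the /en/ subtree");
  // Index/print/tag pages carry no payload detail; flag them for a pivot.
  const noise = NOISE_PATHS.filter((p) => parsed.pathname.includes(p));
  if (noise.length) reasons.push(`noise path (${noise.join(", ")})`);
  // Slug check: the path should name the intended vuln class or technique.
  if (expectedSlug && !parsed.pathname.includes(expectedSlug)) {
    reasons.push(`slug "${expectedSlug}" not in path`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Keep only verified, de-duplicated hits in their original order.
function filterResults(urls, expectedSlug) {
  return [...new Set(urls)].filter((u) => verifyHackTricksUrl(u, expectedSlug).ok);
}

// Constructed sample hits, shaped like what a search backend might return.
const SAMPLE_HITS = [
  "https://book.hacktricks.wiki/en/pentesting-web/xss-cross-site-scripting/index.html",
  "https://book.hacktricks.wiki/en/pentesting-web/xss-cross-site-scripting/dom-xss.html",
  "https://book.hacktricks.wiki/en/pentesting-web/xss-cross-site-scripting/dom-xss.html",
  "https://book.hacktricks.wiki/en/pentesting-web/xss-cross-site-scripting/print.html",
  "https://book.hacktricks.wiki/es/pentesting-web/xss-cross-site-scripting/dom-xss.html",
  "https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/index.html",
];

// Usage: the XSS playbook query, then the checklist over the sample hits.
const XSS_QUERY = buildDdgQuery({
  inurl: "/en/pentesting-web/xss-cross-site-scripting/",
  terms: ["csp", "waf", "bypass", "payload"],
  exclude: ["/print", "/index"],
});
const VERIFIED = filterResults(SAMPLE_HITS, "xss-cross-site-scripting");
console.log(XSS_QUERY);
console.log(VERIFIED);
```

`buildDdgQuery` reproduces the XSS playbook string exactly, and with only `terms` set it yields the baseline template. `verifyHackTricksUrl` returns every failed check rather than the first one, so a Spanish-mirror hit and an index page are reported for different reasons; the index case is the signal to pivot to a deeper subpage rather than to fetch.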
## Fetch and Extraction
After selecting URLs, always use `web_fetch`. Extract:
- Section headers that contain payloads, bypasses, PoCs
- Any prerequisites (versions, libraries, browser constraints)
- Any “gotchas” (encoding, parsing differences, WAF behaviors, Cloud-specific hurdles like IMDSv2 tokens)

Return results in a minimal structure:
```json
{
  "topic": "<topic>",
  "selected_urls": [
    "https://book.hacktricks.wiki/en/..."
  ],
  "extracted": [
    {
      "url": "https://book.hacktricks.wiki/en/...",
      "sections": ["<header 1>", "<header 2>"],
      "payloads_or_steps": ["<payload/step 1>", "<payload/step 2>"],
      "constraints": ["<constraint 1>", "<constraint 2>"]
    }
  ]
}
```
## Notes for Pentesters
- Prefer subtree-restricted searches first (example: xss-cross-site-scripting, ssrf-server-side-request-forgery).
- Pivot Strategy: If a page mentions an environment variable (e.g., `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`), look for the section explaining how to leak it.
- IMDSv2 Note: Always check if a payload requires a `PUT` request for a token (IMDSv2) or if it's a simple `GET` (IMDSv1).
- When you find a strong index page, pivot to deeper subpages under the same directory for payload detail.