recon-and-methodology


SKILL: Recon and Methodology — Expert Bug Bounty Playbook

AI LOAD INSTRUCTION: Systematic recon and bug-finding methodology from top bug hunters. Covers subdomain enumeration, endpoint discovery, tech fingerprinting, and the hunter's mental model for finding bugs that others miss. Key insight: most high-severity bugs are found through systematic coverage, not just clever payloads.

1. RECON HIERARCHY

Target Selection
└── Scope Definition (in-scope assets)
    └── Asset Discovery (subdomains, IPs, domains)
        └── Tech Fingerprinting (what's running)
            └── Endpoint Discovery (attack surface)
                └── Vulnerability Testing (per vulnerability type)

2. SUBDOMAIN ENUMERATION (CRITICAL FIRST STEP)

Passive (no DNS queries to target)

```bash
# Subfinder (aggregates multiple sources):
subfinder -d target.com -o subdomains.txt

# Amass passive:
amass enum -passive -d target.com

# crt.sh (certificate transparency). name_value carries one name per line and wildcard
# certificates show up as *.target.com, so strip that prefix before deduplicating:
curl -s "https://crt.sh/?q=%.target.com&output=json" \
  | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

# SecurityTrails API, Shodan: further passive sources, queried through their own CLIs/APIs
```

Active (DNS brute force + resolution)

```bash
# Massdns + wordlist (process substitution hands the generated FQDNs to massdns as its domain list):
massdns -r /path/to/resolvers.txt -t A -o S -w output.txt \
  <(sed 's/$/.target.com/' wordlist.txt)

# ffuf for subdomain brute over HTTP (the Host header is already implied by -u, the -H is harmless):
ffuf -w subdomains-wordlist.txt -u https://FUZZ.target.com \
  -mc 200,301,302,403 -H "Host: FUZZ.target.com"

# DNSx for bulk resolution:
cat subdomains.txt | dnsx -a -resp -o resolved.txt

# Recommended wordlist: SecLists/Discovery/DNS/
```

Virtual Host Discovery

```bash
# ffuf vhost mode. Every candidate hits the same IP, so the default vhost answers for all of
# them; use -ac (auto-calibrate) or -fs <size> to drop that baseline response or you will
# "discover" the whole wordlist:
ffuf -w wordlist.txt -u https://target.com \
  -H "Host: FUZZ.target.com" -mc 200,301,403 -ac

# gobuster vhost (3.2+ needs --append-domain so FUZZ is sent as FUZZ.target.com):
gobuster vhost -u https://target.com -w wordlist.txt --append-domain
```

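The passive and active sources above emit names in different shapes: crt.sh returns wildcard entries and mixed case, some resolvers print a trailing dot, and look-alike domains (nottarget.com, target.com.evil-mirror.net) creep into merged lists. The following is an added example, not from the original playbook, that normalizes a merged candidate list down to unique, in-scope hostnames before it is handed to dnsx or massdns. The apex `target.com` and every candidate line are constructed placeholders mimicking real tool output.

```bash
#!/bin/sh
# Added example, not from the original playbook. Merge raw passive-source output into
# one clean, in-scope host list. "target.com" and all candidate lines are constructed.

normalize_hosts() {
    # $1 = in-scope apex; candidate names arrive on stdin, one per line
    apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # sed: trim whitespace, drop the *. prefix crt.sh emits for wildcard certs, drop a
    #      trailing dot. grep: keep only plausible hostnames (no e-mail addresses, URLs).
    # awk: keep the apex itself and true subdomains, so nottarget.com and
    #      target.com.evil-mirror.net fall out.
    tr 'A-Z' 'a-z' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^\*\.//' \
            -e 's/\.$//' \
      | grep -E '^([a-z0-9_-]+\.)*[a-z0-9-]+\.[a-z]+$' \
      | awk -v apex="$apex" \
            '$0 == apex || substr($0, length($0) - length(apex)) == ("." apex)' \
      | LC_ALL=C sort -u
}

sample_candidates() {
    # constructed: what a cat of crt.sh/subfinder/amass output typically looks like
    cat <<'EOF'
*.target.com
API.Target.com
api.target.com.
dev.target.com
www.target.com
dev.target.com
nottarget.com
target.com.evil-mirror.net
admin@target.com
  staging-01.internal.target.com
EOF
}

# Usage with real data: cat crtsh.txt subfinder.txt amass.txt | normalize_hosts target.com | dnsx -a -resp
sample_candidates | normalize_hosts target.com
```

The awk suffix test is the important part: a plain `grep target.com` would keep both look-alikes, and out-of-scope hosts in a bounty list are the fastest way to an invalid report.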
---

3. SERVICE AND PORT DISCOVERY

3. 服务与端口发现

```bash
# Fast port scan (-F = top 100 ports):
nmap -T4 -F target.com -oN ports.txt

# Comprehensive scan on resolved subdomains (common web ports only, open ports reported):
cat resolved_ips.txt | nmap -iL - --open -p 80,443,8080,8443,8888,3000,5000 -oG scan.txt

# httpx for HTTP probing (ProjectDiscovery's httpx; the Python httpx library installs a
# CLI with the same name, so check `httpx -version` if the flags below are rejected):
cat subdomains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt

# masscan for speed on large IP ranges (needs root; keep --rate modest and scan only
# ranges that are explicitly in scope, the /8 below is just a placeholder):
masscan -p 80,443,8080,8443 10.0.0.0/8 --rate=1000
```

---

4. WEB TECHNOLOGY FINGERPRINTING

4. Web技术指纹识别

```bash
# Wappalyzer (browser extension) or:

# httpx with tech detection:
httpx -u https://target.com -tech-detect

# Check headers manually (plain grep treats | literally; -E makes it alternation):
curl -sI https://target.com | grep -iE "server|x-powered-by|x-generator|cf-ray"
```

Fingerprint from:

指纹可从以下位置获取:

  • Server header: nginx/1.18, Apache/2.4, IIS/10.0
  • X-Powered-By: PHP/7.4, ASP.NET
  • Cookies: PHPSESSID (PHP), JSESSIONID (Java), _rails_session (Rails)
  • HTML comments: <!-- Drupal 9 -->
  • Meta generator: <meta name="generator" content="WordPress 6.2">
  • JS framework files: /static/js/angular.min.js

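The bullets above list where fingerprints live; the curl one-liner only looks at headers. This added example, not part of the original page, pulls all of those markers (version-bearing headers, session cookie names, meta generator, HTML comments, bundled script paths) out of one saved raw response, so the same logic can run over a directory of `curl -si` captures without touching the target again. The response text is constructed, and the cookie-name to stack mapping covers the defaults named above plus a few other common frameworks.

```bash
#!/bin/sh
# Added example, not from the original page. Fingerprint a saved raw HTTP response
# (e.g. `curl -si https://target.com > resp.txt`). The sample response is constructed.

fingerprint_response() {
    # $1 = file with status line, headers, blank line, body (CRLF or LF line endings)
    resp=$1
    hdrs=$(awk '{ sub(/\r$/, "") } NR == 1 { next } /^$/ { exit } { print }' "$resp")
    body=$(awk '{ sub(/\r$/, "") } inbody { print; next } /^$/ { inbody = 1 }' "$resp")

    # 1. version-bearing headers; names lowercased so matching is case-insensitive
    printf '%s\n' "$hdrs" | awk '{
        name = tolower($0); sub(/:.*/, "", name)
        if (name ~ /^(server|x-powered-by|x-generator|x-aspnet-version|via|cf-ray)$/) {
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); printf "%s=%s\n", name, val
        }
    }'

    # 2. session cookie names map to a stack (framework defaults; extend as needed)
    printf '%s\n' "$hdrs" | awk 'tolower($0) ~ /^set-cookie:/ {
        c = $0; sub(/^[^:]*:[ \t]*/, "", c); sub(/[=;].*/, "", c); print c }' \
    | while IFS= read -r name; do
        case "$name" in
            PHPSESSID)                 stack="PHP" ;;
            JSESSIONID)                stack="Java servlet container" ;;
            ASP.NET_SessionId)         stack="ASP.NET" ;;
            _rails_session|_*_session) stack="Rails" ;;
            csrftoken|sessionid)       stack="Django" ;;
            connect.sid)               stack="Express (express-session)" ;;
            laravel_session)           stack="Laravel" ;;
            wordpress_*|wp-settings*)  stack="WordPress" ;;
            *)                         stack="unknown" ;;
        esac
        printf 'cookie %s -> %s\n' "$name" "$stack"
    done

    # 3. body markers: meta generator, HTML comments, bundled JS paths
    printf '%s\n' "$body" | grep -io '<meta[^>]*name="generator"[^>]*>' \
        | sed -n 's/.*content="\([^"]*\)".*/generator=\1/p'
    printf '%s\n' "$body" | grep -o '<!--[^>]*-->' | sed 's/^/comment=/'
    printf '%s\n' "$body" | grep -oE 'src="[^"]+\.js[^"]*"' | sed 's/^src="\(.*\)"$/script=\1/'
}

write_sample_response() {
    # constructed response in the shape `curl -si` saves it
    cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.33
Set-Cookie: PHPSESSID=9f2c1a7b; Path=/; HttpOnly
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 6.2">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body><!-- theme: twentytwentythree --></body></html>
EOF
}

tmp=$(mktemp)
write_sample_response "$tmp"
fingerprint_response "$tmp"
rm -f "$tmp"
```

Run it over a batch with `for f in captures/*.txt; do echo "== $f"; fingerprint_response "$f"; done`; three independent signals agreeing on a stack (header, cookie, generator) is worth far more than any single one, which is easy to spoof or strip.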
---

5. ENDPOINT DISCOVERY

5. 端点发现

Directory Brute Force

目录暴力破解

```bash
# ffuf (fastest):
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -mc 200,301,302,403 -t 50 -o dirs.txt

# Gobuster:
gobuster dir -u https://target.com -w wordlist.txt -x php,html,js,json

# feroxbuster (recursive by default: -n disables recursion, -d N caps the depth; -r follows redirects):
feroxbuster -u https://target.com -w wordlist.txt -x php,html,txt -r
```

Parameter Discovery

参数发现

```bash
# Arjun (hidden parameter finder):
arjun -u https://target.com/api/endpoint

# x8:
x8 -u https://target.com/api/endpoint -w params-wordlist.txt
```

JavaScript Source Mining

JavaScript源码挖掘

```bash
# Extract endpoints from JS files (escape the dot and allow a query string: a bare '.js$'
# matches any character before "js" and misses app.js?v=123):
gau target.com | grep -E '\.js(\?|$)' | httpx -mc 200 | xargs -I{} curl -s {} \
  | grep -oE '"/[a-zA-Z0-9/_-]+"' | sort -u

# LinkFinder:
python3 linkfinder.py -i https://target.com -d -o output.html

# GetAllURLs (gau):
gau target.com | sort -u > all_urls.txt

# Wayback URLs:
waybackurls target.com | sort -u > wayback_urls.txt
```

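The grep in the pipeline above only catches double-quoted paths made of letters, digits, `/`, `_` and `-`, so it misses single-quoted strings, template literals with `${...}` placeholders, query strings, and absolute URLs that point at other hosts (often new subdomains). This added example, not the page's code, widens the extraction and drops static assets; the JavaScript it parses is constructed, and `target.com` is a placeholder.

```bash
#!/bin/sh
# Added example, not the page's code. Wider endpoint extraction from JavaScript source.
# The sample JS is constructed.

extract_endpoints() {
    # stdin: JavaScript (one or many files concatenated); stdout: unique candidate paths/URLs
    q="\"'\`"                                   # the three JS string delimiters: " ' `
    # group 1: a root-relative path, keeping ${...} so parameterized segments stay visible
    # group 2: an absolute http(s) URL, useful for spotting hosts the recon missed
    pat="[$q](/[A-Za-z0-9_./?=&%:@{}\$-]+|https?://[^$q[:space:]]+)[$q]"
    grep -oE "$pat" \
      | sed "s/^[$q]//; s/[$q]\$//" \
      | grep -vE '\.(png|jpe?g|gif|svg|ico|css|woff2?|ttf|map)(\?|$)' \
      | LC_ALL=C sort -u
}
# The asset filter drops images/fonts/styles but keeps .js, so bundles on other hosts
# remain in the list and can be fetched and mined in turn.

sample_js() {
    # constructed: the string shapes a real bundle mixes together
    cat <<'EOF'
const API = "/api/v2";
const CDN = "https://cdn.target.com/app.js";
fetch(API + '/users/' + id, {method: 'GET'});
axios.post("/api/v2/auth/reset-password", body);
fetch(`/api/v2/orders/${id}/invoice`);
$.get('/internal/debug/config.json?env=prod');
// legacy: "/admin/export.php"
var img = "/static/img/logo.png";
EOF
}

# Live usage: gau target.com | grep -E '\.js(\?|$)' | httpx -mc 200 | xargs -n1 curl -s | extract_endpoints
sample_js | extract_endpoints
```

Expect noise (partial paths like `/users/` that are concatenated at runtime); that noise is still a lead, because it tells you which prefix to combine with which suffix when you replay requests.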
API Endpoint Discovery

API端点发现

```bash
# Common API paths:
ffuf -u https://target.com/FUZZ -w /SecLists/Discovery/Web-Content/api/api-endpoints.txt

# Swagger/OpenAPI, test:
#   /swagger.json /api-docs /openapi.json /v2/api-docs /.well-known/ /docs/

# GraphQL, test:
#   /graphql /gql /v1/graphql /api/graphql
```

---

6. SOURCE CODE RECON

6. 源代码侦察

GitHub / GitLab Exposure

GitHub / GitLab 信息泄露

```bash
# trufflehog (secret scanner in git history; repository URL is a placeholder):
trufflehog git https://github.com/target-org/repo

# gitleaks:
gitleaks detect --source /path/to/cloned/repo

# Manual GitHub search (via a web search engine):
#   site:github.com "target.com" "api_key" OR "secret" OR "password"
#   site:github.com "target.com" ".env" OR "config.php" OR "db_password"

# GitHub dorks. extension: and filename: are legacy qualifiers; the current GitHub
# code search expresses both with path:, e.g. "target.com" path:*.env
#   "target.com" extension:env
#   "target.com" filename:*.config password
#   org:target-org secret OR password OR apikey
```

Exposed Environment Files

Check common paths:

7. ZSEANO'S TESTING METHODOLOGY

7. ZSEANO测试方法论

Core Philosophy

核心理念

  1. Go deep on one program rather than spread across many: learn the application thoroughly
  2. Build a profile of the company: tech stack, developers, processes
  3. Look where others don't: error pages, admin paths, old versions, the mobile API
  4. Follow the filter: if input is filtered somewhere, the underlying functionality exists, the developers were worried about it, and the filter may be bypassable

Testing Sequence (One Page / Feature)

测试流程(单页面/功能)

For each input point:
1. Non-malicious HTML tags (<h2>, <img>) → are they reflected unencoded?
2. Incomplete tags → what happens? (<iframe src=//evil.com )
3. Encoding tests → %0d, %0a, %09, <%00
4. Observe the OUTPUT too (not just the immediate response): where does your input land? HTML body, attribute, JS string, e-mail, PDF export, admin view
5. Test the same input in ALL similarly-structured pages (shared code → shared vuln)
6. Check whether the same parameter exists on the mobile/API endpoint (often less protected)

Parameter Insights

参数分析思路

- Each parameter tells a story: "what does this do server-side?"
- Filename → OS interaction → Path Traversal / CMDi
- URL/location → HTTP fetch → SSRF
- Template/HTML parameter → render function → SSTI
- XML field → parser → XXE
- SQL filter → query → SQLi
- User-content → storage → Stored XSS

8. BUG BOUNTY PROGRAM TRIAGE (WHERE TO SPEND TIME)

8. 漏洞赏金项目筛选(时间投入优先级)

High-Value Target Selection

高价值目标选择

✓ Programs with large scope (*.target.com)
✓ Programs that pay for P2/P3 (not just RCE)
✓ Programs with recent tech changes (migrations = new bugs)
✓ Programs with active development (new features = new attack surface)
× Avoid: frozen/old codebases with well-known CVEs (already claimed)
× Avoid: strict programs with narrow scope (less surface)

High-Value Feature Focus (by bug probability)

高价值功能优先级(按漏洞概率排序)

Priority 1: Authentication, password reset, 2FA → account takeover
Priority 2: File upload, profile edit, API endpoints → stored XSS, IDOR
Priority 3: Admin panels, user management → BFLA, privilege escalation
Priority 4: Payment flows, subscription → business logic
Priority 5: Import/export, template rendering → XXE, SSTI

9. NUCLEI TEMPLATES (AUTOMATED SCANNING)

9. NUCLEI模板(自动化扫描)

```bash
# Run all on target:
nuclei -u https://target.com -t /nuclei-templates/ -o nuclei-results.txt

# Specific categories:
nuclei -u https://target.com -t cves/ -severity critical,high
nuclei -u https://target.com -t exposures/
nuclei -u https://target.com -t misconfiguration/

# On subdomain list:
cat subdomains.txt | nuclei -t exposures/ -t misconfiguration/ -o exposed.txt
```

---

10. COMMON MISCONFIGURATIONS (QUICK WINS)

10. 常见配置错误(快速得分点)

□ CORS: Access-Control-Allow-Origin reflects the request Origin (or allows null) together with Access-Control-Allow-Credentials: true → cross-origin read of authenticated data. A literal * combined with credentials is refused by browsers and is not the exploitable case.
□ S3 bucket public: curl https://target.s3.amazonaws.com/ (a key listing rather than AccessDenied)
□ Directory listing: response contains "Index of /"
□ .git exposed: curl https://target.com/.git/config
□ .env exposed: curl https://target.com/.env
□ Debug mode: stack traces in production (source code exposure)
□ Default credentials: admin:admin, admin:password on admin panels
□ phpinfo.php: curl https://target.com/phpinfo.php
□ Backup files: config.bak, database.sql.gz, app.zip
□ GraphQL introspection enabled: POST /graphql {"query":"{__schema{types{name}}}"}
□ Admin panels: /admin /manager /console /phpmyadmin /wp-admin

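The CORS item above is the one on this list most often mis-reported, because the headers that look scariest (`*` plus credentials) are exactly the ones browsers refuse to honour. This added example, not from the original checklist, takes the raw headers of a response and the Origin an attacker page would send, and classifies the combination the way a browser would treat it. The five header sets are constructed to cover reflection, wildcard-with-credentials, null origin, a fixed allowlist and no CORS at all; `https://evil.example` is a placeholder attacker origin.

```bash
#!/bin/sh
# Added example, not from the original checklist. Classify a CORS response the way a
# browser treats it. sample_headers builds constructed responses; the attacker origin
# https://evil.example is a placeholder.

cors_verdict() {
    # $1 = Origin the attacker's page sends; raw response headers on stdin
    origin=$1
    hdrs=$(cat)
    acao=$(printf '%s\n' "$hdrs" | awk '{ sub(/\r$/, "") }
        tolower($0) ~ /^access-control-allow-origin:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    acac=$(printf '%s\n' "$hdrs" | awk '{ sub(/\r$/, "") }
        tolower($0) ~ /^access-control-allow-credentials:/ { sub(/^[^:]*:[ \t]*/, ""); print tolower($0); exit }')

    if [ -z "$acao" ]; then
        echo "no-cors: no Access-Control-Allow-Origin, cross-origin reads are blocked"
    elif [ "$acao" = "*" ]; then
        if [ "$acac" = "true" ]; then
            echo "wildcard+credentials: browsers refuse * with credentials, authenticated data still unreadable"
        else
            echo "wildcard: any origin reads the response; a finding only if the data is not protected by cookies/auth"
        fi
    elif [ "$acao" = "null" ]; then
        if [ "$acac" = "true" ]; then
            echo "null-origin: Origin null allowed with credentials, exploitable from a sandboxed iframe"
        else
            echo "null-origin: Origin null allowed without credentials, low impact"
        fi
    elif [ "$acao" = "$origin" ]; then
        if [ "$acac" = "true" ]; then
            echo "exploitable: attacker origin reflected with credentials, authenticated responses readable cross-origin"
        else
            echo "reflected-no-credentials: origin reflected but cookies are not sent; low impact unless auth is IP/network based"
        fi
    else
        echo "fixed-allowlist: Access-Control-Allow-Origin is $acao, not the attacker origin"
    fi
}

sample_headers() {
    # constructed responses, one per misconfiguration class
    case "$1" in
        reflect)  printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://evil.example\r\nAccess-Control-Allow-Credentials: true\r\n' ;;
        wildcard) printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Credentials: true\r\n' ;;
        null)     printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: null\r\nAccess-Control-Allow-Credentials: true\r\n' ;;
        fixed)    printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://app.target.com\r\nVary: Origin\r\n' ;;
        none)     printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n' ;;
    esac
}

# Live usage: curl -si -H 'Origin: https://evil.example' https://target.com/api/me | cors_verdict https://evil.example
for c in reflect wildcard null fixed none; do
    printf '%-9s %s\n' "$c" "$(sample_headers "$c" | cors_verdict https://evil.example)"
done
```

Only the `exploitable` and credentialed `null-origin` verdicts are reportable on their own; for the rest, the report needs to show what a cross-origin reader actually gains.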
11. QUICK REFERENCE TOOLS

11. 快速参考工具表

| Category        | Tool                         |
|-----------------|------------------------------|
| Subdomain enum  | subfinder, amass, massdns    |
| Port scan       | nmap, masscan                |
| HTTP probe      | httpx                        |
| Dir brute       | ffuf, feroxbuster, gobuster  |
| JS mining       | LinkFinder, gau, waybackurls |
| Secret scan     | trufflehog, gitleaks         |
| Parameter fuzz  | arjun, x8                    |
| Vuln scan       | nuclei                       |
| Proxy/intercept | Burp Suite Pro               |
| JWT attacks     | jwt_tool                     |
| SQLi            | sqlmap                       |
| XSS             | dalfox, XSStrike             |
| SSRF            | SSRFmap, Gopherus            |

12. JAVA MIDDLEWARE FINGERPRINT MATRIX

12. Java中间件指纹矩阵

| Middleware | Detection Path | Key Indicators |
|---|---|---|
| Apache Tomcat | /manager/html, /manager/status | Default creds: tomcat:tomcat, admin:admin |
| JBoss / WildFly | /jmx-console/, /web-console/ | JMX MBean access, WAR deployment |
| WebLogic | /console/, /wls-wsat/ | T3 protocol on 7001/7002, IIOP |
| Spring Boot Actuator | /actuator/, /actuator/env, /actuator/heapdump | JSON endpoint listing, heap dump contains secrets (Spring Boot 1.x serves the same endpoints without the /actuator prefix) |
| Spring Boot (alt paths) | /actuator/jolokia, /actuator/gateway/routes | Jolokia JMX bridge, Gateway route injection |
| Jenkins | /script, /manage | Groovy script console; the X-Jenkins response header reveals the version |
| GlassFish | /common/, /theme/ | Admin on 4848, default empty password |
| Jetty | /jolokia/ | JMX access where the Jolokia agent is deployed |
| Resin | /resin-admin/ | Admin panel |

Spring Boot Actuator Exploitation Priority

Spring Boot Actuator 利用优先级

/actuator/env          → Leak environment variables (DB creds, API keys)
/actuator/heapdump     → Download JVM heap → search for passwords in memory
/actuator/jolokia      → JMX → possible RCE via MBean manipulation
/actuator/gateway/routes → Spring Cloud Gateway → SpEL injection (CVE-2022-22947)
/actuator/configprops  → All configuration properties
/actuator/mappings     → All URL mappings (hidden endpoints)
/actuator/beans        → All Spring beans
/actuator/shutdown     → POST to shutdown application (DoS)

13. INFORMATION LEAK DETECTION CHECKLIST

13. 信息泄露检测清单

Version Control & Backup Leaks

版本控制与备份泄露

/.git/HEAD                    → Git repository exposed (source and history recoverable)
/.svn/entries                 → SVN metadata (pre-1.7 working-copy layout)
/.svn/wc.db                   → SVN SQLite database (1.7+ working-copy layout)
/.hg/requires                 → Mercurial
/.bzr/README                  → Bazaar
/.DS_Store                    → macOS Finder metadata; leaks the file names in that directory

Backup File Patterns

备份文件模式

/backup.zip    /backup.tar.gz    /backup.sql
/wwwroot.rar   /www.zip          /web.zip
/db.sql        /database.sql     /dump.sql
/config.php.bak    /config.php~    /config.php.swp
/.config.php.swp   /wp-config.php.bak
/.env          /.env.bak         /.env.production

API Documentation & Debug

API文档与调试接口

/swagger-ui.html              → Swagger/OpenAPI
/swagger-ui/                  → Swagger UI
/api-docs                     → API documentation
/graphql                      → GraphQL playground
/graphiql                     → GraphQL IDE
/debug/                       → Debug endpoints
/phpinfo.php                  → PHP configuration
/server-status                → Apache status
/server-info                  → Apache info
/nginx_status                 → Nginx status

Cloud & Infrastructure

云与基础设施

/.aws/credentials             → AWS credentials
/.docker/config.json          → Docker registry auth
/robots.txt                   → Disallowed paths (hint list)
/sitemap.xml                  → Full URL listing
/crossdomain.xml              → Flash cross-domain policy
/.well-known/                 → Various well-known URIs