SRC漏洞挖掘实战指南<\/h1>

信息收集方法论<\/h2>

企业资产信息收集<\/h3>

企业关联信息查询工具<\/strong>：<\/p>

企查查 (https:\/\/www.qcc.com)<\/li>
天眼查 (https:\/\/www.tianyancha.com\/)<\/li>
启信宝 (https:\/\/www.qixin.com\/)<\/li> <\/ul> <\/li>

关键查询内容<\/strong>：<\/p>

子公司信息（100%全资子公司漏洞必收）<\/li>
同电话企业（通常为子公司）<\/li>
股份穿透图（控股超过50%的子公司）<\/li>
企业App、小程序、品牌资产<\/li> <\/ul> <\/li>

其他信息收集工具<\/strong>：<\/p>

站长之家 (http:\/\/whois.chinaz.com\/)：邮箱\/注册人\/电话反查<\/li>
七麦数据 (https:\/\/www.qimai.cn\/)：查询冷门App<\/li>
BroDomain (https:\/\/github.com\/code-scan\/BroDomain)：兄弟域名查询<\/li> <\/ul> <\/li> <\/ol>
子域名收集技术<\/h3>

工具推荐<\/strong>：<\/p>

OneForAll (https:\/\/github.com\/shmilylty\/OneForAll)
python oneforall.py --targets .\/domain.txt run <\/span><\/span>python oneforall.py --targets .\/domain.txt --brute true run <\/span><\/span><\/code><\/pre><\/li> Xray高级版子域名探测<\/li> Layer子域名挖掘机<\/li> <\/ul> <\/li> GitHub搜索技巧<\/strong>：<\/p> 直接搜索目标域名，可能已有他人分享的子域名结果<\/li> <\/ul> <\/li> 扫描优化建议<\/strong>：<\/p> 代理和非代理环境下分别扫描（结果可能有差异）<\/li> 对无CDN保护的IP（如开放22端口）进行全端口扫描<\/li> <\/ul> <\/li> <\/ol> 网站信息收集<\/h3> 综合扫描工具<\/strong>：<\/p> Goby (https:\/\/gobies.org\/)：可视化端口扫描和指纹识别<\/li> BBScan (https:\/\/github.com\/lijiejie\/BBScan)：快速探测C段资产管理后台探测<\/li> 敏感信息泄露检查<\/li> 自定义扫描规则<\/li> <\/ul> <\/li> <\/ul> <\/li> JS信息收集<\/strong>：<\/p> JSFinder (https:\/\/github.com\/Threezh1\/JSFinder)：快速提取JS中的URL和敏感信息<\/li> rad爬虫 (https:\/\/github.com\/chaitin\/rad)：Xray配套爬虫<\/li> JSINFO-SCAN (https:\/\/github.com\/p1g3\/JSINFO-SCAN)：匹配JS中的敏感信息<\/li> <\/ul> <\/li> <\/ol> 常见漏洞挖掘技巧<\/h2> 登录框相关漏洞<\/h3> 验证码绕过技术<\/strong>：<\/p> 验证码不刷新<\/li> 抓包删除验证码参数<\/li> 验证码置空<\/li> XFF头伪造 (使用burpFakeIP插件)<\/li> 账号后加空格绕过错误限制<\/li> <\/ul> <\/li> 弱口令爆破<\/strong>：<\/p> 社工字典生成工具：BaiLu-SED-Tool<\/li> 针对性字典制作：域名相关关键词<\/li> 员工邮箱格式<\/li> 企业名称变体<\/li> <\/ul> <\/li> 强密码字典参考： https:\/\/github.com\/huyuanzhi2\/password_brute_dictionary<\/li> <\/ul> <\/li> <\/ul> <\/li> 短信\/邮箱轰炸<\/strong>：<\/p> 绕过姿势：参数加空格<\/li> 加任意字母<\/li> 前面加86<\/li> XFF头伪造IP<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 信息泄露漏洞<\/h3> GitHub信息泄露<\/strong>：<\/p> 搜索关键词参考： org:companyname password companyname api_key companyname secret <\/code><\/pre> <\/li> 监控工具：GSIL (https:\/\/github.com\/FeeiCN\/GSIL)<\/li> <\/ul> <\/li> 配置错误泄露<\/strong>：<\/p> 精简字典优先扫描：备份文件 (www.zip, backup.tar.gz等)<\/li> SpringBoot泄露 (env, heapdump等)<\/li> 常见后台路径<\/li> <\/ul> <\/li> 扫描工具选择： Dirsearch\/Dirmap：命令行高效扫描<\/li> TEST404\/御剑：可视化扫描<\/li> <\/ul> <\/li> <\/ul> <\/li> 越权信息泄露<\/strong>：<\/p> Burp插件辅助： burp-unauth-checker：未授权检测<\/li> burp-sensitive-param-extractor：敏感参数提取<\/li> <\/ul> <\/li> 常见越权类型：用户ID遍历<\/li> 功能对象ID遍历<\/li> 接口身份越权<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> CSRF漏洞挖掘<\/h3> 常见漏洞点<\/strong>：<\/p> 用户资料修改<\/li> 文章发表\/删除<\/li> 评论操作<\/li> 收货地址管理<\/li> 管理员添加<\/li> <\/ul> <\/li> POC构造<\/strong>：<\/p> GET型： <\/span><\/span><\/code><\/pre><\/li> POST型： <form<\/span> action<\/span>=<\/span>"http:\/\/target.com\/action"<\/span> method<\/span>=<\/span>"POST"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"param"<\/span> value<\/span>=<\/span>"value"<\/span>> <\/span><\/span><\/form<\/span>> <\/span><\/span><script<\/span>>document.forms<\/span>[0<\/span>].submit<\/span>();<\/script<\/span>> <\/span><\/span><\/code><\/pre><\/li> JSON格式绕过： fetch<\/span>('http:\/\/target.com\/api'<\/span>, { <\/span><\/span> method<\/span>:<\/span> 'POST'<\/span>, <\/span><\/span> headers<\/span>:<\/span> {'Content-Type'<\/span>:<\/span> 'text\/plain'<\/span>}, <\/span><\/span> body<\/span>:<\/span> '{"param":"value"}'<\/span> <\/span><\/span>}) <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> Flash CSRF<\/strong>：<\/p> 检查crossdomain.xml配置： <?xml version="1.0"?><\/span> <\/span><\/span><cross-domain-policy><\/span> <\/span><\/span> <allow-access-from<\/span> domain=<\/span>"*"<\/span>\/><\/span> <\/span><\/span><\/cross-domain-policy><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 文件上传漏洞<\/h3> 绕过技巧<\/strong>：<\/p> 双写绕过：<iimgmg src=1 oonerrornerror=alert(1)><\/code><\/li> 大小写混淆：<iMg src=1 oNerRor=alert(1)><\/code><\/li> 编码绕过： <\/span><\/span><\/code><\/pre><\/li> 特殊构造： <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 实际利用<\/strong>：<\/p> 上传HTML文件实现存储型XSS<\/li> 目录穿越尝试：..\/filename<\/code><\/li> 结合其他漏洞（如CORS）扩大危害<\/li> <\/ul> <\/li> <\/ol> XSS漏洞挖掘<\/h3> 常用Payload<\/strong>：<\/p> <script<\/span>>alert<\/span>(1<\/span>)<\/script<\/span>> <\/span><\/span><svg<\/span> onload<\/span>=<\/span>alert(1)<\/span>> <\/span><\/span> <\/span><\/span><details<\/span> open<\/span> ontoggle<\/span>=<\/span>alert(1)<\/span>> <\/span><\/span><iframe<\/span> src<\/span>=<\/span>javascript:alert(1)<\/span>><\/iframe<\/span>> <\/span><\/span><\/code><\/pre><\/li> 高级绕过技巧<\/strong>：<\/p> 空格替代：``<\/li> 编码混淆： <\/span><\/span><\/code><\/pre><\/li> 异常处理： <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 高阶漏洞挖掘策略<\/h2> 自动化信息收集体系<\/strong>：<\/p> 建立自动化资产发现流程<\/li> 实现结果自动去重和分类<\/li> 定期监控资产变化<\/li> <\/ul> <\/li> 漏洞组合利用<\/strong>：<\/p> 信息泄露 + 弱口令 = 后台访问<\/li> 越权 + CSRF = 大规模账户接管<\/li> 文件上传 + 解析漏洞 = RCE<\/li> <\/ul> <\/li> WAF绕过思路<\/strong>：<\/p> 研究目标WAF特性<\/li> 收集特定WAF绕过技巧<\/li> 使用非常规编码和分隔符<\/li> <\/ul> <\/li> 威胁情报提交<\/strong>：<\/p> 关注羊毛群等非传统信息源<\/li> 监控企业相关漏洞讨论<\/li> 及时提交0day情报<\/li> <\/ul> <\/li> <\/ol> 实战建议<\/h2> 心态调整<\/strong>：<\/p> 以学习为主要目的<\/li> 不盲目追求漏洞数量<\/li> 重视漏洞质量而非奖金<\/li> <\/ul> <\/li> 持续学习<\/strong>：<\/p> 研究历史漏洞报告（Wooyun\/HackerOne）<\/li> 关注最新漏洞研究动态<\/li> 参与安全社区讨论<\/li> <\/ul> <\/li> 效率提升<\/strong>：<\/p> 建立个人漏洞知识库<\/li> 开发自动化测试工具链<\/li> 定期总结挖掘经验<\/li> <\/ul> <\/li> <\/ol> 通过系统化的信息收集和针对性的漏洞探测，即使是初学者也能在SRC挖掘中有所收获。关键在于保持耐心，注重细节，并不断积累实战经验。<\/p>