<\/p>\n\n\n\n
\u5efa\u7acb\u5b8c\u6574\u7684 Web \u6ef2\u900f\u6e2c\u8a66\u6d41\u7a0b\u8207\u653b\u64ca\u601d\u7dad\uff0c\u8b93\u5b78\u54e1\u80fd\u5728\u6388\u6b0a\u7bc4\u570d\u5167\u9032\u884c\u7cfb\u7d71\u5316\u5075\u67e5\u3001\u8cc7\u7522\u76e4\u9ede\u8207\u98a8\u96aa\u5224\u5b9a\uff1b\u719f\u7df4\u6f0f\u6d1e\u9a57\u8b49\u8207\u5229\u7528\u65b9\u6cd5\u4e26\u80fd\u7522\u51fa\u53ef\u91cd\u73fe\u7684\u6e2c\u8a66\u6b65\u9a5f<\/p>\n\n\n\n
\u4e86\u89e3\u6ef2\u900f\u6d41\u7a0b\uff0c\u4e26\u719f\u7df4\u4f7f\u7528 Burp Suite\u8207\u5e38\u7528\u6ef2\u900f\u6383\u63cf\u5de5\u5177\uff1b\u638c\u63e1\u624b\u52d5\u8207\u81ea\u52d5\u6aa2\u6e2c\u6d41\u7a0b\uff0c\u80fd\u8fa8\u8b58\u4e26\u9a57\u8b49XSS\u3001SQLi\u3001\u6a94\u6848\u4e0a\u50b3\u3001SSRF\u3001\u8a8d\u8b49\u7b49\u5e38\u898b\u6f0f\u6d1e\uff1b\u5177\u5099\u57fa\u672c\u64b0\u5beb\u6e2c\u8a66\u5831\u544a\u3001\u5206\u985e\u98a8\u96aa\u7b49\u7d1a\u7684\u5224\u65b7\u3002<\/p>\n\n\n\n
\u5206\u70ba\u56db\u5927\u6a21\u7d44\uff1a\u6982\u8ad6\uff08\u653b\u64ca\u6a21\u578b\u3001\u6ef2\u900f\u6d41\u7a0b\uff09\u3001\u5de5\u5177\u64cd\u4f5c\uff08\u5e38\u7528\u6ef2\u900f\u5de5\u5177\u5be6\u4f5c\uff09\u3001\u6f0f\u6d1e\u6316\u6398\u5be6\u4f5c\uff08\u5229\u7528BurpSuite\u5c0b\u627e\u5e38\u898b\u6f0f\u6d1e\uff09\u3001\u5be6\u6230\u9776\u6a5f\u6f14\u7df4\uff08\u7531\u6dfa\u5165\u6df1\u7684\u9776\u6a5f\u6311\u6230\uff09\uff1b<\/p>\n\n\n\n
\u53ef\u61c9\u5fb5\u8cc7\u5b89\u5de5\u7a0b\u5e2b\u3001\u5f31\u9ede\u6383\u63cf\u5de5\u7a0b\u5e2b\u3001\u6ef2\u900f\u6e2c\u8a66\u5de5\u7a0b\u5e2b\uff0c\u5177\u5be6\u6230\u7d93\u9a57\u5f8c\u53ef\u5f80\u7d05\u968a\u3001\u8cc7\u6df1\u6ef2\u900f\u6e2c\u8a66\u767c\u5c55\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5728\u8cc7\u5b89\u9818\u57df\uff0c\u6211\u5011\u4f7f\u7528\u6a19\u6e96\u5316\u7684\u6a21\u578b\u4f86\u5206\u6790\u653b\u64ca\u884c\u70ba\u8207\u7cfb\u7d71\u5f31\u9ede\uff1a<\/p>\n\n\n\n
\u7531 Lockheed Martin \u63d0\u51fa\uff0c\u5c07\u653b\u64ca\u884c\u70ba\u5206\u89e3\u70ba\u4e03\u500b\u968e\u6bb5\u3002\u7406\u89e3\u6b64\u6a21\u578b\u6709\u52a9\u65bc\u6211\u5011\u5728\u653b\u64ca\u7684\u4e0d\u540c\u968e\u6bb5\u5efa\u7acb\u9632\u79a6\u9ede\u3002<\/p>\n\n\n\n
\u5728\u57f7\u884c\u6ef2\u900f\u6e2c\u8a66\u524d\uff0c\u5fc5\u9808\u5148\u4e86\u89e3\u4f55\u8b02\u6f0f\u6d1e\u8a55\u4f30\u3002\u9019\u662f\u4e00\u500b\u7cfb\u7d71\u5316\u5730\u767c\u73fe\u3001\u78ba\u8a8d\u4e26\u5340\u5206\u7cfb\u7d71\u5f31\u9ede\u512a\u5148\u7d1a\u7684\u904e\u7a0b\u3002<\/p>\n\n\n\n
\u60c5\u5831\u6536\u96c6\u662f\u6ef2\u900f\u6e2c\u8a66\u4e2d\u6700\u95dc\u9375\u7684\u4e00\u74b0\uff0c\u6c7a\u5b9a\u4e86\u5f8c\u7e8c\u653b\u64ca\u7684\u6210\u529f\u7387\u3002<\/p>\n\n\n\n
\n\u5b9a\u7fa9\uff1a<\/strong> \u5728\u4e0d\u76f4\u63a5\u63a5\u89f8\u76ee\u6a19\u4f3a\u670d\u5668\u7684\u60c5\u6cc1\u4e0b\u7372\u53d6\u8cc7\u8a0a\uff0c\u96b1\u853d\u6027\u6700\u9ad8\u3002<\/p>\n<\/blockquote>\n\n\n\n
\n
- Google Dorks (Google \u99ed\u5ba2\u8a9e\u6cd5)\uff1a<\/strong> \u5229\u7528\u641c\u5c0b\u5f15\u64ce\u5f37\u5927\u7684\u7d22\u5f15\u80fd\u529b\uff0c\u6316\u6398\u76ee\u6a19\u6d29\u6f0f\u7684\u654f\u611f\u8cc7\u6599\u6216\u5f8c\u53f0\u8def\u5f91\u3002\n
\n
- \u5e38\u7528\u5de5\u5177\uff1a<\/strong> Google Dork \u5be6\u7528\u6e05\u55ae<\/a><\/li>\n\n\n\n
- \u6559\u5b78\u6587\u7ae0\uff1a<\/strong> \u638c\u63e1 Google Dorks \u6280\u5de7<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- \u7db2\u8def\u7a7a\u9593\u641c\u5c0b\u5f15\u64ce\uff1a<\/strong> \u4f7f\u7528\u5982 Shodan \u6216 Censys \u641c\u5c0b\u5168\u7403\u9023\u7db2\u8a2d\u5099\u7684\u958b\u653e\u57e0\u53e3\u8207\u670d\u52d9\u7248\u672c\u3002\n
\n
- \u6559\u5b78\u6587\u7ae0\uff1a<\/strong> \u5982\u4f55\u4f7f\u7528\u7db2\u8def\u7a7a\u9593\u641c\u5c0b\u5f15\u64ce<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
B. \u4e3b\u52d5\u5075\u67e5 (Active Reconnaissance)<\/h4>\n\n\n\n
\n\u5b9a\u7fa9\uff1a<\/strong> \u76f4\u63a5\u767c\u9001\u5c01\u5305\u81f3\u76ee\u6a19\u7cfb\u7d71\u9032\u884c\u6383\u63cf\uff0c\u96d6\u7136\u8cc7\u8a0a\u6e96\u78ba\uff0c\u4f46\u5bb9\u6613\u88ab\u9632\u706b\u7246\u6216 IDS (\u5165\u4fb5\u5075\u6e2c\u7cfb\u7d71) \u8a18\u9304\u3002<\/p>\n<\/blockquote>\n\n\n\n
\n
- Nmap\uff1a\u7db2\u8def\u6383\u63cf\u4e4b\u738b<\/strong> \u7528\u65bc\u767c\u73fe\u4e3b\u6a5f\u3001\u6383\u63cf Port \u53e3\u3001\u8fa8\u8b58\u4f5c\u696d\u7cfb\u7d71\u8207\u670d\u52d9\u7248\u672c\u3002\n
\n
- \u5de5\u5177\u4e0b\u8f09\uff1a<\/strong> Nmap \u5b98\u65b9\u4e0b\u8f09 (Windows)<\/a><\/li>\n\n\n\n
- \u5feb\u901f\u5165\u9580\uff1a<\/strong> Nmap \u6307\u4ee4\u8a73\u89e3<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- ffuf\uff1a\u9ad8\u6548 Web \u6a21\u7cca\u6e2c\u8a66\u5de5\u5177<\/strong> \u7528\u65bc\u5feb\u901f\u7206\u7834\u96b1\u85cf\u76ee\u9304\u3001\u6a94\u6848\u540d\u7a31\u6216 API \u53c3\u6578\u3002\n
\n
- \u5de5\u5177\u4e0b\u8f09\uff1a<\/strong> ffuf GitHub Release (Windows)<\/a><\/li>\n\n\n\n
- \u5be6\u4f5c\u6307\u5357\uff1a<\/strong> ffuf \u76ee\u9304\u7206\u7834\u6559\u5b78<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
Day2 \u6ef2\u900f\u5de5\u5177\u61c9\u7528<\/h2>\n\n\n\n
<\/p>\n\n\n\n
\u7b2c\u4e00\u5929\u6211\u5011\u5b78\u6703\u4e86\u5982\u4f55\u6536\u96c6\u60c5\u5831\uff0cDay 2 \u7684\u91cd\u9ede\u5c07\u653e\u5728\u300c\u9a57\u8b49\u6f0f\u6d1e\u300d\u3002\u6211\u5011\u5c07\u5b78\u7fd2\u5982\u4f55\u5229\u7528\u81ea\u52d5\u5316\u5de5\u5177\u63d0\u5347\u6548\u7387\uff0c\u4e26\u6df1\u5165\u63a2\u8a0e Web \u5b89\u5168\u4e2d\u6700\u81f4\u547d\u7684\u5a01\u8105\uff1aSQL \u6ce8\u5165\u8207\u5bc6\u78bc\u5b89\u5168\u6027\u3002<\/p>\n\n\n\n
\n\n\n\n1. \u6ef2\u900f\u6e2c\u8a66\u8207\u81ea\u52d5\u5316\u6383\u63cf (Automated Scanning)<\/h3>\n\n\n\n
\u5728\u9032\u5165\u624b\u52d5\u5206\u6790\u524d\uff0c\u719f\u7df4\u4f7f\u7528\u81ea\u52d5\u5316\u9a57\u8b49\u5de5\u5177\u80fd\u5e6b\u52a9\u6211\u5011\u5feb\u901f\u9396\u5b9a\u76ee\u6a19\u7684\u300c\u4f4e\u639b\u679c\u5be6\u300d\u3002<\/p>\n\n\n\n
\u6ef2\u900f\u6e2c\u8a66\u6838\u5fc3\u6d41\u7a0b<\/h4>\n\n\n\n
\u7406\u89e3\u6ef2\u900f\u6e2c\u8a66\uff08Penetration Testing\uff09\u7684\u6a19\u6e96\u5316\u4f5c\u696d\u7a0b\u5e8f\uff0c\u78ba\u4fdd\u6e2c\u8a66\u904e\u7a0b\u5408\u6cd5\u4e14\u5c08\u696d\u3002<\/p>\n\n\n\n
\n
- \u91cd\u9ede\u6982\u5ff5\uff1a<\/strong> \u8cc7\u8a0a\u6536\u96c6\u3001\u6f0f\u6d1e\u5206\u6790\u3001\u6f0f\u6d1e\u5229\u7528\u3001\u5f8c\u6ef2\u900f\u3001\u5831\u544a\u7de8\u5beb\u3002<\/li>\n\n\n\n
- \u6df1\u5165\u95b1\u8b80\uff1a<\/strong> \u6ef2\u900f\u6e2c\u8a66\u6a19\u6e96\u6d41\u7a0b\u8a73\u89e3<\/a><\/li>\n<\/ul>\n\n\n\n
Nuclei\uff1a\u57fa\u65bc\u6a21\u677f\u7684\u6f0f\u6d1e\u6383\u63cf<\/h4>\n\n\n\n
Nuclei \u662f\u73fe\u4ee3\u8cc7\u5b89\u5708\u6975\u53d7\u6b61\u8fce\u7684\u5de5\u5177\uff0c\u80fd\u900f\u904e\u793e\u7fa4\u7dad\u8b77\u7684 YAML \u6a21\u677f\u9032\u884c\u5feb\u901f\u3001\u53ef\u64f4\u5c55\u7684\u6383\u63cf\u3002<\/p>\n\n\n\n
\n
- \u5be6\u4f5c\u8981\u9ede\uff1a<\/strong> \u6a21\u677f\u66f4\u65b0\u3001\u91dd\u5c0d\u7279\u5b9a CVE \u9032\u884c\u6383\u63cf\u3001\u7d50\u679c\u532f\u51fa\u3002<\/li>\n\n\n\n
- \u6559\u5b78\u6587\u7ae0\uff1a<\/strong> Nuclei \u5feb\u901f\u4e0a\u624b\u6307\u5357<\/a><\/li>\n<\/ul>\n\n\n\n
\n\n\n\n2. \u6df1\u5ea6\u5256\u6790\uff1aSQL Injection (SQLi) \u653b\u64ca\u8207\u9632\u8b77<\/h3>\n\n\n\n
SQL \u6ce8\u5165\u662f Web \u61c9\u7528\u4e2d\u6700\u5177\u7834\u58de\u6027\u7684\u6f0f\u6d1e\u4e4b\u4e00\uff0c\u80fd\u5c0e\u81f4\u8cc7\u6599\u5eab\u5b8c\u5168\u6dea\u9677\u3002<\/p>\n\n\n\n
\u7406\u8ad6\u57fa\u790e<\/h3>\n\n\n\n
\n
- SQLi \u539f\u7406\uff1a<\/strong> \u653b\u64ca\u8005\u5982\u4f55\u900f\u904e\u8f38\u5165\u60e1\u610f SQL \u6307\u4ee4\u4f86\u6539\u8b8a\u539f\u59cb\u67e5\u8a62\u908f\u8f2f\u3002<\/li>\n\n\n\n
- \u6df1\u5165\u95b1\u8b80\uff1a<\/strong> SQL Injection \u57fa\u672c\u539f\u7406<\/a><\/li>\n<\/ul>\n\n\n\n
\u5be6\u4f5c\u6f14\u7df4<\/h3>\n\n\n\n
\n
- Login Bypass (\u767b\u5165\u7e5e\u904e)\uff1a<\/strong> \u7df4\u7fd2\u5982\u4f55\u5229\u7528\u908f\u8f2f\u6f0f\u6d1e\uff0c\u5728\u4e0d\u5177\u5099\u5bc6\u78bc\u7684\u60c5\u6cc1\u4e0b\u9032\u5165\u7ba1\u7406\u5f8c\u53f0\u3002\n
\n
- \u5be6\u4f5c\u6307\u5357\uff1a<\/strong> SQLi \u767b\u5165\u7e5e\u904e\u6280\u5de7<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- SQLMap\uff1a\u81ea\u52d5\u5316 SQL \u6ce8\u5165\u795e\u5668<\/strong>\n
\n
- \u57fa\u790e\u7bc7\uff1a<\/strong> \u5075\u6e2c\u6f0f\u6d1e\u3001\u5217\u8209\u8cc7\u6599\u5eab\u540d\u8207\u8868\u540d\u3002 SQLMap \u57fa\u790e\u6559\u7a0b<\/a><\/li>\n\n\n\n
- \u9032\u968e\u5f8c\u6ef2\u900f\uff1a<\/strong> \u7372\u53d6 OS Shell\u3001\u62d6\u5eab (Dump) \u8207\u63d0\u6b0a\u3002 SQLMap \u5f8c\u6ef2\u900f\u5be6\u4f5c<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n\n\n\n3. \u8eab\u4efd\u9a57\u8b49\u8207\u5bc6\u78bc\u5b89\u5168\u6027 (Identity & Password Security)<\/h3>\n\n\n\n
\u5373\u4f7f\u7cfb\u7d71\u6c92\u6709\u7a0b\u5f0f\u78bc\u6f0f\u6d1e\uff0c\u8106\u5f31\u7684\u5bc6\u78bc\u7b56\u7565\u4f9d\u7136\u662f\u81f4\u547d\u50b7\u3002<\/p>\n\n\n\n
\u5bc6\u78bc\u5b78\u7406\u8ad6<\/h4>\n\n\n\n
\n
- Hashing vs Encryption\uff1a<\/strong> \u70ba\u4ec0\u9ebc\u5bc6\u78bc\u5fc5\u9808\u4ee5\u96dc\u6e4a\u5f62\u5f0f\u5132\u5b58\uff1f<\/li>\n\n\n\n
- Salt & Pepper\uff1a<\/strong> \u5982\u4f55\u5c0d\u6297\u5f69\u8679\u8868\u653b\u64ca\uff1f<\/li>\n\n\n\n
- \u6838\u5fc3\u7406\u8ad6\u95b1\u8b80\uff1a<\/strong>\n
\n
- \u96dc\u6e4a\u51fd\u6578 Hashing Functions \u7c21\u4ecb<\/a><\/li>\n\n\n\n
- \u5bc6\u78bc\u96dc\u6e4a\u7684\u6838\u5fc3\u6982\u5ff5<\/a><\/li>\n\n\n\n
- \u5e38\u7528\u5bc6\u78bc\u96dc\u6e4a\u51fd\u6578\u5c0d\u6bd4<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
\u5bc6\u78bc\u7834\u89e3\u5be6\u4f5c<\/h4>\n\n\n\n
\n
- Hashcat\uff1a\u4e16\u754c\u6700\u5feb\u7684\u5bc6\u78bc\u6062\u5fa9\u5de5\u5177<\/strong> \u5b78\u7fd2\u5982\u4f55\u5229\u7528 GPU \u52a0\u901f\u4f86\u7834\u89e3\u4e0d\u540c\u985e\u578b\u7684\u5bc6\u78bc\u96dc\u6e4a\u3002\n
\n
- \u5be6\u4f5c\u6307\u5357\uff1a<\/strong> Hashcat \u6307\u4ee4\u5be6\u6230<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Medusa & Hydra\uff1a\u5728\u7dda\u7206\u7834\u5de5\u5177<\/strong> \u91dd\u5c0d SSH\u3001FTP\u3001HTTP \u767b\u5165\u8868\u55ae\u9032\u884c\u4e3b\u52d5\u5f0f\u5bc6\u78bc\u66b4\u529b\u7834\u89e3\u3002\n
\n
- \u5be6\u4f5c\u6307\u5357\uff1a<\/strong> \u5728\u7dda\u5bc6\u78bc\u7834\u89e3\u5de5\u5177\u61c9\u7528<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
Day3 \u6f0f\u6d1e\u6316\u6398\u65b9\u6cd5<\/h2>\n\n\n\n
\u4eca\u5929\u6211\u5011\u5c07\u653e\u4e0b\u81ea\u52d5\u5316\u5de5\u5177\uff0c\u62ff\u8d77\u6ef2\u900f\u6e2c\u8a66\u54e1\u7684\u300c\u745e\u58eb\u5200\u300d\u2014\u2014 Burp Suite<\/strong>\u3002\u6211\u5011\u5c07\u5b78\u7fd2\u5982\u4f55\u6514\u622a\u3001\u5206\u6790\u4e26\u4fee\u6539\u700f\u89bd\u5668\u8207\u4f3a\u670d\u5668\u4e4b\u9593\u7684\u901a\u8a0a\uff0c\u4e26\u6df1\u5165\u63a2\u8a0e\u4f3a\u670d\u5668\u7aef\uff08Server-side\uff09\u8207\u5546\u696d\u908f\u8f2f\uff08Logic\uff09\u7684\u81f4\u547d\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
\n\n\n\n1. Web \u5b89\u5168\u6a19\u6e96\uff1aOWASP Top 10<\/h3>\n\n\n\n
\u5728\u958b\u59cb\u6316\u6398\u6f0f\u6d1e\u524d\uff0c\u5fc5\u9808\u5148\u4e86\u89e3\u76ee\u524d\u6700\u5a01\u8105 Web \u5b89\u5168\u7684\u5341\u5927\u98a8\u96aa\u3002\u9019\u662f\u6240\u6709\u6ef2\u900f\u6e2c\u8a66\u5831\u544a\u7684\u53c3\u8003\u57fa\u6e96\u3002<\/p>\n\n\n\n
\n
- \u91cd\u9ede\u89e3\u6790\uff1a<\/strong> \u6b0a\u9650\u63a7\u5236\u5931\u6548\u3001\u52a0\u5bc6\u5931\u6557\u3001\u6ce8\u5165\u653b\u64ca…\u7b49\u3002<\/li>\n\n\n\n
- \u5ef6\u4f38\u95b1\u8b80\uff1a<\/strong> OWASP Top 10 2021 \u8da8\u52e2\u5206\u6790<\/a><\/li>\n<\/ul>\n\n\n\n
\n\n\n\n2. \u5de5\u5177\u738b\u8005\uff1aBurp Suite \u5be6\u4f5c<\/h3>\n\n\n\n
Burp Suite \u662f\u624b\u52d5\u6e2c\u8a66\u7684\u5fc5\u5099\u5de5\u5177\uff0c\u900f\u904e\u4ee3\u7406\uff08Proxy\uff09\u6a21\u5f0f\uff0c\u6211\u5011\u53ef\u4ee5\u638c\u63a7\u6240\u6709 HTTP \u5c01\u5305\u3002<\/p>\n\n\n\n
\n
- \u6838\u5fc3\u529f\u80fd\u7df4\u7fd2\uff1a<\/strong>\n
\n
- Proxy (\u4ee3\u7406)\uff1a<\/strong> \u89c0\u5bdf HTTP \u8acb\u6c42\uff08Request\uff09\u8207\u56de\u61c9\uff08Response\uff09\u7684\u7d50\u69cb\u3002<\/li>\n\n\n\n
- Repeater (\u91cd\u767c\u5668)\uff1a<\/strong> \u624b\u52d5\u4fee\u6539\u53c3\u6578\u4e26\u591a\u6b21\u91cd\u9001\u8acb\u6c42\uff0c\u89c0\u5bdf\u4e0d\u540c\u8f38\u5165\u7684\u7d50\u679c\u3002<\/li>\n\n\n\n
- Interceptor (\u6514\u622a\u5668)\uff1a<\/strong> \u5728\u5c01\u5305\u9001\u51fa\u524d\u5373\u6642\u6514\u622a\u4e26\u7ac4\u6539\u5167\u5bb9\u3002<\/li>\n<\/ol>\n<\/li>\n\n\n\n
- \u9032\u968e\u806f\u9632\uff1a<\/strong> Burp Suite \u8207 SQLMap \u7684\u5354\u4f5c\u6280\u5de7<\/a><\/li>\n<\/ul>\n\n\n\n
\n\n\n\n3. \u4f3a\u670d\u5668\u7aef\u6f0f\u6d1e (Server-Side Vulnerabilities)<\/h3>\n\n\n\n
\u9019\u985e\u6f0f\u6d1e\u76f4\u63a5\u767c\u751f\u5728\u5f8c\u7aef\u4f3a\u670d\u5668\uff0c\u901a\u5e38\u5177\u6709\u6975\u9ad8\u7684\u7834\u58de\u529b\u3002<\/p>\n\n\n\n
OS Command Injection (\u6307\u4ee4\u6ce8\u5165)<\/h4>\n\n\n\n
\u7576\u7db2\u9801\u7a0b\u5f0f\u5c07\u4f7f\u7528\u8005\u8f38\u5165\u76f4\u63a5\u7576\u4f5c\u7cfb\u7d71\u6307\u4ee4\u57f7\u884c\u6642\uff0c\u653b\u64ca\u8005\u53ef\u85c9\u6b64\u63a7\u5236\u4f3a\u670d\u5668\u4f5c\u696d\u7cfb\u7d71\u3002<\/p>\n\n\n\n
\n
- \u5be6\u4f5c\u7df4\u7fd2\uff1a<\/strong> Lab: Simple OS command injection<\/a><\/li>\n\n\n\n
- \u6280\u8853\u7b46\u8a18\uff1a<\/strong> OS Command Injection \u7e5e\u904e\u8207\u9632\u79a6<\/a><\/li>\n<\/ul>\n\n\n\n
File Upload (\u6a94\u6848\u4e0a\u50b3\u6f0f\u6d1e)<\/h4>\n\n\n\n
\u900f\u904e\u4e0a\u50b3\u60e1\u610f\u7684 Web Shell (\u5982 PHP \u8173\u672c)\uff0c\u653b\u64ca\u8005\u53ef\u7372\u53d6\u4f3a\u670d\u5668\u7684\u9060\u7aef\u7a0b\u5f0f\u57f7\u884c\u6b0a\u9650 (RCE)\u3002<\/p>\n\n\n\n
\n
- \u5be6\u4f5c\u7df4\u7fd2\uff1a<\/strong> Lab: Remote code execution via web shell upload<\/a> (lab support web)<\/li>\n\n\n\n
- \u6280\u8853\u7b46\u8a18\uff1a<\/strong> \u6a94\u6848\u4e0a\u50b3\u6f0f\u6d1e\u5229\u7528\u6307\u5357<\/a><\/li>\n<\/ul>\n\n\n\n
Directory Traversal (\u76ee\u9304\u7a7f\u8d8a)<\/h4>\n\n\n\n
\u5229\u7528
..\/<\/code> \u8a9e\u6cd5\u8b80\u53d6\u4f3a\u670d\u5668\u4e0a\u4e0d\u61c9\u516c\u958b\u7684\u654f\u611f\u6a94\u6848\uff08\u5982\/etc\/passwd<\/code>\uff09\u3002<\/p>\n\n\n\n\n
- \u5be6\u4f5c\u7df4\u7fd2\uff1a<\/strong> Lab: File path traversal, simple case<\/a> (lab support web)<\/li>\n\n\n\n
- \u6280\u8853\u7b46\u8a18\uff1a<\/strong> \u76ee\u9304\u7a7f\u8d8a\u8def\u5f91\u6e2c\u8a66\u6280\u5de7<\/a><\/li>\n<\/ul>\n\n\n\n
\n\n\n\n4. \u908f\u8f2f\u8207\u6b0a\u9650\u6f0f\u6d1e (Logic & Access Control)<\/h3>\n\n\n\n
\u9019\u985e\u6f0f\u6d1e\u4e0d\u4e00\u5b9a\u6709\u660e\u986f\u7684\u7a0b\u5f0f\u5831\u932f\uff0c\u800c\u662f\u7a0b\u5f0f\u908f\u8f2f\u8a2d\u8a08\u4e0a\u7684\u7f3a\u9677\u3002<\/p>\n\n\n\n
HTTP Host Header Attack<\/h4>\n\n\n\n
\u7ac4\u6539 Host \u6a19\u982d\u4f86\u7e5e\u904e\u8a8d\u8b49\u3002<\/p>\n\n\n\n
\n
- \u5be6\u4f5c\u7df4\u7fd2\uff1a<\/strong> Lab: Host header authentication bypass<\/a><\/li>\n\n\n\n
- \u6280\u8853\u7b46\u8a18\uff1a<\/strong> Host Header \u7e5e\u904e\u6280\u5de7<\/a><\/li>\n<\/ul>\n\n\n\n
\u5b58\u53d6\u63a7\u5236\u8207 2FA \u7e5e\u904e<\/h4>\n\n\n\n
\n
- Access Control Bypass\uff1a<\/strong> \u7e5e\u904e URL \u6b0a\u9650\u6aa2\u67e5\u9032\u5165\u7ba1\u7406\u54e1\u4ecb\u9762\u3002\n
\n
- Lab \u6f14\u7df4<\/a> | \u6280\u8853\u7b46\u8a18<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- 2FA Bypass\uff1a<\/strong> \u7e5e\u904e\u96d9\u91cd\u9a57\u8b49\u6a5f\u5236\u76f4\u63a5\u767b\u5165\u5e33\u865f\u3002\n
\n
- Lab \u6f14\u7df4<\/a>(lab support web) | \u6280\u8853\u7b46\u8a18<\/a> <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
\u5546\u696d\u908f\u8f2f\u6f0f\u6d1e (Business Logic)<\/h4>\n\n\n\n
\u5229\u7528\u7a0b\u5f0f\u5c0d\u696d\u52d9\u6d41\u7a0b\u8655\u7406\u7684\u758f\u5ffd\uff08\u5982\uff1a\u4fee\u6539\u7d50\u5e33\u91d1\u984d\u3001\u8df3\u904e\u4ed8\u8cbb\u6b65\u9a5f\uff09\u3002<\/p>\n\n\n\n
\n
- \u5be6\u4f5c\u7df4\u7fd2\uff1a<\/strong> Lab: Weak isolation on dual-use endpoint<\/a><\/li>\n\n\n\n
- \u6280\u8853\u7b46\u8a18\uff1a<\/strong> \u908f\u8f2f\u6f0f\u6d1e\u6848\u4f8b\u5206\u6790<\/a><\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
Day4 \u5be6\u6230\u6f14\u7df4<\/h2>\n\n\n\n
\u4eca\u5929\u6211\u5011\u5c07\u8df3\u812b\u55ae\u4e00\u6f0f\u6d1e\u7684\u601d\u7dad\uff0c\u9032\u5165 ATT&CK \u6846\u67b6<\/strong>\u89c0\u6e2c\u653b\u64ca\u5168\u8c8c\u3002\u6211\u5011\u6703\u5b78\u7fd2\u5982\u4f55\u4f7f\u7528 Burp Suite \u57f7\u884c\u81ea\u52d5\u5316\u8907\u96dc\u653b\u64ca\uff0c\u4e26\u6df1\u5165\u63a2\u8a0e\u5ba2\u6236\u7aef\uff08Client-side\uff09\u8207\u5176\u4ed6\u9032\u968e\u6f0f\u6d1e\u3002\u6700\u5f8c\uff0c\u6211\u5011\u5c07\u900f\u904e\u5be6\u969b\u9776\u5834\u8207\u5c08\u696d\u5831\u544a\u7bc4\u4f8b\uff0c\u5b8c\u6210\u6ef2\u900f\u6e2c\u8a66\u7684\u6700\u5f8c\u4e00\u584a\u62fc\u5716\u3002<\/p>\n\n\n\n
\n\n\n\n1. \u653b\u64ca\u8005\u6230\u8853\u6846\u67b6\uff1aMITRE ATT&CK<\/h3>\n\n\n\n
\u4e86\u89e3\u6f0f\u6d1e\u5f8c\uff0c\u6211\u5011\u9700\u8981\u4e00\u500b\u5730\u5716\u4f86\u6a19\u8a18\u653b\u64ca\u9032\u7a0b\u3002ATT&CK \u6846\u67b6\u5e6b\u52a9\u6211\u5011\u5f9e\u300c\u9ede\u300d\u7684\u6f0f\u6d1e\u8f49\u5411\u300c\u9762\u300d\u7684\u6230\u8853\u5206\u6790\u3002<\/p>\n\n\n\n
\n
- \u6838\u5fc3\u6982\u5ff5\uff1a<\/strong> \u6230\u8853 (Tactics)\u3001\u6280\u8853 (Techniques) \u8207\u5b50\u6280\u8853\u3002<\/li>\n\n\n\n
- \u5ef6\u4f38\u95b1\u8b80\uff1a<\/strong> MITRE ATT&CK \u6846\u67b6\u5c0e\u8b80<\/a><\/li>\n<\/ul>\n\n\n\n
\n\n\n\n2. Burp Suite \u9ad8\u968e\u81ea\u52d5\u5316\u5be6\u6230<\/h3>\n\n\n\n
\u5229\u7528 Burp Suite \u7684\u64f4\u5145\u529f\u80fd\u8207\u81ea\u5b9a\u7fa9\u914d\u7f6e\uff0c\u57f7\u884c\u5e38\u898f\u6383\u63cf\u7121\u6cd5\u767c\u73fe\u7684\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
JWT \u5b89\u5168\u8207 Bypass<\/h4>\n\n\n\n
JSON Web Token \u7684\u4e0d\u7576\u914d\u7f6e\uff08\u5982\u672a\u9a57\u8b49\u7c3d\u540d\uff09\u6703\u5c0e\u81f4\u8eab\u4efd\u507d\u9020\u3002<\/p>\n\n\n\n
\n
- \u5be6\u4f5c\uff1a<\/strong> \u5b89\u88dd
JWT Editor<\/code> \u64f4\u5145\u63d2\u4ef6\uff0c\u7df4\u7fd2\u7c3d\u540d\u7e5e\u904e\u3002<\/li>\n\n\n\n- Lab\uff1a<\/strong> JWT authentication bypass (Unverified Signature)<\/a><\/li>\n\n\n\n
- \u7b46\u8a18\uff1a<\/strong> JWT \u653b\u64ca\u624b\u6cd5\u8a73\u89e3<\/a><\/li>\n<\/ul>\n\n\n\n
\u8cc7\u8a0a\u6d29\u6f0f<\/h4>\n\n\n\n
\u81ea\u52d5\u4fee\u6539\u6bcf\u6b21\u8acb\u6c42\u5167\u5bb9 + \u914d\u7f6e\u4e0d\u5b89\u5168<\/p>\n\n\n\n
\n
- Lab\uff1a<\/strong>Lab: Info leak authentication bypass<\/a> <\/li>\n\n\n\n
- \u7b46\u8a18\uff1a<\/strong> \u8cc7\u8a0a\u6d29\u9732<\/a><\/li>\n<\/ul>\n\n\n\n
\u5546\u696d\u908f\u8f2f<\/h4>\n\n\n\n
\u81ea\u52d5\u5316\u57f7\u884c\u591a\u500b\u8acb\u6c42 + \u5229\u7528\u696d\u52d9\u898f\u5247\u5957\u5229<\/p>\n\n\n\n
\n
- Lab\uff1a<\/strong> Lab: Infinite money logic flaw<\/a> <\/li>\n\n\n\n
- \u7b46\u8a18\uff1a<\/strong> \u5546\u696d\u908f\u8f2f\u6f0f\u6d1e<\/a><\/li>\n<\/ul>\n\n\n\n
Race Condition (\u689d\u4ef6\u7af6\u901f)<\/h3>\n\n\n\n
\u5229\u7528\u7cfb\u7d71\u8655\u7406\u4f75\u767c\u8acb\u6c42\u7684\u6642\u9593\u5dee\uff0c\u9054\u6210\u300c\u8d85\u8d8a\u9650\u5236\u300d\u7684\u884c\u70ba\uff08\u5982\u91cd\u8907\u9818\u53d6\u512a\u60e0\u5238\uff09\u3002<\/p>\n\n\n\n
\n
- \u7b46\u8a18\uff1a<\/strong> \u689d\u4ef6\u7af6\u901f\u653b\u64ca\u539f\u7406<\/a><\/li>\n\n\n\n
- Lab\uff1a<\/strong> Limit overrun race conditions<\/a><\/li>\n<\/ul>\n\n\n\n
\n\n\n\n3. \u5ba2\u6236\u7aef\u6f0f\u6d1e<\/h3>\n\n\n\n
Client-Side \u653b\u64ca (XSS & CSRF)<\/h4>\n\n\n\n
\n
- XSS (\u8de8\u7ad9\u8173\u672c)\uff1a<\/strong> \u53cd\u5c04\u578b\u3001\u5132\u5b58\u578b\u8207 DOM-based \u7684\u5168\u65b9\u4f4d\u6f14\u7df4\u3002\n
\n
- XSS \u6280\u8853\u7b46\u8a18<\/a> |<\/li>\n\n\n\n
- Lab: Reflected<\/a> | Lab: Stored<\/a> (lab support web)<\/li>\n\n\n\n
- Lab: DOM XSS<\/a> (lab support web)<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- CSRF (\u8de8\u7ad9\u8acb\u6c42\u507d\u9020)\uff1a<\/strong> \u8a98\u4f7f\u53d7\u5bb3\u8005\u57f7\u884c\u975e\u9810\u671f\u52d5\u4f5c\u3002\n
\n
- CSRF \u6280\u8853\u7b46\u8a18<\/a> | Lab \u5be6\u4f5c<\/a> (lab support web)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
\u88dc\u5145\uff1aSSRF (\u4f3a\u670d\u5668\u7aef\u6f0f\u6d1e)<\/h4>\n\n\n\n
\u5229\u7528 Web \u61c9\u7528\u4f5c\u70ba\u8df3\u677f\uff0c\u653b\u64ca\u5167\u90e8\u79c1\u6709\u7db2\u8def\u3002<\/p>\n\n\n\n