## Web Plugin
The screenshot above shows the Chrome plugin I use. It is very useful; those who know, know 🥰
It mainly covers the following categories:
- Information collection
- Proxy tools
- Hacking tools
- Development and debugging tools
- Anti-honeypot tools
- User experience optimization tools
## Tool Scripts
### Essential tools for information gathering
ARL (Lighthouse), OneForAll, URLFinder, httpx, EHole, dirsearch, Xray, Goby
Project addresses:
URLFinder: https://github.com/pingc0y/URLFinder
dirsearch: https://github.com/lemonlove7/dirsearch_bypass403
httpx: https://github.com/projectdiscovery/httpx
Fingerprint recognition (EHole): https://github.com/lemonlove7/EHole_magic/tree/main
ARL (Lighthouse): https://github.com/ki9mu/ARL-plus-docker
FUZZ dictionary: https://github.com/TheKingOfDuck/fuzzDicts
### Using Lighthouse
Note the following points.
Lighthouse enhancements in this build:
- Add API
- Remove domain restrictions
- Update built-in subdomain dictionary
- Update built-in file leakage dictionary
- Update fingerprint information
- Update POCs (optional; I do not usually use Lighthouse for vulnerability scanning)
## Spatial Mapping
### Common spatial mapping websites
Hunter, FOFA, Quake, ZoomEye, Shodan
### Search techniques
Each site has its own search syntax, but they are all similar, and the more you use them the more proficient you become. FOFA and Hunter (Yingtu) are self-explanatory. ZoomEye (Zhongkui) and Quake are what I usually turn to when searching for a specific system or component to examine.
For edusrc: when a vulnerability is found during a penetration test, note which vendor's product the affected system is. Using mapping to search for that product across other educational assets is usually effective.
Pay special attention to: ICP filing (备案) records and the site icon (favicon).
## Enterprise Search
### Common websites
Qichacha, Aiqicha, Tianyancha, Xiaolanben, Diandian, Qimai
### Information gathering
Notes:
- When doing general-purpose mining for CNVD, pay attention to software copyright registrations. When mining an SRC, pay more attention to assets such as apps, mini-programs, and official accounts.
- When looking for edge assets, check the shareholding ratio against the SRC's inclusion requirements. Usually, a subsidiary in which the parent company holds more than 50% of the shares is in scope.
- There are many techniques for collecting enterprise SRC assets, and automated tools such as firefly exist, but the method I recommend most is going through it manually. Once you have a comprehensive understanding of the assets and the business, vulnerabilities are easier to find.
## Google Hacking
### Common search syntax for vulnerability discovery
inurl: Searches for a string in page URLs. Useful for finding search pages, help pages, and similar pages on a site.
intext: Only search for text contained in the body of a web page (ignoring text in titles, URLs, etc.).
site: Limits your search to a specific domain.
filetype: Searches for files with a specific extension or file type.
intitle: Limits your search to web pages with specific titles.
allintitle: Searches for pages whose titles contain all of the specified keywords. I do not recommend using this one.
link: Lists the pages that link to a specified URL. For example, link:http://www.google.com lists pages that link to Google.
### Syntax for finding vulnerabilities in educational institutions
These queries are often effective in edusrc mining:
site:edu.cn ext:doc | ext:docx | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
site:edu.cn "internship" filetype:xlsx+ID number-student number-examination number
Keywords: bank card, admission, application, discharge, dormitory, library, student, teacher, subsidy, exemption from examination, exceptional promotion, league member, party membership, active member
Reference article: https://blog.csdn.net/qq_33942040/article/details/108549892
A tool built by a master for this: https://ght.se7ensec.cn/
## Alternative Approaches
### Other search methods
- File search (Lingfengyun)
- Yuque
  - Search pattern: enterprise name + keywords
  - Keywords: phone number, contract, list, password, private data, internal files of xxx, xx account, address book, roster, report, bidding documents, employment, design drawings, notes, etc.
## To be continued...
Feel free to share your experiences in the comments~