bug-bounty on Astroicers Bloghttps://astroicers.link/tags/bug-bounty.htmlRecent content in bug-bounty on Astroicers BlogHugo -- gohugo.ioenWed, 18 Mar 2026 00:00:00 +0000ffuf 網頁 Fuzzing 工具https://astroicers.link/p/ffuf-%E7%B6%B2%E9%A0%81-fuzzing-%E5%B7%A5%E5%85%B7.htmlWed, 18 Mar 2026 00:00:00 +0000https://astroicers.link/p/ffuf-%E7%B6%B2%E9%A0%81-fuzzing-%E5%B7%A5%E5%85%B7.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/ffuf/ffuf" target="_blank" rel="noopener" >ffuf</a> 是一個用 Go 語言編寫的高效能網頁 Fuzzer。支援目錄掃描、參數 Fuzzing、虛擬主機探測等多種模式,是取代 dirb、gobuster 的現代化工具。</p> <p><strong>GitHub Stars</strong>: 15K+</p> <h2 id="主要功能">主要功能</h2> <ul> <li><strong>高效能</strong> - Go 語言開發,支援高並發</li> <li><strong>多模式</strong> - 目錄、參數、Header Fuzzing</li> <li><strong>過濾強大</strong> - 依狀態碼、大小、字數過濾</li> <li><strong>輸出豐富</strong> - JSON、CSV、HTML 報告</li> <li><strong>管道友善</strong> - 易於自動化整合</li> </ul> <h2 id="安裝">安裝</h2> <h3 id="go-install">Go Install</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go install github.com/ffuf/ffuf/v2@latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="homebrew">Homebrew</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install ffuf </span></span></code></pre></td></tr></table> </div> </div><h3 id="kali-linux">Kali Linux</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt install ffuf </span></span></code></pre></td></tr></table> </div> </div><h2 id="基本使用">基本使用</h2> <h3 id="目錄掃描">目錄掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="指定副檔名">指定副檔名</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -e .php,.html,.js,.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="遞迴掃描">遞迴掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth <span class="m">2</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="過濾與匹配">過濾與匹配</h2> <h3 id="狀態碼過濾">狀態碼過濾</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 只顯示 200, 301, 302</span> </span></span><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 過濾 404</span> </span></span><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -fc <span class="m">404</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="大小過濾">大小過濾</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 過濾特定大小</span> </span></span><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -fs <span class="m">1234</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 過濾大小範圍</span> </span></span><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 0-100 </span></span></code></pre></td></tr></table> </div> </div><h3 id="字數過濾">字數過濾</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -fw <span class="m">10</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="正則過濾">正則過濾</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -fr <span class="s2">&#34;not found|error&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="進階用法">進階用法</h2> <h3 id="參數-fuzzing">參數 Fuzzing</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># GET 參數</span> </span></span><span class="line"><span class="cl">ffuf -u <span class="s2">&#34;https://target.com/page?FUZZ=value&#34;</span> -w params.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 參數值</span> </span></span><span class="line"><span class="cl">ffuf -u <span class="s2">&#34;https://target.com/page?id=FUZZ&#34;</span> -w values.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="post-資料">POST 資料</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/login <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -X POST <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -d <span class="s2">&#34;username=admin&amp;password=FUZZ&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w passwords.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -fc <span class="m">401</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="header-fuzzing">Header Fuzzing</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -H <span class="s2">&#34;X-Custom-Header: FUZZ&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w headers.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="虛擬主機探測">虛擬主機探測</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -H <span class="s2">&#34;Host: FUZZ.target.com&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w subdomains.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -fs <span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="多關鍵字">多關鍵字</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ1/FUZZ2 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w users.txt:FUZZ1 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w ids.txt:FUZZ2 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -mode clusterbomb </span></span></code></pre></td></tr></table> </div> </div><h2 id="效能調整">效能調整</h2> <h3 id="並發與速率">並發與速率</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 設定執行緒數</span> </span></span><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -t <span class="m">100</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 請求延遲(毫秒)</span> </span></span><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -p 0.1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 每秒請求數</span> </span></span><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -rate <span class="m">100</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="超時設定">超時設定</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -timeout <span class="m">10</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="輸出格式">輸出格式</h2> <h3 id="json-輸出">JSON 輸出</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json </span></span></code></pre></td></tr></table> </div> </div><h3 id="csv-輸出">CSV 輸出</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.csv -of csv </span></span></code></pre></td></tr></table> </div> </div><h3 id="html-報告">HTML 報告</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.html -of html </span></span></code></pre></td></tr></table> </div> </div><h2 id="設定檔">設定檔</h2> <h3 id="ffufrc">~/.ffufrc</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[http]</span> </span></span><span class="line"><span class="cl"><span class="na">timeout</span> <span class="o">=</span> <span class="s">10</span> </span></span><span class="line"><span class="cl"><span class="na">method</span> <span class="o">=</span> <span class="s">GET</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[general]</span> </span></span><span class="line"><span class="cl"><span class="na">threads</span> <span class="o">=</span> <span class="s">50</span> </span></span><span class="line"><span class="cl"><span class="na">rate</span> <span class="o">=</span> <span class="s">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[input]</span> </span></span><span class="line"><span class="cl"><span class="na">wordlist</span> <span class="o">=</span> <span class="s">/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[output]</span> </span></span><span class="line"><span class="cl"><span class="na">format</span> <span class="o">=</span> <span class="s">json</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[matcher]</span> </span></span><span class="line"><span class="cl"><span class="na">status</span> <span class="o">=</span> <span class="s">200,204,301,302,307,401,403,405</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="使用設定檔">使用設定檔</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -config ~/.ffufrc -u https://target.com/FUZZ </span></span></code></pre></td></tr></table> </div> </div><h2 id="實戰範例">實戰範例</h2> <h3 id="api-端點探測">API 端點探測</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://api.target.com/v1/FUZZ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -mc 200,201,204 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -H <span class="s2">&#34;Authorization: Bearer token&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="敏感檔案尋找">敏感檔案尋找</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -mc 200,403 </span></span></code></pre></td></tr></table> </div> </div><h3 id="備份檔案探測">備份檔案探測</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w /usr/share/seclists/Discovery/Web-Content/Common-Backups/common-backup-files.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -e .bak,.old,.backup,.zip,.tar.gz </span></span></code></pre></td></tr></table> </div> </div><h3 id="子域名接管檢測">子域名接管檢測</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u http://FUZZ.target.com <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w subdomains.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -H <span class="s2">&#34;Host: FUZZ.target.com&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -mr <span class="s2">&#34;not found|NXDOMAIN|unclaimed&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="與其他工具整合">與其他工具整合</h2> <h3 id="搭配-subfinder">搭配 Subfinder</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d target.com -silent <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> sed <span class="s1">&#39;s/$/.target.com/&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> ffuf -u http://FUZZ -w - -mc <span class="m">200</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="搭配-httpx">搭配 httpx</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -o results.json -of json </span></span><span class="line"><span class="cl">cat results.json <span class="p">|</span> jq -r <span class="s1">&#39;.results[].url&#39;</span> <span class="p">|</span> httpx -title -tech-detect </span></span></code></pre></td></tr></table> </div> </div><h3 id="搭配-nuclei">搭配 Nuclei</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -u https://target.com/FUZZ -w wordlist.txt -mc <span class="m">200</span> -o urls.txt -of csv </span></span><span class="line"><span class="cl">nuclei -l urls.txt -t exposures/ </span></span></code></pre></td></tr></table> </div> </div><h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/ffuf/ffuf" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://github.com/danielmiessler/SecLists" target="_blank" rel="noopener" >SecLists</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/seclists-pentest-wordlists/" >SecLists 滲透測試字典</a></li> <li><a class="link" href="https://astroicers.link/p/nuclei-vulnerability-scanner/" >Nuclei 漏洞掃描工具</a></li> <li><a class="link" href="https://astroicers.link/p/subfinder-subdomain-enumeration/" >Subfinder 子域名列舉工具</a></li> </ul>Subfinder 子域名列舉工具https://astroicers.link/p/subfinder-%E5%AD%90%E5%9F%9F%E5%90%8D%E5%88%97%E8%88%89%E5%B7%A5%E5%85%B7.htmlSat, 14 Mar 2026 00:00:00 +0000https://astroicers.link/p/subfinder-%E5%AD%90%E5%9F%9F%E5%90%8D%E5%88%97%E8%88%89%E5%B7%A5%E5%85%B7.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/projectdiscovery/subfinder" target="_blank" rel="noopener" >Subfinder</a> 是 ProjectDiscovery 開發的被動式子域名列舉工具。整合數十個資料源 API,能快速收集目標域名的所有子域名,是滲透測試和 Bug Bounty 的必備偵察工具。</p> <p><strong>GitHub Stars</strong>: 13K+</p> <h2 id="主要功能">主要功能</h2> <ul> <li><strong>多資料源</strong> - 整合 50+ 被動式資料源</li> <li><strong>高效能</strong> - Go 語言開發,支援大規模掃描</li> <li><strong>API 整合</strong> - 支援付費 API 提升結果</li> <li><strong>輸出格式</strong> - JSON、純文字多種格式</li> <li><strong>管道友善</strong> - 易於與其他工具串接</li> </ul> <h2 id="安裝">安裝</h2> <h3 id="go-install">Go Install</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="homebrew">Homebrew</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install subfinder </span></span></code></pre></td></tr></table> </div> </div><h3 id="docker">Docker</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker pull projectdiscovery/subfinder:latest </span></span></code></pre></td></tr></table> </div> </div><h2 id="基本使用">基本使用</h2> <h3 id="單一域名">單一域名</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d example.com </span></span></code></pre></td></tr></table> </div> </div><h3 id="多個域名">多個域名</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -dL domains.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="輸出到檔案">輸出到檔案</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d example.com -o subdomains.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="json-輸出">JSON 輸出</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d example.com -json -o results.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="api-設定">API 設定</h2> <h3 id="設定檔位置">設定檔位置</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/.config/subfinder/provider-config.yaml </span></span></code></pre></td></tr></table> </div> </div><h3 id="設定範例">設定範例</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># provider-config.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">binaryedge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-api-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">censys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-api-id:your-api-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">chaos</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-chaos-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">github</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-github-token</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">another-github-token</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">hunter</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-hunter-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">intelx</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-intelx-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">securitytrails</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-securitytrails-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">shodan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-shodan-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">virustotal</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">your-virustotal-key</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="免費-api-推薦">免費 API 推薦</h3> <table> <thead> <tr> <th>服務</th> <th>免費額度</th> </tr> </thead> <tbody> <tr> <td>VirusTotal</td> <td>4 requests/min</td> </tr> <tr> <td>SecurityTrails</td> <td>50 queries/month</td> </tr> <tr> <td>Shodan</td> <td>100 queries/month</td> </tr> <tr> <td>Censys</td> <td>250 queries/month</td> </tr> <tr> <td>GitHub</td> <td>5000 requests/hour</td> </tr> </tbody> </table> <h2 id="進階選項">進階選項</h2> <h3 id="指定資料源">指定資料源</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 只使用特定來源</span> </span></span><span class="line"><span class="cl">subfinder -d example.com -sources crtsh,dnsdumpster,hackertarget </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 排除來源</span> </span></span><span class="line"><span class="cl">subfinder -d example.com -exclude-sources waybackarchive </span></span></code></pre></td></tr></table> </div> </div><h3 id="列出可用資料源">列出可用資料源</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -ls </span></span></code></pre></td></tr></table> </div> </div><h3 id="效能調整">效能調整</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 設定超時和並行</span> </span></span><span class="line"><span class="cl">subfinder -d example.com -timeout <span class="m">30</span> -t <span class="m">100</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="遞迴子域名">遞迴子域名</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 啟用遞迴模式</span> </span></span><span class="line"><span class="cl">subfinder -d example.com -recursive -recursive-level <span class="m">2</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="工具鏈整合">工具鏈整合</h2> <h3 id="完整偵察流程">完整偵察流程</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 子域名列舉</span> </span></span><span class="line"><span class="cl">subfinder -d target.com -o subs.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 存活檢測</span> </span></span><span class="line"><span class="cl">cat subs.txt <span class="p">|</span> httpx -o alive.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. 漏洞掃描</span> </span></span><span class="line"><span class="cl">nuclei -l alive.txt -severity critical,high </span></span></code></pre></td></tr></table> </div> </div><h3 id="搭配-httpx">搭配 httpx</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d target.com -silent <span class="p">|</span> httpx -title -tech-detect -status-code </span></span></code></pre></td></tr></table> </div> </div><h3 id="搭配-naabu端口掃描">搭配 naabu(端口掃描)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d target.com -silent <span class="p">|</span> naabu -p 80,443,8080,8443 </span></span></code></pre></td></tr></table> </div> </div><h3 id="搭配-dnsxdns-解析">搭配 dnsx(DNS 解析)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d target.com -silent <span class="p">|</span> dnsx -a -resp </span></span></code></pre></td></tr></table> </div> </div><h2 id="實戰範例">實戰範例</h2> <h3 id="bug-bounty-自動化">Bug Bounty 自動化</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="c1"># recon.sh</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">TARGET</span><span class="o">=</span><span class="nv">$1</span> </span></span><span class="line"><span class="cl"><span class="nv">OUTDIR</span><span class="o">=</span><span class="s2">&#34;recon/</span><span class="si">${</span><span class="nv">TARGET</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">mkdir -p <span class="nv">$OUTDIR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[*] Subdomain enumeration...&#34;</span> </span></span><span class="line"><span class="cl">subfinder -d <span class="nv">$TARGET</span> -all -o <span class="nv">$OUTDIR</span>/subdomains.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[*] Checking alive hosts...&#34;</span> </span></span><span class="line"><span class="cl">cat <span class="nv">$OUTDIR</span>/subdomains.txt <span class="p">|</span> httpx -silent -o <span class="nv">$OUTDIR</span>/alive.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[*] Screenshot capture...&#34;</span> </span></span><span class="line"><span class="cl">cat <span class="nv">$OUTDIR</span>/alive.txt <span class="p">|</span> gowitness file -f - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[*] Vulnerability scanning...&#34;</span> </span></span><span class="line"><span class="cl">nuclei -l <span class="nv">$OUTDIR</span>/alive.txt -severity critical,high -o <span class="nv">$OUTDIR</span>/vulns.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="持續監控">持續監控</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="c1"># monitor.sh</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">TARGET</span><span class="o">=</span><span class="nv">$1</span> </span></span><span class="line"><span class="cl"><span class="nv">NEW_SUBS</span><span class="o">=</span><span class="k">$(</span>mktemp<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">subfinder -d <span class="nv">$TARGET</span> -silent &gt; <span class="nv">$NEW_SUBS</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 比對新發現的子域名</span> </span></span><span class="line"><span class="cl">comm -13 &lt;<span class="o">(</span>sort old_subs.txt<span class="o">)</span> &lt;<span class="o">(</span>sort <span class="nv">$NEW_SUBS</span><span class="o">)</span> &gt; new_found.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> -s new_found.txt <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;New subdomains found:&#34;</span> </span></span><span class="line"><span class="cl"> cat new_found.txt </span></span><span class="line"><span class="cl"> <span class="c1"># 發送通知</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mv <span class="nv">$NEW_SUBS</span> old_subs.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="cicd-整合">CI/CD 整合</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># .github/workflows/recon.yml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Subdomain Monitoring</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">cron</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;0 0 * * *&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Subfinder</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest </span></span></span><span class="line"><span class="cl"><span class="sd"> subfinder -d example.com -o subdomains.txt</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Upload Results</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/upload-artifact@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">subdomains</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">subdomains.txt</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="輸出格式">輸出格式</h2> <h3 id="純文字">純文字</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d example.com </span></span><span class="line"><span class="cl"><span class="c1"># api.example.com</span> </span></span><span class="line"><span class="cl"><span class="c1"># www.example.com</span> </span></span><span class="line"><span class="cl"><span class="c1"># mail.example.com</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="json">JSON</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d example.com -json </span></span><span class="line"><span class="cl"><span class="c1"># {&#34;host&#34;:&#34;api.example.com&#34;,&#34;source&#34;:&#34;crtsh&#34;}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="csv">CSV</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d example.com -cs -all </span></span><span class="line"><span class="cl"><span class="c1"># api.example.com,crtsh</span> </span></span><span class="line"><span class="cl"><span class="c1"># www.example.com,dnsdumpster</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/projectdiscovery/subfinder" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://docs.projectdiscovery.io/tools/subfinder" target="_blank" rel="noopener" >官方文件</a></li> <li><a class="link" href="https://projectdiscovery.io/" target="_blank" rel="noopener" >ProjectDiscovery</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/nuclei-vulnerability-scanner/" >Nuclei 漏洞掃描工具</a></li> <li><a class="link" href="https://astroicers.link/p/seclists-pentest-wordlists/" >SecLists 滲透測試字典</a></li> <li><a class="link" href="https://astroicers.link/p/ffuf-web-fuzzer/" >ffuf 網頁 Fuzzing 工具</a></li> </ul>SecLists 滲透測試字典集合https://astroicers.link/p/seclists-%E6%BB%B2%E9%80%8F%E6%B8%AC%E8%A9%A6%E5%AD%97%E5%85%B8%E9%9B%86%E5%90%88.htmlTue, 10 Mar 2026 00:00:00 +0000https://astroicers.link/p/seclists-%E6%BB%B2%E9%80%8F%E6%B8%AC%E8%A9%A6%E5%AD%97%E5%85%B8%E9%9B%86%E5%90%88.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/danielmiessler/SecLists" target="_blank" rel="noopener" >SecLists</a> 是滲透測試和安全研究中最常用的字典集合。包含使用者名稱、密碼、URL、敏感資料模式、Fuzzing Payload 等,是 Bug Bounty 和紅隊演練的必備工具。</p> <p><strong>GitHub Stars</strong>: 68K+</p> <h2 id="安裝">安裝</h2> <h3 id="git-clone">Git Clone</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone --depth <span class="m">1</span> https://github.com/danielmiessler/SecLists.git </span></span></code></pre></td></tr></table> </div> </div><h3 id="kali-linux">Kali Linux</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt install seclists </span></span><span class="line"><span class="cl"><span class="c1"># 安裝位置:/usr/share/seclists</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="homebrew">Homebrew</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install seclists </span></span></code></pre></td></tr></table> </div> </div><h2 id="目錄結構">目錄結構</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">SecLists</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Discovery</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">DNS</span><span class="o">/</span> <span class="c1"># 子域名字典</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">Web</span><span class="o">-</span><span class="n">Content</span><span class="o">/</span> <span class="c1"># 目錄和檔案</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">Infrastructure</span><span class="o">/</span> <span class="c1"># 基礎設施</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Fuzzing</span><span class="o">/</span> <span class="c1"># Fuzzing Payload</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Passwords</span><span class="o">/</span> <span class="c1"># 密碼字典</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Usernames</span><span class="o">/</span> <span class="c1"># 使用者名稱</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Pattern</span><span class="o">-</span><span class="n">Matching</span><span class="o">/</span> <span class="c1"># 敏感資料模式</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Payloads</span><span class="o">/</span> <span class="c1"># 攻擊 Payload</span> </span></span><span class="line"><span class="cl"><span class="err">└──</span> <span class="n">Miscellaneous</span><span class="o">/</span> <span class="c1"># 其他</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="常用字典">常用字典</h2> <h3 id="目錄掃描">目錄掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 常見目錄</span> </span></span><span class="line"><span class="cl">Discovery/Web-Content/common.txt </span></span><span class="line"><span class="cl">Discovery/Web-Content/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 備份檔案</span> </span></span><span class="line"><span class="cl">Discovery/Web-Content/Common-Backups/common-backup-files.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># API 端點</span> </span></span><span class="line"><span class="cl">Discovery/Web-Content/api/api-endpoints.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="子域名列舉">子域名列舉</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 子域名字典</span> </span></span><span class="line"><span class="cl">Discovery/DNS/subdomains-top1million-5000.txt </span></span><span class="line"><span class="cl">Discovery/DNS/subdomains-top1million-20000.txt </span></span><span class="line"><span class="cl">Discovery/DNS/subdomains-top1million-110000.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># DNS 記錄類型</span> </span></span><span class="line"><span class="cl">Discovery/DNS/dns-jhaddix.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="密碼攻擊">密碼攻擊</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 常見密碼</span> </span></span><span class="line"><span class="cl">Passwords/Common-Credentials/10k-most-common.txt </span></span><span class="line"><span class="cl">Passwords/Common-Credentials/best1050.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 洩漏密碼</span> </span></span><span class="line"><span class="cl">Passwords/Leaked-Databases/rockyou.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 預設憑證</span> </span></span><span class="line"><span class="cl">Passwords/Default-Credentials/default-passwords.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="使用者名稱">使用者名稱</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 常見使用者名稱</span> </span></span><span class="line"><span class="cl">Usernames/Names/names.txt </span></span><span class="line"><span class="cl">Usernames/top-usernames-shortlist.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 特定服務</span> </span></span><span class="line"><span class="cl">Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="實戰應用">實戰應用</h2> <h3 id="目錄-fuzzingffuf">目錄 Fuzzing(ffuf)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -u https://target.com/FUZZ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -mc 200,301,302,403 </span></span></code></pre></td></tr></table> </div> </div><h3 id="子域名掃描subfinder">子域名掃描(Subfinder)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="密碼爆破hydra">密碼爆破(Hydra)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> target.com ssh </span></span></code></pre></td></tr></table> </div> </div><h3 id="參數-fuzzingburp">參數 Fuzzing(Burp)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 使用 Burp Intruder 載入</span> </span></span><span class="line"><span class="cl">Fuzzing/LFI/LFI-Jhaddix.txt </span></span><span class="line"><span class="cl">Fuzzing/SQLi/Generic-SQLi.txt </span></span><span class="line"><span class="cl">Fuzzing/XSS/XSS-Jhaddix.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="api-測試nuclei">API 測試(Nuclei)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nuclei -u https://api.target.com <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="常用字典推薦">常用字典推薦</h2> <h3 id="web-安全測試">Web 安全測試</h3> <table> <thead> <tr> <th>用途</th> <th>字典路徑</th> </tr> </thead> <tbody> <tr> <td>目錄掃描</td> <td><code>Discovery/Web-Content/raft-large-directories.txt</code></td> </tr> <tr> <td>檔案掃描</td> <td><code>Discovery/Web-Content/raft-large-files.txt</code></td> </tr> <tr> <td>參數名稱</td> <td><code>Discovery/Web-Content/burp-parameter-names.txt</code></td> </tr> <tr> <td>敏感檔案</td> <td><code>Discovery/Web-Content/quickhits.txt</code></td> </tr> </tbody> </table> <h3 id="sql-injection">SQL Injection</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Fuzzing/SQLi/Generic-SQLi.txt </span></span><span class="line"><span class="cl">Fuzzing/SQLi/Generic-BlindSQLi.txt </span></span><span class="line"><span class="cl">Fuzzing/SQLi/quick-SQLi.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="xss">XSS</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Fuzzing/XSS/XSS-Jhaddix.txt </span></span><span class="line"><span class="cl">Fuzzing/XSS/XSS-Cheat-Sheet-PortSwigger.txt </span></span><span class="line"><span class="cl">Fuzzing/XSS/xss-payload-list.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="lfipath-traversal">LFI/Path Traversal</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Fuzzing/LFI/LFI-Jhaddix.txt </span></span><span class="line"><span class="cl">Fuzzing/LFI/LFI-gracefulsecurity-linux.txt </span></span><span class="line"><span class="cl">Fuzzing/LFI/LFI-gracefulsecurity-windows.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssrf">SSRF</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Fuzzing/SSRF/SSRF-HTTP.txt </span></span><span class="line"><span class="cl">Fuzzing/SSRF/SSRF-DNS.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="自訂字典">自訂字典</h2> <h3 id="建立專案字典">建立專案字典</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 從網站收集關鍵字</span> </span></span><span class="line"><span class="cl">cewl https://target.com -d <span class="m">3</span> -w custom-wordlist.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 合併字典</span> </span></span><span class="line"><span class="cl">cat /usr/share/seclists/Discovery/Web-Content/common.txt custom-wordlist.txt <span class="p">|</span> sort -u &gt; combined.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="密碼變形">密碼變形</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 使用 hashcat 規則</span> </span></span><span class="line"><span class="cl">hashcat --stdout -r /usr/share/hashcat/rules/best64.rule passwords.txt &gt; mutated.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="工具整合">工具整合</h2> <h3 id="ffuf-設定">ffuf 設定</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># ~/.ffufrc</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>input<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">wordlist</span> <span class="o">=</span> /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>output<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">format</span> <span class="o">=</span> json </span></span></code></pre></td></tr></table> </div> </div><h3 id="burp-suite">Burp Suite</h3> <ol> <li>Intruder → Payloads → Load</li> <li>選擇 SecLists 字典</li> <li>設定 Payload Processing</li> </ol> <h3 id="nuclei">Nuclei</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># 自訂模板使用 SecLists</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">GET</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{BaseURL}}/{{path}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">payloads</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/usr/share/seclists/Discovery/Web-Content/common.txt</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/danielmiessler/SecLists" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://github.com/fuzzdb-project/fuzzdb" target="_blank" rel="noopener" >FuzzDB</a></li> <li><a class="link" href="https://github.com/swisskyrepo/PayloadsAllTheThings" target="_blank" rel="noopener" >PayloadsAllTheThings</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/nuclei-vulnerability-scanner/" >Nuclei 漏洞掃描工具</a></li> <li><a class="link" href="https://astroicers.link/p/ffuf-web-fuzzer/" >ffuf 網頁 Fuzzing 工具</a></li> <li><a class="link" href="https://astroicers.link/p/subfinder-subdomain-enumeration/" >Subfinder 子域名列舉工具</a></li> </ul>Nuclei 漏洞掃描工具完整指南https://astroicers.link/p/nuclei-%E6%BC%8F%E6%B4%9E%E6%8E%83%E6%8F%8F%E5%B7%A5%E5%85%B7%E5%AE%8C%E6%95%B4%E6%8C%87%E5%8D%97.htmlFri, 06 Mar 2026 00:00:00 +0000https://astroicers.link/p/nuclei-%E6%BC%8F%E6%B4%9E%E6%8E%83%E6%8F%8F%E5%B7%A5%E5%85%B7%E5%AE%8C%E6%95%B4%E6%8C%87%E5%8D%97.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/projectdiscovery/nuclei" target="_blank" rel="noopener" >Nuclei</a> 是 ProjectDiscovery 開發的快速漏洞掃描工具,使用 YAML 模板定義掃描規則。擁有社群維護的數千種模板,涵蓋 CVE、錯誤設定、敏感資訊洩露等。</p> <p><strong>GitHub Stars</strong>: 27K+</p> <h2 id="主要功能">主要功能</h2> <ul> <li><strong>模板驅動</strong> - 使用 YAML 定義掃描規則</li> <li><strong>高效能</strong> - Go 語言開發,支援大規模掃描</li> <li><strong>社群模板</strong> - 數千種現成的漏洞檢測模板</li> <li><strong>自訂模板</strong> - 可撰寫自己的檢測規則</li> <li><strong>多協定支援</strong> - HTTP、DNS、TCP、SSL 等</li> </ul> <h2 id="安裝">安裝</h2> <h3 id="go-install">Go Install</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="homebrew">Homebrew</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install nuclei </span></span></code></pre></td></tr></table> </div> </div><h3 id="docker">Docker</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker pull projectdiscovery/nuclei:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="更新模板">更新模板</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nuclei -update-templates </span></span></code></pre></td></tr></table> </div> </div><h2 id="基本使用">基本使用</h2> <h3 id="掃描單一目標">掃描單一目標</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nuclei -u https://example.com </span></span></code></pre></td></tr></table> </div> </div><h3 id="掃描多個目標">掃描多個目標</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nuclei -l targets.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="指定模板">指定模板</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 使用特定模板</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -t cves/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 使用多個模板目錄</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -t cves/ -t vulnerabilities/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 排除模板</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -exclude-templates dos/ </span></span></code></pre></td></tr></table> </div> </div><h3 id="依嚴重度過濾">依嚴重度過濾</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 只掃描 critical 和 high</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -severity critical,high </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 排除 info 等級</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -exclude-severity info </span></span></code></pre></td></tr></table> </div> </div><h2 id="進階選項">進階選項</h2> <h3 id="效能調整">效能調整</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 調整並行數</span> </span></span><span class="line"><span class="cl">nuclei -l targets.txt -c <span class="m">50</span> -rl <span class="m">150</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># -c: 並行模板數</span> </span></span><span class="line"><span class="cl"><span class="c1"># -rl: 每秒請求限制</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="輸出格式">輸出格式</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># JSON 輸出</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -json -o results.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Markdown 輸出</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -me output/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># SARIF 格式(整合 CI/CD)</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -sarif-export results.sarif </span></span></code></pre></td></tr></table> </div> </div><h3 id="代理設定">代理設定</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># HTTP 代理</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -proxy http://127.0.0.1:8080 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 搭配 Burp Suite</span> </span></span><span class="line"><span class="cl">nuclei -u https://example.com -proxy http://127.0.0.1:8080 -H <span class="s2">&#34;Cookie: session=xxx&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="模板語法">模板語法</h2> <h3 id="基本結構">基本結構</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">example-detection</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">info</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Example Vulnerability Detection</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">author</span><span class="p">:</span><span class="w"> </span><span class="l">your-name</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">high</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l">描述這個漏洞</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span><span class="l">cve,example</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">GET</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{BaseURL}}/vulnerable-endpoint&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">word</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">words</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;vulnerable response&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="http-請求模板">HTTP 請求模板</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">sql-injection-check</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">info</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">SQL Injection Check</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">critical</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">GET</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{BaseURL}}/search?q=test&#39;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchers-condition</span><span class="p">:</span><span class="w"> </span><span class="l">and</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">word</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">words</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;SQL syntax&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;mysql_fetch&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="l">or</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">status</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">500</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="使用變數">使用變數</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">raw</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> POST /login HTTP/1.1 </span></span></span><span class="line"><span class="cl"><span class="sd"> Host: {{Hostname}} </span></span></span><span class="line"><span class="cl"><span class="sd"> Content-Type: application/json </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> {&#34;username&#34;:&#34;{{username}}&#34;,&#34;password&#34;:&#34;{{password}}&#34;}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">payloads</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">admin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">administrator</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">admin123</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">password</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">attack</span><span class="p">:</span><span class="w"> </span><span class="l">clusterbomb</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="workflow-模板">Workflow 模板</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress-workflow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">info</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">WordPress Security Check</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">author</span><span class="p">:</span><span class="w"> </span><span class="l">your-name</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">workflows</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">template</span><span class="p">:</span><span class="w"> </span><span class="l">technologies/wordpress-detect.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">subtemplates</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">template</span><span class="p">:</span><span class="w"> </span><span class="l">vulnerabilities/wordpress/*.yaml</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="實戰範例">實戰範例</h2> <h3 id="bug-bounty-流程">Bug Bounty 流程</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 子域名收集</span> </span></span><span class="line"><span class="cl">subfinder -d target.com -o subdomains.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 存活檢測</span> </span></span><span class="line"><span class="cl">httpx -l subdomains.txt -o alive.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. 漏洞掃描</span> </span></span><span class="line"><span class="cl">nuclei -l alive.txt -t cves/ -t vulnerabilities/ -severity critical,high -o findings.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="cicd-整合">CI/CD 整合</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># .github/workflows/security-scan.yml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Security Scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">on</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">push]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nuclei</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">projectdiscovery/nuclei-action@main</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">https://example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">templates</span><span class="p">:</span><span class="w"> </span><span class="l">cves/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sarif-export</span><span class="p">:</span><span class="w"> </span><span class="l">nuclei.sarif</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">github/codeql-action/upload-sarif@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sarif_file</span><span class="p">:</span><span class="w"> </span><span class="l">nuclei.sarif</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="自動化監控">自動化監控</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="c1"># daily-scan.sh</span> </span></span><span class="line"><span class="cl">nuclei -l targets.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -t cves/ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -severity critical,high <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -new-templates <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -json -o <span class="s2">&#34;scans/</span><span class="k">$(</span>date +%Y%m%d<span class="k">)</span><span class="s2">.json&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 比對新發現</span> </span></span><span class="line"><span class="cl">diff scans/<span class="k">$(</span>date +%Y%m%d<span class="k">)</span>.json scans/<span class="k">$(</span>date -d <span class="s2">&#34;yesterday&#34;</span> +%Y%m%d<span class="k">)</span>.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="常用模板分類">常用模板分類</h2> <table> <thead> <tr> <th>分類</th> <th>說明</th> </tr> </thead> <tbody> <tr> <td><code>cves/</code></td> <td>CVE 漏洞檢測</td> </tr> <tr> <td><code>vulnerabilities/</code></td> <td>已知漏洞</td> </tr> <tr> <td><code>exposures/</code></td> <td>敏感資訊洩露</td> </tr> <tr> <td><code>misconfiguration/</code></td> <td>錯誤設定</td> </tr> <tr> <td><code>default-logins/</code></td> <td>預設憑證</td> </tr> <tr> <td><code>takeovers/</code></td> <td>子域名接管</td> </tr> <tr> <td><code>technologies/</code></td> <td>技術偵測</td> </tr> </tbody> </table> <h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/projectdiscovery/nuclei" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://github.com/projectdiscovery/nuclei-templates" target="_blank" rel="noopener" >模板庫</a></li> <li><a class="link" href="https://docs.projectdiscovery.io/tools/nuclei" target="_blank" rel="noopener" >官方文件</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/subfinder-subdomain-enumeration/" >Subfinder 子域名列舉工具</a></li> <li><a class="link" href="https://astroicers.link/p/ffuf-web-fuzzer/" >ffuf 網頁 Fuzzing 工具</a></li> <li><a class="link" href="https://astroicers.link/p/seclists-pentest-wordlists/" >SecLists 滲透測試字典</a></li> </ul>