wordlist on Astroicers Bloghttps://astroicers.link/tags/wordlist.htmlRecent content in wordlist on Astroicers BlogHugo -- gohugo.ioenTue, 10 Mar 2026 00:00:00 +0000SecLists 滲透測試字典集合https://astroicers.link/p/seclists-%E6%BB%B2%E9%80%8F%E6%B8%AC%E8%A9%A6%E5%AD%97%E5%85%B8%E9%9B%86%E5%90%88.htmlTue, 10 Mar 2026 00:00:00 +0000https://astroicers.link/p/seclists-%E6%BB%B2%E9%80%8F%E6%B8%AC%E8%A9%A6%E5%AD%97%E5%85%B8%E9%9B%86%E5%90%88.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/danielmiessler/SecLists" target="_blank" rel="noopener" >SecLists</a> 是滲透測試和安全研究中最常用的字典集合。包含使用者名稱、密碼、URL、敏感資料模式、Fuzzing Payload 等,是 Bug Bounty 和紅隊演練的必備工具。</p> <p><strong>GitHub Stars</strong>: 68K+</p> <h2 id="安裝">安裝</h2> <h3 id="git-clone">Git Clone</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone --depth <span class="m">1</span> https://github.com/danielmiessler/SecLists.git </span></span></code></pre></td></tr></table> </div> </div><h3 id="kali-linux">Kali Linux</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt install seclists </span></span><span class="line"><span class="cl"><span class="c1"># 安裝位置:/usr/share/seclists</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="homebrew">Homebrew</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install seclists </span></span></code></pre></td></tr></table> </div> </div><h2 id="目錄結構">目錄結構</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">SecLists</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Discovery</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">DNS</span><span class="o">/</span> <span class="c1"># 子域名字典</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">Web</span><span class="o">-</span><span class="n">Content</span><span class="o">/</span> <span class="c1"># 目錄和檔案</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">Infrastructure</span><span class="o">/</span> <span class="c1"># 基礎設施</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Fuzzing</span><span class="o">/</span> <span class="c1"># Fuzzing Payload</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Passwords</span><span class="o">/</span> <span class="c1"># 密碼字典</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Usernames</span><span class="o">/</span> <span class="c1"># 使用者名稱</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Pattern</span><span class="o">-</span><span class="n">Matching</span><span class="o">/</span> <span class="c1"># 敏感資料模式</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">Payloads</span><span class="o">/</span> <span class="c1"># 攻擊 Payload</span> </span></span><span class="line"><span class="cl"><span class="err">└──</span> <span class="n">Miscellaneous</span><span class="o">/</span> <span class="c1"># 其他</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="常用字典">常用字典</h2> <h3 id="目錄掃描">目錄掃描</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 常見目錄</span> </span></span><span class="line"><span class="cl">Discovery/Web-Content/common.txt </span></span><span class="line"><span class="cl">Discovery/Web-Content/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 備份檔案</span> </span></span><span class="line"><span class="cl">Discovery/Web-Content/Common-Backups/common-backup-files.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># API 端點</span> </span></span><span class="line"><span class="cl">Discovery/Web-Content/api/api-endpoints.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="子域名列舉">子域名列舉</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 子域名字典</span> </span></span><span class="line"><span class="cl">Discovery/DNS/subdomains-top1million-5000.txt </span></span><span class="line"><span class="cl">Discovery/DNS/subdomains-top1million-20000.txt </span></span><span class="line"><span class="cl">Discovery/DNS/subdomains-top1million-110000.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># DNS 記錄類型</span> </span></span><span class="line"><span class="cl">Discovery/DNS/dns-jhaddix.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="密碼攻擊">密碼攻擊</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 常見密碼</span> </span></span><span class="line"><span class="cl">Passwords/Common-Credentials/10k-most-common.txt </span></span><span class="line"><span class="cl">Passwords/Common-Credentials/best1050.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 洩漏密碼</span> </span></span><span class="line"><span class="cl">Passwords/Leaked-Databases/rockyou.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 預設憑證</span> </span></span><span class="line"><span class="cl">Passwords/Default-Credentials/default-passwords.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="使用者名稱">使用者名稱</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 常見使用者名稱</span> </span></span><span class="line"><span class="cl">Usernames/Names/names.txt </span></span><span class="line"><span class="cl">Usernames/top-usernames-shortlist.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 特定服務</span> </span></span><span class="line"><span class="cl">Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="實戰應用">實戰應用</h2> <h3 id="目錄-fuzzingffuf">目錄 Fuzzing(ffuf)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -u https://target.com/FUZZ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -mc 200,301,302,403 </span></span></code></pre></td></tr></table> </div> </div><h3 id="子域名掃描subfinder">子域名掃描(Subfinder)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">subfinder -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="密碼爆破hydra">密碼爆破(Hydra)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> target.com ssh </span></span></code></pre></td></tr></table> </div> </div><h3 id="參數-fuzzingburp">參數 Fuzzing(Burp)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 使用 Burp Intruder 載入</span> </span></span><span class="line"><span class="cl">Fuzzing/LFI/LFI-Jhaddix.txt </span></span><span class="line"><span class="cl">Fuzzing/SQLi/Generic-SQLi.txt </span></span><span class="line"><span class="cl">Fuzzing/XSS/XSS-Jhaddix.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="api-測試nuclei">API 測試(Nuclei)</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nuclei -u https://api.target.com <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="常用字典推薦">常用字典推薦</h2> <h3 id="web-安全測試">Web 安全測試</h3> <table> <thead> <tr> <th>用途</th> <th>字典路徑</th> </tr> </thead> <tbody> <tr> <td>目錄掃描</td> <td><code>Discovery/Web-Content/raft-large-directories.txt</code></td> </tr> <tr> <td>檔案掃描</td> <td><code>Discovery/Web-Content/raft-large-files.txt</code></td> </tr> <tr> <td>參數名稱</td> <td><code>Discovery/Web-Content/burp-parameter-names.txt</code></td> </tr> <tr> <td>敏感檔案</td> <td><code>Discovery/Web-Content/quickhits.txt</code></td> </tr> </tbody> </table> <h3 id="sql-injection">SQL Injection</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Fuzzing/SQLi/Generic-SQLi.txt </span></span><span class="line"><span class="cl">Fuzzing/SQLi/Generic-BlindSQLi.txt </span></span><span class="line"><span class="cl">Fuzzing/SQLi/quick-SQLi.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="xss">XSS</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Fuzzing/XSS/XSS-Jhaddix.txt </span></span><span class="line"><span class="cl">Fuzzing/XSS/XSS-Cheat-Sheet-PortSwigger.txt </span></span><span class="line"><span class="cl">Fuzzing/XSS/xss-payload-list.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="lfipath-traversal">LFI/Path Traversal</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Fuzzing/LFI/LFI-Jhaddix.txt </span></span><span class="line"><span class="cl">Fuzzing/LFI/LFI-gracefulsecurity-linux.txt </span></span><span class="line"><span class="cl">Fuzzing/LFI/LFI-gracefulsecurity-windows.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssrf">SSRF</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Fuzzing/SSRF/SSRF-HTTP.txt </span></span><span class="line"><span class="cl">Fuzzing/SSRF/SSRF-DNS.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="自訂字典">自訂字典</h2> <h3 id="建立專案字典">建立專案字典</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 從網站收集關鍵字</span> </span></span><span class="line"><span class="cl">cewl https://target.com -d <span class="m">3</span> -w custom-wordlist.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 合併字典</span> </span></span><span class="line"><span class="cl">cat /usr/share/seclists/Discovery/Web-Content/common.txt custom-wordlist.txt <span class="p">|</span> sort -u &gt; combined.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="密碼變形">密碼變形</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 使用 hashcat 規則</span> </span></span><span class="line"><span class="cl">hashcat --stdout -r /usr/share/hashcat/rules/best64.rule passwords.txt &gt; mutated.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="工具整合">工具整合</h2> <h3 id="ffuf-設定">ffuf 設定</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># ~/.ffufrc</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>input<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">wordlist</span> <span class="o">=</span> /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>output<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">format</span> <span class="o">=</span> json </span></span></code></pre></td></tr></table> </div> </div><h3 id="burp-suite">Burp Suite</h3> <ol> <li>Intruder → Payloads → Load</li> <li>選擇 SecLists 字典</li> <li>設定 Payload Processing</li> </ol> <h3 id="nuclei">Nuclei</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># 自訂模板使用 SecLists</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">GET</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{BaseURL}}/{{path}}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">payloads</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/usr/share/seclists/Discovery/Web-Content/common.txt</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/danielmiessler/SecLists" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://github.com/fuzzdb-project/fuzzdb" target="_blank" rel="noopener" >FuzzDB</a></li> <li><a class="link" href="https://github.com/swisskyrepo/PayloadsAllTheThings" target="_blank" rel="noopener" >PayloadsAllTheThings</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/nuclei-vulnerability-scanner/" >Nuclei 漏洞掃描工具</a></li> <li><a class="link" href="https://astroicers.link/p/ffuf-web-fuzzer/" >ffuf 網頁 Fuzzing 工具</a></li> <li><a class="link" href="https://astroicers.link/p/subfinder-subdomain-enumeration/" >Subfinder 子域名列舉工具</a></li> </ul>