Back to Details

pentest-report

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

渗透测试报告生成技能

Penetration Testing Report Generation Skill

授权声明

Authorization Declaration

本 Skill 仅用于生成授权渗透测试的报告。使用前请确保:
  • 测试已获得目标系统所有者的明确书面授权
  • 所有漏洞发现均来自合法授权的测试活动
  • 报告仅发送给授权人员
  • 遵守当地法律法规和数据保护要求
未经授权的渗透测试是非法行为。
This Skill is only used to generate reports for authorized penetration testing. Before use, ensure that:
  • The testing has obtained explicit written authorization from the owner of the target system
  • All vulnerability discoveries come from legally authorized testing activities
  • The report is only sent to authorized personnel
  • Comply with local laws, regulations, and data protection requirements
Unauthorized penetration testing is illegal.

技能用途

Skill Usage

在以下情况下使用此技能:
  • 用户要求生成渗透测试报告
  • 用户要求输出安全测试结果
  • 用户需要总结漏洞发现
  • 用户明确提到"按格式生成报告"或"按照模板"
Use this skill in the following situations:
  • Users request to generate penetration testing reports
  • Users request to output security testing results
  • Users need to summarize vulnerability discoveries
  • Users explicitly mention "generate report according to format" or "follow template"

报告格式要求

Report Format Requirements

必需章节

Mandatory Sections

所有报告必须包含以下章节,按顺序排列:
  1. 标题和项目信息表
    • 格式:
      # 渗透测试报告:[目标系统名称/项目名称]
    • 包含 4 字段表格:测试目标、测试时间、测试人员、报告日期
  2. 漏洞发现清单 (Vulnerability Summary)
    • 表格形式,包含列:ID、漏洞标题、风险等级、状态
    • ID 格式:VL-001, VL-002, VL-003...
    • 风险等级图标:🔴严重、🟠高危、🟡中危、🔵低危、⚪信息
  3. 漏洞详情 (Detailed Findings)
    • 每个漏洞一个独立章节
    • 章节标题:
      ### [VL-XXX] 漏洞标题
    • 必须包含 4 个子章节: 
      • #### 2.1 漏洞描述
      • #### 2.2 复现步骤 (Proof of Concept)
      • #### 2.3 证据截图
      • #### 2.4 修复建议
  4. 附录 (Appendix)
    • ### 3.1 风险等级定义
      - 风险等级表格
    • ### 3.2 CVSS 评分说明
      - CVSS v3.1 说明
    • ### 3.3 泄露凭证列表
      (如有)
    • ### 3.4 测试工具参考
      - 工具表格
    • ### 3.5 词汇表
    • ### 3.6 参考文档
  5. 报告签署
    • 测试人员信息
    • 免责声明
All reports must include the following sections in order:
  1. Title and Project Information Sheet
    • Format: 
      # Penetration Testing Report: [Target System Name/Project Name]
    • Contains a 4-field table: Testing Target, Testing Time, Testers, Report Date
  2. Vulnerability Summary
    • In table format, with columns: ID, Vulnerability Title, Risk Level, Status
    • ID format: VL-001, VL-002, VL-003...
    • Risk level icons: 🔴Critical, 🟠High, 🟡Medium, 🔵Low, ⚪Info
  3. Detailed Findings
    • Each vulnerability has an independent section
    • Section title: 
      ### [VL-XXX] Vulnerability Title
    • Must include 4 sub-sections: 
      • #### 2.1 Vulnerability Description
      • #### 2.2 Proof of Concept (Reproduction Steps)
      • #### 2.3 Evidence Screenshots
      • #### 2.4 Remediation Suggestions
  4. Appendix
    • ### 3.1 Risk Level Definition
      - Risk level table
    • ### 3.2 CVSS Scoring Explanation
      - CVSS v3.1 description
    • ### 3.3 Leaked Credentials List
      (if applicable)
    • ### 3.4 Testing Tools Reference
      - Tools table
    • ### 3.5 Glossary
    • ### 3.6 Reference Documents
  5. Report Sign-off
    • Tester information
    • Disclaimer

漏洞详情章节格式

Detailed Vulnerability Section Format

每个漏洞章节必须以属性表格开始:
markdown
| 属性 | 详情 |
| :--- | :--- |
| **风险等级** | 🔴 **严重 (Critical)** / 🟠 **高危 (High)** / 🟡 **中危 (Medium)** / 🔵 **低危 (Low)** |
| **CVSS 评分** | 0.0 - 10.0 |
| **漏洞类型** | [漏洞类型] |
| **受影响URL** | `[完整URL]` |
| **参数** | `[参数名]`(如有)|
Each vulnerability section must start with an attribute table:
markdown
| Attribute | Details |
| :--- | :--- |
| **Risk Level** | 🔴 **Critical** / 🟠 **High** / 🟡 **Medium** / 🔵 **Low** |
| **CVSS Score** | 0.0 - 10.0 |
| **Vulnerability Type** | [Vulnerability Type] |
| **Affected URL** | `[Full URL]` |
| **Parameter** | `[Parameter Name]` (if applicable)|

代码块格式

Code Block Format

  • HTTP 请求使用 
    http
    语言标识
http
POST /api/login HTTP/1.1
Host: example.com
Content-Type: application/json

{"username":"admin","password":"123456"}
  • Bash 命令使用 
    bash
    语言标识
bash
sqlmap -u "http://target.com" --dbs
  • PHP 代码使用 
    php
    语言标识
php
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
  • HTTP requests use 
    http
    language identifier
http
POST /api/login HTTP/1.1
Host: example.com
Content-Type: application/json

{"username":"admin","password":"123456"}
  • Bash commands use 
    bash
    language identifier
bash
sqlmap -u "http://target.com" --dbs
  • PHP code uses 
    php
    language identifier
php
$stmt = $pdo->prepare("SELECT * FROM users WHERE id =?");
$stmt->execute([$id]);

工作流程

Workflow

生成渗透测试报告时遵循以下步骤:
Follow these steps when generating penetration testing reports:

步骤 1: 收集信息

Step 1: Collect Information

从用户获取以下信息:
  • 测试目标(URL 或系统名称)
  • 测试日期范围
  • 测试人员信息
  • 发现的漏洞列表
  • 每个漏洞的详细信息(类型、影响、证据、PoC)
Obtain the following information from the user:
  • Testing target (URL or system name)
  • Testing date range
  • Tester information
  • List of discovered vulnerabilities
  • Detailed information for each vulnerability (type, impact, evidence, PoC)

步骤 2: 确定漏洞 ID

Step 2: Assign Vulnerability IDs

为每个漏洞分配 ID:
  • 第一个漏洞:VL-001
  • 第二个漏洞:VL-002
  • 以此类推
Assign IDs to each vulnerability:
  • First vulnerability: VL-001
  • Second vulnerability: VL-002
  • And so on

步骤 3: 评估风险等级

Step 3: Assess Risk Level

根据 CVSS 评分确定风险等级:
CVSS 范围风险等级图标
9.0 - 10.0严重 (Critical)🔴
7.0 - 8.9高危 (High)🟠
4.0 - 6.9中危 (Medium)🟡
0.1 - 3.9低危 (Low)🔵
0.0信息 (Info)
Determine risk level based on CVSS score:
CVSS RangeRisk LevelIcon
9.0 - 10.0Critical🔴
7.0 - 8.9High🟠
4.0 - 6.9Medium🟡
0.1 - 3.9Low🔵
0.0Info

步骤 4: 生成报告主体

Step 4: Generate Report Body

按以下顺序生成
  1. 项目信息表 - 填充 4 个必需字段
  2. 漏洞发现清单 - 创建表格,包含所有漏洞的摘要信息
  3. 漏洞详情 - 为每个漏洞创建独立章节:
    • 属性表格(风险等级、CVSS、类型、URL、参数)
    • 2.1 漏洞描述(2-3 段,说明原理、影响、危害)
    • 2.2 复现步骤(详细的步骤,包含 HTTP 请求和命令)
    • 2.3 证据截图(占位符或描述)
    • 2.4 修复建议(包含错误和正确代码示例)
  4. 附录 - 按模板包含所有必需子章节
Generate in the following order:
  1. Project Information Sheet - Fill in the 4 mandatory fields
  2. Vulnerability Summary - Create a table with summary information of all vulnerabilities
  3. Detailed Findings - Create independent sections for each vulnerability:
    • Attribute table (risk level, CVSS, type, URL, parameter)
    • 2.1 Vulnerability Description (2-3 paragraphs explaining principle, impact, harm)
    • 2.2 Reproduction Steps (detailed steps including HTTP requests and commands)
    • 2.3 Evidence Screenshots (placeholder or description)
    • 2.4 Remediation Suggestions (including incorrect and correct code examples)
  4. Appendix - Include all mandatory sub-sections as per template

步骤 5: 验证格式

Step 5: Verify Format

生成报告后检查:
  • 标题格式正确
  • 项目信息表包含 4 个字段
  • 漏洞发现清单包含 ID、标题、风险等级、状态
  • 每个漏洞有属性表格
  • 每个漏洞有 4 个子章节(2.1-2.4)
  • 附录包含所有必需子章节
  • 风险等级使用正确的图标
  • 代码块使用正确的语言标识
After generating the report, check:
  • Correct title format
  • Project information sheet contains 4 fields
  • Vulnerability Summary includes ID, title, risk level, status
  • Each vulnerability has an attribute table
  • Each vulnerability has 4 sub-sections (2.1-2.4)
  • Appendix includes all mandatory sub-sections
  • Correct icons used for risk levels
  • Correct language identifiers used for code blocks

步骤 6: 输出报告

Step 6: Output Report

将生成的报告保存到用户的 reports 目录:
/Users/huimingliao/Documents/code/pentest-skills/reports/
文件命名格式:
pentest_report_[目标系统]_[日期].md
Save the generated report to the user's reports directory:
/Users/huimingliao/Documents/code/pentest-skills/reports/
File naming format:
pentest_report_[Target System]_[Date].md

重要注意事项

Important Notes

必须遵守的格式规则

Mandatory Format Rules

  1. 表格格式:所有表格必须包含表头分隔行 
    | :--- | :--- |
  2. 风险等级图标:必须使用指定的 emoji 图标
  3. 章节编号:严格遵守 2.1、2.2、2.3、2.4 的子章节编号
  4. 代码语言:所有代码块必须指定语言标识
  5. ID 格式:漏洞 ID 必须是 VL-XXX 格式,3 位数字
  1. Table Format: All tables must include header separator line 
    | :--- | :--- |
  2. Risk Level Icons: Must use the specified emoji icons
  3. Section Numbering: Strictly follow sub-section numbering 2.1, 2.2, 2.3, 2.4
  4. Code Language: All code blocks must specify language identifiers
  5. ID Format: Vulnerability IDs must be in VL-XXX format with 3-digit numbers

避免常见错误

Avoid Common Mistakes

❌ 不要省略附录章节 ❌ 不要混合使用不同的风险等级表示方式 ❌ 不要在属性表中缺少必需字段 ❌ 不要在复现步骤中省略 HTTP 请求示例 ❌ 不要在修复建议中只提供文字说明(必须包含代码示例)
✅ 每个漏洞必须包含完整的 4 个子章节 ✅ 修复建议必须包含代码对比(错误 vs 正确) ✅ 所有表格必须有正确的 Markdown 格式 ✅ 必须包含免责声明
❌ Do not omit appendix sections ❌ Do not mix different risk level representations ❌ Do not miss mandatory fields in attribute tables ❌ Do not omit HTTP request examples in reproduction steps ❌ Do not provide only text descriptions in remediation suggestions (must include code examples)
✅ Each vulnerability must include all 4 complete sub-sections ✅ Remediation suggestions must include code comparisons (incorrect vs correct) ✅ All tables must have correct Markdown format ✅ Must include disclaimer

模板资源位置

Template Resource Locations

  • 报告模板
    /Users/huimingliao/Documents/code/pentest-skills/templates/pentest_report_template.md
  • 参考报告
    /Users/huimingliao/Documents/code/pentest-skills/reports/pentest_report_localhost_9999_v2.md
  • 报告目录
    /Users/huimingliao/Documents/code/pentest-skills/reports/
  • Report Template: 
    /Users/huimingliao/Documents/code/pentest-skills/templates/pentest_report_template.md
  • Reference Report: 
    /Users/huimingliao/Documents/code/pentest-skills/reports/pentest_report_localhost_9999_v2.md
  • Report Directory: 
    /Users/huimingliao/Documents/code/pentest-skills/reports/