pentest-exploit-validation

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Pentest Exploit Validation

渗透测试漏洞利用验证

Purpose

目的

Validate vulnerability findings through proof-driven exploitation using Shannon's 4-level evidence system. Consumes the exploitation queue from white-box code review, attempts structured exploitation with bypass exhaustion, collects mandatory evidence per vulnerability type, and classifies each finding as EXPLOITED, POTENTIAL, or FALSE_POSITIVE.

通过基于Shannon四级证据系统的循证漏洞利用，验证漏洞发现结果。接收白盒代码审查生成的漏洞利用队列，采用结构化利用方式并穷尽绕过手段，针对不同漏洞类型收集强制证据，将每个发现分类为EXPLOITED、POTENTIAL或FALSE_POSITIVE。

Prerequisites

前提条件

Authorization Requirements

授权要求

Written authorization with explicit scope for active exploitation testing
Exploitation queue JSON from pentest-whitebox-code-review output
Test accounts at multiple privilege levels for authz testing
Data exfiltration approval — confirm acceptable proof-of-concept scope
Rollback plan for any data-mutating exploits

书面授权：明确包含主动利用测试的范围
漏洞利用队列JSON：来自pentest-whitebox-code-review的输出结果
多权限测试账号：用于权限验证测试
数据导出审批：确认可接受的概念验证范围
回滚计划：针对任何会修改数据的漏洞利用方案

Environment Setup

环境搭建

sqlmap for automated SQL injection exploitation
Burp Suite Professional with Repeater, Intruder, and Turbo Intruder
curl for manual HTTP request crafting
Playwright for browser-based exploitation (XSS, CSRF)
nuclei with custom templates for automated validation
Isolated testing environment or explicit production testing approval

sqlmap：用于自动化SQL注入利用
Burp Suite Professional：搭配Repeater、Intruder和Turbo Intruder组件
curl：用于手动构造HTTP请求
Playwright：用于基于浏览器的漏洞利用（如XSS、CSRF）
nuclei：搭配自定义模板进行自动化漏洞验证
隔离测试环境或明确的生产环境测试授权

Core Workflow

核心工作流

Queue Intake: Parse exploitation queue JSON, validate schema, prioritize by confidence score and impact severity. Group findings by vulnerability type for parallel exploitation.
Injection Exploitation: Confirm injectable parameter → fingerprint backend (DB type, OS) → enumerate databases/tables → demonstrate data exfiltration with minimal footprint.
XSS Exploitation: Graph traversal from source → processing → sanitization → sink. Craft context-appropriate payload, demonstrate session hijack or DOM manipulation.
Auth Exploitation: Attack authentication weaknesses → demonstrate account takeover via credential stuffing, token forgery, or session hijack.
Authz Exploitation: Horizontal access (cross-user data) → vertical escalation (admin functions) → workflow bypass (state manipulation).
SSRF Exploitation: Internal service access → cloud metadata retrieval (169.254.169.254) → internal network reconnaissance.
Bypass Exhaustion: For each finding, attempt 3 initial payloads → if blocked, escalate to 8-10 bypass variations → if still blocked, deploy automated tool variants.
Impact Escalation: Escalate from proof-of-concept to real impact demonstration — data exfiltration, session hijacking, or remote code execution.
Evidence Collection: Collect mandatory evidence per vulnerability type using per-type checklists.
Classification: Assign final classification — EXPLOITED, POTENTIAL, or FALSE_POSITIVE — based on 4-level proof system.

队列接收：解析漏洞利用队列JSON，验证schema，按置信度评分和影响严重程度排序。按漏洞类型分组以并行开展利用工作。
注入漏洞利用：确认可注入参数 → 识别后端信息（数据库类型、操作系统）→ 枚举数据库/表 → 以最小痕迹演示数据导出。
XSS漏洞利用：从源头→处理→sanitization→输出点的全链路遍历。构造符合上下文的payload，演示会话劫持或DOM操纵。
认证漏洞利用：攻击认证机制弱点 → 通过凭证填充、令牌伪造或会话劫持演示账号接管。
授权漏洞利用：横向越权（跨用户数据访问）→ 纵向提权（管理员功能访问）→ 工作流绕过（状态操纵）。
SSRF漏洞利用：访问内部服务 → 获取云元数据（169.254.169.254）→ 内部网络侦察。
绕过穷尽测试：针对每个漏洞发现，先尝试3个初始payload → 若被拦截，升级为8-10种绕过变体 → 若仍被拦截，部署自动化工具变体。
影响升级：从概念验证升级为实际影响演示——数据导出、会话劫持或远程代码执行（RCE）。
证据收集：针对不同漏洞类型，使用对应检查清单收集强制证据。
分类标记：基于四级证据系统，分配最终分类——EXPLOITED、POTENTIAL或FALSE_POSITIVE。

4-Level Proof System

四级证据系统

Level	Description	Classification
L1	Weakness identified in code but not confirmed exploitable	POTENTIAL
L2	Partial bypass achieved but full exploitation not demonstrated	POTENTIAL
L3	Vulnerability confirmed with reproducible evidence	EXPLOITED
L4	Critical impact demonstrated (data exfil, RCE, account takeover)	EXPLOITED CRITICAL

级别	描述	分类
L1	代码中识别到弱点，但未确认可被利用	POTENTIAL
L2	实现部分绕过，但未完成完整利用演示	POTENTIAL
L3	漏洞已确认，且有可复现的证据	EXPLOITED
L4	演示了严重影响（数据导出、RCE、账号接管）	EXPLOITED CRITICAL

Classification Criteria

分类标准

Classification	Criteria
EXPLOITED	Reproducible proof with evidence: HTTP request/response, extracted data, or demonstrated impact
POTENTIAL	Code-level weakness confirmed but exploitation blocked by defense-in-depth or environment constraints
FALSE_POSITIVE	Taint analysis flagged but manual review confirms effective sanitization or unreachable code path

分类	判定标准
EXPLOITED	具备可复现的证据：HTTP请求/响应、提取的数据或已演示的影响
POTENTIAL	代码级弱点已确认，但因纵深防御或环境限制无法被利用
FALSE_POSITIVE	污点分析标记，但手动审查确认存在有效的sanitization或代码路径不可达

Tool Categories

工具分类

Category	Tools	Purpose
SQL Injection	sqlmap, manual payloads	Automated and manual SQLi exploitation
Request Crafting	Burp Repeater, curl	Manual HTTP request manipulation
Fuzzing	Burp Intruder, Turbo Intruder	Payload variation and bypass testing
Browser Exploitation	Playwright	XSS demonstration, session hijack
Automation	nuclei, custom scripts	Template-based vulnerability validation
Evidence Capture	Burp Logger, screenshot tools	Request/response logging and proof

分类	工具	用途
SQL注入	sqlmap、手动payload	自动化与手动SQL注入利用
请求构造	Burp Repeater、curl	手动HTTP请求操纵
模糊测试	Burp Intruder、Turbo Intruder	Payload变体测试与绕过验证
浏览器利用	Playwright	XSS演示、会话劫持
自动化工具	nuclei、自定义脚本	基于模板的漏洞验证
证据捕获	Burp Logger、截图工具	请求/响应日志记录与证据留存

References

参考资料

```
references/tools.md
```
- Tool function signatures and parameters
```
references/workflows.md
```
- Exploitation workflows, evidence checklists, and classification tree

```
references/tools.md
```
- 工具函数签名与参数说明
```
references/workflows.md
```
- 漏洞利用工作流、证据检查清单与分类树