
Vuln Research
Apply a layered security-research playbook—attack surface, hypothesis loops, bypass thinking—for audits, pentests, red team paths, and CTF-style analysis.
Overview
Vuln Research is an agent skill most often used in Ship (also Build integrations, Operate errors) that delivers a four-level security meta-thinking framework and scenario-specific modules for systematic vulnerability dis
Install
npx skills add https://github.com/tanweai/xianzhi-research --skill vuln-research
What is this skill?
- Four-level meta-thinking pyramid from attack-surface identification through defense-aware bypass (L1–L4)
- Universal decision loop: input → context → hypothesis → payload → response → iterate
- Cross-domain formulas for web audit (Source–Sink), binary exploitation, and domain-trust attacks
- Scenario routing for injection, deserialization, binary, lateral movement, WAF/EDR evasion, and fuzzing
- Framework distilled from 5600+ community security writeups as reusable mental models
- Methodology distilled from 5600+ security community documents
- Four-level (L1–L4) security thinking pyramid
- Cross-domain core formulas table for general, code audit, binary, and domain attacks
Adoption & trust: 1 install on skills.sh; 170 GitHub stars; 2/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You face a new target or codebase without a repeatable way to move from vague hunches to validated attack paths across web, binary, and enterprise contexts.
Who is it for?
Builders and researchers with legal scope who need structured methodology for audits, pentests, red team planning, or CTF-style challenges.
Skip if: Unauthorized testing, checkbox compliance-only scans, or beginners who only need a single CVE PoC without methodology.
When should I use this skill?
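Vulnerability discovery, security research, penetration testing, code auditing, red team operations, CTF, reverse engineering, WAF bypass, AV evasion, privilege escalation, lateral movement, domain penetration, deserialization, binary security, fuzzing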
What do I get? / Deliverables
You follow documented attack-surface, hypothesis, and defense-reverse models to choose the right module and iterate payloads or audit paths with explicit success criteria.
- Scenario-selected methodology module and decision loop
- Documented hypotheses, attack surface notes, and iteration log
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is ship/security because the methodology centers on finding and reasoning about vulnerabilities before and after release. Content maps to appsec review, bypass patterns, and attack-chain planning rather than generic PM or marketing tasks.
Where it fits
Run Source–Sink sanitizer reasoning while auditing a new API before merge.
Apply the L1–L4 pyramid to map injection and deserialization paths ahead of release.
Use the hypothesis loop to design fuzzing and response-analysis iterations for a staging target.
Reverse from defensive signals (EDR, WAF blocks) to likely bypass corners during incident analysis.
How it compares
Use a research methodology skill instead of ad-hoc “give me exploits” chat without attack-surface or sanitizer reasoning.
Common Questions / FAQ
Who is vuln-research for?
Security-minded solo developers, auditors, and red-team learners who want agent-guided frameworks for lawful vulnerability research and code review.
When should I use vuln-research?
During ship security reviews, build-time code audit, operate incident forensics, CTF practice, or whenever triggers like vulnerability discovery (漏洞挖掘), WAF bypass, or Source-Sink analysis apply.
Is vuln-research safe to install?
The skill is instructional text; confirm authorization for any live testing and review the Security Audits panel on this page before installing third-party skills.
SKILL.md
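# Security Research Meta-Thinking Methodology

A core thinking framework for vulnerability discovery, distilled from 5600+ security documents in the Xianzhi community.

## Core Meta-Thinking Model

```
Security research thinking pyramid

L4: Defense reverse-inference      ← infer bypass points from patches, filter rules, security mechanisms
L3: Boundary exploration           ← look for corner cases on a known attack surface
L2: Hypothesis validation          ← build a reasoning chain and verify hypotheses step by step
L1: Attack surface identification  ← find interfaces where data and instructions are not separated
```

### Universal Decision Loop

```
Identify input points → Analyze context → Build hypothesis → Construct payload → Analyze response → Iterate and refine
        ↑                                                                                                    │
        └────────────────────────────────────────────────────────────────────────────────────────────────────┘
```

### Cross-Domain Core Formulas

| Domain | Core formula | Key insight |
|------|----------|----------|
| **General** | Vulnerability = loss of boundary control + state inconsistency + violated trust assumption | The essence of all vulnerabilities |
| **Code audit** | Vulnerability = Source can reach Sink && no effective Sanitizer | Taint propagation analysis |
| **Binary** | Exploitation = information leak + primitive construction + control-flow hijacking | Combining and amplifying primitives |
| **Domain penetration** | Attack = step-by-step collapse of the trust chain | Delegation misconfiguration = whole-domain compromise |

---

## Quick Navigation

Choose the methodology module that matches the research scenario:

| Scenario | Reference document | Core thinking |
|------|----------|----------|
| Web injection vulnerabilities | [references/web-injection.md](references/web-injection.md) | Exploiting semantic differences, WAF bypass strategy tree |
| Deserialization vulnerabilities | [references/deserialization.md](references/deserialization.md) | Gadget chain construction, version boundary quick reference |
| Binary security | [references/binary-exploitation.md](references/binary-exploitation.md) | ROP lineage, House of series |
| Domain penetration / internal network | [references/domain-pentest.md](references/domain-pentest.md) | Delegation attacks, persistence matrix |
| Code audit | [references/code-audit.md](references/code-audit.md) | Source-Sink model, framework auditing |
| Reverse engineering | [references/reverse-engineering.md](references/reverse-engineering.md) | VM countermeasures, six dimensions of sandbox bypass |
| Fuzzing | [references/fuzzing.md](references/fuzzing.md) | Target selection matrix, coverage-guided |
| Privilege escalation / bypass | [references/privilege-bypass.md](references/privilege-bypass.md) | Layers of AV-evasion techniques, EDR evasion |
| Red team / CTF | [references/redteam-ctf.md](references/redteam-ctf.md) | Full attack chain, cloud security |
| Case index | [references/case-index.md](references/case-index.md) | Case library classified by technique/CVE |

---

## Meta-Thinking Principles

### 1. Hypothesis-Validation Loop

All security research follows: hypothesis → test → iterate and refine

### 2. Boundary-Condition Thinking

Corner cases are the common breeding ground for every vulnerability type

### 3. Defense Reverse-Inference

Working backwards from known defenses to attack paths is an efficient research strategy

### 4. Chain Thinking

A single vulnerability has limited value; only a vulnerability chain completes a full attack

### 5. Version Sensitivity

The same vulnerable point requires different exploitation methods in different versions

### 6. Semantic Differences

Differences in how components parse the same input are the core of bypasses

---

## Usage Guide

1. **Define the research target**: be clear about the vulnerability type or attack scenario to analyze
2. **Consult the matching module**: pick the appropriate methodology document from the quick navigation table
3. **Apply the meta-thinking framework**: use the L1-L4 thinking pyramid to guide the analysis
4. **Refer to the case index**: look up concrete cases for the relevant CVE or technique
5. **Iterate and refine**: adjust the strategy to the actual situation

---

## Core Insights Quick Reference

### Web Security

- Essence of the vulnerability = failure of data/instruction separation
- JNDI version boundary: after JDK 8u191 a different exploitation path is needed
- WAF bypass = exploiting semantic differences

### Deserialization

- "Anything can be a gadget": any Serializable class may become a link in a chain
- Secondary deserialization is the key to protocol downgrade (SignedObject)
- Blacklists always miss something; proxy wrapping is the general approach to bypasses on newer versions

### Binary Security

- Essence of an exploit chain: combining and amplifying primitives
- The glibc version determines which techniques are available (2.27 tcache, 2.32 safe-linking)
- Evolution of IO exploitation: after the vtable check, _wide_data became the breakthrough point

### Domain Penetration

- SPN queries are better than port scanning (more precise and stealthier)
- Delegation misconfiguration can lead to compromise of the whole domain
- The stealthiest attacks often use legitimate domain features rather than vulnerabilities

### Reverse Engineering

- Reverse engineering = a process of reducing information entropy
- Three paths against VM protection: opcode recovery, z3 constraints, instrumentation-based brute force
- Triton + Z3 + AI is the modern paradigm for OLLVM deobfuscation

### Red Team Operations

- Full chain: perimeter breach → privilege escalation → tunneling → lateral movement → domain controller → persistence
- "Internal network password reuse" is the key to experience-driven lateral movement
- New cloud-native attack surface: K8S hostPath + tolerations

# Case Index

A library of security research cases classified by technique type and CVE, distilled from 5600+ documents in the Xianzhi community.

---

## By Vulnerability Type

### Web Injection

| Case ID | Title | Core technical points |
|--------|------|------------|
| 10041 | In-depth analysis of Java SQL injection | JDBC, MyBatis, precompilation bypass |
| 10042 | SQL injection: summary of MySQL injection techniques and bypasses | Comprehensive collection of bypass techniques |
| 10538 | A few things about SSTI injection | Jinja2, Thymeleaf template injection |
| 10433 | In-depth exploitation of LDAP injection | LDAP query syntax, bypasses |
| 10122 | Analysis of JNDI injection | JNDI, RMI, LDAP protocols |
| 10119 | A brief analysis of JNDI injection on newer JDK versions | JDK version bypass |

### Deserialization

| Case ID | Title | Core technical points |
|--------|------|------------|
| 10011 | A brief analysis of Weblogic T3 deserialization | T3 protocol, CC chain |
| 10017 | Adapting ysoserial-CommonsBeanutils into a dependency-free chain for Shiro | CB chain, Shiro |
| 10088 | The latest Laravel deserialization vulnerability | PHP deserialization |
| 10144 | Using Shiro deserialization to inject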