滲透測試報告

Vibe Prompt

「幫我建立一個自動化滲透測試工具,對指定 API 進行完整測試並產出 HTML 報告。」

import requests, json, time
from datetime import datetime

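class PentestReport:
    """Run three lightweight checks against an HTTP API and collect the results.

    Checks: error-based SQL injection on a query parameter (test_sqli), IDOR
    on a per-user resource (test_idor), and absence of rate limiting
    (test_rate_limit). Findings accumulate in ``self.findings`` as dicts (see
    add_finding); generate_report() prints them and to_html() renders them
    with every field escaped.

    Only point this at systems you have written authorization to test:
    test_rate_limit() alone sends 100 requests, and the SQLi payloads are
    executed against the target's database.
    """

    # Seconds to wait per request; without a timeout one hung target stalls the run.
    REQUEST_TIMEOUT = 5
    # Substrings in a response body that suggest a leaked database error message.
    SQL_ERROR_MARKERS = ("sql", "syntax", "mysql")
    # Status codes that show the target actively throttled a request burst.
    THROTTLE_STATUSES = (429, 503)

    def __init__(self, target_url):
        """Record the base URL and the start time.

        ``target_url`` is concatenated as-is with endpoints that start with
        "/", so pass it without a trailing slash (e.g. "https://host").
        """
        self.target = target_url
        self.findings = []
        self.start_time = datetime.now()

    def add_finding(self, severity, title, description, payload, fix):
        """Append one finding. Fields are stored verbatim; escaping happens at render time."""
        self.findings.append({
            "severity": severity,
            "title": title,
            "description": description,
            "payload": payload,
            "fix": fix,
        })

    def _get(self, url, **kwargs):
        """GET ``url`` with the shared timeout; return None after logging on a transport error.

        Replaces the original bare ``except: pass``, which also hid
        KeyboardInterrupt and any typo inside the try body.
        """
        kwargs.setdefault("timeout", self.REQUEST_TIMEOUT)
        try:
            return requests.get(url, **kwargs)
        except requests.RequestException as exc:
            print(f"[!] request to {url} failed: {exc}")
            return None

    def test_sqli(self, endpoint):
        """Error-based SQL injection probe on ``endpoint?id=<payload>``.

        A payload is a hit when the response contains a database-error marker
        that the baseline response (``id=1``) does not. The baseline comparison
        avoids flagging pages that legitimately mention "sql" or "mysql"; the
        original check had no baseline and fired on any such word. Blind and
        time-based injection are not detected here.
        """
        url = f"{self.target}{endpoint}"
        baseline = self._get(url, params={"id": "1"})
        baseline_body = baseline.text.lower() if baseline is not None else ""
        baseline_markers = {m for m in self.SQL_ERROR_MARKERS if m in baseline_body}

        payloads = ["'", "\"", "' OR '1'='1", "' UNION SELECT NULL--"]
        for payload in payloads:
            # params= lets requests percent-encode quotes and spaces, so the
            # payload arrives intact instead of being interpolated raw into the URL.
            resp = self._get(url, params={"id": payload})
            if resp is None:
                continue
            body = resp.text.lower()
            if any(m in body for m in self.SQL_ERROR_MARKERS if m not in baseline_markers):
                self.add_finding("高", "SQL Injection",
                    f"端點 {endpoint} 存在 SQL Injection", payload,
                    "使用參數化查詢")
                break

    def test_idor(self, endpoint, auth_token):
        """Check whether ``auth_token`` can read ``endpoint/<other uid>``.

        The probe ids 2, 100 and 999 are assumed not to belong to the token's
        owner — presumably the token is for user 1, confirm with the caller.
        (The original ``uid != 1`` guard was dead code: 1 was never probed.)
        A 200 with a non-empty body is reported; a bare 200 is too weak a
        signal because some APIs answer every path with 200 plus an error
        body. This does not distinguish IDOR from a resource that is simply
        public: re-request the same URL without the Authorization header
        before relying on the finding.
        """
        headers = {"Authorization": f"Bearer {auth_token}"}
        for uid in (2, 100, 999):
            resp = self._get(f"{self.target}{endpoint}/{uid}", headers=headers)
            if resp is None:
                continue
            if resp.status_code == 200 and resp.text.strip():
                self.add_finding("高", "IDOR 漏洞",
                    f"可存取其他用戶資源: {endpoint}/{uid}", uid,
                    "加入權限檢查")
                break

    def test_rate_limit(self, endpoint):
        """Burst 100 GETs at ``endpoint`` and report if none was throttled.

        The original verdict was wall-clock only (100 requests in under 10 s),
        which measures target latency rather than throttling: a fast server
        answering every request with 429 was still reported as unlimited. A
        finding now requires that no response was 429/503 *and* the burst
        finished within 10 s. A 405 on the first request means the GET never
        reached the handler (run() uses this against /api/login, which is
        commonly POST-only), so the check is reported as inconclusive. A
        transport error mid-burst also ends the check without a finding,
        since a dropped connection may itself be the limiter.
        """
        url = f"{self.target}{endpoint}"
        started = time.time()
        for i in range(100):
            resp = self._get(url)
            if resp is None:
                print(f"[!] rate-limit check on {endpoint} inconclusive: request {i + 1} failed")
                return
            if i == 0 and resp.status_code == 405:
                print(f"[!] rate-limit check on {endpoint} inconclusive: GET not allowed (405)")
                return
            if resp.status_code in self.THROTTLE_STATUSES:
                # The target throttled us: a limiter exists, nothing to report.
                return
        elapsed = time.time() - started
        if elapsed < 10:
            self.add_finding("中", "缺少 Rate Limiting",
                f"100 次請求僅耗時 {elapsed:.1f}s", "",
                "加入 Rate Limiter")

    def run(self, auth_token="test_token"):
        """Run every check against the fixed endpoints, then print the report.

        ``auth_token`` defaults to the original placeholder; pass a real bearer
        token for a user who must *not* be able to read ids 2/100/999, or the
        IDOR check proves nothing.
        """
        print(f"\n=== 滲透測試開始: {self.target} ===\n")
        self.test_sqli("/api/search")
        self.test_idor("/api/users", auth_token)
        self.test_rate_limit("/api/login")
        self.generate_report()

    def generate_report(self):
        """Print a plain-text summary of all findings to stdout.

        Despite the page title this is not HTML output; use to_html() for that.
        """
        elapsed = (datetime.now() - self.start_time).seconds
        print(f"\n{'='*60}")
        print(f"滲透測試報告")
        print(f"目標: {self.target}")
        print(f"耗時: {elapsed} 秒")
        print(f"漏洞總數: {len(self.findings)}")
        print(f"{'='*60}\n")

        for f in self.findings:
            # Only "高" gets the red marker; every other severity (here "中") is yellow.
            severity_color = "🔴" if f["severity"] == "高" else "🟡"
            print(f"{severity_color} [{f['severity']}] {f['title']}")
            print(f"  說明: {f['description']}")
            print(f"  修復: {f['fix']}")
            print()

    def to_html(self):
        """Render the findings as a minimal standalone HTML document and return it.

        Every field goes through html.escape(): payloads are attacker-shaped
        strings (quotes, ``<script>``, SQL fragments) and would otherwise be
        reflected verbatim into the report, turning the report itself into an
        XSS vector for whoever opens it.
        """
        import html

        columns = ("severity", "title", "description", "payload", "fix")
        rows = "".join(
            "<tr>" + "".join(f"<td>{html.escape(str(f[c]))}</td>" for c in columns) + "</tr>"
            for f in self.findings
        )
        return (
            "<!DOCTYPE html><html><head><meta charset=\"utf-8\">"
            "<title>Pentest report</title></head><body>"
            f"<h1>Pentest report: {html.escape(str(self.target))}</h1>"
            f"<p>Findings: {len(self.findings)}</p>"
            "<table><thead><tr>"
            + "".join(f"<th>{c}</th>" for c in columns)
            + f"</tr></thead><tbody>{rows}</tbody></table></body></html>"
        )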

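# 執行測試 — only when run as a script, never as a side effect of importing this module.
if __name__ == "__main__":
    import sys

    # The target must be given explicitly. The original hard-coded
    # "https://test-target.com", a domain nobody has authorized for scanning;
    # only point this tool at systems you have written permission to test.
    if len(sys.argv) != 2:
        sys.exit("usage: python pentest_report.py https://target-you-are-authorized-to-test")
    report = PentestReport(sys.argv[1])
    report.run()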

課程總結

API Security 完成!

  • ✅ API 攻擊面分析
  • ✅ JWT 漏洞測試
  • ✅ IDOR 測試
  • ✅ Rate Limiting 測試
  • ✅ 完整滲透測試報告
