vuln-research
- Repo stars 170
- Author updated Live
- Author repo xianzhi-research
- Domain
- Security
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @tanweai · no license declared
- Token usage
- Lean
- Setup complexity
- Plug-and-play
- External API key
- Not required
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: vuln-research
description: | 从先知社区5600+篇安全文档中提炼的漏洞挖掘核心思维框架。 ┌──────────────────────────────────────────────────────────────…
category: security
runtime: no special runtime
---
# vuln-research output preview
## PART A: Task fit
- Use case: | 从先知社区5600+篇安全文档中提炼的漏洞挖掘核心思维框架。 ┌─────────────────────────────────────────────────────────────────────────┐ │ 安全研究思维金字塔 │ ├─────────────────────────────────────────────────────────────────────────┤ │ L4: 防御反推 ← 从补丁/过滤规则/安全机制反推绕过点 │ runs entirely locally. Works with Claude Code, Cursor, Cline and 23 more..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “核心元思考模型 / 通用决策循环 / 跨领域核心公式” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “| 从先知社区5600+篇安全文档中提炼的漏洞挖掘核心思维框架。 ┌─────────────────────────────────────────────────────────────────────────┐ │ 安全研究思维金字塔 │ ├─────────────────────────────────────────────────────────────────────────┤ │ L4: 防御反推 ← 从补丁/过滤规则/安全机制反推绕过点 │ runs entirely locally. Works with Claude Code, Cursor, Cline and 23 more.”.
- **02** When the source has headings, the agent prioritizes “核心元思考模型 / 通用决策循环 / 跨领域核心公式” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files.
Start with a small task and check whether the result follows “核心元思考模型 / 通用决策循环 / 跨领域核心公式”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: vuln-research
description: | 从先知社区5600+篇安全文档中提炼的漏洞挖掘核心思维框架。 ┌──────────────────────────────────────────────────────────────…
category: security
source: tanweai/xianzhi-research
---
# vuln-research
## When to use
- | 从先知社区5600+篇安全文档中提炼的漏洞挖掘核心思维框架。 ┌─────────────────────────────────────────────────────────────────────────┐ │ 安全研究思维金…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “核心元思考模型 / 通用决策循环 / 跨领域核心公式” and keep inference separate from source facts.
- read files, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "vuln-research" {
input -> user goal + target files + boundaries + acceptance criteria
context -> 核心元思考模型 / 通用决策循环 / 跨领域核心公式
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} 安全研究元思考方法论
从先知社区5600+篇安全文档中提炼的漏洞挖掘核心思维框架。
核心元思考模型
┌─────────────────────────────────────────────────────────────────────────┐
│ 安全研究思维金字塔 │
├─────────────────────────────────────────────────────────────────────────┤
│ L4: 防御反推 ← 从补丁/过滤规则/安全机制反推绕过点 │
│ L3: 边界探索 ← 在已知攻击面上寻找corner case │
│ L2: 假设验证 ← 构建推理链条,逐步验证假设 │
│ L1: 攻击面识别 ← 寻找数据与指令不分离的接口 │
└─────────────────────────────────────────────────────────────────────────┘
通用决策循环
输入点识别 → 上下文分析 → 假设构建 → payload构造 → 响应分析 → 迭代优化
↑ │
└──────────────────────────────────────────────────────────────┘
跨领域核心公式
| 领域 | 核心公式 | 关键洞察 |
|---|---|---|
| 通用 | 漏洞 = 边界失控 + 状态不一致 + 信任假设违背 | 所有漏洞的本质 |
| 代码审计 | 漏洞 = Source可达Sink && 无有效Sanitizer | 污点传播分析 |
| 二进制 | 利用 = 信息泄露 + 原语构造 + 控制流劫持 | 原语组合与放大 |
| 域渗透 | 攻击 = 信任链逐级瓦解 | 委派错误=整域沦陷 |
快速导航
根据研究场景选择对应的方法论模块:
| 场景 | 参考文档 | 核心思维 |
|---|---|---|
| Web注入漏洞 | references/web-injection.md | 语义差异利用、WAF绕过策略树 |
| 反序列化漏洞 | references/deserialization.md | Gadget链构造、版本边界速查 |
| 二进制安全 | references/binary-exploitation.md | ROP谱系、House of系列 |
| 域渗透/内网 | references/domain-pentest.md | 委派攻击、持久化矩阵 |
| 代码审计 | references/code-audit.md | Source-Sink模型、框架审计 |
| 逆向分析 | references/reverse-engineering.md | VM对抗、沙箱绕过六维度 |
| Fuzzing | references/fuzzing.md | 目标选择矩阵、覆盖率驱动 |
| 提权/绕过 | references/privilege-bypass.md | 免杀技术层次、EDR规避 |
| 红队/CTF | references/redteam-ctf.md | 完整攻击链、云安全 |
| 案例索引 | references/case-index.md | 按技术/CVE分类的案例库 |
元思考原则
1. 假设-验证循环
所有安全研究都遵循:假设 → 测试 → 迭代优化
2. 边界条件思维
Corner case 是所有漏洞类型的共同温床
3. 防御反推
从已知防御措施反推攻击路径是高效的研究策略
4. 链式思维
单个漏洞价值有限,漏洞链才能完成完整攻击
5. 版本敏感
同一漏洞点在不同版本需要不同利用方法
6. 语义差异
不同组件对同一输入的解析差异是绕过的核心
使用指南
- 确定研究目标:明确要分析的漏洞类型或攻击场景
- 查阅对应模块:根据快速导航表选择合适的方法论文档
- 应用元思考框架:使用L1-L4思维金字塔指导分析过程
- 参考案例索引:查找相关CVE或技术的具体案例
- 迭代优化:根据实际情况调整策略
核心洞察速查
Web安全
- 漏洞本质 = 数据指令分离失效
- JNDI版本边界:JDK 8u191 后需不同利用路径
- WAF绕过 = 语义差异利用
反序列化
- "万物皆可Gadget":任何Serializable类都可能成为链的一环
- 二次反序列化是协议降级的关键(SignedObject)
- 黑名单必有遗漏,代理封装是高版本绕过通用思路
二进制安全
- 利用链本质:原语的组合与放大
- glibc版本决定可用技术(2.27 tcache、2.32 safe-linking)
- IO利用演进:vtable检查后,_wide_data成为突破口
域渗透
- SPN查询优于端口扫描(更精准更隐蔽)
- 委派配置错误可能导致整域沦陷
- 最隐蔽的攻击往往利用合法的域功能而非漏洞
逆向分析
- 逆向 = 信息熵降低过程
- VM保护三路径:opcode还原、z3约束、插桩爆破
- Triton + Z3 + AI 是 OLLVM 反混淆现代范式
红队攻防
- 完整链:边界突破→提权→穿透→横向→域控→维持
- "内网密码复用"是经验驱动的横向移动关键
- 云原生新攻击面:K8S hostPath + tolerations
Decide Fit First
Design Intent
How To Use It
Boundaries And Review