SecLists 字典分类详解¶

目录¶

简介
目录结构总览
Discovery - 信息发现
Fuzzing - 模糊测试
Passwords - 密码字典
Usernames - 用户名字典
Payloads - 攻击载荷
Web-Shells - Web后门
Miscellaneous - 杂项
AI - 人工智能测试
常用字典推荐
使用示例

简介¶

SecLists 是安全测试人员的字典集合，由 Daniel Miessler 创建和维护，包含各种类型的字典文件，用于：

🔍 信息发现（子域名、目录、文件）
🎯 模糊测试（XSS、SQL注入、LFI等）
🔑 密码破解
👤 用户名枚举
💣 攻击载荷测试

安装位置: /Volumes/D/ctf/wordlists/SecLists

目录结构总览¶

SecLists/
├── Ai/                      # AI/LLM 测试
├── Discovery/               # 信息发现
│   ├── DNS/                # 子域名枚举
│   ├── Web-Content/        # Web内容发现
│   ├── File-System/        # 文件系统路径
│   ├── Infrastructure/     # 基础设施
│   ├── SNMP/              # SNMP OID
│   └── Variables/         # 变量名
├── Fuzzing/                # 模糊测试
│   ├── XSS/               # XSS Payload
│   ├── SQLi/              # SQL注入
│   ├── LFI/               # 本地文件包含
│   ├── Databases/         # 数据库相关
│   └── ...
├── Passwords/              # 密码字典
│   ├── Common-Credentials/ # 通用凭证
│   ├── Default-Credentials/# 默认凭证
│   ├── Leaked-Databases/  # 泄露数据库
│   └── ...
├── Usernames/              # 用户名字典
├── Payloads/               # 攻击载荷
├── Web-Shells/             # Web后门
├── Miscellaneous/          # 杂项
└── Pattern-Matching/       # 模式匹配

Discovery - 信息发现¶

📂 Discovery/DNS - 子域名枚举¶

文件名	大小	用途	推荐场景
`subdomains-top1million-5000.txt`	5K	最常见5000个子域名	⭐⭐⭐⭐⭐ 快速扫描
`subdomains-top1million-20000.txt`	20K	常见20000个子域名	⭐⭐⭐⭐ 中等扫描
`subdomains-top1million-110000.txt`	110K	大型字典	⭐⭐⭐ 深度扫描
`dns-Jhaddix.txt`	~2M	Jhaddix整理的综合字典	⭐⭐⭐⭐⭐ Bug Bounty
`combined_subdomains.txt`	~487K	合并多个来源	⭐⭐⭐⭐ 全面扫描
`deepmagic.com-prefixes-top500.txt`	500	常见前缀	⭐⭐⭐ 快速测试
`deepmagic.com-prefixes-top50000.txt`	50K	大型前缀字典	⭐⭐⭐ 深度测试
`bitquark-subdomains-top100000.txt`	100K	Bitquark收集	⭐⭐⭐⭐ 全面扫描
`fierce-hostlist.txt`	~2K	Fierce工具字典	⭐⭐⭐ 传统扫描
`bug-bounty-program-subdomains-trickest-inventory.txt`	~8K	Bug Bounty子域名	⭐⭐⭐⭐⭐ Bug Bounty

使用示例:

# DNSRecon
dnsrecon -d target.com -t brt -D /Volumes/D/ctf/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Amass
amass enum -brute -d target.com -w /Volumes/D/ctf/wordlists/SecLists/Discovery/DNS/dns-Jhaddix.txt

# ffuf
ffuf -u https://FUZZ.target.com -w /Volumes/D/ctf/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt

📂 Discovery/Web-Content - Web内容发现¶

文件名	条目数	用途	推荐场景
`common.txt`	4,613	常见目录/文件	⭐⭐⭐⭐⭐ 快速扫描
`big.txt`	20,469	大型目录字典	⭐⭐⭐⭐ 标准扫描
`raft-large-directories.txt`	62,284	大型目录	⭐⭐⭐⭐ 深度扫描
`raft-large-files.txt`	37,050	大型文件	⭐⭐⭐⭐ 文件发现
`directory-list-2.3-medium.txt`	220,560	DirBuster中等字典	⭐⭐⭐⭐⭐ 标准扫描
`directory-list-2.3-big.txt`	1,273,833	DirBuster大字典	⭐⭐⭐ 完整扫描
`directory-list-lowercase-2.3-medium.txt`	207,629	小写版本	⭐⭐⭐⭐ Linux系统
`RobotsDisallowed-Top1000.txt`	1,000	robots.txt常见禁止项	⭐⭐⭐⭐ 敏感路径
`api/api-endpoints.txt`	~200	API端点	⭐⭐⭐⭐⭐ API测试
`Apache.fuzz.txt`	8,724	Apache特定路径	⭐⭐⭐ Apache服务器
`nginx.txt`	457	Nginx特定路径	⭐⭐⭐ Nginx服务器
`spring-boot.txt`	372	Spring Boot路径	⭐⭐⭐⭐ Java应用
`graphql.txt`	~30	GraphQL端点	⭐⭐⭐⭐ GraphQL API
`swagger.txt`	~20	Swagger文档路径	⭐⭐⭐⭐ API文档

使用示例:

# Gobuster
gobuster dir -u https://target.com -w /Volumes/D/ctf/wordlists/SecLists/Discovery/Web-Content/common.txt

# ffuf
ffuf -u https://target.com/FUZZ -w /Volumes/D/ctf/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt

# dirb
dirb https://target.com /Volumes/D/ctf/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

📂 Discovery/Infrastructure¶

文件名	用途
`common-ports.txt`	常见端口列表
`cloud-metadata.txt`	云元数据端点
`IP-Ranges-AWS.txt`	AWS IP范围
`IP-Ranges-Azure.txt`	Azure IP范围

📂 Discovery/Variables¶

文件名	用途
`generic-variables.txt`	通用变量名
`secret-keywords.txt`	敏感关键词

Fuzzing - 模糊测试¶

📂 Fuzzing/XSS¶

文件名	条目数	用途	场景
`XSS-Bypass-Strings-BruteLogic.txt`	~134	XSS绕过字符串	⭐⭐⭐⭐⭐ WAF绕过
`XSS-Cheat-Sheet-PortSwigger.txt`	~200	PortSwigger XSS备忘单	⭐⭐⭐⭐⭐ 全面测试
`XSS-RSNAKE.txt`	681	RSnake XSS向量	⭐⭐⭐⭐ 经典测试
`XSS-BruteLogic.txt`	528	BruteLogic收集	⭐⭐⭐⭐ 实战测试
`XSS-Somdev.txt`	1,114	Somdev收集	⭐⭐⭐⭐ 综合测试

📂 Fuzzing/Databases/SQLi¶

文件名	用途	数据库类型
`Generic-SQLi.txt`	通用SQL注入	全部
`MySQL.fuzzdb.txt`	MySQL注入	MySQL
`MSSQL.fuzzdb.txt`	MSSQL注入	MS SQL Server
`Oracle.fuzzdb.txt`	Oracle注入	Oracle
`Generic-BlindSQLi.fuzzdb.txt`	盲注测试	全部
`sqli.auth.bypass.txt`	认证绕过	全部
`SQLi-Polyglots.txt`	SQL注入多语言payload	全部
`quick-SQLi.txt`	快速测试	全部
`NoSQL.txt`	NoSQL注入	MongoDB等
`time-based-sqlinjection.txt`	时间盲注	全部

使用示例:

# SQL注入测试
ffuf -u "https://target.com/search?q=FUZZ" \
  -w /Volumes/D/ctf/wordlists/SecLists/Fuzzing/Databases/SQLi/Generic-SQLi.txt \
  -mr "error|sql|syntax"

# XSS测试
ffuf -u "https://target.com/comment?text=FUZZ" \
  -w /Volumes/D/ctf/wordlists/SecLists/Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt \
  -mr "<script>|onerror"

📂 Fuzzing/LFI¶

文件名	用途
`LFI-gracefulsecurity-linux.txt`	Linux LFI路径
`LFI-gracefulsecurity-windows.txt`	Windows LFI路径
`LFI-Jhaddix.txt`	Jhaddix LFI收集
`LFI-InterestingFiles-linux.txt`	Linux敏感文件
`LFI-InterestingFiles-windows.txt`	Windows敏感文件

📂 Fuzzing/通用¶

文件名	用途
`special-chars.txt`	特殊字符
`file-extensions.txt`	文件扩展名
`http-request-methods.txt`	HTTP方法
`User-Agents/`	User-Agent字符串
`big-list-of-naughty-strings.txt`	恶意字符串合集

Passwords - 密码字典¶

📂 Passwords/Common-Credentials¶

文件名	条目数	用途	推荐场景
`10k-most-common.txt`	10,000	最常见10K密码	⭐⭐⭐⭐⭐ 快速测试
`100k-most-used-passwords-NCSC.txt`	100,000	NCSC统计	⭐⭐⭐⭐ 标准测试
`500-worst-passwords.txt`	500	最弱密码	⭐⭐⭐⭐⭐ 快速检查
`10-million-password-list-top-1000000.txt`	1,000,000	百万级密码	⭐⭐⭐ 深度爆破
`2023-200_most_used_passwords.txt`	200	2023年最常用	⭐⭐⭐⭐⭐ 最新数据

📂 Passwords/Default-Credentials¶

文件名	用途
`default-passwords.csv`	默认密码大全
`ssh-betterdefaultpasslist.txt`	SSH默认密码
`telnet-betterdefaultpasslist.txt`	Telnet默认密码
`ftp-betterdefaultpasslist.txt`	FTP默认密码
`postgres-betterdefaultpasslist.txt`	PostgreSQL默认密码
`mysql-betterdefaultpasslist.txt`	MySQL默认密码
`mssql-betterdefaultpasslist.txt`	MSSQL默认密码
`tomcat-betterdefaultpasslist.txt`	Tomcat默认凭证

📂 Passwords/Leaked-Databases¶

文件名	来源	用途
`rockyou.txt`	RockYou泄露	最著名的密码字典
`Ashley-Madison.txt`	Ashley Madison	真实泄露数据
`alleged-gmail-passwords.txt`	Gmail泄露	Gmail密码

📂 Passwords/其他¶

目录	用途
`Keyboard-Walks/`	键盘走位模式
`Software/`	软件默认密码
`WiFi-WPA/`	WiFi密码字典
`Permutations/`	密码变体
`Books/`	书籍密码（如哈利波特）

使用示例:

# Hydra密码爆破
hydra -l admin -P /Volumes/D/ctf/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt ssh://target.com

# 默认凭证测试
hydra -C /Volumes/D/ctf/wordlists/SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt ssh://target.com

Usernames - 用户名字典¶

文件名	条目数	用途	场景
`top-usernames-shortlist.txt`	17	最常见用户名	⭐⭐⭐⭐⭐ 快速测试
`xato-net-10-million-usernames.txt`	8,295,455	大型用户名库	⭐⭐⭐ 深度枚举
`Names/names.txt`	10,177	常见姓名	⭐⭐⭐⭐ 用户枚举
`cirt-default-usernames.txt`	828	默认用户名	⭐⭐⭐⭐ 默认账户
`CommonAdminBase64.txt`	60	Base64编码管理员	⭐⭐⭐ 特殊场景

使用示例:

# 用户名枚举
ffuf -u "https://target.com/login" \
  -X POST \
  -d "username=FUZZ&password=test" \
  -w /Volumes/D/ctf/wordlists/SecLists/Usernames/top-usernames-shortlist.txt \
  -fs 2500

Payloads - 攻击载荷¶

📂 Payloads/File-Names¶

文件名	用途
`file-extensions.txt`	危险扩展名
`sensitive-filenames.txt`	敏感文件名

📂 Payloads/其他¶

目录	用途
`Anti-Virus/`	反病毒测试文件
`Images/`	恶意图片样本
`Zip-Bombs/`	Zip炸弹
`Flash/`	Flash漏洞利用

Web-Shells - Web后门¶

目录	语言	用途
`PHP/`	PHP	PHP后门
`JSP/`	JSP	Java后门
`ASP/`	ASP	ASP后门
`CFM/`	ColdFusion	CF后门
`WordPress/`	PHP	WordPress后门

Miscellaneous - 杂项¶

目录	内容
`Web/`	各种Web相关字典
`Words/`	英文单词列表
`Security-Question-Answers/`	安全问题答案
`Danish-Wordlists-n0kovo/`	丹麦语字典

AI - 人工智能测试¶

📂 Ai/LLM_Testing¶

文件名	用途
`LLM-Injection/`	LLM注入测试
`prompt-injection.txt`	提示词注入
`jailbreak-prompts.txt`	越狱提示词

常用字典推荐¶

🌟 必备字典（Top 10）¶

序号	字典路径	用途	优先级
1	`Discovery/DNS/subdomains-top1million-5000.txt`	子域名快速扫描	⭐⭐⭐⭐⭐
2	`Discovery/Web-Content/common.txt`	目录文件快速发现	⭐⭐⭐⭐⭐
3	`Discovery/Web-Content/directory-list-2.3-medium.txt`	标准目录扫描	⭐⭐⭐⭐⭐
4	`Passwords/Common-Credentials/10k-most-common.txt`	密码爆破	⭐⭐⭐⭐⭐
5	`Usernames/top-usernames-shortlist.txt`	用户名测试	⭐⭐⭐⭐⭐
6	`Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt`	XSS测试	⭐⭐⭐⭐⭐
7	`Fuzzing/Databases/SQLi/Generic-SQLi.txt`	SQL注入	⭐⭐⭐⭐⭐
8	`Discovery/DNS/dns-Jhaddix.txt`	综合子域名	⭐⭐⭐⭐⭐
9	`Passwords/Default-Credentials/default-passwords.csv`	默认凭证	⭐⭐⭐⭐⭐
10	`Discovery/Web-Content/api/api-endpoints.txt`	API端点	⭐⭐⭐⭐⭐

📊 按场景分类¶

Bug Bounty必备¶

# 子域名枚举
Discovery/DNS/dns-Jhaddix.txt
Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt

# Web内容发现
Discovery/Web-Content/raft-large-directories.txt
Discovery/Web-Content/api/api-endpoints.txt

# 模糊测试
Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt
Fuzzing/Databases/SQLi/Generic-SQLi.txt

CTF比赛必备¶

# 快速扫描
Discovery/Web-Content/common.txt
Discovery/DNS/subdomains-top1million-5000.txt

# 常见漏洞
Fuzzing/LFI/LFI-Jhaddix.txt
Fuzzing/Databases/SQLi/quick-SQLi.txt

渗透测试必备¶

# 信息收集
Discovery/Web-Content/directory-list-2.3-medium.txt
Discovery/DNS/subdomains-top1million-20000.txt

# 凭证爆破
Passwords/Common-Credentials/10k-most-common.txt
Passwords/Default-Credentials/default-passwords.csv
Usernames/xato-net-10-million-usernames.txt

使用示例¶

场景1：Web应用快速扫描¶

#!/bin/bash
TARGET="https://target.com"
SECLISTS="/Volumes/D/ctf/wordlists/SecLists"

# 1. 目录扫描
gobuster dir -u $TARGET \
  -w $SECLISTS/Discovery/Web-Content/common.txt \
  -x php,html,txt \
  -o dirs.txt

# 2. API端点发现
ffuf -u $TARGET/FUZZ \
  -w $SECLISTS/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,401,403

# 3. 备份文件查找
ffuf -u $TARGET/FUZZ.FUZ2Z \
  -w $SECLISTS/Discovery/Web-Content/raft-large-files.txt:FUZZ \
  -w $SECLISTS/Discovery/Web-Content/web-extensions.txt:FUZ2Z

场景2：子域名完整枚举¶

#!/bin/bash
DOMAIN="target.com"
SECLISTS="/Volumes/D/ctf/wordlists/SecLists"

# 1. 快速扫描
amass enum -passive -d $DOMAIN -o passive.txt

# 2. 暴力破解（小字典）
amass enum -brute -d $DOMAIN \
  -w $SECLISTS/Discovery/DNS/subdomains-top1million-5000.txt \
  -o brute_small.txt

# 3. 深度扫描（大字典）
amass enum -brute -d $DOMAIN \
  -w $SECLISTS/Discovery/DNS/dns-Jhaddix.txt \
  -o brute_large.txt

# 4. 合并去重
cat passive.txt brute_small.txt brute_large.txt | sort -u > all_subs.txt

场景3：登录爆破¶

#!/bin/bash
TARGET="https://target.com/login"
SECLISTS="/Volumes/D/ctf/wordlists/SecLists"

# 1. 用户名枚举
ffuf -u $TARGET \
  -X POST \
  -d "username=FUZZ&password=test123" \
  -w $SECLISTS/Usernames/top-usernames-shortlist.txt \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -fs 2500

# 2. 默认凭证测试
hydra -C $SECLISTS/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt \
  target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

# 3. 常见密码爆破
hydra -l admin \
  -P $SECLISTS/Passwords/Common-Credentials/10k-most-common.txt \
  target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

场景4：漏洞模糊测试¶

#!/bin/bash
TARGET="https://target.com"
SECLISTS="/Volumes/D/ctf/wordlists/SecLists"

# 1. XSS测试
ffuf -u "$TARGET/search?q=FUZZ" \
  -w $SECLISTS/Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt \
  -mr "<script>|onerror|onload"

# 2. SQL注入测试
ffuf -u "$TARGET/product?id=FUZZ" \
  -w $SECLISTS/Fuzzing/Databases/SQLi/Generic-SQLi.txt \
  -mr "error|sql|syntax|mysql"

# 3. LFI测试
ffuf -u "$TARGET/file?path=FUZZ" \
  -w $SECLISTS/Fuzzing/LFI/LFI-Jhaddix.txt \
  -mr "root:|admin:|password"

# 4. 命令注入测试
ffuf -u "$TARGET/ping?host=FUZZ" \
  -w $SECLISTS/Fuzzing/command-injection-commix.txt \
  -mr "uid=|root|www-data"

场景5：API安全测试¶

#!/bin/bash
API_URL="https://api.target.com"
SECLISTS="/Volumes/D/ctf/wordlists/SecLists"

# 1. API端点发现
ffuf -u $API_URL/FUZZ \
  -w $SECLISTS/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,401,403,405

# 2. API版本枚举
ffuf -u $API_URL/FUZZ/users \
  -w $SECLISTS/Discovery/Web-Content/api/api-versions.txt \
  -mc 200,201

# 3. 参数模糊测试
ffuf -u "$API_URL/v1/user?FUZZ=test" \
  -w $SECLISTS/Discovery/Web-Content/burp-parameter-names.txt \
  -mc 200,400,500

快速查找命令¶

# 查找特定类型的字典
find /Volumes/D/ctf/wordlists/SecLists -name "*subdomain*"
find /Volumes/D/ctf/wordlists/SecLists -name "*password*"
find /Volumes/D/ctf/wordlists/SecLists -name "*xss*"

# 查看字典大小
wc -l /Volumes/D/ctf/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# 搜索包含特定内容的字典
grep -r "admin" /Volumes/D/ctf/wordlists/SecLists/Discovery/Web-Content/ | head

# 列出某个目录下所有字典
ls -lh /Volumes/D/ctf/wordlists/SecLists/Passwords/Common-Credentials/

字典组合技巧¶

合并多个字典¶

# 合并并去重
cat wordlist1.txt wordlist2.txt | sort -u > combined.txt

# 合并子域名字典
cat /Volumes/D/ctf/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt \
    /Volumes/D/ctf/wordlists/SecLists/Discovery/DNS/deepmagic.com-prefixes-top500.txt \
    | sort -u > my_subdomain_list.txt

创建自定义字典¶

# 提取特定长度的密码
awk 'length($0) >= 8 && length($0) <= 12' passwords.txt > 8-12char.txt

# 转换大小写
tr '[:upper:]' '[:lower:]' < wordlist.txt > lowercase.txt

# 添加前缀后缀
sed 's/^/admin-/' wordlist.txt > prefixed.txt
sed 's/$/-2024/' wordlist.txt > suffixed.txt

字典更新¶

# 更新SecLists到最新版本
cd /Volumes/D/ctf/wordlists/SecLists
git pull

# 查看更新内容
git log --oneline -10

参考资源¶

官方仓库: https://github.com/danielmiessler/SecLists
作者博客: https://danielmiessler.com
贡献指南: https://github.com/danielmiessler/SecLists/blob/master/CONTRIBUTING.md

最后更新: 2025-10-04 SecLists路径: /Volumes/D/ctf/wordlists/SecLists 版本: 持续更新中