Given a site or a website to test, what do you think you should do first?
I. Information gathering
1. Obtain the WHOIS record of the domain name: the registrant's name, email address, telephone number, etc.
2. Use Webmaster Home (站长之家), Domain (明小子), K8 and similar tools to look up sites hosted on the same server and subdomain sites; the main site is usually harder, so first check whether a side site runs a common CMS or has other vulnerabilities.
3. Enumerate the enterprise's domain names and IP addresses through DNS zone transfer, ICP filing (备案) lookup, SSL certificates, apps, WeChat official accounts, brute-force subdomain enumeration, DNS history, K8 C-segment (/24) lookup, JSFinder, 360 or Huawei threat intelligence, and certificate serial numbers.
4. Identify the server operating system version and web middleware with Nmap, Wappalyzer and Yujian (御剑) and check for known vulnerabilities, such as the IIS, Apache and Nginx parsing vulnerabilities.
5. Scan the site's directory structure with 7kbscan to see whether directories are listable or sensitive files are exposed, such as PHP probes or administrator backup files.
6. Use Google hacking to dig further for site information, admin back-ends and sensitive files.
7. Collect sensitive information, for example: source code on GitHub; source-code leaks found with 7kbscan and similar scanners (.hg, .git, CVS, SVN, .DS_Store); Google hacking; leaked interfaces; social-engineering leaks; email address collection; cloud-drive search; ZoomEye (钟馗之眼), Tianyancha (天眼查), threat intelligence, ThreatBook (微步在线) and so on.
8. Fingerprint the website (CMS, CDN, certificates, etc.) and its DNS records with Wappalyzer and Yujian.
II. Vulnerability scanning
1. Use AWVS, AppScan, Xray and other scanners to detect web vulnerabilities such as XSS, XSRF (CSRF), SQL injection, code execution, command execution, unauthorized access, directory listing, arbitrary file read and download, file inclusion, remote command execution, weak passwords, file upload, editor vulnerabilities, brute forcing, etc.
2. Scan the system IP addresses with Nmap, Tianjing (天镜), Nessus and Aurora (极光), then verify the high-risk findings, such as MS08-067, MS17-010, MS12-020, MS15-035, MS19-0708 / "EternalBlue II" (BlueKeep, CVE-2019-0708), CVE-2017-7494 (Samba), CVE-2014-6271 (Shellshock), PHP-CGI and related vulnerabilities.
III. Exploitation
Use the above methods to obtain a webshell or other access.
IV. Privilege escalation
Escalate on the server: on Windows, MySQL UDF escalation, Serv-U escalation, and Windows exploits such as IIS6, PR and Churrasco (巴西烤肉); on Linux, Dirty COW, Linux kernel-version exploits, and escalation from low-privileged MySQL or Oracle accounts.
V. Clear logs
Clear the operating system, middleware and database logs.
VI. Summary report and remediation plan
Which sites do you go to to learn, hunt bugs and submit them?
For learning, generally Seebug, FreeBuf, 52pojie (吾爱破解), the Pediy (看雪) forum, Alibaba Security (阿里聚安全), PentesterLab, the Alibaba Cloud Xianzhi community, Clover Security (四叶草), etc.
Bug reports are generally submitted to 360 Butian, CNVD, the education-sector vulnerability platform (EDUSRC), BugBank (漏洞银行), WooYun and the Vulbox (漏洞盒子) testing platform.
What is the significance of identifying a website's CMS for penetration testing?
Look for vulnerabilities that have already been disclosed online. If the CMS is open source, you can also download the corresponding source code for a code audit.
Common web server containers (middleware)
IIS, Apache, Nginx, Lighttpd, Tomcat, WebLogic, JBoss
What is the point of scanning directories when testing a mature and relatively secure CMS?
Sensitive files, secondary directories, and webmaster mistakes, for example: website backup archives, description.txt, or a secondary directory that hosts another site.
Someone gives you a target site and tells you that the /abc/ directory exists under the web root, and that editor and admin directories exist under it. What do you think?
Scan for sensitive files and directories directly under /abc/ with the 7kbscan or another directory-brute-force dictionary.
What is the value of collecting the target site registrant's email addresses during a penetration test?
Drop it into a social-engineering (breach) database to see whether it has been compromised, then try logging in to the admin back-end with the leaked password. Use the email address as a keyword in search engines. Use the associated information to find other posts and the person's popular social media accounts. Social engineering against those accounts may reveal the administrator's password habits. Generate a targeted dictionary from the information gathered. Watch which niche sites the admins visit; take those down and you get more good material.
What are the main functions of Nmap, its scanning methods, how to bypass ping scanning, and how to do vulnerability detection?
1. Four functions: host discovery (-sn), port scanning (-sS, -sU), version detection (-sV), OS detection (-O)
2. Scanning modes include TCP connect() scan, TCP SYN scan, TCP FIN scan and Null scan
3. Bypass ping: `nmap -Pn xxx.xxx.xxx.xxx`
4. Vulnerability detection: `nmap <target> --script=auth,vuln`
How many types of SQL injection are there?
1. Error-based injection 2. Boolean-based injection 3. Time-based (delayed) injection 4.
How do you identify time-based (delayed) injection?
SQL blind injection falls into three categories: Boolean-based blind injection, time-based blind injection, and error-based blind injection.
Boolean-based probe: `substr(database(),1,1))=112#`
Time-based probe: `sleep(x)#`
How do you inject an injection point with sqlmap?
`sqlmap -u "<target URL>"`
`sqlmap -r "<request file saved from Burp>"`
For an injection point in a Cookie or X-Forwarded-For header, pass that header value to sqlmap as the injection point.
SQL injection protection methods?
1. Function-based filtering, e.g. `!is_numeric($id)` // checks whether the variable id is numeric
2. Directly download ready-made anti-injection scripts, such as those provided by 360, Aliyun and Tencent, and include them in the website's configuration file
3. Use whitelists to standardize input validation
4. PDO prepared statements 5. WAF interception
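Items 1, 3 and 4 above side by side with the string-concatenated query they replace, as an added example that is not from the original page; it uses an in-memory SQLite table with constructed rows, and the `lookup_*` function names are assumed.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small users table in memory.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return con


def lookup_vulnerable(con, user_id):
    # The query text is built by concatenation, so the input becomes part of
    # the SQL and can change its logic (e.g. "' OR '1'='1" returns every row).
    sql = "SELECT name FROM users WHERE id = '" + user_id + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_prepared(con, user_id):
    # Item 4: a prepared statement binds the value as data, so the same
    # payload is compared literally against the id column and matches nothing.
    rows = con.execute(
        "SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,)
    )
    return [row[0] for row in rows]


def lookup_whitelisted(con, user_id):
    # Items 1 and 3: an id must be digits only (the is_numeric idea as a
    # whitelist); anything else is rejected before it reaches the database.
    if not user_id.isdigit():
        raise ValueError("id must be numeric")
    return lookup_prepared(con, int(user_id))
```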
What are the default configuration files for common middleware, databases, third-party applications, and operating systems?
/root/.ssh/authorized_keys, /root/.ssh/id_rsa, /root/.ssh/id_rsa.keystore, /root/.ssh/known_hosts // records the public key of each user who accesses the computer
/etc/passwd, /etc/shadow
/etc/my.cnf // MySQL configuration file
/etc/httpd/conf/httpd.conf // Apache configuration file
/root/.bash_history // the user's command history file
/root/.mysql_history // MySQL command history log file
/proc/mounts // records the devices mounted on the system
/proc/config.gz // kernel configuration file
/var/lib/mlocate/mlocate.db // database of full file paths
/proc/self/cmdline // command-line parameters of the current process
What are the prevention methods for arbitrary file download?
(1) Filter "." so that the user cannot step back to the parent directory through the URL
(2) Use a regular expression to strictly check the format of user-supplied parameters
(3) Configure open_basedir in php.ini to restrict which files may be accessed
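The three measures above applied to a download handler, as an added example that is not from the original page: percent-decoding before the check, a strict file-name regex (item 2), and confining the resolved path to a root directory in code, the same idea open_basedir enforces in PHP (item 3). `DOWNLOAD_ROOT` and the function names are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Constructed root directory for downloads (what open_basedir would point at).
DOWNLOAD_ROOT = os.path.realpath("/srv/files")

# Item 2: whitelist of what a requested name may look like. Dots are only
# allowed in the extension, so ".." never passes, nor does a leading "/".
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\.(pdf|zip|txt)$")


def within_root(root, name):
    """Resolve name under root; return the absolute path only if it stays inside root."""
    # os.path.join silently discards root when name is absolute, and realpath
    # collapses "..", so the containment check must run on the resolved path.
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def resolve_download(requested, root=DOWNLOAD_ROOT):
    """Return the file to serve for a request, or None if it must be refused."""
    name = unquote(requested)  # decode %2e%2e%2f etc. before any check
    if not ALLOWED_NAME.match(name):
        return None
    return within_root(root, name)
```

The regex already rejects traversal; `within_root` is the second layer that still holds if the whitelist is later loosened.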
What is the difference between CSRF, XSS and XXE, and how do you fix them?
XSS is cross-site scripting: an attacker places script in data submitted by users so that it executes in other users' browsers, for example to steal their information. Fixes: escape characters as HTML entities, set the HttpOnly flag so JavaScript cannot read the cookie value, validate input, HTML-entity-encode output.
CSRF is cross-site request forgery, and XSS is one of many ways to carry it out; it exists because the application does not verify that the user actually initiated a critical operation. Fixes: identify the pages that need CSRF protection and embed a token, require the password to be re-entered, verify the Referer.
XXE is XML external entity injection: XML can request local or remote content by calling entities, similar to remote file inclusion, which leads to security problems such as sensitive file reads. Fix: configure the XML parsing library to refuse to resolve external entities.
What is the difference between CSRF, SSRF and a replay attack?
CSRF is cross-site request forgery, initiated from the client.
SSRF is server-side request forgery, initiated by the server.
A replay attack resends captured data packets to pass identity authentication.
How can CSRF be prevented?
2. Verify a token 3. Add a CAPTCHA
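The token and Referer checks named in the two CSRF answers above, as an added example that is not from the original page: the token is an HMAC of the session id under a server-side secret, so it is bound to one session and cannot be produced by another site, and it is compared in constant time. `SITE_HOST`, `SERVER_SECRET` and the function names are assumptions; the request is a constructed dict.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SERVER_SECRET = secrets.token_bytes(32)  # constructed; never leaves the server
SITE_HOST = "shop.example"               # assumed hostname of the protected site


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    # Token = HMAC(secret, session id): embedded in each protected form.
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token, secret=SERVER_SECRET):
    # Recompute for the caller's session and compare in constant time; a token
    # issued for a different session (or none at all) fails here.
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected.encode(), (token or "").encode())


def referer_ok(referer, host=SITE_HOST):
    # Referer check: only requests whose Referer host is exactly ours pass.
    # Exact match, so "shop.example.evil.example" is not accepted.
    if not referer:
        return False
    return urlparse(referer).hostname == host


def allow_state_change(request):
    # request is a constructed dict: session, form_token, referer.
    return (
        verify_csrf_token(request["session"], request.get("form_token"))
        and referer_ok(request.get("referer"))
    )
```

Refusing a missing Referer also refuses clients that strip it for privacy, which is why the token, not the Referer, should be the primary control.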
Types of logic vulnerability
1. Arbitrary modification of the order amount 2. The verification code is returned in the response 3. Login credentials are not verified 4. Unrestricted enumeration through an interface 5. Flawed cookie design 6. Flawed password-retrieval flow 7. Values read directly from memory used as user credentials