Article directory
- I. Information collection
- II. sqlmap parameters
- III. SQL injection
  - 1. Prerequisites
  - 2. Classification
  - 3. GET error-based injection
  - 4. GET time-based blind injection
  - 5. GET Boolean-based blind injection
  - 6. POST error-based injection
  - 7. SQL injection bypass techniques
  - 8. Manual SQL injection test
- IV. XSS (cross-site scripting)
- V. File upload
I. Information collection
1. Domain name
Registration data is collected with the whois tool.
Subdomain collection tools include:
- maltegoce
- Browser
- As home owners
- wydomain
2. Ports
Common ports:
- 21
- 80
- 443
- 3306
- 3389 (remote port)
- 6379 (Redis port)
Detection tool: nmap
Example command (-A enables OS and version detection plus default scripts, -T4 selects the faster timing template):
nmap -A -v -T4 target
3. Collecting sensitive information
Google Hacking syntax:
- site:<domain>  restricts results to one domain
- intext:<keyword>  searches page text for a keyword
- intitle:<keyword>  searches page titles for a keyword
- inurl:<keyword>  searches for URLs containing the keyword
4. The real IP address
If the site sits behind a CDN (content delivery network), the real IP address is not easy to find and the CDN has to be bypassed; a first check is to ping the domain and see which address answers.
5. Shodan
Shodan is a specialized search engine for internet-connected devices: servers, cameras, routers and so on.
You need to register first and obtain an API key before the command-line tool or the Python library can be used.
Common searches in the web interface:
- webcam: find cameras
- port: filter by port
- host: filter by address
- city: filter by city
Using the command line:
- install: pip install shodan
- initialize: shodan init api_key
- search: shodan search <query>
Using Python:
- initialize the client with the API key
- run a search
II. sqlmap parameters
Download and extract it; it can then be run directly.
1. Target
- -u  target URL
- -d  connection string for a direct database connection
- -m  file containing a list of target URLs
- -r  load an HTTP request from a file
- -c  load options from a configuration INI file
2. Request
- --method  HTTP method to use
- --data  data string sent in the request body (POST)
- --cookie  HTTP Cookie header value
- --user-agent  HTTP User-Agent header value
- --referer  HTTP Referer header value
- --proxy  send requests through a proxy
- --delay  delay in seconds between requests
- --timeout  seconds to wait before a connection times out
- --retries  retries on connection timeout
- --randomize  randomly change the value of the given parameter on each request
- --safe-url  a URL to request periodically during testing, so that normal requests are interleaved with the test requests
3. Optimization
- --keep-alive  use persistent HTTP connections
- --null-connection  retrieve page length without the response body
- --threads  number of concurrent requests
4. Injection
- --skip  skip testing the given parameter
- --dbms  force the back-end DBMS
- -the
- --prefix  string prepended to the injection payload
- --suffix  string appended to the injection payload
5. Technique
- --technique  injection techniques to use
- --union-cols  range of columns to test for UNION query injection
- --union-char  character used to brute-force the number of columns
- --union-from  table to use in the FROM part of the UNION query
6. Enumeration
- -b  retrieve the DBMS banner
- --dbs  enumerate databases
- --dump  dump table entries
- -D  database to enumerate
- --where  WHERE condition to use while dumping
- --start  first entry to retrieve
- --stop  last entry to retrieve
7. sqlmap practice
Test environment: the Mozi School online target range. The demonstration is linked below:
Mozi School sqlmap Boolean-based blind injection test
III. SQL injection
1. Prerequisites
- A parameter the user can control
- The parameter is used in a query that interacts with the database
2. Classification
By data type:
- String
- Integer
By how the result is returned:
- Error-based injection
- Blind injection:
  - Time-based blind
  - Boolean-based blind
3. GET error-based injection
- Detect whether there is an injection point
- Determine the number of columns with ORDER BY
- Get the table names with UNION SELECT
- Query the column names through the system tables
- Retrieve the field values
4. GET time-based blind injection
For example:
if(ascii(substr(database(),1,1))=115,1,sleep(3))
Check whether the page response is delayed.
5. GET Boolean-based blind injection
For example:
select ascii(substr(database(),1,1)) = N;
Compare the page returned when the condition is true with the one returned when it is false.
6. POST error-based injection
Principle: close the quotation mark of the original query, then append the injected SQL.
7. SQL injection bypass techniques
- Double-writing keywords
- Case variation
- Encoding
- MySQL inline comments
- Closing the quotation mark, for example:
' or 1=1
' or '1'='1
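To see why the two prerequisites in section 1 are what matter, and what the closing-quote payloads above actually do to a query, here is an added Python example that is not part of the original notes and not sqlmap code. It runs the same login query twice, once by splicing the input into the SQL text and once parameterized. It assumes an in-memory SQLite database (the notes discuss MySQL; the quote-closing behaviour is the same) with a constructed users table.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory users table for the demo (not data from the notes).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Both prerequisites hold: the caller controls name and password, and both
    # are spliced into the query text. A quote in the input therefore closes
    # the string literal early and the rest of the input is parsed as SQL.
    sql = f"SELECT COUNT(*) FROM users WHERE name='{name}' AND password='{password}'"
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: the driver passes the values separately from the
    # statement, so a quote in the input has no syntactic meaning at all.
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def demo() -> dict:
    conn = make_db()
    payload = "' or '1'='1"   # closing-quote payload from the notes above
    return {
        "vulnerable_with_payload": login_vulnerable(conn, "alice", payload),
        "safe_with_payload": login_safe(conn, "alice", payload),
        "safe_with_real_password": login_safe(conn, "alice", "correct-horse"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

With the payload as the password, the spliced query becomes WHERE name='alice' AND password='' or '1'='1', which is true for every row, so the vulnerable login succeeds without the password; the parameterized version compares the password column against the literal string and fails.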
8. Manual SQL injection test
Test environment: the Mozi School online target range. The test is linked below:
Mozi School manual SQL injection test
IV. XSS (cross-site scripting)
1. Categories
- Reflected: non-persistent attack
- Stored: persistent attack
- DOM-based: the payload is handled by client-side DOM code; the server does not process it
2. Payloads
<script>alert(document.domain);</script>
123"> <script>alert(document.domain);</script>
"</b><script>alert(document.domain);</script>
" onmouseover=alert(document.domain)
- javascript pseudo-protocol:
javascript:alert(123)
- CSS property:
background:url("javascript:alert(document.domain);");
- Hidden form field:
type=hidden
- Entity doublewrite
- base64 encoding
- Hexadecimal encoding
- Unicode encoding
- IE browser features
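The payloads above each break out of a different context (element body, quoted attribute, URL attribute). The following added Python example, which is not from the original notes, renders each payload through a raw template and through an encoding template and then checks the resulting markup with a small HTMLParser-based scanner. The template, the scanner and the allow-listed URL schemes are assumptions made for the demo; the payload strings are the ones listed in the notes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# The payloads listed in the notes above, used here as constructed test input.
PAYLOADS = [
    "<script>alert(document.domain);</script>",
    '123"> <script>alert(document.domain);</script>',
    '"</b><script>alert(document.domain);</script>',
    '" onmouseover=alert(document.domain)',
    "javascript:alert(123)",
]

# Attributes whose value is interpreted as a URL (assumed set for the demo).
URL_ATTRS = {"href", "src", "action", "formaction"}

def render_unsafe(value: str) -> str:
    # A template that reflects user input raw into three contexts: a URL
    # attribute, a quoted attribute value and the element body.
    return f'<a href="{value}"><input value="{value}"></a><p>{value}</p>'

def safe_href(value: str) -> str:
    # Encoding does not help in a URL context: javascript:alert(123) contains
    # nothing html.escape would touch. Allow-list the scheme instead.
    scheme = urlparse(value).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(value, quote=True)

def render_safe(value: str) -> str:
    # html.escape(quote=True) encodes & < > " ' so the value can neither close
    # the attribute it sits in nor start a new tag in the body.
    safe = html.escape(value, quote=True)
    return f'<a href="{safe_href(value)}"><input value="{safe}"></a><p>{safe}</p>'

class DangerFinder(HTMLParser):
    # Walks the rendered markup and records script tags, on* event-handler
    # attributes and javascript: URLs, i.e. what the payloads above try to add.
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def find_dangerous(markup: str) -> list[str]:
    parser = DangerFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings

def audit(render) -> dict:
    # Map each payload to the findings in the markup the given renderer produces.
    return {p: find_dangerous(render(p)) for p in PAYLOADS}

if __name__ == "__main__":
    for label, renderer in (("raw", render_unsafe), ("encoded", render_safe)):
        for payload, findings in audit(renderer).items():
            print(f"{label:8} {payload!r}: {findings or 'clean'}")
```

The point the scanner makes visible is that the four markup payloads are neutralized by output encoding alone, while the javascript: pseudo-protocol payload is not, because it contains no character the encoder changes; a URL attribute needs a scheme allow-list on top of encoding.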
V. File upload
Common ways of bypassing upload validation:
- Bypassing JavaScript validation:
  - use BurpSuite to strip the JavaScript check from the request
  - or remove the JavaScript check in the browser, save the page, and submit from the saved HTML page
- MIME-Type: modify the declared file type
- Modify the file suffix:
  - case variation
  - double-writing
  - path splicing
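Every bypass in the list above targets a check that trusts something the uploader controls: client-side JavaScript, the declared Content-Type, or a deny-list of suffixes. The following added Python example, which is not from the original notes, is a server-side validator written so that those bypasses have nothing to act on: an extension allow-list compared after lower-casing the last suffix, only the final path component, and a magic-bytes check on the received content instead of the declared MIME type. The allowed types, magic bytes and sample uploads are constructed for the demo.

```python
import secrets

# Allow-list of extensions the application actually needs. Case variation,
# double-writing and similar tricks all target deny-lists, which this avoids.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Magic bytes each allowed type must start with. Checked on the bytes received,
# because the MIME type the client declares is under the uploader's control.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason or storage name) for one uploaded file."""
    # A null byte lets the checked name differ from the name the filesystem sees.
    if "\x00" in filename:
        return False, "null byte in filename"
    # Path splicing: keep only the last path component, whichever separator.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        return False, "empty or traversal filename"
    # Case and double-writing: lower-case the LAST suffix and compare it to the
    # allow-list, so shell.PHP and shell.pphphp are simply not allowed types.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    # shell.php.jpg passes the suffix check; the content check catches it.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match the claimed image type"
    # Never reuse the uploader's name on disk: store under a random name.
    return True, f"{secrets.token_hex(16)}.{ext}"

def demo() -> dict:
    # Constructed sample uploads, one per bypass technique listed above.
    not_image = b"<?php echo 'not an image'; ?>"
    samples = {
        "cat.jpg (real JPEG header)": ("cat.jpg", b"\xff\xd8\xff\xe0JFIF"),
        "shell.PHP (case variation)": ("shell.PHP", not_image),
        "shell.pphphp (double-writing)": ("shell.pphphp", not_image),
        "../../www/shell.php (path splicing)": ("../../www/shell.php", not_image),
        "shell.php.jpg (double suffix)": ("shell.php.jpg", not_image),
        "shell.jpg declared as image/jpeg (MIME-Type)": ("shell.jpg", not_image),
    }
    return {label: validate_upload(name, data)[0] for label, (name, data) in samples.items()}

if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{'accepted' if accepted else 'rejected'}: {label}")
```

Note that the declared Content-Type is not an input to validate_upload at all: the MIME-Type bypass in the list works only against code that reads it, so the validator reads the file's own header instead.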