Web Penetration Testing: Common Knowledge (Course Outline)

One, website information gathering and website vulnerabilities.

1, domain WHOIS lookup, domain registration record lookup, subdomain enumeration, approach to hunting for vulnerabilities.

2, CMS fingerprinting, CMS vulnerability lookup, sensitive directory discovery, WordPress testing.

3, port information gathering, attacks against exposed ports, defensive measures.

4, sensitive information gathering: Google hacking, information from HTTP server response headers, GitHub information leakage.

5, detecting whether a CDN is in use, bypassing the CDN, the principle behind finding the real IP address.

6, Shodan: searching for webcams, searching by specific port, by IP, by city.

7, Shodan command line: finding the count of a specific service, the command-line search function.

8, Shodan: retrieving information about an IP address, retrieving account information, retrieving your own external IP address, detecting whether a host is a honeypot.

9, python-shodan: search queries, IP lookups.

10, .git information disclosure: principle and exploitation.

Two, SQL injection.

11, SQL injection principle, SQL injection in a CMS, log cases, sqlmap.

12, MySQL 5.x injection: data structures, SQL CRUD, MySQL functions, comments.

13, lab setup: phpStudy, sqlmap, Firefox extensions, sqli-labs.

14, SQL injection classification, GET error-based SQL injection: discovery, exploitation, sqlmap testing.

15, blind injection when errors are no longer displayed: GET time-based blind, Boolean-based blind, sqlmap testing.

16, MySQL injection: reading files, writing files, writing a webshell, sqlmap testing.

17, POST error-based injection.

18, GET error-based injection: single-quote and double-quote injection, sqlmap testing.

19, SQL injection filter-bypass techniques: case variation, double writing, encoding, inline comments.

20, HTTP POST: time-based blind, Boolean-based blind, sqlmap testing.

21, HTTP header injection: User-Agent injection, Referer injection, sqlmap testing.

22, MySQL UPDATE injection, filtered content, sqlmap testing.

23, cookie injection: exploitation, sqlmap testing.

24, Base64-encoded cookie injection, sqlmap testing.

25, MySQL comment symbols, code analysis of comment-character stripping, SQL injection bypassing comment-character stripping, sqlmap testing.

26, code analysis of AND/OR stripping, SQL injection bypassing AND/OR stripping, sqlmap testing.

27, code analysis of space stripping, SQL injection bypassing space stripping, sqlmap testing.

28, code analysis of UNION stripping, SQL injection bypassing SELECT and UNION stripping, sqlmap testing.

29, wide-byte injection: code analysis, injection, sqlmap testing.

30, second-order injection: code analysis, exploitation, impact.

31, SQL injection vulnerability hunting: ESPCMS, automated audit tools, hunting for direct injection into SELECT statements, verifying with a PoC.

32, sqlmap update parameters, displaying data tables, the updatexml() function, the extractvalue() function.

33, configuring IIS, deploying the site source code, handling common problems, testing the source code.

34, ASP + Access websites: web vulnerability scanning, analysis, exploiting the SQL injection point.

35, Access offset injection: principle, usage scenarios, procedure, formulas, practice.

Three, sqlmap

36, sqlmap: direct database connection, URL detection, reading targets from a file, bulk scanning of Google dork results.

37, sqlmap: setting the HTTP method and POST data, setting the parameter delimiter, setting the Cookie header.

38, sqlmap: setting the User-Agent, Host header, Referer header and other HTTP headers.

39, sqlmap: setting HTTP authentication, HTTP proxy, the Tor anonymity network, request delay.

40, sqlmap: setting the timeout, number of retries, randomized parameters, target log filter.

41, sqlmap: ignoring HTTP 401, setting the HTTPS private key, safe mode, skipping URL encoding.

42, sqlmap: persistent HTTP connections, discarding the HTTP response body, multithreading, output prediction.

43, sqlmap: specifying the injectable parameter, setting the URL injection point, setting an arbitrary injection point.

43, sqlmap: forcing the DBMS, forcing the OS, disabling the payload casting mechanism, disabling the string-escaping mechanism.

44, sqlmap: forcing invalid-value replacement, custom injection payload position, tamper scripts, DBMS authentication.

45, sqlmap: setting the detection level, risk level, page comparison parameters, content comparison parameters.

46, sqlmap: specifying the SQL injection technique, time-based blind delay, number of UNION columns, UNION character.

47, sqlmap: setting the UNION query table, DNS exfiltration attack, second-order injection, fingerprinting.

48, sqlmap: retrieving the DBMS banner, current user, current database, current hostname.

49, sqlmap: checking whether the current user is DBA, enumerating DBMS users, user passwords, privileges.

50, sqlmap: enumerating database names, tables, columns, data values.

51, sqlmap: enumerating schema information, retrieving table row counts, dumping data, setting conditions on retrieval.

52, sqlmap: brute-force enumeration, reading files, writing files, retrieving everything.

53, sqlmap: executing OS commands, integration with Metasploit, registry operations.

54, sqlmap: loading a SQLite session file, loading an HTTP request from a text file, default-answer option, executing system commands.

55, sqlmap: setting the blind-injection character set, crawling URLs, CSV output delimiter, output format.

56, sqlmap: checking internet connectivity before testing, parsing and testing form input fields, estimated completion time, flushing the session file.

57, sqlmap: ignoring results stored in the session, retrieving data with hex functions, custom output path, parsing error messages from the response.

58, sqlmap: forcing the DBMS character encoding, saving HTTP traffic to HAR, selecting specific payloads, filtering specific payloads.

59, sqlmap: miscellaneous parameters.

60, sqlmap tamper script structure: the tamper() function, the dependencies() function, example.

61, sqlmap commonly used tamper script files, tamper analysis.

62, sqlmap tamper scripts adapted for MSSQL: analysis method, learning to analyse a script, inferring its role from its name.

Four, XSS and payloads

63, XSS (cross-site scripting) categories: reflected XSS, stored XSS, DOM-based XSS.

64, reflected XSS cookie theft, session hijacking with the stolen cookie, actions after hijacking a session.

65, XSS link tampering, redirecting links to a malicious URL, the URL it points to.

66, principle of stealing user information, cloning a site with setoolkit, stored XSS redirecting to the cloned site to capture account and password.

67, unfiltered XSS: the HTML <b> tag, XSS detection process, closing the text tag to trigger XSS.

68, disabling Chrome's XSS Auditor, attribute XSS: discovery, closing the attribute to introduce a script, closing the attribute to introduce an event handler.

69, XSS in select lists: the HTML select tag, forms, testing XSS with Burp Suite, closing the tag to trigger XSS.

70, XSS in hidden form parameters: capturing and testing with Burp Suite, svg, closing the tag to trigger XSS.

71, XSS in length-limited text inputs: calculating payload length, modifying the source with the browser's developer tools, triggering XSS with the payload.

72, HTML event XSS: the vulnerability, closing approach, triggering XSS with the payload.

73, space-separated attribute XSS: detection, triggering XSS.

74, triggering XSS via the javascript: pseudo-protocol: vulnerability discovery, the href attribute of a link tag, triggering XSS with the payload.

75, bypassing a filter that strips matched keywords to empty: vulnerability discovery, bypass approach, double-writing bypass, encoding bypass.

76, bypassing a filter that replaces script and on* event handlers: vulnerability discovery, bypass approach, pseudo-protocol bypass, space bypass.

77, bypassing XSS filtering using IE quirks: vulnerability discovery, how the XSS works, IE quirks explained, triggering XSS with the payload.

78, bypassing XSS filtering with CSS properties: vulnerability discovery, how the XSS works, characteristics explained, triggering XSS with the payload.

79, triggering XSS via CSS in IE: executing JS from CSS, using comments to bypass keyword filters, triggering XSS with the payload.

80, hexadecimal encoding to bypass filters: XSS hunting, double slash + hex bypass, triggering XSS with the payload.

81, Unicode encoding to bypass filters: XSS hunting, double slash + Unicode bypass, triggering XSS with the payload.

82, special handling of origins: same-origin policy, origins in IE, document.domain.

83, clearing cookies, the cookie HttpOnly flag.

84, XSS filters: the htmlspecialchars() function, the htmlentities() function, the strip_tags() function, custom XSS filters.

85, encoding and escaping: URL encoding, HTML encoding, JS encoding, the meaning of each encoding.

86, XSS filter bypass methods: XSS payload testing, automated testing tools, keeping up with the latest HTML features, etc.

87, where XSS occurs: GET URL parameters, POST form fields, JSON, custom HTTP headers.

88, grey-box testing of stored XSS: targeted XSS hunting, auditing the blacklist, bypassing the filter, triggering XSS.

89, automated XSS vulnerability discovery: the XSSer tool, principle, help, launch modes.

90, XSS fuzzing tools: XSStrike help information, examples.

Five, CSRF

91, CSRF vulnerability principle, code analysis, exploitation.

92, exploiting unprotected CSRF: GET-type CSRF code analysis and exploitation, POST-type CSRF code analysis and exploitation.

93, principle of manual CSRF detection, using automated tools to detect CSRF vulnerabilities.

94, analysing the fix logic, analysing a simple code model, analysing the token-generation code, using tokens to defend against CSRF.

95, bypassing Referer-based CSRF defences: how Referer checking defends against CSRF, writing the defence code, Referer bypass techniques, automatic PoC generation with Burp Suite.

96, GET-type CSRF exploitation methods: via a link, an iframe, an img tag, a CSS background.

97, defensive code: Referer checking, anti-CSRF tokens, token leakage.

Six, file upload

98, bypassing JavaScript validation: analysing the JS validation code, stripping the JS from the response with Burp Suite, removing the JS with the browser's developer tools, uploading a webshell, connecting with Chopper.

99, bypassing MIME-type validation: code analysis, bypassing the MIME-type check with Burp Suite, connecting with Chopper, the virtual terminal feature.

100, file-extension validation: analysing blacklist-based validation code, bypassing the blacklist with Burp Suite, uploading a webshell and connecting with Chopper.

101, bypassing blacklist validation: .htaccess files, the httpd.conf configuration file, auditing the blacklist filtering code, creating and uploading an image containing a phpinfo probe.

102, bypassing blacklist validation: case-sensitivity bypass principle, analysing the blacklist validation code, directly modifying the .php extension of the uploaded file, uploading a webshell with WeBaCoo.

103, bypassing blacklist validation: trailing-space bypass principle, analysing the blacklist validation code, bypassing the blacklist with Burp Suite, generating and uploading a webshell.

104, bypassing blacklist validation: trailing-dot bypass principle, analysing the blacklist validation code, bypassing the blacklist with Burp Suite, generating and uploading a webshell.

105, bypassing blacklist validation: special-character bypass principle, analysing the blacklist validation code, directly uploading 1.php::$DATA, uploading a third-party webshell.

106, bypassing blacklist validation: path-concatenation bypass principle, analysing the blacklist code, renaming the file to bypass the blacklist, uploading a small webshell and then a large webshell.

107, bypassing blacklist validation: double-writing bypass principle, analysing the blacklist validation code, bypassing the blacklist, uploading a webshell.

108, bypassing blacklist validation: null-byte (%00) truncation principle, GET-type null-byte truncation, POST-type null-byte truncation, one-line code-execution webshell.

109, creating an image webshell, uploading the image webshell file, analysing the file-inclusion vulnerability code, combining with file inclusion to output phpinfo.

110, the file upload flow, race condition principle, race condition code analysis, exploiting a race condition in file upload.

Seven, IIS 6.0

111, IIS 6.0 parsing vulnerability, PUT upload principle, detecting PUT upload, exploiting PUT upload.

112, IIS 6.0 file-type parsing, remediation of the file parsing vulnerability.

Eight, Apache

113, Apache parsing vulnerability, exploitation, usage scenarios.

Nine, SSRF

114, SSRF vulnerability principle, code analysis, exploitation.

115, PHP functions that give rise to SSRF: file_get_contents(), fsockopen(), curl_exec().

116, SSRF exploit code analysis, accessing internal network resources via SSRF, port scanning via SSRF.

Ten, XML and DTD

117, DTD declaration types, data types, entities, how injection arises.

Eleven, XXE

118, XXE vulnerable code: the file_get_contents() function, php://input, the simplexml_load_string() function, functions that echo the injected XML.

119, reading arbitrary files via XXE: test code, PHP test PoC, reading text files, reading PHP files.

120, reading arbitrary files via XXE without echo: test principle, request XML, server-side DTD.

121, eliminating XXE vulnerabilities, XXE defences.

Twelve, command execution

122, command execution vulnerability principle, PHP command execution functions, vulnerable code analysis, vulnerability case studies.

123, Windows command examples, exploitation approach, command-chaining characters in command execution vulnerabilities, exploitation.

124, Linux command examples, exploitation approach, command-chaining characters in command execution vulnerabilities, exploitation.

125, supplement on Linux command chaining, the commix tool, help information, tool usage.

126, command-line exploitation: supplement on PHP command execution, the eval() function, command execution vulnerability case.

Thirteen, brute force

127, brute-force principle, methods, code analysis, Burp Suite demonstration.

128, brute-forcing HTML form content: POST data submission, CAPTCHA code analysis, brute-forcing the CAPTCHA.

129, HTTP Basic authentication: analysing the authentication flow with Burp Suite, brute-forcing HTTP Basic authentication.

130, generating a dictionary for HTTP Basic authentication: approach, Python dictionary-generation code, extension ideas.

131, why HTTP authentication needs configuring in Burp Suite, configuring authentication in Burp Suite.

132, basics of the cupp dictionary-generation tool.

133, basics of the pydictor dictionary-generation tool.

134, basic use of the dymerge dictionary-merging tool, advanced use and output of merged content.

135, offline password cracking: offline cracking, cracking websites, local offline cracking, extensions of offline cracking.

Fourteen, logic flaws

136, arbitrarily modifying the order amount: order logic flaws, exploiting order logic flaws, defending against logic flaws.

137, password reset and password recovery: password reset logic analysis, logic flaws in password reset, defence.



Origin blog.csdn.net/qq_41723615/article/details/105199264