The most comprehensive penetration testing interview questions ever, all solid content and no filler.

1. You are given a site to test. What should you do first?

1. Information collection

1. Get the domain's whois information: the registrant's email address, name, phone number, etc.

2. Look up side sites (other sites hosted on the same server) and subdomains through Webmaster's Home, Mingboy, K8, etc. The main site is usually harder to break into, so first check whether any side site runs a common CMS or has other vulnerabilities.

3. Obtain the company's domain names and IPs through the DNS zone transfer vulnerability, ICP filing-number lookups, SSL certificates, apps, WeChat official accounts, brute-force subdomain enumeration, DNS history, K8 C-segment (class C range) queries, JSFinder, 360 or Huawei threat intelligence, and certificate serial numbers.

4. Check the server's operating system version and web middleware with Nmap, Wappalyzer, Yujian, etc., and look for known vulnerabilities, such as the IIS, Apache and Nginx file parsing vulnerabilities.

5. Scan the website's directory structure with the 7KB and "broken shell" dictionaries to see whether directories can be listed or sensitive files leak, such as PHP probe pages and administrator backup files.

6. Use Google hacking to further probe website information, admin backends and sensitive files.

7. Collect sensitive information: GitHub source code; source code leakage found by 7KB and "broken shell" scans (.hg, .git, CVS, SVN and .DS_Store leaks); Google hacking; interface information leakage; social-engineering information leakage; email address collection; netdisk search; ZoomEye; Tianyancha; threat intelligence; ThreatBook; etc.

8. Use Wappalyzer and Yujian to identify the website's fingerprint (CMS, CDN, certificates, etc.) and DNS records.

2. Vulnerability scanning

1. Use AWVS, AppScan, Chaitin's Xray and other scanners to detect web vulnerabilities such as XSS, CSRF (XSRF), SQL injection, code execution, command execution, unauthorized access, directory traversal, arbitrary file read and download, file inclusion, remote command execution, weak passwords, file upload, editor vulnerabilities, brute-force cracking, etc.

2. Use Nmap, Sky Mirror, Nessus, Aurora and similar scanners against the system IPs, then verify the high-risk vulnerabilities they report, such as MS08-067, MS17-010, MS12-020, MS15-035, MS19-0708, EternalBlue 2nd generation, CVE-2017-7494 (Samba), CVE-2014-6271 (Shellshock), PHP CGI and related vulnerabilities.

3. Exploitation

Use the methods above to obtain a webshell or other access.

4. Privilege escalation

Escalate privileges on the server: on Windows, MySQL UDF escalation, Serv-U escalation and old Windows vulnerabilities such as IIS6, pr and Churrasco ("Brazilian barbecue"); on Linux, the Dirty COW vulnerability, kernel-version exploits, MySQL system escalation and Oracle low-privilege escalation.

5. Log cleanup

Clear the operating system, middleware, database and other logs.

6. Summary report and remediation plan

2. Which websites do you usually learn from, and which platforms do you submit the vulnerabilities you find to?

For learning: Seebug, FreeBuf, 52pojie, the Pediy (Kanxue) forum, Alibaba Security, PentesterLab, the Alibaba Cloud Xianzhi community, Clover Security, etc.

Vulnerabilities are generally submitted to Butian (360), CNVD, the education-sector vulnerability platform, Bugbank, WooYun and the Vulbox crowdsourced testing platform.

3. Why does identifying the website's CMS matter for a penetration test?

You can look up program vulnerabilities that have already been published online, and if the CMS is open source you can also download the corresponding source code for a code audit.

4. Common web server containers (middleware)

IIS, Apache, Nginx, Lighttpd, Tomcat, WebLogic, JBoss

5. For a mature, relatively secure CMS, what is the point of scanning its directories during a penetration test?

Sensitive files, second-level directories, mistakes by the webmaster, etc.: for example, website backup archives, explanatory .txt files, and second-level directories that may host other sites.

6. You are given a target site and told that a /abc/ directory exists under the web root, containing editor and admin directories. What do you do?

Scan the second-level directory /abc/ directly for sensitive files and directories with the 7KB or "broken shell" dictionaries.

7. During a penetration test, what value is there in collecting the registrants' email addresses for the target site?

Run them through social-engineering (leaked credential) databases to see whether a leaked password exists, then try logging into the admin backend with that password.
Use the email addresses as keywords in search engines.
Use the related information found to uncover other email addresses, and from those the commonly used social accounts.
Social-engineering the social accounts may reveal the administrator's habits when setting passwords.
Use the information gathered to generate a dedicated password dictionary.
Observe which obscure websites the administrators visit often; take one of those down and you will get more useful material.

8. What are Nmap's main functions and scanning methods, how do you skip the ping (host discovery) stage, how do you do vulnerability detection, etc.?

1. Four major functions: host discovery (-sn), port scanning (-sS, -sU), version detection (-sV), OS detection (-O)
2. Scanning methods: TCP connect(), TCP SYN scan, TCP FIN scan, Null scan, etc.

3. Skip the ping scan: nmap -Pn XXX.XXX.XXX.XXX

4. Vulnerability detection: nmap target --script=auth,vuln

9. What types of SQL injection are there?

1 Error-based injection 2 Boolean-based injection 3 Time-based (delayed) injection 4 Wide-byte injection

10. How do you identify time-based (delayed) injection?

Blind SQL injection falls into three categories: Boolean-based, time-based and error-based.

Boolean-based blind injection: XXX' and ascii(substr(database(),1,1))=112#

Time-based blind injection: XXX' and sleep(x)#
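The same two payload shapes are what a defender looks for in web server logs. The following is an added example (not from the original post): a small detector for Boolean- and time-based blind injection probes, run over constructed Apache-style access-log lines; the log lines, IPs and URLs are all made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real server). Lines 2-4 carry
# the Boolean and time-based probe shapes quoted above, URL-encoded as a browser
# or tool would send them; line 5 is a harmless look-alike.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2021:10:01:02 +0800] "GET /news.php?id=12 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Feb/2021:10:01:07 +0800] "GET /news.php?id=12'%20and%20ascii(substr(database(),1,1))=112%23 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Feb/2021:10:01:09 +0800] "GET /news.php?id=12'%20and%20ascii(substr(database(),1,1))=113%23 HTTP/1.1" 200 88
10.0.0.9 - - [10/Feb/2021:10:01:15 +0800] "GET /news.php?id=12'%20and%20sleep(5)%23 HTTP/1.1" 200 5120
10.0.0.7 - - [10/Feb/2021:10:02:00 +0800] "GET /search.php?q=sleepy%20cat HTTP/1.1" 200 2048
"""

# One pattern per blind-injection family. Boolean probes test one character of a
# substring; time-based probes call a delay function. Matching is done on the
# URL-decoded target so %20/%23 encoding cannot hide the keywords.
BLIND_PATTERNS = {
    "boolean": re.compile(r"\b(?:ascii|ord)\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "time": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
}
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) ')

def classify_request(target):
    """Return 'boolean', 'time' or None for a raw request target (path + query)."""
    decoded = unquote_plus(target)
    for family, pattern in BLIND_PATTERNS.items():
        if pattern.search(decoded):
            return family
    return None

def scan_log(text):
    """Return (client ip, family, decoded target) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        family = classify_request(m.group("target"))
        if family:
            hits.append((m.group("ip"), family, unquote_plus(m.group("target"))))
    return hits

if __name__ == "__main__":
    for ip, family, target in scan_log(SAMPLE_LOG):
        print(f"{ip}  {family:8s}  {target}")
```

A run of such probes from one client, each differing only in the compared character, is the signature of Boolean blind enumeration; a single sleep() probe with a long response time is the time-based one.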

11. How do you run sqlmap against an injection point?

1) For GET injection, run sqlmap -u "injection point URL" directly.

2) For POST injection, use sqlmap -r "file containing the request captured in Burp".

3) For injection in a cookie, X-Forwarded-For or a similar header, capture the request with Burp Suite once you can access the page, replace the value at the injection position with a number, save the request to a file, then run sqlmap -r "file path", remembering to add --level 3.

12. How do you defend against SQL injection?

1. Numeric filtering, e.g. check the id parameter with is_numeric() and reject the request if !is_numeric($id)

2. Download ready-made anti-injection files and include them from the site's configuration file via include, such as the anti-injection scripts provided by 360, Alibaba Cloud and Tencent

3. Use whitelists to standardize input validation

4. Use PDO prepared statements

5. Use a WAF to intercept attacks
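Items 1, 3 and 4 above combine into one pattern: type-check the parameter, then bind it instead of concatenating it. The following is an added example (not the post's own code) showing the vulnerable and hardened forms side by side; it uses Python's sqlite3 placeholders as the equivalent of PDO prepared statements, and the news table and its rows are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a site's news table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, draft INTEGER)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)",
                     [(1, "Public notice", 0), (2, "Unreleased draft", 1), (3, "Second notice", 0)])
    return conn

def fetch_news_vulnerable(conn, news_id):
    """Vulnerable form: the request parameter is concatenated into the SQL text, so an
    id such as "1 OR 1=1" rewrites the WHERE clause and exposes the unpublished draft."""
    sql = "SELECT title FROM news WHERE draft = 0 AND id = " + str(news_id)
    return [row[0] for row in conn.execute(sql)]

def fetch_news_safe(conn, news_id):
    """Hardened form: a numeric whitelist check (the is_numeric idea) followed by a
    bound parameter (the PDO prepared-statement idea, here sqlite3's "?" placeholder).
    A non-numeric id is rejected before any SQL is built."""
    if not isinstance(news_id, str) or not news_id.isdecimal():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT title FROM news WHERE draft = 0 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(news_id),))]

def safe_or_rejected(conn, news_id):
    """Wrapper for the request handler: the titles found, or None if the id was rejected."""
    try:
        return fetch_news_safe(conn, news_id)
    except ValueError:
        return None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id='1 OR 1=1':", fetch_news_vulnerable(db, "1 OR 1=1"))
    print("safe,       id='1 OR 1=1':", safe_or_rejected(db, "1 OR 1=1"))
    print("safe,       id='1':       ", safe_or_rejected(db, "1"))
```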

13. What are the default configuration files for commonly used middleware, databases, third-party applications, and operating systems?

/root/.ssh/authorized_keys

/root/.ssh/id_rsa

/root/.ssh/id_rsa.keystore

/root/.ssh/known_hosts //Record the public key of each user who accesses the computer

/etc/passwd

/etc/shadow

/etc/my.cnf //mysql configuration file

/etc/httpd/conf/httpd.conf //apache configuration file

/root/.bash_history //User history command record file

/root/.mysql_history //mysql history command record file

/proc/mounts //Record system mount devices

/proc/config.gz //Kernel configuration file

/var/lib/mlocate/mlocate.db //full file path

/proc/self/cmdline //Command-line parameters of the current process

14. How do you prevent arbitrary file download?

(1) Filter "." so that ".." cannot be used in the URL to climb to the parent directory

(2) Use a strict regular expression to validate the format of user-supplied parameters

(3) Configure open_basedir in php.ini to limit the range of file access
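The three measures are layers of one download handler: reject ".." and malformed names, then confine the resolved path to the download directory (the role open_basedir plays in PHP). The following is an added example, not code from the post, in Python; the download directory, files and symlink are constructed in a temporary folder so it runs stand-alone.

```python
import os
import re
import tempfile

# Format whitelist (step 2): only plain names like "report-2021.pdf" pass. Anything
# containing a path separator or ".." (step 1) fails here before any path is built.
NAME_RE = re.compile(r"[A-Za-z0-9_\-]+(?:\.[A-Za-z0-9]+)?")

def resolve_download(base_dir, requested):
    """Return the real path of the file to serve, or None if the request must be refused."""
    if not NAME_RE.fullmatch(requested):
        return None  # traversal strings such as "../../etc/passwd" stop here
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # Second layer (step 3): a well-formed name can still be a symlink that points
    # outside the download directory, so confine the *resolved* path to base.
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None

def demo():
    """Build a constructed download directory and try several requests against it.
    Returns {request: served?} so the outcome can be checked without a web server."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    secret = os.path.join(root, "secret.txt")  # lives outside the download directory
    with open(secret, "w") as f:
        f.write("not for download")
    with open(os.path.join(downloads, "report.pdf"), "w") as f:
        f.write("pdf")
    os.symlink(secret, os.path.join(downloads, "leak.txt"))  # passes the regex, escapes via symlink
    results = {}
    for req in ["report.pdf", "../secret.txt", "leak.txt", "missing.pdf"]:
        results[req] = resolve_download(downloads, req) is not None
    return results

if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{req:15s} -> {'served' if served else 'refused'}")
```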

15. What are the differences between CSRF, XSS and XXE, and how are they fixed?

XSS is cross-site scripting: code placed in user-submitted data gets executed, enabling attacks such as stealing user information. Fix: escape characters as HTML entities, set the HttpOnly flag so JavaScript cannot read cookie values, validate on input and HTML-entity-encode on output.

CSRF is cross-site request forgery, and XSS is one of many means of carrying it out. It arises because the application does not confirm that the user voluntarily initiated a critical operation. Fix: identify the pages that need CSRF protection, then embed a token, require the password to be entered again, and check the Referer.

XXE is XML external entity injection: in XML, entities can be declared that fetch local or remote content, and, much like remote file inclusion, this causes security issues such as reading sensitive files. Fix: configure the XML parsing library to prohibit resolution of external entities.

16. What is the difference between CSRF, SSRF and replay attacks?

CSRF is a cross-site request forgery attack, initiated by the client;

SSRF is server-side request forgery, initiated by the server;

A replay attack is to replay the intercepted data packet to achieve identity authentication and other purposes.

17. How do you prevent CSRF?

1. Verify the Referer 2. Verify a token 3. Add a captcha
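The token and Referer checks named here (and in question 15) are shown working together in the following added example, which is not code from the post. It assumes a session-bound HMAC token scheme of my own choosing (the post only says "embed the Token"), a site host of www.example.com, and request headers and form fields passed in as dictionaries.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed per-process secret; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    """Mint a token bound to this session: "<nonce>.<HMAC(secret, session:nonce)>".
    Embedding the session id in the MAC means a token stolen from one session is
    useless in another, and nothing needs to be stored server-side."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False  # missing token or wrong shape
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def referer_ok(headers, site_host):
    """Referer check: prefer Origin, fall back to Referer; a missing or foreign
    origin is refused for state-changing requests."""
    ref = headers.get("Origin") or headers.get("Referer")
    if not ref:
        return False
    return urlparse(ref).netloc == site_host

def accept_state_change(headers, form, session_id, site_host="www.example.com"):
    """Gate for a sensitive POST (e.g. change password): both checks must pass."""
    return referer_ok(headers, site_host) and verify_csrf_token(session_id, form.get("csrf_token"))

if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    tok = issue_csrf_token(sid)
    print("same-site with token:", accept_state_change({"Referer": "https://www.example.com/account"}, {"csrf_token": tok}, sid))
    print("foreign site with stolen token:", accept_state_change({"Referer": "https://attacker.example/"}, {"csrf_token": tok}, sid))
```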

18. Types of logic vulnerabilities

1 Arbitrary modification of the order amount
2 Captcha returned in the response
3 No verification of login credentials
4 Unlimited enumeration through an interface
5 Cookie design flaws
6 Password-recovery design flaws
7 Values naively read from memory and used as user credentials


Origin blog.csdn.net/m0_48368237/article/details/113409137