Practical Tips for SRC Vulnerability Mining

0x01 Information collection

1. Google hacking syntax in practice

Syntax for quickly finding information leaks, exposed admin backends and similar, for example:

filetype:txt 登录
filetype:xls 登录
filetype:doc 登录
intitle:后台管理
intitle:login
intitle:后台管理 inurl:admin
intitle:"index of /"
(登录 = "login", 后台管理 = "admin backend"; keep the Chinese terms when the target's pages are in Chinese)

To restrict the search to a particular site, add site:example.com, for example:

site:example.com filetype:txt 登录
site:example.com intitle:后台管理
site:example.com admin
site:example.com login
site:example.com system
site:example.com 管理
site:example.com 登录
site:example.com 内部
site:example.com 系统
(管理 = "management", 登录 = "login", 内部 = "internal", 系统 = "system")

Adjust the keywords to the target. Google and Bing are recommended. Even if the page has since been taken down, the search engine's cached copy usually still contains it.


2. Shodan and FOFA network asset search engines

 

Network asset search engines such as Shodan and FOFA index devices exposed on the Internet. They are very powerful and are to the security world what Google is to the web:

 

Shodan can even pivot on a company's logo, because it hashes every favicon it collects. For example, look up an IP in Shodan and click "View Raw Data":

 

Find the data.0.http.favicon.hash field (the favicon object also carries the base64-encoded image itself in .data):

 

Search for that hash value to find every host serving the same logo, i.e. the company's other assets:

http.favicon.hash:-1507567067

The Shodan Chrome extension is recommended for quick lookups while browsing:

https://chrome.google.com/webstore/detail/shodan/jjalcfnidlmpjhdfepjhjbhnhkbgleap

 

FOFA is a Chinese cyberspace asset search engine similar to Shodan. Common search syntax:

title="abc"       search page titles for abc. Example: sites with 北京 (Beijing) in the title
header="abc"      search HTTP response headers for abc. Example: JBoss servers
body="abc"        search the HTML body for abc. Example: body contains "Hacked by"
domain="qq.com"   sites whose root domain is qq.com
host=".gov.cn"    search the URL/host for .gov.cn; note the field is called host. Example: government and education sites
port="443"        assets with port 443 open
...

A practical query:

body="keyword1" && country="CN" && title="keyword2"

This quickly locates sites in China that match both keywords.

3. Subdomain collection

Several useful tools:

 

  • JSFinder
    A site's JS files contain plenty of material useful for testing. JSFinder extracts URLs and subdomains from JS and widens the scope of the test. It offers a normal crawl and a deep crawl; the deep crawl follows links one level down and fetches their JS too, so it takes longer. The process is as follows:

 

  • Sublist3r ( GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers )
    Sublist3r is a Python tool that enumerates a site's subdomains by querying search engines. It currently supports Google, Yahoo, Bing, Baidu and Ask, with more planned, and also pulls subdomains from Netcraft and DNSdumpster.

 

  • Yunsee ( yunsee.cn-2.0 )
    Yunsee collects subdomains, IP ranges, CMS fingerprints and other information online.

 

4. Real-time monitoring of GitHub sensitive-information leaks

GSIL (GitHub Sensitive Information Leakage) project, address:
GitHub - FeeiCN/GSIL: GitHub Sensitive Information Leakage (GitHub Sensitive Information Leakage Monitoring)

 

Configure keywords and GSIL watches GitHub for matching sensitive information in near real time, mailing hits to a designated mailbox:

 

5. Cloud drive search engines

As with GitHub, company-internal files often end up leaked on cloud drives (网盘), so these also deserve attention. Common cloud drive search engines:
Panduoduo: http://www.panduoduo.net/pan
Pansou: a Baidu Netdisk search engine

 

6. Pay attention to official accounts, service accounts, mini programs and apps

A company's WeChat official accounts, service accounts, mini programs and apps extend the attack surface. Some application portals have no web entry at all and can only be reached through the official account, mini program or app. Companies sometimes even run official or service accounts set up purely for testing; these deserve particular attention:

 

7. Register non-ordinary users (merchants, enterprise users, etc.)

Merchant and enterprise accounts usually require several documents at registration (business license, enterprise registration number, etc.), which is tedious:

 

Don't give up because of the hassle. The harder a role is to register, the fewer testers have looked at it and the more bugs it tends to hold. Review is often lax: in many cases registration goes through with whatever is supplied, or with nothing more than a phone verification.

  • Find a way to supply the required materials (the original suggests buying a license image online, collecting public company information, or Photoshop)
  • Find a way to obtain an existing account (credential stuffing, leaked credential databases, QQ groups, GitHub leaks, etc.)
  • Borrow, rent or buy an account

Check the program's rules before going down this road: forging business documents or trading accounts is outside the scope of most SRCs and may be illegal, and a test account requested through the SRC is usually the safer route.

 

0x02 WeChat official account packet capture

A company's WeChat official account greatly broadens the test scope. Some links from the official account can simply be copied into a browser and tested with the usual methods. Others, however, will not load normally once copied out of WeChat:

 

This can be handled by capturing WeChat traffic in an Android emulator or on a physical phone, but both are inconvenient. Here is a method for capturing the traffic of the PC WeChat client directly with SocksCap64.
SocksCap64 is a proxy client that supports HTTP/HTTPS, SOCKS4/5, TCP and UDP. Forward everything to Burp and you can capture and analyse the packets.
First, set up a proxy listener in Burp:

 

Then, in SocksCap64, set the proxy server to Burp's listener address and port, with proxy type HTTP:

 

Use SocksCap64's proxy test to confirm the proxy is reachable:

 

Then launch WeChat through SocksCap64:

 

The PC client's traffic now shows up in Burp. If HTTPS links fail after proxying, install Burp's CA certificate into the Windows trusted root store, since the client will otherwise reject the intercepted TLS connections:

 

0x03 Login interface ideas

 

0x04 SMS and email bombing bypasses

Registration and login flows frequently take a phone number or email address, and these are where SMS and email bombing vulnerabilities (unlimited resending of verification codes) turn up. They are easy to test; some sites rate-limit, but there are bypasses.

Some currently popular sites for receiving SMS on temporary numbers, handy for testing:

https://www.pdflibr.com/

http://www.z-sms.com/

https://www.receive-sms-online.info/

[China] http://www.smszk.com/

[Overseas] http://receive-sms-online.com/

[Overseas] https://smsnumbersonline.com/

[Overseas] https://www.freeonlinephone.org/

[Overseas] https://sms-online.co/receive-free-sms

When a phone number or email plus a verification code serves as the login credential, the function points usually involved are:

  • Register an account
  • User identity verification when setting a password for the first time
  • account login
  • reset Password
  • Bind mobile phone/email
  • Modify the bound mobile phone/email
  • Free trial / promotion claiming / feedback forms
  • ...

Common tests and bypasses:

 

0x05 Logic Vulnerabilities

As developers' security awareness improves and IPS/IDS, WAFs and full-traffic inspection become standard, classic SQL injection and command execution bugs are getting rarer and harder to exploit (every payload has to get past the protective devices). Business logic flaws, by contrast, slip past almost all traditional protection, and there is still no really effective generic defence against them. Business logic is also complicated, so even experienced programmers introduce such bugs. With solid fundamentals, clear logical thinking, patience, and a refusal to skip any step, these flaws are comparatively easy to find.

 

1. Tampering with the response

Scenario 1: changing the bound mobile number

The usual flow is: verify the old mobile number -> enter the new mobile number -> submit the change

If a step does not re-check that the previous step actually passed, the flow can be bypassed. For example, in step 1 enter any verification code, then edit the relevant field in the response (change 0 to 1, false to true, and so on). The front end moves on to the new-number page. If step 3 then does not check on the server that step 1 succeeded, the number can be changed without ever knowing the old phone's code.

WooYun case: http://www.anquan.us/static/bugs/wooyun-2015-0120951.html

Scenario 2: login bypass

Some sites decide authentication in the front end, so simply editing the relevant field in the login response (0 to 1, false to true) logs you in as any user.

WooYun case: http://www.anquan.us/static/bugs/wooyun-2015-0151201.html
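Both scenarios are the same defect: the server's response is a hint to the UI, not the server's own memory of what was verified. The following is an added example, not code from the original post or from any of the WooYun cases: a toy model of the three-step change-phone flow with a vulnerable server, whose step 3 trusts that the client only reaches it after step 1, beside a fixed one that records step 1's outcome in server-side session state and consumes it. The attacker function does exactly what the text describes, entering a junk code and flipping the response client-side. Phone numbers, codes and session IDs are constructed.

```python
import hmac
from typing import Dict


class User:
    def __init__(self, phone: str, pending_code: str) -> None:
        self.phone = phone
        self.pending_code = pending_code     # code the server sent to the OLD number


class VulnerableServer:
    """Step 1 returns a success flag; step 3 assumes the UI only calls it after step 1 passed."""

    def __init__(self, user: User) -> None:
        self.user = user
        self.sessions: Dict[str, dict] = {}

    def step1_verify_old_phone(self, sid: str, code: str) -> dict:
        ok = hmac.compare_digest(code, self.user.pending_code)
        return {"success": ok}               # nothing recorded server-side

    # step 2 (entering the new number) is purely a UI step and needs no server call

    def step3_submit_new_phone(self, sid: str, new_phone: str) -> dict:
        # BUG: no check that step 1 succeeded for this session
        self.user.phone = new_phone
        return {"success": True}


class FixedServer(VulnerableServer):
    """Same API; the server remembers the verification itself and step 3 requires it."""

    def step1_verify_old_phone(self, sid: str, code: str) -> dict:
        ok = hmac.compare_digest(code, self.user.pending_code)
        if ok:
            self.sessions[sid] = {"old_phone_verified": True}
        return {"success": ok}

    def step3_submit_new_phone(self, sid: str, new_phone: str) -> dict:
        state = self.sessions.get(sid, {})
        if not state.get("old_phone_verified"):
            return {"success": False, "error": "old phone not verified"}
        self.sessions[sid] = {}              # one-shot: consume the verification
        self.user.phone = new_phone
        return {"success": True}


def tamper_attack(server: VulnerableServer, sid: str, new_phone: str) -> bool:
    """Wrong code, response flipped in the proxy, then straight on to step 3."""
    resp = server.step1_verify_old_phone(sid, "000000")
    resp["success"] = True                   # edited in Burp; the server never sees this
    return server.step3_submit_new_phone(sid, new_phone)["success"]


def honest_flow(server: VulnerableServer, sid: str, code: str, new_phone: str) -> bool:
    if not server.step1_verify_old_phone(sid, code)["success"]:
        return False
    return server.step3_submit_new_phone(sid, new_phone)["success"]


if __name__ == "__main__":
    victim = User(phone="13800138000", pending_code="482913")   # constructed
    print("vulnerable:", tamper_attack(VulnerableServer(victim), "sid-a", "13900000000"), victim.phone)
    victim = User(phone="13800138000", pending_code="482913")
    print("fixed     :", tamper_attack(FixedServer(victim), "sid-b", "13900000000"), victim.phone)
```

The login-bypass scenario is the same bug with one step instead of three: if the only thing standing between the client and the logged-in pages is a flag in a response, the server has delegated authentication to the attacker's proxy.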

2. Horizontal privilege escalation

Scenario 1: ID traversal
Some requests carry obvious numeric ID parameters in GET or POST (mobile number, employee number, bill number, bank card number, order number, etc.). Try iterating them: if the program does not check that the current user owns the object, you have horizontal privilege escalation.

WooYun case: http://www.anquan.us/static/bugs/wooyun-2016-0204958.html

Scenario 2: ID replacement
If the program hashes or encrypts the user ID and you cannot reproduce the scheme, you cannot enumerate other users' data by traversal. Instead, register two accounts and swap the two encrypted IDs between the sessions: if account A can fetch account B's object, the program is not checking ownership and the same flaw is present.
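The two-account swap is mechanical enough to script. The following is an added example, not from the original post or the WooYun case: an in-memory order lookup with the ownership check missing, beside the corrected version, and an idor_check harness that takes each account's session and the object IDs it legitimately owns and requests every other account's IDs with it. The IDs are opaque hashes so the traversal route is unavailable, as in scenario 2; the users, tokens and order data are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Order:
    owner: str
    detail: str


def opaque_id(n: int) -> str:
    """Constructed stand-in for an 'encrypted' ID the tester cannot forge or enumerate."""
    return hashlib.sha256(f"order:{n}".encode()).hexdigest()[:16]


# Constructed data: two accounts, one order each.
ALICE_ORDER = opaque_id(1001)
BOB_ORDER = opaque_id(1002)
ORDERS: Dict[str, Order] = {
    ALICE_ORDER: Order("alice", "alice: delivery address, card ending 1234"),
    BOB_ORDER: Order("bob", "bob: delivery address, card ending 9876"),
}
TOKEN_TO_USER = {"tok-alice": "alice", "tok-bob": "bob"}   # session token -> user
SESSIONS = {"alice": "tok-alice", "bob": "tok-bob"}        # user -> token (tester's two accounts)
OWN_IDS = {"alice": [ALICE_ORDER], "bob": [BOB_ORDER]}     # IDs each account legitimately sees

Response = Tuple[int, Optional[str]]


def get_order_vulnerable(token: str, order_id: str) -> Response:
    user = TOKEN_TO_USER.get(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order.detail                 # BUG: authenticated, but ownership never checked


def get_order_fixed(token: str, order_id: str) -> Response:
    user = TOKEN_TO_USER.get(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        return 404, None                     # same answer for 'not yours' and 'not found'
    return 200, order.detail


def idor_check(endpoint: Callable[[str, str], Response],
               sessions: Dict[str, str],
               own_ids: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Request every other account's IDs with each session; return (attacker, victim, id) for every 200."""
    leaks = []
    for attacker, token in sessions.items():
        for victim, ids in own_ids.items():
            if victim == attacker:
                continue
            for oid in ids:
                status, _ = endpoint(token, oid)
                if status == 200:
                    leaks.append((attacker, victim, oid))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", idor_check(get_order_vulnerable, SESSIONS, OWN_IDS))
    print("fixed     :", idor_check(get_order_fixed, SESSIONS, OWN_IDS))
```

For a real target, endpoint becomes a function that replays the captured request with the given session cookie and ID, and own_ids is filled from what each account sees in its own UI. Checking in both directions matters: an ownership check that is only applied on one role or one code path still shows up as a leak for the other account.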

3. Vertical privilege escalation

Look at the session or role field in the cookie and try modifying it. It may turn out, for example, that:
level=1: admin
level=2: VIP user
level=3: normal user
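A level field like that is exploitable only because the server reads it back from the cookie without any integrity check. The following is an added example, not from the original post: the vulnerable cookie parsing beside a version that issues the session as an HMAC-signed token and refuses any cookie whose signature does not verify, so editing level=3 to level=1 simply logs the user out. The key, cookie layout and role table are assumptions for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

ROLES = {"1": "admin", "2": "vip", "3": "user"}
SERVER_KEY = b"constructed-demo-key-use-a-random-secret"   # assumption: held only server-side


def _cookie_fields(cookie: str) -> Dict[str, str]:
    """Parse 'a=1; b=2' into a dict (value may itself contain '=')."""
    return dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)


def role_vulnerable(cookie: str) -> Optional[str]:
    """Reads the role straight from the cookie: the client picks its own privilege level."""
    return ROLES.get(_cookie_fields(cookie).get("level"))


def _mac(payload: str) -> str:
    digest = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_cookie(uid: str, level: str) -> str:
    """Server side: the session value is payload + '.' + HMAC(payload)."""
    payload = f"uid={uid}&level={level}"
    return f"session={payload}.{_mac(payload)}"


def role_signed(cookie: str) -> Optional[str]:
    """Accept the level only if the signature over the whole payload verifies."""
    token = _cookie_fields(cookie).get("session", "")
    payload, sep, mac = token.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _mac(payload)):
        return None                          # missing or tampered: treat as unauthenticated
    fields = dict(kv.split("=", 1) for kv in payload.split("&") if "=" in kv)
    return ROLES.get(fields.get("level"))


if __name__ == "__main__":
    print("vulnerable, level=3 ->", role_vulnerable("uid=42; level=3"))
    print("vulnerable, level=1 ->", role_vulnerable("uid=42; level=1"))
    signed = issue_cookie("42", "3")
    print("signed, untouched   ->", role_signed(signed))
    print("signed, tampered    ->", role_signed(signed.replace("level=3", "level=1")))
```

Signing fixes the tampering; the stronger design is not to carry the role in the cookie at all, but to keep only an opaque session ID client-side and look the role up server-side on every request, so a leaked signing key cannot mint admin sessions either.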

 

Note, this tutorial article is only for learning and research purposes, please do not use it for illegal purposes. Vulnerability mining should abide by the relevant rules in the SRC.

Source: https://blog.csdn.net/weixin_55436205/article/details/130434247