The Common Law of Hacking

1. No matter what site or what language I want to break into, the first thing is to scan the directories; ideally you turn up an upload point and upload a shell straight away. Don't laugh: sometimes you spend a long time working a site and finally discover there was a ready-made upload point all along, and an easy one to guess. This happens mostly with ASP sites!

2. ASP (ASPX) + MSSQL: think injection first. An injection point that runs as db_owner usually lets you write the shell directly. If it cannot be written, or the web server and the database are on separate machines, dump the data instead and go in through the back-end (admin) panel, where you can upload files or edit configuration files.

3. ASP (ASPX) + Access: there are generally only three ways to get a shell. One is uploading from the front end, or injecting to get back-end credentials and uploading from there; the second is injecting into the back end and modifying a configuration file; the third is when the database itself is an .asp or .asa file, in which case you write a one-line shell into it directly.

4. PHP + MySQL: usually inject, get into the back end and upload; occasionally you are lucky enough to have SELECT ... INTO OUTFILE. Then there is file inclusion, local and remote; remote inclusion is not available on newer PHP versions (it is governed by allow_url_include, which is off by default), so find a way to upload an image file or write into a log and include it locally. After that come undisclosed vulnerabilities in the PHP program itself: with luck you can write the shell directly.

5. JSP + MySQL is basically the same as PHP as far as using the database to obtain access goes, and JSP uploads rarely check the file extension, so as long as there is an injection point and a back end, getting a shell is quite easy. I haven't encountered many JSP + Oracle sites, and the ones I have encountered were also done by guessing back-end usernames and passwords.

6. However big the site, the main site is generally well secured (otherwise it would have been owned long ago), so we usually start from the second-level subdomains: guess usernames and passwords of the main site from there, or get hold of the main site's source code, or use side-note (a neighbouring site on the same shared host) to get a server on the same network segment and then use Cain or ARP spoofing.

7. Large websites rarely use an off-the-shelf CMS, so if you are lucky enough to get the source code, audit it: injection, upload and file-write vulnerabilities are all in your hands. Also look at the new test sub-sites of big sites; sites still in testing are easily taken.

8. Uploads suffer from filename truncation, of two kinds: 00 (null-byte) truncation and long-filename truncation (I used this to get hw); many places that write files are also vulnerable to 00 truncation, which I have confirmed repeatedly. When uploading, don't forget the magic of an .asp directory (and likewise .asa, .cer, .cdx).
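The two truncation tricks in item 8 work because the upload script validates one string and the operating system stores another. The Python below is an added example and not code from the original post: it simulates the C-string and length truncation that old upload handlers inherited from the file APIs underneath them, then shows a hardened handler that validates the exact bytes it will write, generates the stored name itself and refuses an upload directory named like x.asp. The allow-list, the 255-byte limit and the /var/www/uploads path are assumptions made for the demo.

```python
import posixpath
import secrets

# Assumed for the demo: extensions the handler means to allow, and the extensions
# IIS 6 handed to the ASP engine (the ones the post lists: asp, asa, cer, cdx).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE_EXTS = {"asp", "asa", "cer", "cdx"}
MAX_NAME_LEN = 255  # assumed filesystem limit; the real value depends on the OS/FS


def naive_is_allowed(filename):
    """The check many old upload scripts did: look only at the text after the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTS


def name_seen_by_filesystem(filename):
    """What a C-string file API actually stores: everything after the first NUL is
    dropped, and the remainder is cut at the filesystem's length limit."""
    return filename.split("\x00", 1)[0][:MAX_NAME_LEN]


def vulnerable_store(filename):
    """Validate the name the application sees, then save under the name the OS sees.
    Returns the stored filename, or None if the naive check rejected it."""
    if not naive_is_allowed(filename):
        return None
    return name_seen_by_filesystem(filename)


def hardened_store(filename, upload_dir="/var/www/uploads"):
    """Validate the exact bytes that will be written and never trust the client name.
    Returns the absolute path the file would be written to, or None when rejected."""
    # 1. NUL bytes have no place in a filename; reject instead of silently truncating.
    if "\x00" in filename:
        return None
    # 2. Discard any directory part the client sent (both separator styles).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        return None
    # 3. Require an allow-listed final extension and no executable extension anywhere
    #    in the name (shell.asp.jpg and the long-name trick both fail here).
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTS:
        return None
    if any(p in EXECUTABLE_EXTS for p in parts[:-1]):
        return None
    # 4. Generate the stored name ourselves, so length limits cannot be abused.
    stored = secrets.token_hex(16) + "." + parts[-1]
    # 5. The upload directory itself must not carry an executable extension:
    #    IIS 6 executed anything placed under a directory named like x.asp.
    for component in upload_dir.strip("/").split("/"):
        if component.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS:
            return None
    root = posixpath.normpath(upload_dir)
    full = posixpath.normpath(posixpath.join(root, stored))
    # 6. Final containment check: the resolved path must stay inside upload_dir.
    if not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    long_name = "a" * 251 + ".asp.jpg"          # 255 bytes survive: a...a.asp
    print(vulnerable_store("shell.asp\x00.jpg"))  # shell.asp
    print(vulnerable_store(long_name)[-8:])       # aaaa.asp
    print(hardened_store("shell.asp\x00.jpg"))    # None
    print(hardened_store(long_name))              # None
    print(hardened_store("photo.jpg"))            # /var/www/uploads/<random>.jpg
```

The vulnerable path passes because the check and the write disagree about what the filename is; the hardened path never lets the client choose the stored name, so neither truncation has anything to act on.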

9. On PHP sites, Windows or Linux alike, magic_quotes_gpc is the problem. Even when magic_quotes_gpc is on you can still SELECT ... INTO OUTFILE if the injection comes through server variables, which magic_quotes does not escape; that was the case with an unreleased CMS I worked on this year. Usually, when it is on, forget about writing files, but if you have that privilege don't forget to read file source instead, because the argument to load_file can be encoded (as a hex literal, so no quotes are needed).
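Item 9 rests on two PHP and MySQL facts: magic_quotes_gpc escapes only GET, POST and COOKIE data (not $_SERVER values such as request headers), and MySQL accepts a hexadecimal literal anywhere a string is expected. The Python below is an added example, not code from the original post; it reimplements addslashes() to show which payloads survive magic quotes and builds the hex-encoded load_file() argument. The UNION fragment shape and the file paths are illustrative.

```python
def addslashes(value):
    """PHP's magic_quotes_gpc: backslash-escape single quote, double quote,
    backslash and NUL in every GET/POST/COOKIE value before the script runs."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_receives(source, value):
    """What a script sees with magic_quotes_gpc=On: only the G, P and C
    superglobals are escaped; $_SERVER (request headers etc.) arrives untouched."""
    return addslashes(value) if source in ("GET", "POST", "COOKIE") else value


def mysql_hex_literal(text):
    """MySQL accepts 0x... where a string is expected; the literal contains no quotes."""
    return "0x" + text.encode("utf-8").hex()


def load_file_fragment(path, quoted=False):
    """UNION fragment asking MySQL for a file's contents (illustrative shape).
    quoted=True is the naive form that magic quotes mangles."""
    arg = "'" + path + "'" if quoted else mysql_hex_literal(path)
    return "-1 UNION SELECT load_file(" + arg + ")"


def survives_magic_quotes(source, payload):
    """True when the payload reaches the SQL string unchanged from that source."""
    return php_receives(source, payload) == payload


if __name__ == "__main__":
    print(load_file_fragment("/etc/passwd"))                         # hex form
    print(survives_magic_quotes("GET", load_file_fragment("/etc/passwd")))  # True
    print(survives_magic_quotes("GET", load_file_fragment("/etc/passwd", quoted=True)))  # False
    # A header-borne payload is not escaped at all, quotes included:
    print(survives_magic_quotes("SERVER", "' INTO OUTFILE '/tmp/x.php' -- "))  # True
```

The hex literal only removes the quoting obstacle: load_file() still requires the FILE privilege, and newer MySQL versions restrict readable locations with secure_file_priv, which is why the post says "if you have that privilege".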

10. Guessing paths or filenames is essential during an intrusion. When you can't guess the path, don't forget Google (Baidu is poor; Google is very thorough), and consider reading the site's robots.txt: there are often surprises in it.

11. Tool use matters. Scanning with WVS before an intrusion helps; there are many injection tools, but not all of them are good. Hardware and software firewalls and anti-injection scripts are getting stronger, so don't be lazy when they get in the way: more manual work will help you grow.

12. Ever run into top-end monitoring or other upload-blocking firewalls? Sometimes after getting a one-line shell in you still cannot push the full webshell (the "big horse") through. That is when you should learn to encode and transform the payload to bypass the filter.

13. For a typical small website, remember to check its copyright notice, find the company that built it, then start from the other websites made by the same company: get the source code and come back. I used this method to take a well-known pharmaceutical company's website.

14. The side-note idea (attacking a neighbouring site on the same shared server) is never outdated. When you run into a db_owner-level injection you can comfortably write the shell to the site you actually need, saving the trouble of privilege escalation; if you are unlucky, work step by step from the shell you have to the target you need.

15. Never forget social engineering. Approach it as someone who knows nothing and start from a webmaster's QQ number, ID card number, email and so on; sometimes there are surprises. Don't forget the simple attempts either: admin/admin, test/test, 123456/123456; of course you can also brute force.

16. Don't ignore XSS and don't ignore cookies. XSS can steal cookies and has other magical uses; learn them yourself. Cookies can be forged to log in, cookies can be injected, and cookie injection bypasses most firewalls, because most anti-injection scripts inspect only the query string and form body while the application reads the parameter from cookies too.
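Cookie injection (item 16) works because classic ASP's Request("name") falls through QueryString, Form and Cookies, while the typical anti-injection include inspects only the first two. The Python below is an added example, not code from the original post: it models that lookup order and that filter, shows the cookie path slipping past, and contrasts it with reading the parameter from the intended source only and enforcing its type. The request dictionaries, the signature list and the news table are constructed for the demo.

```python
import re

# Signature list of a typical anti-injection include (constructed for the demo).
SQLI_PATTERN = re.compile(r"('|--|;|\b(or|and|union|select)\b)", re.IGNORECASE)


def request_lookup(req, name):
    """Classic ASP Request("name") semantics: QueryString, then Form, then Cookies.
    req is a dict with optional keys "query", "form" and "cookies"."""
    for collection in ("query", "form", "cookies"):
        if name in req.get(collection, {}):
            return req[collection][name]
    return None


def naive_filter(req):
    """The usual anti-injection script: inspects GET and POST values only."""
    for collection in ("query", "form"):
        for value in req.get(collection, {}).values():
            if SQLI_PATTERN.search(value):
                return False
    return True


def vulnerable_query(req):
    """SQL the page would run after the filter, or None when the filter blocks it."""
    if not naive_filter(req):
        return None
    return "SELECT * FROM news WHERE id=" + str(request_lookup(req, "id"))


def hardened_query(req):
    """Take the parameter from the intended source only and enforce its type.
    Returns (sql, params) for a parameterised execute, or None when invalid."""
    raw = req.get("query", {}).get("id")
    if raw is None or not raw.isdigit():
        return None
    return "SELECT * FROM news WHERE id=?", (int(raw),)


if __name__ == "__main__":
    payload = "1 union select username,password from admin"
    via_query = {"query": {"id": payload}}
    via_cookie = {"query": {}, "cookies": {"id": payload}}
    print(vulnerable_query(via_query))    # None: the filter saw it
    print(vulnerable_query(via_cookie))   # the injected SQL, unfiltered
    print(hardened_query(via_cookie))     # None: cookies are not a valid source
    print(hardened_query({"query": {"id": "42"}}))
```

The general lesson is that a filter placed in front of the wrong parameter source is no filter at all; validating at the point of use, with the type the query needs, does not depend on guessing every channel an attacker might use.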

17. Get into the habit of collecting paths, source code and tools from the sites you visit to enrich your arsenal, and ideally record your own intrusion steps, or reflect on them afterwards. I usually record them in a txt file. Draw inferences from one case to others.

18. Google for keywords such as edit.asp?; there are many broilers (compromised hosts) in Korea, most of them with MSSQL databases!

19. Google: site:cq.cn inurl:asp

20. Use Digging Chicken (the dork scanner) and an ASP Trojan. File name: login.asp; path group: /manage/; keyword: went.asp; log in with 'or'='or'.

21. Keyword: Co Net MIB Ver 1.0 website background management system; account and password 'or'='

22. Dynamic shopping system: inurl:help.asp. Log in (register as a member if you are not one). Use either upLoad_bm1.asp or upLoad_c1.asp; administrators generally overlook these two holes.

23. Default database address: blogdata/acblog.asa; keyword: acblog

24. Search Baidu for /htdocs; after registering you can upload .asa files directly!

25. /Database/#newasp.mdb; keyword: NewAsp SiteManageSystem Version

26. Excavator keyword: Powered by WEBBOY; page: /upfile.asp

27. Search Baidu for Ver5.0 Build 0519 (upload vulnerability exists)

28. Upfile_Article.asp, bbs/upfile.asp; keyword: powered by mypower

29. Enter inurl:winnt\system32\inetsrv\ in Google and you can find many websites

30. Google keyword: intitle:website assistant inurl:asp

31. Keyword: Home page | Latest news | Beginner's guide | Dance music download centre | Classic articles | Player demeanour and equipment purchase | Site rumours | Friendly links | Site forum. Digging Chicken keywords; append setup.asp.

32. vBulletin forum: default path /includes/functions.php. Tools: Website Hunter (download it via Baidu or Google). Google keywords: Powered by: vBulletin Version 3.0.1 / Version 3.0.2 / Version 3.0.3; any one of them will do.

33. Open Baidu or Google and search for "powered by comersus ASP shopping cart open source"; this is a shop system. At the bottom of the site there is "Comersus Open Technologies LC". Guess that comersus.mdb is the database name; databases are placed under database/, so replace comersus_listCategoriesTree.asp with database/comersus.mdb. If that cannot be downloaded, remove the preceding "store/" and try database/comersus.mdb again.

34. Wuyou Legend official site program. Back-end management address: http://your-domain/msmiradmin/; default back-end account: msmir; default back-end password: msmirmsmir. Database file: http://your-domain/msmirdata/msmirArticle.mdb; database connection file: *************/Conn.asp

35. Search Baidu for /skins/default/

36. Excavator keyword: power by Discuz; path: /wish.php; use together with the Discuz! forum wish.php remote include vulnerability tool.

37. Upload vulnerability. Tools: Domain3.5, Website Hunter 1.5; keyword: powered by mypower; probe by appending upfile_photo.asp to the page or path.

38. New Cloud (NewAsp) vulnerability, present in both the Access and the SQL versions. Google keywords: "About this site - Website Help - Advertising Cooperation - Download Statement - Friendship Links - Site Map - Management Login". Submit flash/downfile.asp?url=uploadfile/../../conn.asp to the site and you can download conn.asp from the web root. Most of these are source-code and software download sites, and you often come across databases whose name begins with or contains "#", which the browser treats as a URL fragment; replace it with %23 and the file downloads: \database\%23newasp.mdb, or #xzws.mdb becomes %23xzws.mdb.
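Item 38 combines a path-traversal download (url=uploadfile/../../conn.asp) with the # to %23 trick. The Python below is an added example, not code from the original post: it shows the containment check a download script should have made, and uses the standard-library URL parser to show why a literal # never reaches the server while %23 does. The /wwwroot/flash base directory and the example URLs are assumptions made for the demo.

```python
import posixpath
from urllib.parse import quote, unquote, urlsplit


def safe_download_path(base_dir, requested):
    """Resolve a client-supplied relative path under base_dir.
    Returns the normalised absolute path, or None if it escapes base_dir."""
    if "\x00" in requested:
        return None
    requested = requested.replace("\\", "/")      # IIS accepts both separators
    if requested.startswith("/"):
        return None                               # absolute paths are never valid here
    root = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # normpath has already collapsed every ../; anything left outside root is rejected
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def browser_view(url):
    """Split a URL the way a browser does: the part after '#' is a fragment and is
    never sent to the server, so /database/#newasp.mdb requests /database/ only."""
    parts = urlsplit(url)
    return unquote(parts.path), parts.fragment


def encode_hash(name):
    """Percent-encode '#' (and other reserved characters) so the server receives it."""
    return quote(name, safe="/")


if __name__ == "__main__":
    print(safe_download_path("/wwwroot/flash", "uploadfile/../../conn.asp"))  # None
    print(safe_download_path("/wwwroot/flash", "uploadfile/a.swf"))           # kept
    print(browser_view("http://example.com/database/#newasp.mdb"))    # ('/database/', 'newasp.mdb')
    print(browser_view("http://example.com/database/%23newasp.mdb"))  # ('/database/#newasp.mdb', '')
    print(encode_hash("/database/#newasp.mdb"))                        # /database/%23newasp.mdb
```

Naming an Access file #something.mdb was a common "protection" precisely because a browser drops the fragment; as the post notes, percent-encoding the character defeats it, so the real fix is keeping the database outside the web root.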

39. Taking all malls + the Power upload system. Tools: Digging Chicken v1.1, Ming Xiaozi. Mall intrusion, keyword: Purchase -> Add to shopping cart -> Go to the cash register -> Confirm consignee information -> Select payment method -> Select delivery method -> Online payment or remittance after placing an order -> Remittance confirmation -> Delivery -> Completion; vulnerable pages: upload.asp, upfile_flash.asp. Power intrusion, keyword: powered by mypower; vulnerable pages: upfile_photo.asp, Upfile_Soft.asp, upfile_adpic.asp, upfile_softpic.asp

40. Dongyi column directory admin_articlerecyclebin.asp; inurl:admin_articlerecyclebin.asp

41. Tool: Website Hunter; keyword: inurl:Went.asp; suffix: manage/login.asp; password: 'or'='or'
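Items 20, 21 and 41 log in with 'or'='or', which only works because the back end concatenates the form fields into its SQL string. The Python and SQLite below are an added example, not code from the original post: they build such a query, bypass it, and show the parameterised version that the same input cannot bypass. Whether the exact 'or'='or' string succeeds depends on how the engine treats the bare string '=' as a boolean (SQLite coerces it to 0), so the example uses the engine-independent ' or ''=' form of the same trick. The admin table and its password are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demo: one admin account.
    A real system would store a password hash; the query shape is the point here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'correct-horse-battery')")
    return conn


def rendered_sql(username, password):
    """The string the vulnerable login hands to the database, for inspection."""
    return ("SELECT username FROM admin WHERE username='" + username
            + "' AND password='" + password + "'")


def vulnerable_login(conn, username, password):
    """String-concatenated query, the pattern behind every 'or'='or' back end.
    Returns the matched username or None."""
    row = conn.execute(rendered_sql(username, password)).fetchone()
    return row[0] if row else None


def hardened_login(conn, username, password):
    """Parameterised query: the driver sends values separately from the SQL text,
    so quote characters in the input can never change the WHERE clause."""
    sql = "SELECT username FROM admin WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or ''='"
    # WHERE username='' or ''='' AND password='' or ''=''  ->  the final ''='' is true
    print(rendered_sql(bypass, bypass))
    print("vulnerable:", vulnerable_login(db, bypass, bypass))  # admin
    print("hardened:  ", hardened_login(db, bypass, bypass))    # None
```

Because AND binds tighter than OR, the rendered WHERE clause becomes username='' OR (''='' AND password='') OR ''='', and the trailing ''='' makes every row match; the parameterised query compares the literal nine-character string against the column and matches nothing.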

42. Tools needed to attack Warcraft private-server sites: an ASP Trojan, Domain3.5 (Ming Xiaozi). Keyword: All Right Reserved Design: Game Alliance; back-end address: admin/login.asp; database address: chngame/#chngame.mdb

43. This hole is an administrator's IIS misconfiguration. The Baidu keywords are the rarer script names: Dongwang (Dvbbs): ReloadForumCache.asp; Leadbbs: makealltopanc.asp; BBSXP: admin_fso.asp; Dongyi: admin_articlerecyclebin.asp

44. Database-exposure vulnerability in a foreign guestbook, keyword: sad Raven's Guestbook; password file: /passwd.dat; back-end address: /admin.php

45. Keyword: Shannex; back-end path: /system/manage.asp; upload the ASP Trojan directly

46. Tools: 1. Website Hunter; 2. a full webshell. Keyword: "Do not turn off the Cookies function, otherwise you will not be able to log in"; append diy.asp

47. Keyword: Team5 Studio All rights reserved; default database: data/team.mdb

48. Tools: Excavator, Fuchen database reader. Keyword: Company Profile Product Display Product List; append /database/myszw.mdb; back-end address: admin/Login.asp

49. Keyword: XXX inurl:Nclass.asp. Write the Trojan into "System Settings"; it is stored in config.asp.

50. Getting a Dongwang (Dvbbs) webshell: data.asp?action=BackupData, the default path of the Dongwang database backup, without entering the back end.

51. Attacking the Leichi news release system. Keyword: leichinews; strip the trailing leichinews from the URL and enter admin/uploadPic.asp?actionType=mod&picName=xuanran.asp, then upload the shell and visit uppic/xuanran.asp.

52. Find large numbers of injection points through Google. Keywords: asp?id=1, gov.jp/ asp?id=; results per page: 100; language: whichever country you want to attack.

53. Keyword: Powered by: 94KKBBS 2005. Recover the admin account through the password-retrieval function: question ddddd, answer ddddd.

54. Keyword: **** inurl:readnews.asp. Change the last / to %5c to expose the database path directly, read the password, enter the back end, add an arbitrary news item and put our one-line Trojan in the title.

55. Tool: one-line Trojan. BBSXP 5.0 sp1 administrator guessing; keyword: powered by bbsxp5.00. Enter the back end and back up the one-line Trojan through the database backup!

56. Keyword: Program core: BJXSHOP online shop expert; back end: /admin

Origin blog.csdn.net/2301_77162959/article/details/131285751