[Web Security] How a beginner quickly found their first vulnerability: sharing src vulnerability-mining experience, all practical content!

Experience Sharing of src Vulnerability Mining – Keeping Security in Control
1. Public-interest src
Public-interest src is a platform where white hats submit vulnerabilities they come across. We can submit the vulnerabilities we stumbled upon, or actively hunted for, through Vulnerability Box.

Do not cross the red line when mining src. In general, when you encounter SQL injection you only need to obtain the database name to prove the vulnerability exists; it is best not to go any further. For an xss vulnerability, only retrieve information such as your own cookie or IP to prove it exists. For information leakage, if sensitive files can be downloaded, the files must be deleted once the vulnerability is confirmed. (I did not encounter other vulnerability types while digging src, so I cannot give more suggestions; please forgive me.)

The above is part of what src involves. (Students who have just started taking part in src activities can use it to get oriented.)

2. The vulnerabilities we generally look for (or the types recommended for scoring points)
If we want to reach the top of the list, we need a lot of vulnerabilities, because in most cases a high-risk vulnerability we dig up is only worth 4 points (small enterprises, etc.); that shortfall can be made up by increasing the mining speed. So below I introduce the vulnerabilities I recommend mining, and the methods and tools used to verify that they exist.

1. SQL injection

SQL injection is generally rated as a high-risk vulnerability, though when the vendor is small or the injection is hard to exploit it may be rated medium-risk. Digging out SQL injection is therefore very significant for ranking.
Verification of SQL injection is generally done by appending `and 1=1` and `and 1=2` after the id parameter and comparing the page's responses to judge whether injection exists. If it does, first test error-based injection and then try other injection types, or run sqlmap directly to get the database name and submit it. There are also cases where sqlmap cannot obtain the database name or table name, and then manual injection is required.
For mining SQL injection, we generally run sqlmap first to get the injection type and then run it again to get the database name; for Access and other databases that have no database name, run it to get the table name directly.


The effect diagram of sqlmap is as follows

Some commands of sqlmap are as follows

  1. `python sqlmap.py -u xxx --dbs`: run this to get the database names; once you have the database name you can usually submit.
  2. `python sqlmap.py -u xxx --tables`: for Access and other databases that have no database name, run this to get the table names.
  3. `python sqlmap.py -u xxx --delay=1`: adds a one-second delay between requests so that accessing too quickly does not get the IP banned.
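To make concrete what the `and 1=1` / `and 1=2` check is actually detecting, here is an added Python example (mine, not code from the original post or from sqlmap) that builds a small in-memory SQLite table, places the vulnerable string-concatenated lookup next to a parameterised one, and runs the differential probe against both. The `article` table, its columns and the `lookup_*` helpers are all constructed for this example and do not correspond to any real site.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a site's article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)",
                     [(1, "Welcome"), (2, "News")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    # Vulnerable pattern: the raw id parameter is pasted into the SQL text,
    # so "1 and 1=2" becomes part of the WHERE clause and changes the result.
    sql = f"SELECT id, title FROM article WHERE id={id_param}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, id_param: str) -> list:
    # Hardened pattern: validate the type, then bind the value as a parameter;
    # whatever the string contains, it can never become SQL syntax.
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM article WHERE id=?",
                        (id_value,)).fetchall()


def differential_probe(lookup, conn: sqlite3.Connection, base: str = "1") -> bool:
    """The check described in the post: send 'and 1=1' and 'and 1=2' after the
    id and compare the two responses. Different responses mean the parameter
    reached the database as SQL; identical responses mean it did not."""
    true_case = lookup(conn, f"{base} and 1=1")
    false_case = lookup(conn, f"{base} and 1=2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", differential_probe(lookup_vulnerable, db))  # True
    print("hardened lookup injectable:  ", differential_probe(lookup_hardened, db))    # False
```

The hardened version returns the same (empty) result for both probes because `int()` rejects the string before any SQL is built; the same holds if you bind the raw string with `?`, since SQLite then compares the column against a text value rather than parsing it as a condition.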

Other things about SQL injection

  1. SQL injection on a real site is actually not very different from our college's practice range, except that there may be a firewall and the IP may get banned (forbidden); the rest is much the same. At the end of the article I will put some screenshots of SQL injections that I dug up.
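From the defender's side, the firewall behaviour mentioned above (banning an IP that sends probes too quickly) rests on recognising exactly the request patterns this section describes. The following added Python example (mine, not from the post or from any tool it names) parses a few constructed Apache combined-format access log lines, URL-decodes the query string, flags the boolean `and 1=1` / `and 1=2` probes, trailing-quote error probes and the sqlmap User-Agent, and counts requests per source IP to spot the burst that a rate-limiting firewall would react to. The log lines, IP addresses, threshold and pattern list are all constructed assumptions, not real traffic or a real ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2023:10:00:01 +0800] "GET /news.php?id=1 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2023:10:00:02 +0800] "GET /news.php?id=1%20and%201%3D1 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2023:10:00:02 +0800] "GET /news.php?id=1%20and%201%3D2 HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2023:10:00:03 +0800] "GET /news.php?id=1%27 HTTP/1.1" 500 512 "-" "sqlmap/1.7"
198.51.100.9 - - [10/Jul/2023:10:00:05 +0800] "GET /news.php?id=2 HTTP/1.1" 200 3990 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe signatures matching the workflow in the post; applied to the decoded,
# lowercased query string. Constructed list, not a production ruleset.
PROBE_PATTERNS = [
    re.compile(r"\band\s+1\s*=\s*[12]\b"),   # boolean differential probe
    re.compile(r"'\s*(or|and)\b"),            # quote break-out followed by a boolean
    re.compile(r"'$"),                        # trailing single quote (error probing)
]


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(entry: dict) -> bool:
    """True if the request looks like an injection probe by query or User-Agent."""
    query = unquote_plus(entry["path"].partition("?")[2]).lower()
    if "sqlmap" in entry["ua"].lower():
        return True
    return any(p.search(query) for p in PROBE_PATTERNS)


def analyse(log_text: str, burst_threshold: int = 3) -> dict:
    """Summarise probes and high-volume source IPs over the lines given."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    probes = [e for e in entries if is_probe(e)]
    per_ip = Counter(e["ip"] for e in entries)
    bursty = {ip for ip, n in per_ip.items() if n >= burst_threshold}
    return {
        "probe_ips": sorted({e["ip"] for e in probes}),
        "probe_count": len(probes),
        "bursty_ips": sorted(bursty),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Decoding before matching matters: the probes arrive as `%20and%201%3D1`, so a rule that looks for the literal text `and 1=1` in the raw request line would miss them. The per-IP count is deliberately crude; a real deployment would bucket by time window, which is exactly what sqlmap's `--delay` option is trying to stay under.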

2. xss

In general, xss has three types: DOM, reflected and stored. When I dig src I only dig reflected xss and have never encountered the other two, so below I can only share some experience with reflected xss.

  1. Reflected xss vulnerabilities are generally classified as low-risk and add 2 points. So we can only meet our ranking requirements by collecting a large number of xss vulnerabilities, but sites containing xss are a little difficult to find, so I suggest testing for xss as well while testing SQL injection sites.

Testing xss generally means constructing a JS pop-up statement, typing the xss code into a form field, or constructing xss code after the id parameter in the URL bar, and then checking whether the page pops up. One troublesome thing is that there are many kinds of JS pop-up statements, so we would spend a lot of time constructing them; here we can use some tools to achieve the same effect (tools are discussed later).
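The "does the page pop up" check above reduces to one question: does the parameter come back in the response as markup, or as text? The added Python example below (mine, not from the post) renders a parameter into an HTML body and into an attribute value, first unescaped and then through `html.escape`, and uses a harmless marker string in place of a pop-up to test reflection. It goes slightly beyond the post by also showing why attribute context needs `quote=True`. The templates and marker strings are constructed for the example.

```python
import html

# Constructed fragments standing in for a search results page.
BODY_TEMPLATE = "<p>Results for: {q}</p>"
ATTR_TEMPLATE = '<input name="q" value="{q}">'


def render_body_unsafe(q: str) -> str:
    # Vulnerable: the parameter is pasted into the HTML body verbatim.
    return BODY_TEMPLATE.format(q=q)


def render_body_safe(q: str) -> str:
    # Hardened: entity-encode <, >, &, and quotes before they reach the markup.
    return BODY_TEMPLATE.format(q=html.escape(q, quote=True))


def render_attr_partial(q: str) -> str:
    # Common mistake: escaping only <, > and & is enough for body text but
    # not for an attribute value, because a double quote still ends the value.
    return ATTR_TEMPLATE.format(q=html.escape(q, quote=False))


def render_attr_safe(q: str) -> str:
    # Hardened for attribute context: quotes are encoded as well.
    return ATTR_TEMPLATE.format(q=html.escape(q, quote=True))


# Markers used instead of a pop-up: each only needs to survive into the
# output unchanged to prove the parameter is being reflected as markup.
BODY_MARKER = "<b>xssprobe</b>"      # a tag should come back as &lt;b&gt;
ATTR_MARKER = '" xssprobe="'         # a quote should come back as &quot;


def reflects_unescaped(render, marker: str) -> bool:
    """The reflection check: send the marker and see whether it reappears in
    the rendered page byte-for-byte (i.e. as markup rather than as text)."""
    return marker in render(marker)


if __name__ == "__main__":
    for name, fn, marker in [
        ("body, unsafe", render_body_unsafe, BODY_MARKER),
        ("body, escaped", render_body_safe, BODY_MARKER),
        ("attr, quote=False", render_attr_partial, ATTR_MARKER),
        ("attr, quote=True", render_attr_safe, ATTR_MARKER),
    ]:
        print(f"{name:20} reflected unescaped: {reflects_unescaped(fn, marker)}")
```

Running it shows the two unsafe renderers reflecting the marker and the two escaped ones not; the `quote=False` case is the instructive one, since the body-context fix looks correct until the same value is placed inside an attribute.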

Xss effect diagram
3. Information leakage

When I dig this type of vulnerability, what I encountered most was being able to access phpinfo output directly; the other case was being able to download a file containing sensitive information. I did not specifically look for this type of vulnerability when digging; I just tested for it casually while testing for SQL injection, so I put the specific process in the tool section later.

3. Using tools
The most common tools are crawlers, scanners and so on. With a crawler we can find sites, and with a scanner we can scan those sites for vulnerabilities and obtain vulnerability information. Below I describe the two tools I use most often when digging for vulnerabilities.

1. Crawler tool

Using a crawler tool, we can find sites that may have certain vulnerabilities, or sites we did not find when using Google search syntax.

Injection point batch collection tool
With this tool, fill Google search syntax into the content field to search for certain keywords in the URL, for example `inurl:php?id=`. Using it we can find sites, then test them and try to find vulnerabilities such as SQL injection and xss.

2. Scanning tool

I mostly use Chaitin Technology's xray to scan a site for vulnerabilities and obtain vulnerability information. If we have already found, by constructing parameters, that a site has a SQL injection vulnerability, we can then use the scanner to scan the site again for additional vulnerability information.
4. How to find sites
When mining src vulnerabilities, finding sites is very important, so knowing how to find sites matters a lot for ranking. Here I will share how I found sites when I was digging vulnerabilities.

The first way is to use Google search syntax on a Google mirror site, or on Bing and other search engines that support it. If we are digging for SQL injection, we can construct `inurl:php?id=` to find candidate sites, and we can also search by industry terms for certain companies, such as energy or pharmaceuticals, combined with Google syntax. The industry terms can be changed by yourself using the industry column in Vulnerability Box.

The second way is to use crawler tools to search sites in batches, like the injection-point batch collection tool. Here too we can put Google syntax in the content box, such as `inurl:php?id=`, and change the industry content, for example to pharmaceuticals. Using this tool we can find some sites that have SQL injection, but there are also cases with no SQL injection, which are false positives from the tool.

The above method of finding sites is just my personal method. There are many experts in the community who have their own methods, and students can learn more from them.

5. Personal feelings
src is a process of training oneself. I personally think it is very good and meaningful for the college to hold this event. In some respects a real site and the college's practice range are similar, but in others they differ. For example, when I was digging my first real-site vulnerability, I used sqlmap to get the database name, and afterwards I could not access the site at all; I didn't know it was because the IP had been banned until I asked Mr. Nie Feng. Besides this point there are some other differences, but they are also very helpful for our vulnerability-mining experience.

The existence of src is very important for a novice like me, who can gain experience exploiting real-site vulnerabilities from it. When I first joined src, some experts said src has low technical content, but after a month of vulnerability mining I think src is a platform for gaining experience, very suitable for students who have just finished the course or are taking part for the first time.

Finally, I would like to share how I feel now. When I finished digging src, I had worked hard to get on the list, but I still feel I need to learn in many areas, so I suggest that after digging src, students keep working hard to learn new knowledge, and often visit our community and other forums to learn more!!!

SQL injection site map

Finally

Statistics show that there is currently a gap of 1.4 million cyber security talents in China. Whether you are a cyber security enthusiast or a practitioner with some work experience, a fresh graduate or a professional who wants to change jobs, you need this super comprehensive set of materials. It beats almost 90% of the self-study materials on the market and covers the entire category of network security learning. Bookmark it! It will definitely help your study!

Friends, if you need a full set of network security introduction + advanced learning resource package, you can click to get it for free (if you encounter problems with scanning codes, you can leave a message in the comment area to get it) ~

CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing


1. A full set of toolkits and source codes necessary for network security


2. Video Tutorial

Although there are a lot of learning resources on the Internet, they are basically incomplete. This is the network security video tutorial I recorded myself; I have a supporting video explanation for every knowledge point on the roadmap.

3. Technical documents and e-books

The technical documents are also compiled by myself, including my experience and technical points from participating in network protection operations, CTF and digging SRC vulnerabilities.

I have also collected more than 200 e-books on network security, basically all the popular and classic ones, which I can also share.

4. NISP, CISP and other certificate preparation packages


5. Information security engineer exam preparation spree


6. Interview questions for network security companies

These are the cyber security interview questions sorted out over the past few years; if you are looking for a job in cyber security, they will definitely help you a lot.

Origin blog.csdn.net/2301_76168381/article/details/131815163