SRC vulnerability hunting practice + materials sharing

Recently I found that many friends who are new to penetration testing don't know the tricks of actually finding vulnerabilities, so I plan to write up some of my own vulnerability-hunting tips.

For SRC work I recommend Vulbox (漏洞盒子, literally "the loophole box") as the first choice for beginners, because its scope is wide: it accepts reports for all domestic sites. Compared with other SRC platforms it is very suitable for novices.

In vulnerability hunting, information gathering is very important.

Note up front: there are SRC vulnerability-hunting materials at the end of the article.

Some practical walkthroughs follow.

Let's talk about Google syntax (dorks) first!!!

Google mirrors can be found through cyberspace search engines such as FOFA, ZoomEye, and Shodan, as follows.

The basic flow of SQL injection hunting:

  1. Find candidate sites using basic Google syntax such as site: and inurl:.

  2. Pick a site, click around everywhere, and find its injection point.

  3. If no injection point is found, go back to information gathering.

  4. Then carry out the usual series of follow-up steps.

Open a Google mirror and enter our Google syntax: site:.com company.

This returns pages on .com domains that match the keyword "company". Adding "company" after the domain restricts the results to company names.

Google syntax, searched via Google Chrome: site:.com inurl:php?id=22 company

We add php?id=22 here because the core of an injection point is a passed parameter, so searching for pages that pass parameters makes it easier to find vulnerabilities.

Below we pick a website to test.

First, we enter a single quote ' and see that the page changes.

This shows that the single quote we entered was executed and caused an error; there is a good chance of SQL injection here.

Next, use and 1=1 and and 1=2 to verify whether the vulnerability exists.

Here with and 1=1 the page is normal, but with and 1=2 the page echo is also normal, so further verification is needed.

We continued with SQL functions and concluded that we were being blocked by the website's firewall (WAF).

Without a full firewall bypass, I casually tried the inline comment method here and it executed successfully. Fully bypassing the firewall is too cumbersome to pursue further here. Novices can simply back off when they run into a firewall.

Next we find another site and enter a single quote '; the page is abnormal. We then enter and 1=1 | and 1=2 and find that 1=2 gives an abnormal page.

This shows that the expression we entered was executed by the database, so there is SQL injection.

The vulnerability has been tested; the next step is to see whether it can be verified further. Following the SQL statements above, we use order by 11 | order by 12.

With order by 11 the page is normal, while with order by 12 it is abnormal (indicating there are 11 columns).

We then tried further SQL statements and found that this is a Boolean-based blind injection. Extracting data through Boolean blind injection is tedious, so we just hand it to sqlmap and walk away.
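Why the quote, the and 1=1 / and 1=2 pair and the order by probes change the page is easiest to see in code. The following is an added example, not code from the original post: a minimal lookup like the php?id=22 pages above, written once with string concatenation (the defect) and once with a bound parameter (the fix), run against a constructed in-memory SQLite table. The table, the rows and the probe strings are assumptions for illustration only.

```python
import sqlite3

# Constructed sample table standing in for the page behind a php?id=22 URL:
# the product is looked up from the "id" query parameter.
SAMPLE_ROWS = [(22, "Widget"), (23, "Gadget")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Concatenates the raw parameter into the SQL text, so anything the user
    appends (a quote, and 1=2, order by 12) is parsed as SQL. Deliberately
    vulnerable: this is the pattern the probes above reveal."""
    sql = "SELECT id, name FROM products WHERE id = " + user_id
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # On a real site this error (or a changed page) is the "abnormal page".
        return {"rows": [], "error": str(exc)}


def lookup_parameterized(conn, user_id):
    """Binds the parameter as a value. The database never parses it as SQL, so
    a probe string simply matches no row and raises no error."""
    sql = "SELECT id, name FROM products WHERE id = ?"
    try:
        return {"rows": conn.execute(sql, (user_id,)).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


# The probe strings walked through above, as they would arrive in the id parameter.
# The sample table has two columns, so order by 2 / order by 3 play the role of
# the order by 11 / order by 12 pair in the text.
PROBES = ["22", "22'", "22 and 1=1", "22 and 1=2", "22 order by 2", "22 order by 3"]


def page_state(result):
    """Summarise a lookup the way a tester reads the page: normal if the row came
    back, abnormal if it did not or the query errored."""
    return "normal" if result["rows"] and result["error"] is None else "abnormal"


def compare_probes(conn):
    """Return {probe: (state with concatenation, state with binding)}."""
    return {p: (page_state(lookup_vulnerable(conn, p)),
                page_state(lookup_parameterized(conn, p))) for p in PROBES}


if __name__ == "__main__":
    db = make_db()
    for probe, (concat, bound) in compare_probes(db).items():
        print(f"{probe!r:20} concatenated: {concat:9} parameterized: {bound}")
```

With concatenation the probes produce exactly the normal/abnormal pattern the walkthrough describes (1=1 normal, 1=2 abnormal, order by past the column count errors). With the bound parameter every probe looks the same, a lookup that matches nothing, so there is no differential for a tester or a tool to build on.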

sqlmap command: python sqlmap.py -u <target URL> --dbs (list the database names on the target), which finally gets us the database names.
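From the defender's side, the probe sequence above (a quote, and 1=1 / and 1=2, order by N, then a sqlmap run) leaves a recognisable trail in the web server's access log. The following is an added example, not from the original post: a small scanner over constructed Apache combined-format log lines that tags each request by the probe it carries and counts flagged requests per source IP. The log lines, the news.php path and the IP addresses are constructed; the User-Agent check relies on sqlmap's self-identifying default, which an operator can change, so the request-pattern rules matter more than that one string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache combined format) showing the probe
# sequence described above against a news.php?id= page, then a sqlmap request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2023:10:01:02 +0800] "GET /news.php?id=22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2023:10:01:05 +0800] "GET /news.php?id=22%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2023:10:01:09 +0800] "GET /news.php?id=22%20and%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2023:10:01:12 +0800] "GET /news.php?id=22%20and%201%3D2 HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2023:10:01:20 +0800] "GET /news.php?id=22%20order%20by%2012 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2023:10:02:00 +0800] "GET /news.php?id=22%20AND%203458%3D3458 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.9 - - [10/Jun/2023:10:03:00 +0800] "GET /news.php?id=23 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule: (tag, regex applied to a percent-decoded parameter value).
VALUE_RULES = [
    ("quote", re.compile(r"'")),                                     # the single-quote probe
    ("boolean", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),   # and 1=1 / and 1=2
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.I)),          # column counting
]


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = []
    query = urlsplit(m["target"]).query
    # parse_qs percent-decodes, so %27 becomes ' and %3D becomes =
    values = [v for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]
    for tag, rule in VALUE_RULES:
        if any(rule.search(v) for v in values):
            tags.append(tag)
    if "sqlmap" in m["ua"].lower():   # sqlmap's default User-Agent names itself
        tags.append("sqlmap_ua")
    if not tags:
        return None
    return {"ip": m["ip"], "time": m["time"], "target": m["target"],
            "status": m["status"], "tags": tags}


def scan_access_log(lines):
    """Run scan_line over every line and keep the hits, in log order."""
    return [f for f in map(scan_line, lines) if f]


def summarize(findings):
    """Count flagged requests per source IP, to rank who is probing."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["target"], ",".join(h["tags"]))
    print(summarize(hits))
```

The rules are deliberately narrow (a quote, a numeric comparison after and/or, order by followed by a number) to keep false positives low on ordinary traffic; the 500 responses next to the quote and order by probes are the server-side "abnormal page" the tester was watching for, and are worth alerting on in their own right.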


Hunting holes is that easy, and there are still plenty of SQL injections out there. If you run into a WAF, try to bypass it if you have ideas.

XSS vulnerabilities

Generally, you can try blind XSS on the sites you found by searching: see whether there is a message board. An XSS is usually rated medium risk. Directly construct the XSS statement: insert it wherever you see an input box, and submit the resulting pop-up window directly to the SRC platform.

XSS: generally the message board!!!
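A message board pops up a window because it writes the submitted comment into the page as markup. The following is an added example, not code from the original post: a toy board rendered once by direct interpolation (the defect) and once with html.escape (the fix), with a small HTMLParser-based check that lists which tags a browser would actually see. The comments are constructed samples; the board itself is a stand-in, not any real site's code.

```python
import html
from html.parser import HTMLParser

# Constructed message-board submissions: two ordinary comments and one that
# carries a script tag, the kind of input the pop-up test above relies on.
SAMPLE_COMMENTS = [
    "Nice article!",
    "<script>alert(1)</script>",
    'Tom & "Jerry" <3',
]


class TagCollector(HTMLParser):
    """Records every start tag the browser's parser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """List the element names present in an HTML fragment, in document order."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def render_unsafe(comments):
    """Interpolates user text straight into the page: markup in a comment
    becomes markup in the board. Deliberately vulnerable."""
    return "\n".join(f"<li>{c}</li>" for c in comments)


def render_safe(comments):
    """Escapes <, >, &, " and ' so a comment is always displayed as text.
    html.escape covers HTML text and attribute contexts only; JavaScript or
    URL contexts need their own encoders."""
    return "\n".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)


def active_tags(fragment):
    """Tags other than the board's own <li> wrappers, i.e. anything a comment
    managed to inject into the page."""
    return [t for t in tags_in(fragment) if t != "li"]


if __name__ == "__main__":
    print("unsafe injected tags:", active_tags(render_unsafe(SAMPLE_COMMENTS)))
    print("safe   injected tags:", active_tags(render_safe(SAMPLE_COMMENTS)))
    print(render_safe(SAMPLE_COMMENTS))
```

The third comment shows that escaping does not damage legitimate text: ampersands, quotes and a bare "<3" survive as readable characters, while the script tag in the second comment is reduced to inert text.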

Weak password vulnerability hunting

Google syntax for weak passwords: inurl:admin/login.php company.

This way you can find the admin backends of many companies.

After reaching the backend login page, you can use tools to brute-force weak passwords in batches, such as admin/111111. You can also check whether account passwords are exposed in the JS code.

You can use existing weak-password brute-forcing tools or build your own. There are so many such tools that I won't elaborate.

Some CAPTCHAs are just for decoration, and there are also CAPTCHAs that do not change after you capture the request.
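Each of the three weaknesses in this section (guessable passwords, unlimited guessing, and a CAPTCHA that survives a captured request) has a direct server-side counterpart. The following is an added example, not code from the original post: a denylist check for passwords like admin/111111, a sliding-window failure counter that locks an IP/account pair after repeated failures, and single-use CAPTCHA tokens that are consumed on their first verification. The auth-log lines, the denylist and the thresholds are constructed assumptions.

```python
import secrets
from collections import defaultdict, deque
from datetime import datetime

# Constructed denylist standing in for the admin/111111-style guesses above.
COMMON_PASSWORDS = {"111111", "123456", "admin", "password", "admin123", "admin888"}


def is_weak_password(password, min_length=12):
    """True if the password is short or on the denylist; what a signup or
    password-change handler should reject before anyone gets to guess it."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


class LoginGuard:
    """Sliding-window failure counter with lockout, plus single-use CAPTCHA
    tokens that are consumed on first verification, so a captured request
    cannot be replayed with the same token."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # (ip, account) -> failure timestamps
        self._captchas = {}                   # token -> expected answer

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def is_locked(self, ip, account, now):
        return self._recent_failures((ip, account), now) >= self.max_failures

    def record_attempt(self, ip, account, success, now):
        """Apply one login attempt; returns 'locked', 'ok' or 'failed'. A locked
        pair is refused even if the submitted password happens to be right."""
        key = (ip, account)
        if self.is_locked(ip, account, now):
            return "locked"
        if success:
            self._failures.pop(key, None)
            return "ok"
        self._failures[key].append(now)
        return "failed"

    def issue_captcha(self, answer):
        token = secrets.token_hex(8)
        self._captchas[token] = answer
        return token

    def verify_captcha(self, token, answer):
        expected = self._captchas.pop(token, None)   # one check per token
        return expected is not None and secrets.compare_digest(expected, answer)


# Constructed auth-log lines: six guesses at "admin" from one IP, the sixth
# with the right password, then an unrelated successful login.
AUTH_LOG = """\
2023-06-10T10:00:01 ip=203.0.113.5 user=admin result=fail
2023-06-10T10:00:02 ip=203.0.113.5 user=admin result=fail
2023-06-10T10:00:03 ip=203.0.113.5 user=admin result=fail
2023-06-10T10:00:04 ip=203.0.113.5 user=admin result=fail
2023-06-10T10:00:05 ip=203.0.113.5 user=admin result=fail
2023-06-10T10:00:06 ip=203.0.113.5 user=admin result=success
2023-06-10T10:00:07 ip=198.51.100.9 user=alice result=success
""".splitlines()


def replay_auth_log(lines, guard=None):
    """Feed each log line to a LoginGuard and return the decision per line."""
    guard = guard or LoginGuard()
    decisions = []
    for line in lines:
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        now = datetime.fromisoformat(ts).timestamp()
        decisions.append(guard.record_attempt(
            fields["ip"], fields["user"], fields["result"] == "success", now))
    return decisions


if __name__ == "__main__":
    print(replay_auth_log(AUTH_LOG))
    g = LoginGuard()
    token = g.issue_captcha("7")
    print(g.verify_captcha(token, "7"), g.verify_captcha(token, "7"))  # True False
```

The sixth attempt in the constructed log carries the correct password but is still refused, because the lockout is decided before the password is checked; that is the property that makes batch guessing unproductive. In a real deployment the failure counter lives in shared storage rather than process memory, and the lockout should be keyed in more than one way (per account as well as per IP) so that rotating source addresses does not reset it.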

These are the recommended vulnerability types for SRC hunting. I wish you all a spot on the leaderboard as soon as possible!!!

Finally, friends interested in SRC vulnerability hunting & penetration testing can scan the official CSDN cooperation code below to get the materials!


Source: blog.csdn.net/BlueSocks152/article/details/130834641