Penetration Testing Questions Overview (Abridged Version)

Common WEB Vulnerabilities 

1. One sentence Trojan horse

1. Basic principles:

Utilize the file upload vulnerability to upload malicious code to the target server to realize remote control of the target website.

2. Connection tool:

Common tools such as Chinese kitchen knife, ant sword, and ice scorpion can be used to connect and control the implanted one-word Trojan horse.

3. Defensive measures:

• Update and upgrade operating system applications in a timely manner, and fix known vulnerabilities.
• Strengthen the file upload verification and filtering mechanism, and limit the file type, size and access path.
• Regularly inspect and scan the server safely, and deal with abnormal situations in a timely manner.
• User account rights management to avoid abuse and unauthorized access.
• Configure firewalls and intrusion detection systems to monitor and block abnormal network traffic.

2. SQL Injection Vulnerabilities

1. The principle of SQL injection vulnerability

• User input lacks proper input validation
• String concatenation to build SQL statements
• Lack of filtering and escaping of user input

2. SQL injection defense and vulnerability repair

• Use parameterized queries or prepared statements
• Input Validation and Filtering
• The principle of least privilege (set the minimum privilege on the database, and ensure that the user has the privilege to perform necessary operations, and there are no other redundant privileges)
• Code Audit and Vulnerability Scanning
• Avoid displaying verbose error messages 

3. SQL injection classification

• Based on error injection
• Injection based on federated queries
• Injection based on time delay, Boolean blind injection
• overlay query injection
• Batch based injection

4. Which database exists in MySQL by default and is often used for injection?

• The database that exists by default in MySQL is  information_schema . It is a system database provided by MySQL to store metadata information about database objects (such as tables, columns, constraints, etc.).

5. Common SQL injection bypasses WAF technology

• Function sizes are also mixed and bypassed : such as changing "UNION" to "UnIoN".
• Multiple keyword bypass : For example, change the keyword "UNION SELECT" to "UNI // ON SEL // ECT".
• Encoding bypass : For example, use hexadecimal encoding, URL encoding, Unicode encoding, etc. to convert the keyword "UNION SELECT"
• Comment bypass : Common comment symbols include /**/, / ! /, / !12345 /, #, ---, --+, etc.
• Equivalent function or command bypass : For example, change the keyword "UNION SELECT" to "UNION DISTINCT", or use other similar functions and commands instead, such as updatexml, extractvalue, floor, etc.

6. General SQL manual annotation steps

• Judging the injection point (use single/double quotes to judge, and judge the closing character)
• Determine the injection type (whether it is an error injection or a blind injection)
• Determine the injection point submission method (GET or POST, etc.)
• Use the ORDER BY statement to query the number of fields in the database
• Use joint query to construct attack payload (the general steps are query library, table, field, field value)

7. What kind of websites may have SQL injection vulnerabilities?

• Dynamic websites : Websites written using dynamic scripts like PHP, ASP, etc.
• Pseudo-static website : Pseudo-static website looks like a static HTML page, but behind it is still a website that interacts with the database through dynamic scripts
• CMS website (Content Management System): Many CMS websites use a database to store and manage content.

8. Prerequisites for SQL injection vulnerability to successfully mount a horse

• Support for federated queries
• Know the absolute path of the website (the storage path of the Trojan file after injection)
• Trojans can be parsed and executed after they are uploaded

9. Generally, how to use SQL injection vulnerabilities

• access to sensitive information
• Hanging horses to obtain server permissions

 3. File upload vulnerability

1. Principle of file upload vulnerability:

Because the developer did not perform strict filtering and verification on the file name and content in the file upload function, the attacker can upload malicious scripts to the server.

2. What kind of Trojan horse is usually uploaded for file upload vulnerabilities?

• Pony (one-sentence Trojan horse or script with file upload function): Restricted, some connection tools (chopper, ant sword) are required to use
• Malaysia (malicious script with full functions)
• Trojan horse made by CS or metasploit
• virus file

3. File upload bypasses WAF method

• Bypass blacklist (case bypass) : For example, replace ".php" with ".pHp" or ".PHp
• Bypass Whitelist %00 Truncation Bypass : By appending %00 to the filename , the WAF can be tricked into thinking the file type meets the whitelist requirements. (This method takes advantage of the truncation vulnerability, which prevents WAF from correctly parsing the file)
• Bypass front-end verification : You can use proxy tools (such as Burp Suite) to intercept upload requests, and change the Content-Type field in the request to an allowed file type, thereby bypassing front-end verification. Or disable the JavaScript language directly in the browser.
• Bypass file content : For example, use Base64 encoding to convert malicious code, and then decode and execute it on the server side.
• Special file name bypass : change the file name such as: test.php to test.php . or test.php_ , etc.
• Uploading .htaccess  files : Uploading .htaccess files can bypass some detections because .htaccess files can be used to configure server behavior.
• Special file writing method : use a special file writing method, such as using 1.php :jpg to write malicious code
• Combining file inclusion vulnerabilities : using file inclusion vulnerabilities to parse malicious codes such as Trojan horses in uploaded images. This approach can bypass some detections, as a WAF may only detect file uploads without checking for file inclusion vulnerabilities. (provided you can find file inclusion bugs)

4. Common ways to upload files

The server is IIS

• Usually, asp or asp suffix type horses are uploaded . If the upload of the asp script file fails, you can try to change the file suffix name to asa, cdx or cer to upload, or because the IIS server has enabled the file suffix control function.

The server is Apache

• usually upload php suffix type horse

The server uses Tomcat middleware

• usually upload jsp suffix type horse

The server uses WebLogic middleware

• usually upload jsp suffix type horse

The server uses Nginx

• usually upload php suffix type horse

5. File upload vulnerability protection

• Use the whitelist or blacklist to judge the file type and limit the uploaded file type
• Rename the uploaded file to avoid directly using the file name uploaded by the user
• Limit the size of uploaded files to prevent malicious users from uploading too large files
• Thorough content verification and filtering of uploaded files , prohibiting uploads of files containing malicious code
• Regularly update server and middleware patches to fix known file upload vulnerabilities
• Strengthen access control and limit the permissions of users to upload files

4. The file contains loopholes

1. The principle of the file containing the vulnerability

In program development, in order to reduce code redundancy and improve code maintainability, developers usually use the file inclusion mechanism to introduce some repeated code fragments or external files into the main program.

2. The difference between remote file inclusion (RFI) and local file inclusion (LFI)

• The source is different:

  • Remote file contains: The file originates from the remote server.
  • Local file inclusion: Files are sourced from the local file system .

• The range of influence is different:

  • Remote file contains: can execute the code on the remote server, which may lead to attacks such as remote command execution and cross-site scripting.
  • Local file contains: can access sensitive files on the local file system, and may obtain sensitive information such as configuration files and user data.

• It operates differently:

  • Remote file inclusion: By constructing a malicious URL, the file on the remote server is introduced into the target application for execution.
  • Local file inclusion: By constructing a malicious request, the file on the local file system is obtained by using the application's inclusion or reference mechanism of the file path.

3, include, include_once, require, require_oncethe difference between these functions

• include():找不到被包含的文件时只会产生警告，脚本继续运行
• require():找不到被包含的文件时会发生致命错误，停止脚本运行
• include_once():与include()类似，唯一区别是如果该文件的Daum已经被包含过，则不会再次包含。
• require_once():与require()类型，如果该文件的代码已经被包含过，则不会再次包含。

4. The file contains bug fixes

• Search files for sensitive content, restrict file types, etc.
• Strict validation and filtering of user input
• Use a whitelist mechanism to allow only specific files or folders to be included
• Pay attention to the path security introduced by the file and avoid using user-controllable paths

Five, XSS vulnerability (cross-site scripting attack)

1. The principle of XSS vulnerability

XSS attacks can be triggered when an application does not validate and re-encode user-submitted content, but instead presents itself to website visitors.

2. XSS vulnerability protection means

• Filter dangerous characters entered by users
• Limit the content length of user input
• Entity encoding of page HTML
• Use a whitelist for validation, only allow specific HTML tags and attributes, and prohibit the use of other tags and attributes
• For reflected and stored XSS, sensitive characters can be escaped when the data is returned to the client browser.
• For DOM-type XSS, context-sensitive data encoding can be used.

3. XSS types and hazards

• Reflective XSS : Inject malicious scripts into the target page through input points such as URL parameters, one-time attack, relatively low harm
• Stored XSS : Store malicious scripts in the database of the target website, resident attacks, and high harm. Malicious scripts are triggered to execute when other users visit pages containing malicious scripts.
• DOM-type XSS : The attack does not pass through the server. In the JavaScript code of the client, the malicious script is triggered by manipulating the DOM. The harm depends on the content of the malicious script and the function of the target website.

4. Why stored XSS is the most harmful?

• Stored XSS is a persistent attack in which malicious scripts are stored directly in the database of the target website
• When other users request pages containing malicious scripts, the malicious scripts will be read from the database and executed, thereby causing harm to other users.

5. XSS protection measures

• Validate and filter user input 
• Before the user's input data is output to the page, perform HTML entity encoding on the user's data
• Use CSP, configure CSP policies, limit the resources that pages can load, and prevent the execution of malicious scripts
• Use HttpOnly and Secure flags: Set the HttpOnly and Secure flags of cookies to prevent malicious scripts from stealing users' cookies.
• Education and training: Increase user and developer awareness of XSS vulnerabilities and increase security awareness.

6. CSRF Vulnerability (Cross Site Request Forgery)

1. Principle of CSRF vulnerability

CSRF attacks use the victim's unexpired identity information (such as cookies, sessions, etc.) to trick them into clicking malicious links or visiting pages containing attacks. Then, the victim sends a request to the server in the identity of the victim without knowing it, and completes the illegal operation.

2. CSRF repair method

• Verify the Referer of the HTTP header : the server only responds to requests with the domain in the Referer header, which can prevent cross-domain CSRF attacks.
• Add Token verification to the request address : Add a randomly generated Token to the request parameter or form, and the server verifies whether the request carries a valid Token, and if it is valid, continue processing the request.
• Use Local Storage and Session Storage to save sessions : Store session information in the client's Local Storage or Session Storage instead of relying solely on Cookies. This can increase the difficulty for attackers to obtain session information and improve security.

3. CSRF attack types (the common ones are GET and POST)

• GET request type CSRF : only need to construct the URL, and then induce the victim to visit the URL
• POST request type CSRF : construct an automatically submitted form, and induce the victim to visit or click on the form

4. The danger of CSRF attack

• Illegal operations : Attackers can use the victim's identity to perform various illegal operations, such as: sending malicious emails, publishing false information, modifying personal data or deleting important data, etc. This can lead to information breaches, social engineering attacks, reputational damage, or financial loss.
• Stealing user accounts : By inducing victims to click on malicious links or visit pages containing attack code, attackers can steal the victim's account information without knowing it. This allows attackers to log in as victims and access their sensitive information, which can be further abused and exploited.
• Data Tampering : CSRF attacks can also lead to data tampering or hijacking. Attackers can modify the victim's personal data, order information, payment amount, etc. by constructing malicious requests, thereby causing confusion, loss, and destruction.
• Trust breach : Once users realize that their account or information has been compromised, they may develop suspicion and distrust of the affected website or service. This can negatively impact a business' reputation and customer relationships.

5. The difference between CSRF and XSS

Attack targets are different:

• CSRF attacks are mainly aimed at the background interfaces and functions of the Web application layer, and perform illegal operations by forging the victim's identity request.
• The XSS attack is mainly aimed at the user's browser, by injecting malicious scripts to obtain user information or perform other malicious acts .

Attacks are different:

• CSRF attacks use the user's identity authentication information to trigger the attack by inducing the victim to visit the page containing the attack code or click on the malicious link.
• The XSS attack is to inject malicious scripts into the webpage. When the user browses the infected page, the malicious script will be triggered and executed in the browser.

The range of influence is different:

• The impact of CSRF attacks is mainly limited to the interaction between the victim and the target website, and the attacker cannot directly steal user information.
• The impact of XSS attacks is wider, and can directly steal sensitive information of users, such as: login credentials, payment information, etc.

Defenses are slightly different:

• In order to prevent CSRF attacks, common defense measures include using CSRF Token verification, checking the Referer header, and using verification codes, etc.
• In order to prevent XSS attacks, common defense measures include input validation and filtering, output encoding, setting HTTP headers, etc.

6. The difference between CSRF and SSRF

Attacks are different:

• CSRF attack is to perform illegal operations by forging the victim, and use the user's identity authentication information to attack.
• The SSRF attack uses a vulnerable web application as a proxy to carry out remote attacks, and obtains data on the target server or performs other malicious operations by sending malicious requests.

Attack targets are different:

• CSRF attacks are mainly aimed at the interaction between the victim and the target website. The attacker sends a request as the victim to perform certain operations.
• The SSRF attack is mainly aimed at the target server itself. An attacker can use a vulnerable web application to access internal resources on the target server, such as files and databases.

The range of influence is different:

• The scope of impact of CSRF attacks is limited to the interaction between the victim and the target website, and the attacker cannot directly access or steal the sensitive information of the user.
• The impact of SSRF attacks is more extensive, and attackers can access internal systems through the target server, obtain sensitive data, or use the server to carry out further attacks.

Defenses are slightly different:

• To prevent CSRF attacks, common defense measures include using CSRF Token verification, checking the Referer header, and using verification codes.
• In order to prevent SSRF attacks, common defense measures include restricting access rights of web applications, filtering user input, and using whitelists to restrict access to external resources. 

7. SSRF vulnerability (server request forgery)

1. Principle of SSRF vulnerability

The server provides the function of obtaining data from other servers, but it does not filter and restrict the target address, so that the attacker can forge the request to realize the attack by tampering with the target address of the request.

2. SSRF vulnerability repair method

• Use URL whitelist to restrict access to intranet IP addresses
• filter return information
• Unified error message
• Restrict only requests to web ports, only allow access to HTTP and HTTPS requests

3. Exploitation method of SSRF vulnerability

• Port scanning to obtain the Banner information of the service
• Attack intranet or local applications
• Fingerprint identification for intranet web applications and access to default files
• Attack the web application of the internal and external network, and use the GET parameter to realize the attack
• Use the file protocol to read local files
• Getshell via HTTP CRLF injection using Readis with unauthorized access
• DOS attacks, requesting large files, keeping connections, etc.

4. SSRF vulnerability bypass posture

• Convert IP to bypass blacklist
• Using @embedded credentials in URLs to bypass whitelisting
• Use 302 redirection to bypass restrictions (302 redirection is a common HTTP redirection method, usually used to redirect users from one URL to another URL)
• Exploiting DNS Rebinding Attacks

8. XXE Vulnerability (External Entity Injection)

1. The principle of XXE vulnerability

• The XXE vulnerability (XML External Entity Injection Vulnerability) exploits references to external entities when an improperly configured XML processor parses an XML document. An attacker can attack a vulnerable XML processor by deleting an XML document that contains malicious content.
• Simply put, the principle of the XXE vulnerability is that due to improper configuration of the XML processor, attackers can inject malicious code or entity references into XML documents to obtain sensitive information or conduct denial of service attacks.

 2. XXE exploit method

• arbitrary file read
• system command execution
• Intranet port scanning
• Attacking Intranet Websites
• phishing attack

3. XXE vulnerability repair

• Use a safe XML parser
• Disable external entity references
• Validate and filter user input
• Use the whitelist mechanism to limit the external resources that are allowed to be parsed during the parsing process
• Follow safe coding practices, such as: avoid storing sensitive information in XML documents, use APIs that fully validate input, etc.

9. Logic loopholes

1. The principle of logical loopholes

Logical vulnerability is a kind of security problem, which does not involve the technical level of the system, application or network, but the flaw in the design level. Attackers can use these flaws to bypass and operate business processes, thereby obtaining sensitive information or Compromise the integrity of the business.

2. Common logic loopholes

• Privilege: Refers to authentication without proper access control, allowing attackers to access or operate beyond privilege restrictions. There are two types of unauthorized access vulnerabilities: horizontal unauthorized access and vertical unauthorized access. Horizontal unauthorized access: users with the same permission level can directly access each other with unauthorized access, which may lead to privacy leaks or illegal operations. Vertical overreach: That is, low-privileged users can access the resources of high-privileged users, which may obtain sensitive information or perform restrictive operations. (For example: ordinary users have accessed sensitive information that can only be seen by administrators or performed operations that can only be used by administrators)
• Payment logic loopholes : Refers to design flaws and judgment errors in the payment process, which allow attackers to obtain currency or items in an improper way
• SMS logic vulnerability (SMS bombing) : Due to the flaw in the SMS business logic design, there is no limit to the number of SMS sending times, resulting in attackers being able to send unlimited SMS, causing harassment or increasing operator SMS charges.
• Command execution vulnerability : An attacker can use system command execution functions (such as system, exe, shell-exec in php, etc.) to execute malicious code or system commands, thereby obtaining system permissions or accessing sensitive data.
• Code execution vulnerability : refers to a vulnerability in which an attacker can execute back-end script commands (such as php scripts), thereby executing malicious code and obtaining system permissions or sensitive data.

3. Logic bug fixes

• Close unused ports and services
• Enable the firewall to limit network traffic : Configure firewall rules to limit the traffic entering and leaving the network, allowing only legal network communication and preventing the transmission of malicious traffic. Also, disallowing the insertion of external USB devices prevents the spread of malware via removable media (turn off windows autoplay).
• Database access control : Anonymous login is not allowed, and user permissions to the database are restricted to ensure that only authorized users can perform legal operations.
• Filter and verify user input content : such as verifying the input length, type, format, etc., to prevent malicious input and unauthorized access.

 10. Command Execution Vulnerabilities

1. The principle of command execution vulnerability

Command execution vulnerabilities refer to the use of functions that can execute system commands in program applications. Attackers can execute arbitrary code or system commands by constructing malicious input, and even control the entire website or server, and even further penetrate into the intranet.

2. Exploitation and harm of command execution vulnerabilities

• execute arbitrary code
• read sensitive files
• Reverse shell (in Windows systems, the common shell is Command Prompt (command prompt))
• Take control of a website or server
• Intranet penetration (that is, attacking the internal network)

3. Command execution vulnerability repair

• Try to avoid executing external instructions
• Use custom functions or libraries instead of dangerous functions
• Handle command arguments using escape functions
• Regularly update and maintain the various libraries and frameworks used by the application

11. Deserialization vulnerability

1. Principle of deserialization vulnerability

Serialization and deserialization are the process of converting an object into a specific format for persistent storage or transmission. In Java , serialization works by converting an object into a byte stream , while deserialization works by converting the byte stream back into an object .

The cause of the deserialization vulnerability is that when the input deserialization data can be controlled by the user, the attacker can construct malicious input, causing the deserialization process to generate unexpected objects and execute malicious code at the same time .

2. Common functions for deserialization vulnerabilities

In PHP, commonly used serialization and deserialization functions are:

• serialize() : Serialize an object or array to a string.
• unserialize() : Restores a serialized string to an object or array. This function can lead to deserialization vulnerabilities if it handles untrusted data without proper validation and filtering.

In Python, commonly used serialization and deserialization functions are:

• pickle.dumps() : Serialize an object into a byte stream.
• pickle.loads() : Restores a serialized byte stream to an object. Similar to unserialize() in PHP, unserialization vulnerabilities may exist if untrusted data received by pickle.loads() is not properly validated and filtered.

In Java, commonly used serialization and deserialization functions are:

• ObjectOutputStream.writeObject() : Serializes an object into a byte stream.
• ObjectInputStream.readObject() : Restores a serialized byte stream into an object. Using ObjectInputStream.readObject() can lead to deserialization vulnerabilities if not properly validated and filtered when processing data received from untrusted sources or over the network.

3. Commonly used magic methods for deserialization vulnerabilities

• __construct() : A method that is called automatically when an object is created.
• __destruct() : A method that is called automatically when an object is destroyed.
• __toString() : A method that is called automatically when an object is converted to a string.
• __sleep() : A method that runs before the object is serialized.
• __wakeup() : A method called immediately after the object is deserialized.

These magic methods play an important role in the deserialization process, and attackers can use them to perform malicious operations.

It is recommended to memorize the web vulnerability part as much as possible, because the interview may ask, other understanding is enough.

Relevant knowledge supplement 

1. Shell and reverse shell

1、shell

Shell (Forward Shell) refers to a way for an attacker to gain control of the target system in some way and execute commands or operations on the target system . Attackers can directly interact with the target system, execute commands, view files, etc.

2. Reverse shell

Reverse Shell means that the attacker successfully implants malicious code on the target system, so that the target system actively connects to the server controlled by the attacker , and transfers the control of the command line to the server controlled by the attacker .

3. Shell attack methods usually include

• Uploading a Webshell : The attacker uploads a Webshell with malicious code to the target server through vulnerability exploitation or other means, and then links the Webshell through a browser or other tools to execute commands and operate the target system.
•  Command injection: By injecting malicious code at the application input point of the target system to perform the operation desired by the attacker.

4. Reverse Shell attacks usually include

• Reverse Shell connection : The attacker implants malicious codes on the target system, so that the target system actively establishes a reverse connection with the server controlled by the attacker, and transmits the command line to the attacker. This allows the attacker to execute commands and manipulate the target system on their own server.
• Reverse proxy : By setting up a reverse proxy on the target system, the traffic is forwarded to the server controlled by the attacker, so as to achieve the control of the target system.

Two, HTTP request

1. HTTP request method and its meaning: (the common ones are GET and POST)

• GET : Used to request to get a specified resource. GET requests should only be used to fetch data and should not be used to make modifications to the server.

• POST : Used to submit data to the server and request the server to accept it as part of the request. Typically used to create new resources, submit form data, or perform operations on the server.

• PUT : It is used to upload the specified resource to the server. If the resource exists, it will be replaced, if it does not exist, it will be created.

• DELETE : Used to request the server to delete the specified resource.

• PATCH : Used to partially update resources, only modifying part of the specified resources.

• HEAD : Similar to a GET request, but only returns the header information of the requested resource, not the actual content.

• OPTIONS : Used to request the server to return the communication options supported by the resource.

• TRACE : Used to trace the path from the client to the server.

• CONNECT : Used to establish a two-way connection with the target resource, often used for encrypted transmission through a proxy.

Among them: using the OPTIONS method can be used to detect which HTTP methods are enabled by the server. 

2. Common HTTP methods used to detect and obtain target server information

• Scan method : The GET method is one of the most commonly used HTTP methods for scanning. By sending a GET request, the actual content and metadata information of the specified resource can be obtained. This is useful for understanding the files and directory structure on the target server and the status of the response returned.

• Quick scan method : The HEAD method is one of the HTTP methods used for quick scan. Unlike the GET method, the HEAD method only returns the header information of the requested resource, not the actual content. This makes the HEAD method faster than the GET method because it only needs to fetch the resource's metadata without transferring large amounts of actual data.

3. HTTP status code analysis

• 1xx (Information Response): Indicates that the request has been received and processing continues.
• 2xx (Successful Response): Indicates that the request was successfully received, understood, and accepted.
• 3xx (redirect): Indicates that further action by the client is required to complete the request.
• 4xx (Bad Request): It means that the request sent by the client is wrong and the server cannot process it.
• 5xx (Server Error): Indicates that the server encountered an error while processing the request.

Specific HTTP status codes include 100, 200, 301, 302, 400, 401, 403, 404, 500, 503 and so on.

4. HTTP field analysis

• Host : The domain name address of the requested web server (the other party's IP).
• User-Agent : The client browser category of the current HTTP request, including browser type, operating system and version, CPU type, browser rendering engine, browser plug-in, and other information.
• Accept : Tell the server what media types it can accept.
• Accept-Charset : Tell the server the character set it can accept.
• Accept-Encoding : Tell the server the encoding methods it can accept.
• Accept-Language : Tell the server which languages ​​it can accept.
• Content-Encoding : Arbitrary encoding performed on the body.
• Content-Length : The length or size of the body.
• Content-Type : The object type of the body.
• Authorization : Contains the authentication data provided by the client to the server.
• Cookie : The data that the client sends the token to the server.
• Referer : Tell the server which page the page is linked from.
• DNT : Indicates the user's preference for tracking on the target site.
• X-Forwarded-For : used to indicate the real IP of the HTTP request end.
• Connection : Indicates whether a persistent connection is required.
• Keep-Alive : Keep the connection between the client and the server persistently valid.
• X-Requested-With : Indicates that the request is XMLHttpRequest.
• Date : The time of the response.
• Server : server middleware and source code information.

3. CDN (Content Distribution Network)

1 Introduction

        The full name of CDN is content distribution network. Its main principle is to allow users to obtain the required data nearby by deploying server nodes located all over the world, thereby improving the speed and stability of data transmission. For example, if the server is located in Beijing, users in Shenzhen need to travel a long distance to obtain data, but by setting up a CDN server in Shenzhen, users can first access the CDN server to obtain data, thereby improving access speed.

2. Detect whether the website has CDN enabled

        You can use the multi-region ping service to check whether the corresponding IP address is unique. If it's not unique, then there's a good chance the site is using a CDN.

3. CDN query real IP

       When we enter a domain name in the browser, we first need to convert the domain name into an IP address, which is the function of the DNS service. The DNS server will recursively query the domain name to find the corresponding IP address. By querying the real IP address of the CDN, you can know the location of the underlying server.

4. Background and working principle of the EternalBlue vulnerability

1. Working principle

        The EternalBlue vulnerability is a security vulnerability that uses the Server Message Block (SMB) protocol vulnerability of the Windows operating system to obtain the highest privilege. The SMB protocol is a protocol for file sharing, printing, and other network communications, and is widely used in Windows systems.

2. Background

        The exploit was originally developed by the US National Security Agency (NSA) and leaked into the public domain in 2017. An attacker can exploit the EternalBlue vulnerability to execute arbitrary code and take full control of the compromised computer. This means attackers can access, modify, or delete files on the computer, install malware, even create backdoors on the infected computer, and more.

3. Usage 

        Attackers typically look for potential targets by scanning the network for Windows machines that have port 445 open for file sharing. Once a computer affected by the vulnerability is located, the attacker sends specially crafted network packets that exploit the vulnerability to inject malicious code into the targeted computer. After successfully exploiting the vulnerability, the attacker can gain the highest privileges of the compromised computer and thus take control of it.

Five, TCP three-way handshake and four-way wave

        TCP is a connection-oriented protocol used to transmit data in the network. The three-way handshake is the process of establishing a TCP connection, and the four-way handshake is the process of closing the TCP connection. The three-way handshake includes the client sending a SYN request, the server sending a SYN and ACK response, and the client sending an acknowledgment. Four waves of hands include the client sending a release signal, the server sending an acknowledgment and release signal, and the client sending a confirmation message, and finally closing the connection.

detailed process

The steps of the three-way handshake are as follows:

1. The client sends a SYN (synchronous) request to the server, indicating that the client wants to establish a connection.
2. After the server receives the SYN request, it sends a SYN and ACK (confirmation) response to the client, indicating that the server accepts the connection request and informs the client that data transmission can begin.
3. After receiving the server's SYN and ACK responses, the client sends an ACK confirmation message to the server, indicating that the client has accepted the server's response and the connection is established.

The steps for the four-wave wave are as follows:

1. The client sends a release signal to the server, indicating that the client wants to close the connection.
2. After the server receives the release signal, it sends an acknowledgment signal to the client, indicating that the server is ready to close the connection.
3. The server closes the connection to the client, but can still receive data from the client.
4. After receiving the confirmation signal from the server, the client sends the last confirmation message to the server, indicating that the client also closes the connection. At this point, the connection is completely closed.

Through the three-way handshake, the two parties ensure that they can communicate with each other normally. The four waves are used to gracefully close the connection to ensure the integrity and reliability of data transmission.

Penetration ideas

1. Steps of penetration testing login box:

1) Collect information

First, collect information about the target login box and application, including URL, login form fields, error messages, etc. This information will help you better understand your target and test against its specific characteristics.

2) Identity verification blasting

Attempts to guess the correct username and password combination through a brute force attack. Use common username and password dictionaries, and use tools (such as Burp Suite, Hydra, etc.) to conduct automated blasting attacks. Observe whether there is an echo prompt on the page to judge whether it is successfully cracked.

3) Error echo analysis

Take corresponding strategies according to different echo situations

• If the page echoes that the password is wrong , use a packet capture tool such as Burp Suite to capture the request packet, set the password as a variable, and import the password book into the blasting tool for password blasting.
• If the page shows that the user name is wrong , a similar method can also be used to blast the user name.
• If it is impossible to determine whether the user name exists or not , you can use double-variable blasting to import the user name and password book for blasting.

4) Other vulnerability detection

In addition to authentication tests, you can also try other vulnerability detection, such as SQL injection, command execution, logic vulnerabilities, etc. Verify whether the target has other security vulnerabilities by entering a specific test string or utilizing a specific vulnerability detection tool.

For example: if there are other security vulnerabilities, then further scan and verify

Use a vulnerability scanning tool (such as AWVS) to scan the target application and generate a vulnerability report. Then, manually verify the scan results to ensure that the vulnerabilities listed in them are real and conduct further penetration testing.

Second, the penetration testing steps for a website

1) Information collection:

        Knowing the language and middleware used by the target website can help identify possible vulnerabilities and attack surfaces.

2) Port scanning:

        Use a port scanning tool (such as Nmap) to scan the open ports of the target website to find sensitive port leaks or unauthorized service exposure.

3) Directory scanning:

        Use directory scanning tools (such as Yujian, dirsearch) to scan the website to find possible sensitive files, unauthorized access paths or background management pages.

4) Subdomain and IP collection:

        Use DNS record query tools or subdomain name collection tools to obtain the subdomain name or C-segment IP address of the target website to expand the attack surface.

5) Vulnerability analysis and mining:

        Based on the previously collected information, use various techniques and tools for vulnerability analysis and mining, such as trying weak passwords, SQL injection, etc., to discover potential vulnerabilities.

6) Vulnerability scanning and verification:

        Use a vulnerability scanning tool (such as AWVS, Nessus) to conduct a comprehensive scan on the target website, verify the previously discovered vulnerabilities, and confirm the actual existence of the vulnerabilities.

7) Logical vulnerability check:

        Review the functional items and logic of the website to find possible logical loopholes, such as unauthorized access, arbitrary file upload, etc.

8) Penetration test report:

        Organize the results of the penetration test into a report, including the exploit point of the vulnerability, repair suggestions, tools and methods used, etc., so that developers can fix the vulnerability and improve the security of the website.

3. Domain penetration ideas

1) Locate the IP of the domain controller and the domain administrator account:

        First, information collection is required to find the domain controller in the target network and obtain its IP address. At the same time, it is also necessary to determine the domain administrator account.

2) Use domain member hosts as a springboard to expand the scope of penetration:

        By invading a domain member host, it can be used as a springboard to further penetrate the target network. You can use loopholes, weak passwords, etc. to gain access to domain member hosts.

3) Mechanism to log in to any member host with domain administrator privileges:

        The domain administrator has the privilege to log in to any member host in the domain, and can use this privilege to find the IP of the host that the domain administrator has logged in. You can obtain relevant information by viewing logs and audit tools.

4) Obtain domain administrator password:

        Through memory forensics and other technical means on domain member hosts, the passwords used by domain administrators on the hosts can be obtained. You can use common password cracking tools, weak password dictionaries, etc. to try.

5) Obtain the control authority of the domain controller:

        After obtaining the password of the domain administrator, you can use this password to log in to the domain controller to obtain control rights to the domain controller. This allows for deeper penetration and attack operations.

4. The difference between penetration testing and mining SRC

1) The purpose is different:

        The main purpose of penetration testing is to assess the security of a system, application or network, discover potential vulnerabilities and weaknesses, and provide recommendations for remediation. The main purpose of mining SRC is to proactively find unknown vulnerabilities in systems, software or platforms, and report them to relevant parties for repair.

2) The range and depth are different:

        Penetration testing is usually performed under the client's mandate and within a defined scope, and involves conducting a series of tests against a specific target, such as an application, a network or an entire system. Mining SRC is more free, and attackers can mine vulnerabilities on any target, including large software platforms and operating systems.

3) Reports vary in complexity:

        Penetration testing reports are usually more complex, including detailed descriptions of vulnerabilities found, risk assessments, examples of attack paths, remediation recommendations, and more. The report of digging SRC mainly focuses on the discovery process and method of the vulnerability, including the process of exploiting the vulnerability, the steps to reproduce it, and the impact and potential threats of the vulnerability.

4) Different legal authorizations:

        Penetration testing must be performed within the scope of the authorization, and usually requires obtaining a legal authorization letter or agreement in advance. Mining SRC relies on the Bug Bounty Program or the authorization of the employer, and is carried out under the legal framework and ethical norms.

5. Understand the vulnerability collection website

1) Make up the sky:

        Butian Security Team is the first non-profit SRC platform in China's Internet industry, aiming to provide a compliant, legal and ethical vulnerability mining platform for Internet security enthusiasts. Butian's mining scope covers a wide range, including government agencies, finance, telecommunications, new media, e-commerce and other fields. Bug hunters can get rewards by submitting bug reports.

2) Vulnerability box:

        Vulnerability Box is a relatively large vulnerability mining platform in China, providing services including public welfare SRC, enterprise SRC and security scanning. Vulnerability Box provides companies with security testing and vulnerability verification by establishing partnerships with companies, and at the same time gives independent security researchers the opportunity to submit reports. Vulnerability Box identifies and evaluates the discovered vulnerabilities, and rewards them according to the severity of the vulnerabilities.

3）CNVD

        CNVD (China National Information Security Vulnerability Database) is an official vulnerability information database managed by China National Information Security Product Quality Supervision and Inspection Center (CAC). It collects and manages various vulnerability information, and provides vulnerability query and download services to the public. CNVD's vulnerability information is identified, categorized, and assigned a corresponding number for reference.

6. Reasons for failing to submit vulnerability review

1) Unable to contact the manufacturer:

        Before submitting a vulnerability, it is very important to establish an effective communication channel with the vendor. Vulnerability reports may be rejected if the vendor cannot be contacted or a response is not received in a timely manner. This may be due to not providing enough information or not being contacted through the appropriate channels.

2) Vulnerabilities are less harmful:

        In some cases, even if a vulnerability exists, if it is less harmful, such as reflected XSS (cross-site scripting attack), the platform or vendor may consider fixing the vulnerability as a low priority, resulting in the failure of the review. It depends on the severity of the vulnerability and the possible impact of the attack.

3) The platform does not include specific types of vulnerabilities:

        Certain platforms may have their own inclusion rules and vulnerability type restrictions. For example, some platforms may not accept widely publicized vulnerabilities such as directory traversal, phpinfo leaks, etc., because these issues are considered common security configuration issues rather than actual vulnerabilities. Platforms may pay more attention to vulnerabilities that are novel, serious, or pose a substantial threat to users.

7. Commonly used vulnerability scanning tools

1）AWVS（Acunetix Web Vulnerability Scanner）：

        AWVS is a tool specially designed for scanning website vulnerabilities. It can automatically discover common web application vulnerabilities, such as cross-site scripting (XSS), SQL injection, etc., and provide detailed reports and remediation recommendations.

2）Goby：

        Goby is a comprehensive network security scanning tool that can perform host discovery, port scanning and vulnerability scanning. Goby supports scanning of various protocols and services, including HTTP, FTP, SMTP, SSH, etc., and can detect common vulnerabilities.

3）Nessus：

        Nessus is a widely used vulnerability scanning and assessment tool. It comprehensively scans network devices, operating systems, and applications to discover and assess various vulnerabilities. Nessus has powerful customization and report generation capabilities.

4）AppScan：

        AppScan is a vulnerability scanning and security assessment tool focused on web applications. It can automatically discover and verify web application vulnerabilities, such as code injection, path traversal, etc., and provide repair suggestions and reports.

5）X-Ray：

        X-Ray is a machine learning-based network security scanning tool. It uses machine learning algorithms to discover and identify potential vulnerabilities, including undisclosed ones. X-Ray has adaptive learning ability to provide more accurate scan results.

8. The general process of intermediate research and judgment 

1) Traffic analysis:

        Analyze network data packets and detect abnormal traffic behaviors, such as large amounts of data transmission, frequent connection attempts, etc., to discover possible attack activities or abnormal behaviors.

2) Vulnerability retest and verification:

        Reproduce and verify the discovered vulnerabilities, ensure the exploitability and harmfulness of the vulnerabilities, and evaluate their impact on system security.

3) Baseline reinforcement:

        Perform operations such as security configuration and patch management on the system to ensure that the system has a high protection capability based on basic security settings and reduce potential security risks.

4) Penetration testing:

        Penetration testing is carried out for specified assets, simulating real attack scenarios, assessing system security and discovering existing loopholes and weaknesses.

5) Report writing:

        Create a disposal recommendation report or a daily traffic analysis report, summarize the security situation, and provide solutions and suggestions to help relevant personnel understand the current security situation and take corresponding measures to improve security protection.

6) Emergency response:

        Participate in emergency response work, conduct source tracing analysis, track the attacker's activities, restore the attack process and attack methods as much as possible, so as to take measures to eliminate and repair the threat.

9. In the HW offensive and defensive exercise, the submitted daily and weekly reports may include the following 

1) Overview of security incidents:

        Summary of security events that occurred in the past day or week, including attack attempts, malicious behaviors, etc.

2) Statistics of the number of alarms:

        Record the number of alarms triggered every day or every week, including the alarm status of various security devices such as intrusion detection systems, firewalls, and log monitoring.

3) Successful attack event:

        List the incidents of successful infiltration or attack, and analyze the attacker's means and attack path.

4) Response actions taken:

        Describe the countermeasures that have been taken, such as shutting down the source IP of the attack, isolating the infected host, etc.

5) Trend analysis of security incidents:

        Analyze and predict the development trend of attack events, so as to adjust the security protection strategy in time.

6) Summary of Vulnerabilities and Weaknesses:

        Summarize the vulnerabilities and weaknesses found, and provide corresponding suggestions and solutions to improve the security of the system.

7) Response time statistics:

        Record the discovery time and response time of each security incident, and evaluate the response speed and efficiency of the security team.

8) Exercise effect evaluation:

        Evaluate the overall effect of the exercise, including the problems found, improvement measures, etc.

9) Suggestions and improvement plans:

        Provides recommendations and improvements to security drills to help organizations better address future security challenges.

10. The company security report usually includes two parts : the penetration test report and the monthly report

1) Penetration test report:

1. Target system description: describe in detail the target system or website to be tested, including system architecture, functional characteristics, etc.
2. Test scope and method: Clarify the scope of the test and the penetration testing method used, such as black box testing or white box testing.
3. Problems and vulnerabilities found: List the problems and vulnerabilities found during the penetration test in detail, including system configuration errors, code vulnerabilities, permission problems, etc.
4. Vulnerability risk assessment: Evaluate each discovered vulnerability, determine its risk level and potential impact, and give a suggested repair plan.
5. Repair suggestions: Provide specific repair suggestions, including repair measures, patch updates, security configurations, etc., to enhance system security.

2) Monthly report:

1. Security Incident Summary: Summarize the security incidents that occurred in the current month, including attack incidents, malware infections, abnormal behaviors, etc., and corresponding countermeasures.
2. Vulnerability analysis: analyze the vulnerabilities discovered in the current month, including vulnerability type, quantity, repair progress, etc., to provide a panoramic understanding for the security team and management.
3. Security event trend: Analyze the trend of security events, compare the situation in previous months, and provide observations and speculations on changes in vulnerabilities and threats.
4. Overall security assessment: assess the overall security situation, including a comprehensive assessment of defense capabilities and emergency response capabilities.
5. Suggestions and improvement plans: According to the problems and trends found, provide corresponding suggestions and improvement plans to help the company further strengthen safety management and protection measures.

11. Work content of primary flow monitoring and monitoring

1) Daily flow alarm detection:

        Monitor network equipment and system traffic conditions, set corresponding traffic alarm thresholds, and perform regular or real-time traffic detection. Once the traffic exceeds the set threshold, the alarm notification will be triggered in time to quickly find abnormal conditions.

2) Preliminary flow analysis and monitoring:

        Preliminary analysis of the monitored traffic data, including monitoring network bandwidth utilization, traffic peak hours, traffic sources, etc. By analyzing traffic conditions, you can understand the current network load status and traffic distribution, and find problems such as abnormal traffic or network congestion.

3) Upgrade the device as needed:

        Based on the traffic monitoring results and requirements, evaluate whether the performance and capacity of network equipment meet the requirements. If it is found that the network equipment has reached the upper limit of the carrying capacity or there is a bottleneck, it is necessary to promptly propose equipment upgrade suggestions and participate in the upgrade implementation process.

4) Write the traffic daily report of the day:

        According to the traffic monitoring results and analysis, compile the traffic daily report of the day, including the summary of important information such as traffic statistics, traffic change trends, abnormal traffic conditions, and network bottlenecks. Daily reports should clearly and succinctly present traffic conditions, and provide necessary analysis and suggestions to provide decision-making reference for management and relevant teams.

12. HW project (that is, network security project) includes the following groups

1) Monitoring group:

        Responsible for monitoring device traffic, detecting abnormal traffic and attack behaviors in a timely manner, and performing traffic analysis.

2) Judging group:

        Conduct in-depth analysis and vulnerability verification on the traffic reported by the monitoring group to determine whether there are vulnerabilities or attack events, and evaluate their threat level.

3) Disposal group:

        Block and dispose of malicious IP addresses or malicious behaviors, and take defensive measures to limit attackers' access and influence.

4) Emergency response team:

        Emergency response to successfully attacked servers or systems, including isolating infected devices, repairing vulnerabilities, restoring system functions, etc.

5) Traceability counter group:

        Responsible for tracing the source of the attack event, tracking the identity and behavior of the attacker, and taking corresponding countermeasures.

6) Expert group:

        Responsible for the overall command and coordination of project work, and provide professional technical support and guidance to ensure the smooth progress of the project and the achievement of goals.

The usual process is: the monitoring group reports the monitored malicious attack traffic to the research and judgment group, and the research and judgment group analyzes and confirms whether it is attack traffic, and then transfers it to the disposal group for blocking. If there is a successful attack, the research and judgment team needs to cooperate with the traceability and countermeasure team and the emergency response team. The personnel of the source traceability and countermeasure team and the research and judgment team will trace the source, and the emergency response team will conduct emergency response to the affected machines. 

13. Points to note when repairing vulnerabilities

1) Business Continuity:

        In the process of fixing vulnerabilities, business continuity and stability must be ensured. Repair actions should be carried out without affecting normal business operations, and avoid negative impacts on business processes and user experience.

2) Risk assessment:

        Before repairing the vulnerability, it is necessary to assess the risk of the vulnerability. Understand the severity of the vulnerability, its likely impact, and the risk and reach of remediation actions. This allows for better repair planning and fewer surprises.

3) Vulnerability patch:

        According to the type of vulnerability and the repair suggestion, install the corresponding patch or updated version in time. Make sure to use the latest security patches to fix known vulnerabilities and enhance your system's security.

4) Vulnerability verification:

        After the vulnerability repair is completed, the vulnerability verification test is carried out to ensure that the repair measures are effective and can prevent the vulnerability from being exploited again.

5) Repair plan:

        Develop a detailed repair plan and communicate and coordinate fully with the relevant teams. Clear the time window for repair, avoid the peak period of business use, and minimize the impact on business.

6) Monitoring and rollback:

        In the process of repairing vulnerabilities, timely monitor and backup. Monitor system health to ensure the effectiveness of remediation actions. At the same time, make a rollback plan in case of emergency, and can quickly roll back to the original state when a problem occurs during the repair process.

14. Common methods of traceability

1) The security device looks up the attacker's IP:

        The IP addresses used by attackers can be found through the logs of network security devices (such as firewalls, intrusion detection systems, etc.). This can help trace the source of the attack and determine the approximate location of the attacker.

2) Check the mobile phone number and email:

        Through related websites and tools (such as ipwhois, Weibu, Webmaster's Home, etc.), you can reverse check the mobile phone number and email address used by the attacker. This information can sometimes be correlated with other attack events or malicious behavior, providing more clues about the attacker.

3) Description of information such as social software and shopping platforms:

        Attackers leave many footprints on the Internet. Using information such as social software, shopping platforms, and forums, you can collect the attacker's personal information, hobbies, work experience, etc., so as to draw a portrait of the attacker. This information can help in further investigation and traceability work.