Table of contents:
1. How to find vulnerabilities
2. How to dig the vulnerability once you have found it
3. How to submit the vulnerability
As long as you do penetration testing, you will hear plenty of industry veterans repeat the same thing: "information gathering". That is how important information gathering is: how much asset information you collect decides how far your later hands-on work can go!
How do you find SQL injection, logic flaws, payment flaws, broken access control (unauthorized access) and so on?
In fact it all comes down to the same idea: use Google search syntax (dorks), and use fofa to find mass-exploitable vulnerabilities. A few vulnerability types are covered below; the rest follow the same reasoning.
Part 1: How to Find Vulnerabilities
The first: SQL injection. To be honest, this kind of vulnerability is basically found quickly with Google search syntax.
Syntax: inurl:asp?id=23 company. At this point you will ask: isn't inurl:asp?id= on its own enough? Of course it is!
That works too! Use it if you want to find some odd sites like these:
Now you understand why adding "company" matters. I am looking for asp sites here. Why asp sites?
One of the most important reasons: they are easy to dig!
Of course, I have only found a small number of sites this way, and what if you suddenly find that they are duplicates?
That is simple: just change the id, my friend!
inurl:asp?id=34 company: the id value here keeps changing, and you can compare the results.
Different, right? Of course, if you are interested you can also search inurl:php?id=12 company
That also turns up a lot of sites, but the probability of them having a WAF is very high.
Of the ten I found, nine had one, so if you want to score quickly, the asp sites must not be left out!
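The reason the "asp?id=23" pattern above is so easy to dig is that the id value is pasted straight into the SQL text. The following is an added example, not code from the original post: a minimal lookup in that injectable form next to the hardened version, using an in-memory SQLite table with constructed rows. It reproduces the two signals the post later reads from the page (an error after a single quote, and a page that changes between and 1=1 and and 1=2) and shows that type validation plus a bound parameter removes both.

```python
# Added example, not code from the original post: a stripped-down version of the
# "news.asp?id=23" pattern the post searches for, once as the injectable form and
# once hardened. Uses an in-memory SQLite table filled with constructed rows.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one public article and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(23, "Company profile", 1), (24, "Unpublished draft", 0)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """The injectable form: the query-string value is pasted into the SQL text."""
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = " + raw_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return []  # "23'" or "23 and 1=1" is not an integer; reject before any SQL runs
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = ?"
    return conn.execute(sql, (news_id,)).fetchall()


def quote_probe_errors(conn: sqlite3.Connection, lookup, raw_id: str) -> bool:
    """True if appending a single quote makes the lookup raise a database error.

    This is the signal the post reads from the page: a visible SQL error after
    adding ' means the value reached the parser as SQL, not as data.
    """
    try:
        lookup(conn, raw_id + "'")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, quote probe errors:", quote_probe_errors(conn, vulnerable_lookup, "23"))
    print("vulnerable, 'and 1=1':", vulnerable_lookup(conn, "23 and 1=1"))
    print("vulnerable, 'and 1=2':", vulnerable_lookup(conn, "23 and 1=2"))
    print("safe, quote probe errors:", quote_probe_errors(conn, safe_lookup, "23"))
    print("safe, 'and 1=1':", safe_lookup(conn, "23 and 1=1"))
```

In the vulnerable form the `published = 1` filter is only as strong as whatever text follows it, which is why the post's and 1=1 / and 1=2 pair makes the page flip. In the safe form the value can only ever be an integer bound by the driver, so neither probe reaches the database as SQL, and the same fix applies whether the real site is ASP, PHP or anything else.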
The second: admin backend vulnerabilities
I won't go into detail here, because these sites are easy to find, really easy to find, but very few people actually get in with weak passwords.
Go straight to a search mirror site, type inurl: and every kind of admin backend comes crawling out; there are so many admin login pages.
You can see a pile of backends here. Of course, when you go at these backends with weak passwords, you rarely get in.
Did you notice that when I typed inurl: it auto-completed the keywords for me? That shows a lot of people dig this.
Generally, when working on a backend, gather information first (that is covered later); anyway, I haven't gotten into many.
Third: payment vulnerabilities
The protection here is stricter than on ordinary sites, and very few sites are online shopping malls.
Actually, while digging, you can keep an eye on whether the site has a PayPal payment function; if it does, you can try it. This is still a useful trick.
Then there are logic flaws, such as horizontal and vertical privilege escalation, arbitrary password reset and so on. There are still many of these, and everyone can test them at their own pace!
Last: how do you find mass-exploitable vulnerabilities?
This is where we rely on our almighty fofa. First of all, we need to know which CMSes have vulnerabilities.
You can find vulnerability libraries online; they generally have collections of vulnerabilities, and I will recommend one or two later.
Look at how many CMSes there are: a mass vulnerability hits every one of them, and the top-scoring ones are certainly among them.
However, some of them were submitted as duplicates, so let me show you a student's results!
Of course, a few were duplicates, but it was still pretty good.
Part 2: How to dig the vulnerability after finding it
Having read the first part, I believe you already know how to find vulnerabilities, so let's talk about how to dig them. Here I cover event-type and general-type vulnerabilities.
The first to come has to be our SQL injection. First use our general syntax inurl:asp?id=xx company
Just click in; don't be afraid, as long as it isn't illegal, we're not doing anything bad.
Seeing that an id parameter is passed here, you can try entering a single quote to see what happens.
An error. What does it mean? It means there may be injection, my friend; directly add and 1=1 | and 1=2
If you have time and interest, you can try bypassing. One point I'll mention here, after the basic exercise of bypassing the "dog" (slang for a WAF): generally, when you see this kind of site, just give up and move on to the next one. Understand that working out what a WAF flags means testing it one step at a time, which wastes time and progress.
After some searching, we arrived at this site:
When you see the site, add a single quote directly to see whether it throws an error.
It errored! What does that mean? There's something to work with! Then directly add and 1=1 | and 1=2
The effect is very obvious. In this case, throw it straight into sqlmap; anyway, I threw it into sqlmap, and if you have enough time you can do it by hand.
Doesn't it just come out? Digging is that simple; don't make it more complicated than it is. The command used here is sqlmap.py -u URL -p "parameter"; don't ask me why, it's because specifying the parameter with -p makes it run faster.
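Every step of that sequence (the stray single quote, the and 1=1 / and 1=2 pair, then sqlmap) leaves a trace in the target's access log, which is what a site owner or SOC sees. The following is an added example and not part of the original post: a small detector for exactly those probes, run over constructed Apache/nginx combined-format log lines. The IP addresses, paths and timestamps are made up for the demonstration; the one real-world detail used is that sqlmap's default User-Agent string begins with "sqlmap/".

```python
# Added example, not from the original post: a small log-side detector for the
# probes the post describes (a stray single quote, "and 1=1 / and 1=2", and sqlmap),
# run over constructed Apache/nginx combined-format access log lines.
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The boolean pair the post uses to confirm injection, in any case and spacing.
BOOLEAN_PROBE = re.compile(r"\b(and|or)\s+1\s*=\s*[12]\b", re.IGNORECASE)

# Constructed sample: one client runs the post's sequence against news.asp,
# another is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /news.asp?id=23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /news.asp?id=23%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /news.asp?id=23%20and%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "GET /news.asp?id=23%20and%201%3D2 HTTP/1.1" 200 1480 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:09 +0000] "GET /news.asp?id=23%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /news.asp?id=24 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""


def classify_request(target: str, user_agent: str, status: int = 200) -> list:
    """Return the reasons one request looks like SQL injection probing ([] if clean)."""
    reasons = []
    if "sqlmap/" in user_agent.lower():  # sqlmap's default User-Agent starts with "sqlmap/"
        reasons.append("sqlmap user-agent")
    # parse_qsl percent-decodes values, so %27 becomes ' and %3D becomes =
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if "'" in value:
            reasons.append(f"quote in parameter {name}")
            if status >= 500:
                reasons.append("server error on quoted input")  # the "it errored" signal
        if BOOLEAN_PROBE.search(value):
            reasons.append(f"boolean probe in parameter {name}")
    return reasons


def scan_log(text: str) -> list:
    """Parse each line and keep (ip, target, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        reasons = classify_request(m["target"], m["ua"], int(m["status"]))
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


def flagged_per_ip(text: str) -> Counter:
    """How many flagged requests each client made; a quick triage view."""
    return Counter(ip for ip, _, _ in scan_log(text))


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
    print(flagged_per_ip(SAMPLE_LOG))
```

The single quote followed by a 500 is the strongest indicator that the application is passing the parameter to the database unparsed, and a 5xx on a quoted value is worth alerting on even with no other signal. Counting per client ties the quote, the boolean pair and the tool run together into one story, which is the same story the post tells from the other side.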
The next site: this site's vulnerabilities are arbitrary password reset and CSRF. First the CSRF vulnerability; I believe you know it without me explaining. Here is the vulnerability.
You can test it yourself. Here I mainly want to talk about the arbitrary password reset vulnerability (this has since been fixed).
At this step, capture the request.
Change the email here to your own, so that your mailbox receives the verification link; then just click it.
Seeing this, don't logic flaws such as payment flaws and verification-code bypasses feel like easy points to dig? Do you get that feeling too?
There are many types, and this is already too long to read, so take these two examples as a reference~
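The password-reset bug above comes down to one design mistake: the server sends the reset link to whatever e-mail address arrives in the request instead of the address stored on the account. The following is an added example, not code from the original post or the site it describes: the bug in a few lines beside a hardened handler. The usernames, addresses, URLs and in-memory "outbox" are constructed for the demonstration.

```python
# Added example, not from the original post: the arbitrary-password-reset bug the
# post walks through (edit the e-mail field in the captured request and the reset
# link lands in your own mailbox) next to a hardened handler. The user table,
# link format and outbox are constructed for this demonstration.
import hashlib
import secrets
import time


def demo_users() -> dict:
    """Constructed account store: username -> stored e-mail and password."""
    return {"alice": {"email": "alice@example.com", "password": "old-password"}}


class ResetService:
    def __init__(self, users: dict, ttl_seconds: int = 900):
        self.users = users
        self.ttl = ttl_seconds
        self.outbox = []   # (recipient, reset link) the mailer would send
        self.tokens = {}   # sha256(token) -> (username, expiry); only a hash is stored

    def _issue_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, unlike a sequential id
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (username, time.time() + self.ttl)
        return token

    def request_reset_vulnerable(self, username: str, email: str) -> None:
        """The bug: the recipient is whatever e-mail the client put in the request."""
        if username not in self.users:
            return
        token = self._issue_token(username)
        self.outbox.append((email, f"https://app.example/reset?token={token}"))

    def request_reset(self, username: str, email_claimed: str = "") -> None:
        """Hardened: the recipient is the address stored on the account.

        email_claimed is accepted only to show that a client-supplied value is
        ignored entirely; it is never used.
        """
        user = self.users.get(username)
        if user is None:
            return  # same silent outcome for unknown names: no account enumeration
        token = self._issue_token(username)
        self.outbox.append((user["email"], f"https://app.example/reset?token={token}"))

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume a token once; reject unknown or expired ones."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return False
        username, expires_at = entry
        if time.time() > expires_at:
            return False
        self.users[username]["password"] = new_password
        return True

    def last_recipient(self):
        return self.outbox[-1][0] if self.outbox else None

    def last_token(self):
        return self.outbox[-1][1].split("token=", 1)[1] if self.outbox else None


if __name__ == "__main__":
    svc = ResetService(demo_users())
    svc.request_reset_vulnerable("alice", "someone-else@example.net")
    print("vulnerable handler mailed:", svc.last_recipient())
    svc.request_reset("alice", "someone-else@example.net")
    print("hardened handler mailed:", svc.last_recipient())
    print("reset completed:", svc.complete_reset(svc.last_token(), "new-password"))
    print("token reused:", svc.complete_reset(svc.last_token(), "again"))
```

The fix is not in the token at all; a perfectly random token mailed to the wrong inbox still resets the account. What matters is that the recipient is looked up server-side from the identity being reset, and the token is then single-use, short-lived and stored only as a hash so that a leaked database does not hand out live reset links.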
Part 3: How to Submit Vulnerabilities
3. Submit a report. For example, baidu.com has SQL injection. Step 1: "Title", "Vendor information" and "Domain name". Use the webmaster tool icp.chinaz.com/baidu.co... to query the domain's filing information; see, this is the company name.
Write the vulnerability category like this; if it isn't a 0day, just do it as in the picture.
The domain it belongs to should be the company's "website homepage" or "official website". See this?
Visit it first; if there is no problem, copy it.
Step 2: Other content
Vulnerability type: generally a web vulnerability, then write what the vulnerability is; here it is SQL injection.
Vulnerability level: SQL injection is generally high risk, but if the vendor is relatively small it gets downgraded to medium risk.
Brief description of the vulnerability: describe what SQL injection is, what harm it does, and so on.
Vulnerability URL: the URL where the vulnerability occurs.
Affected parameter: write whichever parameter can be injected.
Vulnerability POC request: capture a request in Burp and copy-paste it.
If you find it troublesome to type all this every time, you can create a new notepad file, write the skeleton, and replace some of the content when submitting.
Putting the title, brief description of the vulnerability, reproduction steps and remediation plan in it saves a lot of time!
Although today's content is long, it is all solid material! From finding the vulnerability to submitting it in one go! Laid out clearly!
Note: Any unauthorized penetration is illegal. We dig on SRC platforms precisely because we fear breaking the law. Remember: stop at the proof of concept and do not touch the data inside. After discovering a vulnerability, submit it as soon as possible and contact the vendor for repair.