Basics of website analysis and reconstruction of electronic data forensics

1. Overview of website analysis
1. Whichever method or tool is used for the inspection, the materials seized from the server are extracted and preserved in one of the following common forms:

  • Website page data;
  • Server image file;
  • Website code + database file;

2. Analysis of a server image file is divided into static analysis and dynamic analysis:

  • Static analysis: can be completed through automatic identification by forensic analysis software;
  • Dynamic analysis: use virtualization software to boot the imaged operating system, then configure and access the website;

3. Commonly used basic Linux commands:

  • Enter a directory: cd
  • List files: ls
  • Network interface configuration: ifconfig
  • Ports and connections: netstat
  • Login history: last

2. During dynamic forensics, after the image is booted in a virtual machine, remote connections to the server often fail. How to solve this:

1. First, understand how the virtual machine's network adapter maps to the host's network adapter:

VMware provides three network modes: Bridged (bridge mode), NAT (network address translation mode), and Host-Only (host-only mode).

Open the VMware virtual machine. Under "Edit" > "Virtual Network Editor" we can see VMnet0 (bridge mode), VMnet1 (host-only mode), and VMnet8 (NAT mode). What are these, and what do they do? VMnet0 is the virtual switch used in bridge mode; VMnet1 is the virtual switch used in host-only mode; VMnet8 is the virtual switch used in NAT mode.

  • In bridge mode, the host's network connection and the virtual machine are peers: the virtual machine also connects to the router upstream of the host;
  • In NAT mode, the virtual machine uses the VMnet8 adapter and reaches the network through the host;

2. The following situations may require manual settings:

  • The network interface in the server image is not set to start automatically: if ifconfig shows no address, the interface has not been brought up. Solution: ifup <interface name>, for example: ifup ens33
  • A static IP is configured in the server image: edit the interface configuration with vi, or temporarily change the address with ifconfig <interface name> 192.168.1.3.

3. Obtain relevant data through commands

1. The common command netstat -anpt outputs a table of open ports and the services listening on them; if it gives no output, ss -anpt shows almost the same thing; use it to confirm the network status;

2. Command history: run the history command, or read the file directly: cat /root/.bash_history

3. Find the website backend:

4. If Navicat fails to connect to the database directly, try connecting through an SSH tunnel instead;

4. Various server type configuration files

1. Apache server configuration file:
File name: httpd.conf
Default path: /etc/httpd/conf/httpd.conf

Important configuration:
  • Listen: port number;
  • ServerName: host name or domain name;
  • DocumentRoot: website directory;
  • CustomLog: access log;

2. Nginx server configuration file:
File name: nginx.conf
Default path: /etc/nginx/conf/nginx.conf

Important configuration:
  • listen: port number;
  • server_name: host name or domain name;
  • root: website directory;
  • access_log: access log;

Both Apache and nginx can use the include directive to pull in additional configuration files;

3. Tomcat server configuration file:

Tomcat is a Java-based server; Apache and nginx are the servers typically used for PHP sites;
Configuration file: server.xml;
WAR package: deployed directly under Tomcat's webapps directory; retrieve the WAR package directly and reconstruct the website from it;

4. Spring and Spring Boot:
Spring / Spring Boot applications embed Tomcat as one component and ship as a JAR package, which is also a compressed archive; the manifest file is parsed much like an app package;

A WAR package can be run in any Tomcat; a JAR package is more involved;

5. Database configuration file

1. MySQL database:
File name: my.cnf / my.ini
Default path: /etc/my.cnf

  • port: port;
  • datadir: data directory;
  • default-storage-engine: storage engine;
  • innodb-file-per-table: one tablespace file per table;
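The directive lists in sections 4 and 5 can be pulled out of a mounted image automatically. The helper below is an added example, not code from the original post: it walks httpd.conf / nginx.conf / my.cnf, follows include lines (globs included) relative to an assumed mount point, and returns the directives the page names; the sample configs it writes are constructed, and `WANTED`, `extract_directives` and `build_sample_image` are names chosen here.

```python
import glob
import os
import tempfile

WANTED = {  # directives the page singles out per server type (matched case-insensitively)
    "apache": ("listen", "servername", "documentroot", "customlog", "include", "includeoptional"),
    "nginx": ("listen", "server_name", "root", "access_log", "include"),
    "mysql": ("port", "datadir", "default-storage-engine", "innodb-file-per-table"),
}

def extract_directives(path, kind, mount="/", _seen=None):
    """Return [(file, directive, value)] for a config file, following include lines
    (globs allowed): absolute includes resolve under the image mount point, relative
    ones against the including file's directory (Apache really uses ServerRoot)."""
    _seen, found = (set() if _seen is None else _seen), []
    if path in _seen or not os.path.isfile(path):   # guard against include loops
        return found
    _seen.add(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip().rstrip(";").strip()   # drop comments and ';'
            # my.cnf is "key = value"; httpd.conf / nginx.conf are "key value"
            key, _, value = line.partition("=" if kind == "mysql" else " ")
            key, value = key.strip().lower(), value.replace('"', "").strip()
            if key not in WANTED[kind]:
                continue
            found.append((path, key, value))
            if key.startswith("include"):
                target = (os.path.join(mount, value.lstrip("/")) if value.startswith("/")
                          else os.path.join(os.path.dirname(path), value))
                for sub in sorted(glob.glob(target)):
                    found.extend(extract_directives(sub, kind, mount, _seen))
    return found

def build_sample_image():
    """Write constructed nginx + MySQL configs (sample text only) into a temp dir that stands in for the mount point."""
    mount = tempfile.mkdtemp(prefix="img_")
    os.makedirs(os.path.join(mount, "etc/nginx/conf.d"))
    files = {
        "etc/nginx/nginx.conf": "http {\n  access_log /var/log/nginx/access.log main;\n  include /etc/nginx/conf.d/*.conf;  # vhosts\n}\n",
        "etc/nginx/conf.d/site.conf": "server {\n  listen 8080;\n  server_name shop.example.test;\n  root /data/www/shop;\n}\n",
        "etc/my.cnf": "[mysqld]\nport = 3306\ndatadir=/var/lib/mysql\ninnodb-file-per-table\n",
    }
    for rel, text in files.items():
        with open(os.path.join(mount, rel), "w") as fh:
            fh.write(text)
    return mount

if __name__ == "__main__":  # demo run over the constructed image
    m = build_sample_image()
    print(*extract_directives(os.path.join(m, "etc/nginx/nginx.conf"), "nginx", m), sep="\n")
```

On a real image, point `mount` at the mounted filesystem root and `path` at the config file inside it; the returned file column tells you which included file each vhost actually came from.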

6. Integrated website environment

LAMP website environment: Linux + Apache + MySQL + PHP


Origin blog.csdn.net/weixin_47401101/article/details/130422877