Web penetration testing: the basic steps

Common basic steps:

I. Information gathering

  Before testing a site, first collect information about it: whois records, the site's real IP address, other sites hosted on the same server, other hosts in the same C-class range, the server's OS version, the web container version, the application version, the database type, second-level domain names, any firewall in front of it, maintainer details, and anything else of this kind.

II. Collect the e-mail address the target site was registered with

  • Check social-engineering credential databases for a leaked password, then try the leaked password on the site's back-end login.
  • Use the e-mail address as a keyword and put it into a search engine.
  • Use the related information the search turns up to find other e-mail addresses and the commonly used social accounts linked to them.
  • Look through those social accounts; they may reveal the administrator's password habits.
  • Generate a dedicated dictionary from the information already gathered.
  • Observe which non-mainstream sites the administrators frequently visit and see what turns up there.

III. Identify the site's CMS

  • Search for already-disclosed vulnerabilities in that program and test them against the site.
  • If it is open source, download the matching source code and audit it.
  • Search for sensitive files and scan directories.

IV. Common web server containers

  IIS, Apache, nginx, WebLogic, Tomcat

V. Injection points and vulnerabilities

  • Test manually to see which vulnerabilities exist.
  • Check whether there are injection points.
  • Use tools and a testing platform to find out which of the vulnerabilities are actually exploitable.

VI. How to quickly tell by hand whether the target is a Windows or a Linux server?

  Linux paths are case sensitive; Windows paths are not.

VII. How to get past upload detection?

  • Wide-character injection
  • Hex-encoding bypass
  • Detection bypass
  • Truncation bypass

VIII. If an editor component is found

  Note the editor's name and version, then search for publicly disclosed vulnerabilities in it.

IX. The page shows garbled text when visiting an uploaded large web shell

  Change the browser's character encoding.

X. Inspect the elements of the upload point

  Some sites implement their upload-type restriction only in the front end; in that case, simply adding the wanted type to the allowed types in the page is enough to get past the limit.

XI. The target has an anti-injection system that responds to an injection attempt with: "The system has detected illegal injection behaviour. Your IP xx.xx.xx.xx has been recorded. Time: XXXX. Submitted page: xxxx. Submitted content: and 1=1"

  This system can itself be used to obtain a shell by injection: submit a one-line web shell directly in the URL, and the site records it into its database file. At that point, try to locate the site's configuration file and connect to it directly with Chopper.
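The injection points of section V and the "anti-injection system" of section XI come down to the same root cause: user input is pasted into SQL text, or into a file that is later interpreted. The following is an added example, not code from the original post, that puts the weak string-built query beside the parameterised one and records a blocked request as data through the same parameterised mechanism, so the submitted payload is stored, never executed. The user table, the IP address and the probe string are constructed for the example.

```python
# Added example (not from the original post): string-built query versus
# parameterised query, plus a parameterised "blocked request" log. Uses an
# in-memory SQLite database filled with constructed data.
import sqlite3


def make_db():
    """Build a small constructed user table and a table for blocked requests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.execute("CREATE TABLE blocked (ip TEXT, page TEXT, payload TEXT)")
    return conn


def find_user_vulnerable(conn, name):
    """The weak pattern: the parameter is concatenated into the SQL text,
    so quote characters in it change the meaning of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """The hardened form: the driver sends the value separately from the SQL,
    so it is compared as a string and never parsed as part of the statement."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def record_blocked(conn, ip, page, payload):
    """Record a rejected request as a table row (data), not by writing the
    submitted text into a script or configuration file. Returns the row count."""
    conn.execute("INSERT INTO blocked VALUES (?, ?, ?)", (ip, page, payload))
    return conn.execute("SELECT COUNT(*) FROM blocked").fetchone()[0]
```

With the constructed probe string, the string-built query returns every row of the table, the parameterised query returns nothing because no user has that literal name, and the blocked-request table holds the probe exactly as submitted.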

XII. An upload path is found and files come back as a txt download

  After finding the download vulnerability (in index.php, after the file= parameter), try downloading the site's home page file, then keep looking for the home page and configuration files of the other sites; those can reveal the database password and database address.

XIII. The root directory contains an /abc/ directory, and an editor and an admin directory exist under it

  Scan for sensitive files and directories directly under the site's second-level directory /abc/.

XIV. Changing the administrator password in the back end, where the original password is displayed as *

  Inspect the element and change the password field's type attribute to text; the password is then shown in clear.

XV. The target has no protection: uploaded images can be accessed, but uploaded script files return 403. What is the reason? There are many possible reasons; one is that the web server configuration fixes the upload directory so that the corresponding scripts are not executed there. Try changing the suffix to get past it.
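Sections VII, X and XV all point at the same weakness: upload checks that trust the file name the browser sends, or that run only in the front end. The following is an added example, not code from the original post, of the server-side check a defender puts behind the form: it rejects null-byte truncation, considers only the last extension against an allow-list, requires the file's leading bytes to match the claimed type, and chooses the on-disk name itself. The allow-list, the file names and the byte strings are constructed, and the check complements, rather than replaces, serving the upload directory without script execution as section XV describes.

```python
# Added example (not from the original post): server-side upload validation
# that does not depend on anything the browser does. The allow-list of image
# types and their leading bytes is constructed for the example.
import os
import secrets

ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename, content):
    """Return (ok, detail): ok is True only for an allow-listed image whose
    bytes match; detail is the extension on success or the reason on failure."""
    # Truncation bypass: a NUL inside the name can cut it short in a lower layer,
    # so the name a check sees and the name written to disk would differ.
    if "\x00" in filename:
        return False, "null byte in filename"
    # Discard any client-supplied directory part; only the base name counts.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    # Use the last extension only, lower-cased, and require it on an allow-list.
    # A deny-list of script suffixes is exactly what suffix tricks get around.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    # The bytes must look like the claimed type, so a script renamed .png fails.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, ext


def stored_name(ext):
    """Server-chosen random file name; the client's name is never used on disk."""
    return secrets.token_hex(16) + "." + ext
```

A real handler would call validate_upload first, then write the content under stored_name(ext) inside a directory the web server serves as static files only.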

XVI. Scan the URL directories

  Use a tool to enumerate the site's directories; there is a good chance of turning up the back-end admin address and other sensitive directories.

XVII. When the back-end admin directory has been found by scanning

  Password brute-forcing becomes possible: use the administrator password information we collected earlier for login attempts against the back end.
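Sections XVI and XVII describe directory scanning and back-end password guessing from the tester's side; on the server side both leave a distinctive trace in the access log. This added example, not code from the original post, parses a handful of constructed combined-format log lines and flags the two patterns. The IP addresses, paths, the login URL and the thresholds are assumptions to be tuned for a real site, and treating a trailing 302 after repeated 200 responses as a successful login is an assumption about how that particular login page answers.

```python
# Added example (not from the original post): flagging directory scanning and
# repeated back-end login attempts in constructed web server access log lines.
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log: one IP probing for directories, one hammering the
# login page, and one ordinary visitor with a single missing image.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2019:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2019:10:00:02 +0800] "GET /admin/ HTTP/1.1" 404 162
203.0.113.9 - - [10/Oct/2019:10:00:02 +0800] "GET /backup/ HTTP/1.1" 404 162
203.0.113.9 - - [10/Oct/2019:10:00:03 +0800] "GET /config.bak HTTP/1.1" 404 162
203.0.113.9 - - [10/Oct/2019:10:00:03 +0800] "GET /abc/ HTTP/1.1" 403 162
203.0.113.9 - - [10/Oct/2019:10:00:04 +0800] "GET /abc/admin/ HTTP/1.1" 200 733
198.51.100.7 - - [10/Oct/2019:10:01:00 +0800] "POST /abc/admin/login.php HTTP/1.1" 200 91
198.51.100.7 - - [10/Oct/2019:10:01:01 +0800] "POST /abc/admin/login.php HTTP/1.1" 200 91
198.51.100.7 - - [10/Oct/2019:10:01:01 +0800] "POST /abc/admin/login.php HTTP/1.1" 200 91
198.51.100.7 - - [10/Oct/2019:10:01:02 +0800] "POST /abc/admin/login.php HTTP/1.1" 200 91
198.51.100.7 - - [10/Oct/2019:10:01:02 +0800] "POST /abc/admin/login.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2019:10:02:00 +0800] "GET /news.php?id=3 HTTP/1.1" 200 2048
192.0.2.44 - - [10/Oct/2019:10:02:05 +0800] "GET /missing.png HTTP/1.1" 404 162
"""


def parse(log_text):
    """Yield (ip, method, path, status) for every line the pattern understands."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(3), m.group(4), int(m.group(5))


def find_dir_scanners(log_text, min_misses=3):
    """IPs that received 403/404 for at least min_misses distinct paths:
    the shape a directory brute-force tool leaves behind. Returns {ip: count}."""
    misses = defaultdict(set)
    for ip, _method, path, status in parse(log_text):
        if status in (403, 404):
            misses[ip].add(path)
    return {ip: len(paths) for ip, paths in misses.items() if len(paths) >= min_misses}


def find_login_guessing(log_text, login_path="/abc/admin/login.php", min_posts=4):
    """IPs posting to the login page at least min_posts times. The flag in the
    result is True when the last response was a 302 (assumed to mean success
    after a run of failures). Returns {ip: (post_count, ended_with_302)}."""
    posts = defaultdict(list)
    for ip, method, path, status in parse(log_text):
        if method == "POST" and path == login_path:
            posts[ip].append(status)
    return {ip: (len(codes), codes[-1] == 302) for ip, codes in posts.items() if len(codes) >= min_posts}
```

On the sample, the first IP is reported as a directory scanner with four distinct misses and the second as a login guesser whose fifth attempt was answered with a redirect; the ordinary visitor with one 404 stays below both thresholds.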


Next time you pass Chenghua Avenue, let's take a walk along Erxian Bridge together.


Source: www.cnblogs.com/FyJianc/p/11753532.html