Routine steps for solving web challenges
First collect information
Types of questions
SQL injection
Simple injection
Wide-byte injection (aimed at GBK encoding)
MySQL tricks
Getting around keyword detection and blocking
MongoDB injection
HTTP header injection
IP address
Second-order injection
Problem-solving ideas
For simple injection, exploit by hand or run sqlmap
Determine the injection point: is it HTTP header injection? Is the injection inside an image? And so on
Make use of error-based injection (the injection error message)
Try various methods to bypass the filtering
Look for the presence of a common template injection vulnerability
Small tricks:
Insert-time data truncation: insert "admin x" to bypass checks or gain unauthorized access.
Watch out for second-order injection
Some applications take the username straight from the session and use it directly in a database query. Combined with the field-length cutoff, a trailing \ is escaped by GPC to \\ but truncated back to \ , which triggers the injection.
If you cannot guess the column names in the database, look for the admin backend and view its page source: the login form's field names are usually the same as the column names in the database.
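The truncation-after-escaping mistake behind the tip above, as an added PHP example (not from these notes): the escaped value is cut to the column width in PHP, which is the same effect a non-strict database column produces by silently truncating. NAME_MAX, the function names and the sample username are assumptions.

```php
<?php
// Added example (not from the original notes): why "escape, then truncate to the
// column length" breaks, and the safe order of operations.

const NAME_MAX = 20; // assumed length of the users.username column

// Vulnerable pattern: escape first, then cut to the column width. A trailing
// backslash becomes "\\" after escaping and is cut back to a lone "\", which
// then escapes the closing quote of the SQL string literal.
function build_insert_vulnerable(string $user, string $pass): string {
    $escaped = substr(addslashes($user), 0, NAME_MAX); // truncation after escaping
    $pass    = addslashes($pass);
    return "INSERT INTO users (username, password) VALUES ('$escaped', '$pass')";
}

// Hardened pattern: validate the length of the raw input first, reject anything
// that would be truncated, and bind the values instead of concatenating them.
function build_insert_hardened(string $user, string $pass): array {
    if (strlen($user) === 0 || strlen($user) > NAME_MAX) {
        throw new InvalidArgumentException('username length out of range');
    }
    // Prepared-statement form: the SQL text never contains user data, so a
    // backslash or quote in $user is just data when it is bound.
    return [
        'sql'    => 'INSERT INTO users (username, password) VALUES (?, ?)',
        'params' => [$user, $pass],
    ];
}

// Constructed input: 19 ordinary characters followed by one backslash (20 chars).
$username = str_repeat('a', NAME_MAX - 1) . '\\';

echo build_insert_vulnerable($username, 'secret'), "\n";
// The username literal now ends in \' : the quote is escaped, the string runs on
// into the password column, and the statement no longer means what the code intended.

var_dump(build_insert_hardened($username, 'secret'));
// Same input, length within bounds, passed as a bound parameter: nothing to escape.
```

The detection point for reviewers is the order of operations: any length limit (substr, a column width, a framework validator) applied after escaping can undo the escaping, so check length on the raw value and use bound parameters.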
Bypassing Safedog (the "security dog" WAF)
select
For ASP + Access, first dig out the characteristics of the database.
1. Characters that can replace a space: %09, %0A, %0C, %0D
2. Characters that can truncate the rest of the statement like a comment: %00, %16, %22, %27
3. When %09, %0A, %0C or %0D exceed a certain length, Safedog's defense fails.
4. User-Agent: change it to BaiduSpider
Offset injection
1. A UNION query requires an equal number of columns in the same order
2. Select * from admin as a inner join
3. * stands for all fields: if the admin table has several fields, * stands for that many fields
Xss
Simple stored XSS that hits the administrator backend
Bypassing the XSS auditors of various browsers
Rich text: bypassing whitelist and blacklist filters
CSP bypass
Flash XSS
AngularJS client-side template XSS
XSS - Tools
XSS platform
SWF decompiler
Flasm
DoSWF ( SWF encryption)
Flow crypt ( SWF encryption)
Problem-solving methods
Simple XSS with no filtering at all: use an XSS platform directly to hit the administrator's cookie
Tags are filtered: try various bypass methods
Security policies such as CSP: try the corresponding bypass method
Reverse the .swf file, audit its source code, and construct the XSS payload
XSS - CSP bypass
1. bugpass AngularJS series bypass
2. Policy priority bypass
iframe sandbox and CSP sandbox
When the iframe sandbox allows JS execution but CSP does not, the CSP is ignored
XSS - bypass using HTML5 tags
Code audit (follow the hints; the challenge title often tells you)
ASP code audit
PHP code audit
Python code audit
Various techniques for finding the source code
Tools
Seay code audit tool
RIPS code audit tool
GitHack
Problem-solving ideas
1. Follow the hints and guess whether the source code needs to be audited
2. Get the source code directly, or use various techniques to find it, then view the source files or exploit
3. Audit the code manually alongside the challenge, find where the injection is, or write the corresponding script
4. Search for key functions: admin(), check(), upload()
5. Search for key files: config.php, check.lib.php, xxx.class.php
File Upload
00 truncation upload
Multipart/form-data uppercase bypass
Fancy file suffixes
(.php345 .inc .phtml .phpt .phps)
Various file-content checks
Various parsing vulnerabilities
Fancy ways of embedding a webshell
Online editor vulnerabilities (FCKeditor)
File inclusion
Tools
Webshell scripts
AntSword (China Ant Sword)
Problem-solving ideas
1. Simple file upload: view the
2. If only the front end filters the extension and file type, capture the request and bypass it
3. Whether a truncation upload vulnerability exists
4. Whether the file header is checked
5. If the content is checked, try bypass methods
6. If the uploaded webshell gets flagged, make it evade detection
7. Whether various parsing vulnerabilities exist
8. HTTP treats the first double CRLF (\r\n\r\n) as the end of the headers; when \r\n is not filtered, \r\n\r\n in a URL parameter can truncate the HTTP header and the code that follows gets injected
PHP characteristics
Weak typing
intval
strpos and ===
Deserialization + __destruct
\0 truncation
iconv truncation
parse_str function
Pseudo-protocols
Tools
Problem-solving ideas
1. Determine whether a PHP truncation characteristic applies
2. View the source and determine whether it is a PHP weak-typing question
3. Read the source code and pay attention to some special functions:
eval(), system(), intval()
4. Configuration variables, get the flag
5. Whether there is HPP (HTTP parameter pollution)
6. Magic hash
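An added PHP example (not from these notes) that works through the weak-typing, intval, strpos and magic-hash items above, each loose check next to the strict form that closes it. The helper names are assumptions; the two magic-hash inputs are the well-known QNKCDZO / 240610708 pair whose MD5 digests both start with 0e.

```php
<?php
// Added example (not from the original notes): loose-comparison pitfalls in
// authentication and filter code, each beside its strict replacement.
// Results are for PHP 7.x; where PHP 8 differs it is noted inline.

// 1. strpos() returns 0 for a match at offset 0, and 0 is falsy.
function contains_loose(string $hay, string $needle): bool {
    return strpos($hay, $needle) != false;   // wrong: offset 0 is treated as "not found"
}
function contains_strict(string $hay, string $needle): bool {
    return strpos($hay, $needle) !== false;  // right: 0 and false are told apart
}
var_dump(contains_loose('admin', 'adm'));    // bool(false): the filter silently misses
var_dump(contains_strict('admin', 'adm'));   // bool(true)

// 2. "Magic hash": two different MD5 digests that both look like 0e<digits>
//    compare equal under ==, because each numeric string is read as 0 * 10^n = 0.
function md5_equal_loose(string $a, string $b): bool {
    return md5($a) == md5($b);               // wrong: numeric-string comparison
}
function md5_equal_strict(string $a, string $b): bool {
    return hash_equals(md5($a), md5($b));    // right: byte-wise, constant-time
}
var_dump(md5_equal_loose('QNKCDZO', '240610708'));   // bool(true): 0e8304... == 0e4620...
var_dump(md5_equal_strict('QNKCDZO', '240610708'));  // bool(false)

// 3. intval() stops at the first non-digit, so a check on the parsed number says
//    nothing about what the raw string contained.
var_dump(intval('12abc'));                   // int(12)
function is_positive_int_strict(string $s): bool {
    return ctype_digit($s) && (int)$s > 0;   // right: validate the raw string first
}
var_dump(is_positive_int_strict('12abc'));   // bool(false)

// 4. Loose comparison of a non-numeric string with 0.
var_dump('abc' == 0);    // PHP 7: bool(true); PHP 8: bool(false)
var_dump('abc' === '0'); // bool(false) on every version: type and value both compared
```

When auditing, the pattern to look for is a `==` or `!=` anywhere a credential, token or hash is compared, and any `strpos`/`intval` result that feeds an `if` without `!== false` or prior validation of the raw string.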