Once you are familiar with the penetration testing process, an engagement becomes as simple as stacking building blocks!
Step One: Information gathering
Gathering information about the target site is very important in penetration testing; what you collect often turns out to be an unexpected gift later in the test.
1. Website structure
Use a directory scanning tool to scan the site's directories, mainly to turn up the administrator login page and sensitive files (.mdb, Excel and Word documents).
Determine the language the system is written in (PHP, JSP, ASP); depending on the language, later tests use different techniques.
Checking whether a subsystem exists, and then testing that subsystem, is another useful technique.
2. Crawling the site's directories
Use a crawler to map the site's directories, then scan them again with the directory scanning tool.
Crawlers work by following the links present in the pages, so the results are not entirely reliable.
Crawlers do not fetch robots.txt, so view the file manually (for example, Baidu: baidu.com/robots.txt); it may reveal the admin entrance.
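As an added example (not from the original post), here is a Python audit of a site's own robots.txt from the defender's side: it parses the file, including groups that list several User-agent lines, and flags Disallow entries that disclose an admin entrance or the sensitive file types mentioned above. The keyword list, the extension list and the sample robots.txt are constructed assumptions.

```python
from urllib.parse import unquote
# Path fragments that commonly mark administrative entry points (assumed list).
ADMIN_HINTS = ("admin", "manage", "backstage", "login", "console")
# Extensions the post names as sensitive, plus common backup/dump suffixes (assumed).
SENSITIVE_EXT = (".mdb", ".xls", ".xlsx", ".doc", ".docx", ".bak", ".sql", ".zip")

def parse_robots(text):
    """Return (user_agent, directive, path) tuples; a group may list several agents."""
    rules, agents, seen_rule = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if seen_rule:  # a new group begins once rules have already been seen
                agents, seen_rule = [], False
            agents.append(value)
        elif field in ("disallow", "allow"):
            seen_rule = True
            for agent in agents or ["*"]:  # rules before any User-agent apply to all
                rules.append((agent, field, unquote(value)))
    return rules

def find_exposures(text):
    """Return (agent, path) for Disallow rules that hint at admin portals or sensitive files."""
    findings = []
    for agent, directive, path in parse_robots(text):
        if directive != "disallow" or not path:
            continue
        lowered = path.lower().rstrip("*$")  # ignore wildcard/anchor suffixes
        if any(h in lowered for h in ADMIN_HINTS) or lowered.endswith(SENSITIVE_EXT):
            findings.append((agent, path))
    return findings

# Constructed sample robots.txt, not taken from any real site.
SAMPLE_ROBOTS = """
User-agent: *
Disallow: /admin/   # management console
Disallow: /backup/db.mdb
Allow: /public/
User-agent: Googlebot
User-agent: Bingbot
Disallow: /private/login.php
"""

if __name__ == "__main__":
    for agent, path in find_exposures(SAMPLE_ROBOTS):
        print(f"[{agent}] discloses {path}")
```

Every path the audit reports is one a scanner or a reader of robots.txt would learn for free, so it should either be removed from the file or protected by authentication rather than by obscurity.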
3. Collecting the site's WHOIS information
Use Baidu or Google (if the link doesn't open, sort it out yourselves, oh~) to look up information about the site,
or a dedicated WHOIS query site; I recommend toolbar.netcraft.com/site_report, or a domain registration record lookup site.
The point is to query in several ways and collect as much as possible: web container, OS, e-mail addresses... this information is useful for social engineering.
4. Collecting web container information
For IIS, Apache, Tomcat or nginx, look up whether exploit code exists for the exact version found.
5. Collecting all subdomains
For example, baidu.com has subdomains such as youxi.baidu.com, pan.baidu.com and tieba.baidu.com.
www.baidu.com is of course also a subdomain of Baidu; run the information gathering again against each subdomain.
6. Collecting information on neighbouring sites (sites sharing the server)
Many websites are hosted on a cloud host, and one server can run several sites.
When the target site is impregnable, a neighbouring site may be vulnerable, and we can reach our goal through it.
Search for websites by IP: s.tool.chinaz.com
7. Collecting the host's open ports
Use the king of scanners, Nmap, to scan all ports. Services and security are always at odds: the more services exposed, the more threats.
Step Two: Vulnerability scanning
Scan mainly for SQL injection, XSS, file inclusion, command execution and other high-risk vulnerabilities. Beginners can use automated scanning tools.
Note: scanner results are never complete, and some bugs cannot be found by a scanner at all.
1. Automated scanning tools
Burp Suite: integrates a proxy, directory crawling, vulnerability scanning, form brute-forcing, and encoding/decoding; an absolute must-have!
AWVS: used together with Burp, the results are even better!
AppScan: made by IBM; it used to be a very popular scanning tool!
2. Manual testing
This needs patience!
Scanners cannot find logic vulnerabilities, some stored XSS, and some SQL injection vulnerabilities; all of these require manual testing.
Step Three: Vulnerability verification
To borrow Grandpa Mao's sentence, "practice is the sole criterion for testing truth"; not to mention that scan results may not be correct.
This part is the real focus, and it cannot be covered in one or two articles.
Common high-risk vulnerability types:
"SQL injection"
"Stored XSS"
"CSRF"
"File upload vulnerability"
"Command execution"
"File inclusion"
That's all for today; I will introduce each of them in a separate post!
I am Anka9080; friends are welcome at my blog hut, and come chat if you're interested~
P.S.: I'm thick-skinned and immune to all kinds of ranting, brick-throwing and rotten-egg-pelting @#
[Security basics] Web security: the penetration testing process