It was too late to write yesterday, so today I am also writing up yesterday's part.
Check all client-side code, such as the HTML and JS, for hidden clues about the server side, hidden form elements and the like. Read the comments carefully; they often bring surprises. For example, some off-the-shelf programs place a link to the site's management backend on the homepage, but the site manager does not want ordinary visitors to know about it, so the link is commented out; by viewing the HTML source we learn its exact address. The JS called by most management backends stores the link addresses of every function module in the backend and only hides them after checking the current user's permissions, so we can see the full set of addresses simply by reading the JS. Some developers also record sensitive information in comments: several times I have obtained the database name from comments, and even the database connection details and SQL query statements.
Try to enumerate, in other places, the content we have already inferred. If the file a.php exists under the /111/ directory, we can try it under the /222/ directory as well. For the same file, try all the enumerated filenames with common suffixes: since index.php is known to exist, try suffixes such as txt, bak, src, inc and tmp, giving index.txt, index.bak and so on, or append them to the original suffix, giving index.php.bak and so on. This helps us find files that were not compiled, that were left over from development, or that are backups, and the list can be extended according to the language the site uses, such as the .cs suffix used in Java. Also search for temporary files created by developer tools or text editors, such as SVN's .svn/entries, the .bak files created by the automatic backup feature of editors like UltraEdit, the heavily used .tmp suffix, and legacy files such as index.php~1. These details can very well yield important clues, so these steps should definitely not be omitted.
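As an added example from the defender's side (not code from the original post), the same leftover patterns the post lists, applied as an audit of your own web root before deployment: it walks the tree and reports backup suffixes, editor copies such as index.php~1, and an exposed .svn/entries. The suffix sets, the "served script" extensions and the sample tree are assumptions built from the post's examples.

```python
import os
import re
import tempfile
from pathlib import Path

# Suffixes the post names as leftovers; assumption: .bak/.src/.tmp never belong in a web root
ALWAYS_SUSPECT = {".bak", ".src", ".tmp"}
# .txt/.inc are only suspicious beside a served script with the same stem (index.txt next to
# index.php), which keeps a legitimate robots.txt out of the report
SIBLING_SUSPECT = {".txt", ".inc"}
SERVED_EXTS = {".php", ".asp", ".aspx", ".jsp"}
# Editor leftovers such as index.php~ or index.php~1
EDITOR_BACKUP = re.compile(r"~\d*$")


def find_leftover_files(web_root):
    """Walk web_root and return sorted (relative_path, reason) pairs for files that look
    like source backups, editor temp files or VCS metadata reachable over HTTP."""
    root = Path(web_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if ".svn" in dirnames:
            # Report the metadata file the post mentions, then skip the .svn tree itself
            findings.append(((rel_dir / ".svn" / "entries").as_posix(), "SVN metadata exposed"))
            dirnames.remove(".svn")
        present = set(filenames)
        for name in filenames:
            p = Path(name)
            rel = (rel_dir / name).as_posix()
            if EDITOR_BACKUP.search(name):
                findings.append((rel, "editor backup copy"))
            elif p.suffix in ALWAYS_SUSPECT:
                findings.append((rel, f"{p.suffix} file in web root"))
            elif p.suffix in SIBLING_SUSPECT:
                # index.txt -> index.php ; index.php.txt -> index.php
                siblings = {p.stem} | {p.stem + ext for ext in SERVED_EXTS}
                if siblings & present:
                    findings.append((rel, f"{p.suffix} copy beside served script {p.stem}"))
    return sorted(findings)


def build_demo_root():
    """Constructed sample web root (not a real site) used to exercise the audit."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel in ["index.php", "index.php.bak", "index.txt", "robots.txt", "111/a.php",
                "222/a.php~1", "admin/config.php", "admin/config.inc", ".svn/entries"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("sample")
    return root
```

Run `find_leftover_files(build_demo_root())` to see the five findings; robots.txt and 111/a.php are correctly left alone.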
Reprinted from: Talk about penetration testing methods and processes
http://www.cnhonkerarmy.com/forum.php?mod=viewthread&tid=182245&fromuid=880485
Penetration case: a scan showed ports 3389 and 22 open. Connecting to port 3389 and pressing Shift five times did not bring up a cmd window. Uploading a one-line webshell with Burp Suite using 00 truncation failed (the upload filtered ASP, or only allowed the JPG format). Sometimes the cookie carries something like uploadpath=%2fuploadfiles%2f, which is the file upload path; if the server is IIS 6.0, the path can be changed to uploadpath/xx.asp;. (URL-encoded), the small webshell renamed to JPG format and uploaded, and the resulting path uploadfiles/xx.asp;.201406162302.jpg can then be connected to with Chopper.
Today I read a penetration write-up shared on a 163 NetDisk. The author first scanned with Nmap and found a Linux system with a DDoS firewall and port 22 open; testing with wafw00f detected no WAF; dnsenum checked the domains and found no DNS zone transfer vulnerability; the author checked for load balancing, then started brute-forcing SSH and MySQL with Hydra, but neither worked; scans with OWASP ZAP, WVS and Nessus found nothing; finally a bugscan scan turned up the address of a compressed archive, which was downloaded and code-audited, and a working exploit was found.

The author obtained the administrator's account password and wanted to upload a one-line webshell through the upload path found by scanning, but this did not work. Capturing the request showed that the image upload path had no drive letter; adding one manually still did not work. The author then thought of executing SQL commands to write a shell, which also failed, and had to go into the backend, only to find that it had few functions and no way to upload. A scan with Yujian (御剑) found phpMyAdmin; the root password was cracked, login succeeded, and executing a command directly to export a one-line webshell succeeded! During privilege escalation, creating an account was found to fail because the password was too simple.
See this write-up on getting a shell through phpMyAdmin:
http://www.i0day.com/234.html
This article is from the "Xiao Yu" blog; please be sure to keep this source: http://791120766.blog.51cto.com/10836248/1773760
2016.5.15 Penetration Experience Summary