One person's martial arts: an analysis of the general approach to penetration testing (1)
Preface
Penetration Testing is both a technology and an art.
No one is born with this technique (art). As the saying goes, nobody can walk at birth; we all go from unfamiliar to familiar, step by step. Everyone is like this. In that process the idea is undoubtedly the most important thing. It is like solving problems in high school: once we have the idea, the shovel in our hands (technical knowledge) lets us dig out the answer, and it is a pity when, for lack of a path to start from, we cannot even begin.
I will share some general penetration ideas I have summarized below.
Sharing an idea is like sharing a book's table of contents: not every point comes with detailed skills and an analysis of every principle, but it shows how to proceed step by step. Once we know the idea at each point, we can consult the material on that point to break through and move on. Like martial arts routines, you can make powerful moves without changing the overall routine, and you can also restructure and innovate.
0x01 Wild boxing: the periphery
Description
Wild boxing: it is basic, but it is very effective in the end.
1. Information leakage, mainly due to server configuration and similar causes
Frequently used search tools such as Google and Bing. Lightweight searches turn up leftover backdoors that were not meant to be found; medium-weight searches turn up user information leaks, source code leaks, unauthorized access and the like; heavyweight finds are things such as downloadable mdb files, a CMS whose install page was never locked, website configuration passwords (filetype:lst password), PHP remote file inclusion vulnerabilities and other important information.
robots.txt lists what the site does not want Baidu to see, and those paths may not actually have access forbidden, so we learn paths that can be entered.
2. Port detection and services
This item is also about server configuration. Common service ports such as FTP, 3389 and 1433 may be exposed by the server configuration, so try weak passwords, or handle basic service vulnerabilities (CVEs) with Metasploit. Common tool: nmap -A ip.
3. Crawling the website directory
This item uses a crawler or scanner against the website's domain name; the files in the website's root directory may be a pleasant surprise. Tools: AWVS and WWWScan.
4. Web framework Vulnerabilities
Overall Web framework:
① Struts2 framework vulnerabilities, which can be exploited directly.
② ThinkPHP arbitrary code execution.
Background framework:
In fact, these can also be used to bypass verification and get into the background, so they belong in that category as well;
① SiteServer CMS cookie bypass; vulnerability and fix information can be found on sebug.
② WordPress
③ Access the ewebeditor and fckeditor upload pages directly. Depending on the editor version, information is available everywhere.
5. Brute force and credential stuffing into the background
Whether it is front-end user login or backend management access, brute-force cracking is a method that costs time and depends on the dictionary, but it may get you in.
However, the information obtained from peripheral detection may help us get into the background easily.
Credential stuffing: you may only have obtained some sensitive information, but once a leaked database dump ("dropped pants") is out on the Internet you may find the password in it, which is much faster than brute-force cracking.
6. Weak passwords
The most common, the most dangerous, and the least risky.
7. Problems caused by improper middleware configuration
① IIS write vulnerability (uncommon)
(Common tool: "Veterans")
② Accessible (browsable) directories
8. Problems caused by file parsing in the operating system and middleware
Apache: test.php.xx; IIS: test.asp;.jpg; Windows: .asp. is parsed as .asp (the trailing dot is stripped)
Not an in-depth topic, but pay attention to it during uploads.
9. A series of problems caused by PHP
① ../etc/passwd, and dig deeper
② Directory traversal caused by PHP
③ Remote file inclusion caused by PHP (which can be found directly with a Google search)
0x02 Tai Chi: the middle layer (application) between the periphery and the interior
Description
Tai Chi: hard or soft, the trouble comes from the application.
1. Without logging in as a user
1. Injection
There are too many injection types.
① SQL injection in page calls. Generally, run sqlmap to dump the dbs and tables directly and use them to get into the background or to leak user information. (Whether or not the dbs are complete, go straight for the library that matches the website's structure.)
② Use SQL injection such as universal passwords to get into front-end applications or backend management.
③ If the site has no injection, that does not mean it cannot be penetrated further; try to gather more information. The process is just different.
2. XSS
XSS is nothing more than stored or reflected, but you cannot do without it.
If it has nothing to do with going deeper, we will not talk about it here.
① Blind XSS towards the background: most of the time the aim is simply to get into the background, and mostly without result. The probability is limited.
② XSS DDoS.
3. Information leakage and order traversal
User access permission issues.
4. Password retrieval vulnerability (password reset by email/SMS)
When the relevant field can be modified in Burp, retrieve other users' passwords; perhaps the admin password can even be recovered.
5. Background
The background is also a kind of business, just a hidden one that holds all the power.
How to enter the background once you have found its address? Unrelated to the application: brute-force cracking, credential stuffing, collection and use of information, weak passwords, and unauthorized access.
① SQL injection such as universal passwords, and sqlmap dumping the dbs via POST injection.
② Use SQL injection in the web front end.
③ If you are lucky, the admin password of the front-end application is the same as the background password. (Then what is the query password for? 88)
④ XSS
Blind cookie stealing (success rate)
⑤ Background frameworks: SiteServer CMS and other well-known background CMSs on sebug
1. First obtain the free version of the software, install it and use it to check whether there is a test (admin) account that can be used directly, and save the cookie and submit it to see whether it works. 2. Check the version, Sebug and other sources for something that can be used directly. 3. Code audit (at the 2014 Green League (NSFOCUS) Security Flag in Beijing, funds were successfully transferred using this method)
2. After simulating user registration and login
1. Authentication bypass
① Universal password
② Cookie spoofing
2. Unauthorized access
① Horizontal (parallel) unauthorized access: reading and modifying other users' information;
② Vertical unauthorized access: mainly whether the administrator password can be changed through a special field.
3. Injection
Cookie, POST and GET types, in user-related functions after login
4. XSS: too many impacts and types
① The content submitted by users must be reviewed by the background administrator.
Understand the background submission and review process; CSRF to add a user for yourself (article management system)
XSS that finds the background: when the administrator browses, the cookie is sent to the XSS platform
XSS worms
Order traversal
5. Upload point
① One-sentence Trojan
② Webshell upload
In many cases, if there is no injection and the backend cannot be entered, the upload point is the best position.
Websites attach great importance to protecting uploaded files. Get familiar with the upload process: where the files are blocked, and where the process breaks.
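As an added example that is not from the original article, the following Python check ties together the parsing quirks listed under item 8 of the periphery section (test.php.xx, test.asp;.jpg, a trailing dot on Windows) and the upload point described here: it validates a client-supplied filename against an allow-list and then discards that name entirely in favor of a server-generated one. The extension allow-list is a constructed sample policy.

```python
import re
import secrets
from typing import Optional

# Allow-list of extensions the upload feature is willing to store and serve
# (constructed sample policy; adjust to the application's real needs).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Characters behind classic parser quirks: ';' (IIS 6 reads "test.asp;.jpg"
# as test.asp), NUL (C-string truncation), path separators, line breaks.
FORBIDDEN_CHARS = re.compile(r"[;\x00/\\\r\n]")

def validate_upload_name(name: str) -> bool:
    """Return True only if name is safe to keep under its own extension.

    Rejects the shapes a lenient middleware parser may execute:
      - extra dotted extensions  (Apache:  test.php.xx)
      - semicolon truncation     (IIS:     test.asp;.jpg)
      - trailing dot or space    (Windows: "shell.asp." lands as shell.asp)
    """
    if not name or len(name) > 128:
        return False
    if FORBIDDEN_CHARS.search(name):
        return False
    # NTFS silently strips trailing dots and spaces: compare before/after.
    if name.rstrip(". ") != name:
        return False
    parts = name.split(".")
    # Exactly one extension and a non-empty base: "a.php.jpg" and ".jpg" fail.
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS

def safe_storage_name(name: str) -> Optional[str]:
    """Never store the client-chosen name: keep only the vetted extension
    and generate the base name server-side, so any parser trick in the
    original name never reaches the filesystem."""
    if not validate_upload_name(name):
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Pair this with a content-type check on the stored bytes and with serving uploads from a path where the web server never executes scripts; the filename check alone only closes the parser tricks named above.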
6. SMS and email DDoS attacks
7. Payment vulnerabilities
① Free of charge
② -1 RMB refund
③ Quantity integer/long integer overflow
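The three payment problems above all come down to trusting numbers the client sends, so here is an added example (not from the original article) of the server-side checks in Python: naive_total simulates the signed 32-bit wraparound that turns a huge quantity into a zero or negative total, while checked_line_total and checked_refund show the validation that rules out free orders, negative refunds and overflow. The catalog, SKUs and prices are constructed sample values.

```python
INT32_MAX = 2**31 - 1
INT64_MAX = 2**63 - 1
MAX_QTY_PER_LINE = 10_000  # business limit for a single order line

# Constructed sample catalog: SKU -> unit price in integer cents (fen).
CATALOG_CENTS = {"sku-001": 1999, "sku-002": 49900}

class OrderError(ValueError): pass

def wrap_int32(x: int) -> int:
    """Simulate storing x in a signed 32-bit integer (C int, INT column)."""
    x &= 0xFFFFFFFF
    return x - 2**32 if x > INT32_MAX else x

def naive_total(quantity: int, unit_price_cents: int) -> int:
    """Weak version: multiplies client-supplied values into a 32-bit total,
    so a large quantity wraps to zero (free order) or negative (refund)."""
    return wrap_int32(quantity * unit_price_cents)

def checked_line_total(sku: str, quantity, client_price_cents=None) -> int:
    """Hardened version: catalog price, bounded quantity, guarded width."""
    if sku not in CATALOG_CENTS:
        raise OrderError("unknown sku")
    price = CATALOG_CENTS[sku]
    # A price sent by the client is at most a hint; it must match the catalog.
    if client_price_cents is not None and client_price_cents != price:
        raise OrderError("client price does not match catalog")
    # Only a genuine positive int within the business limit (no bool/float).
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise OrderError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QTY_PER_LINE:
        raise OrderError("quantity out of range")
    total = quantity * price
    if total > INT64_MAX:  # Python ints never wrap, but the DB column may
        raise OrderError("total exceeds 64-bit storage")
    return total

def checked_refund(paid_cents: int, refund_cents: int) -> int:
    """A refund must be a positive integer and never exceed what was paid."""
    if not isinstance(refund_cents, int) or not 0 < refund_cents <= paid_cents:
        raise OrderError("refund amount out of range")
    return refund_cents

def rejects(fn, *args, **kwargs) -> bool:
    try:
        fn(*args, **kwargs)
    except OrderError:
        return True
    return False
```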
0x03 Internal (management background)
Description: Trace Step (leaves no trace, but needs to go deeper)
Now that we have entered the management backend we have a sense of accomplishment; the next step is to control the server and the entire network segment... Ordinary web penetration ends at this point.
1. Upload a webshell
If there is no place on the web front end, or a webshell cannot be uploaded there, uploading from the background is the best option. This is also the best way to help you control the server from the business layer.
① If the allowed upload file types can be modified in the background: with a whitelist, change it happily; with a blacklist the upload succeeds, but sometimes the file cannot be parsed.
② If the upload file type cannot be modified in the background, most of the time it is OH~. However, in general, backend upload verification is looser than front-end upload verification.
That is fine; how can we bypass it? If we cannot bypass it, 88.......
2. One-sentence Trojan
3. Administrator permission assignment
If administrator permissions have been assigned and the aim is the master administrator with the highest permissions, the administrator needs to escalate privileges.
Privilege escalation in the background
Intranet penetration will be covered in the next issue. This article has shared some ideas, and I hope we can make progress together.