First of all, a caveat: when we get a target, the approach below is only one way of thinking about a small site; a large-scale website calls for a different way of thinking.
Information collection
The first thing to do is information gathering: as the saying goes, sharpening the axe does not delay the woodcutting.
The following follows the OWASP Testing Guide version 4.0:
- Conduct search engine discovery and reconnaissance for information leakage (OTG-INFO-001)
- Fingerprint the web server (OTG-INFO-002)
- Review web server metafiles for information leakage (OTG-INFO-003)
- Enumerate applications on the web server (OTG-INFO-004)
- Review web page comments and metadata for information leakage (OTG-INFO-005)
- Identify application entry points (OTG-INFO-006)
- Map execution paths through the application (OTG-INFO-007)
- Fingerprint the web application framework (OTG-INFO-008)
- Fingerprint the web application (OTG-INFO-009)
- Map the application architecture (OTG-INFO-010)
So let's just talk about some of the information we usually collect.
Google hacking
For example, use Google hacking queries to find sensitive files, such as site:xxx.com inurl:bak|txt|doc and the like. Then there is collecting the second-level domains and their corresponding IPs; of course we need to tell whether an IP is the real origin or a CDN. Recommended: the information-gathering tool by ring04h (猪猪侠), https://github.com/ring04h/wydomain, or the root-domain view at http://fofa.so/lab/ips, plus the robots.txt file, and so on.
Fingerprinting
Identify the web server in use (Apache, IIS, Tomcat, JBoss, and so on) and the web application running on it: commonly used general-purpose software such as Discuz (DZ), popular CMSs, WordPress and the like. Once the fingerprint is identified, look up the CVEs that have been published for it and check whether the patches were applied in time; if not, the CVE can be used directly.
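Most of what the fingerprinting step above reads off a server comes from its HTTP response headers. The following Python example, added here and not code from the original post, reviews a constructed raw HTTP response for version disclosure, weak session-cookie flags and missing hardening headers; it is the check a site owner runs on their own server to see what a fingerprinting tool would learn, and the hardened sample shows what the response looks like once the versions are hidden. Both sample responses are constructed; hiding a version number only raises the attacker's cost, and the real fix remains patching.

```python
"""Review what an HTTP response reveals about the server stack.

Added example, not code from the original post. Input is a constructed
raw HTTP response as it would arrive on the wire; nothing is fetched
from the network.
"""
import re

# Constructed sample: what a default Apache/PHP install often sends back.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same site with versions hidden and hardening headers added.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers whose values commonly name the software and its exact version.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Hardening headers a reviewed site should be sending.
HARDENING_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "content-security-policy",
    "x-frame-options",
)
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted number is enough to pin a release


def parse_headers(raw):
    """Split a raw response into (status line, [(name, value), ...]); names are lowercased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie_value):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def review_response(raw):
    """Return findings: version disclosure, cookies without HttpOnly/Secure, missing hardening headers."""
    _status, headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS and VERSION_RE.search(value):
            findings.append(f"version disclosed in {name}: {value}")
        if name == "set-cookie":
            cookie, attrs = cookie_attributes(value)
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    for header in HARDENING_HEADERS:
        if header not in present:
            findings.append(f"missing {header}")
    return findings


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {review_response(raw) or ['no findings']}")
```

Running it prints eight findings for the default response and none for the hardened one. The version regex deliberately triggers on any dotted number, because a bare product name such as "Apache" tells an attacker much less than "Apache/2.4.29", which maps straight onto a CVE list.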
DNS Information Collection
For example, the common DNS zone transfer vulnerability.
Port scanning
Based on the website's real IP, use Nmap to scan the ports and see which are open and which can be exploited, such as SSH, Telnet, FTP, and the ports of any test systems.
Sensitive back-end directory scanning
For example, run a dictionary through a directory scanner such as 御剑 (Yujian) to find sensitive directories: the FCKeditor directory, the admin back end, sensitive interfaces and so on. This information may let you take the target's server directly.
Site directory structure crawling
For example, crawl the site with Burp Suite's spider feature to map out the basic directory structure; once it is crawled, think along the developers' lines about where the admin back end and the upload paths are.
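Dictionary-based directory scanning and spidering, as described in the two sections above, both leave a distinctive trace in the web server's access log: one client, many requests in a short burst, most answered 403/404, spread over many distinct paths, often including the scanner's favourite probe paths. The following Python example, added here and not from the original post, parses constructed combined-format log lines and flags clients whose traffic fits that profile. The log lines, the probe-path list and the thresholds are all constructed for the example.

```python
"""Spot directory brute-forcing and crawling in web-server access logs.

Added example, not from the original post. The log lines below are
constructed in Apache/Nginx "combined"-style format; the thresholds are
illustrative defaults, not values from the post.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a normal visitor almost never requests but scanner dictionaries always contain.
PROBE_RE = re.compile(
    r"\.(bak|old|zip|sql|tar|gz|swp)$|^/(admin|manager|fckeditor|phpmyadmin)(/|$)",
    re.IGNORECASE,
)

# Constructed sample: two ordinary page views, then a burst of dictionary hits from one client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 153
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /fckeditor/ HTTP/1.1" 404 153
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /backup.zip HTTP/1.1" 404 153
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /config.bak HTTP/1.1" 404 153
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /upload/ HTTP/1.1" 403 153
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_scanners(entries, min_requests=5, min_miss_ratio=0.6):
    """Return {ip: stats} for clients whose traffic looks like dictionary scanning.

    The signature is many requests, most answered 403/404, over many distinct
    paths; the probe list shows which well-known paths were tried.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "misses": 0, "paths": set(), "probes": []})
    for e in entries:
        s = per_ip[e["ip"]]
        s["requests"] += 1
        s["paths"].add(e["path"])
        if e["status"] in ("403", "404"):
            s["misses"] += 1
        if PROBE_RE.search(e["path"]):
            s["probes"].append(e["path"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["misses"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = {
                "requests": s["requests"],
                "misses": s["misses"],
                "miss_ratio": round(ratio, 2),
                "distinct_paths": len(s["paths"]),
                "probes": s["probes"],
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

On the sample, 203.0.113.7 is left alone (two successful page views) while 198.51.100.9 is flagged with six misses out of six requests and five probe paths. A spider that crawls only links the site actually publishes produces a low miss ratio and no probe hits, so the same statistics separate a legitimate crawler from a dictionary scan; in production the counting would be done per time window rather than over the whole file.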
Vulnerability Scanning
Host-layer scanning
Needless to say: throw the real IP into Nessus and scan it, then, based on the scan results, go straight at it with the matching MSF payload.
Web Vulnerability Scanning
For example, run AWVS or Netsparker over it first, then verify the reported vulnerabilities by hand, trying different approaches depending on the vulnerability.
Manual Testing
Common tests and vulnerability combination punches: the usual SQL injection tests, XSS, XXE, CSRF, file upload, and so on.
Then, based on what was collected earlier together with the scanner results, screen everything comprehensively and exploit it, trying the small details of each vulnerability and chaining several small vulnerabilities into a combined attack. For example, some time ago in a bank test there were several interesting holes: an alias-account login that could be bypassed through unlimited attempts (weak password), plus a transfer verification-code vulnerability. Put those two holes together and the impact is big.
XSS: needless to say, see whether you can directly hit the admin's cookie and get into the back end.
SQL injection: dig sensitive information out of the database, such as the administrator account and password, or, depending on the permissions, see whether you can get a shell directly.
File upload: use editor vulnerabilities such as FCKeditor's, parsing vulnerabilities in IIS and the like, and lax validation in the program to upload a webshell directly and get a shell.
Web framework vulnerabilities: such as Struts2 vulnerabilities, Spring MVC XXE vulnerabilities, etc.
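The file-upload item above turns on what the text calls lax validation: an upload handler that trusts the client's filename or only looks at the extension. The following Python example, added here and not from the original post, is the server-side validation that closes that gap: an extension allowlist, a content check against the file's magic bytes, a strict filename grammar that rejects double extensions, semicolons and null bytes, and a server-chosen random storage name so the uploader never controls the path. The magic-byte table and the sample file contents are constructed for the example.

```python
"""Server-side validation for an image/document upload endpoint.

Added example, not from the original post. It shows the checks whose
absence the post calls lax validation: an extension allowlist, a content
check against file magic bytes, a strict filename grammar, and a
server-chosen storage name. Sample file contents are constructed.
"""
import os
import re
import secrets

# Allowed extension -> the bytes a genuine file of that type begins with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
# One base name, one dot, one extension: no 'x.php.jpg', no 'x.asp;.jpg', no spaces.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,100}\.[A-Za-z0-9]{1,10}$")
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Carries a reason the server can log (it need not be echoed to the client)."""


def validate_upload(filename, content, max_bytes=MAX_BYTES):
    """Return (canonical extension, random storage name) or raise UploadRejected."""
    # Drop any directory part the client sent, with either path separator.
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or not SAFE_NAME_RE.match(base):
        raise UploadRejected(f"filename not accepted: {filename!r}")
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension not allowed: {ext}")
    if len(content) > max_bytes:
        raise UploadRejected("file too large")
    if not content.startswith(magic):
        raise UploadRejected(f"content does not look like a {ext} file")
    # The server picks the name: random, with the extension it verified.
    # Store it outside the web root, or in a directory with script execution disabled.
    return ext, f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, content):
    """True if the upload passes every check; used by the demo and the tests."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG header
    cases = [
        ("photo.JPG", jpeg),            # genuine image, upper-case extension
        ("shell.php", b"<?php "),       # extension not in the allowlist
        ("shell.php.jpg", jpeg),        # double extension
        ("shell.asp;.jpg", jpeg),       # semicolon in the name
        ("shell.php\x00.jpg", jpeg),    # embedded null byte
        ("shell.jpg", b"<?php "),       # script content behind an allowed extension
        ("../../evil.jpg", jpeg),       # directory part is discarded; stored as evil.jpg
    ]
    for name, data in cases:
        print(f"{name!r:24} -> {'accepted' if is_accepted(name, data) else 'rejected'}")
```

The magic-byte check is what catches a script uploaded under an image name, and the random storage name is what makes the parsing tricks the text mentions irrelevant: whatever name the client sent, the file on disk is `<random>.jpg`. Serving uploads from a location where the web server will not execute scripts is the remaining piece, and it is a deployment setting rather than code.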
Weak-password brute forcing
If, after going through all of that, you really have not found a high-impact vulnerability, then try brute-forcing the back-end password, as well as SSH, FTP and so on. This is a last resort when nothing else works, and sometimes luck is on your side: one weak password brute-forced gets you straight into the back end, and back ends are generally weaker in security. And then, well, you know.
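The brute-forcing described above works only against a login that accepts unlimited guesses and accounts that hold guessable passwords. The following Python example, added here and not from the original post, shows the two server-side controls that remove those conditions: a sliding-window failure counter with a temporary lockout keyed on both the account and the client IP (so guessing one account and spraying one password across many accounts are both slowed), and a weak-password check applied when a password is set. The user table, the weak-password list and the clock used in the demo are constructed for the example; a real deployment would check against a large breached-password list.

```python
"""Rate-limit and lock out repeated login failures; reject weak passwords up front.

Added example, not from the original post. The throttle keys on both the
account and the client IP. The weak-password list and user table are
constructed; the clock is injectable so the lockout can be demonstrated
without sleeping.
"""
import hashlib
import hmac
import secrets
import time
from collections import deque

# Constructed stand-in for a real breached-password list.
WEAK_PASSWORDS = {"123456", "password", "admin", "admin123", "qwerty", "letmein", "111111"}
PBKDF2_ROUNDS = 100_000


def is_weak_password(password):
    """True for passwords a brute-force dictionary would reach first."""
    return len(password) < 12 or password.isdigit() or password.lower() in WEAK_PASSWORDS


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest); a slow hash also limits offline guessing."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, stored):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout per key."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = {}      # key -> deque of failure timestamps inside the window
        self._locked_until = {}  # key -> time at which the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:  # lock expired: forget it and the failure history
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        """Register a failure; return True if it triggered a lockout."""
        now = self.clock()
        window = self._failures.setdefault(key, deque())
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, users, username, password, client_ip):
    """Return 'locked', 'ok' or 'denied'; failures count against the account and the IP."""
    keys = (f"acct:{username}", f"ip:{client_ip}")
    if any(throttle.is_locked(k) for k in keys):
        return "locked"
    stored = users.get(username)
    if stored is not None and verify_password(password, stored):
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "denied"


class FakeClock:
    """Manual clock so the lockout window can be exercised deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"admin": hash_password("Correct-Horse-9")}  # constructed account
    for guess in ["123456", "admin", "password", "admin123", "letmein"]:
        print(guess, "->", attempt_login(throttle, users, "admin", guess, "198.51.100.9"))
    print("right password, still locked ->", attempt_login(throttle, users, "admin", "Correct-Horse-9", "198.51.100.9"))
    clock.advance(901)
    print("after the lockout ->", attempt_login(throttle, users, "admin", "Correct-Horse-9", "198.51.100.9"))
```

With the defaults, five failures inside five minutes lock the key for fifteen minutes, so a dictionary run gets at most five guesses per window per account and per source address; the correct password is refused while the lock is active and accepted once it expires. Returning the same "denied" for an unknown user as for a wrong password, and counting both against the IP, keeps the login from doubling as a username oracle.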
The above is the conventional line of thinking for penetrating small websites; it is a brick thrown to draw out jade, and I hope the experts will weigh in.
Conventional ideas for penetrating a small website: a brick to draw out jade