Conventional ideas for penetration testing a small web site

Source: Internet
Author: User
Tags cve

First, one caveat: when we are given a target, this article assumes the target is only a small web site. A large-scale site calls for a different line of thinking.

Information collection

The first step is information collection; as the saying goes, sharpening the axe does not delay the cutting of wood.

The following list is taken from the OWASP Testing Guide v4.0:


    • Conduct search engine discovery and reconnaissance for information leakage (OTG-INFO-001)
    • Fingerprint the web server (OTG-INFO-002)
    • Review web server metafiles for information leakage (OTG-INFO-003)
    • Enumerate applications on the web server (OTG-INFO-004)
    • Review web page comments and metadata for information leakage (OTG-INFO-005)
    • Identify application entry points (OTG-INFO-006)
    • Map execution paths through the application (OTG-INFO-007)
    • Fingerprint the web application framework (OTG-INFO-008)
    • Fingerprint the web application (OTG-INFO-009)
    • Map the application architecture (OTG-INFO-010)
Here we only discuss some of the collection methods we actually use.

Google hacking

For example, use Google hacking operators to find sensitive files, such as site:xxx.com inurl:bak|txt|doc. Then collect the second-level domains (subdomains) and their corresponding IPs; here we need to distinguish the real IP from a CDN address. Recommended: ring04h's (猪猪侠) information-collection tool https://github.com/ring04h/wydomain, or FOFA's root-domain view at http://fofa.so/lab/ips. Also check robots.txt and similar files.
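The CDN question above is the one that decides whether the IP you scan later is the real server at all. The following is an added example, not code from the original post or from the tools it recommends: it builds the search-engine queries for leaked files, then applies two heuristics to constructed DNS answers. If different resolvers return different A records for the www host, the name is served by GeoDNS/CDN and none of those addresses is necessarily the origin; IPs that only appear on other subdomains (mail, ftp, dev) are candidate origins. The resolver answers and hostnames are constructed sample data, not real records.

```python
"""Added example (not from the original post): judge whether a host's A records
look CDN-fronted and list candidate origin IPs from the other subdomains."""
from collections import Counter

# Constructed data: what `dig @<resolver> www.example.com A +short` returned
# from several vantage points. Illustrative values only, not real records.
WWW_ANSWERS = {
    "8.8.8.8":         {"203.0.113.10", "203.0.113.11"},
    "1.1.1.1":         {"198.51.100.20", "198.51.100.21"},
    "114.114.114.114": {"203.0.113.10", "203.0.113.12"},
}

# Constructed records for non-web subdomains. Mail/ftp/test hosts are often
# not behind the CDN and may sit on the same box as the real web server.
OTHER_HOSTS = {
    "mail.example.com": {"192.0.2.50"},
    "ftp.example.com":  {"192.0.2.50"},
    "dev.example.com":  {"192.0.2.51"},
    "cdn.example.com":  {"203.0.113.10"},
}


def build_dorks(domain, exts=("bak", "txt", "doc", "sql", "zip")):
    """One search-engine query per file type, plus an admin-path query."""
    return [f"site:{domain} filetype:{e}" for e in exts] + [f"site:{domain} inurl:admin"]


def looks_like_cdn(answers):
    """True when resolvers disagree on the A-record set: GeoDNS/CDN behaviour.
    Agreement does not prove the opposite (a single anycast IP also agrees)."""
    sets = {frozenset(v) for v in answers.values()}
    return len(sets) > 1


def origin_candidates(www_answers, other_hosts):
    """IPs seen on other subdomains but never in any www answer, ranked by how
    many hostnames point at them (mail+ftp on one IP is a strong hint)."""
    fronted = set().union(*www_answers.values())
    hits = Counter()
    for _host, ips in other_hosts.items():
        for ip in ips - fronted:
            hits[ip] += 1
    return [ip for ip, _ in hits.most_common()]


if __name__ == "__main__":
    print(build_dorks("example.com"))
    print("CDN-fronted:", looks_like_cdn(WWW_ANSWERS))
    print("Origin candidates:", origin_candidates(WWW_ANSWERS, OTHER_HOSTS))
```

Confirm a candidate before scanning it: request the site by IP with a `Host: www.example.com` header and compare the page to the CDN-served one.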


Fingerprint identification

Identify the web server (Apache, IIS, Tomcat, JBoss, and so on) and the application running on it: commonly used general-purpose systems such as Discuz! (DZ), popular CMSes, WordPress and the like. Once the fingerprint and version are known, look up the CVEs already published for that version and check whether the patches were applied in time; an unpatched known CVE can often be used directly.
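A first pass at the fingerprint comes straight from one HTTP response: the Server and X-Powered-By headers name the server and runtime (and often the exact version that goes into the CVE lookup), and paths or generator tags in the body name the application. The following is an added example, not code from the original post; the marker tables are a small illustrative subset and the sample response is constructed, not captured from a real site. Keep in mind that headers can be stripped or faked, so body markers and known file paths (for example /wp-includes/) are the more reliable signal.

```python
"""Added example (not from the original post): a small passive fingerprinter
that reads HTTP headers and body markers to name server, runtime and application."""
import re

# Header markers: (header name, pattern, product). Illustrative, not exhaustive.
STACK_MARKERS = [
    ("server", re.compile(r"apache", re.I), "Apache"),
    ("server", re.compile(r"microsoft-iis", re.I), "IIS"),
    ("server", re.compile(r"nginx", re.I), "nginx"),
    ("server", re.compile(r"apache-coyote|tomcat", re.I), "Tomcat"),
    ("x-powered-by", re.compile(r"jboss", re.I), "JBoss"),
    ("x-powered-by", re.compile(r"php", re.I), "PHP"),
    ("x-powered-by", re.compile(r"asp\.net", re.I), "ASP.NET"),
]
# Body markers: paths and generator tags that applications leave in HTML.
APP_MARKERS = [
    (re.compile(r"/wp-content/|/wp-includes/", re.I), "WordPress"),
    (re.compile(r"Powered by Discuz!|content=\"Discuz!", re.I), "Discuz!"),
    (re.compile(r"Powered by DedeCMS|/templets/default/", re.I), "DedeCMS"),
    (re.compile(r"Joomla!|/media/jui/", re.I), "Joomla"),
    (re.compile(r"Drupal\.settings|/sites/default/files/", re.I), "Drupal"),
]
# "Product/version" tokens inside Server and X-Powered-By values.
VERSION_RE = re.compile(r"(Apache|nginx|Microsoft-IIS|PHP|JBoss[^/ ]*)/([\w.\-]+)", re.I)


def fingerprint(headers, body):
    """Return {'stack': [...], 'app': [...], 'versions': {product: version}}."""
    h = {k.lower(): v for k, v in headers.items()}
    found = {"stack": [], "app": [], "versions": {}}
    for key, rx, name in STACK_MARKERS:
        if key in h and rx.search(h[key]) and name not in found["stack"]:
            found["stack"].append(name)
    for key in ("server", "x-powered-by"):
        for product, version in VERSION_RE.findall(h.get(key, "")):
            found["versions"][product] = version
    for rx, name in APP_MARKERS:
        if rx.search(body) and name not in found["app"]:
            found["app"].append(name)
    return found


# Constructed sample response (illustrative, not captured from a real site).
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS)",
    "X-Powered-By": "PHP/5.3.3",
    "Content-Type": "text/html",
}
SAMPLE_BODY = ('<html><head><link rel="stylesheet" '
               'href="/wp-content/themes/example/style.css"></head></html>')

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY))
```

The versions dictionary is what you then search against the CVE database; the stack and app lists tell you which parsing, editor and framework tricks from the later sections even apply.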

DNS Information Collection

For example, the common DNS zone transfer (AXFR) misconfiguration: if an authoritative name server answers transfer requests from anyone, it hands over the whole zone, every subdomain and its IP, in one request.
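The one-liner a tester types for this check is `dig axfr example.com @ns1.example.com`; a server that answers with records instead of "Transfer failed." is misconfigured. To show what actually goes over the wire, the following is an added example, not code from the original post: it builds the AXFR query (a normal DNS question with QTYPE 252, sent over TCP with a two-byte length prefix), reads the answer messages and decodes the records, including the name-compression pointers real servers use. The response bytes used for the offline check are constructed, not a real capture; only `axfr()` itself touches the network.

```python
"""Added example (not from the original post): request a DNS zone transfer (AXFR)
over TCP and parse the records that come back. build/parse run offline."""
import socket
import struct

QTYPE_AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (uncompressed wire name)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (id, flags 0, qdcount 1) + question (zone, AXFR, IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, 1)


def decode_name(msg, off, max_hops=32):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("pointer loop in DNS name")
            if end is None:
                end = off + 2                       # resume after the pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg):
    """Return [(name, type, value)] for every answer record in one DNS message."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):                        # NS / CNAME carry a name
            value, _ = decode_name(msg, off)
        else:
            value = rdata.hex()
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), value))
        off += rdlen
    return records


def axfr(ns_ip, zone, timeout=5):
    """Live transfer attempt. A server that returns records is misconfigured."""
    q = build_axfr_query(zone)
    records = []
    with socket.create_connection((ns_ip, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)
        while True:
            hdr = s.recv(2)
            if len(hdr) < 2:
                break
            (ln,) = struct.unpack(">H", hdr)
            msg = b""
            while len(msg) < ln:
                chunk = s.recv(ln - len(msg))
                if not chunk:
                    return records
                msg += chunk
            records.extend(parse_message(msg))
            if sum(1 for r in records if r[1] == "SOA") >= 2:  # zone ends at 2nd SOA
                break
    return records


# Constructed response (not a real capture): one A and one CNAME, both using
# compression pointers (0xC00C) back to the zone name in the question.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)
    + encode_name("example.com") + struct.pack(">HH", QTYPE_AXFR, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    + b"\x03www\xc0\x0c" + struct.pack(">HHIH", 5, 1, 300, 2) + b"\xc0\x0c"
)

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
```

Run `axfr()` against every NS record of the target, not just the first; it is common for one secondary to be locked down and another to be open.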

Port Collection

Using the real IP of the site, sweep the ports with Nmap and see which are open and which can be exploited, for example SSH, Telnet, FTP, and the ports of test systems.
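What a tester wants from the sweep is not the raw scan but a short list of ports paired with the next step. The following is an added example, not code from the original post: it assembles the Nmap command (`-sS` needs root, `-sV` adds service versions, `-oG -` writes grepable output to stdout), parses that grepable format into open ports, and triages the ones the article singles out. The scan output is constructed in Nmap's grepable format, not a real result; the follow-up table is my own short list, not an Nmap feature.

```python
"""Added example (not from the original post): run Nmap against the real IP and
turn its grepable output into a list of open ports worth following up."""
import re
import subprocess

# Ports the article singles out plus a few test-system ports (my own list).
INTERESTING = {
    21: "ftp: anonymous login, weak password, file upload",
    22: "ssh: weak-password brute force",
    23: "telnet: cleartext credentials",
    3306: "mysql: weak root password, often exposed on small sites",
    3389: "rdp: weak-password brute force",
    8080: "tomcat/jboss: manager console, test systems",
    8009: "ajp: tomcat",
    9200: "elasticsearch: typically unauthenticated",
}
# Grepable line: "Host: <ip> (<name>)\tPorts: <entries>\tIgnored State: ..."
HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)")


def nmap_command(ip, ports="1-65535"):
    return ["nmap", "-sS", "-sV", "-Pn", "-p", ports, "-oG", "-", ip]


def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports = m.groups()
        opened = []
        for entry in ports.split(","):
            # entry layout: port/state/proto/owner/service/rpc/version/
            f = entry.strip().split("/")
            if len(f) >= 7 and f[1] == "open":
                opened.append((int(f[0]), f[2], f[4], f[6]))
        hosts[ip] = opened
    return hosts


def triage(hosts):
    """Pair each open interesting port with a suggested follow-up."""
    out = []
    for ip, ports in hosts.items():
        for port, _proto, service, version in ports:
            if port in INTERESTING:
                out.append((ip, port, service, version, INTERESTING[port]))
    return out


def scan(ip):
    """Live scan; requires nmap on PATH and root for -sS."""
    res = subprocess.run(nmap_command(ip), capture_output=True, text=True, check=True)
    return parse_grepable(res.stdout)


# Constructed sample output in Nmap's grepable format (not a real scan).
SAMPLE_OUTPUT = (
    "# Nmap 7.80 scan initiated\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, "
    "80/open/tcp//http//Apache httpd 2.2.15/, 3306/open/tcp//mysql//MySQL 5.1.73/, "
    "8080/closed/tcp//http-proxy///\tIgnored State: filtered (65531)\n"
    "# Nmap done\n"
)

if __name__ == "__main__":
    for row in triage(parse_grepable(SAMPLE_OUTPUT)):
        print(row)
```

Scan the candidate origin IP found earlier, not the CDN address; a CDN edge will show only 80/443 and tell you nothing about the real host.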

Back-end sensitive directory scan

For example, run a dictionary with 御剑 (Yujian) to find sensitive directories such as FCKeditor, the admin back end and sensitive interfaces; this information may let you take the server directly.
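The trap in dictionary scanning a small site is the "soft 404": many of them answer 200 with the home page for every path, so a naive scanner reports the whole wordlist as found. The following is an added example, not code from the original post or from 御剑: it requests a random path first to learn what "not found" looks like on this site, then flags only responses that differ from that baseline, treating 401/403 as hits because the path exists even if it is protected. The wordlist is a short illustrative one, and the offline stand-in for the HTTP fetch models a constructed site; only `http_fetch` touches the network.

```python
"""Added example (not from the original post): directory/file brute force with a
baseline request so soft-404 pages don't flood the results."""
import urllib.error
import urllib.request
import uuid

# Short illustrative wordlist; a real scan uses a few thousand entries.
WORDLIST = [
    "admin/", "admin/login.php", "manage/", "manager/", "login/",
    "fckeditor/", "fckeditor/editor/filemanager/connectors/", "ckeditor/",
    "backup/", "www.zip", "web.rar", "db.sql", ".git/HEAD", ".svn/entries",
    "phpmyadmin/", "robots.txt", "upload/", "uploads/", "test/",
]


def http_fetch(url, timeout=5):
    """Return (status, body length); error statuses are read too, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, len(r.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read() or b"")


def baseline(base_url, fetch):
    """Request a path that cannot exist to learn what 'not found' looks like."""
    return fetch(base_url.rstrip("/") + "/" + uuid.uuid4().hex)


def is_hit(result, base, tolerance=50):
    """A hit is anything that is not an error and does not look like the baseline."""
    status, length = result
    b_status, b_length = base
    if status in (401, 403):            # exists but protected: still interesting
        return True
    if status >= 400:
        return False
    if status == b_status and abs(length - b_length) <= tolerance:
        return False                    # same as the soft-404 page
    return True


def dirscan(base_url, words=WORDLIST, fetch=http_fetch):
    base = baseline(base_url, fetch)
    hits = []
    for w in words:
        res = fetch(base_url.rstrip("/") + "/" + w)
        if is_hit(res, base):
            hits.append((w, res[0], res[1]))
    return hits


def make_fake_fetch(site, soft404=(200, 1200)):
    """Constructed stand-in for http_fetch used for offline demonstration:
    `site` maps path -> (status, length); every other path gets a soft-404."""
    def fetch(url):
        path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
        return site.get(path, soft404)
    return fetch


if __name__ == "__main__":
    demo = make_fake_fetch({"admin/": (200, 3400), "backup/": (403, 300), "www.zip": (200, 1210)})
    print(dirscan("http://example.com", fetch=demo))
```

The tolerance handles soft-404 pages whose length varies slightly (a timestamp or the requested path echoed back); for sites that do that, comparing a body hash after stripping the path is the next refinement.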

Site Directory structure crawl

For example, crawl the site with Burp Suite's spider to map the basic directory structure, then reason as the developers would about where the admin back end and the file-upload paths are.

Vulnerability scanning: host-layer scan

Not much to say here: feed the real IP into Nessus and let it sweep, then, based on the scan results, fire the matching MSF (Metasploit) module and payload at it.

Web Vulnerability Scanning

For example, run AWVS or Netsparker over the site first, then verify the reported vulnerabilities by hand, trying different approaches depending on the vulnerability.

Manual testing: common tests and vulnerability combinations

Such as the common SQL injection, XSS, XXE, CSRF and file-upload tests.

Then screen everything together: the information collected earlier and the scanner results. Try to exploit the small details, and chain several small vulnerabilities into one combined attack. For example, in a bank test a while ago there were a few interesting findings: alias-account login could be bypassed because it allowed unlimited attempts (weak passwords), plus a transfer verification-code vulnerability. Put those two together and the impact was large.

XSS: needless to say, see whether you can grab the admin's cookie directly and get into the back end.

SQL injection: pull sensitive information from the database, such as the administrator's account and password, or, depending on the database user's privileges, see whether you can get a shell directly.

File upload: use editor vulnerabilities such as FCKeditor's, parsing vulnerabilities in IIS and others, and lax server-side validation to upload a web shell directly and get a shell.
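"Lax validation" usually means a blacklist on the last extension, which falls to the classic tricks: a double extension, the IIS 6 `;` filename trick, a null byte in the name, or a less common extension such as .php5. The following is an added example, not code from the original post: the weak check as many legacy upload handlers wrote it, next to a hardened one that whitelists the extension, checks the file's magic bytes, and throws the client-supplied name away. Function names and the bypass list are mine, for illustration.

```python
"""Added example (not from the original post): a lax upload check beside a
hardened one, run over the filenames a tester tries against it."""
import os
import re
import uuid

BLOCKED = {".php", ".asp", ".aspx", ".jsp"}
ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".gif": b"GIF8"}

# Names a tester tries; which ones slip through depends on server/parsing quirks.
BYPASS_NAMES = [
    "shell.php",            # the obvious one
    "shell.php5",           # extension not on the blacklist
    "shell.php.jpg",        # double extension (Apache AddHandler misconfig)
    "shell.asp;.jpg",       # IIS 6 treats ';' as the end of the name
    "shell.php\x00.jpg",    # null byte ends the name in some C/legacy code
]


def weak_check(filename):
    """Blacklist on the last extension: returns True when the upload is allowed."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED


def strict_store_name(filename, content_head):
    """Whitelist the extension, verify magic bytes, discard the client name.
    Returns the name to store under, or None when rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = base.split("\x00")[0]                          # defeat null-byte truncation
    if not re.fullmatch(r"[\w\-]+\.[A-Za-z0-9]+", base):  # exactly one dot, safe charset
        return None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED or not content_head.startswith(MAGIC[ext]):
        return None
    return uuid.uuid4().hex + ext                         # server chooses the name


def compare(names, content_head=b"\xff\xd8\xff\xe0"):
    """{name: (weak allows?, strict allows?)} for a JPEG-looking payload."""
    return {n: (weak_check(n), strict_store_name(n, content_head) is not None) for n in names}


if __name__ == "__main__":
    for name, (weak, strict) in compare(BYPASS_NAMES).items():
        print(repr(name), "weak:", weak, "strict:", strict)
```

Renaming the file on the server also kills the IIS 6 directory trick (`shell.asp/x.jpg`), since the stored path never contains anything the client chose; the remaining job is to keep the upload directory non-executable.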

Web framework vulnerabilities: for example the Struts2 vulnerabilities, Spring MVC XXE, and so on.



Weak-password brute forcing

If, after going around everything, no high-impact vulnerability turns up, try brute-forcing the back-end login, SSH, FTP and so on. This is the approach of last resort, but sometimes luck is on your side and the defenses cannot block everything: a weak password drops you straight into the back end, where security is generally weaker, and from there you know what to do.
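Two passages above come down to the same point: the bank example, where unlimited login attempts turned weak passwords into a real finding, and this last-resort brute force. The following is an added example, not code from the original post: a password-spraying loop that tries each password against every account before moving to the next, so that any per-account lockout is hit only after many rounds, run against two constructed login backends, one with no attempt limit and one that locks an account after a fixed number of failures. The backends, the credential table and the wordlist are constructed for the demonstration, not taken from any real system.

```python
"""Added example (not from the original post): password spraying against a login
function, tried against a backend with no lockout and one with lockout."""

WEAK_PASSWORDS = ["123456", "password", "admin", "admin123", "123456789", "12345678", "111111"]
USERS = ["admin", "test", "root", "user", "guest"]


class NoLockoutLogin:
    """Constructed backend with no attempt limit (the weak case in the article)."""
    def __init__(self, creds):
        self.creds, self.attempts = creds, 0

    def login(self, user, pw):
        self.attempts += 1
        return self.creds.get(user) == pw


class LockoutLogin(NoLockoutLogin):
    """Same backend plus per-account lockout after `limit` consecutive failures."""
    def __init__(self, creds, limit=5):
        super().__init__(creds)
        self.limit, self.failures, self.locked = limit, {}, set()

    def login(self, user, pw):
        self.attempts += 1
        if user in self.locked:
            return False
        if self.creds.get(user) == pw:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.limit:
            self.locked.add(user)
        return False


def spray(login, users, passwords, max_per_user=None):
    """Passwords in the outer loop, users in the inner: each account sees one
    guess per round. `max_per_user` caps guesses per account so a test does not
    lock real users out. Returns {user: password} for the accounts that fell."""
    found, tried = {}, {u: 0 for u in users}
    for pw in passwords:
        for u in users:
            if u in found or (max_per_user is not None and tried[u] >= max_per_user):
                continue
            tried[u] += 1
            if login(u, pw):
                found[u] = pw
    return found


if __name__ == "__main__":
    creds = {"admin": "admin123", "test": "test", "root": "toor"}   # constructed
    print("no lockout:", spray(NoLockoutLogin(creds).login, USERS, WEAK_PASSWORDS))
    guarded = LockoutLogin(creds, limit=3)
    print("lockout:", spray(guarded.login, USERS, WEAK_PASSWORDS), "locked:", guarded.locked)
```

Against the unlimited backend the admin account falls on the fourth password; against the lockout backend every account is locked before its password comes up, which is exactly the state you do not want to leave a client's production accounts in, hence the cap.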


The above are conventional ideas for penetrating a small web site, offered as a brick thrown out to draw the experts' jade.


