Red and Black League study notes
1 Introductory Lesson:
Penetration testing: risk points must be found comprehensively; to find all the vulnerabilities, the target must be swept completely.
Hacker testing: it is only necessary to find some of the vulnerabilities in order to gain access.
Attack Mode:
Web penetration typically works over port 80
SQL injection:
Upload vulnerability:
XSS: the victim is a user, not the server; it does not directly affect the server
Code execution vulnerability: code execution vulnerabilities are relatively few
File inclusion vulnerability: (inclusion is a script feature) file inclusion in relation to antivirus software detection
Combination vulnerability:
Learning Route:
To learn SQL injection you must learn the database. SQL injection does not depend on the scripting language and is platform-independent.
MySQL
SQL Server (ASP, with SQL Server as the benchmark)
Oracle PHP
Access is typically used by small sites
To go deeper into injection, learn the single-row functions of each database
Upload vulnerabilities: the related languages are ASP, PHP and .NET
Parsing vulnerability (uploads are paired with parsing vulnerabilities)
XSS: you must learn JS, because the syntax used is JS; it is best to learn it
HTML
Strongly typed: Java
Weakly typed: PHP
File inclusion: PHP
JSP
ASP
Combined vulnerabilities: cross-database queries, logic vulnerabilities
Social engineering is very exciting.
Section C
Overflow (requires C, the basis of compilation)
Service
Things to do:
- Building a Web environment
- Information detection
- Vulnerability scanning: NMAP contains many levels of vulnerability
- Authentication Vulnerability Scan
- Write a report
Environment Construction:
Common Popular Websites
Website structure:
- ASP + Access (the most common configuration); may also be ASP + SQL Server → depends on IIS, which can be compiled directly
- PHP + MySQL → PHPnow, LAMP, WAMP
- Java + Oracle || Java + MySQL || Java + SQL Server (Java ignores the suffix)
- ASP + SQL Server (very classic) → IIS
Additional notes:
LAMP = Linux + Apache + MySQL + PHP
WAMP = Windows + Apache + MySQL + PHP
JBoss, Tomcat: web containers
Local Environment construction
- ASP.NET environment
- PHP environment
- JSP environment (JBoss, Tomcat)
2.1 Website Software Introduction
2.1.1 B/S Architecture Introduction
The B/S (browser/server) structure is a network structure model that arose with the web; the web browser is the client's most important application software. This model unifies the client and centralizes the core of the system's functionality on the server, which simplifies the development, maintenance and use of the system. The client computer only needs a browser installed, the server has the database installed, and the browser exchanges data with the database through the web server.
The biggest advantage of B/S is that it can be operated from anywhere without installing any special software: any computer with Internet access can use it. The client only needs a browser to display pages, and the rest of the work is left to the server.
2.1.2 Static Website Introduction
A static website is one made up entirely of pages in HTML code. All content is contained in the web page files, and the pages can still show a variety of visual dynamic effects, such as GIF animation, Flash animation and scrolling subtitles.
Each static page has a fixed address, and the filenames use suffixes such as .htm, .html and .shtml.
Once a static web page is published to the server, it is a standalone file, regardless of whether it is accessed or not.
The content of static web pages is relatively stable and contains no special code, so it is easy for search engines to index; HTML is better suited to SEO (search engine optimization).
The biggest characteristic of a static website is that it has no database support, so building and maintaining the site involves a large workload.
Because no database work is needed, static web pages are relatively fast to access.
2.1.3 Dynamic Website Introduction
The biggest difference between a dynamic site and a static site is that a static site cannot access a database while a dynamic site can. A dynamic site lets people interact, whereas static pages can only be viewed and cannot perform other operations, such as user registration, information publishing and product display.
2.2 Web Server Introduction
A web server is also known as a WWW (World Wide Web) server; its main function is to provide online information browsing services.
Simply put, the web server is the server that responds to requests for a URL. It is a passive program: it responds only when the browser makes a request; otherwise the server does not initiate communication with the client.
The web server communicates with the client primarily over the HTTP protocol.
2.3 IIS Environment Construction
2.3.1 IIS Introduction
Internet Information Services (IIS) is a basic Internet service provided by Microsoft Corporation that runs on Microsoft Windows.
IIS is a web container; it can interpret and execute ASP, PHP, ASP.NET and other languages, and has some extension capabilities.
IIS is a web service component that includes a web server, FTP server, NNTP server and SMTP server, used for web browsing, file transfer, news services and mail delivery respectively. It makes it easy to publish information on networks, including the Internet and local area networks.
2.3.2 Installing IIS
The operating system used this time is Windows 2003 Enterprise Edition. Some systems are lite editions that do not ship with the IIS package, so the installation package has to be downloaded manually; it is already included on the accompanying disk.
- First, go to the Control Panel, select Add/Remove Programs, then Add/Remove Windows Components, clear the small tick in front of Internet Information Services (if there is one), and then follow the prompts again to finish adding the IIS components, which include all four services: Web, FTP, NNTP and SMTP.
- This file is missing from the system, so add this software locally (Windowsserver2003sp2enterpriseedition.iso) to the C drive, such as
Now Tomcat is ready to be configured.
Red and Black League video notes