Small White Diary 36: Kali Penetration Testing, Web Penetration, Manual Vulnerability Mining (II): Breaking Authentication, Operating System Arbitrary Command Execution Vulnerability

Source: Internet
Author: User

Manual Vulnerability Mining

######################################################################################

Principle of manual vulnerability mining: it finds more vulnerabilities than an automated scanner, and covers them more completely.

1. Try every variable

2. Try all headers (e.g. variables in cookies)

3. Delete variables one by one

######################################################################################

Authentication

1. Common weak passwords / dictionary-based password brute-forcing

2. Lockout mechanism

Guess manually first; if there is no lockout mechanism, brute-force.

3. Information gathering (gather information on the site itself to guess account names and passwords, e.g. from a user hall of fame page)

Mobile phone number: when part of the phone number is hidden, work out the exact account (enter a known phone number manually and observe the password error message, e.g. "Username is wrong", then brute-force the username)

Password error message

(Burp Suite: observe the contents of the returned message, e.g. the error code)

4. Password sniffing (on the same network, the username and password can be obtained by capturing and analysing packets)

Burp Suite demo

0. Turn off the intercepting proxy, log in on the DVWA login page with a wrong account, and analyse the packets

A. The account and password are both wrong

B. The account is correct, the password is wrong

Right-click and choose "Send to Comparer" to compare the two responses

#### By comparing, find out whether there is any valuable information ####

If the two responses differ, use Intruder (brute-forcing) based on the Comparer result
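An added example, not code from the original post, showing why the Comparer step above can succeed and how a defender removes the difference: a login handler with distinct error texts next to one that returns a uniform message, does the same hashing work for unknown users, and locks the account after repeated failures. The user store, password, salt and attempt counter are constructed for the example.

```python
import hashlib
import hmac

# Constructed user store: username -> (salt, PBKDF2 hash). Not a real application's data.
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"admin": (_SALT, _pbkdf2("correct horse", _SALT))}
# Dummy credential so unknown users cost the same hashing work (no timing oracle).
_DUMMY = (_SALT, _pbkdf2("dummy", _SALT))

def login_leaky(username, password):
    """Vulnerable: two different messages let Comparer tell 'bad user' from 'bad password'."""
    if username not in USERS:
        return "Username is wrong"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "Password is wrong"
    return "Login OK"

FAILED = {}          # username -> failed attempts (constructed in-memory counter)
MAX_ATTEMPTS = 5     # lockout threshold; keying by username alone can be abused to lock others out,
                     # so real deployments also rate-limit by source address

def login_hardened(username, password):
    """Uniform failure text, constant work for unknown users, lockout after MAX_ATTEMPTS."""
    if FAILED.get(username, 0) >= MAX_ATTEMPTS:
        return "Login failed"          # locked: same text, so the lock is not an oracle either
    salt, stored = USERS.get(username, _DUMMY)
    ok = username in USERS and hmac.compare_digest(_pbkdf2(password, salt), stored)
    if not ok:
        FAILED[username] = FAILED.get(username, 0) + 1
        return "Login failed"
    FAILED.pop(username, None)
    return "Login OK"

def responses_differ(a, b):
    """The Comparer check from the text: do the two failure responses differ at all?"""
    return a != b
```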

1. When you cannot log in with an account password, turn to the session ID / cookie

A. Cross-site scripting combined with social engineering to obtain a cookie (covered later)

B. Some poorly written web applications transmit the SessionID in the URL, where it can be obtained through social engineering

C. Normally the SessionID is placed in a cookie or the body; use a sniffer

# Sniffing and injection (the SessionID exists on the client computer a. in the form of a file; b. in memory, which is most common)

# Inject the SessionID into the browser

Note: pay attention to the SessionID lifetime, and whether a new one is randomly generated on every login

# SessionID generation algorithm

# Use the Sequencer in Burp Suite to assess a site's SessionID generation algorithm (if the probability of repetition is high, or values can be predicted, it is weak); a standard, well-reviewed algorithm is recommended

If an insecure home-grown algorithm is used, the SessionID that will be generated at the next login can be predicted in advance

2. Password recovery scenario

Password retrieval link (for example):

https://www.example.com/[email protected]&key=b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0e1cc1ffc5e475514

Observe the key value and guess how it was produced, e.g. from its length in bits: 128 suggests MD5, 160 suggests SHA-1, 256 suggests SHA-256

#### It may be derived from the e-mail account with a hash algorithm; if so, after modifying it the password can be reset directly ####
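An added example (not code from the original post) contrasting the reset-key design the text warns about with a safe one: a key derived only from the e-mail address, which anyone who knows the address can reproduce, next to a random single-use token that is stored only as a hash and expires. The length heuristic from the text is included as a small helper. The token store and TTL are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Insecure scheme from the text: the key is a hash of the e-mail address alone,
# so it is reproducible by anyone who knows the address and guesses the algorithm.
def insecure_reset_key(email):
    return hashlib.sha256(email.encode()).hexdigest()   # 256 bits = 64 hex chars, like the sample link

def guess_hash_from_key(key_hex):
    """Length heuristic from the text: 128 bits -> MD5, 160 -> SHA-1, 256 -> SHA-256."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(key_hex), "unknown")

# Hardened scheme (added here, not the page's): random token, stored hashed, bound to the
# address, expiring, single use.
TOKEN_TTL = 15 * 60
_PENDING = {}   # sha256(token) -> (email, expiry); constructed in-memory store

def issue_reset_token(email, now=None):
    token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG, unrelated to the e-mail
    digest = hashlib.sha256(token.encode()).hexdigest()
    _PENDING[digest] = (email, (now or time.time()) + TOKEN_TTL)
    return token                             # sent to the user; the server keeps only the digest

def redeem_reset_token(email, token, now=None):
    """True exactly once for a valid, unexpired token bound to this e-mail address."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _PENDING.pop(digest, None)       # any lookup consumes the token
    if entry is None:
        return False
    stored_email, expiry = entry
    now = now or time.time()
    if now > expiry:
        return False
    return hmac.compare_digest(stored_email.encode(), email.encode())
```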

When login with an account password is restricted, crawl manually and then scan automatically

# Operating system arbitrary command execution vulnerability

A. Filter to show only requests with parameters

B. Test using Repeater

Gradually delete useless variables and find the variables that affect the page content

For input containing special characters, URL-encode it first

## Input variables are not filtered

Use the commands as you would on the command line; read the page source to see what filtering is applied

# Medium level

Shell command skills and techniques

"&": run the command in the background so the next one executes in parallel

"|": pipe, feeds the output of one command into the next

"||": if the previous command fails, execute the following command

"curl": command-line tool that sends an HTTP request to a URL of your choice
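An added example, not code from the page or from DVWA, of the two sides of the command execution issue described above: a ping handler that concatenates user input into a shell string behind a blacklist filter in the style of the "medium" level (stripping ";" and "&&" but not "|"), next to a hardened version that allowlists the value as an IP address and passes argv without a shell. The filter and the ping wrapper are constructed for the example.

```python
import ipaddress
import re
import subprocess

# Blacklist filter in the style of the medium level: strips a few metacharacters, leaves others
# (constructed for this example, not DVWA's actual source).
def medium_filter(target):
    return target.replace("&&", "").replace(";", "")

def build_shell_command(target):
    """Vulnerable pattern: user input concatenated into a string that a shell will parse."""
    return "ping -c 1 " + medium_filter(target)

def shell_metacharacters(cmd):
    """Detection helper: which of the metacharacters from the text still reach the shell."""
    return sorted(set(re.findall(r"\|\||&&|[|&;`$]", cmd)))

def build_safe_argv(target):
    """Hardened: allowlist the value as an IP address, then build argv for shell=False."""
    addr = ipaddress.ip_address(target.strip())   # ValueError for anything that is not an IP
    return ["ping", "-c", "1", str(addr)]

def run_safe_ping(target):
    argv = build_safe_argv(target)
    # No shell is involved, so argv[3] is one argument; "|" or "&" in it is never interpreted.
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).returncode
```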

# High level

C. Exploiting this vulnerability allows operations such as opening a listening port, for example:

; mkfifo /tmp/pipe; sh /tmp/pipe | nc -nlp 4444 > /tmp/pipe

D. Reverse shell

The application server is made to connect back and hand its shell to the machine running the listener
