Manual Vulnerability Mining
######################################################################################
Principle of manual vulnerability mining: find the vulnerabilities the automatic scanner misses, to make the coverage complete
1. Try each variable
2. Try all headers (such as the variables in cookies)
3. Delete variables individually
######################################################################################
Identity verification
1. Common weak passwords / dictionary-based password brute forcing
2. Lockout mechanism
Guess manually; if there is no lockout mechanism, brute force
3. Information gathering (gather information on the site to guess account names and passwords, e.g. from a user Hall of Fame)
Mobile phone number: for a partially masked phone number, work out the exact account (enter a known phone number manually and observe the password error message, e.g. "User name is wrong", then brute-force the user name)
Password error message
(Burpsuite: observe the contents of the response, e.g. the ErrorCode)
4. Password sniffing (on the same network, the user name and password can be obtained by capturing and analysing packets)
Burpsuite Demo
0. Turn off the intercepting proxy, log in on the DVWA login page with a wrong account, and analyse the packets
A. Account and password both wrong
B. Account correct, password wrong
Right-click > Send to Comparer to compare
#### Through comparison, find out whether there is any valuable information ####
If the two responses differ, use Intruder ("bombing") based on the Comparer result
1. When unable to log in with an account and password, turn to the session (SessionID / cookie)
A. Cross-site scripting combined with social engineering to obtain a cookie (refer back to the introduction)
B. Some poorly built web applications transmit the SessionID in the URL, where it can be obtained through social engineering
C. Normally the SessionID is placed in a cookie or in the body; use a sniffer
# Sniffing and injection (the SessionID exists: a. on the computer in the form of a file; b. in memory (most common))
# Inject the SessionID into the browser
Note: pay attention to the SessionID lifetime, and whether a new one is randomly generated on each login
# SessionID generation algorithm
# Use the Sequencer in Burpsuite to assess a site's SessionID generation algorithm (if the probability of repetition is high or the value can be predicted); using a generic, validated algorithm is recommended
If an insecure home-grown algorithm is used, the SessionID generated at the next login can be predicted in advance
2. Password recovery scenario
Retrieve Password link (for example):
Https://www.example.com/[email protected]&key=b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0e1cc1ffc5e475514
Observe and guess the key value, e.g. from its length in bits: 128 = MD5, 160 = SHA-1, 256 = SHA-256
#### The key may be derived from the email account with an encryption algorithm; if so, after modifying it the password can be reset directly ####
When login with an account password is limited: manual crawling, automatic scanning
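As an added example (not from the original notes), the Python below contrasts the deterministic key pattern the notes describe (a hash of the email address, which anyone who knows the address can recompute) with a hardened issuance and redemption scheme: random tokens from the OS CSPRNG, stored only as a hash, expiring and single-use. The in-memory store, the 15-minute TTL and the function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store for the example: sha256(token) -> (email, expiry timestamp).
_PENDING = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def deterministic_key(email: str) -> str:
    """The weak pattern: key = SHA-256(email). It is 64 hex chars (256 bits) and
    identical every time, so knowing the email is enough to reproduce it."""
    return hashlib.sha256(email.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Hardened variant: a fresh unpredictable token that is not derived from the
    email at all. Only its hash is stored, so a leaked store yields no usable tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _PENDING[digest] = (email.lower(), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the token once, only before expiry, and only for the email it was
    issued to. The entry is removed on any attempt, so a token is single-use."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _PENDING.pop(digest, None)
    if entry is None:
        return False
    stored_email, expires_at = entry
    if now > expires_at:
        return False
    # Constant-time comparison of the bound identity.
    return hmac.compare_digest(stored_email, email.lower())
```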
# Operating system arbitrary command execution vulnerability
A. Filter to show only requests with parameters
B. Test with Repeater
Gradually delete useless variables and try the variables that can affect page content
For symbolic input, encode it first
## Input variables are not filtered
Use the command in command-line mode; view the filtering through the source code
# Medium level
Shell command skills and techniques
"&": execute commands in parallel
"|": pipe
"||": execute the following command only if the previous command failed
"curl": command-line tool for requesting a custom URL, initiating an HTTP request
# High level
C. Exploiting this vulnerability allows operations such as opening a port, e.g.:
; mkfifo /tmp/pipe; sh /tmp/pipe | nc -nlp 4444 > /tmp/pipe
D. Reverse shell
The application server sends its shell back to the machine specified in the shell command
Small White Diary 36: Kali Penetration Testing, Web Penetration - Manual Vulnerability Mining (ii) - Breaking Authentication, Operating System Arbitrary Command Execution Vulnerability