Introduction
This document covers the basic knowledge required for web penetration testing. PentesterLab has packaged the fundamentals of testing and the most common web vulnerabilities into a live CD.
About this document
License
PentesterLab's exercises are published under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. For the terms of this license, see http://creativecommons.org/licenses/by-nc-nd/3.0/.
Notes on this document
Where relevant, reference links are provided so that you can study each topic in more depth.
Web application
After the system boots, you can obtain its current IP address with the ifconfig command:
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10300 (10.0 KiB)  TX bytes:10243 (10.0 KiB)
          Interrupt:11 Base address:0x8000
In this example, the IP address is 10.0.2.15.
Throughout the exercises, the host that simulates the victim machine is named vulnerable. You can use its IP address instead of the hostname, or add the hostname and the corresponding IP address to your hosts file.
Under Windows, the hosts file is located at C:\Windows\System32\Drivers\etc\hosts
On Unix/Linux and Mac OS X, edit the system hosts file in the same way.
Tip: the IP address may change after the machine restarts; if it does, update the hosts file accordingly.
Once you access the web application, you should see its home page.
Web
Many companies expose web services to the Internet, and many applications now have a web version.
The importance of web security is therefore self-evident.
Web security model
The essence of the web security model is simple: never trust data submitted by the client. Most of the information a server receives comes from the client, so user-submitted data must be validated, filtered and escaped before it is used.
Web security risks
The risks associated with web applications are the same as for other types of programs: information leakage, damage to reputation, financial loss, and so on.
Web technology
Architecture
Most web applications are built from three components:
- the client: in most cases, a browser;
- the web server, which accepts the client's requests. An application server may handle the request, in which case the web server simply passes it on;
- the storage backend, used to persist information: typically a database.
The differences in how these components behave can expose weaknesses and security issues.
Client-side technology
The client-side technologies used every day are HTML, JavaScript, Flash ... interpreted by a browser (Google Chrome, Firefox, etc.) that connects to the server. However, a web application's client may also be a script that connects to a web service.
Server-side technology
Many different technologies can be used on the server side, and each of them can be vulnerable to attack.
These technologies can be divided into the following types:
- web servers, such as Apache, lighttpd, nginx, IIS ...
- application servers, such as Tomcat, JBoss, Oracle Application Server ...
- programming languages, such as PHP, Java, Ruby, Python, ASP, C# ... A language is often used together with a framework, such as Ruby on Rails, .NET MVC or Django.
Storage backend
The storage backend can reside on the same machine as the web server or on a different one.
Some examples of storage backends:
- file storage;
- relational databases, such as MySQL, Oracle, SQL Server, PostgreSQL;
- other databases, such as MongoDB, CouchDB;
- directories, such as OpenLDAP or Active Directory.
An application can use several storage methods at once. For example, some applications use LDAP to store usernames and passwords while using Oracle to store the rest of the user information.
HTTP protocol
HTTP is the foundation of the whole web, so to test web applications it is important to understand the protocol in depth. Familiarity with the HTTP specification also helps when exploiting vulnerabilities.
A conversation between client and server
HTTP is a conversation between a client and a server. The client, say a browser, sends a request to the server, and the server returns a response to that request. HTTP is a text protocol, so it is easy for us to read. By default, web servers listen on TCP port 80: when you type http://pentesterlab.com/ into the browser's address bar and press Enter, the browser connects to port 80 of the IP address that pentesterlab.com resolves to. Most requests are generated while browsing. The browser sends a request made of the following elements:
- the HTTP method: tells the server what the client wants to do with the resource;
- the resource: the path of what the client wants to access on the server;
- the protocol version: which version of HTTP the client is speaking;
- a number of headers: these tell the server things such as the browser's name and version and the user's preferred languages (English, German, French ...);
- the request body: interpreted differently depending on the HTTP method.
For example, opening http://vulnerable/index.php generates the following HTTP request:
GET /index.php HTTP/1.1
Host: vulnerable
User-Agent: Mozilla Firefox
Request methods
There are a number of HTTP methods:
- GET: retrieves web content; the most common method used by browsers.
- POST: used to send more data to the server; commonly used for forms and file uploads.
- HEAD: similar to GET, the only difference being the response returned by the server: the response to a HEAD request contains only the headers, not the body. Web spiders use this method to check whether a page has changed without downloading its whole content.
There are many other HTTP methods: PUT, DELETE, PATCH, TRACE, OPTIONS, CONNECT ...
Parameters
Another important part of the request is its parameters. When the client accesses the page http://vulnerable/article.php?id=1&name=2, the following request is sent to the web server:
GET /article.php?id=1&name=2 HTTP/1.1
Host: vulnerable
A POST request is very similar, but the parameters are carried in the request body. Take the following form:
<form action="/login.php" method="POST">
Username: <input type="text" name="username"/> <br/>
Password: <input type="password" name="password"/> <br/>
<input type="submit" value="Submit">
</form>
This HTML code is rendered as a login form.
If the form is filled in with the following values:
username is 'admin'
password is 'password123'
then submitting it sends the following request to the server:
POST /login.php HTTP/1.1
Host: vulnerable
User-Agent: Mozilla Firefox

username=admin&password=password123
If the <form> tag uses the GET method instead, the request is sent as follows:
GET /login.php?username=admin&password=password123 HTTP/1.1
Host: vulnerable
User-Agent: Mozilla Firefox
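The following Python example is added here and is not part of the original PentesterLab document. It assembles raw HTTP/1.1 requests like the ones above and parses them back into method, resource, version, headers and parameters, taking parameters from the query string for GET and from the form-encoded body for POST. The sample requests are constructed to match the login examples in the text; the Content-Type and Content-Length headers on the POST sample are assumed, since a browser sends them even though the text omits them.

```python
from urllib.parse import parse_qs

# Constructed samples, modelled on the login requests shown above. The
# Content-Type and Content-Length headers on the POST are assumed: browsers
# send them, but the text omits them.
GET_REQUEST = (
    "GET /login.php?username=admin&password=password123 HTTP/1.1\r\n"
    "Host: vulnerable\r\n"
    "User-Agent: Mozilla Firefox\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: vulnerable\r\n"
    "User-Agent: Mozilla Firefox\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 35\r\n"
    "\r\n"
    "username=admin&password=password123"
)


def build_request(method, host, target, headers=None, body=""):
    """Assemble a raw HTTP/1.1 request: request line, Host, extra headers,
    a Content-Length when there is a body, a blank line, then the body."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    if body:
        lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_request(raw):
    """Split a raw request into its parts and decode its parameters.
    Query-string parameters are always decoded; body parameters only for a
    form-encoded POST, and only up to the declared Content-Length."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    path, _, query = target.partition("?")
    params = parse_qs(query, keep_blank_values=True)
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        params.update(parse_qs(body[:length], keep_blank_values=True))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body, "params": params}


if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        req = parse_request(raw)
        print(req["method"], req["path"], req["params"])
```

Note that the parser only reads as many body bytes as Content-Length declares; a server that disagrees with a front-end proxy about where a body ends is the root of request smuggling, which is why the header is honoured explicitly rather than assumed.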
If the form tag carries the attribute enctype="multipart/form-data", the request sent looks like this:
POST /upload/example1.php HTTP/1.1
User-Agent: Mozilla/5.0 [...] AppleWebKit
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryflw6ogspqzkvxzja

------WebKitFormBoundaryflw6ogspqzkvxzja
Content-Disposition: form-data; name="image"; filename="myfile.html"
Content-Type: text/html

My File
------WebKitFormBoundaryflw6ogspqzkvxzja
Content-Disposition: form-data; name="send"

------WebKitFormBoundaryflw6ogspqzkvxzja--
Notice the special Content-Type in the request header: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryflw6ogspqzkvxzja.
"WebKit" appears because the request was sent by a browser based on the WebKit engine; other browsers use a different random string. The boundary string appears several times: once in the Content-Type header and then, prefixed with two extra dashes, before each part of the body; the last delimiter is additionally followed by two dashes to mark the end of the body. When you upload a file, the browser sends something like the above, which contains:
File name: myfile.html
Parameter name: image
File type: text/html
Contents: My File
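As an added example that is not part of the original document, the following Python code parses a multipart/form-data body like the one above into its parts, extracting each part's parameter name, filename, content type and content, and then applies the check a pentester looks for on the receiving side: whether the uploaded filename would be accepted at all. The sample body is constructed to match the request above; the value "Upload" for the send field and the image-only extension allow-list are assumptions made for the example.

```python
import re

# Constructed sample, modelled on the upload request above. The "send"
# field's value ("Upload") is assumed; the text does not show it.
BOUNDARY = "----WebKitFormBoundaryflw6ogspqzkvxzja"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
MULTIPART_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="image"; filename="myfile.html"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "My File\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="send"\r\n'
    "\r\n"
    "Upload\r\n"
    f"--{BOUNDARY}--\r\n"
)


def boundary_from_content_type(value):
    """Pull the boundary parameter out of a multipart Content-Type header."""
    match = re.search(r'boundary="?([^";]+)"?', value)
    if not match:
        raise ValueError("not a multipart Content-Type")
    return match.group(1)


def parse_multipart(body, boundary):
    """Split a multipart body on "--" + boundary and return one dict per part.
    Each part is headers, a blank line, then data; the CRLF that precedes the
    next delimiter belongs to the delimiter, not to the data."""
    delimiter = f"--{boundary}"
    parts = []
    for segment in body.split(delimiter)[1:]:   # [0] is the preamble, ignored
        if segment.startswith("--"):            # closing delimiter: "--boundary--"
            break
        segment = segment.removeprefix("\r\n")
        head, _, data = segment.partition("\r\n\r\n")
        headers = {}
        for line in head.split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        disposition = dict(re.findall(r'(\w+)="([^"]*)"',
                                      headers.get("content-disposition", "")))
        parts.append({
            "name": disposition.get("name"),
            "filename": disposition.get("filename"),
            "content_type": headers.get("content-type"),
            "content": data.removesuffix("\r\n"),
        })
    return parts


# Hypothetical allow-list for an image upload handler (an assumption of this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def upload_is_safe(part):
    """Reject anything that is not a plain image filename: path separators,
    traversal, a missing extension, or an extension outside the allow-list.
    An uploaded .html served back from the site is stored XSS and a .php is
    code execution, so the extension after the last dot is what is checked."""
    filename = part.get("filename") or ""
    if not filename or "/" in filename or "\\" in filename or ".." in filename:
        return False
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    parts = parse_multipart(MULTIPART_BODY, boundary_from_content_type(CONTENT_TYPE))
    for part in parts:
        print(part["name"], part["filename"], part["content_type"],
              repr(part["content"]), "safe" if upload_is_safe(part) else "REJECT")
```

The Content-Type a browser puts on a part is client-controlled and worth nothing as a security check; the filename is equally attacker-chosen, which is why the check above trusts neither and only consults the extension against an allow-list after rejecting path characters.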
You can also pass arrays as parameters (or hashes, as long as the server knows how to parse them). For example, /index.php?id[1]=0 encodes an array containing the value 0 at index 1.
This encoding is often used by frameworks that automatically map request parameters onto objects. For example, the request user[name]=louis&user[group]=1 is mapped to a user object whose name property is louis and whose group property is 1. This automatic mapping can sometimes be attacked: by sending additional property values, you may be able to change properties of the object that the application never meant to expose, if it does not protect them. In the example above, add user[admin]=1 to the request and check whether you obtain administrator privileges.
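Added example, not from the original document: the Python code below decodes bracket-style parameters (id[1]=0, user[name]=louis) into nested dictionaries the way PHP and Rails-style frameworks do, then shows a hypothetical user update handler in its vulnerable form, which copies every submitted property onto the object, next to the fixed form, which assigns only an allow-list of properties. The User class, its attributes and the allow-list are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl


def parse_bracket_params(query):
    """Decode PHP/Rails-style bracket keys into nested dicts:
    "user[name]=louis&user[group]=1" -> {"user": {"name": "louis", "group": "1"}}
    "id[1]=0"                         -> {"id": {"1": "0"}}"""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        path = re.findall(r"[^\[\]]+", key) or [key]   # "user[name]" -> ["user", "name"]
        node = result
        for segment in path[:-1]:
            node = node.setdefault(segment, {})
        node[path[-1]] = value
    return result


class User:
    """Hypothetical model object the framework maps request data onto."""
    def __init__(self, name=None, group=None, admin=False):
        self.name = name
        self.group = group
        self.admin = admin


def update_user_unsafe(user, attrs):
    """Vulnerable mass assignment: whatever property the client sends is set,
    so user[admin]=1 silently promotes the account."""
    for name, value in attrs.items():
        setattr(user, name, value)
    return user


ASSIGNABLE = {"name", "group"}   # the only properties a user may change about themselves


def update_user_safe(user, attrs):
    """Allow-listed assignment: only ASSIGNABLE properties are copied; the
    rest are returned so the handler can log or reject the request."""
    rejected = sorted(set(attrs) - ASSIGNABLE)
    for name in ASSIGNABLE & set(attrs):
        setattr(user, name, attrs[name])
    return user, rejected


if __name__ == "__main__":
    attack = parse_bracket_params("user[name]=louis&user[group]=1&user[admin]=1")
    print("unsafe:", vars(update_user_unsafe(User(), attack["user"])))
    user, rejected = update_user_safe(User(), attack["user"])
    print("safe:", vars(user), "rejected:", rejected)
```

When testing, the interesting properties to try are the ones the form never offers: role or privilege flags, the owner or user id of a record, and price or balance fields; when fixing, prefer an allow-list of writable properties over a deny-list of known-dangerous ones, since the latter has to be updated every time the model grows.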