This article was prompted by "Web analysis, vulnerability assessment and exploitation using BackTrack 5" (http://resources.infosecinstitute.com/web-analysis-bt-5/). Web security analysis and vulnerability exploitation have always been an important part of risk assessment and penetration testing; in an external network penetration test they are sometimes the only way in. Hari Krishnan's article appears to do no more than introduce a few BT5 tools for web risk assessment and exploitation, but in essence it shows a basic line of thinking for web penetration testing. Personally I feel that in penetration testing or risk assessment, every case is a project. If a penetration tester treats each engagement as a project, and keeps accumulating experience and lessons from it, I believe his personal ability will improve greatly.
My blog has introduced a lot of tools. The original idea was very simple: to share good things with everyone, not to spread tools around. The unfortunate part is that on December 15 the blog was briefly "harmonized" (taken offline) because of a post introducing one tool, and it came back only after that article was deleted... Someone e-mailed to ask why; I did not reply then, so this is my reply, and thank you for the reminder. A penetration tester who cannot use tools is in a sad position. There are two possibilities: either he cannot get anything done, or he does get it done "purely by hand", which looks very advanced but is in fact very costly. A penetration tester who can only use tools is in an even sadder position, because it is hard for him to reach any real level: what the tools can do, he can do; what the tools cannot do, he cannot do either. The result is that he is dispensable, and anyone can replace him. Attentive readers will notice that most of the tools I introduce here are open source. That is not to say there are no good closed-source tools, but that we can genuinely absorb something from an open tool: whatever its value, and whether it is a success or a failure, it always condenses the ideas and techniques of its developer. We can learn from what succeeded, and what failed is also a useful reference. A failure at least shows you one path that does not work.
So the tools that others share should be used first and then studied. Take WhatWeb as an example. Once you have the tool, the first thing is to use it: in BT5 it works out of the box; if you do not want to use BT5 and would rather run it on Windows, you have to install it yourself and make sure it works properly. Then get a feel for the results by actually testing it, and since it is a web fingerprinting tool, test it against some online web applications whose identity you already know. If it works, we can add it to the arsenal, but it is never that simple: you will find that it is not always handy in real use, with problems such as garbled Chinese and no identification modules for domestic CMS systems. The next step is the most important one: study the technical principles behind WhatWeb. In the course of that research you will learn at least which web application identification methods currently exist, how WhatWeb itself identifies web applications (the WhatWeb principle), how WhatWeb schedules its plugins, how to develop a WhatWeb plugin (try writing one that identifies Discuz), and what WhatWeb's strengths and shortcomings are. Once you have studied WhatWeb thoroughly, you can also ask: if I were building a web application fingerprinting product, how would I implement it?
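As an added illustration of the principle just described, here is a simplified WhatWeb-style matcher in Ruby. It is not code from the original post and does not use WhatWeb's real plugin DSL; the rule structure, the Discuz! and Apache rules, the sample headers and the sample page are all constructed for this example. It shows the core mechanism (a list of per-application rules matched against response headers and body, with an optional capture group for the version) and the one thing the "garbled Chinese" complaint above comes down to: decoding the body according to its declared charset before matching, so a GBK-encoded page is handled like any other.

```ruby
# Simplified WhatWeb-style fingerprinting engine (illustrative; not WhatWeb's own code).
# A "plugin" here is a Hash: an application name plus a list of match rules.
# Rule kinds:
#   :text    -> literal substring that must appear in the body
#   :regexp  -> Regexp over the body; with :version => N, capture group N is the version
#   :header  -> [header-name, Regexp] over the response headers; :version works the same way
# The rules below are constructed for the example, not taken from WhatWeb.
PLUGINS = [
  {
    name: "Discuz!",
    matches: [
      { text: "Powered by Discuz!" },
      { regexp: /<meta name="generator" content="Discuz! ([\w.]+)"/i, version: 1 },
    ],
  },
  {
    name: "Apache",
    matches: [
      { header: ["Server", /^Apache(?:\/([\d.]+))?/], version: 1 },
    ],
  },
]

# Find the declared charset: Content-Type header first, then the HTML <meta> tag.
# The meta tag is ASCII, so it can be read from the raw bytes before decoding.
def detect_charset(headers, raw_body)
  from_header = headers["Content-Type"].to_s[/charset=([\w-]+)/i, 1]
  return from_header if from_header
  raw_body.dup.force_encoding("BINARY")[/charset=["']?([\w-]+)/i, 1] || "UTF-8"
end

# Transcode the body to UTF-8 so patterns match regardless of the page's native
# encoding (GBK pages are the common "garbled Chinese" case). Unknown charset
# names fall back to a lossy binary-to-UTF-8 conversion instead of aborting.
def decode_body(headers, raw_body)
  charset = detect_charset(headers, raw_body)
  raw_body.dup.force_encoding(charset).encode("UTF-8", invalid: :replace, undef: :replace)
rescue ArgumentError
  raw_body.dup.force_encoding("BINARY").encode("UTF-8", invalid: :replace, undef: :replace)
end

# Run every plugin's rules; return { "App" => { version: "x" or nil } } for each hit.
def fingerprint(headers, raw_body)
  body = decode_body(headers, raw_body)
  lc_headers = headers.transform_keys(&:downcase) # HTTP header names are case-insensitive
  results = {}
  PLUGINS.each do |plugin|
    plugin[:matches].each do |rule|
      m = nil
      hit = false
      if rule[:text]
        hit = body.include?(rule[:text])
      elsif rule[:regexp]
        m = rule[:regexp].match(body)
        hit = !m.nil?
      elsif rule[:header]
        hname, hre = rule[:header]
        m = hre.match(lc_headers[hname.downcase].to_s)
        hit = !m.nil?
      end
      next unless hit
      version = (m && rule[:version]) ? m[rule[:version]] : nil
      results[plugin[:name]] ||= { version: nil }
      results[plugin[:name]][:version] ||= version # keep the first version seen
    end
  end
  results
end

# Constructed sample response: an Apache server returning a GBK-encoded Discuz! page.
SAMPLE_HEADERS = {
  "Server" => "Apache/2.2.15",
  "Content-Type" => "text/html; charset=gbk",
}
SAMPLE_BODY_UTF8 = <<~HTML
  <html><head>
  <meta http-equiv="Content-Type" content="text/html; charset=gbk" />
  <meta name="generator" content="Discuz! X3.4" />
  <title>示例论坛 - Powered by Discuz!</title>
  </head><body>Powered by Discuz!</body></html>
HTML
SAMPLE_BODY_GBK = SAMPLE_BODY_UTF8.encode("GBK") # what the wire would actually carry

if __FILE__ == $PROGRAM_NAME
  fingerprint(SAMPLE_HEADERS, SAMPLE_BODY_GBK).each do |name, info|
    puts "#{name} #{info[:version] || '(version unknown)'}"
  end
end
```

The same engine identifies any further application by adding a rule set to PLUGINS; a real tool adds plugin scheduling (which plugins run on which pages), aggressive mode (fetching extra URLs), and confidence scoring on top of this basic matching loop.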
The above is a bit of rambling, but the point is this: do not stop at the level of using tools; also research tools, modify tools, customize your own tools, and develop tools. Learn from everything that can be borrowed, and turn everything you learn into something of your own.
To get to the point of web penetration testing: everyone does roughly the same thing, always with small differences. The methods and angles may differ, but in the end they follow the general law of the matter; if you go against it, even an Apache 0day thrown directly at IIS will get you nowhere. Web penetration testing has several aspects: collecting information, exploiting vulnerabilities, and getting a shell.
Information collection. Many things interest us here: domain name information, subdomain information, DNS, web application server information, site directory structure, web application name, web application plugins, administrator user names, e-mail addresses, security equipment information, and so on.
Domain-related information gathering: DNSDataView, Maltego, RevHosts, theHarvester, Srgn-infogather, QuickRecon, whoistd ...
Web application server information: httprint, httprecon ...
Website directory structure: DirBuster, http-dir-enum, wfuzz, pywebfuzz ...
Web application identification: BlindElephant, CMS-Explorer, WhatWeb ...
Web application plugin identification: Plecost, WPScan, joomscan ...
WAF detection: waffit, UA-tester
Vulnerability exploitation: remote code execution, file upload vulnerabilities, SQLi, LFI/RFI, XSS, CSRF, and so on.
Web exploitation tools: sqlmap, XSSer, BeEF, fimap, w3af, XSSploit, Web Exploitation Framework, OWASP Mantra, pysqlin ...
Webshells are too numerous to list.
Some typical web penetration testing tools are listed above; most are written in scripting languages and are open source. By studying them you can refine and adapt them, and build your own penetration testing tool set. In fact, what so many of these tools express is one way of thinking about web penetration testing: first identify the web application and search for its published vulnerabilities; if the main program has none, identify the web application's plugins and search for their published vulnerabilities; if there are no public vulnerabilities, obtain a 0day in the web application or its plugins by vulnerability mining or other means; and if the web application really is unassailable, consider social engineering. The key is to gather as much information as possible and to find a workable attack path from that information. Following this idea, to improve the efficiency and success rate of penetration tests we need to accumulate: web application identification, plugin identification, public vulnerabilities, 0days, the methods for turning the various web vulnerabilities into a shell, and so on.
Finally, I would like to say: my blog can be closed, but please remember that those who fall behind get beaten. If technology and tools that are already public abroad cannot be spread domestically, the overall technical gap between us and others can only grow wider. I say "overall" because there are, after all, many capable people here; what is missing is a domestic environment in which they can share their own research.
From: bugzone - http://www.pulog.org/ori/2349/web-exploitation/ - reprints must cite the source.