1. No matter what the site is or what language it is written in, when I want to get in the first thing is to scan directories; best of all is to find an upload point and upload the shell directly. Don't laugh: sometimes you work a site for a long time and finally find a ready-made upload point whose path was easy to guess. This situation mostly occurs with ASP, though.
2. ASP (ASPX) + MSSQL: consider injection first. If the injection point has dbowner permission you can usually write the shell directly. If it cannot be written, or the web server and the database are separate, enumerate the data through the injection, start from the admin back end, and upload or modify the configuration file there.
3. ASP (ASPX) + ACCESS: there are only three ways to get a shell. One is to upload from the front end, or to inject your way into the back end and upload; the second is to inject your way into the back end and write the configuration file; the third is to inject your way into the back end and back up the database, or expose the database path, and once the database is known to be .asp or .asa write a one-line shell directly into it.
4. PHP + MySQL: generally inject, get into the back end and upload; occasionally you are lucky enough to inject select into outfile. Next come local and remote inclusion; later PHP versions do not support remote inclusion, so I have tried including a locally uploaded image file or writing to the log instead. Also, PHP programs have some undisclosed vulnerabilities; if you are lucky you can write the shell directly.
5. JSP + MySQL: obtaining permissions through the database is basically the same as with PHP, and JSP uploads rarely check the file suffix, so as long as there is an injection point and a back end, getting a shell is quite easy. I have not met many JSP + Oracle sites, but there too I tried guessing the username and password and starting from the back end.
6. Whatever the site, the main site is generally very secure (otherwise it would have been owned long ago), so generally start from the second-level domains: guess the main site's username and password, obtain the main site's source code, or take a server on the same network segment and then use Cain or ARP to get at it.
7. Large sites rarely use a ready-made CMS, so if you are lucky enough to find the source code, its injection, upload and file-write vulnerabilities are all in your hands. Also look at the new test sites of those major sites; they are still under test and can be won easily.
8. Uploads are subject to file-name truncation, of two kinds: one is 00 truncation, the other is long-file-name truncation (we used this to get hw); and there are many file-writing places where 00 works, which has been tried and tested repeatedly. Do not forget the .asp directory when uploading (and of course .asa, .cer, .cdx).
9. PHP sites have the magic_quotes_gpc problem on both Windows and Linux. With magic_quotes_gpc on you can still select into outfile when injecting through server variables; that was the case with a non-open-source CMS I worked on this year. Generally don't count on writing files when it is on, but if you do have that permission, don't forget to read the file source code, because the load_file parameter can be encoded. You may be surprised.
11. Tool use matters a lot; a WVS scan before the intrusion helps. There are many injection tools, but they are not necessarily good, and today's hardware and software firewalls and anti-injection tools are getting harder and harder to deal with, so don't be lazy: more manual work will help you grow.
12. Have you ever run into first-class monitoring or other post-intrusion protection firewalls? Sometimes you get in with a one-line shell and still cannot upload a trojan. Then you should first learn about encoding, and then learn to modify and bypass.
13. If you want to take an ordinary site, remember to check the site's copyright notice, find the company that built the site, and start from that company's other sites. Then get the source code and come back to it. I used this method to win a well-known pharmaceutical company's site.
14. The concept of bypass is never out of date. When injection gives dbowner, a shell can easily be written to the site you need, sparing you the trouble of privilege escalation. If you are lucky, step-by-step shell authorization gets you what you need.
15. Never forget social engineering. Using social engineering, treat yourself as a person with nothing and start from the XX webmaster's QQ, ID card, email and so on. Sometimes there may be exceptions; also do not forget the simple attempts admin/admin, test/test and 123456/123456. Of course you can also brute-force.
16. Do not ignore XSS and do not ignore cookies. XSS can steal cookies; learn how to use them. Cookies can be forged to log in, cookies can be injected, and cookie injection gets around the vast majority of firewalls.
17. We usually collect a lot of paths, source code and tools to enrich our "weapons" database. I recommend recording your intrusion steps, or reviewing them afterwards; I usually keep them in a txt file, and I also want to do the opposite.
18. Learn more, read the source code, and read the published 0days. Scripting is the prerequisite for intrusion, not tools.
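The truncation tricks in item 8 (00 truncation, long-file-name truncation, the .asp directory) all rely on the server trusting the client-supplied file name. As an added defensive example that is not part of the original post, the Python validator below rejects those shapes and then discards the client name entirely; the extension lists, the 64-character limit and the function names are assumptions made here.

```python
import re
import secrets
from typing import Optional

# Assumed policy: extensions the post names as dangerous on ASP/IIS servers,
# plus the usual server-side scripting suffixes.
EXECUTABLE_EXTS = {"asp", "asa", "cer", "cdx", "aspx", "php", "jsp"}
# Assumed allow-list for an image upload endpoint.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}
# Kept far below any filesystem/API limit so nothing is silently cut off
# at a boundary the attacker can predict (long-file-name truncation).
MAX_NAME_LEN = 64


def validate_upload_name(raw_name: str) -> Optional[str]:
    """Return the reason a client-supplied name is rejected, or None if acceptable."""
    if not raw_name:
        return "empty name"
    # A NUL byte (or its literal %00 spelling) is the classic 00 truncation:
    # the check sees ".jpg", the C-level file API stops at the NUL.
    if "\x00" in raw_name or "%00" in raw_name or any(ord(c) < 0x20 for c in raw_name):
        return "control or NUL byte (00 truncation attempt)"
    if len(raw_name) > MAX_NAME_LEN:
        return "name too long (long-name truncation risk)"
    # Inspect every path component: on old IIS a *directory* named x.asp
    # executes its contents, so a folder name is as dangerous as a file name.
    parts = re.split(r"[\\/]+", raw_name)
    for part in parts:
        for ext in part.lower().split(".")[1:]:
            if ext in EXECUTABLE_EXTS:
                return f"executable extension .{ext} in '{part}'"
    base = parts[-1]
    if "." not in base:
        return "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTS:
        return f"extension .{ext} not allowed"
    return None


def server_side_name(raw_name: str) -> str:
    """Never store under the client's name: random stem + the validated extension."""
    reason = validate_upload_name(raw_name)
    if reason:
        raise ValueError(reason)
    ext = raw_name.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Storing the file outside the web root, or on a host that serves the upload directory with script execution disabled, closes the remaining gap that the name check alone cannot.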