
Basics of network security (1)

2022-06-13 00:10:00 Guigui-23

Preface: It hasn't been updated for a long time. I mainly reread my previous articles and feel like I was just padding the count. In the future I will try my best to ensure the quality of each article, so the update cycle may be slower.

Basic introduction

I. Basic concepts

domain name

1. What is domain name

A domain name (English: Domain Name), also called a domain, is the name of a computer or group of computers on the Internet, written as a string of labels separated by dots. It is used to locate and identify the computer during data transmission (sometimes it also indicates a geographical location).
Because IP addresses are hard to remember and do not show the name or nature of the organization behind them, people designed domain names, and the Domain Name System (DNS) maps domain names to IP addresses and back, so people can reach the Internet without memorizing the numeric IP strings that machines read directly. For example, www.baidu.com is a domain name. In short, IPs are hard to remember, so domain names exist for convenience. You can think of it as the relationship between a street address and its longitude and latitude.

2. How to register a domain name

One way is to register through a dedicated domain name provider, for example Alibaba Cloud (Alicloud).

Another way is for an individual to complete the registration themselves through a professional registration platform (a registrar).

3. Top-level domain name ( First level domain name ), Two level domain name , subdomain

3.1 Top-level domain name ( First level domain name )

Top-level domains, also called first-level domains (TLDs), are sometimes translated as international top-level domains.

  .com  for commercial use, but without restriction; the most commonly used
  .net  originally for network service providers, now unrestricted
  .org  originally for organizations that did not fit the other generic top-level domains, now unrestricted
  .edu / .gov / .mil  for U.S. educational institutions / U.S. government agencies / the U.S. military; for historical reasons generally used only in the United States
  .aero  for the air transport industry
  .biz  for business use
  .coop  for cooperatives
  .info  for informational websites, but unrestricted
  .museum  for museums
  .name  for families and individuals
  .pro  for certain professions
  .asia  for the Asian community
  .tel  for services connecting the telephone network to the Internet
  .post  for postal services
  .mail  proposed for email websites (this TLD was applied for but never delegated in the DNS root, so such names do not resolve)

3.2 Two level domain name

A second-level domain (SLD; English: Second-level domain) is, in the DNS hierarchy, the domain directly under a top-level domain. It is the second-to-last label of the domain name; for example, in the domain name example.baidu.com the second-level domain is baidu.

.com  top-level domain / first-level domain; more precisely, the top-level domain

baidu.com  second-level domain name; more precisely, the second-level domain

tieba.baidu.com  third-level domain name; more precisely, the third-level domain

detail.tieba.baidu.com  fourth-level domain name; more precisely, the fourth-level domain

3.3 subdomain

A subdomain (English: Subdomain) is a domain that belongs to a higher domain in the DNS hierarchy. For example, mail.example.com and calendar.example.com are two subdomains of example.com, and example.com is itself a subdomain of the top-level domain .com. Every name with labels in front of a TLD is a subdomain of that TLD; by the number of labels, subdomains are classed as second-level, third-level and multi-level subdomains.


DNS

1. What is DNS

DNS is short for Domain Name System (or Domain Name Service). It consists of resolvers and name servers, and its job is to translate a domain name into the IP address the network actually routes on.

Each computer also has a hosts file (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows) that stores domain names with their corresponding IP addresses; it is consulted before DNS is queried.

2.cdn and dns

CDN stands for content delivery (distribution) network. Its purpose is to let users get the data they request faster. Simply put, a CDN is for acceleration: it lets users fetch data from nearby, so the data arrives sooner. For example, suppose the server is in Beijing; a user in Shenzhen must cross a long distance to reach it, which is obviously slower than a Beijing user reaching a Beijing server. But if we set up a CDN server in Shenzhen that caches part of the data, Shenzhen users visit that CDN server first, and if the data they asked for is cached there it is returned directly, which greatly improves speed.

A CDN is essentially nearby access, which raises the question of how we know where a user is so we can assign the best CDN node. That is done with the DNS service. When a user resolves a name, the scheduling server sees which local DNS (LDNS) server the query comes from; if it comes from a Shenzhen Telecom LDNS, we assume the user is on Shenzhen Telecom and the scheduler answers with the Shenzhen Telecom CDN node, so the user reaches the optimal node. Through DNS we can quickly locate the user and hand out the best CDN node.

3. common dns attack

1.) Cache poisoning (DNS pollution)

Also known as domain name system poisoning or DNS cache poisoning. A false address is placed into the resolver's cache in place of the real one, and damage follows from there: when a user looks up the poisoned name, the browser is sent to a different site than the one the link named. In that situation worms, Trojans, browser hijackers and other malware may be downloaded to the user's computer.

2.) DNS hijacking

DNS hijacking, also called domain hijacking, means intercepting domain name resolution requests within the hijacked network, inspecting the requested name, passing through requests outside the censored scope and, for the rest, returning a fake IP address or doing nothing so the request gets no answer. The effect is that particular sites cannot be reached, or a fake site is reached instead. Such attacks often change the end user's TCP/IP settings through malware, pointing the user at a malicious DNS server that resolves names to phishing sites and other servers the attacker controls.

3.) Domain name hijacking

Domain name hijacking is the same mechanism: resolution requests inside the hijacked network are intercepted and inspected, requests outside the censored scope are released, and the rest get a false IP address or no answer at all, so specific websites cannot be reached or a fake site is reached instead. Once your domain is hijacked, users are led to fake sites and cannot browse normally, and they may be lured into logging in on the fake site, leaking private data.

4.) DNS DDoS attack

A DDoS attack against DNS uses a controlled botnet to send a huge number of domain name queries through the real DNS protocol stack, or tools that forge the source IP to send massive DNS queries: the flood of query packets exhausts network bandwidth so legitimate queries cannot get through. Sending large numbers of queries for non-existent (random) names forces the DNS server to keep performing recursive lookups, so a small amount of attack traffic consumes a lot of server resources.

5.) DNS reflection amplification attack

A DNS reflection amplification attack exploits the fact that a DNS reply packet is larger than the request packet. The attacker forges the source IP of the request as the victim's IP, so the (amplified) response traffic is directed at the victim's server.
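The three ideas above (a reply must match the query before a resolver trusts it, a forged reply is how cache poisoning works, and replies are far larger than queries, which is what reflection amplification exploits) can be seen in the bytes themselves. The following Python is an added example written for this edit, not code from the original article: it builds an RFC 1035 query and an A-record reply with constructed addresses (93.184.216.x is an assumed example range), parses them, applies the transaction-ID and question-section check a resolver uses before caching an answer, and computes the amplification factor.

```python
import struct


def encode_name(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """A standard recursive query (RD=1) with one question; qtype 1 = A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(msg, off):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # the pointer ends the name in the stream
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg):
    """Parse header, question section and all resource records of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "records": records}


def build_a_response(query, addresses, ttl=300):
    """Answer a query with one A record per address; names use a pointer to offset 12 (0xC00C)."""
    q = parse_message(query)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack(">HHHHHH", q["id"], 0x8180, 1, len(addresses), 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack(">HH", qtype, qclass)
    rrs = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4)
                   + bytes(int(x) for x in a.split(".")) for a in addresses)
    return header + question + rrs


def response_matches_query(query, response):
    """The check a resolver must make before caching an answer: transaction ID, the QR bit and
    the question section must all match. A spoofed reply (cache poisoning) that gets any of
    these wrong is discarded; if the ID and source port are guessable this check alone is not enough."""
    q, r = parse_message(query), parse_message(response)
    return q["id"] == r["id"] and bool(r["flags"] & 0x8000) and q["questions"] == r["questions"]


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker sends in a reflection attack."""
    return len(response) / len(query)


if __name__ == "__main__":
    query = build_query(0x1234, "example.com")
    reply = build_a_response(query, ["93.184.216.%d" % i for i in range(1, 31)])   # constructed
    print("query %d bytes, reply %d bytes, x%.1f" % (len(query), len(reply),
                                                    amplification_factor(query, reply)))
    forged = build_a_response(build_query(0x9999, "example.com"), ["10.0.0.1"])  # wrong txid
    print("forged reply accepted:", response_matches_query(query, forged))
```

A 29-byte query for example.com with thirty A records in the reply comes back as 509 bytes, a factor above 17 before any EDNS0 or ANY-query tricks; the forged reply with the wrong transaction ID is rejected by the match check, which is exactly what an attacker racing the real answer must beat.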

Scripting language

1. Common scripting languages

Scripting languages, also called extension languages or dynamic languages, are programming languages used to control software applications. Scripts are usually stored as text (e.g. ASCII) and are interpreted or compiled only when invoked.
Scala, JavaScript, VBScript, ActionScript, MAXScript, ASP, JSP, PHP, SQL, Perl, Shell, Python, Ruby, JavaFX, Lua, AutoIt, etc.

Different scripting languages have different rules, so the vulnerabilities that programs written in them produce naturally differ as well (this is what code audit looks at).

back door

1. What is a backdoor? What kinds are there?

A backdoor generally refers to a program or method that bypasses security controls to gain access to a program or system. Categories: web page backdoors, thread-injection backdoors, extension backdoors, C/S (client/server) backdoors.

2. What is the practical significance of backdoors in security testing?

For example, a backdoor hidden in a web page or in software quietly carries out the operations the attacker wants.

3. What do you need to know about backdoors? (How to use them, how to evade antivirus)

Be familiar with both attack and anti-detection, so the backdoor is not recognized by security software.

Web composition architecture model

Website source code: classified by script type and by application direction

Operating system: Windows, Linux

Middleware (the serving platform): Apache, IIS, Nginx, Tomcat, etc.

Database: Access, MySQL, MSSQL, Oracle, etc.

WEB-related security vulnerabilities

  1. Vulnerabilities in the web source code

    SQL injection
    File upload
    XSS
    Code execution
    Variable overwrite
    Logic flaws
    Deserialization, etc.

  2. Vulnerabilities in web middleware

    Unauthorized access

  3. Vulnerabilities in the web database

    Kernel vulnerabilities

  4. Vulnerabilities at the system layer

    Privilege escalation, security-sensitive code execution

  5. Other third-party vulnerabilities

    Third-party software on the host

  6. App or PC application binding class

    Mobile, PC, web


II. Data packet expansion

1.http and https The difference between (https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Methods)


• HTTP is the Hypertext Transfer Protocol and transmits messages in plain text; HTTPS is HTTP carried over an SSL/TLS encrypted channel.
• HTTP and HTTPS use different connections and different default ports: 80 for HTTP, 443 for HTTPS.
• An HTTP connection is simple and stateless; HTTPS is built from SSL/TLS plus HTTP and provides encrypted transmission and identity authentication (the server certificate), so it is more secure than HTTP.

2. TCP/IP system

Architecture: TCP/IP. Protocols: TCP, UDP, HTTP, ... Main use: the Internet

3.IP And port

What is an IP?

An IP address is the unique identifier of an electronic device (computer, router) on the network, like the house number of your device on the Internet.

Intranet IP and public IP

Intranet IP: an address inside the network behind a router. It can reach the Internet, but the Internet cannot connect to it directly (port mapping/NAT on the router is required).

Public IP: an address on the Internet itself. It can exchange traffic directly with Internet resources; no port mapping is needed.

What is a port?

A port identifies an application (a listening service) on a computer; together with the IP address it names one communication endpoint.

Common ports:

21/tcp  FTP  File Transfer Protocol

22/tcp  SSH  secure login, file transfer and port forwarding

23/tcp  Telnet  insecure plain-text remote terminal

25/tcp  SMTP  Simple Mail Transfer Protocol (e-mail)

80/tcp  HTTP  Hypertext Transfer Protocol (WWW)

443/tcp  HTTPS  HTTP over an encrypted channel on a secure port
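An added example (not from the original article) showing the two points above in code: classifying an address as private or public, and a TCP connect scan of the common ports table. So that it runs offline it scans a throwaway listener it starts itself on 127.0.0.1; 192.168.139.137 and the other addresses are only constructed inputs.

```python
import ipaddress
import socket
import threading

# The common ports table from the text
COMMON_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}


def classify_ip(addr):
    """Private (RFC 1918, e.g. 192.168.0.0/16, 10.0.0.0/8) addresses are reachable from the
    Internet only through NAT/port mapping; public ones are routed directly."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: complete the three-way handshake on each port and record the result.
    Returns {port: (state, service name from the table or None)}."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                state = "open"
            except (socket.timeout, OSError):   # refused (closed) or no answer (filtered)
                state = "closed/filtered"
        results[port] = (state, COMMON_PORTS.get(port))
    return results


def start_listener(port=0):
    """Constructed target: a throwaway TCP listener on 127.0.0.1 (port 0 = any free port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by the caller
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """A port nothing listens on: bind to 0, read the number back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for a in ("192.168.139.137", "10.0.0.5", "8.8.8.8"):   # constructed sample addresses
        print(a, classify_ip(a))
    srv, port = start_listener()
    print(connect_scan("127.0.0.1", [port, free_port()]))
    srv.close()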

4. Implementation of website access

Difference between C/S architecture and B/S architecture

The main difference: Client/Server is based on the LAN; Browser/Server is based on the WAN.

What is HTTP? The Hypertext Transfer Protocol.

Role: the transfer protocol defines the format of the data exchanged between browser and server.


Characteristics of the HTTP protocol:

1. Based on TCP/IP

2. Default port 80

3. Requests and responses correspond one to one

4. Each request is independent of the others; it is a stateless protocol

The request message -request

1 Request line
Request method  description
GET  requests a representation of the specified resource; GET should only be used to retrieve data.
HEAD  requests a response identical to that of a GET request, but without the response body.
POST  submits an entity to the specified resource, usually causing a state change or side effects on the server.
PUT  replaces all current representations of the target resource with the request payload.
DELETE  deletes the specified resource.
CONNECT  establishes a tunnel to the server identified by the target resource.
OPTIONS  describes the communication options for the target resource.
TRACE  performs a message loop-back test along the path to the target resource.
PATCH  applies partial modifications to a resource.

Request method  request URL  protocol and version

GET /page/jointleboratory HTTP/1.1

Differences between GET and POST requests:

1. A POST request carries a body, so its request header has extra lines such as Content-Type (and Content-Length) describing it.

2. A GET request passes its parameters in the URL, and the URL length has an upper limit.

2 Request headers

Identify the client to the server

*Host: the requested host's domain name / IP address

Host: www.baidu.com

*User-Agent: tells the server the browser version; the server uses it to work around browser compatibility issues

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...

*Accept: the content types the browser can handle

Accept: text/html,application/xhtml+xml,...

*Referer: tells the server which page the request came from

Referer: http://www.baidu.com/

*Accept-Encoding: the content encodings the browser can receive

Accept-Encoding: gzip, deflate, br

*Accept-Language: the languages the browser can receive

Accept-Language: zh-CN,zh;q=0.9,la;q=0.8,en;q=0.7

*Cookie: the session token

Because HTTP is stateless, cookies were introduced to avoid problems such as having to log in again on every request

3 Request a blank line

This is an empty line

4 Request body

The response message -response

1 Status line

Protocol and version  response status code  status description

HTTP/1.1 200 OK

The HTTP response status code indicates whether a specific HTTP request completed successfully. Responses fall into five classes: informational (100-199), success (200-299), redirect (300-399), client error (400-499) and server error (500-599).

Response status code  meaning
100 This interim response indicates that everything so far is OK and the client should continue the request, or ignore the response if the request is already finished.
101 Sent in response to an Upgrade header from the client; indicates the protocol the server is switching to.
102 The server has received and is processing the request, but no response is available yet.
103 Used with the Link header to let the user agent start preloading resources while the server is still preparing a response.
200 The request succeeded. The meaning of success depends on the HTTP method: GET: the resource has been fetched and is transmitted in the message body. HEAD: the representation headers are in the response, with no message body. POST: the resource describing the result of the action is transmitted in the message body. TRACE: the message body contains the request message as received by the server.
201 The request succeeded and a new resource was created as a result. Typically the response to a POST request, or to some PUT requests.
202 The request has been received but not yet acted upon, and there is no result. It is non-committal: HTTP has no way to send a later asynchronous response indicating the outcome. Intended for cases where another process or server handles the request, or for batch processing.
203 The request was successful, but the returned entity header meta-information is not the definitive set from the origin server; it comes from a local or third-party copy. The current information may be a subset or a superset of the original version. Using this status code is not required, and it is only appropriate where the response would otherwise have been 200 OK.
204 The server processed the request successfully but needs to return no entity content; it may want to return updated meta-information in the form of entity headers, which should correspond to the requested variant. If the client is a browser, it should keep the page that sent the request without changing the document view, even if the new or updated meta-information should, per the specification, apply to the active document. A 204 response must not contain a message body, so it always ends with the first blank line after the headers.
205 The server processed the request successfully and returned nothing. Unlike 204, it requires the requester to reset the document view; mainly used after receiving user input to clear a form so the user can easily start another entry. Like 204, it must not contain a message body and ends with the first blank line after the headers.
206 The server successfully processed part of a GET request. Download tools like FlashGet or Thunder (Xunlei) use this to resume interrupted downloads or to fetch a large file in several segments at once. The request must carry a Range header indicating the content range wanted, and may carry If-Range as a condition.
207 A WebDAV (RFC 2518) extension code: the message body that follows is an XML message that may contain a series of independent response codes, depending on how many sub-requests there were.
208 Used in DAV propstat response elements to avoid repeatedly enumerating the internal members of multiple bindings to the same collection.
226 The server has fulfilled a GET request and the response is a representation of the result of one or more instance manipulations applied to the current instance.
300 The requested resource has a set of alternative representations, each with its own address and agent-driven negotiation information; the user or browser can pick a preferred address to redirect to.
301 The requested resource has been permanently moved to a new location, and all future references should use one of the URIs returned in this response. Clients with link-editing capability should automatically change the requested address to the one the server returned. Unless specified otherwise, the response is cacheable.
302 The requested resource temporarily responds from a different URI. Because the redirect is temporary, the client should keep sending future requests to the original address. The response is cacheable only if Cache-Control or Expires says so.
303 The response to the current request can be found at another URI, and the client should use GET to fetch it. Exists mainly so that a POST triggered by a script can redirect its output to a new resource.
304 If the client sent a conditional GET that was allowed, and the document has not changed (since the last visit or according to the request's conditions), the server should return this code. A 304 response must not contain a message body, so it always ends with the first blank line after the headers.
306 In the latest version of the specification, 306 is no longer used.
307 The requested resource temporarily responds from a different URI, and the client should keep sending future requests to the original address; cacheable only if Cache-Control or Expires says so. It differs from 302 in that the user agent must not change the HTTP method when following the redirect.
308 The resource is now permanently located at the URI given in the Location response header. Same semantics as 301 Moved Permanently, except that the user agent must not change the HTTP method: if the first request used POST, the second must use POST too.
400 1. Semantic error: the server cannot understand the current request, and the client should not repeat it without modification. 2. Wrong request parameters.
404 The request failed; the resource it asked for was not found on the server. Nothing tells the user whether this is temporary or permanent. If the server knows the old resource is permanently gone because of some internal configuration and there is no forwarding address, it should use 410 instead. 404 is widely used when the server does not want to reveal why the request was refused, or when no other response fits.
405 The method in the request line cannot be used on the resource. The response must return an Allow header listing the methods the resource accepts. Since PUT and DELETE write to the resource on the server, most web servers do not support or allow them in the default configuration and return 405 for such requests.
406 The requested resource has no representation that satisfies the conditions in the request headers, so no response entity can be generated.
423 The resource being accessed is locked.
429 The user has sent too many requests in a given time ("rate limiting").
431 The server is unwilling to process the request because its request header fields are too large (Request Header Fields Too Large); the request may be resubmitted after reducing the size of the headers.
451 The user requested a resource that cannot be legally provided, for example a web page censored by a government.
500 The server encountered a situation it does not know how to handle.
501 The request method is not supported by the server and cannot be handled. Only GET and HEAD are required to be supported; servers must not return this code for them.
502 The server, acting as a gateway, needed a response to handle the request and got an invalid one.
503 The server is not ready to handle the request; common causes are maintenance downtime or overload. A user-friendly page explaining the problem should be sent with this response. It should be used for temporary conditions, and the Retry-After header should, if possible, give the estimated time before service resumes. Webmasters must also watch the caching headers sent with it, since these temporary responses should normally not be cached.
508 The server detected an infinite loop while processing the request.
511 The client needs to authenticate to gain network access.
2 Response head
3 Respond to blank lines
4 Response body
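To make the request and response structure above concrete, here is an added Python example (not from the original article) that splits a raw HTTP/1.1 message into the request or status line, the headers, the blank line and the body, and applies the checks a server makes before acting on a request (Host present in HTTP/1.1, a declared Content-Length that matches the body). The sample messages are constructed for this example; their header values mirror the ones shown above.

```python
def parse_http_message(raw):
    """Split a raw HTTP/1.x message (bytes) into start line, headers and body.
    Handles both a request ('GET /path HTTP/1.1') and a response ('HTTP/1.1 200 OK')."""
    head, sep, body = raw.partition(b"\r\n\r\n")     # the blank line ends the header block
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed start line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    msg = {"headers": headers, "body": body}
    if parts[0].startswith("HTTP/"):
        msg.update(kind="response", version=parts[0], status=int(parts[1]),
                   reason=parts[2] if len(parts) > 2 else "")
    else:
        msg.update(kind="request", method=parts[0], target=parts[1],
                   version=parts[2] if len(parts) > 2 else "HTTP/0.9")
    return msg


def status_class(code):
    """The five classes of the status code table."""
    return {1: "informational", 2: "success", 3: "redirect",
            4: "client error", 5: "server error"}[code // 100]


def check_request(msg):
    """Sanity checks a server applies before routing a request: Host is mandatory in HTTP/1.1,
    and a body must be described by exactly one correct length header."""
    problems = []
    h = msg["headers"]
    if msg["version"] == "HTTP/1.1" and "host" not in h:
        problems.append("missing Host header")
    if "content-length" in h:
        if not h["content-length"].isdigit():
            problems.append("Content-Length is not a number")
        elif int(h["content-length"]) != len(msg["body"]):
            problems.append("Content-Length does not match body size")
    elif msg["body"] and h.get("transfer-encoding", "").lower() != "chunked":
        problems.append("body without Content-Length or Transfer-Encoding")
    if "content-length" in h and "transfer-encoding" in h:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


# Constructed sample messages (not captured traffic)
GET_REQUEST = (b"GET /page/jointleboratory HTTP/1.1\r\n"
               b"Host: www.baidu.com\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
               b"Accept: text/html,application/xhtml+xml\r\n\r\n")

POST_REQUEST = (b"POST /login HTTP/1.1\r\n"
                b"Host: www.baidu.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 19\r\n\r\n"
                b"user=admin&pass=123")

RESPONSE = (b"HTTP/1.1 404 Not Found\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: 9\r\n\r\n"
            b"not found")

if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST, RESPONSE):
        m = parse_http_message(raw)
        if m["kind"] == "request":
            print(m["method"], m["target"], "problems:", check_request(m))
        else:
            print(m["status"], m["reason"], status_class(m["status"]))
```

The GET sample has no body and no Content-Type, the POST sample has both, which is the difference the text points out; feed the parser a POST whose Content-Length disagrees with the body and check_request flags it, the kind of mismatch a front-end proxy and a back-end server must never resolve differently.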

Accessing a server by its IP address rather than by domain name lands one directory level higher than the site: the IP hits the server's default site (the web root), while the domain name is routed by the virtual-host configuration to that site's own directory.


III. Web source code expansion

Web source code is a very important source of information in security testing. It can be used for code audit (vulnerability discovery) and for information breakthroughs, and there are many technical details in it that need careful analysis. For example, with some ASP source code the default database can be downloaded directly; with other scripts the source can be audited, vulnerabilities mined or the business logic analysed. In short, obtaining the source code gives the later security test more leads.


1.cms

CMS is short for Content Management System. Content management systems are a favourite of enterprise informatization and e-government construction, and also a relatively new market.

A CMS contains:

  • Templates

  • A scripting or markup language

  • Integration with a database

2. CMS identification

Online identification tools:

http://whatweb.bugscaner.com/look/
https://www.yunsee.cn/


3. Obtaining the source code

Scanning tools that detect backup files
CMS identification: get the CMS name, then download it from the Internet
Search Baidu directly for "<product name> source code"
Second-hand marketplaces such as Xianyu sell it
Third-party source-code sites, for example the Rookie Source Code site
Sites dedicated to each industry

4. Summary

Focus on the application category and the script type to estimate the likely vulnerabilities (frameworks are an exception). Once the source code is obtained you can do local security testing (stand the site up locally and scan it manually with tools, without touching the code) or a code audit, and you can also study how its directory structure works (database backups, .bak files, etc.). Where the source cannot be obtained, use the various methods above to get it.

5. Demonstration

ASP injection demo

  1. Open the lab range and launch the ASP injection target.

  2. Browse the site, open any page and look at the file suffix of the page (.asp); the suffix tells you the script type.

  3. At the bottom of the page, find the keyword XYCMS (the CMS name).

  4. Search for the XYCMS source code online and download it.

  5. Open the folder and find the key database directory xydata, which contains the file xycms.mdb (an Access database, typical of ASP sites).

  6. This file contains the administrator's account and password (stored as a hash).

  7. Following the path in the downloaded source, try the same path on the live site: http://192.168.139.137:8003/xydata/xycms.mdb. The database file downloads.

  8. Try to access the admin backend.

  9. Take the admin password (an MD5 hash) from the database and reverse it with an MD5 lookup/cracking service.

  10. Log in with the recovered username and password.
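The ten steps above can be scripted. The following Python is an added example, not part of the original walkthrough and not XYCMS code: it walks an unpacked source tree for database and backup files, requests the same paths on the target and reports the ones that really download (a custom "not found" page served with status 200 is ignored, and an .mdb must carry the Access/Jet signature), then runs a dictionary attack on the unsalted MD5 hash found in the database. The source tree, the target site at http://192.168.139.137:8003/ and the password admin888 are all constructed stand-ins so it runs offline; pass fetch=http_fetch for a real target.

```python
import hashlib
import os
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urljoin

SENSITIVE_SUFFIXES = (".mdb", ".bak", ".sql", ".zip", ".rar")


def sensitive_paths(source_root):
    """Walk a downloaded CMS source tree and list the files an attacker would request from the
    live site at the same relative path (database, backups, archives)."""
    found = []
    for dirpath, _, files in os.walk(source_root):
        for f in files:
            if f.lower().endswith(SENSITIVE_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, f), source_root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def http_fetch(url):
    """Real fetcher: (status, first 32 bytes). HTTP errors are reported as their status code."""
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            return r.status, r.read(32)
    except urllib.error.HTTPError as e:
        return e.code, b""


def looks_like_file(path, head):
    """A custom 'not found' HTML page served with status 200 must not count as an exposed file."""
    if head.lstrip().startswith(b"<"):
        return False
    if path.lower().endswith(".mdb"):   # Access/Jet databases carry a fixed signature at offset 4
        return b"Standard Jet DB" in head or b"Standard ACE DB" in head
    return True


def check_exposure(base_url, paths, fetch=http_fetch):
    """Request each candidate path under base_url; return those that are really downloadable."""
    exposed = []
    for p in paths:
        status, head = fetch(urljoin(base_url, p))
        if status == 200 and looks_like_file(p, head):
            exposed.append(p)
    return exposed


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(target_hex, wordlist):
    """Unsalted MD5 is reversed by hashing candidates until one matches; the online
    'MD5 decrypt' sites used in step 9 are just very large precomputed versions of this loop."""
    target = target_hex.lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


# Constructed stand-ins for the lab (no network, no real CMS files)
JET_HEADER = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 12


def make_sample_tree():
    """A fake unpacked source tree: xydata/xycms.mdb plus some non-sensitive files."""
    root = tempfile.mkdtemp(prefix="xycms_")
    for rel, data in (("index.asp", b"<% %>"), ("xydata/xycms.mdb", JET_HEADER), ("js/app.js", b"")):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def fake_site_fetch(url):
    """Stand-in for http://192.168.139.137:8003/: the database is downloadable, every other
    path gets a custom HTML 'not found' page with status 200 (a common false-positive source)."""
    if url.endswith("/xydata/xycms.mdb"):
        return 200, JET_HEADER
    return 200, b"<html><body>page not found</body></html>"


if __name__ == "__main__":
    root = make_sample_tree()
    paths = sensitive_paths(root)
    print("candidate paths from source:", paths)
    print("exposed on target:", check_exposure("http://192.168.139.137:8003/",
                                               paths + ["xydata/backup.bak"], fetch=fake_site_fetch))
    print("admin password:", crack_md5(md5_hex("admin888"), ["123456", "admin", "password", "admin888"]))
```

The defence follows directly from the script: keep the database outside the web root or deny serving *.mdb and backup suffixes in the server configuration, and store passwords with a salted, slow hash so that step 9 fails even after the file leaks.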


IV. Database and system

Preface

Besides the middleware platform and the website source code, the operating system, the database and third-party software platforms are also vulnerable; attacks on them can directly affect the security of the web application or the server, and lead to website or server privileges being obtained.


1. Operating system

1.1 How to tell which operating system a website runs on

In the URL: on Windows the path is case-insensitive (/Index.asp and /index.asp return the same page); on Linux it is case-sensitive.

If no domain name is given, only the website's IP, the TTL value can serve as a hint: ping the IP to see the TTL in the reply (Windows replies with a default initial TTL of 128 and Linux with 64, minus one for every router hop). Judging by TTL is not fully reliable, because the default can be changed; an nmap scan (nmap -O) is more accurate.


1.2 Differences between them

The two systems differ in website paths, case handling, and the applicability and compatibility of files between them.
Once you have decided which operating system it is, you start from the vulnerability types that operating system supports.
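Both checks in 1.1 are easy to automate. The Python below is an added example (not from the original article): guess_os_from_ttl maps a ping TTL to the nearest default initial TTL (64 for Linux/Unix, 128 for Windows, 255 for many network devices) and gives the implied hop count, and case_sensitivity_probe requests a path twice with different letter case. The two fetch functions stand in for a Windows/IIS and a Linux lab host so it runs without a network; the base URL is an assumption. Both are heuristics: an administrator can change the default TTL, and a web server can be configured to ignore case, so nmap -O remains the more reliable answer.

```python
DEFAULT_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "network device / Solaris"))


def guess_os_from_ttl(ttl):
    """Map the TTL seen in a ping reply to the nearest default initial TTL. Each router hop
    subtracts one, so the gap to the default is the hop count. Returns (os guess, hops).
    Defaults can be changed by an administrator, which is why this is only a hint."""
    if not 0 < ttl <= 255:
        raise ValueError("TTL must be 1..255")
    for initial, name in DEFAULT_TTLS:
        if ttl <= initial:
            return name, initial - ttl


def case_sensitivity_probe(fetch, base_url, path="/index.html"):
    """Request a path, then the same path in upper case. If both return the same page the
    server's file system ignores case (Windows/IIS); if the second fails it is case-sensitive
    (Linux). fetch(url) -> (status, body). Inconclusive when the baseline itself is not 200."""
    status, body = fetch(base_url + path)
    if status != 200:
        return "unknown"
    alt_status, alt_body = fetch(base_url + path.upper())
    if alt_status == 200 and alt_body == body:
        return "Windows (case-insensitive paths)"
    return "Linux (case-sensitive paths)"


# Constructed stand-ins for two lab hosts (no network)
def windows_fetch(url):
    """IIS on NTFS: any casing of the file name serves the same page."""
    return (200, b"<html>home</html>") if url.lower().endswith("/index.html") else (404, b"")


def linux_fetch(url):
    """Apache/Nginx on ext4: only the exact casing exists."""
    return (200, b"<html>home</html>") if url.endswith("/index.html") else (404, b"")


if __name__ == "__main__":
    for ttl in (52, 116, 245):                     # constructed ping replies
        print(ttl, guess_os_from_ttl(ttl))
    print(case_sensitivity_probe(windows_fetch, "http://192.168.139.137:8003"))
    print(case_sensitivity_probe(linux_fetch, "http://192.168.139.137:8003"))
```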

1.3 Operating system level vulnerability types

    • SQL Inject holes
      SQL Injection attack (SQL Injection), Short for injection attack 、SQL Inject , It is widely used to illegally gain control of websites , It's a security vulnerability in the database layer of an application . In designing programs , Ignore the... Contained in the input string SQL Inspection of instructions , Mistaken for normal by the database SQL Command to run , So that the database is attacked , May cause data to be stolen 、 change 、 Delete , And further cause the website to be embedded with malicious code 、 Being implanted with backdoor programs and other hazards .
    • Cross-site scripting vulnerability
      Cross-site scripting attacks (Cross-site scripting, Usually abbreviated as XSS) Occurs on the client side , Can be used to steal privacy 、 A fishing scam 、 Steal the code 、 Spreading malicious code and other attacks .XSS The techniques used in the attack are mainly HTML and Javascript, Also include VBScript and ActionScript etc. .XSS Attack on WEB Although the server has no direct harm , But it spreads through websites , Make the users of the website vulnerable , Cause the website user account to be stolen , This has also caused serious harm to the website .
    • Weak password vulnerability
      Weak password (weak password) There is no strict and accurate definition , It is generally believed that it is easy to be ( They may know you well ) The passwords guessed or cracked by the cracking tool are weak passwords . Setting a password usually follows the following principles :
      (1) Do not use empty command or system default password , These passwords are well known , It's a typical weak password .
      (2) The password length is not less than 8 Characters .
      (3) The password should not be a continuous character ( for example :AAAAAAAA) Or repeat some combination of characters ( for example :tzf.tzf.).
      (4) The password should be a combination of the following four types of characters , Capital (A-Z)、 Lowercase letters (a-z)、 Numbers (0-9) And special characters . Each type of character contains at least one . If a certain type of character contains only one , Then the character should not be the first or last character .
      (5) The password should not contain me 、 Parents 、 Names and dates of birth of children and spouses 、 Mark the date 、 Login name 、E-mail Address and other information related to me , And words from dictionaries .
      (6) Passwords should not be words that use numbers or symbols instead of certain letters .
      (7) The password should be easy to remember and can be entered quickly , Prevent others from seeing your input easily from behind you .
      (8) At least 90 Change your password within days , Prevent undetected intruders from continuing to use the password .
    • HTTP Header tracking loopholes
      HTTP/1.1(RFC2616) The specification defines HTTP TRACE Method , It is mainly used for client passing to Web Server commit TRACE Request to test or get diagnostic information . When Web Server enable TRACE when , The submitted request header will respond to the content of the server (Body) The complete return of , among HTTP The head probably includes Session Token、Cookies Or other certification information . Attackers can use this vulnerability to trick legitimate users and get their private information . This vulnerability is often combined with other methods to effectively attack , because HTTP TRACE Requests can be initiated through client browser scripts ( Such as XMLHttpRequest), And can pass through DOM Interface to access , Therefore, it is easy to be exploited by attackers
    • Struts2 remote command execution vulnerability
      Apache Struts is an open-source framework for building Java web applications. Apache Struts has an input-filtering error: when a type conversion error occurs, arbitrary Java code can be injected and executed. Most websites with this remote code execution vulnerability have it because they use Apache Struts Xwork as the application framework, and the high-risk remote code execution vulnerability in that software exposes the website to security risk. CNVD has handled many vulnerabilities of this kind.
    • Frame phishing vulnerability (frame injection vulnerability)
      Frame injection is an attack against Internet Explorer 5, Internet Explorer 6 and Internet Explorer 7. Internet Explorer does not check the destination site of the resulting frame, which allows arbitrary code such as JavaScript or VBScript to be accessed across frames. The attack also occurs when code is injected through multiple frames, because the script does not validate input coming from multiple frames. This other form of frame injection affects every vendor's browser and any script that does not validate untrusted input.
    • File upload vulnerability
      File upload vulnerabilities are usually caused by lax filtering of the file-upload path variable in the web page code. If the upload feature does not strictly restrict the extension and type of the files a user uploads, an attacker can upload any file, including a backdoor file (webshell), into a web-accessible directory and then remotely control the website server. Therefore, when developing websites and applications, strictly restrict and verify uploaded files and forbid uploading files that contain malicious code. At the same time, remove execute permission from the relevant directories to guard against webshell attacks.
    • Application test script leak
      Because the test script does not sufficiently filter submitted parameter data, a remote attacker can use the vulnerability to view the contents of any file on the system with the permissions of the web process. Defending against such vulnerabilities usually requires strict filtering of submitted data so that attacks are detected effectively.
    • Private IP address disclosure vulnerability
      The IP address is an important identifier of a network user and is something an attacker needs to know before attacking. There are many ways to obtain it, and an attacker will choose different methods for different network situations: for example, using the ping command on a LAN to resolve the other party's name to its IP, or using an IP-displaying version of QQ on the Internet. The most effective method is to intercept and analyze the other party's network packets: an attacker can use software to find and parse the IP header of captured packets and learn the specific IP from that information.
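    The TRACE echo behaviour described above, together with the check an administrator runs against their own server, as an added Python example (not code from this article). It starts two local servers on a random port: one that reflects the request like a server with TRACE enabled, and one hardened to answer 405; the probe sends a TRACE request carrying a marker header and reports whether the marker came back in the body. The marker header name and value are assumptions of the example.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class HardenedHandler(BaseHTTPRequestHandler):
    """Serves GET and refuses TRACE with 405 Method Not Allowed."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class EchoingHandler(HardenedHandler):
    """Behaves like a server with TRACE enabled: the request line and every header
    (Cookie, Authorization, ...) are reflected in the response body."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    """Bind to 127.0.0.1 on a free port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_check(host, port, marker="trace-check-marker-123"):
    """Send one TRACE request with a marker header; report the status and whether
    the marker was echoed (echoed == True means TRACE is enabled)."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return {"status": resp.status, "echoed": marker.encode() in body}


def demo():
    """Run the probe against both local servers and return the two results."""
    results = {}
    for name, handler in (("echoing", EchoingHandler), ("hardened", HardenedHandler)):
        srv = start_server(handler)
        try:
            results[name] = trace_check("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

    Run the probe against a real server only with permission; a 405 (or 501) with no echoed marker is the expected result once TRACE is disabled in the web server configuration.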

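    The restrictions the file upload entry calls for (extension whitelist, content check, no path components, storage under a generated name in a directory without execute permission) as an added Python example; it is not this article's code, and the allowed types, the magic-byte table, the size limit and the set of server-side script extensions it refuses are constructed for the example.

```python
import os
import secrets

# Allowed upload types and the bytes a genuine file of that type starts with (constructed table)
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
# Extensions a web server may hand to an interpreter; refused anywhere in the name (e.g. x.php.jpg)
SCRIPT_EXTENSIONS = {"php", "phtml", "php5", "asp", "aspx", "jsp", "jspx", "cgi", "pl", "sh"}
MAX_SIZE = 5 * 1024 * 1024  # assumption: 5 MiB limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def validate_upload(filename, data):
    """Validate a user-supplied filename and content; return the generated storage name."""
    # 1. Drop any path component the client sent (../, C:\...) and refuse embedded NULs
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name:
        raise UploadRejected("bad filename")
    # 2. Whitelist the final extension and refuse script extensions anywhere in the name
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if any(p in SCRIPT_EXTENSIONS for p in parts[:-1]):
        raise UploadRejected("script extension in filename")
    # 3. Size limit and content check: the bytes must match the claimed type
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # 4. Never keep the user's name: store under a random name. The upload directory
    #    should have no execute permission and be served by a static handler only.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, data):
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG prefix
    print(validate_upload("../../avatar.png", png))
    print(is_accepted("avatar.php.jpg", b"\xff\xd8\xff\xe0"))
```

    The content check only proves the file starts like the claimed type; the execute-permission restriction on the upload directory is what stops anything that slips through from running.
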
2. database

2.1 Common database open ports

1433  sqlserver

1521  oracle

1527  Derby

3306  mysql

5432  postgresql

5000  db2

9092  pointbase

6379 redis

27017 mongodb

2.2 Common script-language and database pairings

php + mysql

asp + access, asp + sql server (mssql)

asp.net (aspx) + sql server (mssql)

jsp + Oracle

2.3 Common container, database and script combinations

IIS+access+asp

IIS+sql server+asp

apache+mysql+php

nginx+mysql+php

tomcat+Oracle+jsp

tomcat+mysql+jsp

2.4 Differences between database types and why identifying them matters

Each database has its own security mechanisms and a somewhat different internal structure, so its vulnerabilities differ as well. Attack methods, vulnerability types and impact vary from one database to another, which is why identifying the database type matters.

2.5 Common database vulnerability types and attacks

Weak password attack: log in to the database with a weak password, obtain the administrator's data, log in to the website back end and make changes.

2.6 Scope of impact of database-level vulnerabilities

Through a vulnerability or an attack, the relevant database permissions can also be obtained and a series of further operations carried out.

/*****************************************************************************/

/*****************************************************************************/

five . Encryption algorithm

Preface

In penetration testing, passwords and other sensitive information are usually encrypted or encoded. As security testers we must understand the common methods in order to prepare for the later stages of testing.

Common encryption algorithms

MD5, SHA, ASC (ASCII), base conversion, timestamp, URL encoding, BASE64, unescape, AES, DES, etc.

1. MD5 (irreversible)

Comes in 16-character and 32-character forms; the ciphertext is a hexadecimal string (digits 0-9 and letters a-f). Around 80% of webmaster or user passwords are stored with MD5 (irreversible).

Online MD5 "decryption" works by enumeration (looking the hash up against precomputed candidates), not by reversing the hash.

2. SHA

A mix of A-Z and 0-9; SHA1, SHA256, SHA384 and SHA512 each have a fixed output length (irreversible).

3. Base conversion

Hexadecimal (base-16) encoding.

4. Timestamp

Widely used by websites and server-side scripting languages; the database records a timestamp when a user logs in, logs out or registers.

5. URL encoding

The browser encodes only once; during penetration testing, double or triple encoding may be used to bypass filters.

6. BASE64

A mix of upper- and lower-case letters and digits; one or two equals signs often appear at the end of the string.
The longer the plaintext, the longer the ciphertext.
Common uses: source code, passwords, parameters.
The browser encodes only once; during penetration testing, double or triple encoding may be used to bypass filters.

7. unescape

%u followed by 4 hexadecimal digits; each such group encodes one character (two bytes). Mainly used in web applications.

8. AES

A secure encryption method. Encryption involves a key (password), an IV (offset), the block size and the padding, four sources of variation, so decryption without them is difficult. If base64 decoding yields garbage, the data is probably AES-encrypted; a / sometimes appears in the string. Used more by security-conscious and large websites and by security-sensitive games.
Note: both the key and the IV are required, otherwise the data cannot be decrypted.

9. DES

Looks similar to BASE64; a + sometimes appears in the string.
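The appearance rules in this section (hex digest length for MD5 and the SHA family, trailing = for BASE64, %XX for URL encoding, %uXXXX for unescape, 10-digit timestamps) can be turned into a small identifier, together with decoders for the reversible encodings and the "base64 decodes to garbage, probably AES" check. This is an added Python example, not code from this article; the sample strings in the tests and the main block are constructed.

```python
import base64
import binascii
import hashlib
import re
import urllib.parse

# hex digest length -> hash type (the "fixed length" rule for MD5 and the SHA family)
HASH_BY_HEX_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256", 96: "SHA384", 128: "SHA512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
UNESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})")


def identify(s):
    """Return the encodings/hash types a string could be, judged by appearance only."""
    guesses = []
    if s.isdigit():
        if len(s) == 10:
            guesses.append("unix timestamp")
    elif HEX_RE.match(s):
        if len(s) in HASH_BY_HEX_LENGTH:
            guesses.append(HASH_BY_HEX_LENGTH[len(s)])
        elif len(s) == 16:
            guesses.append("MD5 (16-char form)")
        guesses.append("hex")
    if UNESCAPE_RE.search(s):
        guesses.append("unescape")
    elif URL_ESCAPE_RE.search(s):
        guesses.append("url")
    # a hex string also fits the base64 alphabet, so base64 is only guessed when nothing else fits
    if not guesses and BASE64_RE.match(s) and len(s) % 4 == 0:
        guesses.append("base64")
    return guesses


def url_decode_layers(s, max_layers=3):
    """Peel repeated URL encoding (the text notes double and triple encoding); returns (text, layers)."""
    layers = 0
    while layers < max_layers and URL_ESCAPE_RE.search(s):
        s = urllib.parse.unquote(s)
        layers += 1
    return s, layers


def unescape_decode(s):
    """JavaScript unescape(): each %uXXXX is one UTF-16 code unit."""
    return UNESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def base64_text_or_none(s):
    """Decode base64 to text; None when it is not base64 or the bytes are not text
    (the "decodes to garbage, probably AES ciphertext" case in the text)."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def hex_digest(data, algorithm="md5"):
    """Hex digest of data; its length (32/40/64/96/128) is what identify() keys on."""
    return hashlib.new(algorithm, data).hexdigest()


if __name__ == "__main__":
    samples = [hex_digest(b"password"), hex_digest(b"password", "sha256"), "1645844356",
               "aGVsbG8gd29ybGQ=", "%u4F60%u597D", "a%2527b"]
    for s in samples:
        print(s, "->", identify(s))
    print(url_decode_layers("%2527"), unescape_decode("%u4F60%u597D"))
    print(base64_text_or_none("aGVsbG8gd29ybGQ="), base64_text_or_none("/9j/4AAQSkZJRg=="))
```

identify() is a heuristic on appearance only, as the section itself is: a 32-character hex string could be MD5 or simply 16 bytes of hex, and a short all-alphanumeric string may match the base64 alphabet by accident, so the result is a list of candidates to try rather than a verdict.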

Copyright notice
This article was written by [Guigui-23]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202280602506467.html