
Login box tricks

2022-06-30 17:18:00 OceanSec



During testing there are often many systems where the only thing we can reach is a login interface, so we should mine that interface thoroughly for vulnerabilities and go deep.

Login & registration

SQL injection

Universal password login bypass

Where SQL injection exists, it may be possible to log in directly with a universal password:

admin' or '1'='1'--
admin' OR 4=4/*
"or "a"="a
' or''='
' or 1=1--

There are a great many variants.

SQL injection at the login endpoint

If SQL injection exists, the account credentials can be injected out directly.

Some cases allow constructing a user via injection in order to log in. For example, the bear sea CMS backend login has SQL injection:

<?php
// Vulnerable login handler from the CMS backend, kept as on the page: the
// username is interpolated into the query and the password is checked afterwards
$login=$_POST['login'];
$user=$_POST['user'];
$password=$_POST['password'];
$checkbox=$_POST['checkbox'];

if ($login<>""){
    // $user goes into the SQL string unescaped: this is the injection point
    $query = "SELECT * FROM manage WHERE user='$user'";
    $result = mysql_query($query) or die('SQL statement error: '.mysql_error());
    $users = mysql_fetch_array($result);
    // (truncated on the page) the password is compared against the fetched row afterwards
}

The universal password does not work here, because the code fetches the row by username from the database and only then compares the password. Another method is quite clever:

user:1' union select 1,2,'test','c4ca4238a0b923820dcc509a6f75849b',5,6,7,8# 
password:1 

This relies on a MySQL characteristic: when a UNION is performed against data that does not exist, the union query still produces a virtual row. That is equivalent to constructing a virtual account, and you can log in with it.
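To show concretely why the universal password fails on this handler while the UNION payload succeeds, and what closes the hole, the following is an added example written for this article, not the CMS's own code. It rebuilds the query logic in Python on an in-memory SQLite table whose eight columns are assumed to match what the payload supplies (user in column 3, password in column 4); the payload's trailing MySQL `#` comment is adapted to SQLite's `--` comment, and the sample admin row is constructed.

```python
import hashlib
import hmac
import sqlite3

# The page's UNION payload, adapted for SQLite: MySQL's trailing '#' comment
# becomes '--' so the dangling quote after the injection point is neutralised.
UNION_PAYLOAD = "1' union select 1,2,'test','c4ca4238a0b923820dcc509a6f75849b',5,6,7,8--"
UNIVERSAL_PAYLOAD = "admin' or '1'='1'--"


def make_db():
    """Constructed demo table: eight columns so the payload's column count
    matches, user in column 3 and password in column 4 (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE manage (id, role, user, password, c5, c6, c7, c8)")
    # Sample admin row, stored as unsalted MD5 the way the CMS does
    conn.execute(
        "INSERT INTO manage VALUES (1, 'admin', 'admin', ?, 0, 0, 0, 0)",
        (hashlib.md5(b"S3cure-Passw0rd").hexdigest(),),
    )
    conn.commit()
    return conn


def vulnerable_login(conn, user, password):
    """Mirrors the CMS logic: fetch the row by an interpolated username, then
    compare md5(password) with the row's password column. A UNION-injected row
    carries whatever hash the attacker chose, so it passes that comparison,
    while a universal-password payload still returns the real admin row and
    fails the hash check."""
    query = f"SELECT * FROM manage WHERE user='{user}'"
    row = conn.execute(query).fetchone()
    if row is None:
        return False
    return row[3] == hashlib.md5(password.encode()).hexdigest()


def safe_login(conn, user, password):
    """Fix: bind the username as a parameter. The injection text is then just
    an unknown username and returns no row, so there is nothing to match."""
    row = conn.execute(
        "SELECT password FROM manage WHERE user = ?", (user,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison. The hash scheme itself (unsalted MD5) should
    # move to a salted slow hash such as PBKDF2; that is a separate change.
    return hmac.compare_digest(row[0], hashlib.md5(password.encode()).hexdigest())
```

The parameterised lookup is the whole fix for the injection: the driver sends the username as data, so no UNION clause can be appended and the only rows that can ever be compared are rows the database actually holds.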

Unauthorized access

Backend unauthorized access

Several ways to find unauthorized access:

  • Use a directory scanning tool such as dirsearch to scan paths; some may be directly accessible (directory traversal).
  • Look in the JS code for the URL the page jumps to after a successful login.
  • Use jsfind to find suspicious URLs.
  • Use known weaknesses in the web program, such as Druid unauthenticated URLs or Spring Boot mappings, as unauthenticated interfaces to find suspicious URLs, then visit them to see whether they are reachable without authorization.
  • Some pages briefly enter the backend without authorization and are then reset to the login page; use Burp to capture the packets and drop the redirect.

Component unauthorized access

The components in use may be vulnerable. Common unauthorized-access vulnerabilities are listed below; collecting open ports is also crucial and improves exploitability.

  • Redis Unauthorized access vulnerability
  • MongoDB Unauthorized access vulnerability
  • Jenkins Unauthorized access vulnerability
  • Memcached Unauthorized access vulnerability
  • JBOSS Unauthorized access vulnerability
  • VNC Unauthorized access vulnerability
  • Docker Unauthorized access vulnerability
  • ZooKeeper Unauthorized access vulnerability
  • Rsync Unauthorized access vulnerability
  • Atlassian Crowd Unauthorized access vulnerability
  • CouchDB Unauthorized access vulnerability
  • Elasticsearch Unauthorized access vulnerability
  • Hadoop Unauthorized access vulnerability
  • Jupyter Notebook Unauthorized access vulnerability

https://www.freebuf.com/vuls/265318.html

https://xz.aliyun.com/t/6103

Other function points (registration, password retrieval)

Extra-long username registration

Register a user such as

admin+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++1

This overwrites the original admin user; less common.

Arbitrary password reset

[screenshot missing from the captured page]

At this point the client sends the verification-code packet. Enter a random verification code, send the request and look at the response.
The error response echoes {"status":0}; change it to {"status":1} in the returned packet and the password can be reset.

User enumeration vulnerabilities

On the password-retrieval interface, enter a username, capture the packet and look at the information leaked in the response.

For example: TerraMaster TOS user enumeration vulnerability, CVE-2020-28185

Enter the username admin and click OK, then look at the packets captured by Burp: there is a request that confirms whether the user admin exists, and if it does, the user's mailbox information is returned.

Verification code problems

Verification code does not refresh

The verification code is not refreshed automatically, so one verification code can be used many times.

The captcha is not validated

The verification code is not validated, so brute force is still possible. When mining weak passwords, the image verification code is often not actually checked: enter a correct account, password and verification code once, and brute forcing with Burp Suite continues to work.

Verification code returned to the front end

Some platforms verify the code on the front end and mistakenly return the backend's verification code to the front end, which lets an attacker read the verification code from the response packet.

Verification code brute force

Some platforms use simple verification codes of only a few digits with no limit on login attempts, so brute force is possible; capture the request with Burp and brute force it.

Verification code can be reused

Example: one code is sent per minute, and several valid codes can exist at the same time; an arbitrary password reset is reached by brute forcing the verification.

SMS verification codes

There is no limit on the number of times a verification code can be sent, which causes SMS bombing (repeated sending in a short period). Use Burp to capture the request that fetches the verification code, put it into Repeater and keep replaying it; for something more brutal, use Intruder.

Verification code OCR

Use a tool such as xcode on the login page to recognise the verification code and brute force the account password.

Verification code logic error

That is, the recipient of the verification code can be modified: change the phone number that receives the account's password verification code to another number, and the backend does not verify it.

Universal captcha

There may be a universal verification code such as 0000 or 9999; less common.
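The password-reset and verification-code weaknesses in the sections above (rewriting {"status":0} to {"status":1} on the client, codes that never refresh, unlimited guesses, unlimited sends, a recipient that can be changed, several codes valid at once, the code echoed to the front end) share one fix: the server owns the code's whole lifecycle. The following added example is not from the original page. The account store, the 5-minute lifetime and the 5-attempt and 5-sends-per-hour limits are assumptions chosen for the demo, and SMS delivery is replaced by a callback so the code never appears in an HTTP response.

```python
import hmac
import secrets

CODE_TTL = 300            # seconds a code stays valid (assumption)
MAX_ATTEMPTS = 5          # wrong guesses before the code is burned (assumption)
SEND_COOLDOWN = 60        # seconds between sends to one account (assumption)
MAX_SENDS_PER_HOUR = 5    # assumption

# Constructed account store: the destination phone is part of the account
# record and is never taken from the request, so the recipient cannot be changed.
ACCOUNTS = {"alice": {"phone": "+10000000001"}}


class ResetCodeService:
    def __init__(self):
        self._codes = {}    # username -> {"code", "expiry", "attempts"}
        self._sends = {}    # username -> timestamps of recent sends
        self._tokens = {}   # reset token -> username

    def send_code(self, username, now, deliver):
        """Issue one 6-digit code and hand it to the SMS gateway callback.
        Issuing replaces any earlier code (one valid code at a time), sending is
        throttled, and unknown accounts get the same False as throttled ones."""
        if username not in ACCOUNTS:
            return False
        sends = [t for t in self._sends.get(username, []) if now - t < 3600]
        if sends and now - max(sends) < SEND_COOLDOWN:
            return False
        if len(sends) >= MAX_SENDS_PER_HOUR:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[username] = {"code": code, "expiry": now + CODE_TTL, "attempts": 0}
        self._sends[username] = sends + [now]
        deliver(ACCOUNTS[username]["phone"], code)   # never returned to the HTTP client
        return True

    def verify_code(self, username, guess, now):
        """Check the code on the server. Success returns a random single-use reset
        token; a client that rewrites {"status":0} to {"status":1} gains nothing
        because reset_password only honours a token issued here."""
        entry = self._codes.get(username)
        if entry is None or now > entry["expiry"]:
            self._codes.pop(username, None)
            return None
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._codes[username]          # too many guesses: burn the code
            return None
        if not hmac.compare_digest(entry["code"], guess):
            return None
        del self._codes[username]              # single use
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        return token

    def reset_password(self, token, new_password, password_store):
        """Consume the token once and set the new password (hash it in production)."""
        username = self._tokens.pop(token, None)
        if username is None:
            return False
        password_store[username] = new_password
        return True
```

The point of the two-step design is that the second request carries a server-issued token rather than a client-asserted status flag, so nothing the client sees in the first response can be edited into an authorisation.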

Broken authorization

Overly simple cookie

If the cookie issued at login is not random but looks like this

cookie:Guest

this overly simple authentication method can lead to privilege escalation: if user registration is available, you can register an ordinary user and then escalate to admin.
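A server-side session design that removes both failure modes described above (the backend page that renders for a moment before a client-side redirect, and a cookie whose value is trusted as the identity), as an added example that is not code from the original post. The user table, the roles and the 3600-second session lifetime are constructed assumptions.

```python
import secrets
import time

# Constructed user store; roles are fixed server-side at registration and are
# never read from anything the client sends (assumption for this demo).
USERS = {"admin": "admin", "alice": "user"}


class SessionStore:
    """Server-side sessions keyed by a random token. The cookie value carries
    no role or username, so rewriting it to 'admin' or 'Guest' gives nothing."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (username, expiry)

    def create(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, now + self.ttl)
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            del self._sessions[token]
            return None
        return username


def handle(path, cookie, store, now=None):
    """Server-side guard for backend paths. Returns (status, headers, body).
    Unauthenticated requests get a bare 302 with an empty body, so there is no
    flash of backend content to capture by dropping the redirect."""
    if not path.startswith("/admin"):
        return 200, {}, "public page"
    username = store.lookup(cookie, now) if cookie else None
    if username is None:
        return 302, {"Location": "/login"}, ""
    if USERS.get(username) != "admin":
        return 403, {}, "forbidden"
    return 200, {}, f"admin panel for {username}"


def flawed_handle(path, cookie):
    """The pattern the page describes, for contrast: the cookie value itself is
    the identity, and the redirect is done by the client. The backend page is
    already in the body when the redirect script runs."""
    if path.startswith("/admin") and cookie != "admin":
        return 200, {}, "admin panel<script>location='/login'</script>"
    return 200, {}, "admin panel"
```

Two things matter in the hardened version: the decision is made before any backend content is written to the response, and the cookie is only a lookup key into state the server controls.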

HTML source code information disclosure

Hard-coded hashed credentials

For example: the Zhongke Wangwei next-generation firewall control system has an account and password disclosure vulnerability. The attacker obtains the MD5-hashed password from the front end, cracks it to recover the complete password, and logs in to the backend.

fofa query: body="Get_Verify_Info(hex_md5(user_string)."

Press F12 to inspect the front end and find the MD5-hashed password of admin.

Information disclosure in comments

Comments may disclose URLs or other sensitive information.

Other

URL redirect

It often appears in the jump after a successful login; the parameter can be modified to jump to any page, which can be used for phishing.

For example: www.ocean.com?redir=aHR0cDovL2FkbWluLmFhYS5jb20=

The value after redir may be base64 encoded.

Common parameter names: redirect, redirect_to, redirect_url, url, jump, jump_to, target, to, link, linkto, Domain
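An added example, not from the original post, of validating a login-redirect parameter on the server: it recognises the base64 form shown above, checks the parameter names listed, and only allows same-site paths or absolute URLs on allow-listed hosts. The allow-listed hosts are an assumption taken from the example URL; the decoding and URL parsing use the Python standard library.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

# Assumption for this demo: the application lives on www.ocean.com (the host in
# the page's example) and may also send users to the bare domain.
ALLOWED_HOSTS = {"www.ocean.com", "ocean.com"}

# The parameter names the page lists as commonly carrying a redirect target.
REDIRECT_PARAMS = ("redir", "redirect", "redirect_to", "redirect_url", "url", "jump",
                   "jump_to", "target", "to", "link", "linkto", "Domain")


def decode_redirect(value):
    """Return the redirect value as a URL string, transparently decoding the
    base64 form the page shows (aHR0cDovL2FkbWluLmFhYS5jb20=). Anything that is
    not valid base64 for a URL is returned unchanged."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
        if decoded.startswith(("http://", "https://", "/")):
            return decoded
    except (binascii.Error, UnicodeDecodeError):
        pass
    return value


def safe_redirect_target(value, default="/"):
    """Allow only same-site relative paths or absolute http(s) URLs on an
    allow-listed host; every other form (scheme-relative //host, javascript:,
    user@host tricks, foreign hosts) falls back to default."""
    target = decode_redirect(value)
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # A relative path must start with exactly one slash: '//' is
        # scheme-relative and '/\' is treated as '//' by some browsers.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return default
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return target
    return default


def redirect_from_query(query_string, default="/"):
    """Pick the first known redirect parameter out of a query string and
    validate it; absent or rejected values land on default."""
    params = parse_qs(query_string)
    for name in REDIRECT_PARAMS:
        if name in params:
            return safe_redirect_target(params[name][0], default)
    return default
```

Validating by host rather than by prefix matters: a substring check such as "contains ocean.com" would accept www.ocean.com.attacker.example and www.ocean.com@attacker.example, both of which the hostname comparison rejects.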

Known vulnerabilities

Because a web service uses many components, as long as one component has a vulnerability the otherwise airtight wall is breached. Asset collection is therefore very important: collect enough information, and "know yourself and know your enemy, and you will win every battle".

If possible, use a scanner to scan for known vulnerabilities:

  • web framework historical vulnerabilities
  • CMS historical vulnerabilities
  • OA historical vulnerabilities
  • Use fofa and the browser plug-in Wappalyzer to collect assets, then try the PoCs of the discovered vulnerabilities

[screenshot missing from the captured page]

Weak passwords

Default passwords

Many devices have default account passwords.

[screenshot missing from the captured page]

Weak passwords are particularly common on some manufacturers' devices.

Weak password list for common devices

A simple weak password makes expensive devices useless.

Test accounts not deleted

such as test, ceshi

Pinyin name dictionary

Pinyin name dictionary, username dictionary (such as root, system, admin1, etc.) + weak password brute force: use a regular pinyin name dictionary together with 123456, 123 and other weak passwords.

If the website has a registration function, when cracking a user's password you can first register and examine the registration mechanism. If a password such as 123456 is accepted, use the pinyin dictionary with 123456 and other weak passwords. If that does not work, build passwords according to the password complexity rules; for example, if the password needs to be eight characters of letters plus digits, you can try abcd1234 and other passwords that satisfy the rules.

Username enumeration

Enumerate usernames of two and three letters and brute force 123456 and other weak passwords; this successfully cracked an administrator backend account. An earlier attempt on a school's backend weak passwords failed; after SQL injection it turned out the usernames were all initials and the password was 1111.

Prompts are too detailed

When brute forcing, if the response distinguishes "Incorrect password" from "The username does not exist", we can collect the existing usernames for targeted weak password brute forcing. For example, having found several existing usernames, first collect them, then configure Burp Suite to brute force in the following format: Lihua, lihua123, lihua, [email protected], lihua1234, and so on. Also check whether the site's build date is shown at the bottom of the page; if the site was built in 2017, the password can be tried as [email protected], [email protected] and similar.
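The "username does not exist" versus "incorrect password" distinction above, and the enumeration through the password-retrieval interface earlier on the page, are closed by a login handler that answers identically in every failure case, performs the same hashing work for unknown users (so response time does not leak either), and locks an account after repeated failures. This is an added example, not code from the article; the user table, the PBKDF2 parameters and the 5-failure/15-minute lockout are assumptions.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password"
MAX_FAILURES = 5        # assumption
LOCK_SECONDS = 900      # assumption
PBKDF2_ROUNDS = 100_000  # kept modest for the demo; tune higher in production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user table. A dummy credential is hashed against for unknown
# usernames so the work done (and the time taken) is the same as for real ones.
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy")
USERS = {"lihua": hash_password("correct horse battery")}


class LoginService:
    def __init__(self):
        self._failures = {}   # username -> (count, time of last failure)

    def _locked(self, username, now):
        count, last = self._failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and now - last < LOCK_SECONDS

    def login(self, username, password, now):
        """Returns (ok, message). The message is identical for a wrong password,
        an unknown user and a locked account, so a brute-forcer cannot harvest
        the 'username does not exist' signal the page describes."""
        salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        _, actual = hash_password(password, salt)
        # The membership test comes after the hash so unknown users cost the same.
        good = hmac.compare_digest(actual, expected) and username in USERS
        if self._locked(username, now) or not good:
            count, _ = self._failures.get(username, (0, 0.0))
            self._failures[username] = (count + 1, now)
            return False, GENERIC_ERROR
        self._failures.pop(username, None)
        return True, "ok"
```

The lockout keyed on the username slows the per-account guessing the page describes; in a real deployment it is combined with a per-source-address limit so that a single client cannot also walk a large username list.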

Domain names as a dictionary

Take part of a subdomain name as a dictionary to mine weak passwords.

For example, at a school, wlzx (network centre), tw (Youth League committee), jxzl (teaching quality) and other common system usernames are also subdomain names.

Guess the username from the nature of the website: for example, educational administration websites often have usernames such as teacher or student1, or the company abbreviation is the username.

Collect the names of article publishers

When digging for weak password vulnerabilities I often collect the names of article publishers. Publisher names appear on the web pages, and I use them as additional usernames for brute forcing the site's backend, combined with the earlier methods. If I encounter an administrator with a Chinese name, I convert it into romanised forms: for the publisher Li Gang, my dictionary will contain lilgang, lg, lig, lgang and similar usernames, used together with the earlier tricks for brute forcing. Of course, I have also met some odd cases where the username is in Chinese.

Information gathering

Do not overlook details; a QQ group number is very important.

I met a case like this before. The website showed a customer-service QQ group number and required company users to log in, and the verification code could not be brute forced. After understanding the site's business, I joined the QQ group listed on the website. The group announcement gave the default password [email protected], but I did not know the username. I asked in the group why I could not log in, then chatted with other users in the group and learned that the username is the enterprise's unified social credit code, and the group member cards were the enterprise names. I found the usernames of these enterprises through a Chinese enterprise unified code query website, then entered the backend with the default password and kept digging. A similar problem was also found on an SRC platform: with just the enterprise username and enterprise credit code you could reset the enterprise user's password and view student resumes. In short, any information on a web page can serve as a username, and it needs careful collection.

Registered account search for information

When the website login cannot be brute forced, you can register an account and collect usernames by searching for friends in the backend. Then, after understanding the complexity rules of the registration password, try the usernames and passwords manually one by one. For example, having collected the username lihao, you can manually try lihao, lihao123 and other passwords by the earlier method. This requires a lot of patience, but it works.

Installation documents

Collect the website's installation documents and use them to find the default account password or code (Baidu, Google and Baidu Netdisk can also be used).

Fuzz

Fuzz job numbers, student numbers, ID numbers and so on. When the username may be a job number, fuzz a batch of numeric job numbers, or find out whether there is a job-number leak and continue brute forcing based on it.

Extension

Think about which variables are controllable when brute forcing.

When we encounter a test task on a network segment, a simple weak password dictionary can be used to brute force the services of the whole segment in batch. This is practical on both intranet and internet; for example, to brute force SSH on the intranet you can use

hydra -l root -P smallpass.txt ssh://10.10.0.0/24
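On the defending side, a segment-wide password run like the hydra command above is loud in sshd logs. The following added example (not from the original post) parses constructed OpenSSH auth-log lines and flags source addresses with a burst of failures, noting any success that follows the burst; the log lines, the thresholds and the assumed year (syslog lines carry none) are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not real data), in the syslog format
# OpenSSH writes. 10.10.0.5 hammers root and then gets in; 192.0.2.7 is normal.
SAMPLE_LOG = """\
Jun 30 17:18:01 host1 sshd[2001]: Failed password for root from 10.10.0.5 port 40001 ssh2
Jun 30 17:18:02 host1 sshd[2002]: Failed password for root from 10.10.0.5 port 40002 ssh2
Jun 30 17:18:02 host1 sshd[2003]: Failed password for root from 10.10.0.5 port 40003 ssh2
Jun 30 17:18:03 host1 sshd[2004]: Failed password for root from 10.10.0.5 port 40004 ssh2
Jun 30 17:18:03 host1 sshd[2005]: Failed password for root from 10.10.0.5 port 40005 ssh2
Jun 30 17:18:04 host1 sshd[2006]: Failed password for invalid user test from 10.10.0.5 port 40006 ssh2
Jun 30 17:18:05 host1 sshd[2007]: Accepted password for root from 10.10.0.5 port 40007 ssh2
Jun 30 17:20:00 host1 sshd[2010]: Failed password for alice from 192.0.2.7 port 51000 ssh2
Jun 30 17:25:00 host1 sshd[2011]: Accepted publickey for alice from 192.0.2.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2022):
    """Turn auth-log text into event dicts; lines that are not auth results are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any sliding
    window of `window_seconds`, and record a success from the same IP at or
    after its last failure (a likely guessed password)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        burst = any(
            (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if not burst:
            continue
        last_fail = fails[-1]
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in evs if e["result"] == "Failed"}),
            "success_after_burst": [
                e["user"] for e in evs if e["result"] == "Accepted" and e["ts"] >= last_fail
            ],
        }
    return alerts
```

The "success after burst" field is the one worth paging on: a burst alone may be a misconfigured client, but a burst followed by an accepted login from the same address is the signature of a guessed weak password.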

Original site

Copyright notice
This article was created by [OceanSec]; when reposting, please include the link to the original. Thank you.
https://yzsam.com/2022/181/202206301535076537.html