
HW blue team intermediate interview reply

2022-06-10 19:51:00 zkzq


Author: Zkaq Security trainee - tit 7

1. First, introduce yourself

xxxxxx, I'm here to apply for the intermediate blue team position …

2. Let me start with a few simple questions. Tell me your understanding of SQL injection

SQL injection means that data entered by the user is executed as part of a SQL statement. So first, the user must have an input point; second, the backend must execute that input as a SQL statement, so malicious statements can be passed in.
SQL injection includes union queries, error-based injection and blind injection (Boolean, time-based).

3. Can you classify it by the way the data is submitted?

Me: GET, POST; under POST there are also UA and XFF
Interviewer: Anything else? Are those all the submission methods?
Me: emmmm
Interviewer: The UA you just mentioned...
Me: Also header and cookie

4. Classification of SQL injection by injection point type?

Numeric, character, search type

5. By execution effect?

It depends on the statement you construct. For example, to view database information you use SELECT; to get a webshell you use INTO OUTFILE or DUMPFILE.
Interviewer: That's fine, but by execution effect it is generally divided into Boolean, time-based and error-based.

Me: Oh, oh, oh, I had the wrong idea, I see. Then I told him about those three kinds of injection, blah blah. Brother Feng covered this in detail in class, so I won't go on about it here.

6. Numeric?

Union query, stacked, wide byte.

End of the SQL part. You must summarize after learning and make classifications!! I knew all the things everyone knows, but I stuttered through them.

7. What vulnerabilities does Shiro have?

550, 721. The reproduction process is too long, so I won't describe it here; students who don't know it can search the community for articles on the subject. Within two days of finishing my interview I will publish reproduction articles for several commonly used vulnerabilities: shiro, fastjson, weblogic, log4j and so on.
Traffic characteristics?

There will be a rememberMe cookie, and the response will contain rememberMe=deleteMe.

8. Talk about the outbound protocols for shiro721?

jndi, ldap, rmi
Interviewer: And?
Me: Those are the ones I know
Interviewer: There should be seven commonly used ones; go and look them up again.

9. Do you know any optimizations for SQL blind injection?

Binary search, or use load_file with a UNC path to initiate a request that goes through the SMB service, and use dnslog to display the result.

10. Talk about forward proxies and reverse proxies

Forward proxy: a proxy for the client; the server does not know the real IP.
Reverse proxy: a proxy for the server; the client does not know the real access address.

11. What are the ports of MySQL and Redis?

3306, 6379

12. What are the dangerous functions in PHP?

eval, assert, exec, shell_exec, system

13. What vulnerabilities does Tomcat have?

Arbitrary file upload, file inclusion, unauthorized access, weak passwords, war backdoor upload

14. What Redis vulnerabilities do you know?

I know unauthorized access.
Interviewer: How is it exploited?
kali: write a webshell, write a scheduled task, write an SSH public key
Windows: write a webshell, startup item

15. Talk about WebLogic vulnerabilities

14882 + 14883 combined: 14882 is unauthorized access, used to log into the console; then 14883 is command execution. Write the command into an xml file, make it visit your VPS and then load the xml.
Weak passwords
WebLogic deserialization
SSRF

16. Talk about fastjson

When autotype handles JSON it does no security check on @type, so you can pass in dangerous classes, connect remotely to an RMI host, get a reverse shell and so on.
Interviewer: Does it have any fingerprint?
@type; then in most versions ??? the payload also has autocommit:true

17. Talk about privilege escalation. On Windows, what is there besides the potato family?

systeminfo to check the system information, then look up its vulnerabilities on a privilege escalation helper page and escalate with those; but there is some risk, so it is generally not used in production.
Interviewer: Um, right, anything else?
Me: emmm, I don't know.
Interviewer: You can also use registration and authorization; it's very useful, go and learn about it.

18. Talk about Linux privilege escalation too

Dirty COW, SUID privilege escalation, using the find command, rbash, git, sudoers

19. Which cyberspace search engines do you use?

fofa, Hunter (鹰图), zoomeye

20. Talk about threat intelligence platforms

ThreatBook (微步) is the most used online; there are also 360 and Sangfor (深信服).

21. Important Linux directories

First the logs: under /var/log, the messages file keeps important information; when something goes wrong it is usually the first thing I look at.
Also lastb to check failed login records, last to view all login records, and lastlog to view the last login.
/var/log/secure records authentication and authorization information; anything involving an account and password gets recorded, such as SSH logins, su user switches and sudo authorization.
Under the home directory there is .bash_history; if a new suspicious user turns up in /etc/passwd I go and look at it, since it records the command history.
/var/spool/cron holds scheduled tasks; a backdoor left there may pop a reverse shell on a schedule.
/home/<username>/.ssh holds the SSH public keys; check whether a backdoor key was left behind.
/etc/rc.local runs at boot.

Interviewer: Which directory holds temporary files?
/var/tmp
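The locations listed above, turned into a small triage script. This is an added example, not code from the original post: it takes a root path (so it can be pointed at a mounted disk image as well as a live host) and builds a constructed, hypothetical fake tree so it runs offline.

```python
import os
import tempfile

def suspicious_accounts(passwd_text):
    """From /etc/passwd content: non-root accounts with uid 0, and non-root accounts that have a login shell."""
    uid0, shells = [], []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[0] == "root":
            continue
        if f[2] == "0":
            uid0.append(f[0])
        if f[6].endswith("sh"):  # /bin/bash, /bin/sh, ...; skips nologin and false
            shells.append(f[0])
    return uid0, shells

def active_lines(path):
    """Non-empty, non-comment lines of a file; [] if the file does not exist."""
    if not os.path.isfile(path):
        return []
    return [l for l in open(path).read().splitlines() if l.strip() and not l.startswith("#")]

def triage(root="/"):
    """Collect the persistence locations named above; root may be a mounted disk image instead of '/'."""
    path = lambda *parts: os.path.join(root, *parts)
    uid0, shells = suspicious_accounts("\n".join(active_lines(path("etc", "passwd"))))
    cron, keys = {}, {}
    if os.path.isdir(path("var", "spool", "cron")):
        for user in sorted(os.listdir(path("var", "spool", "cron"))):
            cron[user] = active_lines(path("var", "spool", "cron", user))
    if os.path.isdir(path("home")):
        for user in sorted(os.listdir(path("home"))):
            keys[user] = len(active_lines(path("home", user, ".ssh", "authorized_keys")))
    return {"uid0": uid0, "login_shells": shells, "cron": cron,
            "ssh_keys": keys, "rc_local": active_lines(path("etc", "rc.local"))}

def build_sample_root():
    """Constructed fake filesystem tree (hypothetical data, not a real host) so the demo runs offline."""
    root = tempfile.mkdtemp()
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534::/:/usr/sbin/nologin\nbackup:x:0:0::/home/backup:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n",
        "var/spool/cron/backup": "# constructed entry\n*/5 * * * * /var/tmp/.x.sh\n",
        "home/alice/.ssh/authorized_keys": "ssh-ed25519 AAAAfakekey1 alice@laptop\nssh-rsa AAAAfakekey2 unknown\n",
        "etc/rc.local": "#!/bin/sh\n/var/tmp/.x.sh &\nexit 0\n",
    }
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").write(content)
    return root
```

Run `triage(build_sample_root())` to see the constructed findings (a second uid-0 account, a cron job and an rc.local entry pointing at /var/tmp, an extra authorized key); on a real host call `triage("/")` as root.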

22. Have you worked with any security equipment?

A little with the HFish honeypot and the SafeDog WAF: reading the alert logs and using an Excel pivot table to aggregate the alert log along several dimensions:
Source IP + attack type (two dimensions): look at which attack types a source IP triggered; if there is more than one, it is a scanner.
Attack type + source IP (two dimensions): pick a specified attack type and quickly get the source IPs that triggered it.
Attack type + source IP + destination IP: quickly find the high-level source IPs attacking a specific business system IP.
Attack type + source IP + destination IP + time (four dimensions): analyze what the attacker did and when, to build a portrait of the attacker.
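The same aggregation done in code instead of an Excel pivot table. This is an added example, not from the original post; the alert lines are constructed and hypothetical, and the line format (date, time, source IP, destination IP, attack type) is an assumption, so adapt `parse_alerts` to your WAF's export.

```python
from collections import Counter, defaultdict

# Constructed sample alert lines (hypothetical, not from the original post):
# date time source_ip destination_ip attack_type
SAMPLE_ALERTS = """\
2022-06-10 09:01:12 10.1.1.5 192.168.1.10 sql_injection
2022-06-10 09:01:13 10.1.1.5 192.168.1.10 xss
2022-06-10 09:01:14 10.1.1.5 192.168.1.11 path_traversal
2022-06-10 09:01:15 10.1.1.5 192.168.1.12 command_injection
2022-06-10 09:30:00 10.2.2.9 192.168.1.10 sql_injection
2022-06-10 09:31:00 10.2.2.9 192.168.1.10 sql_injection
2022-06-10 10:02:00 10.3.3.3 192.168.1.11 xss
"""

def parse_alerts(text):
    """Turn one alert per line into dicts; malformed lines are skipped rather than crashing the analysis."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, clock, src, dst, attack = parts
        rows.append({"time": f"{date} {clock}", "src": src, "dst": dst, "attack": attack})
    return rows

def pivot(rows, *dims):
    """Count alerts by any combination of dimensions, the same thing an Excel pivot table does."""
    return Counter(tuple(r[d] for d in dims) for r in rows)

def likely_scanners(rows, min_types=3):
    """Source IP + attack type: one source firing many distinct attack types looks like a scanner."""
    types_by_src = defaultdict(set)
    for r in rows:
        types_by_src[r["src"]].add(r["attack"])
    return sorted(src for src, types in types_by_src.items() if len(types) >= min_types)

def top_sources_for(rows, attack, dst=None):
    """Attack type (+ destination IP) -> source IPs, most active first: who is hitting this system this way."""
    subset = [r for r in rows if r["attack"] == attack and (dst is None or r["dst"] == dst)]
    return [src for (src,), _ in pivot(subset, "src").most_common()]

def timeline(rows, src):
    """Attack type + source + destination + time: what one attacker did, in order, for an attacker profile."""
    return sorted((r["time"], r["dst"], r["attack"]) for r in rows if r["src"] == src)

if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_ALERTS)
    print("likely scanners:", likely_scanners(rows))
    print("sql_injection sources against 192.168.1.10:", top_sources_for(rows, "sql_injection", "192.168.1.10"))
    print("timeline of 10.1.1.5:", timeline(rows, "10.1.1.5"))
```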

23. Can a SOCKS proxy ping?

No. It sits between the transport layer and the session layer and uses TCP to carry data, so it does not support ICMP and the ping command cannot be used.

24. How do you download files from the Windows command line?
I had never heard of this at all. Baidu says: certutil, bitsadmin, powershell

25. Protocols used by SSRF?
gopher, dict, file. Embarrassingly, I forgot http and https.

Summary:

Interview difficulty: OK

Suggestion: friends must learn to summarize what they have learned and then expand on it. I was rushing through the course and didn't make good use of the days between classes to expand and summarize my knowledge.


Copyright notice
This article was written by [zkzq]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/161/202206101840470355.html
