On the idea of vulnerability discovery
2022-07-06 14:07:00 【Lazy and talented】
Contents
Operating system vulnerability discovery
Web application vulnerability discovery
CMS identification and scanning
Unknown CMS (switch to detailed information collection)
Service protocols (including web security)
Operating system vulnerability discovery
Mind map (image not reproduced)

Vulnerability scanning
Scan the host with a vulnerability scanner.
Goby
Download: https://cn.gobies.org/
Usage: https://cn.gobies.org/features.html
A simple example (screenshot not reproduced):

If vulnerabilities are found, they are shown directly in the scan results.

Nmap
When nmap is used for vulnerability scanning, its built-in vuln NSE scripts can be used. Common ports worth focusing on:
| Port | Service | Attack direction |
| --- | --- | --- |
| 80/443/8080 | common web service ports | web attacks, brute force, vulnerabilities in the server version |
| 7001/7002 | WebLogic console | Java deserialization, weak password |
| 8080/8089 | JBoss/Resin/Jetty/Jenkins | deserialization, console weak password |
| 9090 | WebSphere console | Java deserialization, weak password |
| 4848 | GlassFish console | weak password |
| 1352 | Lotus Domino mail service | weak password, information disclosure, brute force |
| 10000 | Webmin web control panel | weak password |
See the service protocol section below for the full list.
CVE scanning:
nmap --script vuln <ip>
Exploitation
The next step is to search MSF for the reported CVE number and run the matching module; that is not covered here.
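The table above is only useful if it is applied to real scan output, so here is an added example (not part of the original post) that reads an nmap XML report, keeps the open TCP ports, attaches the attack directions from the checklist on this page, and builds the `--script vuln` follow-up command for just those ports. `PORT_CHECKLIST` is my condensation of the page's table and service list, and `SAMPLE_XML` is a constructed report in the shape `nmap -sV -oX` emits, not a real scan.

```python
"""Triage an nmap XML report against the port checklist above.

Added example, not part of the original post.  PORT_CHECKLIST reproduces the
attack directions listed on this page; SAMPLE_XML is a constructed report in
the shape `nmap -sV -oX out.xml <ip>` produces, not a real scan result.
"""
import xml.etree.ElementTree as ET

# Port -> (service family, attack directions), condensed from the checklist above.
PORT_CHECKLIST = {
    21: ("FTP", ["weak password", "anonymous access", "upload backdoor", "bounce attack"]),
    22: ("SSH", ["weak password", "user name enumeration"]),
    80: ("web", ["web attacks", "brute force", "server version vulnerabilities"]),
    443: ("web", ["web attacks", "brute force", "server version vulnerabilities"]),
    1352: ("Lotus Domino", ["weak password", "information disclosure", "brute force"]),
    2375: ("Docker API", ["unauthorized access"]),
    3306: ("MySQL", ["weak password", "CVE-2012-2122 auth bypass", "UDF/MOF privilege escalation"]),
    4848: ("GlassFish console", ["weak password", "arbitrary file read"]),
    6379: ("Redis", ["weak password", "unauthorized access"]),
    7001: ("WebLogic console", ["Java deserialization", "weak password", "SSRF"]),
    8009: ("Tomcat AJP", ["CVE-2020-1938 (Ghostcat) file read/inclusion"]),
    8080: ("JBoss/Resin/Jetty/Jenkins", ["deserialization", "console weak password"]),
    8983: ("Apache Solr", ["RCE: CVE-2017-12629, CVE-2019-0193"]),
    9200: ("Elasticsearch", ["unauthorized access", "remote code execution"]),
    10000: ("Webmin", ["weak password"]),
    11211: ("Memcached", ["unauthorized access"]),
    27017: ("MongoDB", ["weak password", "unauthorized access"]),
}

# Constructed sample report: four open checklist ports, one filtered, one unknown service.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 10.0.0.5">
<host><status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
<port protocol="tcp" portid="5555"><state state="open"/><service name="unknown"/></port>
<port protocol="tcp" portid="6379"><state state="open"/><service name="redis" product="Redis key-value store" version="4.0.9"/></port>
<port protocol="tcp" portid="8009"><state state="open"/><service name="ajp13" product="Apache Jserv" version="v1.3"/></port>
</ports></host></nmaprun>"""


def parse_open_ports(xml_text):
    """Return (addr, port, service, banner) for every open TCP port in the report."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") == "ipv4"), "?")
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            banner = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            found.append((addr, int(port.get("portid")), name, banner))
    return found


def triage(xml_text):
    """Split open ports into checklist hits (with attack directions) and ports needing manual review."""
    hits, manual = [], []
    for addr, port, name, banner in parse_open_ports(xml_text):
        if port in PORT_CHECKLIST:
            family, vectors = PORT_CHECKLIST[port]
            hits.append({"addr": addr, "port": port, "service": name, "banner": banner,
                         "family": family, "vectors": vectors})
        else:
            manual.append({"addr": addr, "port": port, "service": name, "banner": banner})
    return hits, manual


def followup_command(addr, hits):
    """Build the CVE-scan command from the page, restricted to the ports that actually answered."""
    ports = ",".join(str(h["port"]) for h in hits if h["addr"] == addr)
    return f"nmap -sV --script vuln -p {ports} {addr}"


if __name__ == "__main__":
    hits, manual = triage(SAMPLE_XML)
    for h in hits:
        print(f"{h['addr']}:{h['port']} {h['family']} ({h['banner']}) -> {'; '.join(h['vectors'])}")
    for m in manual:
        print(f"{m['addr']}:{m['port']} {m['service'] or 'unknown'} -> not in checklist, fingerprint manually")
    print(followup_command("10.0.0.5", hits))
```

Ports that are filtered are deliberately skipped, and a port that is open but not in the checklist (5555 in the sample) is reported separately rather than silently dropped, because an unlisted service is exactly where the generic checklist stops and manual fingerprinting starts.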
Web application vulnerability discovery
Mind map (image not reproduced)

## Ideas
CMS identification and scanning
Online identification: WhatCMS
Detect which CMS a site is using - What CMS?
https://whatcms.org/ (online fingerprinting)
Online CMS identification plug-in - online tools (bugscaner.com):
http://whatweb.bugscaner.com/look/
Known CMS
Common examples are DedeCMS, Discuz, WordPress and so on. These are generally not built on a framework, although a few are. Security testing of such source programs starts with the publicly disclosed vulnerabilities; if none apply, white-box code audit can be used to find new ones.
The three major foreign open-source enterprise PHP CMSes
Drupal 【no dedicated scanner is listed here, but msf has built-in modules; droopescan also targets Drupal】
WordPress 【has a dedicated scanner: wpscan】
Joomla 【has a dedicated scanner: joomscan】
Development frameworks
Common examples are ThinkPHP, Spring, Flask and so on. The detection idea for such source programs:
First obtain the framework information (name, version), then test the publicly disclosed vulnerabilities of that framework; if none exist, white-box code audit can be used to mine new ones.
Unknown CMS (switch to detailed information collection)
For example, the internal program source code of a company or individual; it may also be secondary development based on a CMS.
If it can be confirmed that it is secondary development based on a CMS, follow the same idea as for a known CMS. If not, use conventional scanning tools or manual inspection.
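The three branches above (known CMS, known framework, unknown) all start from one fingerprinting step, so here is an added example of that step, not code from the original post and not a replacement for whatcms or whatweb. It matches a single HTTP response (headers plus body) against a small hand-written marker set, extracts a version where the marker exposes one, and returns the route the page describes. The `SIGNATURES` table is my own assumption of what a minimal fingerprint set looks like (real fingerprint databases are far larger), and the sample responses are constructed, not captured from real sites.

```python
"""Fingerprint a CMS or development framework from one HTTP response, then pick
the testing route described above (known CMS / framework / unknown).

Added example, not part of the original post and not whatcms or whatweb.
SIGNATURES is a small hand-written marker set, assumed sufficient for the
demo; the sample responses below are constructed, not captured from real sites.
"""
import re

# (name, kind, where to look, regex).  A capturing group, if present, is the version.
SIGNATURES = [
    ("WordPress", "cms", "body", r'<meta name="generator" content="WordPress(?: ([\d.]+))?"'),
    ("WordPress", "cms", "body", r'/wp-(?:content|includes)/'),
    ("Drupal", "cms", "header:x-generator", r'Drupal(?: (\d+))?'),
    ("Drupal", "cms", "body", r'Drupal\.settings|/sites/default/files/'),
    ("Joomla", "cms", "body", r'<meta name="generator" content="Joomla!'),
    ("Joomla", "cms", "body", r'/media/jui/|/components/com_'),
    ("Discuz", "cms", "body", r'<meta name="generator" content="Discuz! ?([\w.]+)?'),
    ("ThinkPHP", "framework", "header:x-powered-by", r'ThinkPHP(?:/([\d.]+))?'),
    ("Spring Boot", "framework", "body", r'Whitelabel Error Page'),
    ("Spring Boot", "framework", "header:x-application-context", r'.+'),
    ("Flask", "framework", "header:server", r'Werkzeug/([\d.]+)'),
    ("Express", "framework", "header:x-powered-by", r'Express'),
]


def fingerprint(headers, body):
    """Return candidates sorted by how many markers matched:
    [{"name", "kind", "version", "evidence": [...]}, ...]"""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hits = {}
    for name, kind, where, pattern in SIGNATURES:
        text = body if where == "body" else hdrs.get(where.split(":", 1)[1], "")
        m = re.search(pattern, text, re.IGNORECASE)
        if not m:
            continue
        entry = hits.setdefault(name, {"name": name, "kind": kind, "version": None, "evidence": []})
        entry["evidence"].append(m.group(0))
        groups = m.groups()
        if groups and groups[0] and not entry["version"]:
            entry["version"] = groups[0]
    return sorted(hits.values(), key=lambda e: -len(e["evidence"]))


def next_step(candidates):
    """Map the fingerprint result to the route the page describes."""
    if not candidates:
        return "unknown: switch to detailed information collection, then generic scanners or manual review"
    top = candidates[0]
    label = top["name"] + (f" {top['version']}" if top["version"] else "")
    if top["kind"] == "cms":
        return f"known CMS {label}: try public exploits / its dedicated scanner, else white-box audit"
    return f"framework {label}: test public vulnerabilities for that version, else white-box audit"


# Constructed sample responses (not real sites).
WP_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}
WP_BODY = ('<html><head><meta name="generator" content="WordPress 5.8.1" />'
           '<link rel="stylesheet" href="/wp-content/themes/twentytwentyone/style.css">'
           '</head><body></body></html>')
SPRING_HEADERS = {"Content-Type": "text/html", "X-Application-Context": "application:8080"}
SPRING_BODY = "<html><body><h1>Whitelabel Error Page</h1><div>status=404</div></body></html>"
UNKNOWN_HEADERS = {"Server": "nginx/1.18.0"}
UNKNOWN_BODY = "<html><body><h1>Internal portal</h1></body></html>"


if __name__ == "__main__":
    for label, hdrs, body in (("wordpress", WP_HEADERS, WP_BODY),
                              ("spring", SPRING_HEADERS, SPRING_BODY),
                              ("unknown", UNKNOWN_HEADERS, UNKNOWN_BODY)):
        cands = fingerprint(hdrs, body)
        print(label, "->", [(c["name"], c["version"], len(c["evidence"])) for c in cands])
        print("   ", next_step(cands))
```

Two markers agreeing (generator tag plus a `/wp-content/` path) rank WordPress above a single incidental match, and a framework that only shows itself through an error page (Spring Boot's Whitelabel page) is still caught, which is why fetching a 404 is a cheap extra request during this step.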
APP application
Mind map (image not reproduced)

Idea: capture the sites the APP visits at runtime (for example by proxying its traffic), then test those sites.
Service protocols (including web security)
Mind map (image not reproduced)

1. Web services
Tomcat --80/8080/8009
- manager weak password
- PUT upload of a webshell
- HTTP slow attack
- AJP file read/inclusion vulnerability (Ghostcat): CVE-2020-1938
JBoss --8080
- weak console password
- arbitrary file disclosure
- Java deserialization
WebSphere --9080
- weak console password
- arbitrary file disclosure
- Java deserialization
WebLogic --7001/7002
- weak console password
- war package deployment through the console
- SSRF
- webshell upload through the test page
- Java deserialization
- CVE-2018-2628
- CVE-2018-2893
- CVE-2017-10271
- CVE-2019-2725
- CVE-2019-2729
GlassFish --8080/4848
- brute force
- arbitrary file reading
- authentication bypass
Jetty --8080
- remote shared buffer information leak (JetLeak)
Apache --80/8080
- HTTP slow attack
- parsing vulnerabilities
- directory traversal
Apache Solr --8983
- remote command execution
- CVE-2017-12629
- CVE-2019-0193
IIS --80
- PUT upload of a shell
- IIS parsing vulnerabilities
- IIS privilege escalation
- IIS remote code execution
- CVE-2017-7269
Resin --8080
- weak console password
Lotus Domino --1352
- weak console password
- information disclosure
- cross-site scripting
Nginx --80/443
- HTTP slow attack
- parsing vulnerabilities
2. Databases
MySQL --3306
- weak password
- authentication bypass: CVE-2012-2122
- denial of service
- phpMyAdmin universal password, weak password
- UDF / MOF privilege escalation
MSSQL --1433
- weak password
- privilege escalation through stored procedures
Oracle --1521
- weak password
- TNS listener vulnerabilities
Redis --6379
- weak password
- unauthorized access (no requirepass set)
- buffer overflow
- CVE-2014-2669
MongoDB --27017
- weak password
- unauthorized access
DB2 --50000
- security restriction bypass allowing unauthorized operations: CVE-2015-1922
Sybase --5000/4100
- weak password
- command injection
Memcached --11211
- unauthorized access
- configuration vulnerabilities
Elasticsearch --9200/9300
- unauthorized access
- remote code execution
- file handling
- writing a webshell
3. Big data
Hadoop --50010
- remote command execution
ZooKeeper --2181
- unauthorized access
4. File sharing
FTP --21
- weak password
- anonymous access
- upload of a backdoor
- remote overflow
- bounce attack
NFS --2049
- unauthorized access
Samba --137-139/445
- weak password
- unauthorized access
- remote code execution: CVE-2015-0240
LDAP --389
- weak password
- injection
- unauthorized access
5. Remote access
SSH --22
- weak password
- "28 backspace" vulnerability (note: this is actually a GRUB2 boot-password bypass, CVE-2015-8370, not an SSH bug)
- OpenSSL vulnerabilities
- user name enumeration
Telnet --23
- weak password
VNC --5901
- weak password
- authentication bypass
- denial of service: CVE-2015-5239
- privilege escalation: CVE-2013-6886
pcAnywhere --5632
- denial of service
- privilege escalation
- code execution
X11 --6000
- unauthorized access: CVE-1999-0526
6. Mail services
SMTP --25/465
- weak password
- unauthorized access
- mail forgery
POP3 --110/995
- weak password
- unauthorized access
IMAP --143/993
- weak password
- arbitrary file reading
7. Other services
DNS --53
- DNS zone transfer
- DNS hijacking
- DNS spoofing
- DNS cache poisoning
- DNS tunnelling
DHCP --67/68
- DHCP hijacking
- DHCP spoofing
SNMP --161
- weak community string
rexec/rlogin/rsh --512/513/514
- rlogin login via host-based trust
Rsync --873
- unauthorized access
- local privilege escalation
Zabbix --10050/10051 (agent/server; web front end on 80/443)
- remote command execution
RMI --1090/1099
- Java deserialization
Docker --2375
- unauthorized access
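Many entries in the list above are simply "unauthorized access", and for several of them the check is a single plaintext exchange. The following added example (not from the original post) shows that check for three of the listed services: Redis (a RESP `PING`, answered `+PONG` when open and `-NOAUTH` when `requirepass` is set), Memcached (`stats`) and ZooKeeper (the `ruok` four-letter word, answered `imok`). The mock responders in `demo()` are constructed stand-ins so the script runs offline; pointing `probe()` at a real host and port is the actual use.

```python
"""Check whether a listener answers a protocol probe without authentication.

Added example, not part of the original post.  It covers three services from
the list above whose "unauthorized access" check is one plaintext exchange:
Redis (RESP PING), Memcached (stats) and ZooKeeper (the ruok four-letter word).
The mock responders in demo() are constructed stand-ins so the script runs
offline; point probe() at a real host:port to use it for real.
"""
import socket
import socketserver
import threading

# Probe payload per service; classify() interprets the reply.
PROBES = {
    "redis": b"PING\r\n",        # +PONG when open, -NOAUTH when requirepass is set
    "memcached": b"stats\r\n",   # STAT ... lines when open
    "zookeeper": b"ruok",        # imok when the 4lw command is allowed
}


def classify(service, reply):
    """Interpret the first bytes of the reply to PROBES[service]."""
    if not reply:
        return "no reply"
    if service == "redis":
        if reply.startswith(b"+PONG"):
            return "unauthenticated"
        if reply.startswith(b"-NOAUTH"):
            return "auth required"
    elif service == "memcached":
        if reply.startswith(b"STAT "):
            return "unauthenticated"
    elif service == "zookeeper":
        if reply.startswith(b"imok"):
            return "unauthenticated"
        if b"not in the whitelist" in reply:
            return "4lw command restricted"
    return "unexpected reply: " + reply[:40].decode("latin-1", "replace").strip()


def probe(host, port, service, timeout=3.0):
    """Connect, send the probe, classify the reply; returns a short verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBES[service])
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify(service, reply)


class _MockHandler(socketserver.BaseRequestHandler):
    """Constructed responder: replies from a fixed table, Redis-style error otherwise."""
    def handle(self):
        data = self.request.recv(1024)
        self.request.sendall(self.server.replies.get(data, b"-ERR unknown command\r\n"))


def start_mock(replies):
    """Start a constructed responder on an ephemeral loopback port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockHandler)
    srv.daemon_threads = True
    srv.replies = replies
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe four mock listeners: open Redis, Redis with requirepass, open ZooKeeper, open Memcached."""
    mocks = {
        ("redis", "open redis"): start_mock({b"PING\r\n": b"+PONG\r\n"}),
        ("redis", "locked redis"): start_mock({b"PING\r\n": b"-NOAUTH Authentication required.\r\n"}),
        ("zookeeper", "open zookeeper"): start_mock({b"ruok": b"imok"}),
        ("memcached", "open memcached"): start_mock({b"stats\r\n": b"STAT pid 1\r\nSTAT uptime 10\r\nEND\r\n"}),
    }
    results = {}
    try:
        for (service, label), srv in mocks.items():
            results[label] = probe("127.0.0.1", srv.server_address[1], service)
    finally:
        for srv in mocks.values():
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The verdicts are deliberately coarse: "unauthenticated" is the finding, "auth required" means the service is at least locked against the trivial check, and anything else (no reply, an HTTP banner on the port, a ZooKeeper whitelist refusal) is reported verbatim so the operator can decide whether the port is mislabelled rather than the script guessing.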
Reprinted from: https://blog.csdn.net/weixin_44288604/article/details/120709567