On the idea of vulnerability discovery

Catalog

Operating system vulnerability discovery

Brain map

​ Leakage and

Nmap

CVE scanning ：

WEB Application vulnerability discovery

Brain map

 CMS Identification and scanning

It is known that CMS

Development framework

Unknown CMS（ Switch to detailed information collection ）

APP application

Brain map

The service agreement ( contain web Security )

Brain map

​1. web Service

2. The database class

3. Big data

4. File sharing

5. The remote access

6. The mail service

7. Other services

Operating system vulnerability discovery

Brain map

Leakage and

Use the missing scan tool to scan .
Goby
Download address ：https://cn.gobies.org/
Usage method ：https://cn.gobies.org/features.html
A simple example ：

Insert picture description here

If there are loopholes , You can see directly

Nmap

nmap If you do a missed scan , You can use the built-in missed scan script .

CVE scanning ：

nmap -script=vuln ip
utilize
The next step is MSF Find the loophole number, a shuttle , I won't go into that

WEB Application vulnerability discovery

Brain map

## Ideas

 CMS Identification and scanning

Online identification whatcms

Detect which CMS a site is using - What CMS?https://whatcms.org/ Online fingerprint recognition , On-line cms Identify small plug-ins -- Online tools (bugscaner.com)http://whatweb.bugscaner.com/look/

It is known that CMS

As is common dedecms,discuz,wordpress And so on , This is generally developed using non framework classes , However, a few of them adopt framework class development , Security checks for such source programs , To take advantage of open vulnerabilities for testing , If there is no , White box code audit can be used to mine by ourselves

Three major foreign open source enterprises php CMS
drupal        【 No dedicated scanner , however msf Built in modules 】
wordpress     【 There is a special scanner 】
joomla        【 There is a special scanner 】

Development framework

As is common thinkphp,spring,flask And so on , The detection idea of this source program ：
First, get the corresponding development framework information （ name , edition ）, Then test through the exposed framework class security problems , If it doesn't exist , You can use white box code audit to mine by yourself .

Unknown CMS（ Switch to detailed information collection ）

Such as the common enterprise or individual internal program source code , It can also be based on CMS Secondary development .
If it can be confirmed that it is based on CMS Secondary development , Just as you know CMS The idea of , If you are not sure , Use conventional scanning tools to detect , Or manual inspection .

APP application

Brain map

Ideas ： obtain APP The site visited at runtime , Then infiltrate the site .

The service agreement ( contain web Security )

Brain map

1. web Service

tomcat-- 80/8080/8009

• manager Weak password
• put Upload webshell
• HTTP Slow attack
• ajr The file contains a vulnerability ：cve-2020-1938

Jboss --8080

• Weak background password
• Arbitrary file disclosure
• JAVA Deserialization

webSphere --9080

• Weak background password
• Arbitrary file disclosure
• JAVA Deserialization

weblogic --7001/7002

• Weak background password
• console Background deployment war package
• SSRF
• Test page upload webshell
• JAVA Deserialization
• cve-2018-2628
• cve-2018-2893
• cve-2017-10271
• cve-2019-2725
• cve-2019-2729

Glassfish --8080/4848

• Brute force
• Arbitrary file reading
• Authentication bypasses

Jetty --8080

• Remote shared buffer overflow

Apache --80/8080

• HTTP Slow attack
• Parsing vulnerabilities
• Directory traversal

Apache Solr --8983

• Remote command execution
• cve-2017-12629
• cve-2019-0193

IIS --80

• put Upload shell
• IIS Parsing vulnerabilities
• IIS Raise the right
• IIS Remote code execution
• cve-2017-7269

Resin --8080

• Weak background password

Lutos --1352

• Weak background password
• Information disclosure
• Cross-site scripting attacks

Nginx --80/443

• http Slow attack
• Parsing vulnerabilities

2. The database class

Mysql --3306

• Weak password
• Authentication vulnerability
• cve-2012-2122
• Denial of service attacks
• phpmyadmin Universal password 、 Weak password
• UDF、MOF Raise the right

Mssql --1433

• Weak password
• Stored procedure Authorization

Oracle --1521

• Weak password
• TNS Loophole

Redis --6379

• Weak password
• out of buffer
• cve-2014-2669

MongoDB --27001

• Weak password
• Unauthorized access to

DB2 --5000

• Security restrictions bypass unauthorized operations
• cve-2015-1922

SysBase --5000/4100

• Weak password
• Command injection

Memcache --11211

• Unauthorized access
• Configuration vulnerability

ElasticSearch --9200/9300

• Unauthorized access
• Remote code execution
• Document handling
• write in webshell

3. Big data

Hadoop --50010

• Remote command execution

Zookeeper --2181

• Unauthorized access to

4. File sharing

ftp --21

• Weak password
• Anonymous access
• Upload back door
• Remote overflow
• Jump attack

NFS --2049

• Unauthorized access

Samba --137

• Weak password
• Unauthorized access
• Remote code execution cve-2015-0240

LDAP --389

• Weak password
• Inject
• Unauthorized access

5. The remote access

SSH --22

• Weak password
• 28 Fallback vulnerability
• OpenSSL Loophole
• User name enumeration

Telent --23

• Weak password

VNC --5901

• Weak password
• Authentication password bypass
• Denial of service attacks cve-2015-5239
• Elevated privileges cve-2013-6886

Pcanywhere --5632

• Denial of service attacks
• Elevated privileges
• Code execution

X11 --6000

• Unauthorized access to cve-1999-0526

6. The mail service

SMTP --25/465

• Weak password
• Unauthorized access
• Mail forgery

POP3 --110/995

• Weak password
• Unauthorized access

IMAP --143/993

• Weak password
• Arbitrary file reading

7. Other services

DNS --53

• DNS Zone transfer
• DNS hijacked
• DNS cheating
• DNS Cache poisoning
• DNS Tunnel

DHCP --67/68

• DHCP hijacked
• DHCP cheating

SNMP --161

• Weak password

Rlogin --521/513/514

• rlogin Sign in

Rsync --873

• Unauthorized access
• Local privilege promotion

Zabbix --8069

• Remote command execution

RMI --1090/1099

• JAVA Deserialization

Docker --2375

• Unauthorized access to

Reprint https://blog.csdn.net/weixin_44288604/article/details/120709567