Vulnerability discovery: probe types, exploitation and remediation for web applications
2022-07-06 04:28:00 【Dark white earphone】
Assessing the site
Known CMS
Common examples are dedecms, discuz, wordpress and so on. These are generally developed without a framework, though a few are framework-based. Security testing of such source programs starts with the publicly disclosed vulnerabilities; if none apply, fall back to white-box code auditing and find vulnerabilities yourself.
Development framework
Common examples are thinkphp, spring, flask and so on. The normal security-testing approach for this kind of source code: first obtain the framework information (name, version), then test the publicly disclosed security issues of that framework; if none apply, white-box code review can again be used to find vulnerabilities yourself.
Unknown CMS
Examples are the in-house program source code of an enterprise or individual, or a source structure produced by secondary development of some CMS. Testing approach for this kind of source program: if the secondary development can be identified, follow the known-CMS approach; if it cannot be determined, probe with conventional comprehensive scanning tools or scripts, or probe manually (function points, parameters, blind guessing). Likewise, when the source code is available you can audit the code and dig yourself.
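The three buckets above (known CMS, development framework, unknown) are decided from what the site reveals about itself. As an added example, not code from the original notes, the Python below sorts a captured HTTP response into those buckets from well-known public indicators (wp-content paths and the generator meta tag for WordPress, DedeCMS and Discuz!, ThinkPHP's X-Powered-By header, Spring Boot's default error page and error JSON, Werkzeug's Server header for Flask) and reports the version string a site leaks. The sample responses are constructed. Read it from the defender's side: anything it returns other than "unknown" is information the site hands out for free, and the generator tag and X-Powered-By header are the two that are easiest to suppress.

```python
import re
from typing import Dict, List, Optional, Tuple

# A response is (headers, body). Header names are matched case-insensitively.
Response = Tuple[Dict[str, str], str]

# Fingerprint tables: product -> list of (location, regex).
# location is "body" or "header:<name>". Patterns are case-insensitive.
KNOWN_CMS: Dict[str, List[Tuple[str, str]]] = {
    "wordpress": [("body", r"/wp-content/|/wp-includes/"),
                  ("body", r'name="generator"\s+content="WordPress')],
    "dedecms":   [("body", r'name="generator"\s+content="DedeCMS'),
                  ("body", r"/include/dedeajax2\.js")],
    "discuz":    [("body", r'name="generator"\s+content="Discuz!'),
                  ("body", r"Powered by Discuz!")],
}
FRAMEWORKS: Dict[str, List[Tuple[str, str]]] = {
    "thinkphp": [("header:x-powered-by", r"ThinkPHP"),
                 ("body", r"ThinkPHP")],
    "spring":   [("body", r"Whitelabel Error Page"),
                 ("body", r'"status"\s*:\s*\d{3}\s*,\s*"error"\s*:')],
    "flask":    [("header:server", r"Werkzeug/")],
}


def _matches(resp: Response, location: str, pattern: str) -> bool:
    """True if the regex hits the body or the named header."""
    headers, body = resp
    if location == "body":
        haystack = body
    else:
        name = location.split(":", 1)[1]
        haystack = {k.lower(): v for k, v in headers.items()}.get(name, "")
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def fingerprint(resp: Response) -> Tuple[str, Optional[str], List[str]]:
    """Return (bucket, product, matched_patterns).

    Known CMS is checked before framework: a CMS built on a framework is
    tested along the known-CMS path, as the notes describe.
    """
    for table, bucket in ((KNOWN_CMS, "known_cms"), (FRAMEWORKS, "framework")):
        for product, indicators in table.items():
            hits = [p for loc, p in indicators if _matches(resp, loc, p)]
            if hits:
                return bucket, product, hits
    return "unknown", None, []


def exposed_version(resp: Response) -> Optional[str]:
    """The name+version string the site volunteers, if any: the generator
    meta tag first, then the X-Powered-By header. None means nothing leaked."""
    headers, body = resp
    m = re.search(r'name="generator"\s+content="([^"]+)"', body, re.IGNORECASE)
    if m:
        return m.group(1)
    for k, v in headers.items():
        if k.lower() == "x-powered-by":
            return v
    return None


# Constructed sample responses (not captured from any real site).
SAMPLE_WORDPRESS: Response = (
    {"Server": "nginx", "Content-Type": "text/html"},
    '<html><head><meta name="generator" content="WordPress 6.2" />'
    '<link rel="stylesheet" href="/wp-content/themes/x/style.css"></head></html>',
)
SAMPLE_THINKPHP: Response = (
    {"Server": "Apache", "X-Powered-By": "ThinkPHP"},
    "<html><body>Page not found</body></html>",
)
SAMPLE_SPRING: Response = (
    {"Content-Type": "application/json"},
    '{"timestamp":"2022-07-06T04:28:00Z","status":404,"error":"Not Found","path":"/users"}',
)
SAMPLE_UNKNOWN: Response = (
    {"Server": "nginx"},
    "<html><body><h1>Internal portal</h1></body></html>",
)

if __name__ == "__main__":
    for name, resp in [("wordpress", SAMPLE_WORDPRESS), ("thinkphp", SAMPLE_THINKPHP),
                       ("spring", SAMPLE_SPRING), ("unknown", SAMPLE_UNKNOWN)]:
        bucket, product, hits = fingerprint(resp)
        print(f"{name:10s} -> {bucket:10s} {product!s:10s} leaked={exposed_version(resp)!r}")
```

The indicator tables are deliberately short; a real fingerprinting tool carries hundreds. The point for a site owner is the `exposed_version` column: it is exactly the "name, version" the framework-class approach above asks the tester to collect first.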
Demo cases
Development framework class source code penetration test report - information gathering - thinkphp, spring
Known CMS, non-framework penetration test report - tool scripts - wordpress
Known CMS, non-framework penetration test report - code audit - qqyewu_php
Unknown CMS, non-framework penetration test report - manual - You and I love wg Oh ~
CVE-2018-1273: demonstrating command execution (known framework: spring)
Look it up on vulhub.
Capture the registration page request, modify the payload according to the corresponding PoC and submit; a folder named succes is successfully created in the tmp directory on the target server.
Known CMS: wordpress
(Because the site is known to be wordpress, the tool wpscan is used here for testing.)
The cms can be identified by various methods.
Start wpscan on kali directly and scan the target.
The new version of wpscan requires you to register an account on the official website and obtain the account's api-token; only once it is copied into the tool can it be used normally.
https://wpscan.com/register
Add the api-token parameter and test again.
The red exclamation marks are the vulnerabilities found by the scan, which can be exploited (test them with sqlmap and similar tools).
Known CMS, non-framework class - code audit - qqyewu_php
1. Identify the website cms
2. Look for vulnerabilities matching the cms and check the cms update time
3. Look for the back-end admin page and test weak passwords
4. Scan ports to collect information
5. Look for website backup files
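Every step in this list, and the wpscan run above, leaves traces in the web server's access log, which is where the site owner sees the same procedure from the other side. As an added example that is not part of the original notes, the Python below parses combined-format (nginx/Apache) log lines and flags three of those traces: a scanner user agent (wpscan, sqlmap), a hunt for backup archives (step 5), and a burst of POSTs to a back-end login page (step 3). The log lines, IP addresses and thresholds are constructed for the example; port scanning (step 4) does not appear in web logs and is left to the network side.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample access-log lines (nginx/Apache combined format), not real
# traffic. They replay the probes the notes describe: a wpscan run, a hunt for
# backup archives, and a burst of back-end login attempts.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2022:04:10:01 +0800] "GET / HTTP/1.1" 200 5120 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [06/Jul/2022:04:10:02 +0800] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.7 - - [06/Jul/2022:04:11:01 +0800] "GET /www.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2022:04:11:02 +0800] "GET /backup.sql HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2022:04:11:03 +0800] "GET /wwwroot.rar HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Jul/2022:04:12:01 +0800] "POST /admin/login.php HTTP/1.1" 200 402 "-" "python-requests/2.28"
192.0.2.9 - - [06/Jul/2022:04:12:02 +0800] "POST /admin/login.php HTTP/1.1" 200 402 "-" "python-requests/2.28"
192.0.2.9 - - [06/Jul/2022:04:12:03 +0800] "POST /admin/login.php HTTP/1.1" 200 402 "-" "python-requests/2.28"
192.0.2.9 - - [06/Jul/2022:04:12:04 +0800] "POST /admin/login.php HTTP/1.1" 200 402 "-" "python-requests/2.28"
192.0.2.9 - - [06/Jul/2022:04:12:05 +0800] "POST /admin/login.php HTTP/1.1" 200 402 "-" "python-requests/2.28"
192.0.2.9 - - [06/Jul/2022:04:12:06 +0800] "POST /admin/login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
10.0.0.8 - - [06/Jul/2022:04:13:01 +0800] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCANNER_UA = re.compile(r"wpscan|sqlmap|nikto|nmap", re.IGNORECASE)
BACKUP_EXT = re.compile(r"\.(zip|rar|7z|tar\.gz|tgz|bak|sql|old)$", re.IGNORECASE)
LOGIN_PATH = re.compile(r"login|admin", re.IGNORECASE)
LOGIN_THRESHOLD = 5   # POSTs to a login endpoint from one IP before alerting (constructed)


def parse(log_text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per (ip, rule) that the log triggers."""
    findings: List[Dict[str, object]] = []
    scanners: Dict[str, str] = {}            # ip -> first scanner UA seen
    backups = defaultdict(list)              # ip -> [(path, status)]
    logins = defaultdict(list)               # ip -> [status of each login POST]
    for r in parse(log_text):
        if SCANNER_UA.search(r["ua"]):
            scanners.setdefault(r["ip"], r["ua"])
        if BACKUP_EXT.search(r["path"]):
            backups[r["ip"]].append((r["path"], r["status"]))
        if r["method"] == "POST" and LOGIN_PATH.search(r["path"]):
            logins[r["ip"]].append(r["status"])

    for ip, ua in scanners.items():
        findings.append({"ip": ip, "rule": "scanner_ua", "detail": ua})
    for ip, hits in backups.items():
        if len(hits) >= 2:   # one stray request is noise; a series is a hunt
            # A 200 here means a backup archive really is downloadable: remove it.
            exposed = [p for p, s in hits if s == "200"]
            findings.append({"ip": ip, "rule": "backup_probe",
                             "detail": {"probed": len(hits), "exposed": exposed}})
    for ip, statuses in logins.items():
        if len(statuses) >= LOGIN_THRESHOLD:
            # A redirect after a run of 200s is the usual sign a guess succeeded.
            findings.append({"ip": ip, "rule": "login_bruteforce",
                             "detail": {"attempts": len(statuses),
                                        "redirect_after": statuses[-1] == "302"}})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["rule"], f["detail"])
```

Two of the findings are also fixes: a `backup_probe` with a non-empty `exposed` list names a file to delete from the web root, and a `login_bruteforce` with `redirect_after` set is the account to reset and the back-end page to put rate limiting in front of.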