Xiaodi notes

kitchen knife , Ant sword , Advantages and disadvantages of ice scorpion
kitchen knife ： Status not updated , No plug-ins , Single encrypted transmission
Ant sword ： Update status , There are plug-ins , Strong expansion , Single encrypted transmission
Ice scorpion ： Update status , Unknown plugin , Two way encrypted transmission . Strong expansion , Applicable post penetration .

Idea of vulnerability mining
Fixed point mining keywords ：
Controllable variable
Variables accept get post Accept keywords $_GET

Specific functions
Output print
Database operation
Specific keywords ：
select,insert,update,sql Execute statement ==sql Inject holes
Search for specific keywords and try to find specific vulnerabilities
Such as ： Search for echo,print What you're trying to dig is XSS Loophole
Such as ： Search for $_GET $_POST, What I'm trying to dig is security vulnerabilities

Fixed point mining function point ：
Such as ： I want to mine files to upload , There is an operation address for uploading files in the member center , Packet capture analysis finds specific file code segments in the source code , File upload code analysis and mining ,

expand ： Depending on the vulnerability
sql Inject , Database monitoring - Monitor the interaction between the current page and the database （sql Execute statement )
Breakpoint debugging ： Visit the corresponding code of the page for breakpoint debugging （ The sequence of the execution process , Call file list, etc ）.

Registered users ：insert xiaodi union select’
Filter ：xiaodi union select’
Access to database ：xiaodi union select’
Modify the user ：update xiaodi union select’ Conditions = Who is the user name ,xiaodi’ union select update Inject

The principle of secondary injection ： Bypass escape injection , Magic quotes 、

Upload files ：
# Keyword search ：（ function , Key word , Global variables, etc ）
Upload files $_files move_uploaded_file etc.
# Application function capture ：（ Any application function point that may have upload ）
Front desk member center , There may be upload places such as background news addition

Knowledge point

Elevated privileges ：
webshell（
backstage ： The function point （ Upload files , Template modification ,SQL perform , The data backup ） Thinking point （ Known procedures , Unknown program ）
Loophole ： Single point vulnerability （ Upload files , File contains ,RCE perform ,SQL Inject ...） Combined vulnerabilities （ Cooperation in all aspects ）
The third party （ compiler , Middleware platform ,PHPadmin

Other permissions （ database （mysql,mssql,oracle...）
( The server FTP RDP SSH…)
Third party interface （ mail , payment , Space quotient …）
Server system
windows（ For environment ：web Local ）
（ The way to claim rights ： database , Overflow vulnerability , Token stealing , Third party software ,AT&SC&PS, Unsafe service permissions , Service path without quotes ,Unattended installs,AlwayssiinstallElevated）
（ For version ：windows XP,windows 7/8/10,windows2ks/o8,windows2012/16

Intranet

Working group ： Family, for example , dormitory Small LAN
Domain environment ： There will be a computer to control , School computer room . Belongs to the upgraded version of the working group

Working group ：ARP cheating ,DNS end
Domain environment ：
DC domain controller ： The highest permission of the domain ,

ipconfig /all Determine the domain of existence -dns
net view /admin Determine the domain of existence
net time /domain Determine the primary domain

Emergency response ：
Protection phase , analysis phase , Recurrence stage , Repair phase , Proposal stage ,
Purpose ： Analyze the attack time , Attack operations , The consequences of the attack , Safe repair, etc. and give reasonable solutions ,

Essential knowledge ：
Be familiar with the common web Security attack technology
Be familiar with log activation, storage, viewing, etc
Be familiar with the classification and analysis of data recorded in logs