Remove the middleware to build the platform , Outside the website source code , The operating system is also vulnerable , database , Third party software platform, etc , Such attacks can also directly affect Web Or server security , Result in the acquisition of website or server permissions .

At the operating system level

Common ways to identify operating systems
If there is a website, go through the website , No, it can be identified by scanning relevant software

significance ： Website path 、 Case write 、 Applicability of documents between the two systems , Compatibility

Different types of vulnerabilities will create conditions for exploiting this vulnerability , Exploit vulnerabilities to gain privileges or interfere with certain services

①windows The server is not case sensitive , So case has no effect on Web pages, that is windows

  Changing the upper case and then loading will make it lower case and load it

Linux It's case sensitive , Case error , The page will go wrong

② adopt pnig after , Observe the returned data TTL Value , To determine the operating system

But when the user changes TTL When the value of , Can judge wrong , So this method is not necessarily accurate .

Of the original operating system TTL value ：( This can be found online in Baidu )
WINDOWS NT/2k/2000/2003/XP-32bit   TTL：128
WINDOWS 95/98   TTL：32
UNIX   TTL：255
LINUX   TTL：64
WIN7   TTL：64

 64-13+1=52, It may be after 13 Nodes

It may also be a change ttl Of

③ Through the scanning tool , To determine the operating system

nmap -o ip (ip Determine the truth through scanning and analysis ip, Don't sweep it into cnd 了 )

sudo nmap -O ip

Device type ：WAP | mobile phone function ：Linux 2.4.x | 2.6.x, Sony Ericsson embedded OS CPE：CPE：/ O：Linux：Linux_kernel：2.4.20 CPE：/ O：Linux：Linux_Kernel：2.6.22 CPE：/ H：Sonyericsson：U8I_Vivaz

Sometimes true ip Scanning tools are still unreliable , Or do it yourself

Database level

Different database types , Its security mechanism , The writing structure will be different , The loopholes are different

Generally encounter weak password , Database vulnerability attack , Database permissions will be affected , Website permission , Content integrity

① Common methods for identifying database types

asp+Access/Mssql

php+Mysql         port ：3306

Aspx+Mssql         port ：1433

Jsp+Mssql/oracle         port ：1521

Python+mongodb         port ：27017

Common database port numbers

mysql The default port is 3306
sqlserver The default port number is ：1433
oracle The default port number is ：1521
PostgreSQL The default port number is ：5432
DB2 The default port number is ：5000
Non relational database ：
MongoDB The default port number is ：27017
Redis The default port number is ：6379
memcached The default port number is ：11211
 

This is through nmap Wait for software to scan ports

  I opened a port when scanning , It hasn't been opened yet

Third party level

Multi level judgment ： Port scanning + Application type analysis, etc

After identifying the third-party platform and version , It can be exploited according to the vulnerabilities of the latest relevant version that has been released on the Internet , If not patched , Will be successful

nmap and masscan Their respective advantages and disadvantages , Basic commands are commonly used to mix , Increase output _ Black zone ( The rise of ) The blog of -CSDN Blog

Port scan tool ：
nmap Official website ：

https://nmap.org/

masnmapscan:
https://github.com/hellogoldsnakeman/masnmapscan-V1.0