当前位置:网站首页>(4) Web security | penetration testing | network security web site source code and related analysis
(4) Web security | penetration testing | network security web site source code and related analysis
2022-07-06 07:07:00 【Black zone (rise)】
as everyone knows :
web Source code is a very important source of information in security testing , It can be used for code audit vulnerabilities and information breakthrough , among WEB There are many technologies in the source code that need concise analysis .
eg: obtain ASP The source code can be downloaded from the default database , To obtain the source code vulnerability of some other script, you can conduct code audit, mine or analyze its business logic, etc , Therefore, the acquisition of source code will provide more ideas for later security testing
Web Source directory structure
Database configuration file , Background Directory , The template directory , Database directory, etc
admin---------------------------------- Website background Directory
data------------------------------------ Database related directories
install---------------------------------- The installation directory
member------------------------------- Membership directory
template------------------------------ The template directory ( Build an overall architecture related to the website )
data(confing.php)-------------- Database configuration file , Communication information of website and database , Connection account password , You can connect to each other's database , From the database to get the source code of this website, which involves the administrator's account and password .
You can see how to open a source code of Baidu online , Some small ones may only have some directories
Web Source script type
ASP,PHP,ASPX,JSP,JAVAWEB And other script type source code security issues
Check the type of website through the file directory
About Web Source application classification
Portal site --------------------------- comprehensive
Online retailers --------------------------------- Business logic
Forum ---------------------------------XSS
Blog --------------------------------- Less
The third party ------------------------------ Look at its function
Access to source code : Search for , Free fish Taobao , Third party source station , Corresponding to various industries .
Open source : You can search the vulnerability related articles on the Internet .
Inside : Routine penetration tests , Use scanning tools to judge .
If you can't get the source code, you can find the same type of source code analysis
Identify the cms, Here's a asp Script written website
The bottom display technical support is GOOMAY company-developed ,
Then I want to find out if he is using cms Developed , Developed by ourselves
Add /robots.txt See if you can see
The result is the login page
Now I'm going to try this one that provides technical support , It is developed by ourselves , still cms Developed
① If we analyze the used cms edition , You can find the vulnerability of the corresponding version of Baidu online
② If the website has been patched , Then consider scanning tools and related source code for analysis
③ If they developed it bit by bit , No source code , It's time to scan bit by bit
边栏推荐
- 前缀和数组系列
- Call, apply, bind rewrite, easy to understand with comments
- 《从0到1:CTFer成长之路》书籍配套题目(周更)
- Interface automation test framework: pytest+allure+excel
- The psychological process from autojs to ice fox intelligent assistance
- When my colleague went to the bathroom, I helped my product sister easily complete the BI data product and got a milk tea reward
- LeetCode Algorithm 2181. 合并零之间的节点
- Upgraded wechat tool applet source code for mobile phone detection - supports a variety of main traffic modes
- ROS2安装及基础知识介绍
- TS基础篇
猜你喜欢
基于PyTorch和Fast RCNN快速实现目标识别
ROS学习_基础
Attributeerror: can 't get attribute' sppf 'on < module' models. Common 'from' / home / yolov5 / Models / comm
Missing monitoring: ZABBIX monitors the status of Eureka instance
Leetcode 78: subset
The ECU of 21 Audi q5l 45tfsi brushes is upgraded to master special adjustment, and the horsepower is safely and stably increased to 305 horsepower
Wechat brain competition answer applet_ Support the flow main belt with the latest question bank file
Idea console color log
leetcode35. 搜索插入位置(简单,找插入位置,不同写法)
《从0到1:CTFer成长之路》书籍配套题目(周更)
随机推荐
Latex文字加颜色的三种办法
《从0到1:CTFer成长之路》书籍配套题目(周更)
Due to high network costs, arbitrum Odyssey activities are suspended, and nitro release is imminent
Oracle database 11gr2 uses TDE transparent data encryption to report an error ora28353. If you run to close the wallet, you will report an error ora28365. If you run to open the wallet, you will repor
AttributeError: Can‘t get attribute ‘SPPF‘ on <module ‘models.common‘ from ‘/home/yolov5/models/comm
The first Baidu push plug-in of dream weaving fully automatic collection Optimization SEO collection module
微信公众号无限回调授权系统源码 全网首发
Upgraded wechat tool applet source code for mobile phone detection - supports a variety of main traffic modes
UWA pipeline version 2.2.1 update instructions
Call, apply, bind rewrite, easy to understand with comments
3. Business and load balancing of high architecture
TS Basics
18. Multi level page table and fast table
idea控制台彩色日志
接口自动化测试框架:Pytest+Allure+Excel
Embed UE4 program into QT interface display
[advanced software testing step 1] basic knowledge of automated testing
简单描述 MySQL 中,索引,主键,唯一索引,联合索引 的区别,对数据库的性能有什么影响(从读写两方面)
Bio model realizes multi person chat
Librosa audio processing tutorial