/**cdn Bypass      7. information gathering ——CDN Bypass technology · Language sparrow

One 、 framework 、 build 、waf

1、 Site construction type ：

（1） Directory site construction ：

         Same website , But in different directories , Building source code is also different , But a problem with one website will affect the other website .

        Such as

        Probe ： Yujian and other directory scanning tools can find

（2） Port class site

        The website is located on the same server , But ports are different , For example, those target aircrafts built in practice ,dvwa yes 8023 port ,pikachu yes 8022 port

        nmap Port scanning 、 Surf the Internet query

（3） Sub domain name class site

        Search the subdomain name online ip,ip Different does not belong to the same server .

（4） Similar domain name sites

        The domain name suffix is different , Such as .com and .cn, But from the same server or company .

（5） sidenote 、c Segment site

      /** Excerpt from ：  8. information gathering —— Site construction and WAF · Language sparrow   **/

          1） sidenote

         Marginal note is an intrusion method , Literally, it means －" Inject... From the side ", Exploit the vulnerabilities of different websites on the same host to get webshell, Thus, the physical path of the user exposed by the program or service on the host can be used for intrusion . Different sites on the same server . Two or more websites are placed on the same server , One of the websites is the target .

        Implementable premise ：

                 There are multiple site servers ;

                www.a.com（ The goal is ）

                www.b.com

                ........

                 Stand alone site server

          2）c paragraph

         Different servers and different sites in the same network segment . The website has one or more sites , Through the server IP Address of the network segment to test .              

                192.168.1.1

                www.a.com（ The goal is ）

                www.b.com

                ........             

                192.168.1.101

                www.a.com

                www.b.com

                ........

         By querying the network segment 1-254, To get 101 Network segment server permissions , The test method of implementing intranet security through the target host of the same network segment of the server , To obtain the permission of the specified web server .

（6） Build software

        Such as phpstudy、 Pagoda and other building software ; f12 View site information , Generally, software with complete information is built , Such as ：        Apache/2.4.41(win32)OpenSSL/1.1.1c mod_fcgid/2.3.9a;

        Similar building software usually has a default account password or security settings , Such as ：/phpmyadmin Catalog

2、WAF

        （1） brief introduction （ Baidu Encyclopedia ）

        Web Application protection system （ Also known as ： Website Application level intrusion prevention system . english ：Web Application Firewall, abbreviation ： WAF）. utilize The international A generally accepted saying ：Web application A firewall It's through the execution of a series of HTTP/HTTPS Of The security policy Come for Web An application that provides protection ;

        Web Application protection system （Web Application Firewall, abbreviation ：WAF） It represents a new kind of information security technology , To solve the problem that traditional devices such as firewalls are helpless Web Application security issues . Unlike traditional firewalls ,WAF Working in the application layer , So right. Web Application protection has inherent technical advantages . Based on the Web Apply a deep understanding of business and logic ,WAF from Web All kinds of requests from application clients are used for content detection and verification , Ensure its security and legitimacy , Block illegal requests in real time , So as to effectively protect all kinds of websites .    

   （2） How to quickly identify waf：wafw00f

        1）wafw00f Download and install ：

                github Address ：https://github.com/EnableSecurity/wafw00f

               kali Bring their own wafw00f：

                        a、 Start command ：wafw00f -l

                       b、 Use command ：wafw00f domain name /ip

        2）sqlmap：

                command ：python sqlmap.py -u “url” --identify-waf

Two 、app And other assets

        1、app Extraction, bag capturing and subsequent cooperation

        （1） some apk One click extraction decompilation

                A big hole is missing for installation and use ：

             APK Extract decompile Missing a big hole to download _ A rookie who loves programming -CSDN Blog _ There's a big hole missing

        （2） Use burp History catches more url

        2、 some ip nothing web Third party testing ideas under the framework

        （1） Random scanning of various ports

        nmap、 Search engine （shodan、 Zhong Kui's eyes 、fofa.info etc. ）

        /**  Friends, yuan fofa By b Station a live broadcast to * standing , Leading to fofa It was hacked by the Ministry of industry and information technology and can't be used    ***/

        eg：

        （2） Various interfaces are scanned randomly

        （3） Various interface tests

        3、 example （ A pyramid selling website ）

        （1） Check out the website

         （2） Collect all kinds of information ：

                1） Search domain name , Check various ports

                Find login port

                2）ping The website finds the truth ip

                Subdomain query

                Marginal query

                3） Record query

3、 ... and 、 Asset monitoring expansion

1、POC、EXP、Payload And Shellcode

         Penetrating POC、EXP、Payload And Shellcode The difference between _ Shallow blog -CSDN Blog _poc and exp     

（1） POC： Full name ' Proof of Concept ', chinese ' Proof of concept ' , It often refers to a piece of code that proves a vulnerability .

        EXP： Full name ' Exploit ', chinese ' utilize ', It refers to the action of using system vulnerability to attack .

        Payload： chinese ' Payload ', Success exploit after , Code or instruction actually executed in the target system .

        Shellcode： Simple translation ' shell Code ', yes Payload A kind of , Because of its positive establishment / reverse shell And get the name .

（2）POC Is used to prove the existence of vulnerabilities ,EXP Is used to exploit vulnerabilities , The two are usually not in the same category , Or say ,PoC It's usually harmless ,Exp Usually harmful , With POC, Only then EXP.

        Payload There are many kinds of , It can be Shellcode, It can also be a system command directly . The same Payload Can be used for multiple vulnerabilities , But each vulnerability has its own EXP, In other words, there is no universal EXP.

        Shellcode There are many kinds , Including positive , In reverse , even to the extent that meterpreter.

        Shellcode And Shellshcok Is not a ,Shellshock especially 14 Discovered in 2003 Shellshock Loophole .

2、github monitor

3、 Various collections

 4、 demonstration ： Monitor the latest EXP Release and others

  （1） The code is as follows ：

#Title: wechat push CVE-2020
#Date: 2020-5-9
#Exploit Author: weixiao9188
#Version: 4.0
#Tested on: Linux,windows
#cd /root/sh/git/ && nohup python3 /root/sh/git/git.py &
#coding:UTF-8
import requests
import json
import time
import os
import pandas as pd
time_sleep = 60 # every other  20  Climb once a second 
while(True):
    headers1 = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3741.400 QQBrowser/10.5.3863.400"}
    # Judge whether the file exists 
    datas = []
    response1=None
    response2=None
    if os.path.exists("olddata.csv"):
    # If the file exists, each crawl  10  individual 
        df = pd.read_csv("olddata.csv", header=None)
        datas = df.where(df.notnull(),None).values.tolist()# In the extracted data  nan  Turn into  None
        requests.packages.urllib3.disable_warnings()
        response1 = requests.get(url="https://api.github.com/search/repositories?q=CVE2020&sort=updated&per_page=10",headers=headers1,verify=False)
        response2 = requests.get(url="https://api.github.com/search/repositories?q=RCE&ssort=updated&per_page=10",headers=headers1,verify=False)
    else:
    # There is no crawling all 
        datas = []
        requests.packages.urllib3.disable_warnings()
        response1 = requests.get(url="https://api.github.com/search/repositories?q=CVE2020&sort=updated&order=desc",headers=headers1,verify=False)
        response2 = requests.get(url="https://api.github.com/search/repositories?q=RCE&ssort=updated&order=desc",headers=headers1,verify=False)

    data1 = json.loads(response1.text)
    data2 = json.loads(response2.text)
    for j in [data1["items"],data2["items"]]:
        for i in j:
            s = {"name":i['name'],"html":i['html_url'],"description":i['description']}
            s1 =[i['name'],i['html_url'],i['description']]
            if s1 not in datas:
                #print(s1)
                #print(datas)
                params = {
                    "text":s["name"],
                    "desp":" link ："+str(s["html"])+"\n brief introduction "+str(s["description"])
                }
                print(" The current push is "+str(s)+"\n")
                #print(params)
                requests.packages.urllib3.disable_warnings()
                requests.get("https://sct.ftqq.com/SCT120223TgU9or8Qt2deaV50HnarzVRBN.send",params=params,headers=headers1,timeout=10,verify=False)
                time.sleep(1)   # Prevent pushing too hard 
                print(" Push complete \n")
                datas.append(s1)
            else:
                pass
                print(" Data already in !")
    pd.DataFrame(datas).to_csv("olddata.csv",header=None,index=None)
    time.sleep(time_sleep)

（2） step ：

1） stay sct.ftqq.com Scan wechat account , obtain sendkey：

2） take sendkey Copy value to requests.get here ：

3） Execution results ：