How to use F12 information collection

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Today I would like to talk about how to use F12 for information collection, which many people may not know much about. To help you understand it better, the editor has summarized the following content, and I hope you get something out of this article.

Information collection (information gathering) means obtaining as much information as possible from the target site through various means and with the help of relevant tools. It is the first and a very important step in the testing process, and an essential part of web testing. The quality of information collection largely determines the effect of later testing: sufficient information collection often yields twice the result with half the effort, and may also provide a key point of entry at a later stage. This article introduces F12 information collection and related techniques, mainly on the basis of practical experience.

The F12 developer tools are a set of tools that help developers build and debug web pages. They include the Elements, Network, Sources, Timeline, Profiles, Resources, Audits and Console modules, as shown in figure 1-1:

Figure 1-1 F12 developer tools page

The F12 developer tools are, I think, the most basic means of information collection, and also the simplest and fastest. Through F12 we can collect a lot of information that is not obvious on the surface, including comment information, hidden information, relative path information, web server information, JavaScript function information and so on.

1.1.1 Comment information collection

When we visit a page, its source code often contains comments, and these often hold a lot of sensitive information: the download link of a file, some hidden functional module, or even sensitive information you did not expect. In the F12 Elements module we can expand nodes one by one to view the comments, but this is very inefficient, because in this module we cannot use [Ctrl+F] to search for comments. We can also search for comments by viewing the page source, but the search results are not contiguous, which makes them inconvenient to review.

In F12, we can click the show drawer icon in the upper right corner to search across all of the content. Some administrators may forget to turn off directory browsing when deploying a website. We can visit the images directory to check whether directory browsing is turned on. If it is, we can gradually reach many other sensitive files through directory browsing, such as database files, some back-end pages that can be accessed without authorization, some backup files, and so on.

Figure 1-2 Extracting comment information

Anyone who has played CTF knows that, when starting out on web challenges, the flag for the first challenge is usually in a comment in the page source, as shown in figure 1-3 and figure 1-4.

Figure 1-3 Getting the flag

Figure 1-4 Getting the flag

In practice, I have obtained a file download address from comments and from it obtained a lot of sensitive information, such as name, × ×, telephone, mailbox and so on. With this information we can build targeted dictionaries and brute-force the back-end management login. I have also found a forgot-password link in a comment. That forgot-password function happened to have a SQL injection. Through the injection I had the CAPTCHA sent to my own mobile phone number and then reset the root account. After logging in, I could upload a webshell at the file upload point, which was only checked at the front end, so it was easy to bypass.

To address information leakage through comments: first, remove comments from what is delivered to the front end as far as possible; second, delete unused functional modules outright, because they cannot be hidden by commenting them out!

1.1.2 Hidden information collection

When looking at the source code, we find that some controls have a type value of hidden, which means the control is hidden on the page and not displayed. Although these parameters are hidden, they are still submitted to the server, which gives us an opening. We use the search method above to search for hidden, as shown in figure 1-5, to view all controls with a type value of hidden.

Figure 1-5 Searching for hidden-related content

By deleting hidden we can make the control display on the page, as shown in figure 1-6, and we can then modify its value.

Figure 1-6 Deleting hidden

In practice, by searching for hidden I have obtained the SMS verification code sent when resetting another person's account, and successfully reset that user's password, thereby obtaining login access to the site. On another occasion, the hidden parameter was still submitted to the server and happened to have an XSS vulnerability, while the other, visible submitted parameters were filtered to some extent.

Therefore, try not to use the hidden attribute to hide sensitive data, such as a hidden login account, and the SMS CAPTCHA that is sent must never appear in the page source. Either way, keep in mind that the parameters submitted to the server need to be checked and filtered!
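A pre-deployment check for the two leaks covered in 1.1.1 and 1.1.2, written from the site owner's side. This is an added example, not code from the original article; the keyword patterns, the sample page and every name in it are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed patterns for comment content that deserves manual review.
SUSPICIOUS = re.compile(r"https?://|href=|\.(zip|rar|sql|bak|xlsx?)\b|passw|admin", re.I)
# Assumed names of hidden fields that should never carry a trusted or secret value.
SENSITIVE_NAME = re.compile(r"code|captcha|sms|token|user|account|role|admin|price", re.I)

class LeakAudit(HTMLParser):
    """Collects HTML comments and hidden inputs from one rendered page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, kind, detail)

    def handle_comment(self, data):
        text = " ".join(data.split())
        kind = "comment-sensitive" if SUSPICIOUS.search(text) else "comment"
        self.findings.append((self.getpos()[0], kind, text[:80]))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            name, value = a.get("name") or "", a.get("value") or ""
            # A hidden field that ships a value under a sensitive name is the risky case.
            kind = "hidden-sensitive" if value and SENSITIVE_NAME.search(name) else "hidden"
            self.findings.append((self.getpos()[0], kind, f"{name}={value}"))

def audit_html(html):
    """Return every comment and hidden input found in the given HTML."""
    parser = LeakAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not taken from the article).
SAMPLE = """<html><body>
<!-- old export: <a href="/files/members.xls">download</a> -->
<!-- layout wrapper -->
<form action="/reset" method="post">
  <input type="text" name="phone">
  <input type="hidden" name="sms_code" value="493817">
  <input type="hidden" name="lang" value="en">
</form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in audit_html(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

Run it against the rendered output of each page rather than the templates, since comments and hidden values are often injected at render time.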

1.1.3 Relative path information collection

For relative path information collection, I mainly collect the relative path where a picture is located, as shown in figure 1-7, then find the location of the corresponding picture (with locate or find), and combine it with the collected relative path to get the absolute path we want, so as to upload a webshell!

Figure 1-7 Viewing picture properties

In addition, we can view the relevant js files (such as conf.js) under the scripts in the Resources module to get relative path information. Some of the links may be accessible without authorization, so we can make further use of them, as shown in figure 1-8!

Figure 1-8 Finding other pages

In practice, I often use this method to find the physical path for uploading a webshell, especially in combination with some command execution tools. You may ask, "If commands can already be executed, why upload a webshell?" In fact, this is because every tool has some defects, so not all commands can be executed. Even if you have root permission, you still need to upload a powerful webshell to use, for downloading files and so on! In addition, I have encountered a case where deleting the path of the picture step by step led directly to the back-end address!

1.1.4 Web server information collection

Web server information collection mainly gathers how the web server is deployed: what it is built on (Apache, Nginx or something else) and what scripting language the site is developed in (ASP, PHP and so on). We can use F12 to take a simple look at this information.

First, we go to the Network module of F12, select the Doc (document) filter, and then press F5 to refresh the data, as shown in figure 1-9:

Figure 1-9 Selecting the Network module for filtering

At this point, we click the document listed below to view its details. We can see that the website is built on Apache, version 2.4.23, running on Windows, and that the scripting language is PHP, version 5.4.45, among other information, as shown in figure 1-10. You can also see the website's cookie here. If you find that the cookie contains a flag such as admin=0 or flag=0, you can use Burp Suite to intercept the request and modify it, changing 0 to 1, and you may be able to enter the system directly!

Figure 1-10 Viewing web server information

Web server information is very important for *. By obtaining the version, you can find the corresponding vulnerability to exploit, so as to improve the efficiency of *! Therefore, when deploying a website, webmasters should remember to apply a secure configuration that hides such information, or modifies it to mislead! For example, set expose_php = Off in php.ini to hide the PHP version information, and add the following two lines at the bottom of the Apache configuration file (vi /etc/apache2/apache2.conf), as its last lines, to hide the Apache banner information!

ServerSignature Off
ServerTokens Prod
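To confirm that the settings above took effect, the response headers can be checked automatically after each deployment. This is an added example, not code from the original article; both response heads are constructed samples (the first reuses the versions shown in figure 1-10), and the list of flag-style cookie names is an assumption.

```python
import re

# Headers whose values commonly reveal product and version details.
BANNER_HEADERS = ("server", "x-powered-by")
VERSION = re.compile(r"\d+\.\d+")
# Assumed cookie names that look like authorization state kept on the client.
FLAG_COOKIE = re.compile(r"^(admin|flag|is_admin|role)$", re.I)

def parse_headers(raw):
    """Split a raw HTTP response head into a list of (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Return (header, issue) findings for one response head."""
    findings = []
    for name, value in parse_headers(raw):
        if name in BANNER_HEADERS and VERSION.search(value):
            findings.append((name, f"version disclosed: {value}"))
        if name == "set-cookie":
            cookie = value.split(";")[0].strip()
            if FLAG_COOKIE.match(cookie.partition("=")[0]):
                # Privileges must come from server-side session state, not this value.
                findings.append((name, f"client-side authorization flag: {cookie}"))
    return findings

# Constructed response heads: before and after the hardening described above.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.23 (Win32) PHP/5.4.45
X-Powered-By: PHP/5.4.45
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: admin=0; path=/
Content-Type: text/html
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw))
```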

1.1.5 JavaScript function information collection

The main purpose of JavaScript information collection is to see whether some functions are validated only by front-end js, as shown in figure 1-11. If validation is front-end only, we can bypass it by disabling js or by modifying the request directly with Burp Suite. You can also go to the Resources module to see whether there are useful js files, such as conf.js, which may contain hidden links and other sensitive information.

Figure 1-11 Viewing JavaScript information

In practice, if the upload point is only validated at the front end, we can disable js to upload a webshell, and sometimes you can disable js on the login page and then log in with any account and password to enter the system, which I have only encountered once! So when developers implement validation, keep in mind that checks performed in the front end are not secure; check and filter on both the front end (client side) and the back end (server side)!
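What the back-end half of that check can look like for the upload case: the server repeats the validation regardless of what the browser did. This is an added example, not code from the original article; the image-only policy, the size limit and the function name validate_upload are assumptions.

```python
import os
import secrets

# Assumed policy: image uploads only; extension -> accepted leading magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit

def validate_upload(filename, data):
    """Server-side check; returns (True, stored_name) or (False, reason).

    The client-supplied name is only used to read the extension. The stored
    name is generated on the server, so double extensions and path segments
    sent by the client never reach the file system.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return False, "NUL byte in filename"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, secrets.token_hex(16) + ext

# Constructed inputs (not from the article).
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    ("avatar.PNG", PNG_HEAD),           # accepted, stored under a random name
    ("page.php", b"not an image"),      # rejected by the extension allowlist
    ("renamed.png", b"not an image"),   # rejected: content is not a PNG
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, validate_upload(name, data))
```

The upload directory should also be configured so that the web server never executes files stored in it, since a valid image header does not prove the rest of the file is harmless.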
