2025-01-22 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article walks through how to get started with web information collection. The content is detailed and easy to follow; readers interested in the topic can work through it at their own pace, and we hope it helps.
Information gathering means obtaining the required information through various means. It is the first and most important step in making information usable, and the quality of the collection directly determines the quality of all the work that follows.
In practice, how complete the information collected in the early stage is largely determines the success rate of the test against the website. The more we can collect, the more it helps us.
1. CMS identification
To save effort, many websites are built directly from the source code of a ready-made platform (a CMS). Because that source code is open, its vulnerabilities become public, and many CMS vulnerabilities are disclosed on the Internet; an attacker who identifies the CMS can look up those vulnerabilities and exploit them.
CMS identification online sites:
(1) scan.top15.cn/web/
(2) whatweb.bugscaner.com/look/
Once the site is identified as ThinkPHP, we search for the disclosed vulnerabilities of that CMS and test them.
But vulnerabilities already disclosed on the Internet may have been patched. How do we get the source code ourselves?
You can download the source code from a website source-code platform, or check on GitHub whether the code is open source.
Website source code platform: down.chinaz.com/ (there are many others; search for them yourself)
GitHub search platform: https://www.githubs.cn/ (search for thinkphp to check whether open-source code is available)
(Figure: architecture information acquisition; site construction analysis)
2. Collection of website construction
A website rarely consists of a single page. Different pages may run a different CMS, or may be protected more weakly than the main page, so we can penetrate another page to gain the main site's privileges. In short, we obtain multiple targets instead of testing a single site.
1. Subdomain name collection
Subdomains are second-level domain names, the level directly below the top-level domain.
For example: http://xxx.com is the top-level domain and http://xxx.xxx.com is one of its subdomains.
We can collect subdomains through online platforms or crawl them with tools.
Crawl them with the Layer Subdomain Mining Machine tool.
2. Port scanning
A website may use the same URL but serve different pages on different ports.
For example: www.xxx.com:80 and www.xxx.com:8080 share the same hostname, but the interface presented is completely different.
Once we have scanned out the open ports, we can also attack the service behind each port.
3. Website directory collection
Different directories may contain a backend login page or pages that interact with the database, and we can also use these pages for testing.
We can use tools to scan directories directly.
Tools: a backend (admin path) scanner and webpathbrute, for crawling the target site's directories.
4. Side-site query
Side sites are simply other sites on the same server: a server may host multiple websites, and we can choose one of the weaker ones to penetrate.
Online side-site query: stool.chinaz.com/same
5. C-segment query
A C segment is, simply put, different sites on different servers that sit in the same C-class network segment (the same /24). Each server hosts its own sites, but they all belong to the same segment, so we can attack one of them and then reach the others through intranet penetration.
Online C-segment query: chapangzhan.com/
6. Similar sites
During a website's life it may be migrated, or, in the case of illegal websites, the operator may register several slightly different URLs to avoid being shut down; the differences are usually minor.
For example: www.xxx.com may become www.xxx.cn or www.xxx01.com, and so on.
I'm not sure what platforms or tools are available for this, but it can be used as a means of daily information collection.
(Figure: similar domain names for one site: .org, .com, .cn, .net)
7. Site-building software features
To make building a site easier, integrated site-building platforms such as phpStudy or Pagoda (BT Panel) are often used. They usually leave characteristic information from which you can judge whether such software was used. Once the software is known, we can search for its vulnerabilities, test them, and take over the privileges.
For example, I built a website locally with phpStudy and captured its packets through the Network tab of the browser's inspect-element tools to view the packet information.
We can see that it contains:
Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38 Server:Apache/2.4.23 (Win32) Open Server at www.hjs.com Port 80
The exact server banner style can only be learned by building such a site yourself.
And once we know the software, we can exploit its vulnerabilities directly.
8. Determine the operating system
The easiest way to tell is that Windows is case-insensitive for file paths, while Linux is case-sensitive.
For example: if the URL is www.xxx.com/1.php and we change it to www.xxx.com/1.PHp, it can still be accessed on a Windows system but not on a Linux system.
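As an added example (not code from the original article), a self-audit of what sections 7 and 8 let an anonymous visitor learn: it pulls product/version pairs out of the Server and X-Powered-By headers, using the article's own Apache banner as constructed input, reads the OS hints from the banner and from the 1.php / 1.PHp status codes, and shows what remains once the version-hiding directives are set. The function names are mine; ServerTokens, ServerSignature and expose_php are real Apache/PHP directives.

```python
import re
from typing import Dict, List, Tuple

# Constructed response headers; the Server value is the banner quoted in the article.
HEADERS = {
    "Server": "Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38",
    "X-Powered-By": "PHP/5.5.38",
    "Content-Type": "text/html",
}

# product/version tokens such as Apache/2.4.23 or OpenSSL/1.0.2j
BANNER_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def disclosed_versions(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Product/version pairs a visitor can read from Server and X-Powered-By (deduplicated)."""
    found: List[Tuple[str, str]] = []
    for name in ("Server", "X-Powered-By"):
        for product, version in BANNER_RE.findall(headers.get(name, "")):
            if (product, version) not in found:
                found.append((product, version))
    return found


def os_hints(headers: Dict[str, str], status_lower: int, status_upper: int) -> List[str]:
    """OS clues: the platform tag in the banner, plus the article's case-sensitivity probe
    (status_lower/status_upper are the HTTP status codes returned for /1.php and /1.PHp)."""
    hints = []
    server = headers.get("Server", "")
    if "(Win32)" in server or "(Win64)" in server:
        hints.append("banner reports Windows")
    if status_lower == 200 and status_upper == 200:
        hints.append("path handling is case-insensitive (Windows-like)")
    elif status_lower == 200 and status_upper == 404:
        hints.append("path handling is case-sensitive (Linux-like)")
    return hints


def after_hardening() -> List[Tuple[str, str]]:
    """What remains once Apache runs with 'ServerTokens Prod' and 'ServerSignature Off' and
    php.ini sets 'expose_php = Off': the bare product name and no version to search for."""
    return disclosed_versions({"Server": "Apache"})


if __name__ == "__main__":
    print("disclosed:", disclosed_versions(HEADERS))
    print("os hints:", os_hints(HEADERS, 200, 200))
    print("after hardening:", after_hardening())
```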
3. CDN bypass: finding the real IP
First, know what a CDN is. CDN stands for Content Delivery Network. The basic idea is to avoid, as far as possible, the bottlenecks and links on the Internet that can affect the speed and stability of data transmission, so that content is delivered faster and more reliably. By adding a layer of intelligent virtual network on top of the existing Internet, made up of node servers placed throughout the network, the CDN system redirects each user's request in real time to the service node closest to that user, based on network traffic, connection and load status, distance to the user, and the response time of each node. The goal is to let users fetch the content they want from a nearby node, relieve Internet congestion, and improve the response speed when users visit websites.
1. How to determine whether a CDN exists
Use multi-node requests and compare the returned addresses: with a "super ping" service that pings from many locations, multiple returned IP addresses indicate a CDN, while a single IP address indicates no CDN. Example: a super ping of www.baidu.com returns two different IP addresses, so we can conclude it is protected by a CDN.
2. How to bypass the CDN
1. Subdomain query
Principle: to save money, the website only puts the high-traffic domain name behind the CDN, and its subdomains have no CDN protection.
(1) Remove www
Ping detection after removing www. Principle: when xxx.com is entered it automatically redirects to www.xxx.com, and xxx.com itself has no CDN protection. For example, a ping check of www.xxx.com returns multiple IP addresses,
but a ping check of xxx.com returns a single IP address.
(2) Ping detection of the subdomains found by subdomain scanning
2. Mail service query
Principle: most mail servers are not behind a CDN. Use the site's registration or password-recovery features to have it send a verification email, then view the email's source (its headers) to obtain the sending server's IP address.
3. Request from a foreign address
Principle: the CDN protection is only deployed for China, and no CDN access nodes are deployed for foreign visitors.
(1) Ping the target from foreign ping services (preferably from less common countries)
(2) Use a VPN in global proxy mode and ping from CMD
4. Legacy files
Principle: files left over from when the site was built may contain the real IP address. For example, a phpinfo() page may show the IP.
5. Dark engines
(1) Search with dark engines such as Google, Shodan and ZoomEye.
(2) Search for the site's specific favicon (ico) hash; many cache nodes do not put this hash behind CDN protection.
6. DNS history
Principle: look at the site's DNS resolution history; the site may not have used a CDN before, so older records may point to the real IP.
7. Third-party interface queries
3. Possible problems
1. Why do different methods find different IP addresses?
(1) Use the ICP filing number or the company address to check
Determine where each IP is located, then manually judge which IP is the real one. Example: two IP addresses in two different cities were found by different methods. If the filing number starts with Guangdong, we can determine that the real IP is the one located in Guangdong Province.
(2) Modify the local hosts file
The hosts file is located at C:\Windows\System32\drivers\etc. Map the domain to the candidate IP there, then check from CMD (ping) whether the site can be opened through that IP, which confirms it is the real one.
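As an added example, not part of the original article, the defender's side of the CDN section: given the DNS answers collected for a site's hostnames from several vantage points (constructed data here) and the CDN provider's address ranges (placeholder documentation ranges here; a real audit loads the provider's published list), report which names, such as the bare apex domain or the mail host, resolve outside the CDN and therefore expose the origin. It also implements the article's "more than one IP means CDN" rule of thumb to show where that rule falls short.

```python
import ipaddress
from typing import Dict, List

# Placeholder CDN ranges (documentation address space); assumption: the real provider
# publishes a CIDR list that would be loaded here instead.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:cd::/48")]

# Constructed DNS answers per hostname, as resolved from several vantage points
# (the "super ping" idea). 198.51.100.7 plays the role of the unprotected origin.
DNS_ANSWERS: Dict[str, List[str]] = {
    "www.example.com":  ["203.0.113.10", "203.0.113.11"],   # fully fronted by the CDN
    "example.com":      ["198.51.100.7"],                   # apex without www
    "mail.example.com": ["198.51.100.7"],                   # mail host on the origin
    "api.example.com":  ["203.0.113.12", "198.51.100.7"],   # one vantage point sees origin
}


def behind_cdn(ip: str, cdn_ranges=CDN_RANGES) -> bool:
    """True if the address lies inside one of the CDN's address ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cdn_ranges)


def multi_ip_heuristic(ips: List[str]) -> bool:
    """The article's rule of thumb: more than one distinct address suggests a CDN.
    api.example.com shows its weakness: two addresses, yet one of them is the origin."""
    return len(set(ips)) > 1


def exposed_origins(answers: Dict[str, List[str]], cdn_ranges=CDN_RANGES) -> Dict[str, List[str]]:
    """Hostnames that resolve (from at least one vantage point) to a non-CDN address,
    mapped to those addresses. An empty dict means every name is fully fronted."""
    leaks: Dict[str, List[str]] = {}
    for host, ips in answers.items():
        outside = sorted({ip for ip in ips if not behind_cdn(ip, cdn_ranges)})
        if outside:
            leaks[host] = outside
    return leaks


if __name__ == "__main__":
    for host, ips in DNS_ANSWERS.items():
        print(f"{host}: multiple-IP heuristic says CDN = {multi_ip_heuristic(ips)}")
    for host, ips in exposed_origins(DNS_ANSWERS).items():
        print(f"{host} exposes a non-CDN address: {', '.join(ips)}")
```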
4. Determine whether there is a WAF
A WAF is a Web Application Protection System (also known as a Web Application Level Intrusion Prevention System), i.e. a Web Application Firewall. In the internationally accepted definition, a Web Application Firewall is a product that specifically protects web applications by enforcing a series of security policies on HTTP/HTTPS traffic.
Simply put, it protects the website by restricting access to it.
Online check for a WAF: scan.top15.cn/web/
However, that cannot determine the WAF type; the wafw00f tool can.
But not every WAF can be identified.
5. Sensitive file leakage
Common examples include phpinfo pages and robots.txt.
6. How to deal with CC-attack protection when crawling a site behind a WAF
A common WAF will block, or take other measures against, IP addresses that access the site too fast, so it is hard for us to crawl the target and get the information we want.
Here I explain it with some simple bypasses in webpath.
CC-attack protection limits access that is too fast or otherwise illegitimate.
1. Delay
By increasing the interval between requests to slow ourselves down, we can bypass the WAF.
2. Whitelist access
When crawling with a tool, the HTTP User-Agent (UA) header carries the tool's characteristics; the WAF detects this and blocks access. We can modify the UA to bypass it.
3. Proxy pool bypass
Simply put, use multiple IP addresses for access: when one is blocked, switch to another, and so complete the directory crawl. I'll write a separate article later on using a proxy pool.
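As an added example that is not part of the original article, detection logic a defender can run over web-server access logs to catch the three tactics above (delay, User-Agent change, proxy pool): instead of a per-IP rate limit, it counts 404s per time window across distinct source addresses, which is the pattern slow, UA-rotated, proxy-pooled directory guessing still leaves. The log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/Nginx default); fields we do not need are skipped with \S+.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: four addresses, one directory guess each six seconds apart, browser-like
# User-Agent, so a per-IP rate limit and a UA signature both stay quiet.
SAMPLE_LOG = """\
198.51.100.21 - - [10/Mar/2024:12:00:01 +0800] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:12:00:07 +0800] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:00:13 +0800] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Mar/2024:12:00:19 +0800] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Mar/2024:12:00:25 +0800] "GET /login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:40 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        events.append({**m.groupdict(), "ts": datetime.strptime(m["ts"], TS_FMT),
                       "status": int(m["status"])})
    return events

def max_404_per_ip(log_text):
    """What a per-IP threshold sees: the 404 count of the busiest single address."""
    counts = defaultdict(int)
    for e in parse(log_text):
        if e["status"] == 404:
            counts[e["ip"]] += 1
    return max(counts.values(), default=0)

def detect_distributed_bruteforce(log_text, window_s=60, min_404=4, min_ips=3):
    """Alert on fixed windows where 404s are spread over many source addresses: the pattern
    left by slow, UA-rotated, proxy-pooled directory guessing that per-IP limits miss."""
    buckets = defaultdict(list)
    for e in parse(log_text):
        if e["status"] == 404:
            buckets[int(e["ts"].timestamp()) // window_s].append(e)
    alerts = []
    for key in sorted(buckets):
        ev, ips = buckets[key], sorted({e["ip"] for e in buckets[key]})
        if len(ev) >= min_404 and len(ips) >= min_ips:
            alerts.append({"window_start": key * window_s, "count": len(ev),
                           "ips": ips, "paths": [e["path"] for e in ev]})
    return alerts
```

On the sample, the busiest single address has only two 404s, so a per-IP rule never fires, while the window rule raises one alert covering all four addresses.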
That is all on how to get started with web information collection; I hope the content above helps everyone improve.