Updated 2025-01-19. From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
PTES (Penetration Testing Execution Standard)
1. Information gathering
(1) Subdomain enumeration
(2) Port scanning:
21, 22, 23: weak passwords and other vulnerabilities
3306, MySQL database: weak passwords, injection and other vulnerabilities
rsync port: weak passwords, unauthorized access vulnerability
6379, Redis port: unauthorized access vulnerability
11211, memcache port: unauthorized access vulnerability
(3) Fingerprinting: WordPress, WebLogic, Struts2.
(4) Email / site administrator information lookup: whois, social engineering.
(5) Directory and sensitive file detection: www.zip, www.rar, .git, .svn/entries.
2. Vulnerability discovery
(1) SQL injection vulnerability
(2) XSS vulnerability (cross-site scripting)
(3) File upload vulnerabilities: 1.jpg, png, 1.php.
(4) CSRF (cross-site request forgery): Referer.
(5) SSRF (server-side request forgery), which can scan the internal network and load images.
www.XXX.com/?img=https://cache.yisu.com/upload/information/20200310/69/132155.jpg
(6) Command execution / code execution vulnerability: can be used to write shell scripts.
(7) File inclusion vulnerability: can read source code, and can include a webshell.
(8) Download vulnerability: www.XXX.com/down.jsp?filename=1.doc
www.XXX.com/down.jsp?filename=../etc/passwd
(9) Logic vulnerabilities:
Payment vulnerability: modify the price or change it to a negative number.
Password reset: the request that sends the verification code carries the mobile phone number, so the packet can be intercepted and the phone number tampered with.
When the verification code has few digits, it can be brute-forced: 4 digits in 15 seconds, 6 digits in 90 minutes.
Unauthorized access (privilege overreach) vulnerability: horizontal: users of the same website access each other's user data, A -> B
Vertical: a low-privilege account can access high-privilege data, A -> admin
Race condition
Login as an arbitrary user (third-party interface): Weibo, QQ, WeChat, etc.: authorize login -> query whether an account is bound -> login
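For the download vulnerability in item (8), a server-side check that confines the filename parameter to one directory. This is an added example, not part of the original article; resolve_download, DownloadRejected and the sample directory layout are hypothetical names constructed here.

```python
import tempfile
from pathlib import Path


class DownloadRejected(Exception):
    """Raised when a requested filename must not be served."""


def resolve_download(base_dir, filename):
    """Map a user-supplied filename parameter to a file inside base_dir, or raise."""
    if "\x00" in filename:
        raise DownloadRejected("NUL byte in filename")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the containment check
    # is made on the real target and not on the string the client sent.
    # An absolute filename replaces base in the join and fails the same check.
    target = (base / filename).resolve()
    if base not in target.parents:
        raise DownloadRejected("path escapes download directory")
    if not target.is_file():
        raise DownloadRejected("no such file")
    return target


def demo():
    """Run the two request shapes from item (8), plus variants, on constructed files."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root) / "downloads"
        docs.mkdir()
        (docs / "1.doc").write_text("constructed sample document")
        secret = Path(root) / "secret.txt"
        secret.write_text("constructed file outside the download directory")
        (docs / "link.doc").symlink_to(secret)  # symlink pointing out of docs
        requests = ["1.doc", "../etc/passwd", "/etc/passwd",
                    "sub/../../secret.txt", "link.doc", "missing.doc"]
        results = {}
        for name in requests:
            try:
                resolve_download(docs, name)
                results[name] = "served"
            except DownloadRejected as exc:
                results[name] = "rejected: " + str(exc)
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"filename={name!r:28} {outcome}")
```
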
3. Vulnerability exploitation
4. Gaining access
Upload webshell
5. Privilege escalation
(1) Windows: overflow-based privilege escalation (ms17_010, the system needs the firewall turned off, post)
Database privilege escalation
Third-party software privilege escalation: for example, 360 runs with administrator privileges.
(2) Linux: overflow-based privilege escalation.
6. Internal network penetration (lateral movement)
(1) Web, apps: the vulnerabilities listed under vulnerability discovery
(2) Sniffing: ARP spoofing, man-in-the-middle