Shulou(Shulou.com)06/01 Report--

This article shows you what is the principle of cracking the background of the website, the content is concise and easy to understand, it can definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

1) find the website management portal

First, guess the common website backstage.

1. Http:// your URL / login.asp

2. Http:// your URL / admin/login.asp

3. Http:// your URL / admin/ / admini/

Second, check the robots.txt of the website

For example, the website is http://www.mmfi.net/

Add: robots.txt after

Get:

User-agent: *

Disallow: / wp-

Disallow: / feed/

Disallow: / comments/feed

Disallow: / trackback/

Disallow: / page/

Disallow: / category/*/page/

Sitemap: http://www.mmfi.net/sitemap_baidu.xml

Disallow is followed by those who do not want to be searched. It may be the background page.

Here, you can use the "Sword background scanning tool" or some other background directory scanning tools to scan the directory / file information in the background of the website.

The "Sword background scan" tool will return the matching directory / file in the form of a list for our reference. We need to find the background login entry of the website through the information returned by the analysis tool.

We have scanned the directory of the 192.168.1.171 website and have scanned the relevant file information, including a file called login.html, which is generally the login interface entry in the background.

In the above explanation, we have learned how to get the relevant login interface information in the background, and then we begin to attack the acquired login interface.

In order to facilitate the demonstration, let's take the background management interface of the exploding router as an example.

When performing the following operations, because we want to use the burpsuite tool, we need to install a Kali system (which can be installed using a virtual machine). The specific installation process is not discussed here, so please download and install it yourself.

2) preparation before blasting

First, open the burpsuite tool on the desktop of the Kali system, and first configure the tool as follows:

For the newly added listening address in figure 3, the default IP address is set to 127.0.0.1, and the listening port is set to 9999, where 9999 is optional (it is recommended to set the value after 1024).

The purpose of this configuration is to allow the burpsuite tool to listen for all packets flowing through the port of the network card 9999. To put it bluntly, it is to eavesdrop on all the contents of the interaction between the administrator and the server and save it.

Next, we use the browser of the Kali system to imitate the administrator logging into the background of the website, and implement data eavesdropping.

First of all, let's configure the proxy settings of the browser as follows:

The proxy IP address and port set here must be the same as the address used when setting up the burpsuite tool above!

3) officially start the attack

Finally, it's time to attack. Next, let's take the management background of the router as an example to implement the attack:

Suppose the administrator opens the router management background interface and performs a login operation:

After the user has logged in (assuming that the account and password are correct), we go back to the burpsuite tool and switch to the HTTP history option to view the packet capture information.

In the packet capture list, we can see that the burpsuite tool captures all the data packets flowing through port 9999. Here, we only need to find the same URL in the URL column that the administrator uses when logging in to the management background. Click View to view all the contents of the packet.

We easily found the correct account and password.

The above content is what is the principle of the backstage cracking of the website, have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.