[XD Learning Notes 8]: Architecture, Build, WAF, etc.

Preface

In security testing, information collection is a very important stage: what you gather here affects the probability that everything after it succeeds. The amount of information you hold determines how much opportunity you have to discover vulnerabilities, in other words whether you can complete the testing task against the target. Put bluntly: penetration testing starts with information collection, and the gap between you and the experts starts here too.

Site Setup Analysis

Build Habits - Directory Sites

Simply put, the main site hosts other CMS programs in subdirectories.
For example: a background directory scan of a university website turns up a bbs directory; opening it reveals a separate BBS forum program.

For example: c:/www/root and c:/www/root/bbs

But the two websites are two separate sets of program code: a vulnerability in either one compromises the server, so you are effectively dealing with two sets of vulnerabilities.

Such directories can be found with a directory scanning tool. For a directory-based site there are two lines of thought: vulnerabilities in the main site, and vulnerabilities in the bbs program.

Build Habits - Port Sites

When several websites on the same server are separated by port, a security problem in one site can affect the others.

Some sites are served on ports other than the default port 80. Port information can be collected with a tool such as Shodan.

Build Habits - Subdomain Site

The two sites may not be on the same server.

Reference: if the IP addresses differ, the two sites are probably not on the same server.

Note: this is the model mainstream websites use now, so it is very likely that a subdomain and the main website are not on the same server.

Build Habits - Similar Domain Name Sites

Some companies abandon their original domain name as the business develops and switch to another, but the old domain name is often still reachable, as are variants with a different second-level label or a different top-level domain. Old domain names can offer a breakthrough.

Ways to find them:

Another website of the same company

A change of domain name suffix

A variation of the domain name itself

For example: JD.com's website is jd.com, so it may also use domain names such as jd.net and jd.cn. Social engineering can be used to learn about its related domain names.

Build Habits - Side-Site and C-Segment Sites

Side-site: several sites live on the same server, but the site you are attacking, site A, cannot be compromised for various reasons. You instead get onto the server by testing site B and then attack site A from there to reach the final goal.

Prerequisite:

Multi-site server:
192.168.1.100
www.a.com (Goal)
www.b.com
...

Standalone site servers:

C segment: the websites are on different servers in the same network segment. After scanning, you compromise another server in the same segment as the target, then move from that server to the target through intranet penetration.

192.168.1.100
www.a.com (Goal)
www.b.com
...

192.168.1.101
www.a.com
www.b.com
...

Query the hosts 1-254 of the segment, obtain permissions on the 101 server, and then use intranet security testing techniques from a host in the same segment to obtain permissions on the specified target server.

Online tool: https://www.webscan.cc/

A side-site query shows that when two sites share one server, breaking one of them can provide a way into the other.
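As an added example (not from the original notes), here is a small Python inventory check that applies the rules above: hosts that resolve to the same IP share a server (a side-site relationship) and distinct servers in the same /24 are in the same C segment. The host-to-IP mapping is constructed to match the 192.168.1.x example; a site owner can run it over their own resolved asset list to see which sites share a blast radius.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (hostname -> resolved IP) matching the 192.168.1.x example above
INVENTORY = {
    "www.a.com": "192.168.1.100",   # the target
    "www.b.com": "192.168.1.100",   # same server: side-site relationship
    "bbs.a.com": "192.168.1.101",   # same /24, different server: C-segment relationship
    "mail.a.com": "10.0.0.5",       # unrelated segment
}

def group_by_server(inventory):
    """Hosts that resolve to the same IP share one server."""
    groups = defaultdict(list)
    for host, ip in inventory.items():
        groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items() if len(hosts) > 1}

def group_by_c_segment(inventory):
    """Distinct servers that sit in the same /24 (the C segment)."""
    segments = defaultdict(set)
    for ip in inventory.values():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        segments[str(net)].add(ip)
    return {seg: sorted(ips) for seg, ips in segments.items() if len(ips) > 1}

def blast_radius(inventory, target):
    """For one host: which other hosts share its server, and which share only its segment."""
    ip = inventory[target]
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    same_server = sorted(h for h, i in inventory.items() if i == ip and h != target)
    same_segment = sorted(h for h, i in inventory.items()
                          if i != ip and ipaddress.ip_address(i) in net)
    return {"same_server": same_server, "same_segment": same_segment}

if __name__ == "__main__":
    print("shared servers:", group_by_server(INVENTORY))
    print("shared C segments:", group_by_c_segment(INVENTORY))
    print("blast radius of www.a.com:", blast_radius(INVENTORY, "www.a.com"))
```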

Build Habits - Build Software Fingerprint Sites

Some websites are built with third-party integrated environment tools such as phpStudy and Pagoda. The harm of an integrated environment is that it leaks detailed version information.

Integrated build software usually ships with a default database account and password; if the builder does not change it, that becomes a breakthrough point.

Example:
Apache/2.4.41 (Win32) OpenSSL/1.1.1c mod_fcgid/2.3.9a : Pagoda (the Server header mostly reveals the build software)

Apache/2.4.41 (Win32) OpenSSL/1.0.2j PHP/5.4.45 : default security settings (/phpmyadmin, root/root)

After phpStudy is set up, phpMyAdmin is installed under the default site. Some websites leave it unsecured, and you can log in directly with username root and password root.
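As an added example that is not part of the original notes, the following Python parses Server header values like the two above into product/version pairs and lists what they disclose, so a site's own operators can check how much their build software leaks. The sample headers are constructed, and the bundle heuristic is an assumption of this example rather than a signature database.

```python
import re

# Constructed sample Server header values, modelled on the two examples above
SAMPLE_HEADERS = [
    "Apache/2.4.41 (Win32) OpenSSL/1.1.1c mod_fcgid/2.3.9a",
    "Apache/2.4.41 (Win32) OpenSSL/1.0.2j PHP/5.4.45",
    "Apache",   # what you get with "ServerTokens Prod" in httpd.conf
]

# product/version tokens and parenthesised platform comments
TOKEN_RE = re.compile(r"([A-Za-z_][\w.-]*)/([\w.+-]+)")
COMMENT_RE = re.compile(r"\(([^)]*)\)")

# Components whose presence suggests an integrated PHP environment
# (phpStudy, Pagoda and similar bundles); a heuristic assumed here, not a signature database.
BUNDLE_HINTS = {"mod_fcgid", "php"}

def parse_server_header(value):
    """Return (product, version) pairs and platform comments from a Server header."""
    return {
        "components": TOKEN_RE.findall(value),
        "comments": COMMENT_RE.findall(value),
    }

def assess_disclosure(value):
    """List what a Server header discloses; empty means nothing beyond the product name."""
    parsed = parse_server_header(value)
    findings = [f"version disclosed: {p} {v}" for p, v in parsed["components"]]
    findings += [f"platform disclosed: {c}" for c in parsed["comments"]]
    names = {p.lower() for p, _ in parsed["components"]}
    if names & BUNDLE_HINTS:
        findings.append("integrated environment likely: check that phpMyAdmin is not "
                        "reachable on the default site and that the database "
                        "account is not left at the default root/root")
    return findings

if __name__ == "__main__":
    # Mitigation on Apache: "ServerTokens Prod" and "ServerSignature Off" in httpd.conf
    for header in SAMPLE_HEADERS:
        print(header)
        for finding in assess_disclosure(header) or ["nothing disclosed"]:
            print("   ", finding)
```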

WAF Protection Analysis

What is a WAF?

A Web application firewall (also called a website application-level intrusion prevention system) comes in hardware and software forms. The firewalls bought by security companies and larger organizations are hardware; personal websites and small businesses use software. In security testing it is a wall in your way.

How to quickly identify WAF?

1. Use the tool wafw00f

Download address: https://codeload.github.com/EnableSecurity/wafw00f/zip/refs/heads/master

Make sure a Python environment is present before installing, otherwise the install will fail.

# unzip wafw00f-master.zip
# python3.8 setup.py install
# ls -ld wafw00f
drwxr-xr-x 6 root root 4096 Jun 10 17:22 wafw00f
# cd wafw00f
# python main.py https://www.hlszsb.com/

[*] Checking https://www.hlszsb.com/
[+] Generic Detection results:
[-] No WAF detected by the generic detection
[~] Number of requests: 7
2. Some websites do not hide their security setup and leave information about the WAF in responses or error pages.

3. Use nmap fingerprint detection
nmap --script=http-waf-fingerprint <target>
nmap --script=http-waf-detect <target>

4. identYwaf

Reference address: https://github.com/stamparm/identywaf

C:\Users\admin\Desktop\security\Software\identYwaf-master>python identYwaf.py https://www.manjaro.cn/
                                    __ __
 ____  ___      ___  ____   ______ |  T  T __    __   ____  _____
l    j|   \    /  _]|    \ |      T|  |  ||  T__T  T /    T|   __|
 |  T |    \  /  [_ |  _  Yl_j  l_j|  ~  ||  |  |  |Y  o  ||  l_
 |  | |  D  YY    _]|  |  |  |  |  |___  ||  |  |  ||     ||   _|
 j  l |     ||   [_ |  |  |  |  |  |     ! \      / |  |  ||  ]
|____jl_____jl_____jl__j__j  l__j  l____/   \_/\_/  l__j__jl__j  (1.0.134)

[o] initializing handlers...
[i] checking hostname 'www.manjaro.cn'...
[i] running basic heuristic test...
[i] rejected summary: 200 ('<title>����ҳ��</title>')
[-] non-blind match: -
[i] running payload tests... (45/45)
[=] results: '.xx.xxxxx..xxxxxxxx.xxx.x...x.xxx......x..xxx'
[=] hardness: hard (60%)
[=] blocked categories: SQLi, XSS, XPATHi, XXE, PHPi, PT
[=] signature: '90fa:RVZXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AA16FcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD'
[+] blind match: 'Safedog' (100%)

What does identifying the WAF mean for security testing?

If a website uses a WAF and the tester does not recognize it and scans directly with tools, the WAF may blacklist your IP address so that you can no longer access the site. Identifying the WAF also matters because bypass techniques differ between manufacturers.

Tags: Information Security

Posted on Sun, 12 Sep 2021 22:24:12 -0400 by jtrost