Web security Attack and defense
Web Security Zero Basics introduction
From penetration test information collection to penetration offense and defense, learning penetration test this book is enough
Security expert practical explanation, from the principle to the scenario application
Content abstract
This book from the simple to the deep, comprehensive, systematic introduction of the current popular high-risk vulnerability attack means and defense methods, and strive to make the language easy to understand, simple and clear examples, easy for readers to read and understand. Combined with specific cases to explain, readers can be immersive, quickly understand and master the mainstream vulnerability utilization technology and penetration testing skills. A background in penetration testing is not required for this book, but relevant experience will be helpful. This book can also be used as a teaching material for information security in universities and colleges.
Author's brief introduction
Xu Yan is a security researcher at the Yangtze River Delta Institute of Beijing Jiaotong University. I got involved in network security in 2002, and my main research direction is Intranet penetration and APT attack. I have rich experience in network security penetration. Has published a book "Network attack and defense practical research: Vulnerability exploitation and rights", has published a number of technical articles in "Hacker Defense", "Hacker X-Files", "Hacker Handbook", FreeBuf, 360 security customer, Ali Cloud Shield Prophet, Shouhao and other magazines and media. Li Wenxuan, common ID: Oblivion. He used to be a penetration test engineer of Tianrongxin, and now he is a security researcher of Qihoo 360 Attack and Defense Laboratory. He is good at penetration testing and radio security. He has been active in multiple vulnerability reporting platforms, reported multiple CVE vulnerabilities, and participated in the editorial review of 360 Security Quarterly. Dong-a Wang, common ID 0xExploit. He used to be the senior security consultant of Green Alliance Technology and Tianrongxin. Now he is the security director of Anhui Sanshi and the initiator of ATK team. Good at penetration testing and code audit, active in multiple vulnerability reporting platforms, reported thousands of security vulnerabilities, including multiple CNVD, CVE vulnerabilities. He has published several professional technical articles in FreeBuf, Green League Technology Quarterly and other magazines and media, and won many CTF competition rankings.
directory
Chapter 1 Information Collection for Penetration Testing 1
1.1 Collecting Domain Name Information 1
1.1.1 Whois Query 1
1.1.2 Record Information Query 2
1.2 Collecting Sensitive Information 2
1.3 Collecting Subdomain Name Information 4
1.4 Collecting Common Port Information 7
1.5 Fingerprint recognition 10
1.6 Searching for the Real IP Address 11
1.7 Collecting Sensitive Directory Files 14
1.8 Social Engineering 15
Chapter 2 Build vulnerability environment and actual combat 17
2.1 Installing LANMP 17 on a Linux VM
2.2 Installing WAMP 19 on a Windows VM
2.3 Build DVWA vulnerability environment 21
2.4 Building an SQL Injection Platform 23
2.5 Building XSS Test Platform 24
Chapter 3 Common penetration testing tools 28
3.1 SQLMap Details 28
3.1.1 Installing SQLMap 28
3.1.2 SQLMap Introduction 29
3.1.3 SQLMap Advanced: Parameter Description 36
3.1.4 SQLMap comes with an explanation to bypass script tamper 40
3.2 Details of Burp Suite 50
3.2.1 Installation of Burp Suite 50
3.2.2 Getting Started with Burp Suite 51
3.2.3 Burp Suite 55
3.3 Details of Nmap 70
3.3.1 Installing Nmap 71
3.3.2 Nmap 101
3.3.3 Nmap advanced 83
Chapter 4 Web Security Principles 90
4.1 Basics of SQL injection 90
4.1.1 Introduction to SQL injection 90
4.1.2 Principles of SQL injection 90
4.1.3 Knowledge Points related to MySQL injection 91
4.1.4 Union Injection Attack 95
4.1.5 Union Injection Code Analysis 99
4.1.6 Boolean Injection attack 99
4.1.7 Boolean Injection code analysis 103
4.1.8 Error injection attack 104
4.1.9 Error injection code analysis 106
4.2 SQL Injection advanced 107
4.2.1 Time Injection Attack 107
4.2.2 Time Injection code analysis 109
4.2.3 Stack Query Injection Attack 110
4.2.4 Stack Query Injection Code Analysis 112
4.2.5 Secondary Injection 113
4.2.6 Secondary Injection Code Analysis 114
4.2.7 Wide Byte Injection Attack 116
4.2.8 Wide Byte injection Code Analysis 119
4.2.9 cookie injection Attack 120
4.2.10 cookie Injection Code Analysis 121
4.2.11 base64 Injection Attack 122
4.2.12 base64 Injection Code Analysis 123
4.2.13 XFF Injection Attack 124
4.2.14 XFF Injection Code Analysis 125
4.3 SQL Injection Bypass Technology 126
4.3.1 Case bypass injection 126
4.3.2 Double write bypassing injection 128
4.3.3 Encoding bypasses injection 129
4.3.4 Inlining comments bypasses injection 131
4.3.5 SQL Injection Repair Suggestion 131
4.4 XSS base 135
4.4.1 XSS Vulnerabilities 135
4.4.2 XSS Vulnerability Principle 135
4.4.3 Reflective XSS Attack 137
4.4.4 Reflection XSS Code Analysis 138
4.4.5 Storage XSS Attack 139
4.4.6 Stored XSS code analysis 140
4.4.7 DOM XSS attack 142
4.4.8 DOM XSS Code analysis 143
4.5XSS advanced 144
4.5.1 XSS Common Statements and codes bypass 144
4.5.2 Testing XSS Vulnerability 145 using the XSS Platform
4.5.3 XSS Vulnerability Repair Suggestions 148
4.6 CSRF Vulnerability 148
4.6.1 Describes CSRF Vulnerability 148
4.6.2 Principle of CSRF Vulnerability 148
4.6.3 Using CSRF Vulnerability 149
4.6.4 Analyzing CSRF vulnerability code 151
4.6.5 CSRF Vulnerability Repair Suggestion 155
4.7 SSRF Vulnerability 155
4.7.1 This section describes SSRF Vulnerability 155
4.7.2 SSRF Vulnerability Principle 155
4.7.3 SSRF vulnerability utilization 156
4.7.4 SSRF Vulnerability Code Analysis 157
4.7.5 SSRF Vulnerability Repair Suggestions 157
4.8 Uploading a File 158
4.8.1 Describes the File Upload Vulnerability 158
4.8.2 Knowledge about File Uploading 158
4.8.3 JS Detecting Bypass Attack 158
4.8.4 JS Detection Bypass Attack Analysis 160
4.8.5 File Suffix Bypass Attack 161
4.8.6 File Suffixes Bypass Code Analysis 162
4.8.7 File Type Bypass Attack 163
4.8.8 File Type Bypassing Code Analysis 164
4.8.9 File Truncation Bypass Attack 166
4.8.10 File Truncation bypasses code analysis 167
4.8.11 Competition Condition Attack 169
4.8.12 Competitive Condition Code Analysis 169
4.8.13 File Upload Repair Suggestion 170
4.9 Brute Force Cracking 170
4.9.1 Describes Brute-force Cracking Vulnerability 170
4.9.2 Brute-force Vulnerability 171
4.9.3 Brute-force Cracking Vulnerability Code Analysis 172
4.9.4 Brute-force Cracking Suggestion 172
4.10 Run the 173 command
4.10.1 Introduction to Command Execution Vulnerability 173
4.10.2 Command Execution Vulnerability Attack 173
4.10.3 Command Execution Vulnerability Code Analysis 175
4.10.4 Executing Vulnerability Repair Suggestion 175
4.11 Logical Vulnerability Mining 175
4.11.1 Logical Vulnerability 175
4.11.2 Unauthorized Access Attack 176
4.11.3 Logic Vulnerability: Unauthorized access Code Analysis 177
4.11.4 Unauthorized Access Repair Suggestion 179
4.12 XXE Vulnerability 179
4.12.1 This section describes Vulnerability 179 of XXE
4.12.2 XXE vulnerability 180
4.12.3 XXE Vulnerability Code Analysis 180
4.12.4 XXE Vulnerability Repair Suggestion 181
4.13 Those things about WAF
4.13.1 This section describes WAF 181
4.13.2 WAF Judgment 182
4.13.3 Some WAF bypass methods 184
Chapter 5 Metasploit Technology 188
5.1 Introduction to Metasploit 188
5.2 Metasploit Foundation 190
5.2.1 Technical Terms 190
5.2.2 Infiltration Attack Step 191
5.3 Host Scan 191
5.3.1 Scanning for Ports Using an Auxiliary Module 191
5.3.2 Scanning for Services Using the Auxiliary Module 193
5.3.3 Scanning 193 using Nmap
5.4 Vulnerability Utilization 195
5.5 Post-Penetration Attack: Information Collection 199
5.5.1 Migrating a Process 200
5.5.2 System Command 201
5.5.3 File System Command 208
5.6 Post Penetration Attack: Permission increased by 210
5.6.1 Using WMIC actual combat MS16-032 Local overflow Vulnerability 211
5.6.2 Token Theft 216
5.6.3 Hash Attack 219
5.7 Post-Penetration attack: Porting vulnerability exploits code module 229
5.7.1 Vulnerability Introduction, principle and Countermeasures of MS17-010. 229
5.7.2 Porting and exploiting the MS17-010 vulnerability to exploit code 230
5.8 Rear Penetration attack: Backdoor 233
5.8.1 Operating System Backdoor 233
5.8.2 Web Backdoor 237
5.9 Intranet Attack Zone Penetration Test Example 242
5.9.1 This section describes the Osmotic environment 242
5.9.2 Upgrading Rights 242
5.9.3 Collecting Information 245
5.9.4 Obtaining Permission on a Server 247
5.9.5 PowerShell Finds the domain Management Online Server
5.9.6 Obtaining Domain Management Permissions 252
5.9.7 Logging In to Domain Control 254
5.9.8 SMB blasting Intranet 257
5.9.9 Clearing Logs 259
Chapter 6 PowerShell Attack Guide 261
6.1 PowerShell Technology 261
6.1.1 Introduction to PowerShell 261
6.1.2 Basic Concepts of PowerShell 263
6.1.3 PowerShell common command 264
6.2 PowerSploit 266
6.2.1 PowerSploit Installation 266
6.2.2 PowerSploit Script Attack Actual 268
6.2.3 PowerUp Attack Module Description 275
6.2.4 PowerUp Attack Module Actual Combat 284
6.3 Empire 291
6.3.1 Introduction to Empire 291
6.3.2 Installation of Empire 292
6.3.3 Setting Listener 293
6.3.4 Generating Trojan 296
6.3.5 Connecting Hosts and Basic Usage 306
6.3.6 Information Collection 310
6.3.7 Permission Promotion 319
6.3.8 Lateral Penetration 324
6.3.9 Rear Door 330
6.3.10 Empire rebounds to Metasploit 333
6.4 Nishang 334
6.4.1 Nishang 334
6.4.2 Nishang module attacks Actual Combat 338
6.4.3 PowerShell hides communication tunnel 343
6.4.4 WebShell Backdoor 347
6.4.5 Permission Promotion 348
Chapter 7 Case Analysis 364
7.1 Code Audit Instance Analysis 364
7.1.1 SQL Injection Vulnerability 364
7.1.2 File Deletion Vulnerability 366
7.1.3 File Upload Vulnerability 367
7.1.4 Adding Administrator Vulnerability 373
7.1.5 Competition Condition vulnerability 378
7.2 Analysis of penetration test examples 380
7.2.1 Background blasting 380
7.2.2 SSRF+Redis obtains WebShell 383
7.2.3 Side attack 388
7.2.4 Resetting Password 391
7.2.5 SQL Injection 393
View All ↓
Preface/preface
The recommended sequence
After my old friend worked day and night, word by word, the book was finally published. I would like to express my thanks to the editor for bringing together many years of work experience into the book. I've been working in information security for 18 years, and I think this book is a great guide for anyone who wants to work in penetration testing. I in after reading the book, and friends say, I would recommend this book to Beijing zhong an nation institute of information technology "national 5 a-class information security personnel training" teaching material system and the "national information security emergency services personnel certification practice exam reference materials directory", an old friend replied, "the book of experiments will be launched soon, All the supporting experiments will be put on the cloud experimental platform of Honghei Network Security Academy for everyone to practice." It is a great blessing that readers will be able to read and practice at the same time!
I highly recommend professional penetration testing personnel, information security one
About Web security Attack and defense
Suitable audience: This book is suitable for enterprise security personnel, research and development personnel, ordinary colleges and universities network security discipline teaching and reference books, and as a network security enthusiasts self-study book.
Web Security Zero Basics introduction
From penetration test information collection to penetration offense and defense, learning penetration test this book is enough
Security expert practical explanation, from the principle to the scenario application
Content abstract
This book from the simple to the deep, comprehensive, systematic introduction of the current popular high-risk vulnerability attack means and defense methods, and strive to make the language easy to understand, simple and clear examples, easy for readers to read and understand. Combined with specific cases to explain, readers can be immersive, quickly understand and master the mainstream vulnerability utilization technology and penetration testing skills. A background in penetration testing is not required for this book, but relevant experience will be helpful. This book can also be used as a teaching material for information security in universities and colleges.
Author's brief introduction
Xu Yan is a security researcher at the Yangtze River Delta Institute of Beijing Jiaotong University. I got involved in network security in 2002, and my main research direction is Intranet penetration and APT attack. I have rich experience in network security penetration. Has published a book "Network attack and defense practical research: Vulnerability exploitation and rights", has published a number of technical articles in "Hacker Defense", "Hacker X-Files", "Hacker Handbook", FreeBuf, 360 security customer, Ali Cloud Shield Prophet, Shouhao and other magazines and media. Li Wenxuan, common ID: Oblivion. He used to be a penetration test engineer of Tianrongxin, and now he is a security researcher of Qihoo 360 Attack and Defense Laboratory. He is good at penetration testing and radio security. He has been active in multiple vulnerability reporting platforms, reported multiple CVE vulnerabilities, and participated in the editorial review of 360 Security Quarterly. Dong-a Wang, common ID 0xExploit. He used to be the senior security consultant of Green Alliance Technology and Tianrongxin. Now he is the security director of Anhui Sanshi and the initiator of ATK team. Good at penetration testing and code audit, active in multiple vulnerability reporting platforms, reported thousands of security vulnerabilities, including multiple CNVD, CVE vulnerabilities. He has published several professional technical articles in FreeBuf, Green League Technology Quarterly and other magazines and media, and won many CTF competition rankings.
directory
Chapter 1 Information Collection for Penetration Testing 1
1.1 Collecting Domain Name Information 1
1.1.1 Whois Query 1
1.1.2 Record Information Query 2
1.2 Collecting Sensitive Information 2
1.3 Collecting Subdomain Name Information 4
1.4 Collecting Common Port Information 7
1.5 Fingerprint recognition 10
1.6 Searching for the Real IP Address 11
1.7 Collecting Sensitive Directory Files 14
1.8 Social Engineering 15
Chapter 2 Build vulnerability environment and actual combat 17
2.1 Installing LANMP 17 on a Linux VM
2.2 Installing WAMP 19 on a Windows VM
2.3 Build DVWA vulnerability environment 21
2.4 Building an SQL Injection Platform 23
2.5 Building XSS Test Platform 24
Chapter 3 Common penetration testing tools 28
3.1 SQLMap Details 28
3.1.1 Installing SQLMap 28
3.1.2 SQLMap Introduction 29
3.1.3 SQLMap Advanced: Parameter Description 36
3.1.4 SQLMap comes with an explanation to bypass script tamper 40
3.2 Details of Burp Suite 50
3.2.1 Installation of Burp Suite 50
3.2.2 Getting Started with Burp Suite 51
3.2.3 Burp Suite 55
3.3 Details of Nmap 70
3.3.1 Installing Nmap 71
3.3.2 Nmap 101
3.3.3 Nmap advanced 83
Chapter 4 Web Security Principles 90
4.1 Basics of SQL injection 90
4.1.1 Introduction to SQL injection 90
4.1.2 Principles of SQL injection 90
4.1.3 Knowledge Points related to MySQL injection 91
4.1.4 Union Injection Attack 95
4.1.5 Union Injection Code Analysis 99
4.1.6 Boolean Injection attack 99
4.1.7 Boolean Injection code analysis 103
4.1.8 Error injection attack 104
4.1.9 Error injection code analysis 106
4.2 SQL Injection advanced 107
4.2.1 Time Injection Attack 107
4.2.2 Time Injection code analysis 109
4.2.3 Stack Query Injection Attack 110
4.2.4 Stack Query Injection Code Analysis 112
4.2.5 Secondary Injection 113
4.2.6 Secondary Injection Code Analysis 114
4.2.7 Wide Byte Injection Attack 116
4.2.8 Wide Byte injection Code Analysis 119
4.2.9 cookie injection Attack 120
4.2.10 cookie Injection Code Analysis 121
4.2.11 base64 Injection Attack 122
4.2.12 base64 Injection Code Analysis 123
4.2.13 XFF Injection Attack 124
4.2.14 XFF Injection Code Analysis 125
4.3 SQL Injection Bypass Technology 126
4.3.1 Case bypass injection 126
4.3.2 Double write bypassing injection 128
4.3.3 Encoding bypasses injection 129
4.3.4 Inlining comments bypasses injection 131
4.3.5 SQL Injection Repair Suggestion 131
4.4 XSS base 135
4.4.1 XSS Vulnerabilities 135
4.4.2 XSS Vulnerability Principle 135
4.4.3 Reflective XSS Attack 137
4.4.4 Reflection XSS Code Analysis 138
4.4.5 Storage XSS Attack 139
4.4.6 Stored XSS code analysis 140
4.4.7 DOM XSS attack 142
4.4.8 DOM XSS Code analysis 143
4.5XSS advanced 144
4.5.1 XSS Common Statements and codes bypass 144
4.5.2 Testing XSS Vulnerability 145 using the XSS Platform
4.5.3 XSS Vulnerability Repair Suggestions 148
4.6 CSRF Vulnerability 148
4.6.1 Describes CSRF Vulnerability 148
4.6.2 Principle of CSRF Vulnerability 148
4.6.3 Using CSRF Vulnerability 149
4.6.4 Analyzing CSRF vulnerability code 151
4.6.5 CSRF Vulnerability Repair Suggestion 155
4.7 SSRF Vulnerability 155
4.7.1 This section describes SSRF Vulnerability 155
4.7.2 SSRF Vulnerability Principle 155
4.7.3 SSRF vulnerability utilization 156
4.7.4 SSRF Vulnerability Code Analysis 157
4.7.5 SSRF Vulnerability Repair Suggestions 157
4.8 Uploading a File 158
4.8.1 Describes the File Upload Vulnerability 158
4.8.2 Knowledge about File Uploading 158
4.8.3 JS Detecting Bypass Attack 158
4.8.4 JS Detection Bypass Attack Analysis 160
4.8.5 File Suffix Bypass Attack 161
4.8.6 File Suffixes Bypass Code Analysis 162
4.8.7 File Type Bypass Attack 163
4.8.8 File Type Bypassing Code Analysis 164
4.8.9 File Truncation Bypass Attack 166
4.8.10 File Truncation bypasses code analysis 167
4.8.11 Competition Condition Attack 169
4.8.12 Competitive Condition Code Analysis 169
4.8.13 File Upload Repair Suggestion 170
4.9 Brute Force Cracking 170
4.9.1 Describes Brute-force Cracking Vulnerability 170
4.9.2 Brute-force Vulnerability 171
4.9.3 Brute-force Cracking Vulnerability Code Analysis 172
4.9.4 Brute-force Cracking Suggestion 172
4.10 Run the 173 command
4.10.1 Introduction to Command Execution Vulnerability 173
4.10.2 Command Execution Vulnerability Attack 173
4.10.3 Command Execution Vulnerability Code Analysis 175
4.10.4 Executing Vulnerability Repair Suggestion 175
4.11 Logical Vulnerability Mining 175
4.11.1 Logical Vulnerability 175
4.11.2 Unauthorized Access Attack 176
4.11.3 Logic Vulnerability: Unauthorized access Code Analysis 177
4.11.4 Unauthorized Access Repair Suggestion 179
4.12 XXE Vulnerability 179
4.12.1 This section describes Vulnerability 179 of XXE
4.12.2 XXE vulnerability 180
4.12.3 XXE Vulnerability Code Analysis 180
4.12.4 XXE Vulnerability Repair Suggestion 181
4.13 Those things about WAF
4.13.1 This section describes WAF 181
4.13.2 WAF Judgment 182
4.13.3 Some WAF bypass methods 184
Chapter 5 Metasploit Technology 188
5.1 Introduction to Metasploit 188
5.2 Metasploit Foundation 190
5.2.1 Technical Terms 190
5.2.2 Infiltration Attack Step 191
5.3 Host Scan 191
5.3.1 Scanning for Ports Using an Auxiliary Module 191
5.3.2 Scanning for Services Using the Auxiliary Module 193
5.3.3 Scanning 193 using Nmap
5.4 Vulnerability Utilization 195
5.5 Post-Penetration Attack: Information Collection 199
5.5.1 Migrating a Process 200
5.5.2 System Command 201
5.5.3 File System Command 208
5.6 Post Penetration Attack: Permission increased by 210
5.6.1 Using WMIC actual combat MS16-032 Local overflow Vulnerability 211
5.6.2 Token Theft 216
5.6.3 Hash Attack 219
5.7 Post-Penetration attack: Porting vulnerability exploits code module 229
5.7.1 Vulnerability Introduction, principle and Countermeasures of MS17-010. 229
5.7.2 Porting and exploiting the MS17-010 vulnerability to exploit code 230
5.8 Rear Penetration attack: Backdoor 233
5.8.1 Operating System Backdoor 233
5.8.2 Web Backdoor 237
5.9 Intranet Attack Zone Penetration Test Example 242
5.9.1 This section describes the Osmotic environment 242
5.9.2 Upgrading Rights 242
5.9.3 Collecting Information 245
5.9.4 Obtaining Permission on a Server 247
5.9.5 PowerShell Finds the domain Management Online Server
5.9.6 Obtaining Domain Management Permissions 252
5.9.7 Logging In to Domain Control 254
5.9.8 SMB blasting Intranet 257
5.9.9 Clearing Logs 259
Chapter 6 PowerShell Attack Guide 261
6.1 PowerShell Technology 261
6.1.1 Introduction to PowerShell 261
6.1.2 Basic Concepts of PowerShell 263
6.1.3 PowerShell common command 264
6.2 PowerSploit 266
6.2.1 PowerSploit Installation 266
6.2.2 PowerSploit Script Attack Actual 268
6.2.3 PowerUp Attack Module Description 275
6.2.4 PowerUp Attack Module Actual Combat 284
6.3 Empire 291
6.3.1 Introduction to Empire 291
6.3.2 Installation of Empire 292
6.3.3 Setting Listener 293
6.3.4 Generating Trojan 296
6.3.5 Connecting Hosts and Basic Usage 306
6.3.6 Information Collection 310
6.3.7 Permission Promotion 319
6.3.8 Lateral Penetration 324
6.3.9 Rear Door 330
6.3.10 Empire rebounds to Metasploit 333
6.4 Nishang 334
6.4.1 Nishang 334
6.4.2 Nishang module attacks Actual Combat 338
6.4.3 PowerShell hides communication tunnel 343
6.4.4 WebShell Backdoor 347
6.4.5 Permission Promotion 348
Chapter 7 Case Analysis 364
7.1 Code Audit Instance Analysis 364
7.1.1 SQL Injection Vulnerability 364
7.1.2 File Deletion Vulnerability 366
7.1.3 File Upload Vulnerability 367
7.1.4 Adding Administrator Vulnerability 373
7.1.5 Competition Condition vulnerability 378
7.2 Analysis of penetration test examples 380
7.2.1 Background blasting 380
7.2.2 SSRF+Redis obtains WebShell 383
7.2.3 Side attack 388
7.2.4 Resetting Password 391
7.2.5 SQL Injection 393
View All ↓
Preface/preface
The recommended sequence
After my old friend worked day and night, word by word, the book was finally published. I would like to express my thanks to the editor for bringing together many years of work experience into the book. I've been working in information security for 18 years, and I think this book is a great guide for anyone who wants to work in penetration testing. I in after reading the book, and friends say, I would recommend this book to Beijing zhong an nation institute of information technology "national 5 a-class information security personnel training" teaching material system and the "national information security emergency services personnel certification practice exam reference materials directory", an old friend replied, "the book of experiments will be launched soon, All the supporting experiments will be put on the cloud experimental platform of Honghei Network Security Academy for everyone to practice." It is a great blessing that readers will be able to read and practice at the same time!
I highly recommend professional penetration testing personnel, information security one