security - a roundup of questions people keep asking ^_^ security questions


The kinds of XSS   https://blog.csdn.net/qq_43679507/article/details/84105722

1. Reflected XSS, e.g.   baidu.com?name=<script>alert(1)</script>

Send a link like this to someone; when they click it, the server echoes the name parameter straight back into the page (for example into an input's value). If the site does not escape the <script> when it reflects the parameter, the script runs in the victim's browser and the alert pops.

2. Stored XSS

E.g. the attacker submits a piece of script through some form. When the administrator views the submission in the backend, the script runs in the administrator's session.

Fix: escape user-submitted form data before saving it to the database. Strictly, the reliable fix is to encode on output, for the context the value is rendered into (HTML body, attribute, JavaScript string); encoding once on input only holds up if the value is ever shown in a single context.

3. DOM-based XSS

a.com#javascript:alert(1)

a.com#vbscript:

a.com#data:

All three above are pseudo-protocols ( javascript: , vbscript: , data: ). They fire when client-side code copies location.hash (or another attacker-controlled source) into a URL sink such as location.href, a.href or iframe.src without checking the scheme.

There are also event-handler attributes: <img src=2 onerror="javascript..."   onload="javascript...."   (a src that fails to load fires onerror with no user interaction)

Remember CSS could carry this kind of thing too (legacy IE: expression() and javascript: inside url()).
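The two defences the three XSS variants above call for, as an added example that is not part of the original post: context-aware output encoding for reflected and stored values, and a scheme check for DOM sinks that accept URLs. The input strings and the input-field template are constructed for the example; is_safe_url normalises the way browsers do (leading whitespace and control characters in the scheme are ignored and the scheme is case-insensitive), so "java\tscript:" is rejected as well.

```python
import html
import re

# Added example (not code from the original page).
_CTRL_AND_SPACE = re.compile(r"[\x00-\x20]")
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def encode_for_html(untrusted: str) -> str:
    """Entity-encode a value for an HTML text or quoted-attribute context."""
    return html.escape(untrusted, quote=True)


def is_safe_url(url: str) -> bool:
    """Reject pseudo-protocol URLs before they reach location/href/src.
    Browsers strip ASCII control characters and spaces inside the scheme and
    compare it case-insensitively, so normalise first or 'java\\tscript:' slips by."""
    normalised = _CTRL_AND_SPACE.sub("", url).lower()
    return not normalised.startswith(DANGEROUS_SCHEMES)


def render_name_field(name: str) -> tuple:
    """Reflected XSS before/after: the vulnerable template interpolates `name` raw,
    the hardened one entity-encodes it. Returns (vulnerable_html, hardened_html)."""
    vulnerable = f'<input name="name" value="{name}">'
    hardened = f'<input name="name" value="{encode_for_html(name)}">'
    return vulnerable, hardened


def dom_redirect_target(fragment: str, default: str = "/") -> str:
    """Models the DOM sink `location = location.hash.slice(1)`: a.com#javascript:alert(1)
    would execute unless the scheme is checked; fall back to a safe default."""
    target = fragment[1:] if fragment.startswith("#") else fragment
    return target if is_safe_url(target) else default


if __name__ == "__main__":
    print(render_name_field('"><script>alert(1)</script>')[1])
    print(dom_redirect_target("#javascript:alert(1)"))
    print(dom_redirect_target("# \tJaVaScRiPt:alert(1)"))
    print(dom_redirect_target("#/account"))
```

A block-list of schemes is the minimum; where the application only ever needs http(s) or relative paths, an allow-list on the scheme is stricter. For event-handler attributes (onerror, onload) the rule is simpler: untrusted input never goes into an attribute name or into a handler's value at all.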

Talk about hooking frameworks (hook)

1. frida: a very powerful hooking framework that can hook on Android, iOS, Windows and other systems.

The frida client (frida-tools) is installed on the PC and runs scripts directly: a Python script embeds the JavaScript hook code, which is injected into the target process on Android.

frida-server is installed on the Android device.

2. EdXposed

Both need a rooted device. (frida can also work without root by repackaging the APK with frida-gadget embedded.)
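The PC-side script described above (Python wrapping JavaScript), as an added example that is not from the original post or from the frida project: it spawns the app on a USB-connected phone running frida-server, hooks a real Android API (javax.crypto.spec.SecretKeySpec's constructor) to log every symmetric key the app builds, and prints what the hook send()s. The package name com.example.target is a placeholder; frida is imported lazily so the file also loads on a machine without frida-tools.

```python
import json
import sys

# Added example (not code from the original page). This JavaScript is what the
# Python side pushes into the target process; frida evaluates it on the phone.
HOOK_JS = r"""
Java.perform(function () {
  // Log every symmetric key the app constructs, then let the original run.
  var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
  SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (keyBytes, algorithm) {
    var hex = '';
    for (var i = 0; i < keyBytes.length; i++) {
      hex += ('0' + (keyBytes[i] & 0xff).toString(16)).slice(-2);   // Java bytes are signed
    }
    send({ hook: 'SecretKeySpec.<init>', algorithm: algorithm, key_hex: hex });
    return this.$init(keyBytes, algorithm);
  };
});
"""


def format_message(message: dict, data=None) -> str:
    """Turn one frida message (from send() in the script, or a script error) into a log line."""
    if message.get("type") == "send":
        return "[hook] " + json.dumps(message["payload"], sort_keys=True)
    if message.get("type") == "error":
        return "[error] " + (message.get("stack") or message.get("description", ""))
    return "[?] " + repr(message)


def on_message(message, data):
    print(format_message(message, data))


def attach_and_hook(package: str) -> None:
    import frida  # lazy import: only needed on the PC where frida-tools is installed

    device = frida.get_usb_device()
    pid = device.spawn([package])          # spawn rather than attach so hooks exist before app init
    session = device.attach(pid)
    script = session.create_script(HOOK_JS)
    script.on("message", on_message)
    script.load()
    device.resume(pid)
    print("[*] hooks installed, press Ctrl-D to exit")
    sys.stdin.read()


if __name__ == "__main__":
    attach_and_hook(sys.argv[1] if len(sys.argv) > 1 else "com.example.target")
```

Run it as python hook_keys.py com.example.target with frida-server already started as root on the phone; the frida version on the PC must match the one on the device.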

Which tools do you use for code audits

Fortify

Internal network (intranet) penetration

Pick any CVE and explain how the vulnerability works

EternalBlue, CVE-2017. An attack on the SMBv1 implementation that chains three bugs: 1. an out-of-bounds memory write; 2. a bypass of the length limit on that write; 3. grooming the memory layout so the attacker's data lands where the write goes.
Heartbleed, CVE-2014. A bug in OpenSSL's 1.0.1 series (the library, not the SSL/TLS protocol): a TLS heartbeat request carries a payload length field, and the server echoed that many bytes back without checking that the request actually contained them. A request claiming up to 64 KB but carrying only a few bytes gets up to 64 KB of adjacent heap memory back; repeat it a few hundred times and plenty of keys, cookies and passwords fall out.
XStream (used by Struts2's REST plugin), CVE-2020 and several others. These are deserialization bugs: turning attacker-supplied XML back into Java objects lets the attacker choose which classes get instantiated, and certain gadget classes execute code while being constructed.
Tomcat CGI servlet: CVE-2019, enableCmdLineArguments. Requires Windows; the CGI servlet passes the decoded query string to the .bat script as command-line arguments, and a & inside those arguments starts a second command:
http://localhost:8080/cgi-bin/hello.bat?& C%3A%5CWindows%5CSystem32%5Cnet.exe+user
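The Heartbleed mechanics described above, as an added Python model that is not from the original post or from OpenSSL: a heartbeat record is type(1) | payload_length(2) | payload | padding(16); the unpatched handler copies payload_length bytes out of the receive buffer without comparing it to the record it actually got, the patched one drops any record whose declared payload does not fit. The heap contents and the leaked login string are constructed for the example.

```python
import struct

# Added example (not code from the original page): a model of the Heartbleed over-read.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Client side: a heartbeat request whose length field may lie about the payload."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(mem: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour. `mem` is the receive buffer followed by whatever else sits
    in the process heap; record_len (the real size) is deliberately ignored, as it was."""
    hb_type, payload_length = struct.unpack_from("!BH", mem, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = mem[3:3 + payload_length]   # the memcpy: reads past the end of the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * PADDING_LEN


def fixed_handler(mem: bytes, record_len: int) -> bytes:
    """Post-fix behaviour: header + declared payload + padding must fit inside the
    record that was actually received, otherwise the message is silently dropped."""
    if record_len < 1 + 2 + PADDING_LEN:
        return b""
    hb_type, payload_length = struct.unpack_from("!BH", mem, 0)
    if hb_type != HEARTBEAT_REQUEST or 1 + 2 + payload_length + PADDING_LEN > record_len:
        return b""
    payload = mem[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * PADDING_LEN


def leaked(response: bytes, sent_payload: bytes) -> bytes:
    """Bytes echoed back that the client never sent (the response's own padding excluded)."""
    if not response:
        return b""
    _, echoed_len = struct.unpack_from("!BH", response, 0)
    return response[3 + len(sent_payload):3 + echoed_len]


def demo():
    """Claim 16 KiB, ship 3 bytes; returns (leak_from_vulnerable, leak_from_fixed)."""
    sent = b"hi!"
    record = build_heartbeat(sent, claimed_length=0x4000)
    # Constructed heap contents: our record, then leftovers from another connection.
    heap = record + b"POST /login HTTP/1.1 ... user=admin&password=hunter2\r\n" + b"\x00" * 40
    return leaked(vulnerable_handler(heap, len(record)), sent), leaked(fixed_handler(heap, len(record)), sent)


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable leaked:", vuln)
    print("fixed leaked:     ", fixed)
```

In Python the slice simply stops at the end of the buffer; in C the memcpy walks on through whatever the allocator placed after the record, which is why the leak is whatever the process happened to hold at that moment rather than anything the attacker chooses.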

Talk about WAFs

If the target machine is hidden behind a CDN and you have obtained a low-privilege shell on it, how do you get a connection back out to the internet?

How to escalate privileges

Windows: many ways.
Linux: many ways.
https://blog.csdn.net/qq_43233085/article/details/108068439?spm=1001.2101.3001.6650.6&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromBaidu%7Edefault-6.no_search_link&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromBaidu%7Edefault-6.no_search_link
Via vulnerable software, via an MSF payload, via a CVE privilege-escalation exploit: identify the OS and kernel version and look up the matching EXP.
Linux: kernel exploits, e.g. Dirty COW.
linux-exploit-suggester lists candidate exploits for the running kernel and installed software.
SUID: a binary with the SUID bit whose owner is root runs with root's effective UID even when a normal user starts it, so any such binary that can spawn a shell or write files is an escalation path (find / -perm -4000 -type f 2>/dev/null lists them).
Some nmap versions (interactive mode, 2.02 to 5.21) give a root shell via nmap --interactive followed by !sh.
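The SUID enumeration and triage described above, as an added example that is not from the original post: scan_filesystem is the equivalent of the find command, and triage keeps only root-owned SUID files (the process inherits the owner's euid, so a SUID binary owned by an ordinary user is not a route to root) and flags those whose names GTFOBins lists as shell-capable. The two name sets are a subset constructed for the example, and the sample entries in the usage are constructed too.

```python
import os
import stat

# Added example (not code from the original page).
# Programs GTFOBins documents as giving a shell or file write when SUID root (subset, by name).
SHELL_CAPABLE = {
    "bash", "sh", "dash", "zsh", "python", "python2", "python3", "perl", "ruby", "lua",
    "find", "vim", "vi", "nano", "less", "more", "awk", "gawk", "env", "nmap",
    "cp", "mv", "tee", "tar", "zip", "tclsh", "node", "php", "socat",
}
# SUID-root programs expected on a stock Linux install: not a finding by themselves.
EXPECTED = {
    "passwd", "sudo", "su", "mount", "umount", "ping", "chsh", "chfn", "newgrp",
    "gpasswd", "pkexec", "fusermount", "fusermount3",
}


def scan_filesystem(root: str = "/"):
    """Yield (path, st_mode, st_uid) for every regular file with the SUID bit set:
    the Python equivalent of `find / -perm -4000 -type f 2>/dev/null`."""
    skip = {"/proc", "/sys", "/dev"}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid


def triage(entries) -> dict:
    """Sort SUID files into abusable / expected / review. Only root-owned ones matter
    for privesc, because the process runs with the *owner's* effective UID."""
    findings = {"abusable": [], "expected": [], "review": []}
    for path, mode, uid in entries:
        if uid != 0 or not (mode & stat.S_ISUID):
            continue
        name = os.path.basename(path)
        if name in SHELL_CAPABLE:
            findings["abusable"].append(path)
        elif name in EXPECTED:
            findings["expected"].append(path)
        else:
            findings["review"].append(path)   # unknown SUID-root binary: check its version and CVEs
    return findings


if __name__ == "__main__":
    import json
    import sys

    print(json.dumps(triage(scan_filesystem(sys.argv[1] if len(sys.argv) > 1 else "/")), indent=2))
```

Anything in "review" is worth a second look even if it is not in a public list: custom SUID helpers left by an installer are a frequent way in on real boxes.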
How to maintain access (persistence)

Incident response?

Android decompilation

Not much to say here,

apktool -> dex/smali (decode the APK; classes.dex is also just inside the zip)

frida -> dex (dump the dex out of the running process, for packed apps)

dex -> jar (dex2jar)

jar -> class

class -> java (a decompiler such as jd-gui or jadx)

Modify the smali.

Rebuild with apktool, then sign with apksigner (an unsigned rebuilt APK will not install).
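A dex dumped from memory or patched by hand often carries a stale header, and the rebuild step stumbles on it; as an added example that is not from the original post or from any of the tools above, this checks and repairs the parts of the dex header that tools verify (magic, Adler-32 checksum over everything after it, SHA-1 signature over everything after that, file_size). The sample dex is a constructed header-only file.

```python
import hashlib
import struct
import zlib

# Added example (not code from the original page).
# dex header: magic[8] checksum:u4 signature[20] file_size:u4 header_size:u4 endian_tag:u4 ...
DEX_MAGIC_PREFIX = b"dex\n"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def check_dex(blob: bytes) -> list:
    """Return the problems found in a dex header (empty list means it looks intact)."""
    problems = []
    if len(blob) < HEADER_SIZE:
        return ["truncated: shorter than a dex header"]
    if blob[:4] != DEX_MAGIC_PREFIX or blob[7:8] != b"\x00":
        problems.append("bad magic")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    if checksum != (zlib.adler32(blob[12:]) & 0xFFFFFFFF):
        problems.append("adler32 checksum mismatch")
    if blob[12:32] != hashlib.sha1(blob[32:]).digest():
        problems.append("sha1 signature mismatch")
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    if file_size != len(blob):
        problems.append(f"file_size {file_size} != actual {len(blob)}")
    if header_size != HEADER_SIZE:
        problems.append("unexpected header_size")
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("endian_tag is not the little-endian constant")
    return problems


def repair_dex(blob: bytes) -> bytes:
    """Recompute file_size, then the SHA-1 signature, then the Adler-32 checksum:
    each field is covered by the ones computed after it, so the order matters."""
    b = bytearray(blob)
    struct.pack_into("<I", b, 32, len(b))
    b[12:32] = hashlib.sha1(bytes(b[32:])).digest()
    struct.pack_into("<I", b, 8, zlib.adler32(bytes(b[12:])) & 0xFFFFFFFF)
    return bytes(b)


def minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only dex with valid magic, sizes and digests."""
    b = bytearray(HEADER_SIZE)
    b[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<III", b, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    return repair_dex(bytes(b))


if __name__ == "__main__":
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else minimal_dex()
    print(check_dex(data) or "header ok")
```

Run it on a dumped classes.dex to see why a tool rejected it; for a pure checksum/signature mismatch, repair_dex and write the bytes back out before handing the file to dex2jar.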

API request signing

Very simple: public key, private key, base64, signature, timestamp.
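The scheme those five words describe, worked through as an added example that is not from the original post: here the "public key" is read as an app identifier sent in the clear and the "private key" as a shared secret used as an HMAC key, which is the usual shape of this kind of API signature. The app key, secret, and request parameters are constructed for the example; the server side also keeps a nonce set so a captured request cannot be replayed inside the timestamp window.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Added example (not code from the original page). Constructed credentials:
APP_KEY = "demo-app"                                   # "public key": identifies the caller
APP_SECRETS = {"demo-app": b"correct horse battery staple"}   # "private key": shared secret
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, params: dict) -> str:
    """Both sides must serialise identically, so sort the parameters by name."""
    return "\n".join([method.upper(), path, urlencode(sorted(params.items()))])


def sign_request(method, path, params, app_key, secret, now=None, nonce=None) -> dict:
    """Client side: return params plus app_key, timestamp, nonce and a base64 HMAC-SHA256."""
    signed = dict(params)
    signed["app_key"] = app_key
    signed["timestamp"] = str(int(time.time() if now is None else now))
    signed["nonce"] = nonce or secrets.token_hex(8)
    mac = hmac.new(secret, canonical_string(method, path, signed).encode(), hashlib.sha256).digest()
    signed["signature"] = base64.b64encode(mac).decode()
    return signed


def verify_request(method, path, params, seen_nonces: set, now=None) -> tuple:
    """Server side: (ok, reason). Checks key, freshness, replay, then the MAC in constant time."""
    params = dict(params)
    sig = params.pop("signature", None)
    secret = APP_SECRETS.get(params.get("app_key"))
    if sig is None or secret is None:
        return False, "unknown app_key or missing signature"
    try:
        ts = int(params.get("timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time() if now is None else now)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    nonce = params.get("nonce")
    if not nonce or nonce in seen_nonces:
        return False, "replayed or missing nonce"
    try:
        got = base64.b64decode(sig, validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return False, "bad signature encoding"
    expected = hmac.new(secret, canonical_string(method, path, params).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, got):
        return False, "signature mismatch"
    seen_nonces.add(nonce)                   # only remember nonces of requests that verified
    return True, "ok"


if __name__ == "__main__":
    req = sign_request("GET", "/api/user", {"id": "42"}, APP_KEY, APP_SECRETS[APP_KEY])
    print(req)
    print(verify_request("GET", "/api/user", req, set()))
```

The nonce set only needs to hold entries for MAX_SKEW_SECONDS, since anything older fails the timestamp check anyway.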

Have you worked on overseas websites?

Blind SQL injection?

Boolean-based blind
Time-based blind
SQLi: where do the database and table names come from?   select database()
the information_schema tables
MySQL:   information_schema
More on SQLi: http://siwei.me/blog/posts/sqlilab-mysql

Code review / Security Audit

https://www.comparitech.com/net-admin/network-security-auditing-tools/

Mostly done with tools

Nessus: the best-known vulnerability scanner

PhpCodeChecker: specifically checks PHP

Here is our list of the eleven best network security auditing tools:

SolarWinds Access Rights Manager – FREE TRIAL An access control system that helps protect the user accounts and device access. This tool also includes extensive network and system auditing tools. It runs on Windows Server.
Syxsense Manage – FREE TRIAL A cloud-based system management service that is able to document and monitor networked endpoints across sites.
ManageEngine ADAudit Plus – FREE TRIAL Analyze user access accounts, log user activity, and audit the system for data security standards. It runs on Windows Server.
Papertrail – FREE TRIAL A cloud-based log manager and audit archiving service that includes data searching and analysis features.
ManageEngine Log360 – FREE TRIAL This SIEM includes log management for an audit trail and also provides compliance reporting. Runs on Windows Server.
LogicGate A cloud-based IT governance, risk assessment, and security standards auditing tool.
Splunk Enterprise Security A network security system that includes incident response auditing and standards compliance auditing.
Intruder.io A cloud-based monthly vulnerability scanner with an on-demand scanning function, software inventory analysis, and the services of a pen-testing team.
Netwrix Auditor A network security auditing tool that includes configuration management and protection. It installs on Windows and Windows Server.
Acunetix A suite of software testing tools that focus on the vulnerabilities in Web applications. It is available for Windows, macOS, and Linux.
Nessus A vulnerability assessment tool in free and paid versions that includes auditing reports. It is available for Windows, macOS, and Linux.
