
Tactical Web Application Penetration Testing Methodology

Phase 1: Open Source

filetype:php | filetype:pl | filetype:cgi | filetype:rb | filetype:py inurl:targetcompany.com site:targetcompany.com

phpinfo.php

Sitemap.xml

Send a bounce email to a nonexistent address at targetcompany.com so you can read the header info from the Mailer Daemon returned email response.

You can usually get the IP address of the mail server this way and get an idea of the internal IP range.

Phase 2: Platform Determination

1 Determine if the target is virtually hosted

Extension   Technology                              Server Platform
.pl         Perl CGI script                         Generic; usually web servers running on Unix
.cgi        Can be any scripting language
.py         Python
.rb         Ruby
.asp        Active Server Pages                     Microsoft IIS
.aspx       ASP+                                    Microsoft .NET
.asmx       ASP.NET WebServer
.php        PHP script                              Generic; usually interfaced with Apache
.cfm        ColdFusion                              Generic; usually interfaced with Microsoft IIS
.cfml       ColdFusion Markup Language
.nsf        Lotus Domino                            Lotus Domino server
.jsp        Java Server Page                        Various platforms
.jnlp       Java WebStart File (formatted in XML)
.do         Java Struts                             Various platforms

6 Determine if the site uses Application Pages or Functional Paths

7 Look for server mis-configurations

* Microsoft ASP.NET Debugging Enabled


Phase 4: Manual Attack Surface Mapping

Phase 4a) Look for the big vulnerabilities

1 Does this page or something on this page talk to a database, or another system?

2 Can I or any other website user see what I type?

3 Does this page or something on this page reference a local or remote file?

* If so, test for Local/Remote File Includes

4 Does this page appear to be passing user input to a system() function, or processing a block of code that is supplied from user input?

Phase 4b) Look for the less popular vulnerabilities

1 Inference from Published Content

Navigate to the POST line and modify the relative path to an absolute path. This

BEFORE

<form id="form_id" method="post" action="action.php" onsubmit="javascript:return validate('form_id','email');">
  <input type="text" id="email" name="email" />
  <input type="submit" value="Submit" />
</form>

AFTER

<form id="form_id" method="post" action="www.victim.com/action.php" onsubmit="javascript:return validate('form_id','email');">
  <input type="text" id="email" name="email" />
  <input type="submit" value="Submit" />
</form>

probably looks similar to this:

function validate(form_id,email) {
  var reg =

or

# openssl s_client -no_tls1 -no_ssl3 -connect www.targetcompany.com:443

or Nessus, Acunetix, or a similar vulnerability scanner

Phase 5: Manual Attacks

Manual SQL Injection (ASP/MS SQL Server)

Error returned: Column '[tablename_COLUMNNAME]' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

ERROR SQL INJECTION: EXTRACT DATABASE USER

Error returned: Syntax error converting the nvarchar value '[DBUSER]' to a column of data type int.

ERROR SQL INJECTION: EXTRACT DATABASE NAME

Error returned: Syntax error converting the nvarchar value '[DBNAME]' to a column of data type int.

ERROR SQL INJECTION: EXTRACT DATABASE VERSION

Error returned: Syntax error converting the nvarchar value '[DBVERSION]' to a column of data type int.

Error returned: Syntax error converting the nvarchar value '[SERVERNAME]' to a column of data type int.

Number of columns enumeration

Using ORDER BY to determine the number of columns in a given query string, for use with blind SQL injection.

process of elimination to determine the number of columns. Next we would halve the number

ERROR SQL INJECTION: LIST DATABASES

ERROR SQL INJECTION: EXTRACT 1st DATABASE TABLE

Error returned: Syntax error converting the nvarchar value '[TABLENAME]' to a column of data type int.

ERROR SQL INJECTION: EXTRACT 1st TABLE COLUMN NAME

Error returned: Syntax error converting the nvarchar value '[COLUMNNAME]' to a column of data type int.

ERROR SQL INJECTION: EXTRACT 2nd TABLE COLUMN NAME

ERROR SQL INJECTION: EXTRACT 3rd TABLE COLUMN NAME

ERROR SQL INJECTION: EXTRACT 1st FIELD OF 1st ROW

Error returned: Syntax error converting the nvarchar value '[FIELDVALUE]' to a column of data type int.

ERROR SQL INJECTION: EXTRACT 2nd FIELD OF 1st ROW

ERROR SQL INJECTION: EXTRACT 1st FIELD OF 2nd ROW

Error returned (UNION with the wrong column count): All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

NO ERROR

UNION SQL INJECTION: Column Type Enumeration
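The three MS SQL Server error strings this section relies on, turned into a log-scanning check that a defender can run over application error logs. This is an added example, not part of the original document; the log-line format, the technique labels and the sample lines are constructed assumptions.

```python
import re

# MS SQL Server error strings this methodology relies on, as regexes. The
# bracketed placeholders on the page ([DBUSER], [TABLENAME], ...) appear as
# real values inside the quotes of a live error, so they are captured as "leak".
ERROR_SIGNATURES = {
    "conversion-leak": re.compile(
        r"Syntax error converting the nvarchar value '(?P<leak>[^']*)' "
        r"to a column of data type int", re.IGNORECASE),
    "group-by-column-leak": re.compile(
        r"Column '(?P<leak>[^']+)' is invalid in the select list because it is "
        r"not contained in an aggregate function and there is no GROUP BY clause",
        re.IGNORECASE),
    "union-column-count-probe": re.compile(
        r"All queries in an SQL statement containing a UNION operator must have "
        r"an equal number of expressions in their target lists", re.IGNORECASE),
}

def classify_error(line):
    """(technique, leaked_value) if the line carries a signature, else None."""
    for technique, pattern in ERROR_SIGNATURES.items():
        match = pattern.search(line)
        if match:
            return technique, match.groupdict().get("leak")
    return None

def scan_log(lines):
    """(line_number, technique, leaked_value) for every matching line; a run
    of these errors against one URL is the pattern worth alerting on."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = classify_error(line)
        if found:
            hits.append((number, found[0], found[1]))
    return hits

# Constructed sample lines (assumed format: timestamp method path status message).
SAMPLE_LOG = [
    "2021-12-14 22:19:01 GET /page.asp 200 ok",
    "2021-12-14 22:19:05 GET /page.asp 500 Column 'users.username' is invalid "
    "in the select list because it is not contained in an aggregate function "
    "and there is no GROUP BY clause.",
    "2021-12-14 22:19:09 GET /page.asp 500 Syntax error converting the nvarchar "
    "value 'sa' to a column of data type int.",
    "2021-12-14 22:19:12 GET /page.asp 500 All queries in an SQL statement "
    "containing a UNION operator must have an equal number of expressions in "
    "their target lists.",
]
```

scan_log(SAMPLE_LOG) flags the three 500 lines and reports the leaked values 'users.username' and 'sa'; the UNION error carries no leaked value.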

TableName: USERS

BLIND SQL INJECTION: EXTRACT 2nd DATABASE TABLE

TableName: ORDERS

BLIND SQL INJECTION: EXTRACT 3rd DATABASE TABLE

TableName: CUSTOMERS

BLIND SQL INJECTION: EXTRACT 1st TABLE COLUMN NAME

Field Data

BLIND SQL INJECTION: EXTRACT 1st FIELD OF 2nd ROW

Field Data: JOE

Calling the XP_CMDSHELL Stored Procedure in MS SQL Server

(Privileged Database User Account Required)

In some cases it is possible to run arbitrary commands on a system via SQL injection through the XP_CMDSHELL stored procedure. Here are some steps to get this working.

Technique for XP_CMDSHELL SQL Injection on Windows

Now we run the following on the site and start testing for some table names:

UNION ALL SELECT to enum db info

You can use this if you run into a server that has magic quotes turned on.

StringEncoder

We found table users (columns username, password), so we are going to pull characters from that.

You can also receive the FILE privilege info from the information_schema table on MySQL.

The web directory problem

Once we know if we can read/write files we have to check out the right path. In most cases the MySQL server is running on the same machine as the web server, and to access our files later we want to write them onto the web directory. If you define no (...) On MySQL we can get an error message displaying the datadir.

The default path for file writing then is datadir\databasename.

Now this information is hard to get with blind SQL injection. But you don't need it necessarily. Just make sure you find out the web directory and use some ../ to jump back from the datadir.

(...) or similar functions and displays warning messages. Then you can easily find out the web server directory by leaving those functions with no input so that they will throw a

/etc/init.d/apache

/etc/httpd/httpd.conf

/etc/apache/apache.conf

Create useful files

SQL Injection Against Oracle

Error Based SQL Injection


Union Based SQL Injection


Posted: 14/12/2021, 22:19
