首页 > 移动平台 > 详细

Application Security Per-Engagement

时间:2019-01-02 23:51:55      阅读:271      评论:0      收藏:0      [点我收藏+]

1、 an SQLi vulnerability will allow you  to do the  following 

  •    query the database using select statement forezample users table. you might get the password or usersname
  •    Bypass the login page executing successfuly query results
  •    Execute system commands in the database in oreder compromise the web server
  •    Execute inserts.delete commands to manipulate the records in the database

2、Command Injection

      we can append other commands after the variable and the application will be to execute it for us , my goal is to make the backend execute someting like this [nslookup [domain name variable ] && [other command ]

技术分享图片

3、OWASP top 10

    Injection-----> when a attacker can inject and execute a custom command in the backend because of missing sanitization,besides it ,command Injection are more like LDAP、XPath、NoSQLo  XML Parsers、STMTP Header

    Broken Authentication  ------> a hacker finds the user‘s idntity, credentials bouth name and password or web session

   Sesitive Data 、   XML External Entities  \ Broken Access Control \ Security Misconfig \Cross-site Scripting \ Insecure Deserialization \ Using Components with know vulnerability\ Insufficient logging

4、邮件信息收集

theharverster -d [目标网络域名地址] -l [邮件地址数量] -b [使用的搜索的公共知识库]  eg : theharvester  -d yalong.cn -l 20 -b baidu

技术分享图片技术分享图片技术分享图片

5、 use Whois search DNS and ip register name and phone number and email

   step one we can use the  Whois.net  the url: http:www.whois.net   or another website is NetCraft   the url :https://www.netcraft.com/

   step two:  use the command  whois ,the screenshout as follow

技术分享图片

another wegit tools is host it can translate ip to hostname

技术分享图片

nslookup id find DNS

   

 

   

  

 

Application Security Per-Engagement

原文:https://www.cnblogs.com/xinxianquan/p/10211936.html

(0)
(0)
   
举报
评论 一句话评论(0
关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com
© 2014 bubuko.com 版权所有
打开技术之扣,分享程序人生!