最近参加某央企攻防演练中的一些心得与实战工具分享

作者:FancyPig | 发布时间: | 更新时间:

近期概况

最近去参加了某央企内部组织的攻防演练,做了红方的队员,因此非常忙,最近更新的内容不是很频繁,这里分享一些心得体会还有一些工具,希望对各位师傅有所帮助。

准备工作

挂代理

挂代理防止被溯源,方法之前有讲过

data-postsbox="{"id":2618,"title":"如何隐藏自己的真实IP地址 防止被溯源/恶意钓鱼","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":26270,"comment_count":1165,"category":"cybersecurity","is_forum_post":false}">{"id":2618,"title":"如何隐藏自己的真实IP地址 防止被溯源/恶意钓鱼","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":26270,"comment_count":1165,"category":"cybersecurity","is_forum_post":false}

同时这里还推荐一个代理软件proxifier,后面补充详细教程!

data-postsbox="{"id":3876,"title":"Proxifier 4.05 最新破解版下载 – 最强大的代理客户端","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":8154,"comment_count":10,"category":"software","is_forum_post":false}">{"id":3876,"title":"Proxifier 4.05 最新破解版下载 – 最强大的代理客户端","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":8154,"comment_count":10,"category":"software","is_forum_post":false}

首先要找到攻击的目标对应的资产,提前踩好点,我们需要做资产收集资产收集可以通过下面的网络空间测绘搜索引擎:

无脑模糊搜索

最简单无脑的是直接输域名,比方说pigsec.cn

"pigsec.cn"

这种模糊搜索的方法,会把其他网站里包含这个域名的也收录进去

比方说下面这个

但是,这种方式搜索出来的资产会很全面,包括使用了pigsec.cn证书的都会显示出来。

简单实用的搜索语法

搜索标题

title="4K壁纸"

有一些奇妙的小发现,评论可见

此处内容已隐藏,请评论后刷新页面查看.

查询某个域名下的网站

domain="pigsec.cn"

查询某个C段的资产

ip="220.181.111.1/24"

查询某个时间段的资产

比如搜索2017年到2017年10月10日之间的资产

after="2017" && before="2017-10-01"

搜索2021-03-18以后的ip资产(以ip为单位的资产数据)

ip_after="2021-03-18"

搜索2019-09-09以后的ip资产(以ip为单位的资产数据) 

ip_before="2019-09-09"

证书查询

查询使用百度SSL证书的相关资产

cert="baidu"

之前我们讲过通过域名证书可以溯源IP地址相关操作

data-postsbox="{"id":3185,"title":"使用Fofa确定网站真实IP地址的小技巧","author":"热心网友","author_id":9547,"cover_image":"","cover_video":"","views":4835,"comment_count":5,"category":"cybersecurity","is_forum_post":false}">{"id":3185,"title":"使用Fofa确定网站真实IP地址的小技巧","author":"热心网友","author_id":9547,"cover_image":"","cover_video":"","views":4835,"comment_count":5,"category":"cybersecurity","is_forum_post":false}

组合搜索

使用&&连接语句即可

比方说如果,你想搜索带有一定关键词的,同时又是该域名下的资产,你可以使用下面的命令

title="汉堡" && domain="pigsec.cn"

比如,这里找下以前收录的汉堡(现在已经没了)

上述工作可以帮助我们完成绝大多数的资产收集,当然也可以配合Google搜索引擎,其语法可以参考之前的文章

data-postsbox="{"id":312,"title":"常见搜索引擎Google Hacking语法整理","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":25102,"comment_count":948,"category":"knowledge","is_forum_post":false}">{"id":312,"title":"常见搜索引擎Google Hacking语法整理","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":25102,"comment_count":948,"category":"knowledge","is_forum_post":false}

Google搜索引擎需要科学上网,上面说的两款网络安全空间测绘网站不需要科学上网哦

[postsbox post_id="222"]

资产梳理补充

借助搜索引擎,我们可以找到绝大多数资产,但是可能还不够全面。资产梳理完成后,可以围绕着资产的IP和域名做一下站点的目录、端口扫描,这里分享给大家两款常见的工具

目录扫描

windows工具

目录扫描工具打包 提取码gmxte8御剑扫描器 提取码sxaotgwebpathbrute工具 提取码kt2x5o

通过上述的目录扫描工具,可以快速发现网站的后台路径,甚至是一些未授权可以访问的地址,再或是一些可能曾经被入侵后遗留的webshell文件,我们可以直接加以利用完成入侵。

Linux工具

当然,上面的工具都是windows,我们还可以通过kali虚拟机里自带的dirbuster完成

打开界面后输入网址和相关的字典即可,这里温馨提示下Kali里自带了一些字典库,路径为:/usr/share/wordlists/

当然,您也可以使用我们之前讲过的FUFF,功能也相当强大

data-postsbox="{"id":210,"title":"ffuf安装与使用教程","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":4459,"comment_count":1,"category":"cybersecurity","is_forum_post":false}">{"id":210,"title":"ffuf安装与使用教程","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":4459,"comment_count":1,"category":"cybersecurity","is_forum_post":false}
data-postsbox="{"id":241,"title":"使用ffuf对DVWA整个目录进行扫描","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":6507,"comment_count":2,"category":"cybersecurity","is_forum_post":false}">{"id":241,"title":"使用ffuf对DVWA整个目录进行扫描","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":6507,"comment_count":2,"category":"cybersecurity","is_forum_post":false}

端口扫描

使用Nmap就可以完成,这里不再赘述,可以参考以往的教程。

data-postsbox="{"id":182,"title":"如何使用Nmap?Nmap常见口令","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":7155,"comment_count":1,"category":"cybersecurity","is_forum_post":false}">{"id":182,"title":"如何使用Nmap?Nmap常见口令","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":7155,"comment_count":1,"category":"cybersecurity","is_forum_post":false}
data-postsbox="{"id":199,"title":"如何提升Nmap扫描速度?如何绕过防火墙?Nmap实战教程?","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":9767,"comment_count":1,"category":"cybersecurity","is_forum_post":false}">{"id":199,"title":"如何提升Nmap扫描速度?如何绕过防火墙?Nmap实战教程?","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":9767,"comment_count":1,"category":"cybersecurity","is_forum_post":false}
data-postsbox="{"id":194,"title":"如何使用Nmap对某网段进行全端口扫描","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":7264,"comment_count":4,"category":"project","is_forum_post":false}">{"id":194,"title":"如何使用Nmap对某网段进行全端口扫描","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":7264,"comment_count":4,"category":"project","is_forum_post":false}

这次,顺便补充一下,windows可以和mac电脑可以使用的工具,如下

windows Nmap 7.92官方最新安装包mac Nmap 7.92官方最新安装包备用打包下载地址 提取码:aa3gil

打开软件便可以可视化完成操作,稍微简单些。

相关学习视频

第1集-11集 信息收集

data-postsbox="{"id":2040,"title":"【在线学习】小迪web渗透安全培训2020","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":6388,"comment_count":462,"category":"lsources","is_forum_post":false}">{"id":2040,"title":"【在线学习】小迪web渗透安全培训2020","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":6388,"comment_count":462,"category":"lsources","is_forum_post":false}

SQL注入

对于常见的搜索框、登录框,我们可以尝试进行SQL手工注入的尝试,输入or '1=1 之类的进行尝试看看能不能绕过登录或者查看其报错内容,有的报错内容会泄露关键路径,包括数据库名称或者存储在电脑上的路径,方便后面入侵,这里不再赘述,之前有靶场相关的资料,可以参考

data-postsbox="{"id":270,"title":"【DVWA全攻略】DVWA SQL Injection实验 手工注入","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":6031,"comment_count":1,"category":"cybersecurity","is_forum_post":false}">{"id":270,"title":"【DVWA全攻略】DVWA SQL Injection实验 手工注入","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":6031,"comment_count":1,"category":"cybersecurity","is_forum_post":false}

当然,除了手工的方法,我们还可以使用SQLMAP工具,这里补充一下,如果自己不会找注入点可以输入下面的语句

sqlmap -u http://example.com --forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3

如果自己能找到注入点,那可以参考下面这篇

data-postsbox="{"id":269,"title":"【DVWA全攻略】使用SQLMAP完成DVWA SQL Injection实验","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":7266,"comment_count":3,"category":"cybersecurity","is_forum_post":false}">{"id":269,"title":"【DVWA全攻略】使用SQLMAP完成DVWA SQL Injection实验","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":7266,"comment_count":3,"category":"cybersecurity","is_forum_post":false}

当然,还有一些视频讲解的资料

观看第9节和第12节的视频内容:

  • 9-实战-60分钟搭建SQLI-LABS专有靶场并进行拖库
  • 12-实战-使用SQLmap进行sql注入并获得后台管理员帐号和密码
data-postsbox="{"id":3499,"title":"【在线学习】2021年零基础安全渗透实战系列","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":8843,"comment_count":456,"category":"cybersecurity","is_forum_post":false}">{"id":3499,"title":"【在线学习】2021年零基础安全渗透实战系列","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":8843,"comment_count":456,"category":"cybersecurity","is_forum_post":false}

观看第2-7节的视频内容:

  • 第二章 课时2 注入式攻击 OR漏洞实战讲解
  • 第二章 课时3 注入式攻击 MySQL手工注入基础及注入点探测
  • 第二章 课时4 注入式攻击 MySQL手工注入一个站
  • 第二章 课时5 注入式攻击 MySQL手工宽字节注入
  • 第二章 课时6 注入式攻击 MySQL手工高级注入(上)
  • 第二章 课时7 注入式攻击 MySQL手工高级注入(下)
data-postsbox="{"id":3265,"title":"【免费视频课程】国庆假期58节课搞定Web常见漏洞","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":7542,"comment_count":585,"category":"cybersecurity","is_forum_post":false}">{"id":3265,"title":"【免费视频课程】国庆假期58节课搞定Web常见漏洞","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":7542,"comment_count":585,"category":"cybersecurity","is_forum_post":false}

漏洞扫描

当然,在挖掘不出来漏洞情况下,也可以用漏洞扫描工具完成网站,常见的有AWVSGobyNessusXrayAppScan,部分已经做了详细的介绍了,这几天会补充几天几款软件的下载地址以及破解方法

后面我会将所有用到的漏洞工具都整合在这个链接里,大家可以收藏下

https://www.pigsec.cn/category/software/tools

data-postsbox="{"id":2111,"title":"渗透测试工具 AWVS 14.4.2最新破解版下载","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":3812,"comment_count":12,"category":"software","is_forum_post":false}">{"id":2111,"title":"渗透测试工具 AWVS 14.4.2最新破解版下载","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":3812,"comment_count":12,"category":"software","is_forum_post":false}
data-postsbox="{"id":1124,"title":"渗透测试工具Hcl AppScan Standard 10.0破解版","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":5404,"comment_count":7,"category":"cybersecurity","is_forum_post":false}">{"id":1124,"title":"渗透测试工具Hcl AppScan Standard 10.0破解版","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":5404,"comment_count":7,"category":"cybersecurity","is_forum_post":false}

密码爆破

使用BurpSuite完成密码的爆破,很多客户使用的老资产的系统:

  • 不限制IP、密码输入次数;
  • 未使用token验证、cookies限制;
  • 未对密码使用算法进行加密

这样使得我们的密码爆破可以很轻松完成,当然做了限制我们也有对策,有验证码我们也有接码平台,封了IP我们也有IP代理池,密码进行了base64加密,我们也可以使用BurpSuite里相应的加密功能直接对字典库进行加密,可以说是上有政策,下有对策。

相关的详细教程,我们之前也有提过

data-postsbox="{"id":1610,"title":"BurpSuite 2021年8月最新版pro_v2.1.06 全攻略","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":7027,"comment_count":245,"category":"software","is_forum_post":false}">{"id":1610,"title":"BurpSuite 2021年8月最新版pro_v2.1.06 全攻略","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":7027,"comment_count":245,"category":"software","is_forum_post":false}
data-postsbox="{"id":209,"title":"使用BurpSuite完成Pikachu暴力破解","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":3101,"comment_count":1,"category":"cybersecurity","is_forum_post":false}">{"id":209,"title":"使用BurpSuite完成Pikachu暴力破解","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":3101,"comment_count":1,"category":"cybersecurity","is_forum_post":false}
data-postsbox="{"id":207,"title":"使用Burpsuite完成DVWA Brute Force实验","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":3219,"comment_count":3,"category":"cybersecurity","is_forum_post":false}">{"id":207,"title":"使用Burpsuite完成DVWA Brute Force实验","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":3219,"comment_count":3,"category":"cybersecurity","is_forum_post":false}
data-postsbox="{"id":205,"title":"2021Kali linux安装burpsuite pro专业版教程","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":20440,"comment_count":6,"category":"cybersecurity","is_forum_post":false}">{"id":205,"title":"2021Kali linux安装burpsuite pro专业版教程","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":20440,"comment_count":6,"category":"cybersecurity","is_forum_post":false}
data-postsbox="{"id":208,"title":"burpsuite配置https抓包","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":3345,"comment_count":0,"category":"cybersecurity","is_forum_post":false}">{"id":208,"title":"burpsuite配置https抓包","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":3345,"comment_count":0,"category":"cybersecurity","is_forum_post":false}

使用电报中某机器人收集邮箱资料

以下方法仅限用于攻防演练,如果恶意搜集并提供或出售账户资料需要负相应的法律后果,请自重!

根据《中国人民共和国刑法总成》(第15版)第二百五十三条之一规定

  • 情节严重的,处三年以下有期徒刑或者拘役,并处或者单处罚金
  • 情节特别严重的,处三年以上七年以下有期徒刑,并处罚金

请自行搜索

相关学习视频

我们也可以参考一些学习视频

下面视频的第20节有使用BurpSuite软件完成实战

data-postsbox="{"id":3499,"title":"【在线学习】2021年零基础安全渗透实战系列","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":8843,"comment_count":456,"category":"cybersecurity","is_forum_post":false}">{"id":3499,"title":"【在线学习】2021年零基础安全渗透实战系列","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":8843,"comment_count":456,"category":"cybersecurity","is_forum_post":false}

未完待续

时间有限,后续继续补充!

标签:post, 软件, 域名, sqlmap post注入