  • Application Security Pre-Engagement

    1、 An SQLi vulnerability will allow you to do the following:

    •    Query the database using a select statement, for example against the users table; you might get the passwords or usernames
    •    Bypass the login page by making the query return successful results
    •    Execute system commands in the database in order to compromise the web server
    •    Execute insert/delete commands to manipulate the records in the database

    2、Command Injection

          We can append other commands after the variable and the application will execute them for us. My goal is to make the backend execute something like this: nslookup [domain name variable] && [other command]
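
An added example (not from the original post) of the pattern described above: the vulnerable shell-string form beside a hardened form that validates the domain and runs the tool without a shell. The function names are hypothetical, and `echo` stands in for nslookup so the example runs offline.

```python
import re
import subprocess

# One DNS label: letters, digits, inner hyphens, 1-63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

# Assumption: "echo" stands in for nslookup so the example runs offline.
TOOL = "echo"


def vulnerable_lookup(domain: str) -> list[str]:
    """'Before': the input is pasted into a shell string, so the shell
    interprets '&&' in it as a command separator."""
    done = subprocess.run(f"{TOOL} {domain}", shell=True,
                          capture_output=True, text=True, timeout=10)
    return done.stdout.splitlines()


def validate_domain(domain: str) -> str:
    """Allow only syntactically valid hostnames (this also rejects a
    leading '-', which the tool could otherwise read as an option)."""
    if len(domain) > 253 or not _HOSTNAME.fullmatch(domain):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return domain


def argv_lookup(domain: str) -> list[str]:
    """No shell: the whole input reaches the tool as one argument."""
    done = subprocess.run([TOOL, domain],
                          capture_output=True, text=True, timeout=10)
    return done.stdout.splitlines()


def hardened_lookup(domain: str) -> list[str]:
    """'After': validate first, then run without a shell."""
    return argv_lookup(validate_domain(domain))


if __name__ == "__main__":
    sample = "example.com && echo INJECTED"  # constructed input
    print(vulnerable_lookup(sample))   # the shell ran two commands
    print(argv_lookup(sample))         # one command, one literal argument
    print(hardened_lookup("example.com"))
```
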

    3、OWASP Top 10

        Injection -----> when an attacker can inject and execute a custom command in the backend because of missing sanitization. Besides command injection, there are more kinds, such as LDAP, XPath, NoSQL, XML parsers and SMTP headers

        Broken Authentication ------> a hacker finds the user's identity or credentials, both name and password, or the web session

        Sensitive Data, XML External Entities, Broken Access Control, Security Misconfig, Cross-site Scripting, Insecure Deserialization, Using Components with known vulnerability, Insufficient logging

    4、Email information gathering

    theharvester -d [target domain] -l [number of email addresses] -b [public source to search]   e.g.: theharvester -d yalong.cn -l 20 -b baidu

    5、 Use Whois to look up the DNS and IP registrant's name, phone number and email

       Step one: we can use Whois.net, URL: http://www.whois.net, or another website, NetCraft, URL: https://www.netcraft.com/

       Step two: use the whois command; the screenshot is as follows

    Another tool is host; it can translate an IP to a hostname

    nslookup is used to find DNS

       

       

      

  • Original article: https://www.cnblogs.com/xinxianquan/p/10211936.html