Network security vendor interview questions

Self-introduction
Have you ever hunted vulnerabilities for an SRC (vendor security response center)?
How do you usually learn web penetration testing? Have you done any hands-on practice? Have you ever successfully found a vulnerability?
What tools have you used when doing web penetration testing?
What is an XXE vulnerability? What is SSRF?
When you played CTF, which category were you responsible for?
Why do you want to work in information security? How interested are you in security? Will you change careers in the future, or do you plan to keep working in security? Which direction (for example app security)? How much time will you spend on learning, or is there a direction you want to pursue?
Talk about the process of code auditing.
How do you usually do code auditing?
Have you ever audited open source frameworks and CMSs?
How do you tell whether a database is MySQL or Oracle?
What types of SQL injection are there, and how are they exploited?
Talk about the principle of SQL injection and ideas for defending against it.
What language do you use for development?
Which framework do you use for Java development? Can you do Java security development?
Have you ever done Android development?
Have you ever written tools in Python?
Which vulnerability have you exploited with msf, and did you successfully get a reverse shell?
What did you mainly do during network protection exercises? Talk about your understanding of security products.
The company currently needs someone who can do app security. If you were to do it now, would you be willing to learn it? Are you interested, or is there something else? If you are willing but would rather not do app security, how much time could you devote to learning it?
Intranet penetration: talk about your approach to intranet penetration.
Interview questions collection


1. Summary of high-frequency interview questions at large vendors

This time I spent three months sorting out the interview questions for the network security service positions of major security vendors (including but not limited to: security service engineer, security operations engineer, security operation and maintenance engineer, security attack and defense engineer).

Without further ado, let's learn together.

At present there is still a lot of imprecision and redundancy, and I ask my friends to correct and improve it!


1.1. OWASP Top 10 web application security risks
SQL injection
Broken authentication and session management
Cross-site scripting (XSS)
Insecure direct object references
Security misconfiguration
Sensitive data exposure
Missing function-level access control
Cross-site request forgery (CSRF)
Using components with known vulnerabilities
Unvalidated redirects and forwards
1.2. Common web security vulnerabilities
SQL injection
XSS
File traversal, file upload, file download
Vertical and horizontal privilege escalation (broken access control)
Logic flaws
First of all, for newcomers: most candidates have no practical experience, so when the interviewer asks them to talk about their penetration testing practice, many have nothing to say.
1.3. Given a website, how would you conduct a penetration test?
On the premise of having obtained written authorization.

1) Information collection

Obtain the domain's whois information: the registrant's email address, name, phone number, etc.
Enumerate side stations on the same server and subdomain sites; the main site is usually harder, so first check whether the side stations run a common CMS or have other vulnerabilities.
Check the server operating system version and web middleware for known vulnerabilities, such as IIS, Apache, and Nginx parsing vulnerabilities.
Check the IP, scan IP addresses and ports, and probe the services on those ports for vulnerabilities, such as rsync, Heartbleed, MySQL, FTP, and SSH weak passwords.
Scan the website's directory structure to see whether the directory can be traversed or sensitive files are exposed, such as a PHP probe.
Use Google hacking to find further website information, admin backends, and sensitive files.

2) Vulnerability scanning

Start detecting vulnerabilities, such as XSS, XSRF, SQL injection, code execution, command execution, unauthorized access, directory listing, arbitrary file read and download, file inclusion, remote command execution, weak passwords, file upload, editor vulnerabilities, brute-force cracking, and so on.

3) Exploitation

Use the methods above to obtain a webshell or other access.

4) Privilege escalation

Escalate privileges on the server, for example MySQL UDF privilege escalation on Windows, Serv-U privilege escalation, vulnerabilities in older Windows versions such as IIS6, pr, and Churrasco ("Brazilian barbecue"), the Linux Dirty COW vulnerability, Linux kernel version privilege escalation, MySQL system privilege escalation on Linux, and Oracle low-privilege escalation.

5) Log cleaning

6) Summary report and remediation plan

1.4. Penetration testing process
Project kickoff meeting
Information collection: whois, the website's real IP, side stations, C-segment websites, server OS version, container version, program version, database type, second-level domain names, firewall, maintainer information
Vulnerability scanning: Nessus, AWVS
Manual mining: logic vulnerabilities
Vulnerability verification
Repair suggestions
(If required) baseline check / vulnerability retest
Report output:
  Overview
  Basic test information
  Test scope
  Test time
  Test tasks
  Test process
  Comprehensive information security risk analysis
  Overall risk analysis
  Risk impact analysis
  System security analysis
  Security vulnerability list
  Solution suggestions
  Retest report
SQL interview questions

1.5. Types of SQL injection
Error-based injection.
Boolean-based blind injection: judge whether a condition is true or false from the returned page.
Time-based blind injection: nothing can be judged from the page content, so a conditional statement is used to check whether a time-delay statement was executed (that is, whether the page's response time increases).
Wide-byte injection.
Union query injection: when the query can use UNION.
Stacked query injection: multiple statements are executed at the same time.
1.6. The principle of SQL injection
By inserting SQL commands into web form submissions or into the query string of a domain name or page request, the attacker ultimately tricks the server into executing malicious SQL commands. User input that is unchecked or insufficiently checked, or careless code, accidentally becomes executable SQL.

1.7. How to defend against SQL injection
Turn off application error messages.
Add a WAF to filter input.
Limit input length.
Limit database permissions; grant drop/create/truncate and similar permissions cautiously.
Use precompiled (prepared) SQL statements, generally with ? as the placeholder in Python and PHP. This solves injection at the programming-framework level by passing user data as placeholder parameters; it can only be said to prevent injection to a certain extent, since buffer overflows, terminating characters, and so on still exist.
Encrypt and secure database information (which leads into cryptography). Do not use plain MD5 because of rainbow tables; the usual practice is to append a salt to the MD5 digest and MD5 it again.
Clear programming specifications, pair/automated code review, and many ready-made solutions (PreparedStatement, ActiveRecord, ambiguous-character filtering, access only through stored procedures, and so on) have already made the risk of SQL injection very low.
How do you prevent injection in a specific language, and which security frameworks are used?
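The placeholder point above in working code, as an added example that is not from the original post: the same lookup written with string splicing and with a bound ? parameter, run against a constructed in-memory SQLite table (the users, the login payload and the function names are assumptions for this example).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny users table standing in for a web app's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Deliberately vulnerable: the input is spliced into the SQL text, so quote
    # characters in the input change the structure of the statement itself.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the statement is compiled with a ? placeholder and the input is
    # bound as a value afterwards, so it can never be parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, payload))  # the condition is always true: every user leaks
    print(lookup_safe(db, payload))        # no user has that literal name: []
```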
1.8. How is sqlmap used, and how do you exploit an injection point?
For a GET injection point, run sqlmap -u "injection point URL" directly.
For a POST injection point, run sqlmap -u "injection point URL" --data="post parameters".
For injection in a cookie, the X-Forwarded-For header, and so on, capture the request with Burp Suite when you can reach it, replace the injection position with *, save it to a file, and run sqlmap -r "file path".
1.9. For MySQL website injection, what is the difference between versions above 5.0 and below 5.0?
5.0 was released over 10 years ago and the current version is 5.7, so the question has little practical meaning.
Below 5.0 there is no information_schema system database, so table and column names cannot be listed and can only be brute-forced.
Below 5.0 is multi-user single-operation; above 5.0 is multi-user multi-operation.
1.10. MySQL storage engines?
1. InnoDB: the mainstream storage engine. Supports transactions, row locks, non-locking reads, and foreign key constraints.

It provides MySQL with a transaction-safe (ACID-compliant) storage engine with commit, rollback, and crash recovery capabilities. InnoDB locks at the row level and also provides Oracle-like non-locking reads in SELECT statements. These features improve multi-user deployment and performance. In SQL queries you can freely mix InnoDB tables with other MySQL table types, even in the same query. The InnoDB storage engine maintains its own buffer pool for caching data and indexes in main memory. InnoDB organizes its tables and indexes in a logical tablespace, which can consist of several files (or raw disk partitions). This differs from MyISAM, where each table is stored in separate files. InnoDB tables can be of any size, even on an operating system where file size is limited to 2GB.
InnoDB supports foreign key integrity constraints. When storing data, each table is stored in primary key order. If no primary key is explicitly specified in the table definition, InnoDB generates a 6-byte ROWID for each row and uses it as the primary key.
2. MyISAM: fast access, no transaction support, gradually being phased out.
3. MEMORY: BTREE or HASH index. Table data is kept in memory; concurrency performance is poor.
4. MERGE, Archive, etc. are not commonly used.

1.11. What is a transaction?
A transaction is a set of atomic SQL statements, an independent unit of work. If the database engine can successfully apply the whole set of statements to the database, they are all executed; if any statement cannot be executed because of a crash or other reason, none of them take effect. In other words, the statements in a transaction either all succeed or all fail.
A typical example from a banking application:

Suppose the bank's database has two tables, a checking table and a savings table. Customer A wants to transfer 2,000 yuan from his checking account to his savings account, which takes at least three steps:

a. Check that the balance of A's checking account is higher than 2,000 yuan;

b. Subtract 2,000 yuan from A's checking account balance;

c. Add 2,000 yuan to A's savings account balance.

These three steps must be packaged in one transaction. If any step fails, all steps must be rolled back; otherwise A, as a bank customer, may inexplicably lose 2,000 yuan and the books go wrong. This is a typical transaction: the smallest indivisible unit of work. All operations in the whole transaction are either committed successfully or rolled back on failure; executing only part of them is impossible. This is the atomicity property of a transaction.
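The three-step transfer above carried out as one transaction, as an added example that is not from the original post. It uses an in-memory SQLite database so it runs offline; the table layout, the customers A and B (B deliberately has no savings row, so step c fails after step b has already run) and the function names are assumptions for this example.

```python
import sqlite3


def make_bank() -> sqlite3.Connection:
    # Constructed sample data (not from the original text): A has checking and
    # savings accounts; B has a checking account only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checking (customer TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("CREATE TABLE savings (customer TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO checking VALUES (?, ?)", [("A", 5000), ("B", 3000)])
    conn.execute("INSERT INTO savings VALUES (?, ?)", ("A", 1000))
    conn.commit()
    return conn


def transfer(conn: sqlite3.Connection, customer: str, amount: int) -> bool:
    """Move `amount` from checking to savings as one unit of work.
    Returns True if the whole transaction committed, False if it was rolled back."""
    try:
        # `with conn:` wraps the block in BEGIN ... COMMIT and issues ROLLBACK
        # if any statement inside raises, so no partial update can persist.
        with conn:
            # Steps a + b: debit only if the balance covers the amount.
            debited = conn.execute(
                "UPDATE checking SET balance = balance - ? "
                "WHERE customer = ? AND balance >= ?",
                (amount, customer, amount)).rowcount
            if debited != 1:
                raise ValueError("insufficient funds or unknown account")
            # Step c: credit savings; no matching row means the unit must fail.
            credited = conn.execute(
                "UPDATE savings SET balance = balance + ? WHERE customer = ?",
                (amount, customer)).rowcount
            if credited != 1:
                raise ValueError("no savings account; the debit is rolled back")
        return True
    except ValueError:
        return False


def balance(conn: sqlite3.Connection, account: str, customer: str):
    # Table names cannot be bound as parameters, so the statement is picked from a fixed map.
    sql = {"checking": "SELECT balance FROM checking WHERE customer = ?",
           "savings": "SELECT balance FROM savings WHERE customer = ?"}[account]
    row = conn.execute(sql, (customer,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    bank = make_bank()
    print(transfer(bank, "A", 2000), balance(bank, "checking", "A"), balance(bank, "savings", "A"))
    print(transfer(bank, "B", 500), balance(bank, "checking", "B"))  # False, 3000: rolled back
```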

1.12. Read locks and write locks
Read locks are shared, that is, they do not block each other, and multiple clients can read the same resource at the same time without interfering with each other. Write locks are exclusive, that is, a write lock will block other write locks and read locks. Only in this way can it be ensured that only one user can perform writing within a given time, preventing other users from reading the same resource being written. Write locks have higher priority than read locks.

1.13. MySQL index
An index is a data structure that helps MySQL retrieve data efficiently. The MyISAM and InnoDB storage engines only support BTREE indexes; the MEMORY and HEAP storage engines support both HASH and BTREE indexes.


1.14. ORDER BY injection: after ORDER BY you can put a field name, an expression, or a field position, and the field position must be an integer.
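Why ORDER BY needs a different defence from the WHERE clause, as an added example that is not from the original post: a sort column is an identifier, so it cannot be bound as a ? parameter, and the robust fix is an allow-list of column names. The users table, the allow-list and the function names are assumptions constructed for this example.

```python
import sqlite3

# Allow-list of column names clients may sort by (an assumption for this example).
ALLOWED_SORT_COLUMNS = {"id", "username", "created"}


def make_db() -> sqlite3.Connection:
    # Constructed sample data; the dates deliberately do not follow username order.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created TEXT)")
    conn.executemany("INSERT INTO users (username, created) VALUES (?, ?)",
                     [("carol", "2023-01-01"), ("alice", "2023-01-03"), ("bob", "2023-01-02")])
    conn.commit()
    return conn


def list_users_naive(conn: sqlite3.Connection, sort: str) -> list:
    # Vulnerable: the sort parameter is spliced into the statement, so a column
    # position ("1") or an arbitrary expression is accepted, as the text describes.
    return [r[0] for r in conn.execute("SELECT username, created FROM users ORDER BY " + sort)]


def list_users_bound(conn: sqlite3.Connection, sort: str) -> list:
    # Not a fix: a bound parameter is a value, not an identifier, so ORDER BY ?
    # sorts every row by the same constant and silently ignores the request.
    return [r[0] for r in conn.execute("SELECT username FROM users ORDER BY ?", (sort,))]


def list_users_safe(conn: sqlite3.Connection, sort: str, descending: bool = False) -> list:
    # Hardened: only a known column name reaches the SQL text, and the sort
    # direction is chosen by the code rather than copied from the request.
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort)
    direction = "DESC" if descending else "ASC"
    return [r[0] for r in conn.execute(
        "SELECT username FROM users ORDER BY %s %s" % (sort, direction))]
```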

1.15. What is GPC? How do you bypass it when GPC is on?
If magic_quotes_gpc=On, the PHP parser automatically adds the escape character "\" to data from POST, GET, and cookies, so that special characters in that data cannot corrupt the program, and especially database statements.

1.16. What is the difference between one @ and two @ in MySQL?
@ is a user variable; assign it with SET @var1=1.
@@ is a system variable, including global variables (show global variables \G;) and session variables (show session variables \G;).

1.17. Functions commonly used in injection/bypass
1. Boolean-based blind SQL injection

left(database(),1)>'s'
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+
ascii(substr((select database()),1,1))=98
ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23
regexp regular-expression injection: select user() regexp '^[a-z]';
select user() like 'ro%'

Origin blog.csdn.net/jazzz98/article/details/131962242