September 2020 archive

Abstract: #JavaScript Attacks (front-end attacks) The attacks in this section are designed to help you learn about how JavaScript is used in the browser and how it can be ma…
posted @ 2020-09-29 10:16 乌漆WhiteMoon views(2590) comments(0) recommended(3)
Abstract: #Insecure CAPTCHA (insecure verification flow) A CAPTCHA is a program that can tell whether its user is a human or a computer. You've probably seen them - colourful ima…
posted @ 2020-09-28 02:28 乌漆WhiteMoon views(2267) comments(0) recommended(3)
Abstract: #CSP Bypass (CSP bypass) Content Security Policy (CSP) is used to define where scripts and other resources can be loaded or executed from. This module will…
posted @ 2020-09-27 09:11 乌漆WhiteMoon views(3140) comments(0) recommended(3)
Abstract: #Weak Session IDs (weak sessions) Knowledge of a session ID is often the only thing required to access a site as a specific user after they have logged in, if t…
posted @ 2020-09-24 03:18 乌漆WhiteMoon views(1722) comments(0) recommended(4)
Abstract: #Cross Site Request Forgery (CSRF) CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are curren…
posted @ 2020-09-23 02:49 乌漆WhiteMoon views(1691) comments(0) recommended(3)
Abstract: #XSS (Stored) "Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign a…
posted @ 2020-09-22 01:01 乌漆WhiteMoon views(1911) comments(0) recommended(3)
Abstract: #XSS (Reflected) "Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benig…
posted @ 2020-09-21 00:06 乌漆WhiteMoon views(2082) comments(0) recommended(2)
Abstract: #XSS (DOM) "Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and…
posted @ 2020-09-20 11:33 乌漆WhiteMoon views(3893) comments(0) recommended(3)
Abstract: #SQL Injection (Blind) When an attacker executes SQL injection attacks, sometimes the server responds with error messages from the database server com…
posted @ 2020-09-20 01:23 乌漆WhiteMoon views(3210) comments(0) recommended(3)
Abstract: #SQL Injection (SQL injection) A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the applicati…
posted @ 2020-09-18 19:48 乌漆WhiteMoon views(7902) comments(0) recommended(2)
Abstract: #File Upload (file upload) Uploaded files represent a significant risk to web applications. The first step in many attacks is to get some code to the system t…
posted @ 2020-09-14 12:37 乌漆WhiteMoon views(7957) comments(0) recommended(3)
Abstract: #File Inclusion (file inclusion) Some web applications allow the user to specify input that is used directly into file streams or allows the user to upload files…
posted @ 2020-09-13 22:53 乌漆WhiteMoon views(2167) comments(0) recommended(2)
Abstract: #Command Injection (command injection) The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable ap…
posted @ 2020-09-12 23:08 乌漆WhiteMoon views(2132) comments(0) recommended(3)
Abstract: #Brute Force (brute force) Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A co…
posted @ 2020-09-11 23:23 乌漆WhiteMoon views(2718) comments(0) recommended(3)
Abstract: #Git source leak Developers use git for version control and for automatic deployment of a site. If the deployment is misconfigured, the .git folder may be pushed straight to the production environment, which creates a git leak vulnerability: the exposed repository lets us recover the site's source code directly. ##Determining whether a leak exists To determine whether this vulnerability is present, the following methods can be used. First, check whether there is a hint that prominently points…
posted @ 2020-09-03 08:45 乌漆WhiteMoon views(15916) comments(0) recommended(4)
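The summary above stops at the "is the leak present" step. What a leaked .git folder actually gives an attacker (and what a defender should assume is gone) is easiest to see from the index file, which lists every tracked path and the SHA-1 of its blob. The following is an added example, not code from the original post or from any git-dump tool: it parses a version-2 .git/index in the documented git layout, verifies the trailing checksum so a truncated download is noticed, and derives the loose-object path for each blob. The sample repository contents, the target base URL and the probe paths are constructed for the demo.

```python
import hashlib
import re
import struct

# Added example (not from the original post): recover the tracked file list
# from a leaked .git/index. The on-disk layout used here is git's index
# format version 2; sample data and URLs below are constructed for the demo.

INDEX_FIXED_LEN = 62  # 10 x uint32 stat fields + 20-byte SHA-1 + 2-byte flags
HEX40 = re.compile(rb"^[0-9a-f]{40}\s*$")

# Paths to request when probing for an exposed repository (assumed set).
PROBE_PATHS = ["/.git/HEAD", "/.git/config", "/.git/index"]


def looks_like_git_head(body):
    """True if a /.git/HEAD response body is a real HEAD file, not an error page."""
    return body.startswith(b"ref: refs/") or bool(HEX40.match(body))


def build_index(entries):
    """Construct a minimal version-2 index from (path, blob_sha1_hex) pairs.

    Only used to fabricate sample input offline; against a real target the
    bytes would come from GET /.git/index.
    """
    body = b"DIRC" + struct.pack(">II", 2, len(entries))
    for path, sha_hex in entries:
        name = path.encode()
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)
        entry += bytes.fromhex(sha_hex)
        entry += struct.pack(">H", min(len(name), 0xFFF))  # low 12 bits = name length
        entry += name
        entry += b"\x00" * (((len(entry) + 8) & ~7) - len(entry))  # 1..8 NUL bytes of padding
        body += entry
    return body + hashlib.sha1(body).digest()  # trailing checksum over everything before it


def parse_index(data):
    """Return the entries of a version-2 git index as dicts (path, sha1, mode)."""
    if len(data) < 32 or data[:4] != b"DIRC":
        raise ValueError("not a git index (missing DIRC signature)")
    version, count = struct.unpack(">II", data[4:12])
    if version != 2:
        raise ValueError(f"unsupported index version {version}")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("checksum mismatch: index is truncated or corrupted")
    entries, pos = [], 12
    for _ in range(count):
        mode, = struct.unpack(">I", data[pos + 24:pos + 28])
        sha1 = data[pos + 40:pos + 60].hex()
        flags, = struct.unpack(">H", data[pos + 60:pos + 62])
        name_len = flags & 0xFFF
        name_start = pos + INDEX_FIXED_LEN
        if name_len < 0xFFF:
            name = data[name_start:name_start + name_len]
        else:  # very long names saturate the length field: scan for the NUL
            name = data[name_start:data.index(b"\x00", name_start)]
        entries.append({"path": name.decode(), "sha1": sha1, "mode": mode})
        pos += (INDEX_FIXED_LEN + len(name) + 8) & ~7  # entries are padded to 8 bytes
    return entries


def object_url(base_url, sha1):
    """Location of a loose object: .git/objects/<first two hex>/<remaining 38>."""
    return f"{base_url.rstrip('/')}/.git/objects/{sha1[:2]}/{sha1[2:]}"


if __name__ == "__main__":
    sample = build_index([("index.php", "11" * 20), ("config/db.php", "22" * 20)])
    for entry in parse_index(sample):
        print(entry["path"], object_url("http://target.example", entry["sha1"]))
```

Each loose object is zlib-compressed and prefixed with "blob <size>\0", so recovering a file is a fetch plus a decompress; objects that were packed live under .git/objects/pack instead and need the pack index. The checksum check matters in practice because a partial download of a large index otherwise yields garbage paths without any error.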
Abstract: #Login box Opening the page shows a login box. First walk through the page's scenario to judge whether it is a SQL injection challenge. Logging in is not possible yet, which means we have to register an account first. Open the registration page and enter an arbitrary username and password; note that a birthday and an address are also required. Log in with the registered username and password, but when choosing Manage the page says I am not the "admin" administrator…
posted @ 2020-09-02 09:53 乌漆WhiteMoon views(1321) comments(0) recommended(3)
Abstract: #File upload ##One-line webshell Use a file upload vulnerability to upload a one-line webshell (一句话木马) to the target site; afterwards the whole web directory can be read and controlled from the local machine. An intrusion with a one-liner requires that the shell is uploaded successfully without being detected and removed, that its path on the server is known, and that the uploaded shell actually executes. A simple PHP one-liner is: <?php @eval($_POST['flag']); ?>…
posted @ 2020-09-01 17:19 乌漆WhiteMoon views(10737) comments(0) recommended(4)
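The three conditions the summary lists (the shell gets stored, it is not caught, and it runs) are exactly what a server-side upload check has to break. The following is an added example, not code from the original post: a Python upload validator that combines an extension allow-list, a check that the bytes really start with an image signature matching that extension, a double-extension check, and a content scan for PHP tags and the eval-on-request-parameter pattern of the one-liner above. The allow-list, signature table and patterns are this example's own choices; the test inputs are constructed.

```python
import re

# Added example (not from the original post): checks a file-upload handler
# should make before storing a file, exercised against the one-line PHP
# webshell quoted above. Allow-list, signatures and patterns are assumptions.

ALLOWED = {"jpg", "jpeg", "png", "gif"}
SCRIPT_EXTS = {"php", "phtml", "php3", "php5", "php7", "phar"}
IMAGE_MAGIC = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
}
SHELL_PATTERNS = [
    re.compile(rb"<\?(php|=)", re.I),                                   # PHP open tag
    re.compile(rb"<script[^>]*language\s*=\s*['\"]?php", re.I),         # legacy PHP tag
    re.compile(rb"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)", re.I),
    re.compile(rb"\b(system|passthru|shell_exec|exec|popen)\s*\(", re.I),
]


def check_upload(filename, content):
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    base = filename.rsplit("/", 1)[-1]
    if base != filename or "\\" in filename or "\x00" in filename:
        reasons.append("filename contains a path separator or NUL byte")
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED:
        reasons.append(f"extension '{ext}' is not on the allow-list")
    if any(p in SCRIPT_EXTS for p in parts[1:-1]):  # e.g. shell.php.jpg
        reasons.append("double extension containing a server-side script type")
    kinds = next((k for sig, k in IMAGE_MAGIC.items() if content.startswith(sig)), None)
    if kinds is None:
        reasons.append("content does not start with a known image signature")
    elif ext not in kinds:
        reasons.append("extension does not match the image signature")
    for pat in SHELL_PATTERNS:
        if pat.search(content):
            reasons.append(f"content matches webshell pattern {pat.pattern!r}")
            break
    return reasons


if __name__ == "__main__":
    shell = b"<?php @eval($_POST['flag']); ?>"  # the one-liner from the post
    for name, body in [("shell.php", shell), ("cat.gif", b"GIF89a" + shell),
                       ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]:
        print(name, check_upload(name, body) or "accepted")
```

The content scan is the check that catches the "GIF89a" + one-liner trick, where the signature and extension are both valid; the double-extension check covers servers that hand files like shell.php.jpg to the PHP handler. Neither replaces storing uploads under a server-generated name outside the web root, which removes the "know the path and make it execute" conditions entirely.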
