n tips for web penetration practice (1)

Posted by tzul at 2020-03-29

Brief introduction

The importance of the web in our lives is self-evident: the seemingly simple pages we visit are ever more tightly woven into daily life, and more and more of our personal information travels between servers and our computers. For this reason, web security has become too important to ignore. For a network security worker or enthusiast, studying web security matters more and more.

In the next few articles I will introduce some web penetration techniques from well-known foreign practitioners. These will certainly include some basic but easily overlooked points; I hope they help anyone who is studying, or simply interested in, the web.


The source files needed for the exercises can be downloaded here:

Link: password: 17fn

The software that may be used in the environment includes the following (besides the environment software itself, other tools are briefly introduced after their first use):

Because there is a lot of content and a single article would run long, this series is split into several parts, each covering what it needs. Without further ado, let's begin!

Exercise 1: secret documents

From the past to the present, hiding is still a fairly mainstream way of protecting confidential documents. In practice this means that, apart from not letting everyone know the hidden address, there are no protection measures at all. As long as we can find the hidden location, we can easily access this "confidential" data.

For some websites, the protection measure is simply not to link to confidential pages from the homepage or any sub-page, so that spiders do not crawl them and the pages do not lose their confidentiality. Many sites hide their own login pages, or SVN or git directories that are not meant to be public, in this way. We can check the site's robots.txt file to see which parts of the main site are forbidden to crawlers; it may contain some secrets.

Now upload some files to the deepdatahiding folder and try to find them this way.

(PS: exercise 1 is admittedly a bit thin; please bear with it.)

Exercise 2: I have a dictionary in hand

For general penetration testing, when nothing else comes to mind, brute force is often all that's left. So, apart from good luck, a set of high-quality dictionaries is particularly important. Because dictionaries differ from person to person, I won't upload my own. Instead, here is a good command-line tool for dictionary generation: John the Ripper.

Address of the tool:

Git address:

JtR is originally a password-cracking tool, but here the author does not use it for its original purpose; instead this powerful tool is used to generate dictionary files.

Here is a brief introduction to generation. The generation commands are as follows:

If you are a Kali user, replace john-mmx here directly with john, with no installation needed, since Kali ships with JtR. <mode> can be set to all (every character), digit (numbers only), lanman (letters, numbers and some special characters) or alpha (letters only).

For the tool's other use (cracking), you can search online or read the instructions in the git repository directly. If needed, a separate article could introduce this fine tool.

Exercise 3: make good use of search engine

This is Google hacking, but this time for user names and passwords. If the dictionary we generated doesn't work for the credentials we need, we might as well try a search engine. We can use filetype to restrict the search to a file type. For example, here I searched for filetype:lst password, and the results are as follows:

Of course, we can choose different keywords for different situations; you may have unexpected gains ;)

Exercise 4: breaking HTTP auth

In this exercise we will use Hydra together with the username and password dictionary files we have obtained.

Let's first look at Hydra:

Next, we specify the host address, use http-get or http-post to specify the connection mode, then give the paths of the user name and password lists, and finally append the path that requires the password; if there isn't one, specify the root directory. The entire command is as follows:

Of course, the premise is that we first configure this site to require authentication. Use htpasswd.exe on the command line to create the password file (please Google the details yourself). You also need to edit the .htaccess file here:

You can restrict a page to one user name, or give several different user names access to different pages, to keep practising this basic authentication method.

Exercise 5: breaking POST form authentication

The username and password dictionaries needed for this exercise are all in the formcracking folder. Since these are test exercises, our default passwords should be kept as simple as possible.

Hydra is used again here:

Unlike the previous exercise, this command specifies the form fields that carry the user name and password. The names of these fields come from the attributes of the user name and password input fields in our test web page:

Another difference is that the parameters following the address in the command must be separated from the address by a colon (:). In addition, we need to distinguish the responses for a correct and a wrong password; here we specify "oops" as the keyword that marks a failed login. Of course, we still need the ^USER^ and ^PASS^ placeholders so that our dictionary data is filled into the request.

(There are many brute-force tools, including many excellent ones, such as the lightweight HackBar plug-in, the Java-based Burp Suite and so on, but here we are trying to find some different ideas and methods, so please take them in that spirit.)

Exercise 6: modifying fields

The next exercise is in the parametertampering folder.

You will find three PHP files in this folder. The exercise has two objectives, both of which must be completed without reading the three PHP source files.

The first requirement is to open login.php in a browser and log in successfully, without regard to user name and password, so that it jumps correctly to the member.php page.

For this exercise, here is a hint: modify the fields of the page.

At first, many people may find it strange that any page could make such a stupid mistake: simply placing such important data in an <input type="hidden"> on the front end. But the fact is that someone did. For example, a long time ago an old third-party site put the amount into a hidden field on the page before jumping to PayPal, so you could change the amount you wanted to pay. It is said that no one paid more than the original price. As shown in the figure:

The second requirement is to log in to member2.php directly by modifying the Referer header. Here we can use the Firefox plug-in Tamper Data, or of course Burp Suite, as you like. Although it is only a small header field, even today there are still some small login back ends that accept authentication this way. We should keep it in mind; it may come in handy one day.
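To make the two lessons of this exercise concrete from the server's side, here is an added example (not the exercise's own PHP): a handler that trusts a hidden amount field and one that trusts the Referer header, each beside a hardened version that relies only on server-side state. The catalog, the login credentials and the function names are constructed for the example.

```python
# Added example: why the hidden "amount" field and the Referer header
# from exercise 6 must not be trusted, and what to rely on instead.
import secrets

# Constructed server-side price list (cents): the client may only name an item.
CATALOG = {"book": 2500, "pen": 150}

# Session store keyed by an opaque token the server issued at login.
SESSIONS = {}


def vulnerable_checkout(form):
    """Trusts <input type="hidden" name="amount">, so the buyer sets the price."""
    return int(form["amount"])


def hardened_checkout(form):
    """Recomputes the total from the catalog; any 'amount' field is ignored."""
    item, qty = form.get("item"), int(form.get("qty", "0"))
    if item not in CATALOG or qty <= 0:
        raise ValueError("unknown item or bad quantity")
    return CATALOG[item] * qty


def login(username, password):
    """Constructed login check; issues a random session token on success."""
    if (username, password) != ("alice", "constructed-secret"):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def vulnerable_member2(headers):
    """Grants access because the client *claims* it came from login.php."""
    return headers.get("Referer", "").endswith("/login.php")


def hardened_member2(headers, cookies):
    """Ignores Referer entirely; only a server-issued session grants access."""
    return cookies.get("session") in SESSIONS
```

Both vulnerable functions pass when the request is hand-edited, while the hardened ones only use values the server itself produced.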

Exercise 7: brute-force account lockout

Suppose we have the following account lockout mechanism (based on PHP / MySQL):

If the above code is our login mechanism, and our login depends on a WordPress or Joomla plug-in, then malicious people can lock any account they want simply by entering a wrong password many times. This is definitely not what we want.

One solution is to lock by the IP address of the login attempt, and to lock the account only for a period of time rather than permanently.

Here is a solution (based on PHP / MySQL):

If we now add another account to the database, it may look like this (because the code could not be opened, the formatting has been slightly adjusted):

We use the number -1 to indicate that the account is not locked; the code can be as follows:

This is a simple lockout mechanism that triggers after three wrong attempts on an account. Of course, the lock lasts only one hour and is released automatically afterwards. This code can also be found in the folder for this exercise.
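The lockout logic described above, as an added example written in Python rather than the exercise's PHP/MySQL (an in-memory SQLite table stands in for MySQL): failures are counted per account and source IP, the third error locks that pair for one hour, and -1 marks "not locked" as in the text. The schema, the test user and the hashing are constructed for the example.

```python
# Added example: per-(account, IP) lockout with a one-hour expiry; -1 = not locked.
import hashlib
import hmac
import sqlite3

MAX_FAILURES = 3
LOCK_SECONDS = 3600
NOT_LOCKED = -1


def setup_db():
    """Constructed schema with one user. SHA-256 is used only to keep the
    example short; a real site should use a slow hash such as bcrypt/argon2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT)")
    conn.execute("""CREATE TABLE login_state (
        username TEXT, ip TEXT, failures INTEGER, locked_until INTEGER,
        PRIMARY KEY (username, ip))""")
    pwhash = hashlib.sha256(b"constructed-secret").hexdigest()
    conn.execute("INSERT INTO users VALUES ('alice', ?)", (pwhash,))
    return conn


def attempt_login(conn, username, password, ip, now):
    """Returns 'ok', 'failed' or 'locked'; `now` is a Unix timestamp."""
    row = conn.execute(
        "SELECT failures, locked_until FROM login_state WHERE username=? AND ip=?",
        (username, ip)).fetchone()
    failures, locked_until = row if row else (0, NOT_LOCKED)

    if locked_until != NOT_LOCKED:
        if now < locked_until:
            return "locked"                        # still inside the hour
        failures, locked_until = 0, NOT_LOCKED     # lock expired: start over

    user = conn.execute("SELECT pwhash FROM users WHERE username=?",
                        (username,)).fetchone()
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Compare against a dummy hash for unknown users so the timing is uniform.
    stored = user[0] if user else hashlib.sha256(b"").hexdigest()
    if hmac.compare_digest(stored, supplied) and user is not None:
        conn.execute("DELETE FROM login_state WHERE username=? AND ip=?",
                     (username, ip))               # success clears the counter
        return "ok"

    failures += 1
    if failures >= MAX_FAILURES:
        locked_until = now + LOCK_SECONDS          # third error: lock this pair
    conn.execute("INSERT OR REPLACE INTO login_state VALUES (?, ?, ?, ?)",
                 (username, ip, failures, locked_until))
    return "failed"
```

Because the counter is keyed by IP as well as account, an attacker hammering alice from one address cannot lock her out of logging in from another.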


This article introduced many points that are easily overlooked, and the last exercise also proposed a solution. Because this is the first article of the author's series, the ideas are not especially well organised, but on the whole they are of great benefit to a beginner. Since readers of all levels come here, after weighing it up I have still moved this article here, in the hope that it helps someone.

The exercises progress from simple to deep. You can look forward to the next article; those who can't wait can also go to the original English version:

To be continued

[Article / reference source: xiaoa0k of FreeBuf; reproduction must credit FreeBuf.COM]