Experience sharing on vulnerability hunting

Posted by punzalan at 2020-03-06

After the Prophet conference, I had dinner with friends from the Dawn team, and we joked that bug hunting is like driving an excavator: it all depends on your technique and your way of thinking.

As for how long I have been hunting bugs personally, it has been quite a while. From the early days of WooYun ("dark cloud") through to the SRC programs, I have achieved good results and accumulated a lot of experience.

Recently I have mainly been hunting on Safe SRC, and both the quality and the quantity of my findings have been decent.

Because I am busy at work, I do not have much time or energy for other things, so this experience-sharing post comes rather late. I hope you will forgive me.

My bug hunting experience usually boils down to the following points:

1. Collect as much information as possible (primary domain names, IP ranges, search engines, GitHub, etc.).

2. After collecting the information, expand on it to increase the amount collected (you can use a subdomain tool to collect the vendor's domain names in batches; each domain name maps to an IP address, and once there is enough data you can use it to work out the real addresses behind the domain names and the vendor's likely IP ranges).

3. Enumerate the large number of IP ranges, subdomains and so on. Here you need to have collected the ports commonly used in SRC hunting and the naming habits of the vendor's domain names (GitHub has plenty of ready-made port lists; pay attention to them when you collect information day to day).

4. Collect the naming conventions of the target's email accounts (because many official back-end systems are logged into with internal email accounts).

5. In general, the main site of a large vendor does not have many vulnerabilities, and those that are found are not worth many points. When a newcomer encounters this type of site, they should take the initiative to detour and look at the other sub-sites instead.

6. Logic vulnerabilities. There are many vulnerabilities of this type; generally every major vendor has them, some are just well hidden. For a white hat who has just started it may be difficult to find them, because you need a certain level of analysis and understanding of the system. The good thing is that a vulnerability of this kind is usually one of a kind, and the reward is basically good.

7. Weak passwords. For this kind of vulnerability, a new white hat had better collect some weak password dictionaries in advance; I usually use TOP2000. You can look at the vendor's mailbox structure for account collection, for example accounts in the formats liudehua, liudh, LDH, liudehua + numbers, and so on. If you encounter a system that only has a back-end login, you can use the collected accounts plus common usernames to brute-force it.

8. Generally, after discovering a vulnerability, you can try to analyze the whole chain of harm it causes. Remember that a weak password is not only a weak password problem; there may be other vulnerabilities in the system. At this point you can use the weak password to get into the back-end and analyze other vulnerabilities, such as upload, injection, logic and so on. The harm of these is usually relatively large, and when used maliciously they easily cause other problems.

Remember: when you find a weak password type vulnerability, do not submit it lightly. You can use the weak password to dig out some other vulnerabilities first. If there really are no other vulnerabilities in the back-end (it may also be a personal skill problem, so you cannot find any), then you can submit it as it is (in fact, this is a kind of last resort).

9. Some vendors have a large C-class range and some a large B-class range. Here you can use what you have accumulated day to day; I usually keep a list of 4000 common ports. You can start scanning the ports in your spare time. Generally, after the scan you have to process the results to see which services are actually open and accessible. You can write a simple script to process them, otherwise it is too troublesome to visit them one by one. Nowadays many vendors block database, middleware and other ports (occasionally one leaks through) and only keep port numbers like 80, 8080 and so on.
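As an added example of the "simple script to process the results" mentioned above (not the author's own code), this parses constructed port-scan lines in nmap grepable (`-oG`) style, keeps only open TCP ports per host, and flags any open port outside the 80/8080 web ports the text says vendors usually leave exposed, which is the exposure review a defender would run over the same data. The sample lines, the expected-port set and the function names are assumptions for illustration.

```python
"""Exposure review over port-scan output (added example, not the author's script)."""
import re
from collections import defaultdict

# Constructed sample lines in nmap -oG style; not real scan data.
SAMPLE_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 22/filtered/tcp//ssh///, 3306/closed/tcp//mysql///
Host: 192.0.2.11 ()\tPorts: 8080/open/tcp//http-proxy///, 6379/open/tcp//redis///
Host: 192.0.2.12 ()\tStatus: Down
"""

# Ports the text says vendors normally leave reachable; anything else is worth a look.
EXPECTED_WEB_PORTS = {80, 8080}

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_open_ports(scan_text):
    """Return {host: [(port, service), ...]} containing only open TCP ports."""
    result = defaultdict(list)
    for line in scan_text.splitlines():
        # Down hosts have a "Status:" field and no "Ports:" field; skip them.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for port, state, proto, service in PORT_FIELD.findall(line):
            if state == "open" and proto == "tcp":
                result[host].append((int(port), service))
    return dict(result)


def unexpected_exposures(open_ports):
    """Hosts with open ports that are not on the expected web-port list."""
    return {
        host: [(p, s) for p, s in ports if p not in EXPECTED_WEB_PORTS]
        for host, ports in open_ports.items()
        if any(p not in EXPECTED_WEB_PORTS for p, _ in ports)
    }


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_SCAN)
    for host, ports in found.items():
        print(host, ports)
    print("unexpected exposures:", unexpected_exposures(found))
```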

10. Keep up with the latest vulnerabilities, and organize the data you have collected yourself (so that you can use it the moment a new vulnerability appears), for example for JSP, PHP and other systems.

11. Pay more attention to the vendor's mobile applications (apps, official account systems, mobile systems). Vendors are also prone to problems here. Many vendors are not good enough at mobile application development, which results in a lot of logic vulnerabilities, leading to leakage of sensitive user information and so on.

12. When the number of a vendor's staff reaches a certain size, weak passwords or information disclosure often occur, with serious consequences. For example, developers unconsciously push code to third-party platforms, and information about internal test servers, platform accounts and so on is disclosed.

13. As for scanners, try to use them as little as possible in order to improve your manual hunting ability, which in turn raises your hunting level. I use scanners very little in the hunting process. Nowadays scanners have a detection accuracy of almost zero for some vulnerabilities, or cannot detect them at all.

14. As for vulnerability hunting tools, Burp is the most commonly used, followed by sqlmap. These two tools play an important role in my hunting process.

Burp is used for capturing and replaying requests, and sqlmap is used to handle suspected SQL injection problems encountered while testing in Burp.

15. As for programming languages, you should be familiar with some scripting languages such as Python, PHP and so on. They help you understand the principles behind how vulnerabilities arise, and let you write scripts when you run into problems.

16. As for networking, some white hats are not very clear about computer networks, IP addressing, network services, host services, routing and so on, which can be said to be the foundation. When you are free, look at network engineering books and videos and make up for it.

17. Third-party data platforms such as Shodan and oshadan are ones I use often. Although there is a limit on the number of queries, there are ways around it. Through these platforms you can find systems you did not know about, such as a system developed by a branch of the company. You can then hunt on that system too; as long as it has not been tested before, it generally has many problems, and you can get into the back-end within minutes. In serious cases this may lead to data leakage, or to roaming into the headquarters through the branch network.

18. Learn more and communicate more. When you feel you cannot find bugs quickly but someone else can, you should think about what is going on: whether your knowledge is insufficient, or your way of thinking is wrong. If your knowledge is insufficient, study hard. I have kept learning throughout my hunting. Communicate more: when most white hats run into this problem, many feel like they are fighting on their own, searching for nothing. If you do not have your own group at this point, I suggest you look for one, or at least find someone who is willing to help you solve problems. Such people seem to be fewer and fewer now, and there is more bullshit.

Addendum: even if you think your level is very high, you should still ask questions.

19. Get in touch with more people on the vulnerability platforms, and ask them when you are confused, for example: "What bugs have you been hunting recently?" Not every reviewer will necessarily tell you, but if they do, you can hunt along that idea. There will always be bugs.

20. When you have reached a certain level, you can try crowdsourced testing projects, which further improve your hunting efficiency and ability. After all, it is all money; whether you are studying or working, it is a considerable income.

21. Don't give up. Many people feel depressed and want to give up when they cannot find anything for a long time. At this point I want to tell you: look forward, review the bugs you found before, and see whether you can find new bugs starting from the ones you are already familiar with.

22. Be genuinely familiar with the exploitation methods and principles of every vulnerability type. Never limit yourself to the TOP10 vulnerability types; remember that any vulnerability type may appear on a large platform. If you have not mastered the basics, other white hats may get there first. Sometimes bug hunting is also a test of your fundamentals.

23. On maximizing the impact of a vulnerability: during hunting, some vendors may ask you to describe the severity of the vulnerability after review. At this point, what you think of as "point proven, stop there" and what they think of as severity are different things, because severity is what is used to rate your vulnerability.

For example: "System XXX has command execution." The name of the vulnerability sounds frightening, but in fact the score and rating for this kind of vulnerability are sometimes not high, because the system has various restrictions, so you can only execute some simple commands and cannot upload a shell or perform other dangerous operations. Because you stopped at the point of proof, you do not know that the system has so many restrictions, so after self-assessment or review confirmation it is given a low score, which leads to some friction between the two sides.

On the other hand, if you can get into the system, command execution directly runs with administrator privileges, and you can obtain control of the server, then the white hat should know where to stop: take some screenshots, and do not take other sensitive information from the server (such as secretly dumping the database). If you want to prove further harm such as roaming, emphasize it in the report (only prove that you can roam, or use another system as an example).

24. On the bottom line: be strict with yourself. Don't privately hold on to vulnerabilities.


That is all for today. If you are interested, you can follow my WeChat, where I will share more content about bug hunting. Thank you for your attention, and please forward!

We are serious about bug hunting!


WeChat: secbugs