Fingerprinting web applications and web containers, and building an automated collection tool

Ninety percent of a web application penetration test starts with information gathering, which is why it matters so much. Collecting the key facts early makes the later stages far more comfortable. If a penetration test is like walking through a dark maze, information gathering lights up most of the map.

Information gathering covers many points. The tool built here focuses on three of them: the host operating system and its open ports, the web server type and approximate version, and the CMS the site is built on (mainly the ones common in China).


To save others from reinventing the wheel, here are the main features of the tool and the ideas behind them.

1. Host operating system and open ports

The program drives nmap against each target, choosing scan options suited to the system, and takes from its output the host's operating system version, the open ports, and the service fingerprint behind each port.
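As an added example (not the article's tool, which uses an nmap binding), the following drives nmap through its XML report instead: nmap writes XML to stdout with -oX -, and the parser reduces it to the three things the paragraph asks for: open ports, the service guess per port, and the best OS match. The scan flags, the result layout and the sample report are this example's own choices; the sample is constructed in nmap's XML format, not a real scan.

```python
import subprocess
import xml.etree.ElementTree as ET


def run_nmap(target, args=("-sV", "-O", "-Pn", "--top-ports", "100")):
    """Run nmap (must be installed; -O needs root) and return the XML report text."""
    proc = subprocess.run(["nmap", *args, "-oX", "-", target],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_nmap_xml(xml_text):
    """Reduce an nmap XML report to open ports with their service guesses and
    the highest-accuracy OS match for every host."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for the web stages
            svc = port.find("service")
            svc = svc.attrib if svc is not None else {}
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name"),
                "product": svc.get("product"),
                "version": svc.get("version"),
            })
        best = max(host.findall("os/osmatch"), default=None,
                   key=lambda m: int(m.get("accuracy", "0")))
        hosts.append({
            "addr": addr,
            "ports": ports,
            "os": best.get("name") if best is not None else None,
            "os_accuracy": int(best.get("accuracy")) if best is not None else None,
        })
    return hosts


def web_ports(host):
    """Ports worth handing to the web server / CMS fingerprinting stages."""
    return [p["port"] for p in host["ports"]
            if p["service"] in ("http", "https", "http-proxy")]


# Constructed report in nmap's XML layout (not the output of a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.0.2.10">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.14.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.32" accuracy="87" line="1"/>
      <osmatch name="Linux 3.10 - 4.11" accuracy="95" line="2"/>
    </os>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):   # swap in run_nmap("192.0.2.10") for a live scan
        print(h["addr"], h["os"], h["os_accuracy"], web_ports(h))
```

For a live target replace SAMPLE_XML with run_nmap(target); the -Pn flag keeps the scan going when ICMP is blocked, and the OS match is only as good as nmap's accuracy figure, which is why it is kept alongside the name.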

2. Web server type and version

The web server type is in fact the first thing to establish in a penetration test. Different web servers behave differently, and different versions of the same server differ as well; putting these characteristics together sometimes surfaces serious vulnerabilities that are easily overlooked. There are two ways to detect the web server.

The first defines two fingerprints, one from the order of the HTTP response header fields and one from the status codes returned to a set of requests. After collecting a large number of Nginx, Apache and IIS hosts of different versions through ZoomEye and probing them, the following seven classes were distinguished. In each block the first column is the request line (method, path, protocol and version), the second column is the HTTP status code the server returns, and the last row is the order of the header fields in the response. XXX stands for an arbitrary unrecognised method name, and 0D9Y is a deliberately invalid token used in place of a method name or the protocol name. The table was compiled from many tests; a small HTTP request class written on Python's socket library sends the same requests to a target and compares the results to determine the web server type and approximate version.

Apache/2.X
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        405 Method Not Allowed
  DELETE / HTTP/1.1     405 Method Not Allowed
  CONNECT / HTTP/1.1    400 Bad Request
  HEAD / 0D9Y/1.1       200 OK
  HEAD / HTTP/3.1       200 OK
  Header order: Date, Server, Content-Length, Connection, Content-Type

Apache/1.3.X
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        405 Method Not Allowed
  DELETE / HTTP/1.1     405 Method Not Allowed
  CONNECT / HTTP/1.1    400 Bad Request
  0D9Y / HTTP/1.1       200 OK
  HEAD / 0D9Y/1.1       400 Bad Request
  HEAD / HTTP/3.1       200 OK
  Header order: Date, Server, Content-Length, Connection, Content-Type

Nginx/0.7.69-1.3.9
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        411 Length Required
  DELETE / HTTP/1.1     200 OK / 405 Not Allowed / 502 Bad Gateway
  CONNECT / HTTP/1.1    200 OK / 405 Not Allowed / 502 Bad Gateway
  XXX / HTTP/1.1        lowercase letters or digits: 200 OK / 405 Not Allowed / 502 Bad Gateway; uppercase letters: no response
  HEAD / 0D9Y/1.1       no response
  HEAD / HTTP/3.1       200 OK
  Header order: Server, Date, Content-Type, Content-Length, Connection

Nginx/1.4.0-1.5.4
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        405 NOT ALLOWED
  DELETE / HTTP/1.1     405 NOT ALLOWED
  CONNECT / HTTP/1.1    405 NOT ALLOWED
  XXX / HTTP/1.1        lowercase letters or digits: no response; uppercase letters: 405 METHOD NOT ALLOWED
  HEAD / 0D9Y/1.1       no response
  HEAD / HTTP/3.1       200 OK
  Header order: Server, Date, Content-Type, Content-Length, Connection

Nginx/1.5.5-Now
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        405 Not Allowed
  DELETE / HTTP/1.1     405 Not Allowed
  CONNECT / HTTP/1.1    405 Not Allowed
  XXX / HTTP/1.1        lowercase letters or digits: 400 Bad Request; uppercase letters: 405 Not Allowed
  HEAD / 0D9Y/1.1       no response
  HEAD / HTTP/3.1       200 OK
  Header order: Server, Date, Content-Type, Content-Length, Connection

Microsoft-IIS/6.0
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        411 Length Required
  DELETE / HTTP/1.1     501 Not Implemented
  CONNECT / HTTP/1.1    501 Not Implemented
  XXX / HTTP/1.1        lowercase letters or digits: 501 Not Implemented; uppercase letters: 501 Not Implemented
  HEAD / 0D9Y/1.1       400 Bad Request
  HEAD / HTTP/3.1       505 HTTP Version Not Supported
  Header order: Connection, Date, Server, Content-Type, Content-Length

Microsoft-IIS/7.0-8.5
  GET / HTTP/1.1        200 OK
  HEAD / HTTP/1.1       200 OK
  PUT / HTTP/1.1        411 Length Required
  DELETE / HTTP/1.1     405 Method Not Allowed
  CONNECT / HTTP/1.1    405 Method Not Allowed
  XXX / HTTP/1.1        lowercase letters or digits: 405 Method Not Allowed; uppercase letters: 405 Method Not Allowed
  HEAD / 0D9Y/1.1       400 Bad Request
  HEAD / HTTP/3.1       505 HTTP Version Not Supported
  Header order (HEAD response): Content-Length, Content-Type, Server, Date, Connection

The second method is the one most people already use: read the Server field in the returned HTTP headers. The Server field can be changed or removed to mislead a scanner, however, so it only serves as a supplement to the first method.
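The following is an added example of both methods, not the article's own request class. The probe lines, status codes and header orders are transcribed from the seven-row table above; the scoring (the share of probes whose status matches, with the header order counted as one more probe) and all function names are this example's choices. The raw socket is needed because http.client will not emit an invalid request line such as HEAD / HTTP/3.1, and a server that sends nothing back at all is recorded as a None status, which the table treats as a distinguishing answer in its own right. The sample replies at the end are constructed to match the Apache/2.X row; they were not captured from a real host.

```python
import socket

APACHE_ORDER = ["Date", "Server", "Content-Length", "Connection", "Content-Type"]
NGINX_ORDER = ["Server", "Date", "Content-Type", "Content-Length", "Connection"]

# class -> (header order on GET /, {request line: accepted status codes;
# None means the server sends nothing back})
FINGERPRINTS = {
    "Apache/2.X": (APACHE_ORDER, {"PUT / HTTP/1.1": (405,), "CONNECT / HTTP/1.1": (400,),
                                  "HEAD / 0D9Y/1.1": (200,), "HEAD / HTTP/3.1": (200,)}),
    "Apache/1.3.X": (APACHE_ORDER, {"PUT / HTTP/1.1": (405,), "CONNECT / HTTP/1.1": (400,),
                                    "HEAD / 0D9Y/1.1": (400,), "HEAD / HTTP/3.1": (200,)}),
    "Nginx/0.7.69-1.3.9": (NGINX_ORDER, {"PUT / HTTP/1.1": (411,), "CONNECT / HTTP/1.1": (200, 405, 502),
                                         "HEAD / 0D9Y/1.1": (None,), "HEAD / HTTP/3.1": (200,)}),
    "Nginx/1.4.0-1.5.4": (NGINX_ORDER, {"PUT / HTTP/1.1": (405,), "CONNECT / HTTP/1.1": (405,),
                                        "xxx / HTTP/1.1": (None,), "HEAD / 0D9Y/1.1": (None,),
                                        "HEAD / HTTP/3.1": (200,)}),
    "Nginx/1.5.5-Now": (NGINX_ORDER, {"PUT / HTTP/1.1": (405,), "CONNECT / HTTP/1.1": (405,),
                                      "xxx / HTTP/1.1": (400,), "HEAD / 0D9Y/1.1": (None,),
                                      "HEAD / HTTP/3.1": (200,)}),
    "Microsoft-IIS/6.0": (["Connection", "Date", "Server", "Content-Type", "Content-Length"],
                          {"PUT / HTTP/1.1": (411,), "CONNECT / HTTP/1.1": (501,),
                           "HEAD / 0D9Y/1.1": (400,), "HEAD / HTTP/3.1": (505,)}),
    "Microsoft-IIS/7.0-8.5": (["Content-Length", "Content-Type", "Server", "Date", "Connection"],
                              {"PUT / HTTP/1.1": (411,), "CONNECT / HTTP/1.1": (405,),
                               "HEAD / 0D9Y/1.1": (400,), "HEAD / HTTP/3.1": (505,)}),
}


def parse_response(raw):
    """(status code, [(header name, value), ...]) from raw bytes; (None, []) if nothing came back."""
    if not raw:
        return None, []
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = [tuple(s.strip() for s in ln.split(":", 1)) for ln in lines[1:] if ":" in ln]
    return status, headers


def probe(host, port, request_line, timeout=5.0):
    """Send one raw request line over a plain socket and return whatever comes back."""
    req = f"{request_line}\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("latin-1")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            while data := s.recv(4096):
                chunks.append(data)
        except socket.timeout:
            pass  # silence is a signal too: parse_response() reports it as None
    return b"".join(chunks)


def order_matches(names, expected):
    """True if the fingerprint's headers occur in the expected relative order,
    ignoring unrelated headers (ETag, Last-Modified, ...) mixed in between."""
    seen = [n for n in names if n in expected]
    return bool(seen) and seen == [n for n in expected if n in seen]


def server_banner(observations):
    """The Server header from GET /: the supplementary, easily spoofed signal."""
    for name, value in observations.get("GET / HTTP/1.1", (None, []))[1]:
        if name.lower() == "server":
            return value
    return None


def rank_fingerprints(observations):
    """observations: {request line: parse_response() result}. Returns [(class, score 0..1)] best first."""
    ranked = []
    for cls, (order, probes) in FINGERPRINTS.items():
        hits = total = 0
        for line, accepted in probes.items():
            if line in observations:
                total += 1
                hits += observations[line][0] in accepted
        get = observations.get("GET / HTTP/1.1")
        if get is not None:
            total += 1
            hits += order_matches([n for n, _ in get[1]], order)
        ranked.append((cls, hits / total if total else 0.0))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def fingerprint(host, port=80):
    """Live run: GET / plus every probe line in the table against one host."""
    lines = {"GET / HTTP/1.1"}.union(*(p for _, p in FINGERPRINTS.values()))
    return rank_fingerprints({ln: parse_response(probe(host, port, ln)) for ln in sorted(lines)})


def observe(replies):
    """Turn {request line: raw reply bytes} into rank_fingerprints() input."""
    return {ln: parse_response(raw) for ln, raw in replies.items()}


# Constructed replies shaped like the Apache/2.X row, with an unrelated ETag header mixed in.
APACHE2_REPLIES = {
    "GET / HTTP/1.1": (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: Apache\r\n"
                       b"ETag: \"1a2b\"\r\nContent-Length: 0\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"),
    "PUT / HTTP/1.1": b"HTTP/1.1 405 Method Not Allowed\r\nDate: x\r\nServer: Apache\r\n\r\n",
    "CONNECT / HTTP/1.1": b"HTTP/1.1 400 Bad Request\r\nDate: x\r\nServer: Apache\r\n\r\n",
    "HEAD / 0D9Y/1.1": b"HTTP/1.1 200 OK\r\nDate: x\r\nServer: Apache\r\n\r\n",
    "HEAD / HTTP/3.1": b"HTTP/1.1 200 OK\r\nDate: x\r\nServer: Apache\r\n\r\n",
}

if __name__ == "__main__":
    obs = observe(APACHE2_REPLIES)          # or fingerprint("203.0.113.5") for a live host
    print(server_banner(obs), rank_fingerprints(obs)[:3])
```

Only the relative order of the five tabulated headers is compared, so extra headers a site adds (ETag, Set-Cookie, X-Powered-By) do not break the match; the Server banner is reported next to the ranking rather than folded into the score, because it is the one signal an operator can rewrite in one line of configuration.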

3. CMS type

The CMSs the program can currently detect quickly and accurately include 74CMS, ASPCMS, CMSEASY, DEDECMS, DISCUZ, DRUPAL, ECSHOP, JOOMLA, METINFO, PHPCMS, PHPWIND, WORDPRESS, XYCMS, Z-BLOG and other quick site-building systems.

The fingerprints were collected as follows. We first downloaded the latest release and some older releases of each CMS, extracted their directory trees, and recorded the MD5 of every file against its path. We then searched ZoomEye for sites running that CMS, requested each file from them, and counted how often the MD5 matched; the entries with the highest match rate were kept as the quick-match list (shown below).

If the quick match finds nothing, an exact match can be tried. It is slower, but it walks every entry, so it succeeds more often. The program descends the directory tree one level at a time: for entries such as /js/index.js and /js/jq.js it first checks whether the /js/ directory returns 404, and only then requests the files beneath it.

74cms.txt
/templates/default/css/wap.css 50c71ede9badf9417b15a3df09890a50
/templates/default/js/jquery.highlight-3.js 9b9f1ebc7411e9d9cec08031622a645a
/templates/default/js/jquery.KinSlideshow.min.js 376a6749c02e3d527cfce83a2e77d568
/templates/tpl_company/default/css/ui-dialog.css 4440728e29e7b41b79f33fb212845b9f
ASPCMS.txt
/images/qq/qqkf1/default.css 76cb116c87b88929c439a6104bfc9c0f
/plug/collect/style.css fa87014850b44b241b14ee993d7ed223
/plug/vote/style.css fa87014850b44b241b14ee993d7ed223
/images/qq/qqkf2/kefu.js 1cdeba13ea60605047e77ce38f2fa77c
CmsEasy.txt
/js/jquery.min.js 10092eee563dec2dca82b77d2cf5a1ae
/common/js/jquery/ui/themes/flora/flora.datepicker.css 670ec3ce24416b0c7a462e39bc39ca1d
/common/js/jquery/ui/themes/flora/flora.all.css 7f325a06e7ccf2222c0c4527449c0527
/common/js/jquery/ui/themes/flora/flora.tabs.css 28cddf861963342333a844bac80f2219
dedecms.txt
/images/swfupload/plugins/swfupload.swfobject.js 9cf88d567c218192eb26bf3b27763b83
/images/swfupload/plugins/swfupload.cookies.js f6940672b1ef27fccbe5a360d8382b72
/images/swfupload/plugins/swfupload.speed.js d840d5988a2b8b64350faed539041550
/images/swfupload/plugins/swfupload.queue.js 83b614f4e551d5c176833ee44c8f0e01
Discuz.txt
/static/image/common/extstyle_none.css 7215ee9c7d9dc229d2921a40e899ec5f
/source/admincp/robots.txt 96bbf89620d30c72c1dab0e8b8eca17d
/uc_server/robots.txt 15dde9868cbc402f19261bd376496d38
/template/default/common/wysiwyg.css a3ae9afbc98ac594a1ff90f8410b38f3
drupal.txt
/themes/seven/ie7.css d408f1a7cfd5ae23bd7817f036e94cea
/modules/profile/profile.js 80c518c28630fca61a98d46124210221
/modules/poll/poll-rtl.css 28f82f3171b115e9031c250abee951c0
/modules/dashboard/dashboard.css ac59df14268190ef0ea60e1d7a804fda
ECShop.txt
/includes/fckeditor/editor/filemanager/browser/default/js/common.js cf81ed7a0668e5eb3b9135bf7eb65b9a
/includes/fckeditor/fckeditor.js 5ec5a57d981113875d68d2daa3e01a0d
/includes/fckeditor/editor/dtd/fck_xhtml10transitional.js 2eaa9662e59360ed579aa2e422c7aa39
/includes/fckeditor/editor/dialog/common/fck_dialog_common.js 2341d0ae9d63666fbe01469582068419
Joomla.txt
/media/system/js/punycode-uncompressed.js 1b6d3b0e700c0a47cd91bbe2a75dcd12
/media/editors/codemirror/mode/jinja2/jinja2.js 7078315f8a3f9181c79d8b969cb10607
/media/editors/codemirror/addon/scroll/simplescrollbars.css 0352ba51fd6a422fe6cc44925e33ad88
/media/editors/codemirror/mode/crystal/crystal.js 37af5605299e885305a5a1f499288d3c
MetInfo.txt
/public/js/yao.js 858a08c6c59dfa72a33ab3d623e989a5
/public/js/metzoom.js 45af213d8f5dda4746ed101fe5a9dcb9
/public/js/imgdisplay5.js 1c2827d0e79de5bfc1337800c6522f04
/public/js/metzoomHTML.js 060a5e02653a9a34a3bcb24d9f5d38a6
phpcms.txt
/statics/js/calendar/calendar-blue.css c0c2286a4460f3b9a870be43923d4395
/robots.txt 7750f62fc14ea34527c09c7694a3d406
/statics/js/calendar/border-radius.css 888d3ead98ff921a09c0365a723339f5
/phpsso_server/statics/js/jquery.min.js 10092eee563dec2dca82b77d2cf5a1ae
phpwind.txt
/js/DeployInit.js ed1109ddea65852255c15b543a3ec161
/js/wind_editor.js e624e24a8de77dadff7c768ff7247fd6
/js/Deploy.js f1e394ddf8ae52faf4dc90fdfb5632e4
/js/credit_pop.js f80829a7eaf499dfb4dd3dd145f9ca07
wordpress.txt
/wp-includes/js/admin-bar.min.js 5bd4dfd347e0592a6bc8a5b9d6b070fc
/wp-includes/js/comment-reply.js d30ad028653d4eac285a1d4d06567bbd
/wp-includes/js/tinymce/skins/lightgray/content.inline.min.css 35b20a1298ab637a58ac70fa73df335c
/wp-includes/js/media-models.min.js bc01c1de1fdb0176783247e8a754a60b
xycms.txt
/system/images/Deepeach_colorPicker.js b2096cbcab653ad132350ef455f10e95
/system/images/menu.js 6b22b5913da498c9194205930fb95922
/system/images/style.css 6bfbaf7c3e740b19e1af6c4b6bb3ffa2
/system/images/common.js 49ed0d60b73129aebf93de5bbc4fd76e
Z-Blog.txt
/zb_users/plugin/AppCentre/images/style.css b8e0b269520535b3daf15e7fcc5bd9f9

There are many more tricks for information gathering. Writing the ones you use every day into your own program is genuinely liberating, and the efficiency gain is large. If you have tips of your own, send me a private message; I will write them up and add them to the program.
