1、 an SQLi vulnerability will allow you  to do the  following

  • query the database using select statement forezample users table. you might get the password or usersname
  • Bypass the login page executing successfuly query results
  • Execute system commands in the database in oreder compromise the web server
  • Execute inserts.delete commands to manipulate the records in the database

2、Command Injection

we can append other commands after the variable and the application will be to execute it for us , my goal is to make the backend execute someting like this [nslookup [domain name variable ] && [other command ]

3、OWASP top 10

Injection-----> when a attacker can inject and execute a custom command in the backend because of missing sanitization,besides it ,command Injection are more like LDAP、XPath、NoSQLo  XML Parsers、STMTP Header

Broken Authentication  ------> a hacker finds the user's idntity, credentials bouth name and password or web session

Sesitive Data 、   XML External Entities  \ Broken Access Control \ Security Misconfig \Cross-site Scripting \ Insecure Deserialization \ Using Components with know vulnerability\ Insufficient logging

4、邮件信息收集

theharverster -d [目标网络域名地址] -l [邮件地址数量] -b [使用的搜索的公共知识库]  eg : theharvester  -d yalong.cn -l 20 -b baidu

5、 use Whois search DNS and ip register name and phone number and email

step one we can use the  Whois.net  the url: http:www.whois.net   or another website is NetCraft   the url :https://www.netcraft.com/

step two:  use the command  whois ,the screenshout as follow

another wegit tools is host it can translate ip to hostname

nslookup id find DNS

Application Security Per-Engagement的更多相关文章

  1. 安装数据库Mocrosoft.NET Application Security警告

    在安装sqlserver 2012的时候,出现了Mocrosoft.NET Application Security警告,这个时候可以检查是否联网,如果没有联网请连接上,然后重新检查就不再警告了.如果 ...

  2. IOS Application Security Testing Cheat Sheet

    IOS Application Security Testing Cheat Sheet    [hide]  1 DRAFT CHEAT SHEET - WORK IN PROGRESS 2 Int ...

  3. Web Application Security(Web应用安全)

    Web Application Security 1.web应用面临的主要安全问题 1)黑客入侵:撞库拖库.网页篡改.后门木马.加密勒索.数据泄露 2)恶意内容 2.web应用安全现状 1)网站安全问 ...

  4. iOS Application Security

    文章分A,B,C,D 4个部分. A) iOS Application Security 下面介绍iOS应用安全,如何分析和动态修改app. 1)iOS Application security Pa ...

  5. Spring Security(三十七):Part IV. Web Application Security

    Most Spring Security users will be using the framework in applications which make user of HTTP and t ...

  6. Network Security Services If you want to add support for SSL, S/MIME, or other Internet security standards to your application, you can use Network Security Services (NSS) to implement all your securi

    Network Security Services | MDN https://developer.mozilla.org/zh-CN/docs/NSS 网络安全服务 (NSS) 是一组旨在支持支持安 ...

  7. ModSecurity web application firewall (WAF) Research

    catalog . 引言 . OWASP ModSecurity Core Rule Set (CRS) Project . Installation mod_security for Apache ...

  8. Page Security

    参见开发文档 Overview This document describes how to build applications that grant selected access to indi ...

  9. Linux LSM(Linux Security Modules) Hook Technology

    目录 . 引言 . Linux Security Module Framework Introduction . LSM Sourcecode Analysis . LSMs Hook Engine: ...

随机推荐

  1. windows平台上用python 远程线程注入,执行shellcode

    // 转自: https://blog.csdn.net/Jailman/article/details/77573990import sys import psutil import ctypes ...

  2. Write your own operating system Day(1)

    工具准备: VirtualBox.exe是一个免费的轻巧的虚拟机 Bz.exe是二进制编辑器 NASM则是用来编译汇编语言的,具体使用方法自行百度 HZK16.fnt 中文GB2312的二进制点阵文件 ...

  3. Django标签和过滤器

    过滤器格式{{   }} 标签格式{%  %} 模板中过滤器filter只能使用一个参数,自定义标签中则可以使用多个参数!!! 过滤器能够采用链式的方式使用,例如:{{ text | escape | ...

  4. 题解 P1601 【A+B Problem(高精)】

    P1601 A+B Problem(高精) 题目描述 高精度加法,x相当于a+b problem,b不用考虑负数. 输入输出格式 输入格式: 分两行输入a,b<=10^500 输出格式: 输出只 ...

  5. Lodop简短问答客户反馈篇 及排查步骤 及注册相关

    A.http下打印图片正常,https下打印图片是××.(有的客户端可以,有的不可以)重置ie浏览器试试.客户反馈:(和ie浏览器的设置有关)intenet选项--高级里,我调整为和能打印出图片的电脑 ...

  6. pm2自动部署

    配置pm2自动部署前,请确保已经能够ssh免密登录服务器. 一.创建ecosystem.json { "apps" : [{ "name" : "HT ...

  7. luoguP4841 城市规划

    题意: 求n个点的无相连通图的个数.有编号 思路一: 黏博客 至于为什么除以k!:(没有博客中说的那么简单) 实际上, 对于一个n的用k个自然数的拆分,每一个拆分的贡献是: $\frac{n!*\Pi ...

  8. 越光后端开发——ygapi(2.新建Model)

    1.新建Model 1.users数据 1.在apps/users/models.py中: from datetime import datetime from django.db import mo ...

  9. MySQL 导入导出数据库、表

    使用 GUI 软件很好操作,下面介绍命令行操作. 导出 cmd 命令 # 1.1 导出整个数据库 mysqldump -hlocalhost -uroot -p student_db > C:\ ...

  10. 主机管理+堡垒机系统开发:webssh(十)

    一.安装shellinabox 1.安装依赖工具 yum install git openssl-devel pam-devel zlib-devel autoconf automake libtoo ...