Notes on Information Gathering

This scan report records in detail the security scan of the official website of Wulian County No. 1 Middle School, covering website fingerprinting, searching for sensitive information, detection of open ports and services, and SQL injection risk assessment. Using a range of tools and techniques such as WhatWeb and Nmap, it reveals potential security weaknesses.


Target site: www.wlyz.net


0x01 Visit the target site and collect related information

Wulian County No. 1 Middle School | Address: No. 18 Yucai Road, Wulian County, Shandong Province | Tel: 0633—5213084 Fax: 0633—5213084 鲁ICP备05037787号 鲁ICP备09015440号 July 4, 19117, Tuesday Wulian No. 1 Middle School website, all rights reserved ?WY 2009


0x02 Website fingerprinting ---> whatweb www.wlyz.net

WhatWeb is a website fingerprinting tool that answers the question "what technology is this website built with?". WhatWeb can tell you what software the site runs on, including the CMS, blogging platform, JavaScript libraries, web server and embedded devices. WhatWeb has more than 900 plugins and can also identify version numbers, email addresses, account names, web frameworks, SQL errors and more.


http://www.wlyz.net [200 OK] 
Apache[1.3.28], Country[CHINA][CN], 
HTTPServer[Windows (32 bit)][Apache/1.3.28 (Win32) 
PHP/4.3.3], 
IP[218.56.158.77], 
PHP[4.3.3], Script[text/javascript], X-Powered-By[PHP/4.3.3]


0x03 google hack

-->site:*.wlyz.net

-->site:*.wlyz.net login
http://www.wlyz.net/phpinfo.php
Absolute path: e:/k12product/htdocs
Possible internal-network IP: SERVER_ADDR 192.168.70.2
OS: Windows 2003

Admin backend: http://www.wlyz.net/platform/app/login.php?url=http%3A//www.wlyz.net/platform/
Sensitive: http://www.wlyz.net/derup/page/comment.php/3141

0x04 WHOIS lookup --> whois wlyz.net
WHOIS is a query protocol used to look up information about a domain, such as its IP address and its owner.

Administrator: dou shuiwei
Organization: wulian middle school of rizhao
Street: yucai road,wulian,rizhao
City: rizhao
Province: Shandong
Phone: +86.6335213084
Email: msf@rz-public.sd.cninfo.net
Name Server: ns19.xincache.com
Name Server: ns20.xincache.com

0x05 nslookup query --> nslookup wlyz.net

nslookup wlyz.net
Server:       10.10.10.2
Address:   10.10.10.2#53


Non-authoritative answer:
Name:  wlyz.net
Address: 218.56.158.77


IP address lookup: 218.56.158.77 Rizhao, Shandong, China Unicom // Look up the server IP to check whether it matches the site information gathered earlier, or whether a cloud server is in use.

Check whether the IP address can be accessed directly: http://218.56.158.77/cms/index.htm


0x06 nmap --> nmap 218.56.158.77

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-04 22:22 CST
Nmap scan report for 218.56.158.77
Host is up (1.1s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
514/tcp  filtered shell
593/tcp  filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1027/tcp open     IIS
1434/tcp filtered ms-sql-m
3306/tcp open     mysql
3389/tcp open     ms-wbt-server
4444/tcp filtered krb524
4662/tcp filtered edonkey
4899/tcp filtered radmin
6129/tcp filtered unknown
9898/tcp filtered monkeycom


Nmap done: 1 IP address (1 host up) scanned in 61.84 seconds


rdesktop 218.56.158.77 // connect once to see what operating system it is


nmap 218.56.158.77 --script=vuln

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-04 22:26 CST
Nmap scan report for 218.56.158.77
Host is up (1.1s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /phpinfo.php: Possible information file
|   /icons/: Potentially interesting directory w/ listing on'apache/1.3.28'
|_  /index/: Potentially interesting folder
| http-sql-injection: 
|   Possible sqli for queries:
|_   http://218.56.158.77/cms/app/js/(this.open)?webFXTreeConfig%2elMinusIcon%3awebFXTreeConfig%2elPlusIcon%3b=%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
514/tcp  filtered shell
593/tcp  filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1027/tcp open     IIS
1434/tcp filtered ms-sql-m
3306/tcp open     mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
3389/tcp open     ms-wbt-server
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 
4444/tcp filtered krb524
4662/tcp filtered edonkey
4899/tcp filtered radmin
6129/tcp filtered unknown
9898/tcp filtered monkeycom

Nmap done: 1 IP address (1 host up) scanned in 394.47 seconds
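As an added example that is not part of the original post, here is a small Python triage script that parses Nmap normal output like the listings above and flags, from a defender's point of view, the items worth acting on: database and remote-administration ports reachable from the internet, an exposed phpinfo.php, and HTTP TRACE enabled. The sample scan is constructed (it uses an RFC 5737 documentation address, not the real host) and the exposure policy is a hypothetical one.

```python
import re

# Constructed sample in Nmap's normal-output format (mirrors the listing in this post);
# 198.51.100.10 is an RFC 5737 documentation address, not a real host.
SAMPLE_NMAP = """\
Nmap scan report for 198.51.100.10
PORT     STATE    SERVICE
80/tcp   open     http
| http-enum:
|_  /phpinfo.php: Possible information file
|_http-trace: TRACE is enabled
135/tcp  filtered msrpc
3306/tcp open     mysql
3389/tcp open     ms-wbt-server
"""

# Hypothetical exposure policy: services that must not be reachable from the internet.
EXPOSURE_POLICY = {
    3306: "MySQL reachable from the internet; bind it to localhost or firewall it",
    3389: "RDP reachable from the internet; put it behind a VPN and require NLA/MFA",
}
# NSE script output that indicates an information leak or a weak configuration.
SCRIPT_PATTERNS = [
    (r"/phpinfo\.php", "phpinfo page exposed; it leaks paths, internal IPs and versions"),
    (r"TRACE is enabled", "HTTP TRACE enabled; disable it in the web server config"),
]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """One dict per port line, with its NSE script lines attached ('|' prefix stripped)."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "state": m.group(3),
                       "service": m.group(4), "scripts": []}
            ports.append(current)
        elif current is not None and line.startswith("|"):
            current["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def triage(text):
    """(port, message) findings in scan order: exposed service first, then script hits."""
    findings = []
    for p in parse_nmap(text):
        if p["state"] == "open" and p["port"] in EXPOSURE_POLICY:
            findings.append((p["port"], EXPOSURE_POLICY[p["port"]]))
        for s in p["scripts"]:
            findings.extend((p["port"], msg) for pat, msg in SCRIPT_PATTERNS if re.search(pat, s))
    return findings
```

Running `triage(SAMPLE_NMAP)` yields two findings on port 80 (phpinfo, TRACE) and one each for 3306 and 3389; the filtered port 135 is ignored because only open ports are checked against the policy.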

0x07 Probing the /24 (C-class) range:
1. Scan the /24 range with AWVS

2. Probe the /24 range with whatweb
https://github.com/x0day/bannerscan




0x08 Subdomain brute-forcing:

1. Script-driven dictionary brute-forcing with the subdomain brute-force tool subDomainsBrute: http://www.freebuf.com/sectool/106625.html

2. nmap --script dns-brute www.wlyz.net

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|_    www.wlyz.net - 218.56.158.77

3. Online brute-forcing
Hit: www.wlyz.net - 218.56.158.77
Hit: vod.wlyz.net - 218.56.158.77
