Computer Security

Website vulnerabilities. Site checking. Programs for checking a site for vulnerabilities

The question of website security has never been as acute as it is in the 21st century. Of course, this is due to the deep penetration of the Internet into almost every industry and field. Every day, criminals and security specialists discover a handful of new vulnerabilities. Many of them are closed immediately by owners and developers, but some remain as they are and are used by attackers. Exploiting a hacked site can cause great damage both to its users and to the servers on which it is hosted.

Types of site vulnerabilities

When building web pages, a great many related electronic technologies are used. Some are sophisticated and time-tested, others are new and have not yet been thoroughly tested. In any case, there are many kinds of site vulnerabilities:

  • XSS. Every site contains small forms. They let users enter data and get a result, register, or send messages. Substituting specially crafted values into a form can trigger the execution of a particular script, which can compromise the integrity of the site and the data stored on it.
  • SQL injection. A very common and effective way to gain access to confidential data. It can be carried out either through the address bar or through a form. The process consists of substituting values that the scripts may not filter and that end up in a database query. With the right knowledge, this can lead to a data leak.
  • HTML errors. Almost the same as XSS, but it is not script code that is injected, but HTML.
  • Site vulnerabilities related to files and directories being placed in their default locations. For example, knowing the structure of the web pages, one can reach the code of the administration panel.
  • Insufficient protection of the operating system settings on the server. If such a vulnerability is present, an attacker may be able to execute arbitrary code.
  • Bad passwords. One of the most obvious site vulnerabilities is the use of weak values to protect accounts, especially the administrator account.
  • Buffer overflow. This is used when data is replaced in memory so that adjustments can be made to it. It occurs when imperfect software is involved.
  • Substituting parts of your site. An exact copy of the website is created; an unsuspecting user logs into it, falls for the trick and enters personal details, which after a while are passed to the attacker.
  • Denial of service. This term generally refers to an attack on a server in which it receives a huge number of requests that it cannot handle, and simply "crashes" or becomes unable to serve real users. The vulnerability is that the IP filter is not configured correctly.

Scanning a site for vulnerabilities

Security specialists carry out a special audit of a web resource for errors and flaws that could lead to it being hacked. Such site checking is called pentesting. The process analyses the source code used by the CMS, the presence of vulnerable modules, and many other interesting tests.

SQL injection

This type of site test determines whether the scripts filter the values they receive when preparing database queries. A simple test can be performed manually. How do you find a SQL vulnerability on a site? That is discussed next.

For example, there is a site my-sayt.rf. Its main page has a catalogue. Going into it, you will find something like my-sayt.rf/?product_id=1 in the address bar. This is most likely a query to the database. To find a site vulnerability, first try substituting a single quote into the string. The result is my-sayt.rf/?product_id=1'. If, after pressing the "Enter" key, an error message appears on the page, the vulnerability exists.

Now various options for selecting values can be used: concatenation operators, comments and many others.
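The single-quote check above works because the parameter is pasted straight into the SQL text. The following added example (not code from the original article; the catalogue table and the my-sayt.rf lookup are constructed stand-ins) reproduces that behaviour with SQLite and shows the fix: a bound parameter is sent separately from the statement, so the same input matches nothing instead of raising a database error.

```python
import sqlite3

# Constructed sample catalogue standing in for the site's real database (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "kettle"), (2, "toaster")])
    return conn

def lookup_unsafe(conn, product_id):
    # The pattern the manual test probes: the parameter becomes part of the SQL
    # text, so a stray quote changes the statement itself and the database errors.
    sql = "SELECT name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, product_id):
    # Parameter binding: the driver sends the value separately from the SQL,
    # so "1'" is compared as plain data and simply matches no row.
    return conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()

def valid_product_id(value):
    # Additional input filtering: a product id must be a plain positive integer.
    return value.isdigit() and not value.startswith("0")

def probe(handler, product_id):
    """Run one lookup; return 'error' if the database raised (the signal the
    article describes), otherwise the list of product names returned."""
    conn = make_db()
    try:
        return [row[0] for row in handler(conn, product_id)]
    except sqlite3.Error:
        return "error"
    finally:
        conn.close()

if __name__ == "__main__":
    for pid in ("1", "1'"):
        print(f"product_id={pid!r}: valid={valid_product_id(pid)} "
              f"unsafe -> {probe(lookup_unsafe, pid)}, safe -> {probe(lookup_safe, pid)}")
```

Run it and the unsafe handler reports an error for `1'` while the safe handler returns an empty result; the whitelist check rejects the value before it reaches the database at all.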

XSS

This type of vulnerability comes in two kinds: active and passive.

Active means injecting malicious code into the database or into a file on the server. It is more dangerous and insidious.

The passive kind involves luring the victim to a specific site address that contains malicious code.

Using XSS, an attacker can steal cookies, and they may contain important user data. An even worse consequence is a stolen session.

An attacker can also use a script on the site so that, when a form is submitted, the information the user entered goes directly into the attacker's hands.
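The two defences that follow from this section are output encoding (so injected markup is rendered as text) and marking the session cookie so scripts cannot read it. The added example below is not from the original article; the page template, the cookie name and the token value are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

def render_unsafe(name):
    # Reflects user input straight into the page: any markup in `name` becomes
    # part of the document and a script tag would execute.
    return f"<p>Hello, {name}!</p>"

def render_safe(name):
    # Output encoding: < > & " ' become entities, so the browser shows the
    # characters instead of interpreting them as HTML.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def session_cookie_header(token):
    # HttpOnly keeps the cookie out of document.cookie, so an injected script
    # cannot read the session id; Secure and SameSite limit where it is sent.
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output()

if __name__ == "__main__":
    # Constructed input of the kind a scanner submits when testing a form.
    payload = "<script>alert(1)</script>"
    print(render_unsafe(payload))
    print(render_safe(payload))
    print(session_cookie_header("constructed-token-123"))
```

Escaping is context-specific: `html.escape` is correct for element content and quoted attributes, but values placed inside a script block or a URL need the encoding appropriate to that context.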

Programs for automated vulnerability searching

On the network you can find many interesting site vulnerability scanners. Some come on their own, others come bundled with several similar tools in a single image, such as Kali Linux. Below is an overview of the most popular tools for automating the process of gathering information about vulnerabilities.

Nmap

A simple website vulnerability scanner that can show details such as ports, the operating system in use, and services. Typical usage:

nmap -sS 127.0.0.1, where the local IP address is replaced by the address of the site actually being tested.

The report will say which services are running on it and which ports are open at the moment. Based on this information, you can try to use vulnerabilities that have already been identified.

Here are a few switches that change how nmap scans:

  • -A. An aggressive scan that produces a lot of information, but takes somewhat longer.
  • -O. Tries to identify the operating system used on your server.
  • -D. Spoofs the IP address from which the check is performed, so that it is impossible to tell from the server logs where the attack came from.
  • -p. A port range. Checks several services for being open.
  • -S. Lets you specify the desired IP address.

WPScan

This program for checking a site for vulnerabilities is included in the Kali Linux distribution. It is designed to check web resources running the WordPress CMS. It is written in Ruby, so it is run like this:

ruby ./wpscan.rb --help. This command shows all the available options and switches.

A simple test can be run with the command:

ruby ./wpscan.rb --url some-sayt.ru

Overall, WPScan is a fairly easy-to-use utility for checking your WordPress site for vulnerabilities.

Nikto

A vulnerability checking program, also available in the Kali Linux distribution. For all its simplicity it offers rich capabilities:

  • scanning over the HTTP and HTTPS protocols;
  • many built-in detection tools;
  • scanning of many ports, even in a non-standard range;
  • support for proxy servers;
  • the ability to write and connect plug-ins.

To run Nikto, Perl must be installed on the system. A simple analysis is performed like this:

perl nikto.pl -h 192.168.0.1

The program can also be "fed" a text file listing web server addresses:

perl nikto.pl -h file.txt

This tool helps not only security specialists performing a pentest, but also network and resource administrators keeping their sites healthy.

Burp Suite

A very powerful tool for checking not only sites but any network. It has a built-in function for modifying the requests sent to the server under test. Its smart scanner can automatically search for several types of vulnerabilities at once. The results of the current session can be saved and work resumed later. It is possible not only to use third-party plug-ins, but also to write your own.

The utility has its own graphical interface, which is undoubtedly convenient, especially for users who are just starting out.

SQLmap

Probably the most convenient and powerful tool for finding SQL and XSS vulnerabilities. Its feature list can be summarised as follows:

  • support for almost all types of database management system;
  • the ability to use six basic techniques to detect and exploit SQL injection;
  • a mode that enumerates users, their hashes, passwords and other details.

Before using SQLmap, a vulnerable site is usually located first using dorks, i.e. specially formed search engine queries that help sift out the web resources of interest.

The page address is then passed to the program, and it performs the check. If the check succeeds, the vulnerability description and the utility itself can be used to gain full access to the resource.

Webslayer

A small utility that lets you carry out brute-force attacks. It can "brute force" forms, parameters and site sessions. It supports multithreading, which greatly improves performance. It can also recursively guess passwords on nested pages. Proxy support is available.

Resources for checking

On the network there are several tools for checking sites for vulnerabilities online:

  • coder-diary.ru. A simple site for testing. Just enter the address of the resource and click "Check". The search can take a long time, so you can specify your e-mail address to receive the result directly when the check finishes. The site knows about 2,500 vulnerabilities.
  • https://cryptoreport.websecurity.symantec.com/checker/. An online service from Symantec for checking SSL and TLS certificates. Only the address of the resource is required.
  • https://find-xss.net/scanner/. The project is a standalone PHP file that scans websites, or a ZIP archive, for vulnerabilities. You can specify the file types to check and the characters used to escape data in the scripts.
  • http://insafety.org/scanner.php. A scanner for testing sites on the "1C-Bitrix" platform. The interface is simple and clear.

An algorithm for vulnerability scanning

Any network security specialist performs a check using a simple algorithm:

  1. First, manually or with automated tools, analyse whether there are any vulnerabilities on the site. If there are, determine their type.
  2. Depending on the type of vulnerability present, plan the next moves. For example, if the CMS is known, choose the appropriate attack method; if it is SQL injection, choose the queries to the database.
  3. The main goal is to obtain privileged access to the administration panel. If that is not possible, it may be worth trying to forge an address with an injected script and then direct the victim to it.
  4. If an attack or penetration fails, data collection begins: are there further vulnerabilities, and what flaws are present.
  5. Based on the collected data, the security specialist tells the site owner about the problems and how to solve them.
  6. The vulnerabilities are eliminated either by the specialist personally or with the help of third-party experts.

A few security tips

Those who develop their own website will find these simple tips and tricks useful.

Incoming data must be filtered so that scripts or queries cannot run on their own or give out data from the database.

Use complex, strong passwords for access to the administration panel, in order to prevent a possible brute-force attack.

If the website is based on a CMS, it must be updated as often as possible, and only verified plugins, templates and modules should be used. Do not overload the site with unnecessary components.

Check the server logs more often for any suspicious events or actions.

Check your site with several scanners and services.

Correct server configuration is the key to its stable and secure operation.

If possible, use an SSL certificate. This prevents personal or confidential data from being intercepted between the server and the user.

Security tools. It makes sense to install or connect software that prevents intrusions and external threats.
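The advice to check server logs for suspicious activity can be turned into a small detector. The added example below (not code from the original article) parses access-log lines in the common Apache/nginx format, flags query-string values that carry a single quote or HTML markup, i.e. the probes described in the SQL injection and XSS sections, and counts repeated POSTs to the login page per address as a brute-force indicator. The log lines, addresses, the login path and the threshold are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (assumption: the real server's format may differ).
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /?product_id=1 HTTP/1.1" 200 512',
        '203.0.113.5 - - [10/Mar/2018:12:00:02 +0000] "GET /?product_id=1%27 HTTP/1.1" 500 233',
        '198.51.100.7 - - [10/Mar/2018:12:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 340',
    ]
    + [
        f'198.51.100.7 - - [10/Mar/2018:12:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 120'
        for s in range(6)
    ]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]", re.I)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def query_findings(path):
    """Decode the query string and report values that look like injection probes."""
    findings = []
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if "'" in value:
            findings.append(f"single quote in {key}")
        if MARKUP_RE.search(value):
            findings.append(f"markup in {key}")
    return findings

def analyse(log_text, login_path="/wp-login.php", login_threshold=5):
    """Scan a log; return injection probes and addresses exceeding the login threshold."""
    probes = []
    logins = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        for reason in query_findings(rec["path"]):
            probes.append((rec["ip"], rec["path"], reason))
        if rec["method"] == "POST" and urlsplit(rec["path"]).path == login_path:
            logins[rec["ip"]] += 1
    floods = {ip: n for ip, n in logins.items() if n >= login_threshold}
    return {"probes": probes, "login_floods": floods}

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, path, reason in result["probes"]:
        print(f"probe from {ip}: {reason} ({path})")
    for ip, n in result["login_floods"].items():
        print(f"possible brute force from {ip}: {n} login attempts")
```

The quote and markup checks are deliberately simple signals for a first look at the logs; a production setup would feed the same fields into a proper intrusion detection system rather than a regular expression.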

Conclusion

This article turned out to be fairly long, but even so it is not enough to describe every aspect of network security in detail. To cope with the problem of information security, you need to study many materials and manuals, and also master a number of tools and technologies. You can seek advice and help from professional companies that perform pentests and audits of web resources. Although these services will cost a decent amount, the security of a site can be worth far more, both economically and in terms of reputation.

Copyright © 2018 xh.unansea.com. Theme powered by WordPress.