Preface
After nearly a year's hard work, I have finally finished this book. It is my third book, and it mainly discusses network security attack and defense technology from the professional angle of Web penetration, reproducing Web penetration scenes as faithfully as possible. Each part represents a specific scene. This book is a summary of several years of my work, and in it I share all of those results with you.
This book is another security book that builds on my last book, Case Analysis of Hacker's Attack and Defense and Actual Combat, and it mainly discusses Web penetration attack and defense technology. Attack and protection form a dialectical unity: if you master the attack technology, you will master the protection technology. Web penetration is the most popular technology in network security attack and defense. By infiltrating the Web server and using the information found there, the tester gradually penetrates into the company or large-scale network and finally achieves the purpose of the infiltration.
Network security has been particularly popular in the last two years, and it can be said that working in network security is still one of the promising occupations. At present there is a shortage of talent in the field. Especially since the user databases of CSDN, Tianya and other large websites were leaked in 2011, major companies have been competing for security personnel. Experienced employees who master network security attack and defense technology generally earn more than 654.38+million, and those who can independently discover vulnerabilities generally earn more than 200,000. In fact, Web security penetration technology is not unattainable. As long as you set your sights on this direction, persevere, and carry out experiments and research, you will eventually become an expert. Moreover, security attack and defense technology has nothing to do with academic qualifications, and many technical experts have never been to college.
Web penetration attack and defense technology can be learned through the following methods. First, through the update notices and security articles of security websites, we can understand how vulnerabilities are formed and exploited and master their core principles. Second, we can build a local test environment for actual testing and master the methods of vulnerability utilization. Third, the website with vulnerabilities is actually run on the Internet and verified in the real environment, and methods to fix the vulnerabilities are put forward. While doing technical research, we should keep records, summarize the methods that failed and succeeded, and accumulate skills and experience. I once met a great man who had collected more than 10GB of Web vulnerability data!
This book focuses on Web penetration and defense, and mainly introduces the technology through typical penetration cases. In addition to the technical principles, each section also summarizes and refines these technologies. After mastering and understanding them, readers can carry out the penetration themselves when they encounter similar scenes. The book explains everything with easy-to-understand pictures and text, and the attack and defense scenes can be restored by following the steps in the book. By reading this book, beginners can quickly master the process of Web attack and defense and the latest technology and methods, while experienced readers can make their attack and defense technology more systematic in theory and practice and can use some of the defense methods introduced here to strengthen their server systems.
This book is divided into seven chapters, from shallow to deep, and the content is arranged according to some technical characteristics of Web attack and defense. Each section is a typical application of a specific Web attack and defense technology. At the same time, it is illustrated by a case and some classic summaries are given. The main contents of this book are arranged as follows.
Chapter 1 Essential Technology for Network Penetration
This chapter introduces some essential basic knowledge of Web penetration, such as creating and using VPN to hide yourself, obtaining operating system password, cracking MD5 password, cracking MySQL password, database recovery and so on. These technologies can be used for network penetration and network management.
Chapter 2 Google: I Love You and I Hate You
Using Google and other search engines to obtain information in support of Web penetration often produces unexpected results in some scenarios; this is also known as an Nday attack (continuous attack for several days after a 0day). While doing research on Web attack and defense technology, we can conduct actual combat drills through Google. The best effect is to catch broilers with Google technology after the internet breaks out.
Chapter 3 It's All Caused by Uploading
Uploading is one of the easiest shortcuts to get WebShell in Web penetration. This chapter introduces how to use typical editor vulnerabilities such as WebEditor, FCKeditor and CuteEditor to obtain WebShell, and also discusses how to obtain WebShell through Flash upload and file upload after login bypass.
Chapter 4 SQL Injection: The Main Force of Infiltration
SQL injection is the core technology of network penetration. This chapter mainly introduces the use of SQL injection to obtain WebShell, interspersed with a variety of scanning software and attack tools to infiltrate the Web server and enhance permissions.
Chapter 5 Advanced Infiltration Technology
This chapter introduces how to make full use of a variety of technology combinations, combined with ingenious ideas, and finally successfully penetrate some difficult Web servers.
Chapter 6 0-Day Attack
0day is an "artifact" in Web penetration, almost invincible. This chapter introduces some methods of infiltrating Web servers using 0days in Discuz! 6.0, Discuz! 7.2, Discuz! NT, PHP168, WordPress, Citrix, Art2008cms, Phpcms2008sp4, etc.
Chapter 7 Windows Privilege Escalation and Security Protection
After a WebShell is obtained, obtaining server permissions has always been the ultimate goal of Web penetration. This chapter introduces some mainstream privilege escalation methods. After mastering these methods and principles, readers can apply them by analogy to other cases. Finally, it introduces how to build a secure "abnormal" Web server.
Although the content of this book is rich and complete, it still cannot cover all the technologies of Web penetration, but through the study of this book, you can quickly understand and master the technologies of Web penetration and strengthen your own server. The purpose of this book is to discuss network security through Web penetration technology and some cases, so as to better strengthen the Web server and stay away from the threat of hackers.