├── .github
    └── ISSUE_TEMPLATE
    │   ├── bug_report.md
    │   ├── custom.md
    │   └── feature_request.md
├── README.md
└── README_CN.md


/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report
 3 | about: Create a report to help us improve
 4 | 
 5 | ---
 6 | 
 7 | **Describe the bug**
 8 | A clear and concise description of what the bug is.
 9 | 
10 | **To Reproduce**
11 | Steps to reproduce the behavior:
12 | 1. Go to '...'
13 | 2. Click on '....'
14 | 3. Scroll down to '....'
15 | 4. See error
16 | 
17 | **Expected behavior**
18 | A clear and concise description of what you expected to happen.
19 | 
20 | **Screenshots**
21 | If applicable, add screenshots to help explain your problem.
22 | 
23 | **Desktop (please complete the following information):**
24 |  - OS: [e.g. iOS]
25 |  - Browser [e.g. chrome, safari]
26 |  - Version [e.g. 22]
27 | 
28 | **Smartphone (please complete the following information):**
29 |  - Device: [e.g. iPhone6]
30 |  - OS: [e.g. iOS8.1]
31 |  - Browser [e.g. stock browser, safari]
32 |  - Version [e.g. 22]
33 | 
34 | **Additional context**
35 | Add any other context about the problem here.
36 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/custom.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Custom issue template
3 | about: Describe this issue template's purpose here.
4 | 
5 | ---
6 | 
7 | 
8 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature request
 3 | about: Suggest an idea for this project
 4 | 
 5 | ---
 6 | 
 7 | **Is your feature request related to a problem? Please describe.**
 8 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 9 | 
10 | **Describe the solution you'd like**
11 | A clear and concise description of what you want to happen.
12 | 
13 | **Describe alternatives you've considered**
14 | A clear and concise description of any alternative solutions or features you've considered.
15 | 
16 | **Additional context**
17 | Add any other context or screenshots about the feature request here.
18 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 |  # web-sec-interview
  2 | 
  3 | Information Security Industry Practitioners (Web Security / Penetration Testing) Interview Questions 1.1
  4 | 
  5 | ### README English | [中文](README_CN.md)
  6 | 
  7 | ---
  8 | 
  9 |    * Introduce the experience of burrowing (or CTF experience) that you think is interesting
 10 | 
 11 |    * What are the more vulnerabilities you usually use? The principle of related vulnerabilities? And a fix for the vulnerability?
 12 | 
 13 |    * What tools do you usually use and the characteristics of the corresponding tools?
 14 |  
 15 |    * How to do sql injection / upload Webshell if you encounter waf? Please write the process of bypassing WAF (SQLi, XSS, upload vulnerability)
 16 |    
 17 |      Refer to the following three
 18 |     
 19 |   <a href="https://xz.aliyun.com/t/265/">My Way of WafBypass (SQL Injection)</a><br />
 20 |   <a href="https://xz.aliyun.com/t/337/">My Way of WafBypass (Upload)</a><br />
 21 |   <a href="https://xz.aliyun.com/t/265/">My Way of WafBypass (Misc)</a><br />
 22 | 
 23 |    * Talk about the idea of ​​lifting the rights of Windows system and Linux system?
 24 |  
 25 |    * List all high-risk vulnerabilities of open source components that you know (more than ten)
 26 |  
 27 |    * Describe a CVE or POC that you have studied in depth.
 28 |  
 29 | 
 30 | 
 31 | * SQLi
 32 |    * How to judge sql injection, what are the methods?
 33 |     > Add single quotes, double quotes, order by, rlike, sleep, benchmark, operator, modify data type, error injection statement test
 34 |    
 35 |    * Introduce the cause of SQL injection vulnerabilities, how to prevent it? What are the injection methods? In addition to database data, what are the ways to use it?
 36 |    
 37 |    * The principle of wide character injection? How to use the wide character injection vulnerability, how to construct and repair the payload?
 38 |     > Popularly speaking, gbk, big5 and other codes account for two bytes. After the sql statement enters the backend, the single quotes are escaped. The escaped \ is %5C, and the current %xx and %5C can be combined into two. When the characters are in bytes, the subsequent single quotes can escape, resulting in injection. More common gbk, %df' =>
 39 | %df%5c%27 => 运'. Already single quotes, the rest is almost the same as normal injection.
 40 |     > Fix the way by setting the MYSQL database character set utf8mb4, PHP character set utf-8.
 41 | 
 42 |    * You all know which sql pass skills
 43 |     > This is too much, a lot of online search. Mainly depends on the filtering and protection of the target site. Common bypass can be /**/ replace spaces, /*!00000union*/ is equal to union, or use front-end filtering, add angle brackets <>. Cases are too common. If you filter functions or keywords, you can try other equivalent functions that can achieve results. Keywords such as or 1=1 can be replaced with ||1, or with operators such as /, %. The same effect. In short, still look at the requirements.
 44 | 
 45 | 
 46 |    * How does sqlmap inject an injection point?
 47 |     > If it is get type, directly, sqlmap -u "injection point URL".
 48 |     >
 49 |     > If it is post type, you can sqlmap -u "injection point URL" -data="post parameter"
 50 |     >
 51 |     > If it is a cookie type, X-Forwarded-For, etc., when you can access it, use Burpsuite to capture the package, replace it with the * mark, put it in the file, and then sqlmap -r "file address"
 52 |     
 53 |    * mysql website injection, what is the difference between 5.0 and below?
 54 |     > Below 5.0, there is no information_schema system table, can not list names, etc., can only violently run table names.
 55 |     > 5.0 is multi-user single operation, 5.0 or more is multi-user and multi-operation.
 56 |     
 57 |    * mysql injection point, use the tool to write a sentence directly to the target station, what conditions are needed?
 58 |     > root permissions and the absolute path to the site.
 59 |    
 60 |    * There is a sql injection vulnerability in the following link. What ideas do you have for this variant injection?
 61 |    > demo.do?DATA=AjAxNg==
 62 |  
 63 |    * Found demo.jsp?uid=110 injection point, what kinds of ideas do you have to get webshell, which is the best?
 64 | 
 65 | * Domain
 66 |    * Explain the same-origin policy
 67 |     > If the protocol of the two pages, the port and the domain name are the same, it can be considered to be homologous.
 68 |    
 69 |    * The same-origin strategy, those things are acquired by homology
 70 |     > read cookies, LocalStorage and IndexDB
 71 |     > read DOM elements
 72 |     > Send an AJAX request
 73 |     >
 74 |    * If the subdomain and the top-level domain have different sources, where can I set them to be homologous?
 75 |     > Probably the same subdomain, the main domain has different meanings, you can solve the cross-domain by setting document.domain in both rooms.
 76 |    * How to set up data that can be requested across domains? What does jsonp do?
 77 |     > When the primary domain is the same, cross-domain, you can set document.domain as above.
 78 |     >
 79 |     > When the primary domain is different, you can set up CORS on the server to make cross-domain requests through jsonp and websocket. H5 added the window.postMessage method to resolve cross-domain requests.
 80 |     >
 81 |     > Request json data via <script> like server, not subject to the same-origin policy.
 82 | 
 83 |    * What is the business meaning of jsonp?
 84 |    
 85 | * Ajax
 86 |    * Does Ajax follow the same-origin policy?
 87 |     > The full name of ajax is Asynchronous JavaScript and XML, asynchronous javascript and XML technology. Follow the same-origin policy, but can be circumvented by jsonp, etc.
 88 |     
 89 |    * How to use JSON injection?
 90 |     > XSS cross-site attack
 91 |     
 92 |    * What is the difference between JSON and JSONP?
 93 |    * JSONP hijacking utilization and repair plan?
 94 | 
 95 | * Browser strategy
 96 |    * What are the security policies between different browsers, such as chrome, firefox, IE
 97 |     > All three browsers follow the same-origin policy, Content Security Policy (CSP), Cookie Security Policy (httponly, Secure, Path)
 98 |     
 99 |    * What is CSP? How to set up CSP?
100 |    > CSP: Content Security Policy, content security policy. It is a security mechanism for breeding XSS attacks. The idea is to configure trusted content sources in the form of server whitelists, which can be used by client web application code.
101 | 
102 | * XSS
103 |    * What is XSS and how is it repaired?
104 |     > XSS is a cross-site scripting attack, in which data submitted by users can be constructed to execute, thus stealing user information and other attacks. Fixing method: Escape character entities, use HTTP Only to prohibit JavaScript from reading cookie values, check on input, and use the same character encoding for browser and web application.
105 |    * What happened to xss?
106 |     > Personal understanding is to safely filter the data submitted by the user and then directly input into the page, causing the execution of the js code. As for the specific scene, there is a risk that the output may be affected by xss.
107 |    * XSS persistence?
108 |    * If you are given an XSS vulnerability, what additional conditions do you need to construct a worm?
109 |     > XSS worm: XSS attacks can cause mutual infections among users in the system, causing the entire system user to fall, and the XSS vulnerability that can cause this harm becomes an XSS worm.
110 |     >
111 |     > 1. Construct a self-replicating reflective XSS
112 |     >
113 |     > 2, insert comments, message box
114 |     >
115 |     > 3. The user clicks on the link and the link content points to the same XSS vector. That is, the page of the stored type xss injected into the worm code. When the link is clicked, it will continue to cause the worm to spread.
116 |    * Where can a worm appear on social networking sites?
117 |     >Message Board/Comment/Article Post/Private Message...
118 |    * If you are called to defend against worms, what methods do you have?
119 |     > 1. Change the name of the local destructive program.
120 | 2. Close the executable file.
121 | 3. Prohibit "FileSystemObject" to effectively control the spread of VBS virus. Specific operation method: Use regsvr32 scrrun.dll /u this command to disable file system objects.
122 | 4. Open the browser's security settings.
123 |    * If you are given an XSS blind hit vulnerability, but the information returned shows that his background is on the intranet and can only be accessed using intranet, how do you use this XSS?
124 |     > github has some ready-made xss scripts for scanning intranet ports, which can be used for reference, and then further utilized according to the detected information, such as opening redis, etc., and then using the vulnerability to getshell.
125 |    * How to prevent XSS vulnerabilities, how to do it in the front end, how to do it in the back end, where is better, and why?
126 |    * How does the black box detect XSS vulnerabilities?
127 | 
128 | * CRLF injection
129 |   * Principle of CRLF injection
130 |     > CRLF is the abbreviation for carriage return + line feed. I have encountered relatively few, and I have never dug through such a hole. In short, it is generally possible to control the response of the server by submitting a malicious data containing a carriage return and a line feed. I have encountered potential CRLF after submitting a carriage return and a new line. The use of CRLF can be XSS, malicious redirect location, and set-cookie.
131 | 
132 | * CSRF
133 |    * What is CSRF? How to fix it?
134 |     > CSRF is a cross-site request forgery attack. XSS is one of many means of implementing CSRF because there is no confirmation that the user is voluntarily initiated when the critical operation is performed. Fix: Filter out the pages that need to be protected and embed the Token, enter the password again, and verify the Referer.
135 |    * What is the nature of the CSRF vulnerability?
136 |     > CSRF is a cross-site request forgery that sends a request to the server as a victim. In essence, the individual feels that the server does not check the identity of the user who submitted the operation while performing some sensitive operations.
137 |   * What are the methods to defend against CSRF? How does JAVA defend against CSRF vulnerabilities? Is token useful?
138 |    > Defense CSRF is generally plus referer and csrf_token.
139 |    > For details, please refer to this <a href="https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/index.html">CSRF attack response to CSRF attacks</a>
140 |    
141 |   * What is the difference between CSRF, SSRF and replay attacks?
142 |    > CSRF is a cross-site request forgery attack initiated by the client
143 |    >
144 |    > SSRF is server-side request forgery, initiated by the server
145 |    >
146 |    > Replay attack is to replay the intercepted data packets for identity authentication and other purposes.
147 | 
148 | * SSRF
149 |   * SSRF vulnerability principle, utilization and repair plan? What is the difference between Java and PHP SSRF?
150 | 
151 | * Logical Vulnerabilities
152 |    * Say at least three business logic vulnerabilities and how to fix them?
153 |     > 1) The password recovery vulnerability exists in the password to allow brute force cracking, the existence of universal recovery documents, the ability to skip the verification step, the recovery of the voucher can be obtained, etc. to obtain the password through the password recovery function provided by the manufacturer.
154 |     >
155 |     > 2) The most common authentication vulnerability is session fixed attack and cookie spoofing. You can fake user identity by getting Session or Cookie.
156 |     >
157 |     > 3) The verification code exists in the verification code vulnerability to allow brute force cracking, and the verification code can be bypassed by Javascript or packet modification.
158 | 
159 | * Override access (horizontal/vertical/unauthorized)
160 |  * Talk about the difference between horizontal/vertical/unauthorized unauthorized access?
161 |  * How to detect the violation of power?
162 | 
163 | * XML injection
164 |  * What is XXE? What is the repair plan?
165 |   * XXE is an XML external entity injection attack. XML can request local or remote content by calling an entity. Similar to remote file protection, it can cause related security issues, such as sensitive file reading. Repair method: The XML parsing library strictly prohibits the parsing of external entities when called.
166 | 
167 | * URL redirection
168 |  * URL whitelist bypass
169 | 
170 | * HTML5
171 |    * Talk about the new security features of HTML5
172 |     > H5 has added a lot of tags and has a lot of options to bypass the xss defense. There is also the addition of local storage, localstorage and session storage, which can be modified by xss to achieve a similar storage xss effect.
173 | <code>
174 | <video onerror=alert(1)><source>
175 | <video><sourceonerror="javascript:alert(1)"
176 | <video src=".." onloadedmetadata="alert(1)" ondurationchanged="alert(2)" ontimeupdate="alert(3)"></video>
177 | <video><sourceonerrorsourceonerrorsourceonerrorsourceonerror="javascript:alert(1)">
178 | <videopostervideopostervideopostervideoposter=”javascript:alert(1)”>
179 | </code>
180 |    * What tags should be included in the HTML5 whitelist?
181 | See <a href="https://segmentfault.com/a/1190000003756563">HTML5 Security Issues</a>
182 | 
183 | * java
184 |    * What java framework do you know about?
185 |     > struts2 , spring, spring security, shiro, etc.
186 |     >
187 |    * What is the MVC structure of java, and what is the order of data flow to the database?
188 |    * Understand the java sandbox?
189 |    * Can ibats' parameterized query control sql injection effectively? Is there a dangerous way to cause sql injection?
190 |    * Talk about the principle of two struts2 vulnerabilities
191 |    * What role does ongl play in this payload?
192 |    * What is the hexadecimal encoding of the character \u0023? Why use him in the payload?
193 |    * Does java vulnerabilities occur when executing system commands? What statements are there in java, methods can execute system commands
194 |    * If you are asked to fix an xss vulnerability, will you fix it in that layer of the java program?
195 |    * Where is the xss filter set in the java program?
196 |    * Say what problems may exist in the security of java class reflections
197 |    * The principle of Java deserialization vulnerability? Solution?
198 | 
199 | * PHP
200 |    * What methods are available in php to prevent errors from being echoed?
201 |     > php's configuration file php.ini has been modified. When display_errors = On is changed to display_errors = off, there is no error message.
202 |     > Add error_reporting(0) at the beginning of the php script; it can also achieve the effect of closing the error.
203 |     > In addition to the above, you can also add @ in front of the execution statement
204 |    * What security features can be set by php.ini
205 |    
206 |     > Close the error, set open_basedir, disable the dangerous function, open gpc. There is a specific article on the security configuration, which belongs to the scope of operation and maintenance.
207 |     >
208 |    * What is the principle of php's %00 truncation?
209 |    
210 |     > Exist in version 5.3.4, generally use the truncation of the file name when the file is uploaded, or there may be a 00 stage when the file is operated. For example, filename=test.php%00.txt will be truncated to test.php, and 00 is ignored. When the system reads the file name, if it encounters 0x00, it will consider that the reading has ended.
211 |     >
212 |    * php webshell detection, what are the methods?
213 |     > Personally, there are two types of static detection and dynamic detection. Static detection, such as finding dangerous functions, such as eval, system, etc. Dynamic detection is the action to be performed when the script is running, such as file operations, socket operations, and so on. The specific method can be detected by D shield or other killing software, and now there is webshell recognition based on machine learning.
214 |     >
215 |    * php LFI, what is the principle of local vulnerability? Write a code with a vulnerability. How to find out by hand? How do you traverse the file if there is no error returning?
216 |    * The principle of php deserialization vulnerability? Solution?
217 | 
218 | * Middleware
219 |    * What security hardening does tomcat do?
220 |    * If tomcat restarts, under webapps, will the background you delete be back again?
221 |    * Common web server middleware container.
222 |     > IIS, Apache, nginx, Lighttpd, Tomcat
223 |     >
224 |     * What are the more common middleware containers in JAVA?
225 |     > Tomcat/Jetty/JBOSS/WebLogic/Coldfusion/Websphere/GlassFish
226 |    * Talk about common middleware parsing exploits
227 |     > IIS 6.0
228 |      > /xx.asp/xx.jpg "xx.asp" is the folder name
229 |      >
230 |     > IIS 7.0/7.5
231 |     > Default Fast-CGI is enabled. Enter /1.php directly after the image address in the url, and the normal image will be parsed as php.
232 |     >
233 |     > Nginx
234 |      > The version is less than or equal to 0.8.37. The method is the same as IIS 7.0/7.5, and the Fast-CGI can be used when it is closed.
235 |      > empty byte code xxx.jpg%00.php
236 |      >
237 |     > Apache
238 |      > The uploaded file is named test.php.x1.x2.x3, and Apache is suffixed from right to left.
239 |      >
240 |     > lighttpd
241 |      > xx.jpg/xx.php
242 |      >
243 |    * How does Redis' unauthorized access vulnerability exploit?
244 | 
245 | * Database
246 |    * What is the difference between MySQL UDF and 5.1 and above, and what are the conditions?
247 |    
248 |    > 1) Mysql version is larger than 5.1 version udf.dll file must be placed in the lib\plugin folder under the MYSQL installation directory.
249 |    >
250 |    > 2) Mysql version is less than version 5.1. The udf.dll file is placed in c:\windows\system32 under Windows 2003 and c:\winnt\system32 under windows2000.
251 |    >
252 |    > 3) Master the mysql database account has the mysql insert and delete permissions to create and discard the function, generally the root account is better, with the other accounts of the root account can also be used.
253 |    >
254 |    > 4) Permission to write udf.dll to the appropriate directory.
255 | 
256 |    * What libraries are available by default in the mysql database? Say the name of the library
257 |    
258 |     > infomation_schema, msyql, performance_scheme, test
259 |     >
260 |    * mysql username and password are stored in that table? What encryption method does mysql password use?
261 |     > The user table under the mysql database.
262 |     >
263 |    * mysql table permissions, in addition to additions and deletions to change the check, file read and write, what permissions?
264 |    * How to do mysql security?
265 |    * How to private sqlserver public permission
266 |    * Windows, Linux, database reinforcement and power reduction ideas, choose one
267 | 
268 | * Linux
269 |    * Briefly describe what needs to be done for Linux system security hardening
270 |    * What tools do you use to determine if the system has a back door?
271 |    * What is Selinux for Linux? How to set up Selinux?
272 |    * Which layer of iptables work in the TCPIP model?
273 |    * If the kernel cannot be upgraded, how can I ensure that the system is not authorized by the known exp?
274 |    * What are the logs in syslog? Where to find the log of the installation software?
275 |    * How to query the login log of ssh? How to configure the log format of syslog?
276 |    * Can syslog be viewed directly using tools such as vi? Is it a binary file?
277 |    * How do you respond to an emergency if a Linux server is compromised?
278 |    * Common commands for bounce shells? Which kind of shell does it usually rebound? why?
279 | 
280 | * Emergency Response
281 |   * What kinds of backdoor implementations are there?
282 |   * What is the idea of ​​webshell detection?
283 |   * After the Trojan in the Linux server, please briefly describe the emergency ideas?
284 |   * How should I respond to an emergency after encountering a new 0day\ (such as Struts2\)?
285 |   * In which directions can the security assessment be conducted before the new business goes online?
286 |   * From which directions can the existing system be audited to find out the security risks?
287 | 
288 | * Information Collection
289 |    * What information is collected when you step on the point?
290 |    * The role of DNS in penetration
291 |    * How to get around the CDN to get the real IP of the target website, talk about your ideas?
292 |  
293 |     <a href="https://zhuanlan.zhihu.com/p/33440472">Summary of ways to bypass the CDN to find real IP on the site</a>
294 |     
295 |    * If you are given a website, what is your penetration testing idea?
296 | Subject to written authorization
297 | 
298 |     * 1. Information collection
299 |     > 1) Obtain the whois information of the domain name, obtain the registrant's email name and phone number.
300 |     >
301 |     > 2) Query the server side station and the sub-domain name site, because the main station is generally difficult, so first look at the side stations for general-purpose cms or other vulnerabilities.
302 |     >
303 |     > 3) View the server operating system version, web middleware, to see if there are known vulnerabilities, such as IIS, APACHE, NGINX parsing vulnerabilities
304 |     >
305 |     > 4) View the IP, perform an IP address port scan, and perform vulnerability detection on the responding port, such as rsync, heart bleeding,
306 |      Mysql, ftp, ssh weak password, etc.
307 |     > 5) Scan the site directory structure to see if you can traverse the directory, or sensitive file leaks, such as php probe
308 |     >
309 |     > 6) google hack further probes website information, background, sensitive files
310 |     
311 |     * 2. Vulnerability scanning
312 |     > Start detecting vulnerabilities such as XSS, CSRF, SQL injection, code execution, command execution, unauthorized access, directory read, arbitrary file read,
313 |      Download, file contains, remote command execution, weak password, upload, editor vulnerability, brute force, etc.
314 |     * 3. Exploitation
315 |     > Get the webshell or other permissions using the above method
316 |     * 4. Privilege promotion
317 |     > Elevate the server, such as mysql udf privilege under windows, serv-u privilege, windows low version of the vulnerability, such as iis6, pr,
318 |      Brazilian barbecue
319 |     > linux dirty cow vulnerability, linux kernel version vulnerabilities, mysql root privilege under linux and oracle low privilege
320 |     * 5. Log cleaning
321 |     * 6. Summary report and repair plan
322 | 
323 | 
324 |    * In the infiltration process, what is the value of collecting the target station registrant mailbox for us?
325 |    
326 |     > 1) Drop the social library to see if there is any password leaked, and then try to log in to the background with the leaked password.
327 |     >
328 |     > 2) Use the mailbox as a keyword to throw into the search engine.
329 |     >
330 |     > 3) Use the searched related information to find other mails and get the common social accounts.
331 |     >
332 |     > 4) Social workers find social accounts, which may find the administrator's habit of setting passwords.
333 |     >
334 |     > 5) Use the existing information to generate a dedicated dictionary.
335 |     >
336 |     > 6) Observe what non-popular websites the administrator often visits, take it, and you will get more good things.
337 |     
338 |    * What is the significance of determining the CMS of the website for infiltration?
339 |    
340 |     > 1) Find vulnerable bugs on the web.
341 |     >
342 |     > 2) If open source, you can also download the corresponding source code for code auditing.
343 |     >
344 |     > 3) A mature and relatively safe CMS, the meaning of sweeping the catalog when infiltrating?
345 |     >
346 |     > 4) sensitive files, secondary directory scanning
347 |     >
348 |     > 5) The misoperation of the webmaster such as: compressed files of the website backup, description.txt, secondary directory may store other sites
349 | 


--------------------------------------------------------------------------------
/README_CN.md:
--------------------------------------------------------------------------------
  1 |  # web-sec-interview
  2 | 
  3 | 信息安全行业从业者(Web安全/渗透测试方向)面试题目1.1
  4 | 
  5 | ### README [English](README.md) | 中文
  6 | 
  7 | ---
  8 | 
  9 |    * 介绍一下自认为有趣的挖洞经历（或CTF经历）
 10 | 
 11 |    * 你平时用的比较多的漏洞是哪些？相关漏洞的原理？以及对应漏洞的修复方案？
 12 | 
 13 |    * 你平时使用哪些工具?以及对应工具的特点?
 14 |  
 15 |    * 如果遇到waf的情况下如何进行sql注入/上传Webshell怎么做？请写出曾经绕过WAF的经过(SQLi，XSS，上传漏洞选一) 
 16 |    
 17 |      参考以下三篇
 18 |     
 19 |    * <a href="https://xz.aliyun.com/t/265/">我的WafBypass之道（SQL注入篇）</a><br />
 20 |    * <a href="https://xz.aliyun.com/t/337/">我的WafBypass之道（Upload篇）</a><br />
 21 |    * <a href="https://xz.aliyun.com/t/265/">我的WafBypass之道（Misc篇）</a><br />
 22 | 
 23 |    * 谈一谈Windows系统与Linux系统提权的思路？  
 24 |  
 25 |    * 列举出您所知道的所有开源组件高危漏洞(十个以上)  
 26 |  
 27 |    * 描述一个你深入研究过的 CVE 或 POC。
 28 |  
 29 | 
 30 | 
 31 | * SQLi
 32 |    * 如何判断sql注入，有哪些方法
 33 |     > 添加单引号，双引号，order by, rlike,sleep，benchmark，运算符，修改数据类型，报错注入语句测试
 34 |    
 35 |    * 介绍 SQL 注入漏洞成因，如何防范？注入方式有哪些？除了数据库数据，利用方式还有哪些？
 36 |    
 37 |    * 宽字符注入的原理？如何利用宽字符注入漏洞，payload如何构造及修复方案？
 38 |     > 通俗讲，gbk，big5等编码占了两个字节，sql语句进后端后对单引号等进行了转义，转义\为%5C，当前面的%xx与%5C能结合成两个字节的字符时候，就可以使后面的单引号逃逸，从而造成注入。比较常见的gbk，%df' =>
 39 | %df%5c%27 => 運' 。已经可以单引号了，剩下的就和普通注入差不多了。
 40 |     > 修复方式通过设置MYSQL数据库字符集utf8mb4，PHP字符集utf-8。
 41 | 
 42 |    * 你都了解哪些sql 的bypass技巧
 43 |     > 这种太多了，网上一搜一大把。主要还是看目标站点的过滤和防护，常见bypass可以是/**/替换空格，/*!00000union*/ 等于union，或者利用前端过滤，添加尖括号<>。大小写什么的都太常见了，如果过滤了函数或者关键字，可以尝试其他能达到效果的同等函数，关键字比如or 1=1可以用||1替换，或者用运算符比如/，%达到相同的效果。总之，还是看要求。
 44 | 
 45 | 
 46 |    * sqlmap如何对一个注入点注入?
 47 |     > 如果是get型，直接，sqlmap -u “注入点网址”. 
 48 |     >
 49 |     > 如果是post型，可以sqlmap -u “注入点网址” –data=”post的参数” 
 50 |     >
 51 |     > 如果是cookie型，X-Forwarded-For等，可以访问的时候，用burpsuite抓包，注入处用*号替换，放到文件里，然后sqlmap -r “文件地址”
 52 |     
 53 |    * mysql的网站注入，5.0以上和5.0以下有什么区别？
 54 |     > 5.0以下没有information_schema这个系统表，无法列表名等，只能暴力跑表名。
 55 |     > 5.0以下是多用户单操作，5.0以上是多用户多操做。
 56 |     
 57 |    * mysql注入点，用工具对目标站直接写入一句话，需要哪些条件？
 58 |     > root权限以及网站的绝对路径。
 59 |    
 60 |    * 以下链接存在 sql 注入漏洞，对于这个变形注入，你有什么思路？ 
 61 |    > demo.do?DATA=AjAxNg== 
 62 |  
 63 |    * 发现 demo.jsp?uid=110 注入点，你有哪几种思路获取 webshell，哪种是优选？ 
 64 | 
 65 | * Domain
 66 |    * 解释一下同源策略
 67 |     > 如果两个页面的协议，端口和域名相同，则可认为是同源。
 68 |    
 69 |    * 同源策略，那些东西是同源可以获取到的
 70 |     > 读取cookie， LocalStorage 和 IndexDB
 71 |     > 读取DOM元素
 72 |     > 发送AJAX请求
 73 |     > 
 74 |    * 如果子域名和顶级域名不同源，在哪里可以设置叫他们同源
 75 |     > 大概就是子域相同，主域不同的意思吧，可以通过在两房都设置document.domain来解决跨域。
 76 |    * 如何设置可以跨域请求数据？jsonp是做什么的？
 77 |     > 主域相同时跨域，可以像上面那样设置document.domain.
 78 |     >
 79 |     > 主域不同时，可以通过jsonp，websocket，在服务端设置CORS进行跨域请求。H5新增window.postMessage方法解决跨域请求。
 80 |     >
 81 |     > 通过<script>像服务器请求json数据，不受同源策略限制。
 82 | 
 83 |    * jsonp的业务意义？
 84 |    
 85 | * Ajax
 86 |    * Ajax是否遵循同源策略？
 87 |     > ajax全名是Asynchronous JavaScript and XML ，异步的javascript和XML技术。遵循同源策略，但是可以通过jsonp等进行规避。
 88 |     
 89 |    * JSON注入如何利用？
 90 |     > XSS跨站攻击
 91 |     
 92 |    * JSON和JSONP的区别？
 93 |    * JSONP劫持利用方式及修复方案？
 94 | 
 95 | * 浏览器策略
 96 |    * 不同浏览器之间，安全策略有哪些不同，比如chrome，firefox，IE
 97 |     > 三种浏览器都遵循同源策略，内容安全策略(CSP), Cookie安全策略（httponly, Secure, Path）
 98 |     
 99 |    * CSP是什么？如何设置CSP？
100 |    > CSP：Content Security Policy，内容安全策略。是繁育XSS攻击的一种安全机制，其思想是以服务器白名单的形式来配置可信的内容来源，客户端Web应用代码可以使用这些安全来源。
101 | 
102 | * XSS
103 |    * XSS是什么，修复方式是？
104 |     > XSS是跨站脚本攻击，用户提交的数据中可以构造代码来执行，从而实现窃取用户信息等攻击。修复方式：对字符实体进行转义、使用HTTP Only来禁止JavaScript读取Cookie值、输入时校验、浏览器与Web应用端采用相同的字符编码。 
105 |    * xss的发生场景？
106 |     > 个人理解是对用户提交数据为进行安全的过滤然后直接输入到页面当中，造成js代码的执行。至于具体场景，有输出的地方就有可能被xss的风险。
107 |    * XSS持久化？
108 |    * 如果给你一个XSS漏洞，你还需要哪些条件可以构造一个蠕虫？
109 |     > XSS蠕虫：XSS攻击可能会造成系统中用户间的互相感染，导致整个系统用户的沦陷，能够造成这种危害的XSS漏洞成为XSS蠕虫。
110 |     >
111 |     > 1、构造一个具有自我复制的反射型XSS
112 |     >
113 |     > 2、插入评论、留言框
114 |     >
115 |     > 3、用户点击链接，链接内容指向同样的XSS向量。也就是注入了蠕虫代码的的存在存储型xss的页面。链接被点击后将继续造成蠕虫传播。
116 |    * 在社交类的网站中，哪些地方可能会出现蠕虫？
117 |     >留言板/评论/文章发布/私信...
118 |    * 如果叫你来防御蠕虫，你有哪些方法？
119 |     > 1、将本地带有破坏性的程序改名字。
120 | 2、关闭可执行文件。
121 | 3、禁止“FileSystemObject”就可以有效的控制VBS病毒的传播。具体操作方法：用regsvr32 scrrun.dll /u这条命令就可以禁止文件系统对象。
122 | 4、开启浏览器的安全设置。
123 |    * 如果给你一个XSS盲打漏洞，但是返回来的信息显示，他的后台是在内网，并且只能使用内网访问，那么你怎么利用这个XSS？
124 |     > github有一些现成的xss扫描内网端口的脚本，可以参考利用，再根据探测出来的信息进一步利用，比如开了redis等，再就是利用漏洞去getshell.
125 |    * 如何防范 XSS 漏洞，在前端如何做，在后端如何做，哪里更好，为什么？
126 |    * 黑盒如何检测XSS漏洞？
127 | 
128 | * CRLF注入
129 |   * CRLF注入的原理
130 |     > CRLF是回车+换行的简称。碰得比较少，基本没挖到过这种洞，简而言之一般是可以通过提交恶意数据里面包含回车，换行来达到控制服务器响应头的效果。碰到过潜在的CRLF都是提交回车和换行之后就500了。CRLF的利用可以是XSS，恶意重定向location，还有set-cookie.
131 | 
132 | * CSRF
133 |    * CSRF是什么？修复方式？
134 |     > CSRF是跨站请求伪造攻击，XSS是实现CSRF的诸多手段中的一种，是由于没有在关键操作执行时进行是否由用户自愿发起的确认。修复方式：筛选出需要防范`的页面然后嵌入Token、再次输入密码、检验Referer。
135 |    * CSRF漏洞的本质是什么？
136 |     > CSRF即跨站请求伪造，以受害者的身份向服务器发送一个请求。本质上个人觉得是服务端在执行一些敏感操作时候对提交操作的用户的身份校检不到位。
137 |   * 防御CSRF都有哪些方法，JAVA是如何防御CSRF漏洞的，token一定有用么？
138 |    > 防御CSRF一般是加上referer和csrf_token.
139 |    > 具体可以参考这篇<a href="https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/index.html">CSRF攻击的应对之道</a>
140 |    
141 |   * CSRF、SSRF和重放攻击有什么区别？ 
142 |    > CSRF是跨站请求伪造攻击，由客户端发起 
143 |    >
144 |    > SSRF是服务器端请求伪造，由服务器发起 
145 |    >
146 |    > 重放攻击是将截获的数据包进行重放，达到身份认证等目的
147 | 
148 | * SSRF
149 |   * SSRF漏洞原理、利用方式及修复方案？Java和PHP的SSRF区别？
150 | 
151 | * 逻辑漏洞
152 |    * 说出至少三种业务逻辑漏洞，以及修复方式？ 
153 |     > 1)密码找回漏洞中存在密码允许暴力破解、存在通用型找回凭证、可以跳过验证步骤、找回凭证可以拦包获取等方式来通过厂商提供的密码找回功能来得到密码 
154 |     >
155 |     > 2)身份认证漏洞中最常见的是会话固定攻击和 Cookie 仿冒，只要得到 Session 或 Cookie 即可伪造用户身份 
156 |     >
157 |     > 3)验证码漏洞中存在验证码允许暴力破解、验证码可以通过 Javascript 或者改包的方法来进行绕过
158 | 
159 | * 越权访问(水平/垂直/未授权)
160 |  * 谈谈水平/垂直/未授权越权访问的区别?
161 |  * 越权问题如何检测？
162 | 
163 | * XML注入
164 |  * XXE是什么？修复方案是？
165 |   * XXE是XML外部实体注入攻击，XML中可以通过调用实体来请求本地或者远程内容，和远程文件保护类似，会引发相关安全问题，例如敏感文件读取。修复方式：XML解析库在调用时严格禁止对外部实体的解析。
166 | 
167 | * URL重定向
168 |  * URL白名单绕过
169 | 
170 | * HTML5
171 |    * 说说HTML5有哪些新的安全特性
172 |     > H5新增了不少标签，在绕过xss防御方面多了不少选择。还有就是新增了本地存储，localstorage 和session storage,可以通过xss修改本地存储达到类似一个存储xss的效果。
173 | <code>
174 | <video onerror=alert(1)><source>
175 | <video><sourceonerror="javascript:alert(1)"
176 | <video src=".." onloadedmetadata="alert(1)" ondurationchanged="alert(2)" ontimeupdate="alert(3)"></video>
177 | <video><sourceonerrorsourceonerrorsourceonerrorsourceonerror="javascript:alert(1)“>
178 | <videopostervideopostervideopostervideoposter=”javascript:alert(1)”> 
179 | </code>
180 |    * HTML5白名单要有哪些标签
181 | 参考<a href="https://segmentfault.com/a/1190000003756563">HTML5安全问题</a>
182 | 
183 | * java
184 |    * 你都了解哪些java框架？
185 |     > struts2 ,spring,spring security, shiro 等
186 |     > 
187 |    * java的MVC结构都是做什么的，数据流向数据库的顺序是什么？
188 |    * 了解java沙箱吗？
189 |    * ibats的参数化查询能不能有效的控制sql注入？有没有危险的方法可以造成sql注入？
190 |    * 说说两次struts2漏洞的原理
191 |    * ongl在这个payload中起了什么作用？
192 |    * \u0023是什么字符的16进制编码？为什么在payload中要用他？
193 |    * java会不会发生执行系统命令的漏洞？java都有哪些语句，方法可以执行系统命令
194 |    * 如果叫你修复一个xss漏洞，你会在java程序的那个层里面进行修复？
195 |    * xss filter在java程序的哪里设置？
196 |    * 说下java的类反射在安全上可能存在哪些问题
197 |    * Java反序列化漏洞的原理?解决方案?
198 | 
199 | * PHP
200 |    * php里面有哪些方法可以不让错误回显？
201 |     > php的配置文件php.ini进行了修改，display_errors = On 修改为 display_errors = off时候就没有报错提示。
202 |     > 在php脚本开头添加error_reporting(0); 也可以达到关闭报错的作用
203 |     > 除了上面的，还可以在执行语句前面添加@
204 |    * php.ini可以设置哪些安全特性
205 |    
206 |     > 关闭报错，设置open_basedir，禁用危险函数，打开gpc。有具体的文章介绍安全配置这一块，属于运维的工作范围。
207 |     > 
208 |    * php的%00截断的原理是什么？
209 |    
210 |     > 存在于5.3.4版本下，一般利用在文件上传时文件名的截断，或者在对文件进行操作时候都有可能存在00阶段的情况。 如filename=test.php%00.txt 会被截断成test.php，00后面的被忽略。系统在对文件名读取时候，如果遇到0x00,就会认为读取已经结束了。
211 |     > 
212 |    * php webshell检测，有哪些方法
213 |     > 个人知道的大体上分为静态检测和动态检测两种。静态检测比如查找危险函数，如eval，system等。动态检测是检测脚本运行时要执行的动作，比如文件操作，socket操作等。具体方法可以是通过D盾或者其他查杀软件进行查杀，现在也有基于机器学习的webshell识别。
214 |     > 
215 |    * php的LFI，本地包含漏洞原理是什么？写一段带有漏洞的代码。手工的话如何发掘？如果无报错回显，你是怎么遍历文件的？
216 |    * php反序列化漏洞的原理?解决方案?
217 | 
218 | * 中间件
219 |    * tomcat要做哪些安全加固？
220 |    * 如果tomcat重启的话，webapps下，你删除的后台会不会又回来？
221 |    * 常见的网站服务器中间件容器。
222 |     > IIS、Apache、nginx、Lighttpd、Tomcat
223 |     >
224 |     * JAVA有哪些比较常见的中间件容器？
225 |     > Tomcat/Jetty/JBOSS/WebLogic/Coldfusion/Websphere/GlassFish
226 |    * 说说常见的中间件解析漏洞利用方式  
227 |     > IIS 6.0
228 |      > /xx.asp/xx.jpg "xx.asp"是文件夹名
229 |      > 
230 |     > IIS 7.0/7.5
231 |     > 默认Fast-CGI开启，直接在url中图片地址后面输入/1.php，会把正常图片当成php解析
232 |     > 
233 |     > Nginx
234 |      > 版本小于等于0.8.37，利用方法和IIS 7.0/7.5一样，Fast-CGI关闭情况下也可利用。
235 |      > 空字节代码 xxx.jpg%00.php
236 |      > 
237 |     > Apache
238 |      > 上传的文件命名为：test.php.x1.x2.x3，Apache是从右往左判断后缀
239 |      > 
240 |     > lighttpd
241 |      > xx.jpg/xx.php
242 |      > 
243 |    * Redis未授权访问漏洞如何入侵利用？
244 | 
245 | * 数据库
246 |    * mysql UDF提权5.1以上版本和5.1以下有什么区别,以及需要哪些条件?
247 |    
248 |    > 1)Mysql版本大于5.1版本udf.dll文件必须放置于MYSQL安装目录下的lib\plugin文件夹下。
249 |    > 
250 |    > 2)Mysql版本小于5.1版本。udf.dll文件在Windows2003下放置于c:\windows\system32，在windows2000下放置于c:\winnt\system32。
251 |    > 
252 |    > 3)掌握的mysql数据库的账号有对mysql的insert和delete权限以创建和抛弃函数，一般以root账号为佳，具备`root账号所具备的权限的其它账号也可以。
253 |    > 
254 |    > 4)可以将udf.dll写入到相应目录的权限。
255 | 
256 |    * mysql数据库默认有哪些库？说出库的名字
257 |    
258 |     > infomation_schema， msyql， performance_scheme, test
259 |     > 
260 |    * mysql的用户名密码是存放在那张表里面？mysql密码采用哪种加密方式？
261 |     > mysql数据库下的user表。
262 |     > 
263 |    * mysql表权限里面，除了增删改查，文件读写，还有哪些权限？
264 |    * mysql安全要如何做？
265 |    * sqlserver public权限要如何提权
266 |    * Windows、Linux、数据库的加固降权思路，任选其一  
267 | 
268 | * Linux
269 |    * 简述Linux系统安全加固需要做哪些方面
270 |    * 你使用什么工具来判断系统是否存在后门
271 |    * Linux的Selinux是什么？如何设置Selinux？
272 |    * iptables工作在TCPIP模型中的哪层？
273 |    * 如果无法升级内核，那么如何保证系统不被已知的exp提权？
274 |    * syslog里面都有哪些日志？安装软件的日志去哪找？
275 |    * 如何查询ssh的登录日志？如何配置syslog的日志格式？
276 |    * syslog可不可以使用vi等工具直接查看？是二进制文件吗？
277 |    * 如果一台Linux服务器被入侵后,你会如何做应急响应?
278 |    * 反弹 shell 的常用命令？一般常反弹哪一种 shell？为什么？
279 | 
280 | * 应急响应
281 |   * 有哪几种后门实现方式？
282 |   * webshell检测有什么方法思路？
283 |   * Linux服务器中了木马后，请简述应急思路？
284 |   * 遇到新0day\(比如Struts2\)后，应该如何进行应急响应？
285 |   * 新业务上线前可以从哪些方向进行安全评估？
286 |   * 现有系统可以从哪些方向进行审计发现其中的安全风险？
287 | 
288 | * 信息采集
289 |    * 踩点都要采集哪些信息？
290 |    * DNS在渗透中的作用
291 |    * 如何绕过CDN获取目标网站真实IP，谈谈你的思路？  
292 |  
293 |     <a href="https://zhuanlan.zhihu.com/p/33440472">绕过CDN寻找网站真实IP的方法汇总</a>
294 |     
295 |    * 如果给你一个网站,你的渗透测试思路是什么?
296 | 在获取书面授权的前提下
297 | 
298 |     * 1.信息收集
299 |     > 1)获取域名的whois信息,获取注册者邮箱姓名电话等。
300 |     >
301 |     > 2)查询服务器旁站以及子域名站点，因为主站一般比较难，所以先看看旁站有没有通用性的cms或者其他漏洞。 
302 |     >
303 |     > 3)查看服务器操作系统版本，web中间件，看看是否存在已知的漏洞，比如IIS，APACHE,NGINX的解析漏洞 
304 |     >
305 |     > 4)查看IP，进行IP地址端口扫描，对响应的端口进行漏洞探测，比如 rsync,心脏出血，
306 |      mysql,ftp,ssh弱口令等。 
307 |     > 5)扫描网站目录结构，看看是否可以遍历目录，或者敏感文件泄漏，比如php探针 
308 |     >
309 |     > 6)google hack 进一步探测网站的信息，后台，敏感文件
310 |     
311 |     * 2.漏洞扫描 
312 |     > 开始检测漏洞，如XSS,CSRF,SQL注入，代码执行，命令执行，越权访问，目录读取，任意文件读取，
313 |      下载，文件包含， 远程命令执行，弱口令，上传，编辑器漏洞，暴力破解等 
314 |     * 3.漏洞利用 
315 |     > 利用以上的方式拿到webshell，或者其他权限 
316 |     * 4.权限提升 
317 |     > 提权服务器，比如windows下mysql的udf提权，serv-u提权，windows低版本的漏洞，如iis6,pr,
318 |      巴西烤肉
319 |     > linux脏牛漏洞，linux内核版本漏洞提权，linux下的mysql root提权以及oracle低权限提权
320 |     * 5.日志清理 
321 |     * 6.总结报告及修复方案
322 | 
323 | 
324 |    * 在渗透过程中，收集目标站注册人邮箱对我们有什么价值？
325 |    
326 |     > 1)丢社工库里看看有没有泄露密码，然后尝试用泄露的密码进行登录后台。
327 |     >
328 |     > 2)用邮箱做关键词进行丢进搜索引擎。
329 |     >
330 |     > 3)利用搜索到的关联信息找出其他邮进而得到常用社交账号。
331 |     >
332 |     > 4)社工找出社交账号，里面或许会找出管理员设置密码的习惯 。
333 |     >
334 |     > 5)利用已有信息生成专用字典。
335 |     >
336 |     > 6)观察管理员常逛哪些非大众性网站，拿下它，你会得到更多好东西。
337 |     
338 |    * 判断出网站的CMS对渗透有什么意义？
339 |    
340 |     > 1)查找网上已曝光的程序漏洞。
341 |     >
342 |     > 2)如果开源，还能下载相对应的源码进行代码审计。
343 |     >
344 |     > 3)一个成熟并且相对安全的CMS，渗透时扫目录的意义？
345 |     >
346 |     > 4)敏感文件、二级目录扫描
347 |     >
348 |     > 5)站长的误操作比如：网站备份的压缩文件、说明.txt、二级目录可能存放着其他站点
349 | 


--------------------------------------------------------------------------------