Web tools, or where to start as a pentester?

Let's continue talking about useful tools for pentesters. In this new article we will look at tools for analyzing the security of web applications.

Our colleague BeLove already made a similar selection about seven years ago. It is interesting to see which tools have kept and strengthened their positions, and which have faded into the background and are rarely used now.

Note that this also includes Burp Suite, but there will be a separate publication about it and its useful plugins.

Amass

Amass is a Go tool for searching and enumerating DNS subdomains and mapping the external network. Amass is an OWASP project designed to show what organizations on the Internet look like to an outsider. Amass obtains subdomain names in various ways; the tool uses both recursive subdomain enumeration and open-source searches.

To discover related network segments and autonomous system numbers, Amass uses the IP addresses obtained during operation. All the information found is used to build a network map.

Pros:

  • Information-gathering techniques include:
    * DNS - dictionary search of subdomains, subdomain brute force, smart search using mutations based on the subdomains found, reverse DNS queries, and searching for DNS servers where a zone transfer request (AXFR) is possible;
    * Open-source search - Ask, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo;
    * TLS certificate database search - Censys, CertDB, CertSpotter, Crtsh, Entrust;
    * Use of search engine APIs - BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan;
    * Search of Internet web archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;
  • Integration with Maltego;
  • Provides the most complete coverage of the DNS subdomain search task.

Cons:

  • Be careful with amass.netdomains - it will try to contact every IP address in the identified infrastructure and obtain domain names from reverse DNS lookups and TLS certificates. This is a "high-profile" technique; it can reveal your reconnaissance activities to the organization under investigation.
  • High memory consumption: it can use up to 2 GB of RAM in different settings, which will not allow you to run this tool in the cloud on a cheap VDS.

Altdns

Altdns is a Python tool for compiling dictionaries for enumerating DNS subdomains. It lets you generate many subdomain variants using mutations and permutations. For this, words that often occur in subdomains are used (for example: test, dev, staging); all mutations and permutations are applied to already known subdomains, which can be fed to Altdns as input. The output is a list of subdomain variations that may exist, and this list can later be used for DNS brute force.

Pros:

  • Works well with large data sets.

aquatone

aquatone was previously better known as another subdomain search tool, but the author abandoned this in favour of the aforementioned Amass. Now aquatone has been rewritten in Go and is geared towards preliminary reconnaissance of websites. To do this, aquatone goes through the specified domains and looks for websites on different ports, after which it collects all the information about the site and takes a screenshot. It is convenient for quick preliminary reconnaissance of websites, after which you can select priority targets for attacks.

Pros:

  • The output creates a group of files and folders that are convenient to use when working further with other tools:
    * An HTML report with the collected screenshots and response headers grouped by similarity;
    * A file with all URLs where websites were found;
    * A file with statistics and page data;
    * A folder with files containing response headers from the targets found;
    * A folder with files containing the response body from the targets found;
    * Screenshots of the websites found;
  • Supports working with XML reports from Nmap and Masscan;
  • Uses headless Chrome/Chromium to render screenshots.

Cons:

  • It may attract the attention of intrusion detection systems, so it requires configuration.

The screenshot was taken from one of the old versions of aquatone (v0.5.0), in which DNS subdomain search was implemented. Older versions can be found on the releases page.

MassDNS

MassDNS is another tool for finding DNS subdomains. Its main difference is that it makes DNS queries directly to many different DNS resolvers and does so at considerable speed.

Pros:

  • Fast - capable of resolving more than 350 thousand names per second.

Cons:

  • MassDNS can cause significant load on the DNS resolvers in use, which can lead to bans on those servers or complaints to your ISP. In addition, it will place a heavy load on the company's DNS servers, if they have them and if they are responsible for the domains you are trying to resolve.
  • The list of resolvers is currently outdated, but if you weed out the broken DNS resolvers and add new known ones, everything will be fine.

Screenshot of aquatone v0.5.0

nsec3map

nsec3map is a Python tool for obtaining a complete list of DNSSEC-protected domains.

Pros:

  • Quickly discovers hosts in DNS zones with a minimal number of queries if DNSSEC support is enabled in the zone;
  • Includes a plugin for John the Ripper that can be used to crack the resulting NSEC3 hashes.

Cons:

  • Many DNS errors are not handled correctly;
  • There is no automatic parallelization of NSEC record processing - you have to split the namespace manually;
  • High memory consumption.

Acunetix

Acunetix is a web vulnerability scanner that automates the process of checking the security of web applications. It tests the application for SQL injection, XSS, XXE, SSRF and many other web vulnerabilities. However, like any other scanner, it does not replace a pentester, since it cannot find complex chains of vulnerabilities or flaws in logic. But it covers a lot of different vulnerabilities, including various CVEs that the pentester might have forgotten about, so it is very convenient for freeing you from routine checks.

Pros:

  • Low level of false positives;
  • Results can be exported as reports;
  • Performs a large number of checks for various vulnerabilities;
  • Parallel scanning of multiple hosts.

Cons:

  • There is no deduplication algorithm (Acunetix will consider pages that are identical in functionality to be different, since they lead to different URLs), but the developers are working on it;
  • Requires installation on a separate web server, which complicates testing client systems over a VPN connection and using the scanner in an isolated segment of the local client network;
  • It can "make noise" on the service under study, for example by sending too many attack vectors to the contact form on the site, thereby greatly complicating business processes;
  • It is proprietary and, accordingly, not a free solution.

Dirsearch

Dirsearch is a Python tool for brute forcing directories and files on websites.

Pros:

  • Can distinguish real "200 OK" pages from "200 OK" pages that carry the text "page not found";
  • Comes with a handy dictionary that has a good balance between size and search efficiency. It contains standard paths common to many CMSs and technology stacks;
  • Its own dictionary format, which allows you to achieve good efficiency and flexibility in enumerating files and directories;
  • Convenient output - plain text, JSON;
  • Can do throttling - a pause between requests, which is vital for any weak service.

Cons:

  • Extensions must be passed as a string, which is inconvenient if you need to pass many extensions at once;
  • To use your own dictionary, it will need to be slightly modified into the Dirsearch dictionary format for maximum efficiency.
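
The first point in the Pros list, telling a real "200 OK" page from a "200 OK" error page, can be illustrated with a baseline comparison. This is an added example, not Dirsearch's own code: the similarity threshold, the `fetch` stand-in and the sample site are assumptions constructed for the demonstration, and everything runs offline.

```python
import difflib
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Response:
    status: int
    body: str


# Constructed sample site: two real pages; every other path gets a "200 OK"
# error page that echoes the requested path.
PAGES = {
    "/admin/": Response(200, "<html><h1>Admin login</h1><form><input name=user>"
                             "<input name=pass></form></html>"),
    "/robots.txt": Response(200, "User-agent: *\nDisallow: /admin/\n"),
}


def fetch(path: str) -> Response:
    """Offline stand-in for an HTTP GET against the constructed site."""
    if path in PAGES:
        return PAGES[path]
    return Response(200, f"<html><h1>Oops</h1><p>Page {path} was not found.</p></html>")


def strip_path(body: str, path: str) -> str:
    # Error pages often echo the path; drop it so only the template is compared.
    return body.replace(path, "")


def is_soft_404(resp: Response, path: str, baseline: Response,
                baseline_path: str, threshold: float = 0.9) -> bool:
    """True when resp looks like the site's own 'not found' template."""
    if resp.status != baseline.status:
        return False
    ratio = difflib.SequenceMatcher(
        None, strip_path(resp.body, path), strip_path(baseline.body, baseline_path)
    ).ratio()
    return ratio >= threshold


def classify(paths: List[str],
             get: Callable[[str], Response] = fetch) -> Dict[str, str]:
    # Baseline: a path that cannot exist shows what "not found" looks like here.
    baseline_path = "/nonexistent-3f9c1a7e/"
    baseline = get(baseline_path)
    result = {}
    for path in paths:
        resp = get(path)
        missing = resp.status == 404 or is_soft_404(resp, path, baseline, baseline_path)
        result[path] = "missing" if missing else "exists"
    return result


if __name__ == "__main__":
    print(classify(["/admin/", "/backup.zip", "/robots.txt", "/old/"]))
```
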

wfuzz

wfuzz is a Python web application fuzzer. It is probably one of the most famous web fuzzers. The principle is simple: wfuzz lets you fuzz any place in an HTTP request, which makes it possible to fuzz GET/POST parameters and HTTP headers, including Cookie and other authentication headers. At the same time, it is also convenient for simple brute force of directories and files, for which you need a good dictionary. It also has a flexible filter system, with which you can filter the responses from the website by different parameters, which lets you achieve effective results.

Pros:

  • Multifunctional - modular structure, assembly takes a few minutes;
  • Convenient filtering and fuzzing mechanism;
  • You can fuzz any HTTP method, as well as any place in an HTTP request.

Cons:

  • Under development.

ffuf

ffuf is a web fuzzer in Go, created in the "image and likeness" of wfuzz. It lets you brute force files, directories, URL paths, names and values of GET/POST parameters, and HTTP headers, including the Host header for brute forcing virtual hosts. ffuf differs from its sibling in higher speed and some new features; for example, it supports Dirsearch format dictionaries.

Pros:

  • Filters are similar to wfuzz filters; they let you flexibly configure brute force;
  • Lets you fuzz HTTP header values, POST request data and various parts of the URL, including names and values of GET parameters;
  • You can specify any HTTP method.

Cons:

  • Under development.

gobuster

gobuster is a Go tool for reconnaissance; it has two modes of operation. The first is used to brute force files and directories on a website, the second is used to brute force DNS subdomains. The tool does not initially support recursive enumeration of files and directories, which, of course, saves time, but on the other hand, brute force of each new endpoint on the website has to be launched separately.

Pros:

  • High speed of operation both for brute force search of DNS subdomains and for brute force of files and directories.

Cons:

  • The current version does not support setting HTTP headers;
  • By default, only some HTTP status codes (200,204,301,302,307) are considered valid.

Arjun

Arjun is a tool for brute forcing hidden HTTP parameters in GET/POST parameters, as well as in JSON. The built-in dictionary has 25 words, which Arjun checks in about 980 seconds. The trick is that Arjun does not check each parameter separately, but checks ~30 parameters at a time and sees whether the response has changed. If the response has changed, it splits these 1000 parameters into two parts and checks which of these parts affects the response. Thus, using a simple binary search, it finds the hidden parameter or several parameters that influenced the response and, therefore, may exist.

Pros:

  • High speed due to binary search;
  • Support for GET/POST parameters, as well as parameters in JSON form;

A plugin for Burp Suite works on a similar principle - param-miner, which is also very good at finding hidden HTTP parameters. We will tell you more about it in an upcoming article about Burp and its plugins.
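
The binary search described for Arjun above, as an added example that is not Arjun's or param-miner's code. It runs offline against a constructed in-process handler; `fake_app`, `HIDDEN`, `WORDLIST` and the chunk size are assumptions made for the demonstration.

```python
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a web handler: only these names change the response.
HIDDEN = {"debug", "redirect_to"}

# Constructed candidate list: 30 filler names plus the two hidden ones.
WORDLIST = [f"param{i}" for i in range(30)]
WORDLIST.insert(5, "debug")
WORDLIST.insert(20, "redirect_to")


def fake_app(params: Dict[str, str]) -> str:
    """Offline oracle: the body depends only on which hidden names are present."""
    used = sorted(HIDDEN & params.keys())
    return "base page" + "".join(f" [{name} handled]" for name in used)


def find_params(candidates: List[str],
                send: Callable[[Dict[str, str]], str],
                chunk_size: int = 8) -> Tuple[List[str], int]:
    """Return (names that influence the response, number of requests sent)."""
    baseline = send({})
    requests = 1
    found: List[str] = []

    def changes(names: List[str]) -> bool:
        nonlocal requests
        requests += 1
        return send({n: "1" for n in names}) != baseline

    def bisect(names: List[str]) -> None:
        # Precondition: this group is already known to change the response.
        if len(names) == 1:
            found.append(names[0])
            return
        mid = len(names) // 2
        left, right = names[:mid], names[mid:]
        left_hit = changes(left)
        if left_hit:
            bisect(left)
        # A silent left half means the right half holds the name: skip that probe.
        if not left_hit or changes(right):
            bisect(right)

    for i in range(0, len(candidates), chunk_size):
        chunk = candidates[i:i + chunk_size]
        if changes(chunk):
            bisect(chunk)
    return sorted(found), requests


if __name__ == "__main__":
    names, sent = find_params(WORDLIST, fake_app)
    print(f"{names} found with {sent} requests for {len(WORDLIST)} candidates")
```

The search only sees a parameter whose mere presence changes the response, so a name that needs a specific value stays invisible to it. On the server side this kind of probing appears as requests carrying many unknown parameter names at once.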

LinkFinder

LinkFinder is a Python script for searching for links in JavaScript files. It is useful for finding hidden or forgotten endpoints/URLs in a web application.

Pros:

  • Fast;
  • There is a special plugin for Chrome based on LinkFinder.

Cons:

  • Inconvenient final output;
  • Does not analyze JavaScript over time;
  • Quite simple link search logic - if the JavaScript is obfuscated in some way, or the links are initially absent and generated dynamically, it will not be able to find anything.

JSParser

JSParser is a Python script that uses Tornado and JSBeautifier to parse relative URLs from JavaScript files. It is very useful for detecting AJAX requests and compiling a list of the API methods the application interacts with. It works effectively in conjunction with LinkFinder.

Pros:

  • Fast parsing of JavaScript files.

sqlmap

sqlmap is probably one of the most famous tools for analyzing web applications. sqlmap automates the search for and exploitation of SQL injections, works with several SQL dialects, and has a huge number of different techniques in its arsenal, from straightforward quotes to complex vectors for time-based SQL injections. In addition, it has many techniques for further exploitation of various DBMSs, so it is useful not only as a scanner for SQL injections, but also as a powerful tool for exploiting SQL injections that have already been found.

Pros:

  • A large number of different techniques and vectors;
  • Low number of false positives;
  • Many fine-tuning options, various techniques, target database, tamper scripts for bypassing WAF;
  • Ability to create a dump of the output;
  • Many different exploitation capabilities, for example, for some databases - automatic upload/download of files, obtaining the ability to execute commands (RCE) and others;
  • Support for direct connection to the database using data obtained during the attack;
  • You can submit a text file with Burp results as input - there is no need to compose all the command-line attributes manually.

Cons:

  • It is difficult to customize, for example, to write some of your own checks, because documentation for this is scarce;
  • Without the appropriate settings, it performs an incomplete set of checks, which can be misleading.

NoSQLMap

NoSQLMap is a Python tool for automating the search for and exploitation of NoSQL injections. It is convenient to use not only against NoSQL databases, but also directly when auditing web applications that use NoSQL.

Pros:

  • Like sqlmap, it not only finds a potential vulnerability, but also checks the possibility of exploiting it for MongoDB and CouchDB.

Cons:

  • Does not support NoSQL for Redis or Cassandra; development is underway in this direction.

oxml_xxe

oxml_xxe is a tool for embedding XXE XML exploits into various types of files that use the XML format in some form.

Pros:

  • Supports many common formats such as DOCX, ODT, SVG, XML.

Cons:

  • Support for PDF, JPEG, GIF is not fully implemented;
  • Creates only one file. To solve this problem you can use the docem tool, which can create a large number of payload files in different places.

The above utilities do a great job of testing XXE when loading documents containing XML. But also remember that XML format handlers can be found in many other cases; for example, XML can be used as a data format instead of JSON.

Therefore, we recommend that you pay attention to the following repository, which contains a large number of different payloads: PayloadsAllTheThings.

tplmap

tplmap is a Python tool for automatically identifying and exploiting Server-Side Template Injection vulnerabilities; it has settings and flags similar to sqlmap. It uses several different techniques and vectors, including blind injection, and also has techniques for executing code and uploading/downloading arbitrary files. In addition, it has in its arsenal techniques for different template engines and some techniques for finding eval()-like code injections in Python, Ruby, PHP, JavaScript. If successful, it opens an interactive console.

Pros:

  • A large number of different techniques and vectors;
  • Supports many template rendering engines;
  • Many exploitation techniques.

CeWL

CeWL is a dictionary generator in Ruby, created to extract unique words from a specified website; it follows links on the site to a specified depth. The compiled dictionary of unique words can later be used to brute force passwords on services or files and directories on the same website, or to attack the resulting hashes using hashcat or John the Ripper. It is useful when compiling a "targeted" list of potential passwords.

Pros:

  • Easy to use.

Cons:

  • You need to be careful with the search depth so as not to capture an extra domain.

Weakpass

Weakpass is a service containing many dictionaries with unique passwords. It is extremely useful for various tasks related to password cracking, ranging from simple online brute force of accounts on target services to offline brute force of obtained hashes using hashcat or John The Ripper. It contains about 8 billion passwords ranging from 4 to 25 characters in length.

Pros:

  • Contains both specific dictionaries and dictionaries with the most common passwords - you can choose a specific dictionary for your own needs;
  • Dictionaries are updated and replenished with new passwords;
  • Dictionaries are sorted by efficiency. You can choose the option for both quick online brute force and a thorough selection of passwords from a voluminous dictionary with the latest leaks;
  • There is a calculator that shows the time it takes to brute force passwords on your equipment.

We would like to put the tools for checking CMSs in a separate group: WPScan, JoomScan and AEM hacker.

AEM_hacker

AEM hacker is a tool for identifying vulnerabilities in Adobe Experience Manager (AEM) applications.

Pros:

  • Can identify AEM applications from the list of URLs submitted to its input;
  • Contains scripts for obtaining RCE by uploading a JSP shell or exploiting SSRF.

JoomScan

JoomScan is a Perl tool for automating vulnerability detection when deploying Joomla CMS.

Pros:

  • Able to find configuration flaws and problems with administrative settings;
  • Lists Joomla versions and related vulnerabilities, and does the same for individual components;
  • Contains more than 1000 entries for Joomla components;
  • Output of final reports in text and HTML formats.

WPScan

WPScan is a tool for scanning WordPress sites; it has vulnerabilities in its arsenal both for the WordPress engine itself and for some plugins.

Pros:

  • Able to list not only unsafe WordPress plugins and themes, but also obtain a list of users and TimThumb files;
  • Can conduct brute force attacks on WordPress sites.

Cons:

  • Without the appropriate settings, it performs an incomplete set of checks, which can be misleading.

In general, different people prefer different tools for work: they are all good in their own way, and what one person likes may not suit another at all. If you think that we have unfairly ignored some good utility, write about it in the comments!

Source: www.habr.com
