DVWA 1.9 Clearance Cheats

DVWA (Damn Vulnerable Web Application) is a set of web vulnerability testing programs written in PHP + MySQL for routine web vulnerability teaching and detection. It contains common security vulnerabilities such as SQL injection, XSS and blind injection. This time we tested version 1.9 (release date: 2015-09-19).
Today we first complete the Low level, which is the easiest; afterwards we will keep raising the difficulty until all levels are completed. During the challenge we will analyse the program's source code to understand the principle of each vulnerability and a simple repair plan.
After installation is complete, the default login is admin/password; the installation process is not described here. The default security level after login is Impossible; we can change it through DVWA Security in the left menu bar. This time our challenge level is Low.

Attack module 1: Brute Force (brute force cracking)
Brute force cracking generally refers to the exhaustive method. The basic idea of the exhaustive method is to determine the approximate range of the answer from some conditions of the problem, then verify every possible case within that range one by one until all conditions have been checked. If a case is found that satisfies all the conditions of the problem, it is a solution; if no case satisfies them, the problem has no solution. The exhaustive method is also called the enumeration method. (The above is taken from Baidu Encyclopedia.) By observing the page, we find there is no protection against brute forcing, so we can enumerate with tools such as Burp Suite.
1. First configure the local proxy for Burp Suite and capture the login form request.
2. Send the request to the Intruder module and mark the password field as the payload position.
3. Load the dictionary file.
4. Start the enumeration and obtain the password.
Note: the detailed configuration of Burp Suite is not our focus this time, so it is not introduced in detail.
 
Expansion:
By reading the source code of this module, we find another place that can be exploited. The code is as follows
(File address: ./DVWA/vulnerabilities/brute/source/low.php)
A simple analysis of the code shows that this is a typical universal password vulnerability (see the universal password reference: http://bbs.ichunqiu.com/thread-10851-1-1.html). Entering [ 'or 1=1 limit 1,1 - ] bypasses the login check.
Universal password vulnerability
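The Low level has no counter at all, which is what makes the dictionary run above possible. The following is an added example (not DVWA's own code) of a per-account failed-attempt counter with a lockout; the store is an in-memory array standing in for a session or database table, and the user table is constructed sample data.

```php
<?php
// Added example (not DVWA's own code): a login check with a per-account
// failed-attempt counter and lockout, the protection the Low level lacks.
// $attemptStore is an in-memory array standing in for a database/session table.

const MAX_ATTEMPTS = 5;      // lock the account after this many consecutive failures
const LOCKOUT_SECONDS = 300; // how long the account stays locked

$attemptStore = [];          // username => ['failures' => int, 'locked_until' => int]

// Hypothetical user table: username => password_hash() output (constructed sample)
$users = ['admin' => password_hash('password', PASSWORD_DEFAULT)];

function login(string $user, string $pass, array $users, array &$store, int $now): string
{
    $rec = $store[$user] ?? ['failures' => 0, 'locked_until' => 0];

    if ($rec['locked_until'] > $now) {
        return 'locked';                 // refuse without even checking the password
    }

    // password_verify() compares in constant time, so the check does not leak via timing
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        unset($store[$user]);            // a successful login resets the counter
        return 'ok';
    }

    $rec['failures']++;
    if ($rec['failures'] >= MAX_ATTEMPTS) {
        $rec['locked_until'] = $now + LOCKOUT_SECONDS;
        $rec['failures'] = 0;
    }
    $store[$user] = $rec;
    return 'failed';                     // same answer for unknown user and wrong password
}

// Demonstration: five wrong guesses lock the account; even the right password is then refused
$t = time();
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    echo login('admin', 'guess' . $i, $users, $attemptStore, $t), PHP_EOL;           // failed (x5)
}
echo login('admin', 'password', $users, $attemptStore, $t), PHP_EOL;                   // locked
echo login('admin', 'password', $users, $attemptStore, $t + LOCKOUT_SECONDS + 1), PHP_EOL; // ok
```

A per-account lock lets anyone who knows a username lock that user out, so real deployments usually combine it with a per-source-address counter and a delay rather than relying on it alone.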
 
/***************************************************
 
Attack Module 2: Command Injection
The common pattern of a command injection attack is: where only data should be entered, malicious code is submitted along with the data, and the system that processes the data has no well-designed filtering for this, so the malicious code is executed as well, eventually leading to information leakage or destruction of normal data. (The above is taken from Baidu Encyclopedia.)
Command connectors:
command1 && command2: executes command1 first, then command2
command1 | command2: only executes command2
command1 & command2: executes command2 first, then command1
All three connectors are supported in both Windows and Linux environments.
If the program does not filter the input, we can execute multiple system commands through a connector.
Executing multiple commands through the && connector

Repair suggestions:
Filter the data entered by the user, and where possible avoid using functions that call system commands at all.
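The Low level of this module hands the submitted target straight to the ping command line. As an added example (not DVWA's own code; it assumes the Linux form of the ping command), the following shows that concatenation beside a version that accepts only a valid IP address before anything reaches the shell.

```php
<?php
// Added example (not DVWA's own code): validating the ping target before it
// reaches the shell. Assumes the Linux form of the ping command line.

// Vulnerable pattern: the raw value is concatenated into the command line, so
// any of the connectors listed above inside $target starts a second command.
function pingUnsafe(string $target): string
{
    return (string) shell_exec('ping -c 1 ' . $target);
}

// The decision on its own, so it can be checked without running ping:
// only a syntactically valid IPv4/IPv6 address is accepted.
function isAllowedPingTarget(string $target): bool
{
    return filter_var($target, FILTER_VALIDATE_IP) !== false;
}

// Hardened: validate, then still quote the argument as defence in depth.
// Returns null when the input is rejected.
function pingSafe(string $target): ?string
{
    if (!isAllowedPingTarget($target)) {
        return null;
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($target));
}

var_dump(isAllowedPingTarget('127.0.0.1'));        // true
var_dump(isAllowedPingTarget('::1'));              // true
var_dump(isAllowedPingTarget('127.0.0.1 && ls'));  // false: connector inside the value
var_dump(isAllowedPingTarget('127.0.0.1 | ls'));   // false
var_dump(isAllowedPingTarget('localhost'));        // false: hostnames are not on the allow-list
```

If hostnames must be accepted, validate them with FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME (PHP 7.0+) instead of widening the check by hand; a regular expression written in a hurry is how most of these filters get bypassed.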
/***************************************************
 
Attack module 3: Cross Site Request Forgery (CSRF, cross-site request forgery)
Put simply, CSRF makes an authorized user perform the actions we want on our behalf. Detailed explanation: http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html .
1. First we copy the password-change form.
2. Modify the copied form. Note the name of the Change button: the back end checks for it, so it cannot be omitted.
3. Next we trick the administrator into opening the change page, with the help of XSS or social engineering; the page flashes by and displays Password Change.
Expansion:
The administrator may notice this, but we can hide it in an iframe. Specifically, this will be covered in the attack module Stored Cross Site Scripting (XSS), where we make XSS + CSRF work together.
Repair plan:
Adding a token and verifying it is the most common repair today, but the premise is that there is no XSS: if XSS exists, the token can be read through XSS and submitted along with the request.
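The token repair described above, as an added example (not DVWA's own code). The session is an array standing in for $_SESSION, and the field name user_token is an assumption.

```php
<?php
// Added example (not DVWA's own code): a per-session anti-CSRF token for the
// password-change form. $session is an array standing in for $_SESSION.

// Issue a fresh, unpredictable token and remember it for this session
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Accept the change only when the submitted token matches the session copy.
// hash_equals() compares in constant time, so the token cannot be guessed byte by byte.
function verifyCsrfToken(array &$session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['user_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    unset($session['csrf_token']);   // single use: a replayed form is rejected
    return true;
}

// The hidden field that the legitimate form carries (encoded for the HTML context)
function csrfField(string $token): string
{
    return '<input type="hidden" name="user_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Demonstration
$session = [];
$token = issueCsrfToken($session);
echo csrfField($token), PHP_EOL;

// A forged request from another origin cannot know the token
var_dump(verifyCsrfToken($session, ['password_new' => 'x', 'Change' => 'Change']));                          // false
// The real form carries it
var_dump(verifyCsrfToken($session, ['password_new' => 'x', 'Change' => 'Change', 'user_token' => $token]));  // true
// A replay of the same token is rejected
var_dump(verifyCsrfToken($session, ['user_token' => $token]));                                              // false
```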
/***************************************************
Attack Module 4: File Inclusion (File Inclusion)
When the server includes a file through PHP's features (functions) and the source of the included file is not strictly filtered, a malicious file can be included; we can construct such a file to achieve a malicious purpose.

1. From the URL we can tell there may be a file inclusion vulnerability (in fact, the module's name is File Inclusion).

2. Testing the file inclusion vulnerability: phpinfo is successfully included through ./ directory traversal.

Extension: how to exploit file inclusion
Getting a webshell through the Apache log:
Executing arbitrary commands through PHP's built-in protocol wrappers:
Tips for keeping a backdoor under php.ini:

Repair plan:
Let's look at the code first
(File address: ./DVWA/vulnerabilities/fi/source/low.php)
(File address: ./DVWA/vulnerabilities/fi/index.php, part)

We can see that the included file name is taken directly from GET. To fix it, we only need to change the relative path to an absolute path, or restrict the use of [./] to prevent directory traversal.
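A stricter repair than path rewriting is to accept only names from a fixed list and then confirm the resolved path still sits inside the include directory. The following is an added example (not DVWA's own code); the allowed list and the temporary directory are constructed for the demonstration.

```php
<?php
// Added example (not DVWA's own code): restricting the "page" parameter to a
// fixed whitelist and confirming the resolved path stays inside the include
// directory. $baseDir and $allowed are assumptions for the demonstration.

function resolveIncludable(string $page, string $baseDir, array $allowed): ?string
{
    // 1. Whitelist: only names we ship are includable, so a traversal path,
    //    a php:// wrapper or a log file path never reaches include().
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: resolve the real path and check it is under $baseDir
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Demonstration with a constructed temporary directory holding one page
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'file1.php', "<?php echo 'file1 ok', PHP_EOL;");
$allowed = ['include.php', 'file1.php', 'file2.php', 'file3.php'];   // constructed list

var_dump(resolveIncludable('file1.php', $dir, $allowed) !== null);              // true
var_dump(resolveIncludable('../../phpinfo.php', $dir, $allowed));               // NULL: not on the list
var_dump(resolveIncludable('php://filter/resource=file1.php', $dir, $allowed)); // NULL: not on the list
var_dump(resolveIncludable('file2.php', $dir, $allowed));                       // NULL: listed but absent

$path = resolveIncludable('file1.php', $dir, $allowed);
if ($path !== null) {
    include $path;                                                              // prints "file1 ok"
}
unlink($dir . DIRECTORY_SEPARATOR . 'file1.php');
rmdir($dir);
```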
/***************************************************


Attack Module 5: File Upload (arbitrary file upload)

Because the file upload function's implementation does not strictly restrict the suffix and type of files uploaded by users, an attacker can upload arbitrary PHP files into a web-accessible directory and have them run by the PHP interpreter, executing arbitrary PHP scripts on the remote server.

Here we can directly upload the PHP file.

Repair plan:
See the source code
No verification is performed on upload; the save operation is carried out directly for any file. A whitelist can be used to verify the upload and fix this.
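The whitelist repair, as an added example (not DVWA's own code): the extension must be on a short list, the file content must really be an image of the matching type, and the stored name is never the one the client supplied. The sample files are constructed in a temporary directory instead of coming from $_FILES.

```php
<?php
// Added example (not DVWA's own code): whitelist validation for an image
// upload, the check the Low level omits. Runs against constructed files
// instead of a real $_FILES entry.

const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
const MAX_BYTES = 100000;

// Returns the safe destination filename, or null if the upload is rejected.
function validateUpload(string $clientName, string $tmpPath, int $size): ?string
{
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // 1. Extension from the client name, lower-cased, must be on the whitelist
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                       // rejects .php, .phtml, .PHP, ...
    }
    // 2. Content must actually be an image whose MIME type matches the extension
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        return null;
    }
    // 3. Never reuse the client-supplied name: a random name removes path tricks
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a 1x1 PNG, and a PHP file that merely claims to be a PNG
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$pngPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngPath, $png);
$phpPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpPath, "<?php echo 'x';");

var_dump(validateUpload('avatar.png', $pngPath, strlen($png)) !== null);   // true
var_dump(validateUpload('shell.php', $phpPath, 15));                        // NULL: extension rejected
var_dump(validateUpload('shell.png', $phpPath, 15));                        // NULL: content is not an image
unlink($pngPath);
unlink($phpPath);
```

Store the result outside the web root or in a directory where the web server has script execution disabled; the name check alone does not stop a server that has been configured to run other extensions as PHP.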
/***************************************************


Attack module 6: Insecure CAPTCHA (insecure verification code)

Related introduction can be found here:
Roughly speaking, it means the back end does not verify the CAPTCHA securely.

When opening it for the first time you need to apply for a key; apply according to the prompts (left: without key, right: with key)

Since Google cannot be accessed from China, we will not spend much effort on this module!
/***************************************************


Attack Module 7: SQL Injection (SQL Injection)

SQL injection inserts SQL commands into a web form submission, a domain name or the query string of a page request, ultimately tricking the server into executing malicious SQL commands. Specifically, it uses an existing application to inject (malicious) SQL commands into the back-end database engine for execution: an attacker can enter (malicious) SQL statements in a web form of a vulnerable website and have the database run them, instead of executing SQL according to the designer's intentions.

The SQL statement can be executed directly; since the forum already has a detailed manual injection tutorial, it is not described here.

Expansion:
PHP + MySQL manual injection: http://bbs.ichunqiu.com/thread-12118-1-1.html

Repair plan:
Escape and filter the input parameters with common PHP filtering functions such as addslashes and mysqli_real_escape_string.
Or use precompiled (prepared) parameterized queries: http://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=11761
/***************************************************


Attack Module 8: SQL Injection (Blind)

Ordinary injection displays error messages on the page for the attacker to judge from; that is, it shows a variety of states, which makes things easier for the attacker. Blind injection has only two cases, TRUE and FALSE, and does not return much information.
Judging by changing MySQL's execution time through sleep
Expansion:

Repair plan:
Refer to the repair method of module 7.
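The parameterized repair of modules 7 and 8, as an added example (not DVWA's own code). It runs against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension) so it works without MySQL; the two rows are sample data modelled on DVWA's seed users. Escaping with mysqli_real_escape_string only helps when the value sits inside quotes, whereas a bound parameter is never parsed as SQL at all, which also defeats the sleep-based blind tests of module 8.

```php
<?php
// Added example (not DVWA's own code): the user-id lookup of modules 7 and 8
// rewritten as a prepared statement. Uses an in-memory SQLite database via
// PDO (assumes the pdo_sqlite extension) so it runs without MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown')");  // sample rows

// Vulnerable pattern (string concatenation): the parameter becomes part of the
// SQL grammar, so a quote in $id changes the query instead of the value.
function lookupUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query text is fixed; $id is bound as a value and can never
// change the statement's structure, whatever characters it contains.
function lookupSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$tautology = "1' OR '1'='1";                          // the classic always-true input
echo count(lookupUnsafe($db, '1')), PHP_EOL;         // 1
echo count(lookupUnsafe($db, $tautology)), PHP_EOL;  // 2: every row leaks
echo count(lookupSafe($db, '1')), PHP_EOL;           // 1
echo count(lookupSafe($db, $tautology)), PHP_EOL;    // 0: treated as a literal string, no such id
```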
/***************************************************


Attack Module 9: Reflected Cross Site Scripting (XSS) (reflected cross-site scripting)

XSS is also called CSS (Cross Site Script), a cross-site scripting attack. It means a malicious attacker inserts malicious HTML code into a web page; when a user browses the page, the HTML code embedded in it is executed, achieving the attacker's purpose against the user, such as stealing the user's cookie, redirecting to malicious websites, delivering Trojans and so on. Using this vulnerability, an attacker can hijack an authenticated user's session; after hijacking it, the attacker has all the permissions of the authorized user.
Here we directly enter [<script>alert(/xss/)</script>]
Let's take a look at the code
It checks whether there is input and prints it out directly without escaping, resulting in reflected XSS

Expansion:
Several typical DOM-based reflected XSS cases:

Repair plan:
Use htmlspecialchars to convert predefined characters into HTML entities when handling the input.
/***************************************************

Attack Module 10: Stored Cross Site Scripting (XSS) (stored cross-site scripting)

Stored XSS is persistent: the code is stored on the server, for example added in personal information or a published article. If there is no filtering, or the filtering is not strict, the code is saved on the server and executed whenever a user visits the page, which makes it more dangerous than reflected XSS.
We continue to use the payload [<script>alert(/xss/)</script>].
It triggers immediately after saving.
Now refreshing, logging in again or switching browsers all trigger it, because it already exists in the database.
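The htmlspecialchars repair for both the reflected (module 9) and stored (module 10) pages, as an added example (not DVWA's own code). It encodes at output time rather than at input time, which also covers payloads that are already sitting in the database; the guestbook array stands in for the table.

```php
<?php
// Added example (not DVWA's own code): output encoding for the reflected
// (module 9) and stored (module 10) pages. The value is encoded at the moment
// it is written into HTML, so data already in the database is covered too.

// Vulnerable pattern of both Low levels: the value is echoed untouched
function renderUnsafe(string $name): string
{
    return '<pre>Hello ' . $name . '</pre>';
}

// Encode for an HTML text or quoted-attribute context. ENT_QUOTES also encodes
// both quote characters, and the explicit charset stops multibyte input from
// being misinterpreted.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $name): string
{
    return '<pre>Hello ' . e($name) . '</pre>';
}

// Stored flow: the guestbook keeps the raw text; encoding happens on output
$guestbook = [];                                   // constructed stand-in for the guestbook table
$guestbook[] = ['name' => 'test', 'message' => '<script>alert(/xss/)</script>'];
foreach ($guestbook as $row) {
    echo 'Name: ' . e($row['name']) . '<br>Message: ' . e($row['message']) . '<br>', PHP_EOL;
}

$payload = '<script>alert(/xss/)</script>';
echo renderUnsafe($payload), PHP_EOL;  // the script tag reaches the browser intact
echo renderSafe($payload), PHP_EOL;    // <pre>Hello &lt;script&gt;alert(/xss/)&lt;/script&gt;</pre>
```

htmlspecialchars is only correct for HTML text and quoted attributes; a value placed inside a script block or a URL needs the encoding for that context instead.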
/***************************************************

Comprehensive utilization (XSS+CSRF)

We talked about cross-site request forgery earlier. Here we use XSS + CSRF to simulate a simple attack environment.
First we prepare a CSRF page:
The code snippet above submits a form that modifies the password, and it is submitted automatically.
We use the stored XSS from the last module to submit this form. Because of the length limit there, we need to modify it.
payload: <iframe src="http://127.0.0.1/csrf.html" width="0px" height="0px"></iframe>
After submission, the CSRF page we constructed has been included.
We confirm through the database that the password was modified successfully.

https://bbs.ichunqiu.com/thread-12228-1-1.html

Origin blog.csdn.net/qq_43422918/article/details/114986372