The open source application fuzz testing database fuzzdb contains a collection of test cases for various attack payloads:
- OS command injection
- directory traversal
- File upload bypass
- Authentication bypass
- XSS
- SQL injection
- HTTP header injection
- CRLF injection
- NoSQL injection, and more
It also includes some webshells written in different languages, as well as commonly used account and password dictionaries.
GitHub address: GitHub - fuzzdb-project/fuzzdb: Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
Unzip it; the various attack payloads are under the attack directory.
2. Using the SQLi-CTF training range:
GitHub address: GitHub - Corb3nik/SQLi-CTF: A training CTF covering non-blind SQL injection techniques
Installation and deployment steps:
1) Download SQLi-CTF-master locally.
2) Switch to the unzipped directory: cd SQLi-CTF-master
4) Visit http://127.0.0.1:12000 . If the following page is displayed, the service has started successfully.
2) Enter the username test and password test123, and use Burp Suite to intercept the login request.
Send the login request to Intruder and mark only the login username as the payload position.
Sniper: uses a single dictionary and changes only one position at a time. If username and password are both positions, username is first run through the dictionary while password keeps its original value, then password is run through the dictionary while username keeps its original value.
Battering ram: uses a single dictionary with multiple positions, and sets every position to the same value at the same time.
Pitchfork: one dictionary per position. All positions advance to their next value at the same time, in step, so a value of one position is never combined with every value of the other.
Cluster bomb: a Cartesian product, in which every value of one position is tested against every value of the other positions. With multiple dictionaries the test time becomes very long.
In this example, the payload list for the login username is: fuzzdb-master\attack\sql-injection\detect\xplatform.txt
After Burp Suite loads the payload:
The screenshot shows the loaded dictionaries; it is found that several attack payloads get through.
This example uses the response length to determine which payloads were successfully injected, and finds several successful injections. The length here is the length of the returned page.
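As an added illustration (not code from the course or from Burp Suite), the following Python models the four Intruder attack types described above as generators over the login form's two positions, and the length-based triage used in this example: the most common response length is taken as the normal "login failed" page and every other length is flagged for review. The payload names and response lengths are constructed placeholders, not real dictionary entries or server output.

```python
from itertools import product
from collections import Counter

# Base request parameters: the two login fields marked as Intruder positions.
BASE = {"username": "test", "password": "test123"}


def sniper(base, payloads):
    """Sniper: one dictionary; one position is changed at a time, the rest keep their base value."""
    for name in base:
        for p in payloads:
            yield {**base, name: p}


def battering_ram(base, payloads):
    """Battering ram: one dictionary; every position receives the same value on each request."""
    for p in payloads:
        yield {name: p for name in base}


def pitchfork(base, dicts):
    """Pitchfork: one dictionary per position; all positions advance in step (stops at the shortest list)."""
    names = list(base)
    for combo in zip(*(dicts[n] for n in names)):
        yield dict(zip(names, combo))


def cluster_bomb(base, dicts):
    """Cluster bomb: one dictionary per position; every combination (Cartesian product)."""
    names = list(base)
    for combo in product(*(dicts[n] for n in names)):
        yield dict(zip(names, combo))


def flag_by_length(results):
    """Triage by response length: the most common length is the baseline (normal failed login);
    return that baseline and every result whose length differs from it."""
    baseline = Counter(r["length"] for r in results).most_common(1)[0][0]
    return baseline, [r for r in results if r["length"] != baseline]


# Constructed sample Intruder results (placeholder payload names, made-up lengths).
SAMPLE_RESULTS = [
    {"payload": "p1", "length": 1423},
    {"payload": "p2", "length": 1423},
    {"payload": "p3", "length": 2981},
    {"payload": "p4", "length": 1423},
    {"payload": "p5", "length": 2981},
]

if __name__ == "__main__":
    print("sniper requests:", len(list(sniper(BASE, ["a", "b", "c"]))))
    print("flagged:", flag_by_length(SAMPLE_RESULTS)[1])
```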
The above is summarized and compiled from the "Web Security Attack and Defense Practice" course on Geek Time.