bWAPP(A9&A10)
A9 - Using Known Vulnerable Components
- Buffer Overflow (Local)
- Buffer Overflow (Remote)
- Drupal SQL Injection (Drupageddon)
- Heartbleed Vulnerability
- PHP CGI Remote Code Execution
- PHP Eval Function
- phpMyAdmin BBCode Tag XSS
- Shellshock Vulnerability (CGI)
- SQLiteManager Local File Inclusion
- SQLiteManager PHP Code Injection
- SQL iteManager XSS
- A10 - Unvalidated Redirects & Forwards
- Unvalidated Redirects & Forwards (1)
- Unvalidated Redirects & Forwards (2)
Buffer Overflow (Local)
首先需要了解一些缓冲区和缓冲区溢出的相关知识
缓冲区是指一块可用于接受和存放数据的存储区域,缓冲区一旦分配,其大小也就固定了,比如C语言中 char
meetsec[12];那么meetsec字符串的大小就固定为了12字节;在内存中,每个进程在其内存堆栈段中都拥有自己的栈,EBP指向当前栈的底部,而ESP总是指向栈顶。
函数调用会有3个步骤
1、按照调用约定,首先需要将函数参数按照逆序入栈,从而对函数调用进行设置。
2、将EIP保存到栈上(EIP是指令寄存器,存放当前指令的下一条指令的地址),这样程序在调用函数返回后能够在之前中断的地方继续执行下去,所以EIP存放的地址被称为返回地址。
3、执行call命令,将该函数地址放入EIP寄存器进行执行。
EIP存放的地址被称为返回地址,程序在调用函数返回后能够在之前中断的地方继续执行下去靠的就是EIP,如果EIP被其它破坏了,程序肯定要崩溃,这就是经典的缓冲区溢出原理
大佬博客
09BWAPP通关指北–使用含已知漏洞组件篇
我能说phpstudy搭建的bwappA9都做不了吗
Buffer Overflow (Remote)
Drupal SQL Injection (Drupageddon)
Heartbleed Vulnerability
PHP CGI Remote Code Execution
PHP Eval Function
phpMyAdmin BBCode Tag XSS
Shellshock Vulnerability (CGI)
SQLiteManager Local File Inclusion
SQLiteManager PHP Code Injection
SQL iteManager XSS
A10 - Unvalidated Redirects & Forwards
Unvalidated Redirects & Forwards (1)
low
if(isset($_REQUEST["url"]) && ($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] != "2"))
{
// Debugging
// echo $_REQUEST["url"];
header("Location: " . $_REQUEST["url"]);
exit;
}
Location的参数由url字段决定
可以修改url
medium&high
if(isset($_REQUEST["url"]) && ($_COOKIE["security_level"] == "1" || $_COOKIE["security_level"] == "2"))
{
// Destroys the session and the cookie 'admin'
if($_COOKIE["security_level"] == "2")
{
// Destroys the session
$_SESSION = array();
session_destroy();
// Deletes the cookies
setcookie("admin", "", time()-3600, "/", "", false, false);
setcookie("movie_genre", "", time()-3600, "/", "", false, false);
setcookie("secret", "", time()-3600, "/", "", false, false);
setcookie("top_security", "", time()-3600, "/", "", false, false);
setcookie("top_security_nossl", "", time()-3600, "/", "", false, false);
setcookie("top_security_ssl", "", time()-3600, "/", "", false, false);
}
Unvalidated Redirects & Forwards (2)
这里是需要修改ReturnUrl
if(isset($_REQUEST["ReturnUrl"]) && ($_COOKIE["security_level"] == "1" || $_COOKIE["security_level"] == "2"))
{
header("Location: portal.php");
exit;
}
if(isset($_REQUEST["ReturnUrl"]) && ($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] != "2"))
{
// Debugging
// echo $_REQUEST["url"];
header("Location: " . $_REQUEST["ReturnUrl"]);
exit;
}
先还要完善完善,bee-box怕是有点悬
