Today I looked at deploying the OWASP Broken Web Applications (BWA) VM, connected to owaspbwa over SSH with PuTTY, and was able to work on it as root.
BWA project page:
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Our BWA instance:
http://owaspbwa
Ticket list of the known vulnerabilities in each web app shipped with BWA:
http://sourceforge.net/apps/trac/owaspbwa/report/1
phpMyAdmin on our BWA instance:
http://owaspbwa/phpmyadmin/index.php
In all cases, use a username of "root" and a password of "owaspbwa".
The BWA user guide:
http://code.google.com/p/owaspbwa/wiki/UserGuide
BWA ships twenty-odd web apps; today I will take just one, WordPress, and work through the vulnerabilities listed for it in the ticket tracker.
The tickets are:

Ticket | Severity | Summary | Component | Description
---|---|---|---|---
#6 | High | Command Injection | WordPress | A command injection vulnerability exists. Reference: http://www.exploit-db.com/exploits/6/ (as long as 'wordpress' is in the dictionary file used).
#7 | High | SQL Injection | WordPress | A SQL injection vulnerability exists in the xmlrpc.php page. Reference: http://www.exploit-db.com/exploits/3656/
#8 | High | SQL Injection | WordPress | The Spreadsheet (wpSS) plugin for WordPress contains a SQL injection vulnerability. Reference: http://www.exploit-db.com/exploits/5486/ Payload: http://owaspbwa/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--
#9 | High | Malicious File Execution | WordPress | The myGallery plugin for WordPress contains a malicious file execution vulnerability. Reference: http://www.exploit-db.com/exploits/3814/
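The ss_id payload in ticket #8 is a classic union-based injection: `and (1=0)` empties the legitimate result, and the `union select 1,concat(...),3,4` appends one row per wp_users entry whose second column carries login:hash:email, which the plugin then renders as if it were spreadsheet data. The following is an added example, not the wpSS plugin's code or part of the original post. It replays the payload against an in-memory SQLite database through PDO (so it runs offline; the pdo_sqlite extension is assumed) and then shows the prepared-statement fix. The table layout and rows are constructed for the demo, and the payload is adapted to SQLite syntax: MySQL's concat(a,0x3a,b) becomes a || ':' || b, everything else is as in the ticket.

```php
<?php
// Added example (not the wpSS plugin's code or the original post's).
// Reproduces the union-based injection from ticket #8 against an
// in-memory SQLite database, then shows the prepared-statement fix.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Hypothetical 4-column spreadsheet table. The real plugin's schema is
    // not on the page, but the payload's "1,concat(...),3,4" tells us the
    // vulnerable SELECT returns exactly four columns.
    $db->exec('CREATE TABLE wp_ss (ss_id INTEGER, ss_title TEXT, ss_data TEXT, ss_owner INTEGER)');
    $db->exec("INSERT INTO wp_ss VALUES (1, 'Budget', '<cells/>', 1)");
    // Constructed sample user; the hash is a placeholder, not a real one.
    $db->exec('CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT)');
    $db->exec("INSERT INTO wp_users VALUES (1, 'admin', '\$P\$BfakehashForDemoOnly', 'admin@example.com')");
    return $db;
}

// Vulnerable pattern: ss_id is concatenated into the SQL text.
function loadSpreadsheetVulnerable(PDO $db, string $ssId): array
{
    return $db->query('SELECT * FROM wp_ss WHERE ss_id=' . $ssId)->fetchAll(PDO::FETCH_NUM);
}

// Fixed: validate the type first, then bind the value as a parameter so
// it can never be parsed as SQL.
function loadSpreadsheetSafe(PDO $db, string $ssId): array
{
    if (!ctype_digit($ssId)) {
        throw new InvalidArgumentException('ss_id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT * FROM wp_ss WHERE ss_id=?');
    $stmt->execute([(int) $ssId]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$db = setupDb();
// Ticket #8 payload, URL-decoded and with concat(x,0x3a,y) rewritten for SQLite.
$payload = "1 and (1=0) union select 1,user_login||':'||user_pass||':'||user_email,3,4 from wp_users--";

// "and (1=0)" discards the legitimate row, so the only row returned is the
// one built by the UNION, and column 2 carries login:hash:email.
foreach (loadSpreadsheetVulnerable($db, $payload) as $row) {
    echo $row[1], "\n";   // admin:$P$BfakehashForDemoOnly:admin@example.com
}

// The same payload is rejected before it ever reaches the database.
try {
    loadSpreadsheetSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
print_r(loadSpreadsheetSafe($db, '1'));   // only the Budget row
```

Inside WordPress the same fix is written with `$wpdb->prepare('... WHERE ss_id = %d', $ss_id)`; the `%d` placeholder both binds and integer-casts the value, which is exactly what the plugin was missing.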
(1) PHP command injection
The PHP functions that run an external program (simplified signatures; all of them hand the command string to /bin/sh, which is what makes shell metacharacters in user input dangerous):
string system(string $command, int &$return_var)
$command: the command to run
$return_var: receives the command's exit status; the output is written straight to the response and the last line is returned
string exec(string $command, array &$output, int &$return_var)
$command: the command to run
$output: receives every line of the command's output as an array element
$return_var: receives the exit status; the last line of output is returned
void passthru(string $command, int &$return_var)
$command: the command to run
$return_var: receives the exit status; raw (binary-safe) output goes straight to the response
string shell_exec(string $command)
$command: the command to run; the complete output is returned as a string (the backtick operator does the same)
How does the injection work? Suppose ex1.php looks like this (the original checked isset($dir) only after the assignment, which just produces an "undefined index" notice; the order is corrected here, the vulnerability is unchanged):

```php
<?php
if (isset($_GET["dir"])) {
    $dir = $_GET["dir"];
    echo "<pre>";
    system("ls -al" . $dir);   // user input concatenated straight into a shell command
    echo "</pre>";
}
?>
```

Request it as:
http://localhost/ex1.php?dir=| cat /etc/passwd
(the browser sends the space as %20 and PHP decodes it before it lands in $_GET).
After submission the command handed to the shell is system("ls -al| cat /etc/passwd"). The missing space does not matter, because | is a shell metacharacter either way. cat was given a file argument, so it ignores the piped-in directory listing and the page shows the contents of /etc/passwd. A ; or && in place of the pipe lets you run any second command the same way.
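For contrast, here is an added example (not code from the original post or from BWA) that puts the vulnerable pattern next to two safer versions of the same directory listing. The first two functions only build the command string and return it, so the effect of the payload can be inspected without running anything; the third avoids the shell entirely by resolving the path with realpath() and refusing anything outside an allow-listed base directory (/var/www/html is an assumed value).

```php
<?php
// Added example, not from the OWASP BWA project or the original post.

// 1. Vulnerable: user input concatenated into a shell command.
//    "ls -al" . "| cat /etc/passwd"  ->  ls -al| cat /etc/passwd
function vulnerableCommand(string $dir): string
{
    return "ls -al" . $dir;
}

// 2. Still shells out, but the argument is single-quoted by escapeshellarg(),
//    so | ; ` $ ( ) reach ls as literal characters of a (non-existent) file
//    name instead of being interpreted by /bin/sh.
function escapedCommand(string $dir): string
{
    return "ls -al " . escapeshellarg($dir);
}

// 3. Preferred: no shell at all. Resolve the path, confine it to $base
//    (hypothetical default), then read it with scandir().
function listDirectory(string $dir, string $base = '/var/www/html'): array
{
    $baseReal = realpath($base);
    $real     = realpath($base . '/' . $dir);
    if ($baseReal === false || $real === false) {
        throw new InvalidArgumentException('directory does not exist');
    }
    // realpath() has already collapsed any ../ so a plain prefix check is enough.
    $inside = $real === $baseReal
        || strncmp($real, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) === 0;
    if (!$inside) {
        throw new InvalidArgumentException('directory outside allowed base');
    }
    $entries = scandir($real);
    if ($entries === false) {
        throw new RuntimeException('cannot read directory');
    }
    return $entries;
}

$payload = '| cat /etc/passwd';   // the same value the URL above puts in $_GET["dir"]
echo vulnerableCommand($payload), "\n";   // ls -al| cat /etc/passwd
echo escapedCommand($payload), "\n";      // ls -al '| cat /etc/passwd'

try {
    print_r(listDirectory('../../../etc'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With escapeshellarg() the shell receives a single argument `| cat /etc/passwd`, which ls reports as "No such file or directory" instead of running cat. The scandir() version is the one to prefer in new code: if no shell is involved there is nothing to inject, and the realpath() prefix check also closes the directory-traversal variant (`dir=../../etc`) that escaping alone does not address.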