摘要:漏洞靶場,不僅可以幫助我們鍛煉滲透測驗能力、可以幫助我們分析漏洞形成機理、更可以學習如何修復提高代碼能力,同時也可以幫助我們檢測各種各樣漏洞掃描器的效果,
本文分享自華為云社區《Web漏洞靶場搭建-wavsep》,作者:XuPlus ,
滲透測驗切忌紙上談兵,學習滲透測驗知識的程序中,我們通常需要一個包含漏洞的測驗環境來進行訓練,而在非授權情況下,對于網站進行滲透測驗攻擊,是觸及法律法規的,所以我們常常需要自己搭建一個漏洞靶場,避免直接對公網非授權目標進行測驗,
漏洞靶場,不僅可以幫助我們鍛煉滲透測驗能力、可以幫助我們分析漏洞形成機理、更可以學習如何修復提高代碼能力,同時也可以幫助我們檢測各種各樣漏洞掃描器的效果,
本文將以 sectooladdict/wavsep: The Web Application Vulnerability Scanner Evaluation Project靶場為例來學習靶場搭建,結合漏洞掃描服務-華為云來發現存在的漏洞,
靶場搭建
我們找一臺linux機器來進行實驗
? cat /etc/os-release -pNAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionicdocker
目前大部分靶場都有docker版本,我們利用docker來快速搭建靶場,docker安裝可參考官網Install Docker Engine on Ubuntu | Docker Documentation安裝手冊,或者借助https://get.docker.com進行自動化安裝
root in szvphisprd13003
> wget -qO- https://get.docker.com/ | bash安裝完成后,還需要配置docker鏡像源來加速鏡像拉取時間,這里配置中科大(USTC)源來進行加速,在 /etc/docker/daemon.json中配置
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}wavsep
WAVSEP 是經典的漏洞靶場之一,包含常見的Web漏洞(SQL/XSS/Path Travseral/…),包含大量漏洞場景甚至假漏洞(檢測掃描器誤報率),目前漏洞有
- Path Traversal/LFI: 816 test cases, implemented in 816 jsp pages (GET & POST)
- Remote File Inclusion (XSS via RFI): 108 test cases, implemented in 108 jsp pages (GET & POST)
- Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)
- Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST)
- Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST)
- Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)
- Unvalidated Redirect: 60 test cases, implemented in 60 jsp pages (GET & POST)
- Old, Backup and Unreferenced Files: 184 test cases, implemented in 184 files (GET Only)
- Passive Information Disclosure/Session Vulnerabilities (inspired/imported from ZAP-WAVE): 3 test cases of erroneous information leakage, and 2 cases of improper authentication/information disclosure - implemented in 5 jsp pages
- Experimental Test Cases (inspired/imported from ZAP-WAVE): 9 additional RXSS test cases (anticsrf tokens, secret input vectors, tag signatures, etc), and 2 additional SQLi test cases (INSERT) - implemented in 11 jsp pages (GET & POST)
使用docker安裝wavsep:
root in szvphisprd13003 in ~
? docker search wavsep
...
owaspvwad/wavsep The Web Application Vulnerability Scanner E… 6
...
root in szvphisprd13003 in ~
? docker pull owaspvwad/wavsep
...
root in szvphisprd13003 in ~
? docker run -itd -p 8080:8080 owaspvwad/wavsep完成后訪問 http://IP:8080/wavsep/ 即可
漏洞發現
通過手工測驗與掃描器來發現靶場中的問題
手工測驗
以檔案包含漏洞為例,訪問
http://IP:8080/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/index.jsp
http://IP:8080/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/Case01-LFI-FileClass-FilenameContext-Unrestricted-OSPath-DefaultFullInput-AnyPathReq-Read.jsp?target=/root/apache-tomcat-8.0.27/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini
手動修改 target 引數為 /etc/passwd 發現成功讀取到 passwd 檔案
華為云漏洞掃描
1.添加資產,配置域名認證
# 查看wavsep容器id
root in szvphisprd13003 in ~
? docker ps
02e9031d5b59 owaspvwad/wavsep "/bin/sh -c 'sh ~/..." 8 months ago Up 6 minutes
0.0.0.0:8080->8080/tcp
# 查看web根目錄
root in szvphisprd13003 in ~
? docker exec -it 02e9031d5b59 /bin/bash
root@02e9031d5b59:/# cd ~/apache-tomcat-8.0.27/webapps/ROOT/
root@02e9031d5b59:~/apache-tomcat-8.0.27/webapps/ROOT# echo d2NjX2NyeXB0ATQxNDU1MzVGNDM0MjQzOzMzMzAzNTM4MzUzMjM0NDUz
NDMzMzQ0MTM4NDMzMTMwNDI0MjMzNDIzMzQzMzE0MTM0MzAzMzMzNDMzNjM4MzQzOTQ1MzgzNjM4MzMzNjM2NDQ0NTM2MzczMjQyNDEzMjQ0MzMzMDMy
NDYzNDQ2MzU0NjMxMzEzMjM2MzYzOTM3NDUzNTM5NDI0MzM2NDUzNjQxNDEzNjMwMzYzNTMwMzk0NTM1MzAzMjM5NDQzNzQ0NDUzNDQyNDUzMzM1MzQ0
NDs7MzUzMDMwMzAzMDs4Q0NEMkJEOUVFNkIxOTlCQjk4Qjk1QTgzMUJBMEZBNDtDQTRDQjVENUM4RjI1N0ZDOzM3MzgzMzM0MzU2MTM1MzIyRDYyMzUz
NzY1MkQzNDY1MzEzNzJENjI2MzYzMzUyRDM2NjIzNzY1MzczMDY1MzMzNTM2MzAzMDs+d2NjX2NyeXB0ATQxNDU1MzVGNDM0MjQzOzM5MzI0NDMyMzk0
NTM2NDMzMjM3MzA0MjM1NDMzNjM5MzQ0NDQxMzkzMDM4MzU0MTMxMzczNTMxNDI0MzQyMzE0NjMzNDQzNDM0MzIzMzQ0MzkzNTM0MzkzODQzNDYzOTMw
MzEzNDQ2NDU0MzM0Mzk0NTQyMzgzOTQ2MzE0MzQ0OzszNTMwMzAzMDMwOzA4NDNFN0FEQzI3OUI0Q0QzNzA3RTNCN0YyMUM0RUIxO0MwODcyOTY0QjY0
ODk4MEM7MzczODMzMzQzNTYxMzUzMjJENjIzNTM3NjUyRDM0NjUzMTM3MkQ2MjYzNjMzNTJEMzY2MjM3NjUzNzMwNjUzMzM1MzYzMDMwOw+d2NjX2Nye
XB0ATQxNDU1MzVGNDM0MjQzOzM5NDM0NjMxMzQzNDMyNDU0NTM5MzUzODM4NDE0MzM4MzAzNjQ1MzIzNDQ2MzYzNTQzNDYzMzQ1NDEzNjM5MzA7OzM1M
zAzMDMwMzA7MjBGQzg0NThGODVFNUM4NUI5QzBCQzE2MDgxRENGRjk7N0QyNjgyMTMwN0U2M0JDODszNzM4MzMzNDM1NjEzNTMyMkQ2MjM1Mzc2NTJEM
zQ2NTMxMzcyRDYyNjM2MzM1MkQzNjYyMzc2NTM3MzA2NTMzMzUzNjMwMzA7+IP:8080 > hwwebscan_verify.html訪問 http://IP:8080/hwwebscan_verify.html 確認認證檔案能被訪問,完成域名認證
2. 開始掃描,在掃描資訊配置處更改目標網址為 http://IP:8080/wavsep/active/index-main.jsp
目標網址不應填寫 http://IP:8080/wavsep/ 由于此頁面無任何 <a>等網頁連接 爬蟲無法爬取到新的頁面 將掃描不到任何資訊
3. 等待掃描結束 查看漏洞資訊
Reference
???
- 漏洞掃描_網站安全漏洞掃描_web網站漏洞掃描_漏洞掃描服務-華為云
- Docker 鏡像使用幫助 - LUG @ USTC
點擊關注,第一時間了解華為云新鮮技術~
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/337618.html
標籤:其他