webug range 3.0 penetration course (all 16 off)

Posted by tzul at 2020-03-26

The webug name is defined as the "our vulnerability" range environment. The basic environment is built based on PHP / MySQL. The intermediate environment and the advanced environment are the operating environments of vulnerabilities collected by Internet vulnerability events. Part of the vulnerabilities are based on Windows operating system, so webug's Web environment is installed in a pure version of Windows 2003 virtual machine.

Infiltration Foundation

First off: a very simple get injection

If it's a normal get injection, then it's under the GID parameter

Single quotation mark error message needs to close single quotation mark to complete injection

order by 5

Report errors

order by 4

Return normal column length to 4

Explosion meter

-1' union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() %23

Explosion sequence

-1' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name = 'flag' %23

Check the flag value and complete

-1' union select 1,flag,3,4 from flag %23

Level 2: what can you find from the pictures? Find something useful in the picture

A photo is downloaded, Notepad is opened, and a 123.txt password is hidden at the end. There is nothing else. Maybe the problem is not perfect

Third, what do you see? It's also important to have a directory when it comes to infiltrating websites

Come in. Click Submit flag 404 = = estimated path is wrong or code is not finished. But it doesn't matter

The title says that the catalog is very important. Let's scan it

Get access to the test directory and get another prompt. To encrypt the directory name MD5 is to encrypt the test

After encryption, the access is cleared

Fourth: tell you that flag is a five digit code that can burst when encountering a five digit verification code

I didn't find the verification code when I went in

Later, I saw the source code and found that the account passwords were all weak passwords, but the output flag statements were also commented out. Maybe this is not perfect~

Level 5: a special injection head with small advantages (injection head!)

The injection of the head just thought of working hard on the XFF head. I used the Firefox plug-in modify heads (I can't change it with burpsuite). It's no different from the first level, but the injection is a little different~

The sixth level: this level needs RMB to buy Oh payment problem: use the least money to buy a book!

The password of login is at the seventh level=

Book 1 is 10 yuan for a Book 2 is 20 yuan for a book at least

Then purchase - 2 books, 11 books, 2 if the system does not verify the purchase quantity, then the settlement is: - 2 * 10 + 1 * 10 = 0 yuan

Many programs limit the number of packets on the front-end, so you can try to intercept packets to modify the number, but there is no verification here, so you can buy them directly

Pass 7: unauthorized account number: Tom password 123456

Log in with only one password change page

Combined with the level exceeding authority, it means that the user changes the password of others beyond authority. It is found that the URL is followed by the name parameter, which is the user who needs to change the password

Try to change it to admin to change the password. Here the program doesn't verify the old password. Enter the new password at will. You can change the password beyond your authority

Eighth pass: CSRF administrator goes online at 10:00 every night!

After entering, it's just a page to change the password

Use burpsuite to intercept the password change request and generate CSRF POC with one key

After opening this as HTML administrator, the password will be changed. CSRF is finished

Ninth pass: can URL jump from me to Baidu?

If the URL jumps to, you need to insert a URL in a certain place to participate in the successful jump

Level 10: download files according to the prompts

Open 404..

After checking the source code, I found that there was a problem with URL jump. Just change the original comment jump to download.php. The index.php code is not finished

When I come to download.php, I grab the package of the downloaded image and find that I pass a parameter fname to download the file name. Then I can modify the file name to download any file

The title prompts us to help the administrator retrieve the MySQL account password. Then scan the directory to get dB

Then scan the DB directory to get config.php

Construct the following path, download it to config.php, and get the account password

11: I'm a bit like boom, shakaraka!

It's a bit like the last pass. Do you want to find the password of MySQL account or grab the downloaded package first? Look at the last pass. The download uses the post of get

Still scan to get config.php under DB directory, then change post package

Pass 12: I forgot my system password. Please help me find it under disk D

After logging in, you can upload files. After testing, you can upload a sentence without any restrictions

Connect the kitchen knife according to the echoed path

It means that you can retrieve the password under disk D but cannot access disk D


But we can get the system password through mimikatz

I don't know why my kitchen knife didn't echo for a long time, so I ran it directly on the target machine and got the password successfully

Level 13: XSS to see what surprises you can bring me

Go in and see that the URL is followed by a parameter id = 666 and the parameter value is displayed on the page. Then this is a reflection XSS

No filtering, just any payload

14: storage XSS super!

A message board, so it's a storage XSS, and there's no filtering to use the last off payload

15: what? Can't upload the picture? What should I do if I can't upload the picture

The old way is to grab the uploaded data package, analyze it, first pass the upper case JPG or prompt me not to upload the image, and then change it to lower case

But she said she didn't like it

What will be echoed after trying PHP suffix? It seems that direct upload succeeded

After reading the directory, it's true that it's passed successfully. So the code guess of this problem is that it only verifies the content type

It seems that the source code can be uploaded as long as the suffix is not JPG, PNG and other image formats

Pass 16: tomorrow's double 11 I will cut my hand from the company's network!

Input the input box and click go to show that it's not easy to chop the hand, change the place and add a parameter URL

A well-known station chop hand then try Taobao echo prompt Oh, here only allow visit!!!

Try to change the XFF header or the same echo is not successful

Then I grabbed the packet and saw that the host was IP, which prompted me to try to change the host to

Not yet, but it's turned into a nono

Try to change the referer to Taobao or noo can't help checking the source code.. I don't understand why baidu is needed!

Get the flag after changing to Baidu

Verify success

At the end of the basic chapter, there may be some mistakes or bad writing, which will be corrected after discovery, and the rest of the strategies will be written later (if I can do it)! See you ~!

*Author: Xiaoshi, reprint from