webug, whose name stands for "our vulnerability", is a vulnerability practice range. The basic environment is built on PHP/MySQL; the intermediate and advanced environments reproduce vulnerabilities collected from real Internet vulnerability incidents. Some of those vulnerabilities depend on the Windows operating system, so webug's web environment is installed in a clean Windows 2003 virtual machine.
Penetration basics
Level 1: a very simple GET injection
For a normal GET injection, the injection point is the gid parameter
A single quote produces an error message, so the quote has to be closed for the injection to work
order by 5
returns an error
order by 4
returns normally, so the number of columns is 4
Dump the table names
-1' union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() %23
Dump the column names
-1' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name = 'flag' %23
Read the flag value and the level is done
-1' union select 1,flag,3,4 from flag %23
Level 2: what can you find in the picture? Find something useful in the image
Download the photo and open it in Notepad: a password (123.txt) is hidden at the end of the file, and there is nothing else. Maybe this level is not finished
Level 3: what do you see? Directories matter too when penetrating a website
Going in and clicking Submit flag gives a 404 = = presumably the path is wrong or the code is unfinished, but it doesn't matter
The title says the directory is very important, so let's scan it
The scan finds the test directory, which gives another hint: the directory name is MD5-hashed, i.e. the MD5 of "test"
Visiting the MD5-hashed directory name clears the level
Level 4: you're told the flag is a five-digit code; when you meet a five-digit verification code it can be brute-forced
I didn't find the verification code when I went in
Later I looked at the source code and found that the account passwords were all weak passwords, but the statements that output the flag were commented out. Maybe this level is not finished either~
Level 5: a special injection, with a small hint (inject in the header!)
For header injection, the X-Forwarded-For header is the first thing to try. I used the Firefox plug-in Modify Headers (I couldn't change it with Burp Suite). It's no different from Level 1, except that the injection point is a little different~
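Levels 1 and 5 come down to the same defect: a request value (the gid parameter in Level 1, the X-Forwarded-For header in Level 5) concatenated into SQL. The Python script below is an added example, not webug's code: it rebuilds the situation against an in-memory SQLite table (constructed data; the table and column names are assumptions) and shows that the union payload works through either input source when the query is built by concatenation, and becomes inert once the value is bound as a query parameter. SQLite's line comment is `--`, so it stands in for the `#` (%23) used against MySQL above.

```python
import sqlite3

# Constructed stand-in for the level's database: an 'article' table with 4 columns
# (matching the "order by 4" result above) and a 'flag' table. Names are assumptions.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE article (id INTEGER, title TEXT, body TEXT, extra TEXT);
        INSERT INTO article VALUES (1, 'hello', 'world', 'x');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('flag{constructed-sample}');
    """)
    return con

def request_value(params, headers):
    """Level 1 reads the value from the gid query parameter; Level 5 reads it from
    the X-Forwarded-For header. Both are attacker-controlled input."""
    return params.get("gid") or headers.get("X-Forwarded-For", "")

def lookup_vulnerable(con, value):
    # Vulnerable pattern: user input concatenated into the SQL text.
    sql = "SELECT id, title, body, extra FROM article WHERE id = '" + value + "'"
    return con.execute(sql).fetchall()

def lookup_fixed(con, value):
    # Parameterised query: the value is bound as data and never parsed as SQL.
    sql = "SELECT id, title, body, extra FROM article WHERE id = ?"
    return con.execute(sql, (value,)).fetchall()

# The level's union payload, with SQLite's '--' comment in place of MySQL's '#' (%23).
PAYLOAD = "-1' union select 1,flag,3,4 from flag -- "

def demo():
    con = make_db()
    return {
        "vulnerable_get": lookup_vulnerable(con, request_value({"gid": PAYLOAD}, {})),
        "vulnerable_xff": lookup_vulnerable(con, request_value({}, {"X-Forwarded-For": PAYLOAD})),
        "fixed": lookup_fixed(con, PAYLOAD),       # no row: the whole payload is compared as text
        "fixed_normal": lookup_fixed(con, "1"),    # ordinary lookups still work
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The point of `request_value` is that the fix does not depend on where the value came from: a header is no more trustworthy than a query string, and binding it as a parameter is the same one-line change in both cases.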
Level 6: this level requires RMB to buy, oh. Payment problem: buy a book with the least money!
The login password is the one from Level 7
Book 1 costs 10 yuan each and Book 2 costs 20 yuan each; buy a book with the least money
Then buy -2 of Book 1 and 1 of Book 2. If the system does not verify the purchase quantity, the settlement is: -2 * 10 + 1 * 10 = 0 yuan
Many programs only limit the quantity on the front end, so the usual approach is to intercept the packet and modify the quantity; here there is no verification at all, so you can buy directly
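The negative-quantity trick works because the total is computed from quantities the client sends. The Python below is an added example, not webug's code (item names and the 9999 cap are assumptions); it puts the level's checkout beside a hardened version that validates quantities server-side, where the front-end limit mentioned above is no control at all.

```python
import re

# Constructed catalogue matching the level: Book 1 costs 10 yuan, Book 2 costs 20 yuan.
PRICES = {"book1": 10, "book2": 20}

class InvalidOrder(ValueError):
    """Raised by the hardened checkout when the cart fails validation."""

def checkout_vulnerable(cart):
    """Level 6 behaviour: quantities from the request are trusted as-is,
    so a negative quantity subtracts money from the total."""
    return sum(PRICES[item] * int(qty) for item, qty in cart.items())

# 1..9999, digits only: no sign, no whitespace, no exponent or decimal forms.
_QTY = re.compile(r"^[1-9][0-9]{0,3}$")

def parse_quantity(raw):
    """Quantities arrive as form strings; accept only small positive integers."""
    if not isinstance(raw, str) or not _QTY.match(raw):
        raise InvalidOrder(f"bad quantity: {raw!r}")
    return int(raw)

def checkout_fixed(cart):
    """Hardened checkout: unknown items and non-positive or oversized quantities are
    rejected on the server, and a non-positive total is rejected as defence in depth."""
    total = 0
    for item, raw_qty in cart.items():
        if item not in PRICES:
            raise InvalidOrder(f"unknown item: {item!r}")
        total += PRICES[item] * parse_quantity(raw_qty)
    if total <= 0:
        raise InvalidOrder("non-positive total")
    return total

def try_checkout(cart):
    """Return the total, or the rejection reason as a string (what a 400 response would say)."""
    try:
        return checkout_fixed(cart)
    except InvalidOrder as e:
        return str(e)

if __name__ == "__main__":
    print(checkout_vulnerable({"book1": "-2", "book2": "1"}))   # the level's zero-yuan order
    print(try_checkout({"book1": "-2", "book2": "1"}))
```

Validating the quantity as a string against a strict pattern, rather than calling `int()` and checking the sign afterwards, also rejects forms such as `+1`, ` 2` or `1e3` that a looser parser would accept.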
Level 7: broken access control. Account: Tom, password: 123456
After logging in there is only a password-change page
Combined with the level's theme of exceeding authority, this means a user changing someone else's password. The URL carries a name parameter, which is the user whose password is to be changed
Change it to admin and change the password. The program doesn't verify the old password, so enter any new password: you can change the password beyond your authority
Level 8: CSRF. The administrator comes online at 10:00 every night!
After entering, it's again just a password-change page
Intercept the password-change request with Burp Suite and generate a CSRF PoC with one click
Once the administrator opens this HTML, the password is changed; CSRF done
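Levels 7 and 8 are two failures of the same password-change handler: the target user is taken from the request (Level 7), and nothing in the request proves the user intended it (Level 8). The Python below is an added example, not webug's code, with constructed accounts and an in-memory session store (assumptions); it contrasts the level's handler with one that takes the identity from the session, requires the old password and checks a per-session CSRF token.

```python
import hmac
import secrets

USERS = {}      # user -> password (constructed sample accounts; the level gives Tom / 123456)
SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}

def reset_state():
    USERS.clear()
    USERS.update({"tom": "123456", "admin": "constructed-admin-password"})
    SESSIONS.clear()

def login(user, password):
    """Return a session id on success, None otherwise."""
    if user not in USERS or not hmac.compare_digest(USERS[user], password):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def csrf_token(sid):
    """The token the server embeds in the password form for this session."""
    return SESSIONS[sid]["csrf"]

def change_password_vulnerable(params):
    """Levels 7 and 8: the target user comes from the 'name' URL parameter, the old
    password is never checked, and there is no CSRF token, so any logged-in user
    (Level 7) or any page the admin visits (Level 8) can set another user's password."""
    USERS[params["name"]] = params["new"]
    return "ok"

def change_password_fixed(sid, params):
    """Hardened handler: identity from the server-side session (never from the request),
    CSRF token compared in constant time, old password required."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "not logged in"
    if not hmac.compare_digest(params.get("csrf", ""), sess["csrf"]):
        return "bad csrf token"
    user = sess["user"]   # any 'name' in params is ignored on purpose
    if not hmac.compare_digest(USERS[user], params.get("old", "")):
        return "old password wrong"
    USERS[user] = params["new"]
    return "ok"

if __name__ == "__main__":
    reset_state()
    sid = login("tom", "123456")
    form = {"name": "admin", "csrf": csrf_token(sid), "old": "123456", "new": "new-pass"}
    print(change_password_fixed(sid, form), "tom:", USERS["tom"], "admin:", USERS["admin"])
```

A forged page in Level 8's style cannot supply the CSRF token because it is tied to the victim's session and only readable by the site's own pages; requiring the old password closes the remaining gap where a token leaks or a session is left open.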
Level 9: URL jump, can you jump from me to Baidu?
To make the page jump to http://www.baidu.com, you need to find the URL parameter and supply the URL; then the jump succeeds
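An open redirect like this one is fixed at the point where the target is accepted. The Python below is an added example, not webug's code; it validates a redirect target against an allowlist of hosts (www.baidu.com here, as the level expects) and falls back to a local default for anything else, including the `//host`, `user@host` and `javascript:` forms that naive prefix checks let through.

```python
from urllib.parse import urlsplit

def is_safe_redirect(target, allowed_hosts):
    """True only for an absolute local path or an http(s) URL whose host is allowlisted."""
    if not target or any(ch in target for ch in "\r\n\t\x00"):
        return False                        # header-injection / parser-confusion characters
    try:
        parts = urlsplit(target)
    except ValueError:
        return False                        # malformed authority, e.g. bad IPv6 brackets
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                        # javascript:, data:, file: ...
    if parts.netloc:
        # hostname is lowercased and stripped of userinfo and port, so
        # 'http://www.baidu.com@evil.example' resolves to evil.example here
        return parts.hostname in allowed_hosts
    # No authority part: accept only a plain absolute path. '//host' already has a
    # netloc above; backslashes are rejected because browsers treat '/\host' as '//host'.
    return target.startswith("/") and "\\" not in target

def redirect_or_default(target, allowed_hosts, default="/"):
    """What a hardened jump endpoint would send as the Location value."""
    return target if is_safe_redirect(target, allowed_hosts) else default

if __name__ == "__main__":
    allowed = {"www.baidu.com"}
    for t in ["http://www.baidu.com", "/account", "//evil.example/", "javascript:alert(1)"]:
        print(t, "->", redirect_or_default(t, allowed))
```

Matching on the parsed hostname instead of a string prefix is what defeats `http://www.baidu.com.evil.example`: the prefix test passes, the hostname comparison does not.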
Level 10: download the file according to the hint
Opening it gives a 404..
After checking the source code, I found that the URL jump was the problem: just change the commented-out jump target to download.php. The index.php code is unfinished
When I got to download.php, I captured the request that downloads the image and found that a parameter fname carries the file name to download, so I can modify the file name to download any file
The title asks us to help the administrator recover the MySQL account password, so scan the directory and find db
Then scan the db directory and find config.php
Construct the following path to download config.php and get the account password
Level 11: I'm a bit like boom, shakaraka!
This is a bit like the previous level. Find the MySQL account password, or first capture the download request? Compared with the previous level, the download uses POST instead of GET
Still scan to find config.php under the db directory, then modify the POST packet
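Levels 10 and 11 are the same flaw with fname arriving by GET or by POST: the name is joined onto the download directory without validation, which is how a path such as `../db/config.php` becomes reachable. The Python below is an added example, not webug's code; it builds a throwaway web root in a temporary directory (constructed files) and shows the unvalidated join beside a handler that serves only plain file names resolving inside the download directory.

```python
import os
import tempfile
from pathlib import Path

def make_webroot():
    """Constructed stand-in for the level's web root: public files under download/,
    and the db/config.php the hint points at outside it."""
    root = Path(tempfile.mkdtemp())
    (root / "download").mkdir()
    (root / "download" / "a.jpg").write_bytes(b"\xff\xd8\xff constructed image bytes \xff\xd9")
    (root / "db").mkdir()
    (root / "db" / "config.php").write_text("<?php $db_pass = 'constructed-sample'; ?>")
    return root

def serve_vulnerable(root, fname):
    """Levels 10/11 behaviour: fname (GET in 10, POST in 11) is joined onto the download
    directory with no validation, so '../' walks out of it and '/abs' replaces it."""
    with open(os.path.join(root, "download", fname), "rb") as f:
        return f.read()

def serve_fixed(root, fname):
    """Hardened handler: return the bytes, or None (a 403/404 in a real app) when the
    name is not a bare file name or does not resolve to a file inside download/."""
    if not fname or "\x00" in fname or os.path.basename(fname) != fname:
        return None                             # rejects '../x', '/abs', 'dir/file', ''
    base = (Path(root) / "download").resolve()
    target = (base / fname).resolve()           # resolve() also follows symlinks
    if target.parent != base or not target.is_file():
        return None                             # '.', '..', symlink out, or missing file
    return target.read_bytes()

if __name__ == "__main__":
    root = make_webroot()
    print(serve_vulnerable(root, "../db/config.php"))   # the level's leak
    print(serve_fixed(root, "../db/config.php"))        # None
    print(serve_fixed(root, "a.jpg")[:4])
```

The two checks are deliberately redundant: the basename test rejects the obvious traversal shapes early, and the resolved-parent test catches anything the first one cannot express, such as a symlink inside download/ pointing elsewhere.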
Level 12: I forgot my system password, please help me find it on drive D
After logging in you can upload files. After testing, a one-line webshell can be uploaded without any restriction
Connect with Chopper (菜刀) using the echoed path
The hint says the password can be retrieved on drive D, but drive D cannot be accessed
Because..
But we can get the system password with mimikatz
I don't know why my Chopper didn't echo for a long time, so I ran it directly on the target machine and got the password
Level 13: XSS, let's see what surprises you can bring me
Going in, the URL carries a parameter id = 666 and its value is displayed on the page, so this is a reflected XSS
There is no filtering, so any payload works
Level 14: stored XSS, super!
It's a message board, so it's a stored XSS, and there's no filtering either; just reuse the payload from the previous level
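Both XSS levels come from writing a request value or a stored message into HTML as-is. The Python below is an added example, not webug's code, with an in-memory list as a constructed stand-in for the board's storage; it renders the id parameter and the board entries with and without output encoding, using the standard `<script>alert(1)</script>` test marker as input.

```python
import html

MESSAGES = []   # constructed stand-in for the message board's storage

def page_vulnerable(id_param):
    """Level 13 behaviour: the id parameter is echoed straight into the HTML."""
    return "<p>id = " + id_param + "</p>"

def page_fixed(id_param):
    """Encode for the HTML context at output time; quote=True also covers
    attribute values, so the same helper is safe inside value="...". """
    return "<p>id = " + html.escape(id_param, quote=True) + "</p>"

def post_message(text):
    """Store the raw text: encoding belongs at output, where the context is known."""
    MESSAGES.append(text)

def board_vulnerable():
    """Level 14 behaviour: stored messages rendered as markup."""
    return "".join("<li>" + m + "</li>" for m in MESSAGES)

def board_fixed():
    return "".join("<li>" + html.escape(m, quote=True) + "</li>" for m in MESSAGES)

def contains_script_tag(rendered):
    """A crude check a response-side detector might apply: did a tag survive?"""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    marker = "<script>alert(1)</script>"
    print(page_vulnerable(marker))
    print(page_fixed(marker))
    post_message(marker)
    print(board_fixed())
```

Encoding at output rather than at input is the design choice worth noting: the same stored message may later be placed in a JSON response or an attribute, and each of those needs its own encoding, which a filter applied once at submission time cannot know about.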
Level 15: what? Can't upload the picture? What should I do if the picture can't be uploaded
The usual way: capture the upload request and analyse it. First, uploading with an upper-case JPG extension prompts that the image cannot be uploaded, so change it to lower case
But it says it doesn't like that either
What will be echoed after trying a php suffix? It seems the upload succeeded directly
Checking the directory confirms it was uploaded successfully. So the guess is that this level's code only verifies the Content-Type
From the source code it seems that the upload succeeds as long as the suffix is not jpg, png or another image format
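Level 12 accepted any file and Level 15 (as inferred above) decided on Content-Type alone, a header the client sets. The Python below is an added example, not webug's code; it puts that check beside a validator that requires an allowlisted image extension, a matching Content-Type and matching magic bytes, and stores the file under a server-chosen name so the original name never reaches disk (the magic-byte table and the allowed types are assumptions).

```python
import os
import secrets

# Constructed allowlist: leading bytes of the image types the level is meant to accept.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
IMAGE_CONTENT_TYPES = {"image/jpeg", "image/png"}

def accept_vulnerable(filename, content_type, data):
    """Level 15 as the author inferred it: only the Content-Type header is checked,
    and the client writes that header (Level 12 checked nothing at all)."""
    return content_type.startswith("image/")

def accept_fixed(filename, content_type, data):
    """Return the server-chosen stored name, or None when the upload is rejected."""
    if "\x00" in filename:
        return None                              # NUL-truncation tricks on the name
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        return None                              # .php, .phtml, .jpg.php, no extension ...
    if content_type not in IMAGE_CONTENT_TYPES:
        return None                              # declared type must be an allowed image type
    if not data.startswith(MAGIC[ext]):
        return None                              # extension must match the bytes
    # Random server-side name with the validated extension: the client's name is discarded.
    return secrets.token_hex(8) + "." + ext

if __name__ == "__main__":
    jpg = b"\xff\xd8\xff\xe0" + b"constructed jpeg body"
    print(accept_vulnerable("shell.php", "image/jpeg", b"<?php ?>"))   # True: header only
    print(accept_fixed("shell.php", "image/jpeg", b"<?php ?>"))        # None
    print(accept_fixed("photo.JPG", "image/jpeg", jpg))                # <random>.jpg
```

Extension, Content-Type and magic bytes are each spoofable on their own; requiring all three to agree, and then renaming, means a file that passes is stored as an image regardless of what the client called it. Serving the upload directory with script execution disabled is the complementary server-side control.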
Level 16: tomorrow is Double 11, I'll shop (chop my hand) from the company network!
Type something in the input box and click Go: it says it's not easy to shop from somewhere else, and the request gains a url parameter
Shopping at a well-known site, so try Taobao; the echo prompts: only 10.10.10.10 is allowed to visit!!!
Try changing the XFF header; the echo is the same, not successful
Then I captured the packet and saw that the Host was an IP, which prompted me to try changing Host to 10.10.10.10
Still not, but the echo turned into a nono
Try changing the Referer to Taobao; still noo. I couldn't help checking the source code.. I don't understand why Baidu is needed!
Get the flag after changing it to Baidu
Verification succeeded
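The Level 16 check turns on Host, X-Forwarded-For and Referer, all of which the client writes, which is why rewriting them in the captured request can satisfy it. The Python below is an added example, not webug's code; it contrasts a header-based check of that kind with one that uses the TCP peer address, honouring X-Forwarded-For only when the request arrived through a trusted reverse proxy (the proxy address is an assumption).

```python
import ipaddress

ALLOWED_CLIENT = ipaddress.ip_address("10.10.10.10")      # the address the level's check names
TRUSTED_PROXIES = {ipaddress.ip_address("10.10.10.1")}    # constructed: the only hop whose XFF counts

def allowed_vulnerable(headers):
    """Level 16 style check: decides on request headers, which the client controls."""
    claimed = headers.get("X-Forwarded-For") or headers.get("Host", "").split(":")[0]
    return claimed == str(ALLOWED_CLIENT)

def client_address(peer_ip, headers):
    """The address to make decisions on: the TCP peer, unless the peer is a trusted
    reverse proxy, in which case the last X-Forwarded-For hop (the one that proxy
    appended, i.e. the address it actually saw) is used."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        hops = [h.strip() for h in xff.split(",")]
        try:
            return ipaddress.ip_address(hops[-1])
        except ValueError:
            return peer              # malformed header: fall back to the proxy itself
    return peer

def allowed_fixed(peer_ip, headers):
    """Host and Referer are never consulted; only the network-level address is."""
    return client_address(peer_ip, headers) == ALLOWED_CLIENT

if __name__ == "__main__":
    spoofed = {"Host": "10.10.10.10", "X-Forwarded-For": "10.10.10.10",
               "Referer": "http://www.baidu.com"}
    print(allowed_vulnerable(spoofed))                    # True: headers say so
    print(allowed_fixed("192.0.2.7", spoofed))            # False: the connection says otherwise
    print(allowed_fixed("10.10.10.1", {"X-Forwarded-For": "203.0.113.5, 10.10.10.10"}))
```

Taking the last X-Forwarded-For hop rather than the first is deliberate: the first entry is whatever the original client chose to send, while the last one was written by the trusted proxy. A source-address check is still only a weak control for a "company network only" feature; the proper fix for the level's scenario is authentication of the user, not of the address.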
That's the end of the basics chapter. There may be some mistakes or badly written parts, which I will correct as I find them; the remaining walkthroughs will be written later (if I can)! See you~!
*Author: Xiaoshi, reprinted from freebuf.com