OWASP Security Testing
- Practice environment: http://47.95.238.18:9080/login.php, username admin, password password
Setup
docker run --name dvwa -d -p 9080:80 vulnerables/web-dvwa
Command Injection
http://47.95.238.18:9080/vulnerabilities/exec/#
testerhome.com ; ls
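The DVWA exec page concatenates the submitted host into a shell command, which is why "; ls" runs as a second command. The following is an added example (not DVWA's code) that reproduces the pattern in Python and puts the two standard mitigations beside it: an allow-list check on the hostname and passing an argument list instead of a shell string. The function names and the hostname regex are my own; `echo` stands in for `ping` so the demo runs offline.

```python
import re
import subprocess

# Hostname syntax check: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen (an assumption about what the form should accept).
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def is_valid_host(host: str) -> bool:
    """Allow-list check: only a syntactically valid hostname passes."""
    return len(host) <= 253 and HOST_RE.fullmatch(host) is not None


def run_vulnerable(host: str) -> str:
    """The DVWA pattern: untrusted input is pasted into one shell string.
    With shell=True a ';' in the input ends the command and starts another."""
    cmd = "echo pinging " + host          # echo used instead of ping so this runs offline
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(host: str) -> str:
    """Hardened: validate against the allow-list, then pass an argv list so no shell
    ever parses the input. Either measure on its own stops the "; ls" payload."""
    if not is_valid_host(host):
        raise ValueError("rejected, not a hostname: %r" % host)
    return subprocess.run(["echo", "pinging", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "testerhome.com ; echo INJECTED"   # constructed, same shape as the page's payload
    print(run_vulnerable(payload), end="")        # second command runs
    print(run_safe("testerhome.com"), end="")
    try:
        run_safe(payload)
    except ValueError as err:
        print(err)
```

When reviewing a fix for this class of bug, check both halves: a list-form call without validation still lets arbitrary hostnames reach `ping`, and validation without the list form still trusts the shell to parse the string.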
CSRF
SQL Injection
Vulnerable code
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
The id portion is filled with our input:
?id=a' UNION SELECT "text1","text2";-- -&Submit=Submit.
The query then becomes:
SELECT first_name, last_name FROM users WHERE user_id = 'a' UNION SELECT "text1","text2";-- -';
SELECT first_name, last_name FROM users WHERE user_id = '1' UNION SELECT first_name,password from users;-- -';
#SELECT first_name, last_name FROM users WHERE user_id = '1' UNION update users set password='68053af2923e00204c3ca7c6a3150cf7' ;-- -';
Here -- starts a comment, so the trailing single quote and semicolon have no effect.
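To make the point concrete, here is an added example (not DVWA's code) that builds the same $query by string concatenation against a constructed in-memory SQLite table, runs the page's second payload through it, and shows the parameterised version of the query returning nothing for the same input. The table contents and the function names are my own; SQLite stands in for MySQL and accepts the same UNION and -- comment syntax.

```python
import hashlib
import sqlite3

# Constructed stand-in for DVWA's users table; the hashes are just md5() of sample strings.
ADMIN_HASH = hashlib.md5(b"password").hexdigest()
GORDON_HASH = hashlib.md5(b"abc123").hexdigest()


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "admin", ADMIN_HASH), (2, "Gordon", "Brown", GORDON_HASH)],
    )
    return con


def vulnerable_lookup(con: sqlite3.Connection, user_id: str):
    """Same construction as the PHP $query above: the input is pasted into the SQL
    text, so a quote in the input closes the literal and the rest is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"
    return con.execute(query).fetchall()


def safe_lookup(con: sqlite3.Connection, user_id: str):
    """Hardened: a bound parameter is always data, never SQL, whatever it contains."""
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1' UNION SELECT first_name,password from users;-- -"   # the page's payload
    print("vulnerable:", vulnerable_lookup(db, payload))   # name rows plus every password hash
    print("parameterised:", safe_lookup(db, payload))      # [] : no user_id equals that string
```

Note that the parameterised query also fixes the problem without any input filtering; validating that id is an integer before the query is a reasonable extra layer, but not a substitute.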
XSS
<script>alert(document.cookie);</script>
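The reflected-XSS page echoes the name parameter into the HTML body unchanged. As an added example (not DVWA's code), the following renders the page's payload both ways: once reflected verbatim, once output-encoded for the HTML body context with html.escape, plus a small check a tester can run over responses to see whether a raw script element survived. The function names are my own.

```python
import html

PAYLOAD = "<script>alert(document.cookie);</script>"   # the page's XSS payload


def render_vulnerable(name: str) -> str:
    """Reflects the input into the HTML body unchanged (the DVWA reflected-XSS pattern)."""
    return f"<pre>Hello {name}</pre>"


def render_safe(name: str) -> str:
    """Output-encodes for the HTML body context: < > & " ' become entities, so the
    browser shows the text instead of parsing a script element."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def contains_script_element(page: str) -> bool:
    """Cheap response check: is there still a raw <script tag in the markup?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # script element reaches the browser
    print(render_safe(PAYLOAD))         # &lt;script&gt;... is displayed, not executed
```

Encoding must match the context the value lands in; html.escape is right for element content and quoted attribute values, not for JavaScript or URL contexts. Marking the session cookie HttpOnly is the complementary server-side measure against this particular payload, since document.cookie then does not expose it.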
ZAP Security Testing Process
Downloading through a proxy may be faster:
curl -x socks5h://127.0.0.1:1080 -o /tmp/zap/zap.zip 'https://github-production-release-asset-2e65be.s3.amazonaws.com/36817565/b210ad00-7d4a-11e9-97a8-41e094f62dfd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190526T075323Z&X-Amz-Expires=300&X-Amz-Signature=4a74bb2e3ef9df9b6e3d2c8321164936e80a1c3819536e0b69d1dea96c5d7be5&X-Amz-SignedHeaders=host&actor_id=1222769&response-content-disposition=attachment%3B%20filename%3DZAP_WEEKLY_D-2019-05-23.zip&response-content-type=application%2Foctet-stream'
Process
- Send requests and exercise the business flows through the proxy
- Collect the captured URLs and parameters into a target site to test
- Scan it with ZAP
- Generate the HTML report
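The second step, turning proxied traffic into a target list, is the part that decides how much of the site the scanner actually covers. Here is an added example (not part of these notes or of ZAP) that takes a constructed "METHOD URL [body]" history against the DVWA instance above, groups it into endpoints with their parameter names, and emits one line per endpoint to feed into ZAP. The history format, sample lines and function names are my own; parameter values are deliberately dropped because the capture may contain credentials.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of a proxy history export ("METHOD URL [form body]"), not a real capture.
PROXY_HISTORY = """\
GET http://47.95.238.18:9080/login.php
POST http://47.95.238.18:9080/login.php username=admin&password=REDACTED&Login=Login
GET http://47.95.238.18:9080/vulnerabilities/sqli/?id=1&Submit=Submit
GET http://47.95.238.18:9080/vulnerabilities/sqli/?id=2&Submit=Submit
GET http://47.95.238.18:9080/vulnerabilities/exec/
POST http://47.95.238.18:9080/vulnerabilities/exec/ ip=127.0.0.1&Submit=Submit
GET http://47.95.238.18:9080/vulnerabilities/xss_r/?name=test
"""


def build_inventory(history: str) -> dict:
    """Group requests into endpoints: (method, path) -> set of parameter names.
    Values are discarded; the scanner supplies its own and the history may hold secrets."""
    inventory = {}
    for line in history.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue                      # blank or malformed line
        method, url = parts[0].upper(), parts[1]
        body = parts[2] if len(parts) == 3 else ""
        u = urlsplit(url)
        params = {k for k, _ in parse_qsl(u.query, keep_blank_values=True)}
        params |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
        inventory.setdefault((method, u.path), set()).update(params)
    return inventory


def scan_targets(inventory: dict, base: str) -> list:
    """One line per endpoint, parameters listed, ready for a ZAP target/context list."""
    return sorted(
        f"{method} {base}{path} params={','.join(sorted(params)) or '-'}"
        for (method, path), params in inventory.items()
    )


if __name__ == "__main__":
    for line in scan_targets(build_inventory(PROXY_HISTORY), "http://47.95.238.18:9080"):
        print(line)
```

Endpoints that appear only with a GET and no parameters (the exec page above) are worth a second look in the browser, since the interesting input usually arrives in a POST body that a quick click-through may have missed.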
Mobile Security
- jd-gui
- jadx https://github.com/skylot/jadx/releases
- apktool https://github.com/skylot/jadx/releases
- https://source.android.com/devices/tech/dalvik/dalvik-bytecode
Specialised Testing in Practice
Assignment 1
Scan http://47.95.238.18:9080/login.php. By collecting more URLs and parameters and customising scan rules, find as complete a set of vulnerabilities as possible, and post a screenshot of the number of vulnerabilities found.