Start MySQL:
sudo mysqld_safe
Note that the process does not exit after starting; open a new terminal to run the commands that follow.
Start Apache:
sudo service apache2 start
Configure DNS:
sudo vim /etc/hosts
Add the entries directly to the existing file.
Configure the site files:
sudo vim /etc/apache2/conf.d/lab.conf
Turn off the PHP protection setting:
sudo vim /etc/php5/apache2/php.ini
Change magic_quotes_gpc = On to magic_quotes_gpc = Off
Visit www.sqllabcollabtive.com. When we know a username but not the password, how can we log in?
Look at the login verification file:
sudo vim /var/www/SQL/Collabtive/include/class.user.php
Show line numbers: :set number
Go to line 375: :375
$sel1 = mysql_query ("SELECT ID, name, locale, lastlogin, gender FROM user WHERE (name = '$user' OR email = '$user') AND pass = '$pass'");
This is the SQL statement the backend runs when we log in; we can craft input so that the login succeeds without knowing the password.
After making changes, restart the server:
sudo service apache2 restart
We append ) # after $user, so that only the username is checked and everything after it is commented out by #.
Bypassing the password, the login succeeds.
Collabtive lets users update their profile information; the goal is to use our own account to modify another user's information.
Log in as any user, e.g. bob / bob.
On the edit-user page, enter ted in the user field.
In the Company field enter:
', `pass` = '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684' WHERE ID = 4 # '
Note: 9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684 is the hash of pass (the original calls it the md5 value; login() in class.user.php hashes with sha1()).
Click save, then log out and log in as ted; ted's password should now be pass.
The root cause of SQL injection is the failure to separate data from code, so the defenses target that cause.
Defense 1: escape special characters. Enable magic_quotes_gpc by setting magic_quotes_gpc to On.
sudo vim /etc/php5/apache2/php.ini
MySQL provides the function mysql_real_escape_string(), which escapes special characters such as \x00, \n, \r, \, ', " and \x1a.
Code protection example:
sudo vim /var/www/SQL/Collabtive/include/class.user.php
Modify the portion marked in red in the screenshot (the login code),
as well as the edit-user code,
modifying the portion marked in red in the screenshot.
Change it to the following:
// This code was provided by the lab's author Wenliang Du, of Syracuse
// University under the GNU Free Documentation License
function login($user, $pass)
{
    if (!$user) {
        return false;
    }
    // modification fixed: escape both inputs before they enter the query
    $user = mysql_real_escape_string($user);
    $pass = mysql_real_escape_string($pass);
    $pass = sha1($pass);
    $sel1 = mysql_query("SELECT ID, name, locale, lastlogin, gender FROM user WHERE (name = '$user' OR email = '$user') AND pass = '$pass'");
    $chk = mysql_fetch_array($sel1);
    if ($chk["ID"] != "") {
        // New user session object and cookie creation code
        // removed for brevity
        return true;
    } else {
        return false;
    }
}
And the edit-user code:
function edit($id, $name, $realname, $email, $tel1, $tel2, $company, $zip, $gender, $url, $address1, $address2, $state, $country, $tags, $locale, $avatar = "", $rate = 0.0)
{
    $name = mysql_real_escape_string($name);
    $realname = mysql_real_escape_string($realname);
    // modification fixed
    $company = mysql_real_escape_string($company);
    $email = mysql_real_escape_string($email);
    // further escaped parameters removed for brevity...
    $rate = (float) $rate;
    $id = (int) $id;
    if ($avatar != "") {
        $upd = mysql_query("UPDATE user SET name='$name', email='$email', tel1='$tel1', tel2='$tel2', company='$company', zip='$zip', gender='$gender', url='$url', adress='$address1', adress2='$address2', state='$state', country='$country', tags='$tags', locale='$locale', avatar='$avatar', rate='$rate' WHERE ID = $id");
    } else {
        // same query as above minus setting avatar; removed for
        // brevity
    }
    if ($upd) {
        $this->mylog->add($name, 'user', 2, 0);
        return true;
    } else {
        return false;
    }
}
Defense 2: separate the SQL logic, telling the database which part is data and which part is the SQL statement.
Create the connection with the new mysqli() constructor and add it to the config/standard/config.php file:
sudo vim /var/www/SQL/Collabtive/include/class.user.php
Modify the code as follows:
// This code was provided by the lab's author Wenliang Du, of Syracuse
// University under the GNU Free Documentation License
function login($user, $pass)
{
    if (!$user) {
        return false;
    }
    // using prepared statements
    // note that $conn is instantiated in the datenbank class found in
    // ./class.datenbank.php. this may need to be passed in, but we
    // will assume we have access to it for the sake of brevity
    $stmt = $conn->prepare("SELECT ID,name,locale,lastlogin,gender FROM user WHERE (name=? OR email=?) AND pass=?");
    // bind_param() takes its arguments by reference, so compute the hash
    // into a variable first instead of passing sha1($pass) inline
    $hash = sha1($pass);
    $stmt->bind_param("sss", $user, $user, $hash);
    $stmt->execute();
    $stmt->bind_result($bind_ID, $bind_name, $bind_locale, $bind_lastlogin, $bind_gender);
    $chk = $stmt->fetch();
    if ($bind_ID != "") {
        // New user session object and cookie creation code
        // removed for brevity
        return true;
    } else {
        return false;
    }
}
And the edit-user code:
// This code was provided by the lab's author Wenliang Du, of Syracuse
// University under the GNU Free Documentation License
function edit($id, $name, $realname, $email, $tel1, $tel2, $company, $zip, $gender, $url, $address1, $address2, $state, $country, $tags, $locale, $avatar = "", $rate = 0.0)
{
    // the bind_param() function wants a double, not float, though
    // they are the same internally
    $rate = (double) $rate;
    $id = (int) $id;
    if ($avatar != "") {
        // again, $conn is instantiated in the datenbank class, and
        // may need to be passed, but we are assuming we have
        // access to it for the sake of brevity
        // note that the app uses zip as a string, does not use
        // realname although it is passed, and the columns adress
        // and adress2 are misspelled
        // (the comma between avatar=? and rate=? was missing in the
        // original listing and is added here)
        $stmt = $conn->prepare("UPDATE user SET name=?, email=?, tel1=?, tel2=?, company=?, zip=?, gender=?, url=?, adress=?, adress2=?, state=?, country=?, tags=?, locale=?, avatar=?, rate=? WHERE ID = ?");
        $stmt->bind_param("sssssssssssssssdi", $name, $email, $tel1, $tel2, $company, $zip, $gender, $url, $address1, $address2, $state, $country, $tags, $locale, $avatar, $rate, $id);
        $upd = $stmt->execute();
    } else {
        $stmt = $conn->prepare("UPDATE user SET name=?, email=?, tel1=?, tel2=?, company=?, zip=?, gender=?, url=?, adress=?, adress2=?, state=?, country=?, tags=?, locale=?, rate=? WHERE ID = ?");
        $stmt->bind_param("ssssssssssssssdi", $name, $email, $tel1, $tel2, $company, $zip, $gender, $url, $address1, $address2, $state, $country, $tags, $locale, $rate, $id);
        $upd = $stmt->execute();
    }
    if ($upd) {
        $this->mylog->add($name, 'user', 2, 0);
        return true;
    } else {
        return false;
    }
}
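As an added illustration of both defenses (not code from the lab or from Collabtive), the following Python stands in for the lab's MySQL setup with an in-memory SQLite table shaped like Collabtive's user table and runs the line-375 login query in its concatenated, escaped and prepared forms: the concatenated form cannot even handle a legitimate name containing a quote, while the prepared form keeps every input, including the lab's ) # style input, as plain data. The table rows, the function names and the SQLite quote-doubling used in place of mysql_real_escape_string() are assumptions made for this example.

```python
import hashlib
import sqlite3

def make_db():
    """Constructed in-memory stand-in for Collabtive's `user` table (MySQL in the lab)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (ID INTEGER PRIMARY KEY, name TEXT, email TEXT, pass TEXT)")
    # Collabtive stores sha1(password); these rows are sample data made up for the example.
    rows = [(3, "bob", "bob@example.test", "bob"),
            (4, "ted", "ted@example.test", "ted"),
            (5, "o'brien", "ob@example.test", "secret")]
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)",
                     [(i, n, e, hashlib.sha1(p.encode()).hexdigest()) for i, n, e, p in rows])
    return conn

def login_concat(conn, user, pw):
    """Same shape as the original line 375: user input is spliced into the SQL text."""
    h = hashlib.sha1(pw.encode()).hexdigest()
    sql = f"SELECT ID FROM user WHERE (name = '{user}' OR email = '{user}') AND pass = '{h}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_escaped(conn, user, pw):
    """Escaping defence. mysql_real_escape_string() backslash-escapes quotes for MySQL;
    SQLite's dialect doubles them instead, so that is what is done here."""
    h = hashlib.sha1(pw.encode()).hexdigest()
    user = user.replace("'", "''")
    sql = f"SELECT ID FROM user WHERE (name = '{user}' OR email = '{user}') AND pass = '{h}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_prepared(conn, user, pw):
    """Prepared-statement defence: the query text is fixed and inputs are bound as data."""
    h = hashlib.sha1(pw.encode()).hexdigest()
    sql = "SELECT ID FROM user WHERE (name = ? OR email = ?) AND pass = ?"
    row = conn.execute(sql, (user, user, h)).fetchone()
    return row[0] if row else None

def query_breaks(login_fn, conn, user, pw):
    """True if this login variant cannot even parse the query it built for the input."""
    try:
        login_fn(conn, user, pw)
        return False
    except sqlite3.OperationalError:
        return True
```

Run `query_breaks(login_concat, db, "o'brien", "secret")` against `login_prepared(db, "o'brien", "secret")` to see the difference: the first returns True, the second returns the user's ID.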
Refer to "TCP_IP網絡協議攻擊實驗.pdf" (TCP/IP Network Protocol Attack Lab) in the course resources.
Using SEED as the attacker machine and Linux Metasploitable / Windows Metasploitable as targets, carry out TCP/IP protocol attacks and submit screenshots of the successful attacks watermarked with your student ID. Choose any two of:
ARP cache poisoning, ICMP redirect, SYN flood, TCP RST, TCP session hijacking
I chose ARP cache poisoning and SYN flood.
1. ARP cache poisoning
First check the IP addresses of the two targets:
one is 172.16.6.21, the other is 172.16.6.117.
The ARP cache is initially empty.
The attacker can ping both targets.
Obtain the IP and MAC addresses of both targets.
Open netwox on the attacker, enter 5 and then 33, and use the netwox tool to forge ARP packets with the following two commands.
Now check the target's ARP cache again: the spoofing succeeded.
2. SYN flood
Check the target's IP address.
Telnet from the attacker to port 23 on the target succeeds; the connection works.
Use netwag to carry out the SYN flood.
The opened interface.
Search for and select SYN.
Set the target's IP address and port.
Start tcpdump to capture.
Carry out the attack.
The attack succeeds: Telnet can no longer connect to the target.