kali学习笔记3.pdf

Required points/C coins: 49   2019-07-19 15:36:47   13.95MB   PDF

This version of 《kali学习笔记3》 continues from the previous version, 《kali学习笔记2》; if you want to study the material that precedes this version, search for 《kali学习笔记2》. This is the final version and it contains a lot of material. It mainly covers the second half of web penetration testing: detailed use of Burpsuite; manual vulnerability discovery on DVWA (including writing a webshell, the principle and practice of file upload vulnerabilities, the principle and practice of command execution vulnerabilities, and the principle and practice of directory traversal and file inclusion {both local and remote file inclusion}); XSS vulnerability principles and practice (including stored XSS and DOM-based XSS); use of the XSS tool XSSer; browser client-side attacks (use of BeEF); CSRF principles, attack methods and workflow; detailed use of webshell tools (window
· In the gear (settings) menu you can also configure the passive scan rules
[Screenshot: Passive Scan Rules dialog, listing rules such as Anti CSRF Tokens, Application error disclosure, Cookie No HttpOnly Flag, Cookie Without Secure Flag, Password Autocomplete in Browser, Session ID in URL Rewrite, X-Content-Type-Options Header Missing and X-Frame-Options Header Not Set, each with a Medium threshold]
· Configure the spider: the crawl depth (Maximum depth to crawl) and the spider scan threads
[Screenshot: Spider options, showing Maximum depth to crawl, number of threads per host, Domains that are always in scope, Process forms, POST forms, Parse HTML comments, Parse 'robots.txt' files for new URIs, Send 'Referer' header, and Query parameters handling]
Standard scan workflow: set the proxy → manual crawl → automatic crawl → active scan
· Standard flow: show all the tabs
[Screenshot: Alerts tab reporting "SQL injection may be possible" against http://192.168.1.107 (dvwa): Advanced SQL Injection rules for AND boolean-based blind (WHERE or HAVING clause), MySQL stacked queries, MySQL error-based, MySQL time-based blind and UNION query (NULL, 1 to 10 columns); the response body reads "The used SELECT statements have a different number of columns" and the headers show Server: Apache/2.2.8 (Ubuntu) DAV/2, X-Powered-By: PHP/5.2.4-2ubuntu5.10, Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache]
· Hide the unneeded tabs
[Screenshot: the same Alerts view with extra tabs hidden]
· Show only icons, not tab labels
[Screenshot: the same Alerts view with tab labels hidden and icons only]

Burpsuite
· The Swiss army knife of web security tools: a unified, integrated toolset for discovering all modern web security vulnerabilities
· Developed by PortSwigger
· Burpsuite comes in two editions
1. Burp Free
2. Burp Professional
3. Kali bundles the Free edition; the biggest difference between Free and Professional is that Free has no scanner, so the Free edition is a manual discovery tool
4. Official website: http://www.portswigger.net
All of the tools share one extensible framework that handles and displays HTTP messages, and the modules exchange information with each other seamlessly.
· Change the display font
1. Click settings
2. Choose Display
3. Choose HTTP Message Display (the font used to display HTTP results) and click Change font to specify the font
[Screenshot: Display settings with User Interface (look and feel: Nimbus), HTTP Message Display (Courier 10pt, Change font, Highlight request parameters), Character Sets (recognise automatically based on message headers / use the platform default / display as raw bytes / use a specific character set) and HTML Rendering (allow renderer to make HTTP requests)]
· Proxy module (Proxy)
1. When this button is pressed, interception is enabled (it is pressed by default)
[Screenshot: Burp Proxy > Intercept tab, with the menu bar Target, Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, Extender, Options, Alerts, and the Raw / Hex views]
· Proxy options (the Options tab of the Proxy module)
Invisible proxy settings (host header / multiple target domains)
[Screenshot: editing a proxy listener bound to 127.0.0.1:8080, Request handling tab: Redirect to host, Redirect to port, Force use of SSL, and "Support invisible proxying (enable only if needed)"; the Intercept Client Requests section with its match rules]
1. What the Invisible proxy is for: providing proxy functionality for clients that speak HTTP but do not support a proxy.
2. The client does not support a proxy, so an invisible proxy is started on the local machine, and the client is made to forward all of its traffic through the invisible proxy to the real server. But how do you make a client that does not support proxies go through one?
3. The way to make a non-proxy-aware client go through the proxy: suppose the target site is www.a.com; on the client side we use DNS spoofing, modifying the client's hosts file so that www.a.com resolves to Burp Suite's IP address. (When the client accesses www.a.com it must perform a DNS query to obtain the IP address of www.a.com; whether the redirection is done on the internal DNS server or through the client's hosts file, the point is that www.a.com must resolve to Burp Suite's address.) The client then sends all of its traffic to Burp Suite's IP, and Burp Suite's local Invisible proxy function proxies the client's requests, which can be viewed and modified on that machine before being passed on to the web server. When the web server replies, Burp Suite on that machine can also intercept the response, modify it, and then return the result to the client.
4. The above is the two-machine case (one client machine and one machine running Burp Suite as the invisible proxy). In practice, however, when doing a penetration test one usually does not set up a third machine; the client program is normally run on the local machine, which also runs Burp Suite. Although the logical structure is the same as above, since both programs actually run on the same machine the DNS redirection method just described runs into a problem. Because Burp Suite and the client both run on one machine, if we follow the same idea (only now modifying the local hosts file) and resolve www.a.com to Burp Suite's IP (that is, the local machine's address), the client sends its request to the local IP. Burp Suite, with Invisible proxy enabled, receives the request that the client program sent to the proxy port Burp Suite is listening on. Burp Suite sees that the request can be proxied, but the target www.a.com resolves to the local IP, and at that point a loop can occur (the client program sends the request to Burp Suite's listening port, and Burp Suite keeps sending that request, via the resolved IP, back to its own local IP). As a result Burp Suite's request can never go out, because it has no way to resolve the domain name to the real web server's IP address.
5. In this situation you must use another Burp Suite configuration feature: under the User options module (not the Options tab of the Proxy module) select ………. (it does not seem to be present in the newer version)
[Screenshot: User options > Display (HTTP Message Display, Character Sets, HTML Rendering) and User options > Connections (Platform Authentication, Upstream Proxy Servers, SOCKS Proxy)]
6. In this situation you must use another Burp Suite configuration feature: under the Options module (not the Options tab of the Proxy module) select Connections, which contains an entry Hostname resolution.
[Screenshot: Burp Proxy > Options > Proxy Listeners (listener on 127.0.0.1:8080, CA certificate import/export) and Intercept Client Requests rules; and Burp Suite Professional 1.6, User options > Display, with User Interface (font size 11, look and feel Nimbus), HTTP Message Display, Character Sets and HTML Rendering]

Preview: 55 pages, kali学习笔记3.pdf