Web漏洞靶場(chǎng)搭建-wavsep

Web漏洞靶場(chǎng)搭建

滲透測(cè)試切記紙上談兵，學(xué)習(xí)滲透測(cè)試知識(shí)的過程中，我們通常需要一個(gè)包含漏洞的測(cè)試環(huán)境來(lái)進(jìn)行訓(xùn)練。而在非授權(quán)情況下，對(duì)于網(wǎng)站進(jìn)行滲透測(cè)試攻擊，是觸及法律法規(guī)的，所以我們常常需要自己搭建一個(gè)漏洞靶場(chǎng)，避免直接對(duì)公網(wǎng)非授權(quán)目標(biāo)進(jìn)行測(cè)試。

漏洞靶場(chǎng)，不僅可以幫助我們鍛煉滲透測(cè)試能力、可以幫助我們分析漏洞形成機(jī)理、更可以學(xué)習(xí)如何修復(fù)提高代碼能力，同時(shí)也可以幫助我們檢測(cè)各種各樣漏洞掃描器的效果。

本文將以 sectooladdict/wavsep: The Web Application Vulnerability Scanner Evaluation Project靶場(chǎng)為例來(lái)學(xué)習(xí)靶場(chǎng)搭建，結(jié)合漏洞掃描服務(wù)-華為云來(lái)發(fā)現(xiàn)存在的漏洞。

靶場(chǎng)搭建

我們找一臺(tái)linux機(jī)器來(lái)進(jìn)行實(shí)驗(yàn)

? cat /etc/os-release -pNAME="Ubuntu"  VERSION="18.04.2 LTS (Bionic Beaver)"

ID=ubuntu

ID_LIKE=debian

PRETTY_NAME="Ubuntu 18.04.2 LTS"

VERSION_ID="18.04"

HOME_URL="https://www.ubuntu.com/"  SUPPORT_URL="https://help.ubuntu.com/"  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"

VERSION_CODENAME=bionic

UBUNTU_CODENAME=bionic

docker

目前大部分靶場(chǎng)都有docker版本，我們利用docker來(lái)快速搭建靶場(chǎng)。docker安裝可參考官網(wǎng)Install Docker Engine on Ubuntu | Docker Documentation安裝手冊(cè)，或者借助https://get.docker.com進(jìn)行自動(dòng)化安裝

root in szvphisprd13003

> wget -qO- https://get.docker.com/ | bash

安裝完成后，還需要配置docker鏡像源來(lái)加速鏡像拉取時(shí)間。這里配置中科大(USTC)源來(lái)進(jìn)行加速,在 /etc/docker/daemon.json中配置

{

"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}

wavsep

WAVSEP 是經(jīng)典的漏洞靶場(chǎng)之一，包含常見的Web漏洞（SQL/XSS/Path Travseral/…)，包含大量漏洞場(chǎng)景甚至假漏洞（檢測(cè)掃描器誤報(bào)率）,目前漏洞有

1. Path Traversal/LFI: 816 test cases, implemented in 816 jsp pages (GET & POST)
2. Remote File Inclusion (XSS via RFI): 108 test cases, implemented in 108 jsp pages (GET & POST)
3. Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)
4. Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST)
5. Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST)
6. Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)
7. Unvalidated Redirect: 60 test cases, implemented in 60 jsp pages (GET & POST)
8. Old, Backup and Unreferenced Files: 184 test cases, implemented in 184 files (GET Only)
9. Passive Information Disclosure/Session Vulnerabilities (inspired/imported from ZAP-WAVE): 3 test cases of erroneous information leakage, and 2 cases of improper authentication/information disclosure - implemented in 5 jsp pages
10. Experimental Test Cases (inspired/imported from ZAP-WAVE): 9 additional RXSS test cases (anticsrf tokens, secret input vectors, tag signatures, etc), and 2 additional SQLi test cases (INSERT) - implemented in 11 jsp pages (GET & POST)

使用docker安裝wavsep：

root in szvphisprd13003 in ~

? docker search wavsep
...

owaspvwad/wavsep The Web Application Vulnerability Scanner E… 6
...

root in szvphisprd13003 in ~

? docker pull owaspvwad/wavsep
...

root in szvphisprd13003 in ~

? docker run -itd -p 8080:8080 owaspvwad/wavsep

完成后訪問 http://IP:8080/wavsep/ 即可

漏洞發(fā)現(xiàn)

通過手工測(cè)試與掃描器來(lái)發(fā)現(xiàn)靶場(chǎng)中的問題

手工測(cè)試

以文件包含漏洞為例，訪問

http://IP:8080/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/index.jsp

http://IP:8080/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/Case01-LFI-FileClass-FilenameContext-Unrestricted-OSPath-DefaultFullInput-AnyPathReq-Read.jsp?target=/root/apache-tomcat-8.0.27/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini

手動(dòng)修改 target 參數(shù)為 /etc/passwd 發(fā)現(xiàn)成功讀取到 passwd 文件

華為云漏洞掃描

1. 添加資產(chǎn)，配置域名認(rèn)證

#查看wavsep容器id
root in szvphisprd13003 in ~

? docker ps

02e9031d5b59 owaspvwad/wavsep "/bin/sh -c 'sh ~/..." 8 months ago Up 6 minutes  0.0.0.0:8080->8080/tcp# 查看web根目錄

root in szvphisprd13003 in ~

? docker exec -it 02e9031d5b59 /bin/bash

root@02e9031d5b59:/# cd ~/apache-tomcat-8.0.27/webapps/ROOT/

root@02e9031d5b59:~/apache-tomcat-8.0.27/webapps/ROOT# echo d2NjX2NyeXB0ATQxNDU1MzVGNDM0MjQzOzMzMzAzNTM4MzUzMjM0NDUz

NDMzMzQ0MTM4NDMzMTMwNDI0MjMzNDIzMzQzMzE0MTM0MzAzMzMzNDMzNjM4MzQzOTQ1MzgzNjM4MzMzNjM2NDQ0NTM2MzczMjQyNDEzMjQ0MzMzMDMy

NDYzNDQ2MzU0NjMxMzEzMjM2MzYzOTM3NDUzNTM5NDI0MzM2NDUzNjQxNDEzNjMwMzYzNTMwMzk0NTM1MzAzMjM5NDQzNzQ0NDUzNDQyNDUzMzM1MzQ0

NDs7MzUzMDMwMzAzMDs4Q0NEMkJEOUVFNkIxOTlCQjk4Qjk1QTgzMUJBMEZBNDtDQTRDQjVENUM4RjI1N0ZDOzM3MzgzMzM0MzU2MTM1MzIyRDYyMzUz

NzY1MkQzNDY1MzEzNzJENjI2MzYzMzUyRDM2NjIzNzY1MzczMDY1MzMzNTM2MzAzMDs+d2NjX2NyeXB0ATQxNDU1MzVGNDM0MjQzOzM5MzI0NDMyMzk0

NTM2NDMzMjM3MzA0MjM1NDMzNjM5MzQ0NDQxMzkzMDM4MzU0MTMxMzczNTMxNDI0MzQyMzE0NjMzNDQzNDM0MzIzMzQ0MzkzNTM0MzkzODQzNDYzOTMw

MzEzNDQ2NDU0MzM0Mzk0NTQyMzgzOTQ2MzE0MzQ0OzszNTMwMzAzMDMwOzA4NDNFN0FEQzI3OUI0Q0QzNzA3RTNCN0YyMUM0RUIxO0MwODcyOTY0QjY0

ODk4MEM7MzczODMzMzQzNTYxMzUzMjJENjIzNTM3NjUyRDM0NjUzMTM3MkQ2MjYzNjMzNTJEMzY2MjM3NjUzNzMwNjUzMzM1MzYzMDMwOw+d2NjX2Nye

XB0ATQxNDU1MzVGNDM0MjQzOzM5NDM0NjMxMzQzNDMyNDU0NTM5MzUzODM4NDE0MzM4MzAzNjQ1MzIzNDQ2MzYzNTQzNDYzMzQ1NDEzNjM5MzA7OzM1M

zAzMDMwMzA7MjBGQzg0NThGODVFNUM4NUI5QzBCQzE2MDgxRENGRjk7N0QyNjgyMTMwN0U2M0JDODszNzM4MzMzNDM1NjEzNTMyMkQ2MjM1Mzc2NTJEM

zQ2NTMxMzcyRDYyNjM2MzM1MkQzNjYyMzc2NTM3MzA2NTMzMzUzNjMwMzA7+IP:8080 > hwwebscan_verify.html`

訪問 http://IP:8080/hwwebscan_verify.html 確認(rèn)認(rèn)證文件能被訪問，完成域名認(rèn)證

2. 開始掃描,在掃描信息配置處更改目標(biāo)網(wǎng)址為 http://IP:8080/wavsep/active/index-main.jsp

目標(biāo)網(wǎng)址不應(yīng)填寫 http://IP:8080/wavsep/ 由于此頁(yè)面無(wú)任何 等網(wǎng)頁(yè)連接 爬蟲無(wú)法爬取到新的頁(yè)面 將掃描不到任何信息
3. 等待掃描結(jié)束 查看漏洞信息

審核編輯：湯梓紅