首页
学习视频
导航页
关于我
网络信息安全管理(中级)-WEB安全题目
XUCANCHENG
站长
2022年11月02日 15:32:37
网络安全
### WEB安全 > 根据具体要求,完成下列题目。 `1、在已知密码为password的情况下,通过暴力破解的方式猜解出username。` 1. 选择Brute Force(暴力破解模块) ![image-20221101134418932](./upload/image-20221101134418932.png) 2. 浏览器设置代理 ![image-20221101134529107](./upload/image-20221101134529107.png) ![image-20221101134120664](./upload/image-20221101134120664.png) ![image-20221101134330583](./upload/image-20221101134330583.png) 3. 打开BurpSuite代理功能 ![image-20221101134650037](./upload/image-20221101134650037.png) ![image-20221101134835736](./upload/image-20221101134835736.png) 4. 回到火狐浏览器,根据题目我们知道密码是==password==在Username下的输入框中我们任意输入一个用户名,在Password下的输入框中我们输入==password==单击Login按钮 ![image-20221101135132788](./upload/image-20221101135132788.png) ![image-20221101135225450](./upload/image-20221101135225450.png) 5. 回到BurpSuite,对用户名进行暴力破解 ![image-20221101135513268](./upload/image-20221101135513268.png) ![image-20221101135758113](./upload/image-20221101135758113.png) ![image-20221101140429684](./upload/image-20221101140429684.png) ![image-20221101140811526](./upload/image-20221101140811526.png) ![image-20221101141311053](./upload/image-20221101141311053.png) ![image-20221101141750324](./upload/image-20221101141750324.png) ![image-20221101141859715](./upload/image-20221101141859715.png) ![image-20221101142132156](./upload/image-20221101142132156.png) `2、通过文件包含(本地)漏洞爆出网站的绝对路径。` 1. 选择File Inclusion(文件包含模块) ![image-20221101142539744](./upload/image-20221101142539744.png) 2. 点击文件 ![image-20221101142913986](./upload/image-20221101142913986.png) 3. 查看URL地址栏 ![image-20221101143114180](./upload/image-20221101143114180.png) ![image-20221101143309344](./upload/image-20221101143309344.png) `3、通过SQL注入获取当前网站所使用数据库中的表名` 1. 选择SQL Injection(SQL注入模块) ![image-20221101143532163](./upload/image-20221101143532163.png) 2. 设置浏览器代理,步骤与第一小题中的步骤一致,参考第一小题的第二步 3. 打开BurpSuite代理功能,步骤与第一小题中的步骤一致,参考第一小题的第三步 4. 回到浏览器,单击Submit按钮 ![image-20221101144018288](./upload/image-20221101144018288.png) 5. 打开BurpSuite ![image-20221101144131523](./upload/image-20221101144131523.png) 6. 编写SQL注入语句 > 在id=1后面编写 ```sql union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() # ``` ![image-20221101144501538](./upload/image-20221101144501538.png) 7. 返回浏览器查看结果 ![image-20221101144600193](./upload/image-20221101144600193.png) `4、检测是否存在XSS,判断XSS的类型。` 1. 选择XSS(Reflected) XSS(反射型)模块 ![image-20221101144847965](./upload/image-20221101144847965.png) 2. 编写XSS注入代码 > 双标签XSS注入 ```html
ript>alert(/xss/) ``` ![image-20221101145235184](./upload/image-20221101145235184.png) 3. 有弹出框说明XSS注入存在 ![image-20221101145426805](./upload/image-20221101145426805.png)