先來介紹一下bwapp
bwapp是一款非常好用的漏洞演示平台,包含有100多個漏洞
-
SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP,
PHP Code, Host Header and SMTP injections
- Authentication, authorization and session management issues
- Malicious, unrestricted file uploads and backdoor files
- Arbitrary file access and directory traversals
- Heartbleed and Shellshock vulnerability
- Local and remote file inclusions (LFI/RFI)
- Server Side Request Forgery (SSRF)
- Configuration issues: Man-in-the-Middle, Cross-Domain policy file,
FTP, SNMP, WebDAV, information disclosures,... - HTTP parameter pollution and HTTP response splitting
- XML External Entity attacks (XXE)
- HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS)
and web storage issues - Drupal, phpMyAdmin and SQLite issues
- Unvalidated redirects and forwards
- Denial-of-Service (DoS) attacks
- Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and
Cross-Site Request Forgery (CSRF) - AJAX and Web Services issues (JSON/XML/SOAP)
- Parameter tampering and cookie poisoning
- Buffer overflows and local privilege escalations
- PHP-CGI remote code execution
- HTTP verb tampering
- And much more
特點:
- 開源的php應用
- 后台Mysql數據庫
- 可運行在Linux/Windows Apache/IIS
- 支持WAMP或者XAMPP
安裝:
bwapp可以單獨下載,也可以下載一個虛擬機版本,解壓后直接打開虛擬機就可以訪問。
單獨下載的話需要部署到apache+mysql+php的環境中
- 單獨安裝:
瀏覽器訪問你的bwapp:http://x.x.x.x/bwapp/install
點開here
這里我已經安裝過了
- 虛擬機方式:
下載之后解壓,用vmware打開即可
默認賬號密碼為:bee/bug
但使用用虛擬機的方式的話存在一個鍵盤亂序的問題,需要做如下設置:
System -> preferences -> keyboard -> layouts -> +add【layouts:China】
keyboard -> A4Tech KB-21
附下載地址:
虛擬機下載地址:https://sourceforge.net/projects/bwapp/files/bee-box/
安裝包下載地址:https://sourceforge.net/projects/bwapp/files/bWAPP/
本文固定鏈接:http://www.cnblogs.com/hell0w/p/7523114.html 轉載請注明出處,謝謝!