下面的规则可以通过DVWA高中低三种难度
涉及到的漏洞包括:
爆破攻击
SQL注入攻击
命令注入攻击
XSS_r漏洞攻击
XSS_S漏洞攻击
upload漏洞攻击
File_Inclusion漏洞攻击
特别警告,数据包内容过长,下面数据包的截图是我拼接的
爆破攻击
爆破攻击的核心是在一定时间范围内频繁发起来连接请求,把握住这一点即可
攻击方式
低级难度:直接BurpSuite爆破
中级难度:直接BurpSuite爆破
高级难度:BurpSuite单线程爆破
详情可以参考我之前的文章DVWA闯关Brute Force
规则编写
alert tcp any any -> any any (msg:"DVWA-brute漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/brute"; fast_pattern:only; detection_filter:track by_dst, count 15, seconds 30; uricontent:"username="; pcre:"/username[\s=]+?.+?password[\s=]\w+?/iU"; flowbits:set,Brute_Force; metadata:service http; sid:2; rev:1;)
alert tcp any any -> any any (msg:"DVWA-brute漏洞攻击响应"; flow:established,to_client; content:"200 OK"; flowbits:isset,Brute_Force; metadata:service http; sid:22; rev:1;)
规则的核心是限制请求频率:
detection_filter:track by_dst, count 15, seconds 30;
SQL注入攻击
在DVWA中,正常的请求是输入一个数字(如下图),把握住这一点即可,只要用户在输入框中输入了非数字内容,就认为非法!
攻击方式
具体的攻击手段,参考DVWA之SQL Injection
低级难度攻击手段如下:
中级难度的攻击手段如下:
高级难度的攻击手段如下:
规则编写
由上面的攻击方式,可以知道,在控制请求时要编写两条规则,两条规则的区别主要体现在修饰符上,低级难度用U,中级和高级难度用P,并且在高级难度的攻击手段截图中,用绿色标记到了id和ID,这意味着高级难度的修饰符不能使用i
请求规则
alert tcp any any -> any any (msg:"DVWA-SQL注入攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/sqli"; fast_pattern:only; pcre:"/id[\s=]+?\d+?[^\d]+?/i"; flowbits:set,SQL_Injection; metadata:service http; sid:3; rev:1;)
响应规则
由于不同方式注入产生不同结果,而请求规则已经限制的足够了,所以响应规则不多限制
alert tcp any any -> any any (msg:"DVWA-SQL注入攻击响应"; flow:established,to_client; content:"200 OK"; flowbits:isset,SQL_Injection; metadata:service http; sid:333; rev:1;)
XSS反射型攻击
正常的请求如下图所示,所以控制XSS请求的核心在于特殊字符的控制,而响应包里面会包含请求的内容,所以针对响应包的规则编写也是在于特殊字符的检查
攻击方式
详情参考DVWA闯关XSS(Reflected)
(下面的截图是请求与响应的数据包拼接的)
低级难度攻击手段如下:
中级难度攻击手段如下:
高级难度攻击手段如下:
规则编写
alert tcp any any -> any any (msg:"DVWA-XSS_r漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/xss_r"; fast_pattern:only; uricontent:"name="; nocase; pcre:"/name[\s=]+?(%3c|\x3c|<).+?(%3E|\x3E|>)/iU"; flowbits:set,xss_reflect; metadata:service http; sid:4; rev:1;)
alert tcp any any -> any any (msg:"DVWA-XSS_r漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/Hello\s+?(%3c|\x3c|<).+?(%3E|\x3E|>)/i"; flowbits:isset,xss_reflect; metadata:service http; sid:44; rev:1;)
XSS存储型攻击
正常的请求如下图所示,在请求与响应的规则控制上与xss反射型相似
攻击方式
具体的攻击手段参考:DVWA之Stored XSS(存储型XSS)
低级难度攻击手段如下:
中级难度攻击手段如下:
友情提示,在构造payload时需要做URL编码,建议使用BurpSuite来做,HackBar或者一些在线工具做出来的可能会不符合要求
高级难度攻击手段如下:
规则编写
alert tcp any any -> any any (msg:"DVWA-XSS_S漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/xss_s"; fast_pattern:only; content:"txtName="; nocase; http_client_body; content:"mtxMessage="; nocase; http_client_body; pcre:"/(txtName|mtxMessage)[\s=]+?(%3C|\x3c|<).+?(%3E|\x3E|>)/iP"; flowbits:set,SQL_stored; metadata:service http; sid:5; rev:1;)
alert tcp any any -> any any (msg:"DVWA-XSS_S漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/Name:\s+?((%3C|\x3c|<).+?(%3E|\x3E|>))|Message:\s+?(%3C|\x3c|<).+?(%3E|\x3E|>)/i"; flowbits:isset,SQL_stored; metadata:service http; sid:55; rev:1;)
文件上传攻击
在DVWA中,文件上传如下图所示,要求上传图片,并且会给出路径。而文件上传的攻击思路则一般是直接上传一句话木马,或者更改文件类型,或者使用图片木马,但是这三种方法的共同特征就是会在上传的时候,可以检测到文件内容存在恶意代码。
响应内容里面会包含文件名,如果是上传的图片木马,在DVWA中,响应是没办法检查的,所以不必太在意响应的规则编写。
攻击方式
具体攻击方式参考DVWA闯关File Upload
低级难度攻击手段如下: 直接上传一句话木马
中级难度攻击手段如下: 修改文件类型,上传一句话木马
高级难度攻击手段如下: 使用图片木马
规则编写
请求规则:
alert tcp any any -> any any (msg:"DVWA-upload漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/upload"; fast_pattern:only; content:"name=|22|uploaded|22|"; content:"filename="; distance:0; pcre:"/filename[\s=]+?\x22.+?\.(php|phtml|html|php3|php5|jsp|asp|htm|war|phl|htaccess)|(eval|assert|call_user_func|preg_replace).+(_REQUEST|_GET|_POST|_COOKIES)/i"; flowbits:set,file_upload; metadata:service http; sid:6; rev:1;)
核心是这一段正则:
/filename[\s=]+?\x22.+?\.(php|phtml|html|php3|php5|jsp|asp|htm|war|phl|htaccess)|(eval|assert|call_user_func|preg_replace).+(_REQUEST|_GET|_POST|_COOKIES)/i
它的优点是可以不仅可以匹配直接上传非图片文件,还可以匹配文件内容中的恶意代码;
缺点是执行效率低下。
譬如对于中等难度的文件上传,需要执行5千多步才行
对于高级难度的文件上传,就很夸张了,执行了近40万步才匹配上
所以,推荐把文件后缀和文件内容两块内容分开来写,或者干脆只检查文件内容。
于是得到了如下的请求规则:
新的请求规则
alert tcp any any -> any any (msg:"DVWA-upload漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/upload"; fast_pattern:only; content:"name=|22|uploaded|22|"; content:"filename="; distance:0; pcre:"/(eval|assert|call_user_func|preg_replace).+(_REQUEST|_GET|_POST|_COOKIES)/i"; flowbits:set,file_upload; metadata:service http; sid:6; rev:1;)
另外,只有删除掉请求规则里面的正则,才可以匹配高级难度里的图片木马,否则无论正则怎么写都没法匹配,怀疑可能是数据包庞大导致snort分析出现问题,这也是唯一失败的一条规则,以后如果解决掉的话再补上
响应规则
根据“攻击方式”的截图可以看到,响应没有什么特殊的地方,所以不做严格检查
alert tcp any any -> any any (msg:"DVWA-upload漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/uploads\/.+?\.(php|phtml|html|php3|php5|jsp|asp|htm|war|phl|htaccess)?/i"; flowbits:isset,file_upload; metadata:service http; sid:66; rev:1;)
文件包含攻击
在DVWA中,正常的请求如下图,恶意请求一般为远程文件包含或者本地文件包含,这两种包含方式都要路径,那限制使用路径即可
攻击方式
具体攻击方式参考DVWA闯关File Inclusion
低级难度攻击手段如下:
中级难度攻击手段如下:
高级难度攻击手段如下:
规则编写
请求规则
alert tcp any any -> any any (msg:"DVWA-fi漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/fi"; fast_pattern:only; uricontent:"page="; nocase; pcre:"/page[\s=]+?.+(\x2F|\/|%2F|\x5C|\\|%5C).+\.(php|html|txt|jsp|aspx|conf|htaccess|md|ini|ico)/iU"; flowbits:set,file_Inclusion; metadata:service http; sid:7; rev:1;)
核心匹配代码:
pcre:"/page[\s=]+?.+(\x2F|\/|%2F|\x5C|\\|%5C).+\.(php|html|txt|jsp|aspx|conf|htaccess|md|ini|ico)/iU";
响应规则
全级别通过响应
alert tcp any any -> any any (msg:"DVWA-fi漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/main_body\">[\x0d\x09\x0a]+<br/i"; flowbits:isset,file_Inclusion; metadata:service http; sid:777; rev:1;)
主要是匹配截图中的那个空白字符,你可以使用正则匹配,我一开始也是这样做的,我当时写的规则如下,但snort死活就是无法响应高级难度的数据,所以最终使用了上面的那条规则,很无语
无法响应高级难度
alert tcp any any -> any any (msg:"DVWA-fi漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/main_body">\s+<br/i"; flowbits:isset,file_Inclusion; metadata:service http; sid:77; rev:1;)
命令注入攻击
在DVWA中,正常的命令输入如下,恶意的命令输入会在IP地址后面输入额外的字符,把握住这一点即可。
攻击方式
具体的攻击方式参考DVWA闯关Command Execution
低级难度攻击手段如下:
中级难度攻击手段如下:
高级难度攻击手段如下:
注意,输入127.0.0.1|net user并没有发生ping,只显示了net user的内容
规则编写
请求规则
这部分没什么好说的,主要检查是否在ip地址后面输入了其他内容
alert tcp any any -> any any (msg:"DVWA-命令注入攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/exec"; fast_pattern:only; content:"ip="; nocase; http_client_body; pcre:"/ip=\d+?\.\d+?\.\d+?\.\d+?[^\d]+?/iP"; flowbits:set,Command_Injection; metadata:service http; sid:1; rev:1;)
响应规则
这部分我本来是用正则匹配做的,但很不幸,snort无法响应高级难度,虽然正则可以匹配的上,正则如下:
/\x20=\x200ms\s+[\w\\\s-.]+<\/pre>|<pre>\s+[\w\\\s-.]+<\/pre>/is
成功匹配低级难度
成功匹配中级难度
成功匹配高级难度
既然snort无法响应高级难度的数据包,那就只好把低级和中级使用一条规则,高级使用另一条。
响应规则
alert tcp any any -> any any (msg:"DVWA-命令注入攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/\x20=\x200ms[\x0d\x0a]+?.*<\/pre>/is"; flowbits:isset,Command_Injection; metadata:service http; sid:11; rev:1;)
alert tcp any any -> any any (msg:"DVWA-命令注入攻击响应"; flow:established,to_client; content:"200 OK"; content:!"ms"; flowbits:isset,Command_Injection; metadata:service http; sid:111; rev:1;)
第二条响应规则是为高级难度量身打造的,主要是当主机不ping时,响应的内容里面没有ms(毫秒),根据这一点写规则。
汇总
命令注入
alert tcp any any -> any any (msg:"DVWA-命令注入攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/exec"; fast_pattern:only; content:"ip="; nocase; http_client_body; pcre:"/ip=\d+?\.\d+?\.\d+?\.\d+?[^\d]+?/iP"; flowbits:set,Command_Injection; metadata:service http; sid:1; rev:1;)
alert tcp any any -> any any (msg:"DVWA-命令注入攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/\x20=\x200ms[\x0d\x0a]+?.*<\/pre>/is"; flowbits:isset,Command_Injection; metadata:service http; sid:11; rev:1;)
alert tcp any any -> any any (msg:"DVWA-命令注入攻击响应"; flow:established,to_client; content:"200 OK"; content:!"ms"; flowbits:isset,Command_Injection; metadata:service http; sid:111; rev:1;)
爆破:
alert tcp any any -> any any (msg:"DVWA-brute漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/brute"; fast_pattern:only; detection_filter:track by_dst, count 15, seconds 30; uricontent:"username="; pcre:"/username[\s=]+?.+?password[\s=]\w+?/iU"; flowbits:set,Brute_Force; metadata:service http; sid:2; rev:1;)
alert tcp any any -> any any (msg:"DVWA-brute漏洞攻击响应"; flow:established,to_client; content:"200 OK"; flowbits:isset,Brute_Force; metadata:service http; sid:22; rev:1;)
SQL注入:
alert tcp any any -> any any (msg:"DVWA-SQL注入攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/sqli"; fast_pattern:only; pcre:"/id[\s=]+?\d+?[^\d]+?/iU"; flowbits:set,SQL_Injection; metadata:service http; sid:3; rev:1;)
alert tcp any any -> any any (msg:"DVWA-SQL注入攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/sqli"; fast_pattern:only; pcre:"/id[\s=]+?\d+?[^\d]+?/P"; flowbits:set,SQL_Injection; metadata:service http; sid:33; rev:1;)
alert tcp any any -> any any (msg:"DVWA-SQL注入攻击响应"; flow:established,to_client; content:"200 OK"; flowbits:isset,SQL_Injection; metadata:service http; sid:333; rev:1;)
XSS反射型:
alert tcp any any -> any any (msg:"DVWA-XSS_r漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/xss_r"; fast_pattern:only; uricontent:"name="; nocase; pcre:"/name[\s=]+?(%3c|\x3c|<).+?(%3E|\x3E|>)/iU"; flowbits:set,xss_reflect; metadata:service http; sid:4; rev:1;)
alert tcp any any -> any any (msg:"DVWA-XSS_r漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/Hello\s+?(%3c|\x3c|<).+?(%3E|\x3E|>)/i"; flowbits:isset,xss_reflect; metadata:service http; sid:44; rev:1;)
XSS存储型:
alert tcp any any -> any any (msg:"DVWA-XSS_S漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/xss_s"; fast_pattern:only; content:"txtName="; nocase; http_client_body; content:"mtxMessage="; nocase; http_client_body; pcre:"/(txtName|mtxMessage)[\s=]+?(%3C|\x3c|<).+?(%3E|\x3E|>)/iP"; flowbits:set,SQL_stored; metadata:service http; sid:5; rev:1;)
alert tcp any any -> any any (msg:"DVWA-XSS_S漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/Name:\s+?((%3C|\x3c|<).+?(%3E|\x3E|>))|Message:\s+?(%3C|\x3c|<).+?(%3E|\x3E|>)/i"; flowbits:isset,SQL_stored; metadata:service http; sid:55; rev:1;)
upload:
alert tcp any any -> any any (msg:"DVWA-upload漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/upload"; fast_pattern:only; content:"name=|22|uploaded|22|"; content:"filename="; distance:0; pcre:"/filename[\s=]+?\x22.+?\.(php|phtml|html|php3|php5|jsp|asp|htm|war|phl|htaccess)|(eval|assert|call_user_func|preg_replace).+(_REQUEST|_GET|_POST|_COOKIES)/i"; flowbits:set,file_upload; metadata:service http; sid:6; rev:1;)
alert tcp any any -> any any (msg:"DVWA-upload漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/uploads\/.+?\.(php|phtml|html|php3|php5|jsp|asp|htm|war|phl|htaccess)?/i"; flowbits:isset,file_upload; metadata:service http; sid:66; rev:1;)
file_inlude:
alert tcp any any -> any any (msg:"DVWA-fi漏洞攻击"; flow:to_server,established; uricontent:"DVWA-master/vulnerabilities/fi"; fast_pattern:only; uricontent:"page="; nocase; pcre:"/page[\s=]+?.+(\x2F|\/|%2F|\x5C|\\|%5C).+\.(php|html|txt|jsp|aspx|conf|htaccess|md|ini|ico)/iU"; flowbits:set,file_Inclusion; metadata:service http; sid:7; rev:1;)
alert tcp any any -> any any (msg:"DVWA-fi漏洞攻击响应"; flow:established,to_client; content:"200 OK"; pcre:"/main_body\">[\x0d\x09\x0a]+<br/i"; flowbits:isset,file_Inclusion; metadata:service http; sid:777; rev:1;)
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
文章由极客之音整理,本文链接:https://www.bmabk.com/index.php/post/134354.html
