美文网首页
网络对抗原理实验三

网络对抗原理实验三

作者: 不湿的尿布湿 | 来源:发表于2018-07-20 06:00 被阅读0次

    班级:1518011

    姓名:于沂渭

    学号:151801100005


    1. 测试网页已前置 Apache

    2.安装并配置 ModSecurity 模块,搭建 WAF。

    2.1 环境安装

    安装 LAMP Server

    
    $ sudo apt-get install apache2 mysql-server libapache2-mod-auth-mysql php-mysql php libapache2-mod-php php-mcrypt
    

    安装 libapache2-modsecurity 模块及其依赖包

    $ sudo apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache2-modsecurity
    

    查看安装情况,如果一切正常,您应该看到以下输出:

    图片.png

    2.2 配置mod_security

    默认情况下,mod_security 不起作用,因为它需要规则才能工作。首先,需要重命名位于/etc/modsecurity目录下的 modsecurity.conf-recommended 文件示例:

    $ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
    

    然后修改配置文件

    $ sudo vim /etc/modsecurity/modsecurity.conf
    
    SecRuleEngine on
    

    2.3 搭建 WAF

    默认情况下,mod_security 附带位于 /usr/share/modsecurity-crs 目录的核心规则集(安全规则)。但建议从 GitHub 存储库下载 mod_security CRS 。

    图片.png

    修改配置文件

    $ sudo vim /etc/apache2/mods-enabled/security2.conf
    
    <IfModule security2_module> 
         SecDataDir /var/cache/modsecurity 
         IncludeOptional /etc/modsecurity/*.conf 
         IncludeOptional /usr/share/modsecurity-crs/*.conf 
         IncludeOptional /usr/share/modsecurity-crs/rules/*.conf 
     </IfModule>
    

    重启 Apache 服务

    $ sudo systemctl restart apache2
    

    3. 根据文档自行编写,或者在 OWASP ModSecurity CRS 规则库的基础上修改,对 SQL 注入攻击进行阻断并报警。

    SQL 注入测试

    测试 mod_security 如何保护 Apache Web 服务器免受 SQL 攻击
    正常访问:

    图片.png 图片.png

    尝试 SQL 注入:

    001 or 1=1

    在以下输出中看到 403 Forbidden 响应:


    图片.png 图片.png

    查看日志文件,选择最下面的最新日志

    $ sudo vim /var/log/apache2/modsec_audit.log
    

    --adbda74e-A--
    [11/Jul/2018:20:45:36 +0800] W0X78H8AAQEAACbUCz4AAAAA 127.0.0.1 33846 127.0.0.1 80
    --adbda74e-B--
    GET /student/search.php?id=15180110007+or+1%3D1 HTTP/1.1
    Host: 127.0.0.1
    User-Agent: curl/7.47.0
    Accept: /
    --adbda74e-F--
    HTTP/1.1 403 Forbidden
    Content-Length: 302
    Content-Type: text/html; charset=iso-8859-1
    --adbda74e-E--
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /student/search.php
    on this server.<br />
    </p>



    <address>Apache/2.4.18 (Ubuntu) Server at 127.0.0.1 Port 80</address>
    </body></html>
    --adbda74e-H--
    Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "127.0.0.1"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
    Message: Warning. detected SQLi using libinjection with fingerprint '1&1' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:id: 15180110007 or 1=1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
    Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
    Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"]
    Action: Intercepted (phase 2)
    Apache-Handler: application/x-httpd-php
    Stopwatch: 1531313136934105 1209 (- - -)
    Stopwatch2: 1531313136934105 1209; combined=920, p1=247, p2=600, p3=0, p4=0, p5=72, sr=8, sw=1, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
    Server: Apache/2.4.18 (Ubuntu)
    Engine-Mode: "ENABLED"
    --adbda74e-Z--

    4. 尝试对特定扫描器或发包工具(paros、w3af 等)的 User-Agent 进行检测和报警,并在单个 IP 访问数量超过一定门限后对来源 IP 进行封禁。

    4.1 安装 W3AF

    $ git clone https://github.com/andresriancho/w3af.git
    $ cd w3af/
    $ ./w3af_console
    

    在执行 w3af_console 文件时,有时会提示系统未安装很多依赖环境,需要安装的环境,已经写在了 /tmp 目录下的 w3af_dependency_install.sh 文件里面,执行它即会自动下载安装所需的所有文件。

    $ . /tmp/w3af_dependency_install.sh
    

    上述步骤完成后可在终端中操作:

    图片.png

    4.2 使用 W3AF 进行 SQL 注入

    两次注入使用同一规则

    $ w3af_console
    w3af>>> plugins
    w3af/plugins>>> audit sqli,xss
    w3af/plugins>>> back
    w3af>>> plugins
    w3af/plugins>>> output htmlFile,console,gtkOutput
    w3af/plugins>>> output config console
    w3af/plugins/output/config:console>>> set verbose True
    w3af/plugins/output/config:console>>> back
    w3af/plugins>>> output config gtkOutput
    w3af/plugins/output/config:gtkOutput>>> back
    w3af/plugins>>> back
    w3af>>> plugins
    w3af/plugins>>> discovery webSpider
    w3af/plugins>>> back
    w3af>>> target
    w3af/config:target>>> set target http://127.0.0.1/student/
    w3af/config:target>>> back
    w3af>>> start

    此时关闭 ModSecurity 模块

    `Enabling _dnsCache()
    Called buildOpeners
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 1
    DNS response from DNS server for domain: 127.0.0.1
    GET http://127.0.0.1/student/ returned HTTP code "403" - id: 1
    [thread manager] Successfully added function to threadpool. Work queue size: 1
    [thread manager] Successfully added function to threadpool. Work queue size: 2
    [thread manager] Successfully added function to threadpool. Work queue size: 3
    [thread manager] Successfully added function to threadpool. Work queue size: 4
    [thread manager] Successfully added function to threadpool. Work queue size: 5
    [thread manager] Successfully added function to threadpool. Work queue size: 6
    [thread manager] Successfully added function to threadpool. Work queue size: 7
    [thread manager] Successfully added function to threadpool. Work queue size: 8
    [thread manager] Successfully added function to threadpool. Work queue size: 9
    [thread manager] Successfully added function to threadpool. Work queue size: 10
    [thread manager] Successfully added function to threadpool. Work queue size: 11
    [thread manager] Successfully added function to threadpool. Work queue size: 12
    [thread manager] Successfully added function to threadpool. Work queue size: 13
    [thread manager] Successfully added function to threadpool. Work queue size: 14
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 2
    Cached DNS response for domain: 127.0.0.1
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 3
    Cached DNS response for domain: 127.0.0.1
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 4
    Cached DNS response for domain: 127.0.0.1
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 5
    Cached DNS response for domain: 127.0.0.1
    GET http://127.0.0.1/student/ww1yYZl9.htm returned HTTP code "403" - id: 2
    No grep for: "http://127.0.0.1/student/ww1yYZl9.htm", the plugin sent grep=False.
    GET http://127.0.0.1/student/UBd6Bxxt.py returned HTTP code "403" - id: 3
    No grep for: "http://127.0.0.1/student/UBd6Bxxt.py", the plugin sent grep=False.
    GET http://127.0.0.1/student/boQkOdd9.asp returned HTTP code "403" - id: 6
    GET http://127.0.0.1/student/Kq9Kl3OI.do returned HTTP code "403" - id: 5
    No grep for: "http://127.0.0.1/student/Kq9Kl3OI.do", the plugin sent grep=False.
    No grep for: "http://127.0.0.1/student/boQkOdd9.asp", the plugin sent grep=False.
    GET http://127.0.0.1/student/5HE5HJbF.gif returned HTTP code "403" - id: 7
    GET http://127.0.0.1/student/wkOiP2IM. returned HTTP code "403" - id: 4
    No grep for: "http://127.0.0.1/student/wkOiP2IM.", the plugin sent grep=False.
    No grep for: "http://127.0.0.1/student/5HE5HJbF.gif", the plugin sent grep=False.
    GET http://127.0.0.1/student/y2mbi09u.htmls returned HTTP code "403" - id: 8
    No grep for: "http://127.0.0.1/student/y2mbi09u.htmls", the plugin sent grep=False.
    GET http://127.0.0.1/student/TGc5v5NN.rb returned HTTP code "403" - id: 9
    No grep for: "http://127.0.0.1/student/TGc5v5NN.rb", the plugin sent grep=False.
    GET http://127.0.0.1/student/EQp6IMrI.php returned HTTP code "403" - id: 10
    No grep for: "http://127.0.0.1/student/EQp6IMrI.php", the plugin sent grep=False.
    GET http://127.0.0.1/student/JDu6xd51.cgi returned HTTP code "403" - id: 11
    No grep for: "http://127.0.0.1/student/JDu6xd51.cgi", the plugin sent grep=False.
    GET http://127.0.0.1/student/xbnERvIu.jsp returned HTTP code "403" - id: 12
    No grep for: "http://127.0.0.1/student/xbnERvIu.jsp", the plugin sent grep=False.
    GET http://127.0.0.1/student/8mlVHdU5.aspx returned HTTP code "403" - id: 13
    No grep for: "http://127.0.0.1/student/8mlVHdU5.aspx", the plugin sent grep=False.
    GET http://127.0.0.1/student/3dEV8D7t.pl returned HTTP code "403" - id: 15
    GET http://127.0.0.1/student/OUUivLqI.xhtml returned HTTP code "403" - id: 14
    No grep for: "http://127.0.0.1/student/OUUivLqI.xhtml", the plugin sent grep=False.
    No grep for: "http://127.0.0.1/student/3dEV8D7t.pl", the plugin sent grep=False.
    The 404 body result database has a length of 1.
    "http://127.0.0.1/student/" (id:1) is a 404 [similarity_index > 0.9]
    Called _discover_worker()
    Starting plugin: webSpider
    webSpider plugin is testing: http://127.0.0.1/student/
    GET http://127.0.0.1/student/ returned HTTP code "403" - id: 16
    [thread manager] Successfully added function to threadpool. Work queue size: 1
    [thread manager] Successfully added function to threadpool. Work queue size: 2
    GET http://127.0.0.1/student/ returned HTTP code "403" - id: 17
    "http://127.0.0.1/student/" (id:17) is a 404 [similarity_index > 0.9]
    GET http://127.0.0.1/ returned HTTP code "403" - id: 18
    "http://127.0.0.1/" (id:18) is a 404 [similarity_index > 0.9]
    The following is a list of broken links that were found by the webSpider plugin:

    ModSecurity 模块开启后:

    Exiting setOutputPlugins()
    Called w3afCore.start()
    Enabling _dnsCache()
    Called buildOpeners
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 1
    DNS response from DNS server for domain: 127.0.0.1
    GET http://127.0.0.1/student/ returned HTTP code "403" - id: 1
    [thread manager] Successfully added function to threadpool. Work queue size: 1
    [thread manager] Successfully added function to threadpool. Work queue size: 2
    [thread manager] Successfully added function to threadpool. Work queue size: 3
    [thread manager] Successfully added function to threadpool. Work queue size: 4
    [thread manager] Successfully added function to threadpool. Work queue size: 5
    [thread manager] Successfully added function to threadpool. Work queue size: 6
    [thread manager] Successfully added function to threadpool. Work queue size: 7
    [thread manager] Successfully added function to threadpool. Work queue size: 8
    [thread manager] Successfully added function to threadpool. Work queue size: 9
    [thread manager] Successfully added function to threadpool. Work queue size: 10
    [thread manager] Successfully added function to threadpool. Work queue size: 11
    [thread manager] Successfully added function to threadpool. Work queue size: 12
    [thread manager] Successfully added function to threadpool. Work queue size: 13
    [thread manager] Successfully added function to threadpool. Work queue size: 14
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 2
    Cached DNS response for domain: 127.0.0.1
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 3
    keepalive: added one connection, len(self._hostmap["127.0.0.1"]): 4
    Cached DNS response for domain: 127.0.0.1
    Cached DNS response for domain: 127.0.0.1
    GET http://127.0.0.1/student/Vg1vHrJO. returned HTTP code "403" - id: 2
    No grep for: "http://127.0.0.1/student/Vg1vHrJO.", the plugin sent grep=False.
    GET http://127.0.0.1/student/a2O3LyYI.do returned HTTP code "403" - id: 4
    GET http://127.0.0.1/student/0eLnOV3J.asp returned HTTP code "403" - id: 3
    No grep for: "http://127.0.0.1/student/a2O3LyYI.do", the plugin sent grep=False.
    No grep for: "http://127.0.0.1/student/0eLnOV3J.asp", the plugin sent grep=False.
    GET http://127.0.0.1/student/mAGEns7z.py returned HTTP code "403" - id: 6
    No grep for: "http://127.0.0.1/student/mAGEns7z.py", the plugin sent grep=False.
    GET http://127.0.0.1/student/khbMvzIG.htmls returned HTTP code "403" - id: 8
    No grep for: "http://127.0.0.1/student/khbMvzIG.htmls", the plugin sent grep=False.
    GET http://127.0.0.1/student/qMyT7lZ5.jsp returned HTTP code "403" - id: 9
    GET http://127.0.0.1/student/SU7LbF3J.htm returned HTTP code "403" - id: 5
    No grep for: "http://127.0.0.1/student/SU7LbF3J.htm", the plugin sent grep=False.
    No grep for: "http://127.0.0.1/student/qMyT7lZ5.jsp", the plugin sent grep=False.
    GET http://127.0.0.1/student/iJRJULzR.gif returned HTTP code "403" - id: 7
    No grep for: "http://127.0.0.1/student/iJRJULzR.gif", the plugin sent grep=False.
    GET http://127.0.0.1/student/jTrkFnpt.xhtml returned HTTP code "403" - id: 14
    No grep for: "http://127.0.0.1/student/jTrkFnpt.xhtml", the plugin sent grep=False.
    GET http://127.0.0.1/student/H0xoFI0S.cgi returned HTTP code "403" - id: 11
    No grep for: "http://127.0.0.1/student/H0xoFI0S.cgi", the plugin sent grep=False.
    GET http://127.0.0.1/student/lwzkMqkS.php returned HTTP code "403" - id: 13
    No grep for: "http://127.0.0.1/student/lwzkMqkS.php", the plugin sent grep=False.
    GET http://127.0.0.1/student/gW3XjZz8.rb returned HTTP code "403" - id: 10
    No grep for: "http://127.0.0.1/student/gW3XjZz8.rb", the plugin sent grep=False.
    GET http://127.0.0.1/student/zQ2qJZkl.aspx returned HTTP code "403" - id: 12
    No grep for: "http://127.0.0.1/student/zQ2qJZkl.aspx", the plugin sent grep=False.
    GET http://127.0.0.1/student/JAdleo2T.pl returned HTTP code "403" - id: 15
    No grep for: "http://127.0.0.1/student/JAdleo2T.pl", the plugin sent grep=False.
    The 404 body result database has a length of 1.
    "http://127.0.0.1/student/" (id:1) is a 404 [similarity_index > 0.9]
    Called _discover_worker()
    Starting plugin: webSpider
    webSpider plugin is testing: http://127.0.0.1/student/
    GET http://127.0.0.1/student/ returned HTTP code "403" - id: 16
    [thread manager] Successfully added function to threadpool. Work queue size: 1
    [thread manager] Successfully added function to threadpool. Work queue size: 2
    GET http://127.0.0.1/student/ returned HTTP code "403" - id: 17
    "http://127.0.0.1/student/" (id:17) is a 404 [similarity_index > 0.9]
    GET http://127.0.0.1/ returned HTTP code "403" - id: 18
    "http://127.0.0.1/" (id:18) is a 404 [similarity_index > 0.9]
    The following is a list of broken links that were found by the webSpider plugin:

    对比两次 SQL 注入的返回数据可观察出:

    1.在关闭 ModSecurity 模块的情况下:HTTP 请求返回的都是 returned HTTP code "200"
    2.在开启 ModSecurity 模块的情况下:HTTP 请求返回的都是 returned HTTP code "403"
    ModSecurity有效的阻止了 SQL 注入

    相关文章

      网友评论

          本文标题:网络对抗原理实验三

          本文链接:https://www.haomeiwen.com/subject/wxmtmftx.html