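<?php

// DVWA "Brute Force" (Low) login handler.
//
// Reads username/password from the query string, compares the MD5 of the
// submitted password against the `users` table and, on exactly one match,
// appends a welcome message plus the user's avatar to $html.
//
// Security notes (not fixed here because each needs a schema or API change):
//  - Credentials travel in the URL (GET): they land in browser history,
//    proxy/server access logs and Referer headers. The form should POST.
//  - No lockout, rate limit or CSRF token: the only throttling is sleep(2)
//    on failure, which costs an attacker nothing when requests are sent in
//    parallel (e.g. Burp Intruder), so the password can be brute-forced.
//  - Passwords are stored as unsalted MD5. password_hash()/password_verify()
//    should be used, but that requires re-hashing the stored values.
//  - The mysql_* extension is deprecated and removed in PHP 7; the query is
//    safe from injection only while mysql_real_escape_string() uses the same
//    connection charset the query runs under. Prefer PDO with bound
//    parameters.
if (isset($_GET['Login'])) {
    // Escape the username for the SQL string context.
    $user = $_GET['username'];
    $user = mysql_real_escape_string($user);

    // Escape the password for SQL, then hash it the way the table stores it.
    $pass = $_GET['password'];
    $pass = mysql_real_escape_string($pass);
    $pass = md5($pass);

    // Look the user up; a successful login is exactly one matching row.
    // `or` binds looser than `=`, so $result holds the query result.
    $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');

    if ($result && mysql_num_rows($result) == 1) {
        // Get the user's details.
        $avatar = mysql_result($result, 0, "avatar");

        // Login successful. $user and $avatar were escaped for SQL, not for
        // HTML: an unescaped username is reflected XSS and an unescaped
        // avatar value can break out of the src attribute, so escape both
        // for the HTML context before emitting them.
        $safeUser = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $safeAvatar = htmlspecialchars($avatar, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "<p>Welcome to the password protected area {$safeUser}</p>";
        $html .= "<img src=\"{$safeAvatar}\" />";
    } else {
        // Login failed. The delay only slows sequential guessing; it also
        // makes failures distinguishable from successes by response time.
        sleep(2);
        $html .= "<pre><br />Username and/or password incorrect.</pre>";
    }

    mysql_close();
}

?>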
前言

Low

提交 username 和 password（随意填写），同时用 Burp 抓包，然后 Send to Intruder 进行爆破操作。从数据包中可以看到，表单采用的是 GET 方式提交的，用户名和密码直接出现在 URL 中（因此也会留在浏览器历史和服务器访问日志里）。爆破成功的条件是 username 和 password 同时正确，所以不能只猜一个参数：要么固定一个变量去猜解另一个变量，要么对两个变量做组合猜解。这里选择爆破类型为 Cluster bomb（对每个位置的字典做全组合），分别选中要爆破的变量点击右边的 Add，再在 Payloads 处为每个位置加载字典。最后在爆破结果中找正确的密码：登录成功时页面会额外输出欢迎信息和头像的 <img> 标签，失败时只返回一句错误提示并且服务端会 sleep(2)，因此可以看到正确 password 的响应包长度（Length）"与众不同"（响应时间也会明显更短），可推测passwo