DVWA靶机:172.16.12.10
windows攻击机:172.16.12.7
实验步骤:
一、Low级
1、查看源码及分析
先调整DVWA安全级别为Low,点击提交
点击左侧暴力破解,进入主题
查看源代码(在页面底部)
源码分析
<?php //检查变量是否设置(先看有没有Login参数) if( isset( $_GET[ 'Login' ] ) ) { //获取密码,存入pass变量中 $user = $_GET[ 'username' ]; //获取密码 $pass = $_GET[ 'password' ]; //将密码使用md5加密 $pass = md5( $pass ); //构建SQL语句,查询结果保存在query变量中 $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; //数据库查询,将查询结果保存在result变量中,查到了,保存用户具体信息;未查到,就在页面上输入错误结果,result为空 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); //结果存在并且返回一条记录,说明查到了 if( $result && mysqli_num_rows( $result ) == 1 ) { //查询结果关联数据row,row已经变成键值对 $row = mysqli_fetch_assoc( $result ); //获取登录成功图片 $avatar = $row["avatar"]; // Login successful //登录成功,输出到页面上 echo "<p>Welcome to the password protected area {$user}</p>"; echo "<img src=\"{$avatar}\" />"; } else { // Login failed //未查到,错误信息输出到页面上 echo "<pre><br />Username and/or password incorrect.</pre>"; } //释放资源 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?>
可以看到,服务器只是验证了参数 Login 是否被设置(isset 函数在 php 中用 来检测变量是否设置,该函数返回的是布尔类型的值,即true/false),没有 任何的防爆破机制,对参数 username 没有做任何过滤,存在明显的 sql 注入 漏洞,当然,$pass 做了 MD5 校验,杜绝了通过参数 password 进行 sql 注 入的可能性
2、漏洞复现
既然没有做任何身份校验,那就先抓包看看,随便输入用户名和密码,点击登录
Burp抓包如下
发送到Instruder进行爆破
点击测试器——位置——清除,然后在username和pasword处添加双s
攻击类型选Clusterbomb(对多个目标进行爆破)
注:
sniper 一个字典,两个参数,先匹配第一项再匹配第二项
Battering ram 一个字典,两个参数,同用户名同密码
Pitchfork 一个字典,两个参数,同行匹配,短的截至
Cluster bomb 两个字典,两个参数,交叉匹配,所有可能
点有效载荷,选择1,运行时文件,文件选择你用户名字典存放位置
选2,运行时文件,文件选择你密码字典
点选项,没有修改内容,点开始攻击
完成后点长度,长度和其他不一样的就是正确的用户名和密码
二、Medium级别
1、查看源代码及分析
<?php //是否存在Login变量(标签里面的name),检查是否存在Login按钮 if( isset( $_GET[ 'Login' ] ) ) { // Sanitise username input //获取用户名,存入user变量里 $user = $_GET[ 'username' ]; //user中x00,n,r,,’,”,x1a转义,防SQL注入 $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitise password input $pass = $_GET[ 'password' ]; //pass中x00,n,r,,’,”,x1a转义,防SQL注入 $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); //密码加密 $pass = md5( $pass ); // Check the database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); if( $result && mysqli_num_rows( $result ) == 1 ) { // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful echo "<p>Welcome to the password protected area {$user}</p>"; echo "<img src=\"{$avatar}\" />"; } else { // Login failed sleep( 2 ); echo "<pre><br />Username and/or password incorrect.</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?>
相比 Low 级别的代码,Medium 级别的代码主要增加了mysql_real_escape_string 函数,这个函数会对字符串中的特殊符号(
x00,n, r,,’,”,x1a)进行转义,基本上能够抵御 sql 注入攻击(宽字节注入可以 搞定),但是,依然没有加入有效的防爆破机制(sleep(2)实在算不上)。
2、漏洞复现
和Low级别一样进行暴力破解
三、High级别
1、查看源代码及分析
<?php if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Sanitise username input $user = $_POST[ 'username' ]; $user = stripslashes( $user ); $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitise password input $pass = $_POST[ 'password' ]; $pass = stripslashes( $pass ); $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass = md5( $pass ); // Default values $total_failed_login = 3; $lockout_time = 15; $account_locked = false; // Check the database (Check user information) //如果在锁定状态就输出已被锁定 $data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // Check to see if the user has been locked out. if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) { // User locked out. Note, using this method would alLow for user enumeration! //echo "<pre><br />This account has been locked due to too many incorrect logins.</pre>"; // Calculate when the user would be alLowed to login again //计算用户能再次登录的时间 $last_login = strtotime( $row[ 'last_login' ] ); $timeout = $last_login + ($lockout_time * 60); $timenow = time(); /* print "The last login was: " . date ("h:i:s", $last_login) . "<br />"; print "The timenow is: " . date ("h:i:s", $timenow) . "<br />"; print "The timeout is: " . date ("h:i:s", $timeout) . "<br />"; */ // Check to see if enough time has passed, if it hasn't locked the account if( $timenow < $timeout ) { $account_locked = true; // print "The account is locked<br />"; } } // Check the database (if username matches the password) $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR); $data->bindParam( ':password', $pass, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // If its a valid login... if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) { // Get users details $avatar = $row[ 'avatar' ]; $failed_login = $row[ 'failed_login' ]; $last_login = $row[ 'last_login' ]; // Login successful echo "<p>Welcome to the password protected area <em>{$user}</em></p>"; echo "<img src=\"{$avatar}\" />"; // Had the account been locked out since last login? if( $failed_login >= $total_failed_login ) { echo "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>"; echo "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>"; } // Reset bad login count $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } else { // Login failed sleep( rand( 2, 4 ) ); // Give the user some feedback echo "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>"; // Update bad login count $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } // Set the last login time $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } // Generate Anti-CSRF token generateSessionToken(); ?>
High 级别的代码加入了 Token,可以抵御 CSRF 攻击,同时也增加了爆破的难度,通过抓包,可以看到,登录验证时提交了四个参数:username、
password、Login 以及 user_token。
2、漏洞复现
随便输入密码,点击登录
抓包如下,复制全部发送到instruder
点测试器——位置——清除,然后在passwd和token处添加,攻击模式为Pitchfork
点选项,找到grep—Extract,点击添加
点击获取回复(refetch response)进行一个请求,即可看到响应报文,找到橘色字体部分用鼠标选中,上面会自动填入数据的起始和结束标识,点击ok,则会在列表中看到一个grep项。(橘色字体保存到记事本,后面会用到)
将请求引擎( Request Engine)中的 Number of threads 改为 1。
找到重定向(Redirections)模块设置允许重定向,选择总是(always)
返回有效载荷( payloads) 栏,payload 1 设置为密码字典
payload 2 选择 payload type 为“(递归搜索)Recursive grep”,然后选择下面的 extract grep 项即可。将刚刚 保存的值复制到箭头处,然后点击开始攻击
点击长度,即可看到正确密码所返回长度和其他不一样,即为正确密码
四、Impossible级
1、源码分析
<?php if( isset( $_GET[ 'Login' ] ) ) { // Check Anti-CSRF token //注册token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Sanitise username input $user = $_GET[ 'username' ]; $user = stripslashes( $user ); $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitise password input $pass = $_GET[ 'password' ]; $pass = stripslashes( $pass ); $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass = md5( $pass ); // Check database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); if( $result && mysqli_num_rows( $result ) == 1 ) { // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful echo "<p>Welcome to the password protected area {$user}</p>"; echo "<img src=\"{$avatar}\" />"; } else { // Login failed sleep( rand( 0, 3 ) ); echo "<pre><br />Username and/or password incorrect.</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } // Generate Anti-CSRF token generateSessionToken(); ?>
可以看到Impossble级别的代码加入了可靠的防爆破机制,当检测到频繁的错误登陆后,系统会将账户锁定,爆破也就无法继续。
2、尝试暴力破解,账户被锁定