一、攻击方法:
1.先随意输入账号和密码
2.用Burnsuite抓包并传到intruder中
3.清除变量 并将username和password添加为新变量
4.选择Cluster bomb方式 在payloads中导入字典
payload 1 2都导入相同的即可
点击start attack 开始暴力破解
5.结束后 筛选length
拿到账号:admin
密码:password
6.登陆成功
二、代码审计:
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Get username
$user = $_GET[ 'username' ];
// Get password
$pass = $_GET[ 'password' ];
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar =