当前位置:网站首页>DVWA练习一 暴力破解
DVWA练习一 暴力破解
2022-07-25 09:17:00 【目标是技术宅】
Damn Vulnerable Web App (DVWA),直译为 该死的易受攻击的Web应用,是一个基于PHP/MySQL的非常脆弱的web应用。其主要目标是帮助安全专业人员在合法环境中测试他们的技能和工具,帮助Web开发人员更好地了解保护Web应用程序的过程,并帮助教师/学生在课堂环境中教授/学习Web应用程序安全性 。
1.DVWA在kali上的安装教程
注意不配置ReCAPTCHA 也没有问题。其它按照下面教程上的步骤来就可以。
https://www.cnblogs.com/JetpropelledSnake/p/9128613.html
2.DVWA Brute Force 暴力破解
LOW
参考链接:https://blog.csdn.net/qq_42357070/article/details/81109775
补充:
1.GET方法
可以看到,在low级别下,form表单的方法是GET方法。GET方法会将查询的字符串在URL中显示,会被缓存、保存在浏览器历史记录中、存在长度限制。通过GET方法的特性可以看出,处理敏感数据时,用GET方法非常不安全。一般在form表单中,采用的方法都是POST方法。
2.源代码解析
<?php
//isset函数作用:变量不存在或变量存在但值为NULL,返回FALSE;变量存在且值不为NULL,返回TRUE
//这里判断是否点击了login
if( isset( $_GET[ 'Login' ] ) ) {
// Get username
$user = $_GET[ 'username' ];
// Get password
$pass = $_GET[ 'password' ];
$pass = md5( $pass );
// Check the database 在这里直接查询了数据库
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
//mysqli_query(connection, query, resultmode)执行对某个数据库的查询
//die函数输出一条消息,并退出当前脚本
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
//mysqli_num_rows返回结果中行的数量
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
//在结果中取一行作为关联数组,avatar一般是指用户头像
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
echo "<p>Welcome to the password protected area {
$user}</p>";
echo "<img src=\"{
$avatar}\" />";
}
else {
// Login failed
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
3.四种标签
Sniper 狙击手 针对每个位置设置payload,适用于对漏洞中的单个请求参数进行测试
请求总数的数量=位置个数*payload个数
Battering ram 大木棰 所有位置一次设置相同的payload,适用于将相同输入放入多个位置的情况
请求总数的数量=payload个数
Pitchfork 叉子 不同位置使用不同的payload组,攻击时同步迭代所有的组,适用于在不同位置插入不相同但是相关的输入
请求总数的数量=多个payload组中每组最小的payload数量
Cluster Bomb 集束炸弹 使用多个不同的payload组,攻击时迭代每个组,适用于在不同位置插入不同且不相关的输入
请求总数的数量=各payload组中payload数量的乘积
4.SQL注入
参考链接:https://ctf-wiki.github.io/ctf-wiki/web/sqli-zh/
本次可以使用的万能密码:
1.admin'--或者admin'#
注意横线后面有空格
因为--和#是行间注释,对于源码中的查询语句中的条件部分就变成了where user = 'admin',所以能够得到一条正确的查询结果。
2.admin' or '1' = '1
条件部分变成了where user = 'admin' or '1' = '1' and password = '',因为and语句连接的部分优先级比较高,'1' = '1' and password = ''一定不成立,所以相当于执行条件语句where user = 'admin',能够得到一条正确的查询结果。
其实把这个简化一下改成admin' or '也可以得到正确的结果。
对于像' or '1' = '1的万能语句,条件语句变成了where user = '' or '1' = '1' and password = '',因为没有用户名为空的记录,所以返回错误。
在构造万能语句时,也要考虑查询的参数是否为字符串,如果是字符串,那么引号的个数应当合适。
MEDIUM
在medium版本中,$user和$password变量都加上了下面的限制:
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
mysqli_real_escape_string()函数转义在 SQL 语句中使用的字符串中的特殊字符。
会被进行转义的字符包括: NUL (ASCII 0),\n,\r,\,’," 和 Control-Z.
因此此时SQL语句注入不再有效。
HIGH
相比与之前,又加入了:
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
//去除反斜线,如果有两个连续的反斜线则去掉一个
$user = stripslashes( $user );
// Login failed
sleep( rand( 0, 3 ) );
// Generate Anti-CSRF token
generateSessionToken();
用户每次提交都会随机生成一个token,存入session中,并设置过期时间。当用户再次提交时,检查token是否一致或者过期。
这就使得盲目爆破无法实现。
参考链接中给出了两种方法,一种是Python脚本,一种还是用burp suite,但是使用Grep-Extract从网页中提取了token信息,然后作为payload,使用Pitchfork进行攻击。
注意在用burp suite时,Options中一定要设置永远跟随重定向:
IMPOSSIBLE
连续三次登录失败后上锁一段时间。在数据库中记录连续登录失败的次数,以及上次登录失败的时间。
<?php
//要判断是否这三个都有值
if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
//净化username输入
$user = $_POST[ 'username' ];
$user = stripslashes( $user );
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
//净化密码输入
$pass = $_POST[ 'password' ];
$pass = stripslashes( $pass );
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass = md5( $pass );
// Default values
$total_failed_login = 3;
$lockout_time = 15;
$account_locked = false;
// Check the database (Check user information)
$data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// Check to see if the user has been locked out.
if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {
// User locked out. Note, using this method would allow for user enumeration!
//echo "<pre><br />This account has been locked due to too many incorrect logins.</pre>";
// Calculate when the user would be allowed to login again
$last_login = strtotime( $row[ 'last_login' ] );
$timeout = $last_login + ($lockout_time * 60);
$timenow = time();
/* print "The last login was: " . date ("h:i:s", $last_login) . "<br />"; print "The timenow is: " . date ("h:i:s", $timenow) . "<br />"; print "The timeout is: " . date ("h:i:s", $timeout) . "<br />"; */
//连续三次登录失败后,检查最近的一次登录失败到现在是否度过了足够的时间
if( $timenow < $timeout ) {
$account_locked = true;
// print "The account is locked<br />";
}
}
// Check the database (if username matches the password)
$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR);
$data->bindParam( ':password', $pass, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// If its a valid login...
if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
// Get users details
$avatar = $row[ 'avatar' ];
$failed_login = $row[ 'failed_login' ];
$last_login = $row[ 'last_login' ];
// Login successful
echo "<p>Welcome to the password protected area <em>{
$user}</em></p>";
echo "<img src=\"{
$avatar}\" />";
// Had the account been locked out since last login?
if( $failed_login >= $total_failed_login ) {
echo "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
echo "<p>Number of login attempts: <em>{
$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>";
}
// Reset bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
} else {
// Login failed
sleep( rand( 2, 4 ) );
// Give the user some feedback
echo "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {
$lockout_time} minutes</em>.</pre>";
// Update bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Set the last login time
$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
边栏推荐
- 『怎么用』代理模式
- activemq--可持久化机制之JDBC代码
- Guangzhou has carried out in-depth "100 day action" to check the safety of self built commercial houses, and more than 2 million houses have been checked in two months
- Common tool classes under JUC package
- ActiveMQ -- persistent mechanism
- [buuctf-n1book][Chapter 2 advanced web]ssrf training
- uni-app - Refused to display ‘xxx‘ in a frame because an ancestor violates the following Content Sec
- ActiveMQ -- dead letter queue
- [machine learning] Finally, the important steps of machine learning modeling have been clarified
- c语言中的六个存储类型:auto register static extern const volatile
猜你喜欢
Programmers can't SQL? Ashes Engineer: all waiting to be eliminated! This is a must skill!
centos更改mysql数据库目录
Troubleshooting error: NPM install emojis list failed
『每日一问』ReentrantLock加锁解锁
How to avoid duplicate data when the database is high and distributed
activemq--延迟投递和定时投递
Uniapp intercepts route jumps through addinterceptor to control whether the page needs to log in
idea 热部署
The garbage classification data set used in the excellent Yolo target detection training is shared - about 3000 labeled
sql注入
随机推荐
[common tools] obtain system status information based on psutil and gputil
Nacos启动报错Unable to start web server
[learn rust together] a preliminary understanding of rust package management tool cargo
[STL]stack&queue模拟实现
[STL]list模拟实现
Analysis of concat and group in MySQL_ Use of concat
ActiveMQ -- leveldb of persistence mechanism
PHP date() function does not support processing numbers greater than 2147483648? "Suggested collection"
@Scheduled源码解析
The development of art NFT
SSM高级整合
Detailed explanation of pipeline pipeline mechanism in redis
OverTheWire-Bandit
registration status: 204
【线程知识点】-- 自旋锁
Software examination system architecture designer concise tutorial | software life cycle
activemq--死信队列
Guangzhou has carried out in-depth "100 day action" to check the safety of self built commercial houses, and more than 2 million houses have been checked in two months
Ten thousand words long, one word thoroughly! Finally, someone has made business intelligence (BI) clear
idea中将lib目录下的jar包加入到项目中