DVWA 之暴力破解攻击(Brute Force)
暴力破解(Brute Force)的意思是攻击者借助计算机的高速计算不停枚举所有可能的用户名和密码,直到尝试出正确的组合,成功登录系统。理论上,只要字典足够大,破解总是会成功的。阻止暴力破解的最有效方式是设置复杂的密码(英文字母大小写、数字、符号混合)。而如果你的字典是从某网站泄露出来的,你使用它试图登陆其他网站,就便是撞库。撞库攻击的成功率高于暴力破解,因为你在A网站的用户名、密码通常和B网站的用户名、密码一致。例如:12306铁道部购票网站曾在2014年底发生过撞库攻击。
DVWA提供以下四种安全级别:Low、Medium、High、Impossible。
Low级别
首先,我们将安全级别设置为Low进行破解,选择左侧DVWA Security选项,下拉框选Low并提交,然后选择Brute Force。
方法一:使用Burp Suite暴力破解
1. 浏览器设置代理,地址127.0.0.1,端口8080;
2. 启动Burp Suite软件,在Proxy选项卡下选择Options,监听127.0.0.1:8080;
3. 在Proxy选项卡下的Intercept中开启intercept(拦截数据包);
4. 随后在DVWA中输入用户名和密码,假设已知用户名是admin,密码未知(随意填写),点击登录;
5. 在Burp Suite中得到请求代码,全选按Ctrl+I或者点击鼠标右键Send to Intruder。
6. 切换到Intruder选项卡,选择Positions,点击右侧Clear,然后选中密码123456,点击Add,结果如图。
7. 点击Payloads,在Payload set中选择第几个需要暴力破解的参数,我们这里只有一个,在下面选择Load加载字典文件(*.txt格式),然后点击Start attack;
8. 我们可以看到密码password的返回长度和其他不一样,证明password就是正确密码;
方法二:SQL注入漏洞
查看PHP代码
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . 'Welcome to the password protected area {$user}
"; echo ""; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?>
Username and/or password incorrect.
代码审计可以发现,没有对username和password进行过滤,存在SQL注入漏洞:
$query = "SELECT * FROM `users` WHERE user = '$user' AND password ='$pass';";
比如在Username中输入admin' #或者admin' or '1'='1等都可以登录。
Medium级别
代码
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . 'Welcome to the password protected area {$user}
"; echo ""; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?>
Username and/or password incorrect.
mysqli_real_escape_string()会将转义特殊字符,一定程度上防止SQL注入。但是它也有漏洞,在MySQL5.5.37以下版本有绕过方法。sleep(2)降低了暴力破解速度,嗯,但是没有从根源上防住爆破呀!因此,破解方法同Low级别。
High级别
代码
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . 'Welcome to the password protected area {$user}
"; echo ""; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } // Generate Anti-CSRF token generateSessionToken(); ?>
Username and/or password incorrect.
代码中加入了user_token,每次提交需要将username、password、Login和user_token四个参数一起提交到后台,因此要想解决每次变化的user_token需要每次重新获取,破解难度提升,需要编码解决。
Impossible级别
代码
prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// Check to see if the user has been locked out.
if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {
// User locked out. Note, using this method would allow for user enumeration!
//echo "
This account has been locked due to too many incorrect logins.
";
// Calculate when the user would be allowed to login again
$last_login = strtotime( $row[ 'last_login' ] );
$timeout = $last_login + ($lockout_time * 60);
$timenow = time();
/*
print "The last login was: " . date ("h:i:s", $last_login) . "
";
print "The timenow is: " . date ("h:i:s", $timenow) . "
";
print "The timeout is: " . date ("h:i:s", $timeout) . "
";
*/
// Check to see if enough time has passed, if it hasn't locked the account
if( $timenow < $timeout ) {
$account_locked = true;
// print "The account is locked
";
}
}
// Check the database (if username matches the password)
$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR);
$data->bindParam( ':password', $pass, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// If its a valid login...
if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
// Get users details
$avatar = $row[ 'avatar' ];
$failed_login = $row[ 'failed_login' ];
$last_login = $row[ 'last_login' ];
// Login successful
echo "Welcome to the password protected area {$user}
";
echo "![](\"{$avatar}\")
";
// Had the account been locked out since last login?
if( $failed_login >= $total_failed_login ) {
echo "Warning: Someone might of been brute forcing your account.
";
echo "Number of login attempts: {$failed_login}.
Last login attempt was at: ${last_login}.
";
}
// Reset bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
} else {
// Login failed
sleep( rand( 2, 4 ) );
// Give the user some feedback
echo "
Username and/or password incorrect.
Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.
";
// Update bad login count
$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Set the last login time
$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
当输入错误3次,锁定15分钟的可靠方式防止了爆破,同时采用PDO(PHP Data Object,PHP数据对象)机制更为安全,不会在本地对SQL进行拼接。当调用prepare()时,将SQL模板传给MySQL Server,传过去的是占位符“?”,不包含用户数据,当调用execute()时,用户的变量值才传递到MySQL Server,分开传递,阻止了SQL语句被破坏而执行恶意代码。