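DVWA - Brute Force

Vulnerability overview
Because protection against weak passwords is itself weak, this vulnerability is exploited mainly by brute-forcing accounts with large lists of usernames and password dictionaries.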
Low Brute Force Source



<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Get username
    $user = $_GET[ 'username' ];

    // Get password
    $pass = $_GET[ 'password' ];
    $pass = md5( $pass );

    // Check the database (user input is concatenated straight into the SQL string)
    $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    if( $result && mysqli_num_rows( $result ) == 1 ) {
        // Get users details
        $row    = mysqli_fetch_assoc( $result );
        $avatar = $row["avatar"];

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

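Source analysis: look at how the values of user and password are handled.
[Screenshot 1]
The check can be bypassed here, so the login succeeds directly:
admin' or '1'='1
admin' -- # (password)
123456 (password)
The following page is returned:
[Screenshot 2]
Alternatively, try the catch-all default credentials admin and password.
The result returned:
[Screenshot 3]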
Medium Security Level



<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass = md5( $pass );

    // Check the database
    $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    if( $result && mysqli_num_rows( $result ) == 1 ) {
        // Get users details
        $row    = mysqli_fetch_assoc( $result );
        $avatar = $row["avatar"];

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed: delay the response by two seconds
        sleep( 2 );
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

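As before, start by analysing the source.
The source at this level uses the function mysqli_real_escape_string.
What mysqli_real_escape_string does:
1. Protects against SQL injection by sanitising user input
2. Prevents unwanted characters from causing errors when working with the data
It also uses the sleep function.
This means that if the password is wrong, the response is delayed by two seconds.
Go straight to brute-forcing:
[Screenshot 4]
[Screenshot 5]
Click "Start attack".
[Screenshot 6]
The password is brute-forced.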
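
Both weaknesses shown above (the string-built query at the Low level and the fixed two-second delay at the Medium level) can be closed in the login handler itself. The following is an added example, not DVWA's code or the author's: the table layout, the fails and last_fail columns, the thresholds and the sample password are assumptions, password_hash()/password_verify() stand in for the page's md5(), and the constructed test data needs PHP with pdo_sqlite.

```php
<?php
// Added example: schema, column names and thresholds are assumptions, not DVWA's own.
const MAX_FAILS    = 3;     // failed attempts allowed before the account locks
const LOCK_SECONDS = 900;   // how long the lock lasts after the last failure

function check_login(PDO $db, string $user, string $pass, int $now): string {
    // Bound parameter: quotes in $user are data, never SQL syntax.
    $st = $db->prepare('SELECT password_hash, fails, last_fail FROM users WHERE user = :u');
    $st->execute([':u' => $user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'denied';    // unknown user gets the same answer as a wrong password
    }
    $locked = $row['fails'] >= MAX_FAILS && ($now - $row['last_fail']) < LOCK_SECONDS;
    if ($locked) {
        return 'locked';    // refuse without evaluating the guess at all
    }
    if (password_verify($pass, $row['password_hash'])) {
        $db->prepare('UPDATE users SET fails = 0 WHERE user = :u')->execute([':u' => $user]);
        return 'ok';
    }
    $db->prepare('UPDATE users SET fails = fails + 1, last_fail = :t WHERE user = :u')
       ->execute([':t' => $now, ':u' => $user]);
    return 'denied';
}

// Constructed test data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password_hash TEXT, fails INTEGER DEFAULT 0, last_fail INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO users (user, password_hash) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

$t = 1000;                                                   // constructed clock value
echo check_login($db, "admin' or '1'='1", 'x', $t), "\n";    // quoted input is looked up as a literal name
foreach (['123456', 'password', 'letmein'] as $guess) {
    echo check_login($db, 'admin', $guess, $t++), "\n";      // three wrong guesses in a row
}
echo check_login($db, 'admin', 'correct horse', $t), "\n";                // right password, inside the lock window
echo check_login($db, 'admin', 'correct horse', $t + LOCK_SECONDS), "\n"; // right password, after the window
```

Per-account lockout lets anyone who knows a username lock that account, so it is usually paired with per-source rate limiting and alerting on repeated lockouts.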
(To be continued tomorrow; good night for today.)
