DVWA-Brute Force暴力破解
漏洞介紹
由於對弱密碼的防護就弱,此漏洞主要是通過大量的使用者名稱和字典對賬號進行暴力破解。
Low Brute Force Source
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Get username
$user = $_GET[ 'username' ];
// Get password
$pass = $_GET[ 'password' ];
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
分析原始碼 對user和password的值進行分析
此處繞過直接登陸成功
admin’or ‘1’=‘1
admin’ – #(密碼)
123456 (密碼)
回顯以下介面
或者使用萬金油admin和password試試看
結果返回
Medium Security Level
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Sanitise username input
$user = $_GET[ 'username' ];
$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
// Sanitise password input
$pass = $_GET[ 'password' ];
$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
sleep( 2 );
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
還是一樣原始碼分析
發現此處的原始碼使用了函式mysql_real_escape_string
mysql_real_escape_string的作用
1.防止SQL Injection攻擊,驗證使用者輸入
2.運算元據時避免不必要的字元導致錯誤
並且使用sleep休眠函式
意思是如果密碼錯誤,則延時兩秒響應
直接進行爆破
點選開始攻擊
爆破密碼
(明天續更,今天就晚安啦)
相關文章
- DVWA靶機通關係列--1.Brute Force(暴力破解)(解題思路+審計分析)
- House Of Force
- STARTUP FORCE 理解
- 暴力破解
- 什麼是暴力破解?暴力破解的方法有哪些?
- rman backup database force 功能Database
- 暴力破解測試
- kali暴力破解教程
- innodb_force_recovery設定
- 迭代暴力破解域名工具
- [譯] 使用 `-force` 被認為是有害的;瞭解 Git 的 `-force-with-lease` 命令Git
- cursor_sharing : exact , force , similarMILA
- Linux防止SSH暴力破解Linux
- web類靶機暴力破解Web
- PostgreSQL DBA(138) - PG 13(Drop database force)SQLDatabase
- Log Switch Triggers 及Force SCN
- [滲透測試] Hydra暴力破解
- 暴力破解3 (6千字)
- Webmin 暴力破解+ 執行命令(轉)Web
- 2.5.11 指定 FORCE LOGGING 模式模式
- -Objc -all_load -force_loadOBJ
- rman 中delete 與delete force 的區別delete
- Specifying FORCE LOGGING Mode (82)
- Wireshark駭客發現之旅(4)——暴力破解
- dvwa-暴力破解(low-high)
- fail2ban 防止ssh暴力破解AI
- 服務認證暴力破解工具Crowbar
- Violent Python 暴力破解zip檔案Python
- SYSTEM CLEANER 暴力破解 (1千字)
- 暴力破解太陽鏡++ (607字)
- 暴力破解-基於Pikachu的學習
- terrans force筆記本怎麼安裝win10_terrans force電腦安裝win10教程【圖文】筆記Win10
- D3原始碼解讀系列之Force原始碼
- 小心設定cursor_sharing=force引數
- Centos7使用DenyHosts防止ssh暴力破解CentOS
- 使用python暴力破解mysql資料庫PythonMySql資料庫
- Spring Boot如何防暴力破解攻擊?Spring Boot
- DNS暴力破解工具Fierce常用命令DNS