Track 安全社区
免费学习黑客教程
实战攻防平台
黑客必备导航
Track商城
招聘专版
登录
注册
论坛首页
>
技术文章投稿区
>
代码审计
代码审计——DVWA Brute Force(暴力破解)
炮炮兵
· 发表于 2020-03-10 14:28:28 ·
代码审计
DVWA是一款渗透测试的靶场。非常适合新手来练习渗透同时也是练习代码审计的入门之选。 关于Brute Force(暴力破解)审计 LOW等级代码 ```php if( isset( $_GET[ 'Login' ] ) ) { // Get username $user = $_GET[ 'username' ]; // Get password $pass = $_GET[ 'password' ]; $pass = md5( $pass ); // Check the database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); if( $result && mysqli_num_rows( $result ) == 1 ) { // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful $html .= "<p>Welcome to the password protected area {$user}</p>"; $html .= "<img src=\"{$avatar}\" />"; } else { // Login failed $html .= "<pre><br />Username and/or password incorrect.</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> ``` ![](/upload/md/9240e2e6c6d9d805dae9581806bef962_17917.png) 这里我们看到 user和pass变量接受 传递过来的值,密码经过MD5加密 拼接SQL语句直接执行 这里没有加任何的过滤由此得出这里存在SQL注入,我们在SQL语句后面加上var_dump($query);来查看执行的SQL语句。 ![](https://bbs.zkaq.cn/upload/md/8d6c193a2188d4bfb2e31cee7b916cfd_67763.png) 发现是单引号闭合而且没有存在过滤 我们可以通过构造 万能密码 进行登陆 ![](https://bbs.zkaq.cn/upload/md/ce0be16740baa03c9ed8aafd4ada2e79_60081.png) 'or ‘1’ ='1 然后登陆 成功;这里也可以进用burp精心暴力破解 这里我就不再演示了 ![](https://bbs.zkaq.cn/upload/md/4d941b005d818f6936a24b86a734ce58_49036.png) Medium等级代码 ```php <?php if( isset( $_GET[ 'Login' ] ) ) { // Sanitise username input $user = $_GET[ 'username' ]; $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitise password input $pass = $_GET[ 'password' ]; $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass = md5( $pass ); // Check the database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); if( $result && mysqli_num_rows( $result ) == 1 ) { // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful $html .= "<p>Welcome to the password protected area {$user}</p>"; $html .= "<img src=\"{$avatar}\" />"; } else { // Login failed sleep( 2 ); $html .= "<pre><br />Username and/or password incorrect.</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?> ``` ![](https://bbs.zkaq.cn/upload/md/45dc33c168607c1aa77fc672d46193a4_12355.png) if判断 如果执行正确就显示图片登录成功,如果登录失败就延时两秒; 注入不行就采用暴力破解方式 这里延时两秒会延长爆破的时间影响不大也是可以爆破的。使用burp爆破就行 High等级代码 ```php <?php if( isset( $_GET[ 'Login' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Sanitise username input $user = $_GET[ 'username' ]; $user = stripslashes( $user ); $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitise password input $pass = $_GET[ 'password' ]; $pass = stripslashes( $pass ); $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass = md5( $pass ); // Check database $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); if( $result && mysqli_num_rows( $result ) == 1 ) { // Get users details $row = mysqli_fetch_assoc( $result ); $avatar = $row["avatar"]; // Login successful $html .= "<p>Welcome to the password protected area {$user}</p>"; $html .= "<img src=\"{$avatar}\" />"; } else { // Login failed sleep( rand( 0, 3 ) ); $html .= "<pre><br />Username and/or password incorrect.</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } // Generate Anti-CSRF token generateSessionToken(); ?> ``` high等级比前两个难了很多 受限看到代码有个checkToken()方法 我们进入这个方法看看是干什么用的。这里传递了user_token和session_token和returnURL这三个参数;判断user_token的值和session_token值是否一样,如果不一样就执行dvwaRedirect()方法。dvwaRedirect()就是执行跳转链接的。 ```php // Token functions -- function checkToken( $user_token, $session_token, $returnURL ) { # Validate the given (CSRF) token if( $user_token !== $session_token || !isset( $session_token ) ) { dvwaMessagePush( 'CSRF token is incorrect' ); dvwaRedirect( $returnURL ); } } ``` 我来到首页F12审查元素查看,有个随机的token值每次刷新token值都会变。当每次访问页面的时候会执行generateSessionToken()这个方法就是 设置和销毁token的方法;每次访问generateSessionToken()方法会执行,并产生一个随机的token值存入session中。前段代码获取session中的token值赋值给user_token,执行提交操作时会和session中的的token比较 也就是执行了上面的checkToken()方法。 ![](https://bbs.zkaq.cn/upload/md/d0880b98a66f927c9f70b013ddf9e04c_65582.png) 我们继续往下看有个stripslashes()函数 这个也是个防止SQL注入的一个函数 这个函数就是删除字符串中的反斜杠。还有一个就是mysqli_real_escape_string()函数,这个上面讲过了这里就不再重复了; ![](https://bbs.zkaq.cn/upload/md/b68d81deabf34b3177ecdb1deec88b1e_79307.png) 到这理就 明确了High等级的条件 验证token 和 防止了SQL注入; 注入是不行了,我们可以选择爆破,自己可以写个脚本,爆破前每次获取前段user_token的值,每次跑字典带着token去爆破就可以了; impossible等级代码 ```php <?php if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Sanitise username input $user = $_POST[ 'username' ]; $user = stripslashes( $user ); $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); // Sanitise password input $pass = $_POST[ 'password' ]; $pass = stripslashes( $pass ); $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass = md5( $pass ); // Default values $total_failed_login = 3; $lockout_time = 15; $account_locked = false; // Check the database (Check user information) $data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // Check to see if the user has been locked out. if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) { // User locked out. Note, using this method would allow for user enumeration! //$html .= "<pre><br />This account has been locked due to too many incorrect logins.</pre>"; // Calculate when the user would be allowed to login again $last_login = strtotime( $row[ 'last_login' ] ); $timeout = $last_login + ($lockout_time * 60); $timenow = time(); /* print "The last login was: " . date ("h:i:s", $last_login) . "<br />"; print "The timenow is: " . date ("h:i:s", $timenow) . "<br />"; print "The timeout is: " . date ("h:i:s", $timeout) . "<br />"; */ // Check to see if enough time has passed, if it hasn't locked the account if( $timenow < $timeout ) { $account_locked = true; // print "The account is locked<br />"; } } // Check the database (if username matches the password) $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR); $data->bindParam( ':password', $pass, PDO::PARAM_STR ); $data->execute(); $row = $data->fetch(); // If its a valid login... if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) { // Get users details $avatar = $row[ 'avatar' ]; $failed_login = $row[ 'failed_login' ]; $last_login = $row[ 'last_login' ]; // Login successful $html .= "<p>Welcome to the password protected area <em>{$user}</em></p>"; $html .= "<img src=\"{$avatar}\" />"; // Had the account been locked out since last login? if( $failed_login >= $total_failed_login ) { $html .= "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>"; $html .= "<p>Number of login attempts: <em>{$failed_login}</em>.<br />Last login attempt was at: <em>${last_login}</em>.</p>"; } // Reset bad login count $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } else { // Login failed sleep( rand( 2, 4 ) ); // Give the user some feedback $html .= "<pre><br />Username and/or password incorrect.<br /><br/>Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>"; // Update bad login count $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } // Set the last login time $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' ); $data->bindParam( ':user', $user, PDO::PARAM_STR ); $data->execute(); } // Generate Anti-CSRF token generateSessionToken(); ?> ``` 这块代码的意思就是如果登录失败尝过三次会锁定15分钟,15分钟过才可以进行操作 这里爆破基本就凉掉了 流程大概是这样的total_failed_login变量定义了错误次数,lockout_time变量定义了锁定的时间 ![](https://bbs.zkaq.cn/upload/md/3aa2679753d75a6d28373afc074f7b2a_78904.png) 这里如果登录失败会更新表中错误的次数 failed_login + 1 ![](https://bbs.zkaq.cn/upload/md/42e22e47fc459fc306e7a1a962370479_12930.png) if判断如果failed_login的值 大于等于total_failed_login的值就会进行15分钟的锁定 ![](https://bbs.zkaq.cn/upload/md/67d15eb1fa4f5af7c2a495108155bc97_23367.png)
用户名
金币
积分
时间
理由
青野
16.00
0
2023-11-04 11:11:52
青野
16.00
0
2023-11-04 11:11:51
青野
8.00
0
2023-11-04 11:11:51
admin
100.00
0
2020-03-11 17:05:32
不错的分享!
打赏我,让我更有动力~
赏
0 条回复
|
直到 2020-3-10
|
1261 次浏览
登录
后才可发表内容
返回顶部
投诉反馈
炮炮兵
用户组:
Track 实习学员
积分:
0
金币:
204.60
主题:
3
帖子:
32
返回:技术文章投稿区
代码审计
NISP 国测证书限时补贴活动
web安全工程师高薪正式课
© 2016 - 2024
掌控者
All Rights Reserved.