论坛首页 > 技术文章投稿区 > 代码审计

代码审计——DVWA Brute Force(暴力破解)

炮炮兵 · 发表于 2020-03-10 14:28:28 · 代码审计

DVWA是一款渗透测试的靶场。非常适合新手来练习渗透同时也是练习代码审计的入门之选。

关于Brute Force(暴力破解)审计
LOW等级代码
```php
if( isset( $_GET[ 'Login' ] ) ) {
 // Get username
 $user = $_GET[ 'username' ];

// Get password
 $pass = $_GET[ 'password' ];
 $pass = md5( $pass );

// Check the database
 $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";

$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

if( $result && mysqli_num_rows( $result ) == 1 ) {
 // Get users details
 $row = mysqli_fetch_assoc( $result );
 $avatar = $row["avatar"];

// Login successful
 $html .= "Welcome to the password protected area {$user}";
 $html .= "<img src=\"{$avatar}\" />";
 }
 else {
 // Login failed
 $html .= "<pre> Username and/or password incorrect.</pre>";
 }
 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>

```

![](/upload/md/9240e2e6c6d9d805dae9581806bef962_17917.png)

这里我们看到 user和pass变量接受 传递过来的值，密码经过MD5加密 拼接SQL语句直接执行 这里没有加任何的过滤由此得出这里存在SQL注入，我们在SQL语句后面加上var_dump($query);来查看执行的SQL语句。

![](https://bbs.zkaq.cn/upload/md/8d6c193a2188d4bfb2e31cee7b916cfd_67763.png)
发现是单引号闭合而且没有存在过滤 我们可以通过构造 万能密码 进行登陆

![](https://bbs.zkaq.cn/upload/md/ce0be16740baa03c9ed8aafd4ada2e79_60081.png)
'or ‘1’ ='1 然后登陆 成功；这里也可以进用burp精心暴力破解 这里我就不再演示了

![](https://bbs.zkaq.cn/upload/md/4d941b005d818f6936a24b86a734ce58_49036.png)
Medium等级代码

```php
<?php

if( isset( $_GET[ 'Login' ] ) ) {
 // Sanitise username input
 $user = $_GET[ 'username' ];
 $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitise password input
 $pass = $_GET[ 'password' ];
 $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 $pass = md5( $pass );

// Check the database
 $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

if( $result && mysqli_num_rows( $result ) == 1 ) {
 // Get users details
 $row = mysqli_fetch_assoc( $result );
 $avatar = $row["avatar"];

// Login successful
 $html .= "Welcome to the password protected area {$user}";
 $html .= "<img src=\"{$avatar}\" />";
 }
 else {
 // Login failed
 sleep( 2 );
 $html .= "<pre> Username and/or password incorrect.</pre>";
 }
 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>

```

![](https://bbs.zkaq.cn/upload/md/45dc33c168607c1aa77fc672d46193a4_12355.png)
if判断 如果执行正确就显示图片登录成功，如果登录失败就延时两秒；
注入不行就采用暴力破解方式 这里延时两秒会延长爆破的时间影响不大也是可以爆破的。使用burp爆破就行

High等级代码
```php
<?php

if( isset( $_GET[ 'Login' ] ) ) {
 // Check Anti-CSRF token
 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

// Sanitise username input
 $user = $_GET[ 'username' ];
 $user = stripslashes( $user );
 $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitise password input
 $pass = $_GET[ 'password' ];
 $pass = stripslashes( $pass );
 $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 $pass = md5( $pass );

// Check database
 $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

if( $result && mysqli_num_rows( $result ) == 1 ) {
 // Get users details
 $row = mysqli_fetch_assoc( $result );
 $avatar = $row["avatar"];

// Login successful
 $html .= "Welcome to the password protected area {$user}";
 $html .= "<img src=\"{$avatar}\" />";
 }
 else {
 // Login failed
 sleep( rand( 0, 3 ) );
 $html .= "<pre> Username and/or password incorrect.</pre>";
 }
 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
// Generate Anti-CSRF token
generateSessionToken();

?>

```
high等级比前两个难了很多 受限看到代码有个checkToken()方法 我们进入这个方法看看是干什么用的。这里传递了user_token和session_token和returnURL这三个参数；判断user_token的值和session_token值是否一样，如果不一样就执行dvwaRedirect()方法。dvwaRedirect()就是执行跳转链接的。
```php
// Token functions --
function checkToken( $user_token, $session_token, $returnURL ) { # Validate the given (CSRF) token
 if( $user_token !== $session_token || !isset( $session_token ) ) {
 dvwaMessagePush( 'CSRF token is incorrect' );
 dvwaRedirect( $returnURL );
 }
}
```
我来到首页F12审查元素查看，有个随机的token值每次刷新token值都会变。当每次访问页面的时候会执行generateSessionToken()这个方法就是 设置和销毁token的方法；每次访问generateSessionToken()方法会执行,并产生一个随机的token值存入session中。前段代码获取session中的token值赋值给user_token，执行提交操作时会和session中的的token比较 也就是执行了上面的checkToken()方法。

![](https://bbs.zkaq.cn/upload/md/d0880b98a66f927c9f70b013ddf9e04c_65582.png)
我们继续往下看有个stripslashes()函数 这个也是个防止SQL注入的一个函数 这个函数就是删除字符串中的反斜杠。还有一个就是mysqli_real_escape_string()函数，这个上面讲过了这里就不再重复了；

![](https://bbs.zkaq.cn/upload/md/b68d81deabf34b3177ecdb1deec88b1e_79307.png)
到这理就 明确了High等级的条件 验证token 和 防止了SQL注入；
注入是不行了，我们可以选择爆破，自己可以写个脚本,爆破前每次获取前段user_token的值，每次跑字典带着token去爆破就可以了；

impossible等级代码
```php
<?php

if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {
 // Check Anti-CSRF token
 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

// Sanitise username input
 $user = $_POST[ 'username' ];
 $user = stripslashes( $user );
 $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitise password input
 $pass = $_POST[ 'password' ];
 $pass = stripslashes( $pass );
 $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 $pass = md5( $pass );

// Default values
 $total_failed_login = 3;
 $lockout_time = 15;
 $account_locked = false;

// Check the database (Check user information)
 $data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
 $data->bindParam( ':user', $user, PDO::PARAM_STR );
 $data->execute();
 $row = $data->fetch();

// Check to see if the user has been locked out.
 if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {
 // User locked out. Note, using this method would allow for user enumeration!
 //$html .= "<pre> This account has been locked due to too many incorrect logins.</pre>";

// Calculate when the user would be allowed to login again
 $last_login = strtotime( $row[ 'last_login' ] );
 $timeout = $last_login + ($lockout_time * 60);
 $timenow = time();

/*
 print "The last login was: " . date ("h:i:s", $last_login) . " ";
 print "The timenow is: " . date ("h:i:s", $timenow) . " ";
 print "The timeout is: " . date ("h:i:s", $timeout) . " ";
 */

// Check to see if enough time has passed, if it hasn't locked the account
 if( $timenow < $timeout ) {
 $account_locked = true;
 // print "The account is locked ";
 }
 }
 // Check the database (if username matches the password)
 $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
 $data->bindParam( ':user', $user, PDO::PARAM_STR);
 $data->bindParam( ':password', $pass, PDO::PARAM_STR );
 $data->execute();
 $row = $data->fetch();

// If its a valid login...
 if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
 // Get users details
 $avatar = $row[ 'avatar' ];
 $failed_login = $row[ 'failed_login' ];
 $last_login = $row[ 'last_login' ];

// Login successful
 $html .= "Welcome to the password protected area {$user}";
 $html .= "<img src=\"{$avatar}\" />";

// Had the account been locked out since last login?
 if( $failed_login >= $total_failed_login ) {
 $html .= "Warning: Someone might of been brute forcing your account.";
 $html .= "Number of login attempts: {$failed_login}. Last login attempt was at: ${last_login}.";
 }
 // Reset bad login count
 $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
 $data->bindParam( ':user', $user, PDO::PARAM_STR );
 $data->execute();
 } else {
 // Login failed
 sleep( rand( 2, 4 ) );

// Give the user some feedback
 $html .= "<pre> Username and/or password incorrect. Alternative, the account has been locked because of too many failed logins. If this is the case, please try again in {$lockout_time} minutes.</pre>";

// Update bad login count
 $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
 $data->bindParam( ':user', $user, PDO::PARAM_STR );
 $data->execute();
 }
 // Set the last login time
 $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
 $data->bindParam( ':user', $user, PDO::PARAM_STR );
 $data->execute();
}
// Generate Anti-CSRF token
generateSessionToken();

?>

```
这块代码的意思就是如果登录失败尝过三次会锁定15分钟，15分钟过才可以进行操作 这里爆破基本就凉掉了

流程大概是这样的total_failed_login变量定义了错误次数，lockout_time变量定义了锁定的时间

![](https://bbs.zkaq.cn/upload/md/3aa2679753d75a6d28373afc074f7b2a_78904.png)
这里如果登录失败会更新表中错误的次数 failed_login + 1

![](https://bbs.zkaq.cn/upload/md/42e22e47fc459fc306e7a1a962370479_12930.png)
if判断如果failed_login的值 大于等于total_failed_login的值就会进行15分钟的锁定

![](https://bbs.zkaq.cn/upload/md/67d15eb1fa4f5af7c2a495108155bc97_23367.png)

用户名	金币	时间	理由
青野	16.00	2023-11-04 11:11:52
青野	16.00	2023-11-04 11:11:51
青野	8.00	2023-11-04 11:11:51
admin	100.00	2020-03-11 17:05:32	不错的分享！

打赏我,让我更有动力~

0 条回复 | 直到 2020-3-10 | 1261 次浏览

登录后才可发表内容