Previous posts:
DVWA lab - Brute Force Source (brute forcing)
Lab environment setup
Weak Session IDs
A session value authenticates a session, so the generated session value must be as unpredictable as possible; otherwise a malicious user can easily forge it.
Low - Weak Session IDs
Core code
<?php
$html = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (!isset ($_SESSION['last_session_id'])) {
        $_SESSION['last_session_id'] = 0;
    }
    $_SESSION['last_session_id']++;
    $cookie_value = $_SESSION['last_session_id'];
    setcookie("dvwaSession", $cookie_value);
}
?>
As you can see, the session value generated here follows a pattern: it starts at 0 and increases by one on every request, so a malicious user can easily walk through the values in order and obtain an authenticated session.
Medium - Weak Session IDs
Core code
<?php
$html = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $cookie_value = time();
    setcookie("dvwaSession", $cookie_value);
}
?>
Medium uses time() to generate a Unix timestamp as the session value. A timestamp also follows a pattern: it has second granularity and is tied to when the session was created, so it too can be guessed.
High - Weak Session IDs
Core code
<?php
$html = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (!isset ($_SESSION['last_session_id_high'])) {
        $_SESSION['last_session_id_high'] = 0;
    }
    $_SESSION['last_session_id_high']++;
    $cookie_value = md5($_SESSION['last_session_id_high']);
    setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], false, false);
}
?>
Compared with the Low level, the counter is now passed through md5 hashing, but the underlying value is still a sequential counter, so the regularity remains.
Impossible - Weak Session IDs
Core code
<?php
$html = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $cookie_value = sha1(mt_rand() . time() . "Impossible");
    setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], true, true);
}
?>
Here the session value is sha1 over (random number . timestamp . "Impossible"), which is relatively much safer. Perhaps because of the runtime environment, I was not able to reproduce this level here.
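For comparison, here is an added example (my own code, not DVWA's) of how the dvwaSession cookie could be issued and checked without the weaknesses shown in the four levels: the value comes from the operating system CSPRNG via random_bytes() rather than a counter, time() or mt_rand(), and the cookie is sent with the Secure, HttpOnly and SameSite attributes. It assumes PHP 7.3 or later (for the setcookie() options array) and that session_start() has already been called; the $_SESSION key name and the digest-in-session storage are my own choices for the illustration.

```php
<?php
// Added example, not DVWA's own code: issues the dvwaSession cookie from the
// OS CSPRNG instead of a counter, time() or md5(counter), and sends it with the
// protective cookie flags. Assumes PHP 7.3+ (setcookie options array) and that
// session_start() has already been called.
declare(strict_types=1);

// 32 random bytes -> 64 hex characters. Unlike a counter or clock value there is
// no sequence for a client to walk, and unlike mt_rand() the source is a CSPRNG.
function generateSessionId(): string
{
    return bin2hex(random_bytes(32));
}

// Reject anything that is not the shape we issue before touching the store.
function isWellFormedSessionId(string $id): bool
{
    return preg_match('/^[0-9a-f]{64}$/', $id) === 1;
}

// Only a digest is kept server-side, so a copied session table does not hand out
// usable cookies.
function sessionIdDigest(string $id): string
{
    return hash('sha256', $id);
}

// Constant-time comparison of the presented cookie against the stored digest.
function isValidSessionCookie(string $presented, string $storedDigest): bool
{
    return isWellFormedSessionId($presented)
        && hash_equals($storedDigest, sessionIdDigest($presented));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $cookie_value = generateSessionId();
    $_SESSION['dvwaSession_digest'] = sessionIdDigest($cookie_value); // assumed key name
    setcookie('dvwaSession', $cookie_value, [
        'expires'  => time() + 3600,
        'path'     => '/vulnerabilities/weak_id/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not attached to cross-site requests
    ]);
} elseif (isset($_COOKIE['dvwaSession'], $_SESSION['dvwaSession_digest'])) {
    $authenticated = isValidSessionCookie($_COOKIE['dvwaSession'], $_SESSION['dvwaSession_digest']);
}
?>
```

Two checks worth keeping when reviewing any session-cookie code: the value must come from a CSPRNG (random_bytes, not mt_rand or time), and the cookie must carry Secure and HttpOnly, which the Low, Medium and High levels above all omit.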