往期博文:
DVWA靶场-Brute Force Source 暴力破解
靶场环境搭建
目录
Weak Session IDs 脆弱的Session
session 具有会话认证的功能,生成的session值,要尽量无规律,不然很容易被恶意用户伪造
Low Weak Session IDs
核心代码
<?php
$html = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (!isset ($_SESSION['last_session_id'])) {
$_SESSION['last_session_id'] = 0;
}
$_SESSION['last_session_id']++;
$cookie_value = $_SESSION['last_session_id'];
setcookie("dvwaSession", $cookie_value);
}
?>可以看到,这里生成的session有规律的,是从0开始,每一次加一,这样很容易被恶意用户依次遍历获取session认证。
Medium Weak Session IDs
核心代码
<?php
$html = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
$cookie_value = time();
setcookie("dvwaSession", $cookie_value);
}
?>med 使用time()生成时间戳作为生成的session ,事实上时间戳也有一定的规律,以秒为单位,也有被猜出的可能
High Weak Session IDs
核心代码
<?php
$html = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (!isset ($_SESSION['last_session_id_high'])) {
$_SESSION['last_session_id_high'] = 0;
}
$_SESSION['last_session_id_high']++;
$cookie_value = md5($_SESSION['last_session_id_high']);
setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], false, false);
}
?>相较于low级别,增加了加了md5 加密,但还是存在规律性
Impossible Weak Session IDs
核心代码
<?php
$html = "";
if ($_SERVER['REQUEST_METHOD'] == "POST") {
$cookie_value = sha1(mt_rand() . time() . "Impossible");
setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], true, true);
}
?>这里的session值=(随机数.时间戳.impossible)组成,相对来说安全了很多,不知道是不是运行环境的问题,笔者这里没有成功复现
https://www.sqlsec.com/2020/05/dvwa.html#toc-heading-31
https://www.freebuf.com/articles/web/119467.html