Pikachu vulnerability practice platform - brute force (1)

First, form-based brute force
Second, bypassing the verification code (server side)
Third, bypassing the verification code (client side)
Fourth, token anti-brute-force

Outline

An effective brute-force dictionary can greatly improve efficiency:

  • For example, the TOP500 common usernames / passwords
  • Account passwords from leaked database dumps (social engineering libraries)
  • Passwords generated by specified rules from information about the specific target (such as phone number, date of birth, bank card number, etc.)

Brute force process

  • Confirm that the login interface is vulnerable
    • Try to log in, capture the packets, and observe the response to determine whether brute force is likely to be possible
  • Optimize the dictionary
    • Optimize the dictionary according to the actual situation to improve brute-force efficiency
  • Automation tools

Dictionary Optimization Tips

  • Optimize according to the password hints shown at registration; for example, if registration requires 8 or more characters, remove entries shorter than 8
  • When brute-forcing an admin backend, the account is very likely admin / administrator / root, so these three accounts can be used

First, form-based brute force

When the input is wrong, the following prompt appears

There is no verification code or other authentication mechanism; capture the request and look

Send it to Intruder for brute force

Set Payload


Then copy "username or password is not exists ~" into Grep Match, which lets you later tell apart the requests whose response contains that string

Then start the attack: requests matching "username or password is not exists" are failed attempts, and the successful attempt can also be spotted from its different response length

Second, bypassing the verification code (server side)

A verification code can be used to prevent malicious registration and brute force. Common problems with server-side verification codes:

  • The verification code does not expire on the backend, so it can be used for a long time
  • The verification code check is not strict and has logic problems
  • The verification code design is too simple and regular, making it easy to guess

Let's look at a simple test: without entering a verification code, it prompts that the verification code is empty; entering a wrong verification code prompts a verification code error; only when the verification code is correct does it prompt that the account or password does not exist

Next we capture the packets to determine whether the server verifies the verification code, and find the following

This shows that the backend does validate the verification code. Let's look at the code-generation logic:

When we refresh the page, a request is sent to the backend; the backend receives the request, generates a verification code, and saves it in the session.

We first generate a new verification code, then enter the correct code in BurpSuite

Prompt: the account or password does not exist


Now change the password and send it again

It still prompts that the account or password does not exist, whereas it should normally prompt a verification code error. This shows the verification code stays valid indefinitely, so we send the request straight to Intruder for brute force

Third, bypassing the verification code (client side)

Here we have to enter a verification code, and we cannot brute-force the code itself. Capturing the request, we find it only carries one extra verification-code parameter

Looking at the source, we find that the verification code validation logic is implemented on the client side

This JavaScript randomly picks five characters from 0-9 and the 26 uppercase letters as the verification code, then validate() checks it

The source also shows that every time we click the verification code, createCode() is called to change it

Through BurpSuite we find that the backend does not validate the verification code; in the browser, entering a wrong code shows a prompt


Normally this pops up

This shows the front-end verification code is only decorative and the backend does not validate it at all. So we ignore the verification code and brute force directly
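The two failure modes just observed (a backend that never clears the code from the session, and a code checked only in browser JavaScript) next to the correct behaviour, as an added example that is not code from Pikachu; the session is a plain dict standing in for PHP's $_SESSION, the prompts are the ones the platform returns, and the valid credentials are made up:

```python
import secrets
import string

# 0-9 and the 26 uppercase letters, the alphabet the client-side JS draws from
ALPHABET = string.digits + string.ascii_uppercase


def new_captcha(session):
    """What a page refresh does: generate a 5-character code and save it in the session."""
    session["vcode"] = "".join(secrets.choice(ALPHABET) for _ in range(5))
    return session["vcode"]


def check_captcha(session, submitted, mode):
    """Return None when the check passes, otherwise the error prompt.

    mode == "client":  the check exists only in browser JavaScript; the backend ignores vcode
    mode == "reuse":   the backend compares but never clears the session value (the bug seen above)
    mode == "consume": the backend compares and discards the value, so each code works exactly once
    """
    if mode == "client":
        return None
    if not submitted:
        return "verification code is empty"
    expected = session.get("vcode")
    if mode == "consume":
        session.pop("vcode", None)  # invalidate whether or not the guess was right
    if expected is None or submitted.upper() != expected:
        return "verification code error"
    return None


def login(session, username, password, vcode, mode, valid=("admin", "123456")):
    """Model of the login handler: CAPTCHA check first, then the credential check."""
    err = check_captcha(session, vcode, mode)
    if err:
        return err
    if (username, password) == valid:
        return "login success"
    return "username or password is not exists~"


def attempts_reaching_credential_check(mode, guesses=("a", "b", "c")):
    """How many guesses get past the CAPTCHA using ONE captured code (constructed scenario)."""
    session = {}
    code = new_captcha(session)
    hits = 0
    for guess in guesses:
        if login(session, "admin", guess, code, mode) == "username or password is not exists~":
            hits += 1
    return hits
```

Only the "consume" variant limits an attacker to one credential guess per code; the other two let every guess through, which is exactly what made Intruder usable in the two sections above.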

Fourth, token anti-brute-force

Using the developer tools we find a hidden tag


The number inside is our token; every time a request is submitted it carries a token value, and the backend validates that value

But the token is written into the HTML page, so an attacker only needs to write a tool that fetches the token first and submits it together with the credentials

A simple Python script for testing, as follows:

import re
import requests

url = "http://192.168.171.133/pikachu/vul/burteforce/bf_token.php"

# One session so the cookie set on the GET is sent with the POST: the token is
# stored in the server-side session, so a cookie-less POST would never match it.
session = requests.Session()


def get_token(url):
    """Fetch the login page and pull the token out of the hidden input."""
    response = session.get(url)
    content = response.text
    pattern = r'(?<=value=")\w+(?=")'
    match = re.search(pattern, content)
    if match is None:
        raise RuntimeError("token not found in page")
    return match.group()


users = ["admin", "root"]
passwds = ["admin", "password", "123456"]

for user in users:
    for passwd in passwds:
        data = {
            "submit": "Login",
            "username": user,
            "password": passwd,
            "token": get_token(url),  # fresh token for every request
        }
        response = session.post(url, data=data)
        if "login success" in response.text:
            print("username:", user, "password:", passwd)

Output


Origin www.cnblogs.com/dogecheng/p/11542541.html