DVWA Brute Force (all levels)

Brute Force

Brute force generally refers to the exhaustive method: from the conditions of the problem, determine a rough range of candidate answers, then verify every possibility in that range one by one until all of them have been checked. If a candidate satisfies all of the problem's conditions, it is a solution; if none satisfies them after every case has been checked, the problem has no solution. The exhaustive method is also called the enumeration method.

Low

Method one: brute force with Burp Suite

Set the DVWA security level to Low.

Open the PHP file for this level to see how the user name and password are checked.

Log in with admin and the password; the login succeeds.

Open Burp Suite and configure the browser's manual proxy settings.

Then enter admin as the user name with an arbitrary password (anything except the real one), turn on intercept in Burp Suite and capture the request.

Send the captured request to the Intruder module.

Beforehand, create a text file on the desktop containing all of the candidate passwords; this file is the dictionary.

Click Load, select the dictionary created earlier, and click Open.

Under Options, set the Number of threads to 50.

The parameter to brute force is the password, so select the password parameter and click Add $.

Click Start Attack in the menu bar to begin.

Comparing the response lengths, one result differs from the rest; that is presumably the correct password. Verifying it manually, the login succeeds.

Method two: manual injection

Although this is the brute-force module, web protection at the Low level is so weak that SQL injection is also possible.

User name admin'# with an arbitrary password logs in.

User name admin' or '1'='1 with an arbitrary password logs in.
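As an added illustration (not code from the original post or from DVWA, and written in Python rather than the PHP the module uses), the script below models why the Low-level check is injectable and what a parameterized query changes. It uses an in-memory SQLite table with one constructed admin row whose password is assumed to be "password"; the admin' or '1'='1 payload quoted above is used because SQLite does not treat # as a comment the way MySQL does. The function and table names are this example's own.

```python
import hashlib
import sqlite3


def md5_hex(password: str) -> str:
    # DVWA stores MD5 hashes; kept only to mirror the page, not as a recommendation.
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin row in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", md5_hex("password")))
    conn.commit()
    return conn


def login_low(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Low-level pattern: the user name is pasted straight into the SQL text,
    so a quote in the input changes the structure of the WHERE clause."""
    query = (
        "SELECT user FROM users WHERE user = '" + user
        + "' AND password = '" + md5_hex(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Prepared statement (the same idea as PDO bindings): the statement
    structure is fixed first and the inputs are bound as plain values."""
    row = conn.execute(
        "SELECT user FROM users WHERE user = ? AND password = ?",
        (user, md5_hex(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' or '1'='1"   # payload quoted on the page
    print("low, correct password:  ", login_low(conn, "admin", "password"))
    print("low, injected user name:", login_low(conn, payload, "anything"))
    print("parameterized, injected:", login_parameterized(conn, payload, "anything"))
```

With the injected user name the concatenated query becomes `user = 'admin' or '1'='1' AND password = '...'`, and because AND binds tighter than OR the `user = 'admin'` branch alone is enough to return a row. The parameterized version compares the whole payload string against the user column as data, so no row matches.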

 

Medium

The Medium-level code mainly adds the mysql_real_escape_string function, which escapes the special characters in a string (\x00, \n, \r, \, ', " and \x1a).

It also applies an MD5 hash to $pass, which removes the possibility of SQL injection through the password parameter. Both can be seen in the Medium-level PHP file.

Since manual injection is filtered out, only brute force remains: capture the request with Burp Suite. The concrete steps are the same as at the Low level and are not repeated here.

High

Viewing the PHP file, a user_token parameter has been added, so two parameters have to be brute-forced. user_token is a user token: every login page returned by the server contains a random user_token value, and the same value must be submitted when the user logs in.

So here we must brute force not only the password but also the user_token. In addition, the High-level code uses the stripslashes function (which removes backslashes from a string; of two consecutive backslashes only one is removed), and

mysql_real_escape_string filters and escapes the username and password parameters, further resisting SQL injection.
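The token check described above, as an added Python model that is not DVWA's own code: the page mints a fresh token on every load and stores it in the session, and the login handler accepts only the token from the most recently issued page, rotating it after every attempt whether or not the check passed. That rotation is why a replayed token fails and each attempt needs the page fetched again. The names LoginPage and extract_token are this example's assumptions, and the 32-character hex token mirrors the length of the page's example value.

```python
import hmac
import re
import secrets


class LoginPage:
    """Hypothetical model of the High-level form: one token per rendered page."""

    def __init__(self) -> None:
        self.session: dict[str, str] = {}   # stands in for PHP's $_SESSION

    def _rotate(self) -> str:
        token = secrets.token_hex(16)        # 32 hex characters, like the page's value
        self.session["session_token"] = token
        return token

    def render(self) -> str:
        """GET: mint a fresh token and embed it as the hidden user_token field."""
        token = self._rotate()
        return f"<input type='hidden' name='user_token' value='{token}' />"

    def submit(self, user_token: str) -> tuple[bool, str]:
        """POST: accept only the token issued with the most recent page.
        A new token is minted whether or not the check passed, so a replayed
        token is refused and the next attempt must use the page returned here."""
        expected = self.session.get("session_token")
        ok = expected is not None and hmac.compare_digest(user_token, expected)
        return ok, self.render()


TOKEN_RE = re.compile(r"value='([0-9a-f]{32})'")


def extract_token(html: str) -> str:
    """Pull the token out of the returned page (the value=' marker the post uses)."""
    match = TOKEN_RE.search(html)
    if match is None:
        raise ValueError("no user_token in page")
    return match.group(1)


if __name__ == "__main__":
    page = LoginPage()
    first = extract_token(page.render())
    print("fresh token accepted:", page.submit(first)[0])
    print("same token replayed: ", page.submit(first)[0])
```

The constant-time comparison and the unconditional rotation are the two properties worth keeping in a real implementation: the first avoids leaking token bytes through timing, the second means a single captured page is good for exactly one submission.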

 

The method is still to use Burp Suite to exhaustively try every possibility. Capture the request again; this time mark two parameters as variables: password and user_token.

Select Pitchfork as the attack type. Pitchfork mode can use multiple payload sets, one for each marked position (up to 20), and steps through all of the payloads in parallel. For example, with two payload positions, where the first set holds A and B and the second holds C and D, the attack issues two requests: the first uses A and C, the second uses B and D.

Next, under Options, set the number of attack threads to 1, because Recursive grep mode does not support multi-threaded attacks.

Select Grep - Extract, which extracts useful information from the response. In the Grep - Extract section click Add; in the upper left of the dialog, enter value=' after Start after expression, leave the rest empty, and click Refetch response. The response appears in the content column below, and the string after value=' is the token returned by the server (so the value is taken from each response in turn). Select and copy this value, as it will be needed later, and click OK. In this case the value is cb56e150316ed8a6076567cb6873fd29.

Set Redirections to Always.

Go to the Payloads tab. Payload set must be 2, because two parameters are being brute-forced. For both sets set the Payload type, select Simple list, and load the dictionary below (note: a problem occurred here; the solution was to load the dictionary while Payload set was 1 and then change it to 2).

Then change the Payload type to Recursive grep; the Payload Options section below becomes the Recursive grep pattern. In the text box at the bottom of Options, paste the token value copied earlier.

Click Start Attack; one response has a different length, and that is the password we are looking for.

Switch the browser back to no proxy and log in with admin and the password; the login succeeds.

Of course, a script can also be used, and there are many similar tutorials online, but since I have not mastered the language, I do not do that in this write-up.

Impossible

At this level brute force cannot be used. The Impossible-level code has a reliable anti-brute-force mechanism: when frequent login failures are detected, the system locks the account and the attack cannot continue. In short, the code limits the number of login attempts, which is the closest of the four levels to the real situation. It also uses the more secure PDO (PHP Data Objects) mechanism to defend against SQL injection: with PDO the extension itself does not execute database operations from an SQL command assembled with user input, while the key to SQL injection is executing malicious SQL by breaking the structure of the SQL statement.
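An added Python model of the Impossible-level lockout (example code, not DVWA's own): each account keeps a consecutive-failure counter and the time of its last attempt, and the login is refused while the counter has reached the threshold and the lockout window has not expired, even if the submitted password is correct. The threshold of 3 failures and the 15-minute window are assumed values, the admin account with password "password" is constructed sample data, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILED = 3              # assumed threshold of consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


def md5_hex(password: str) -> str:
    # MD5 only to mirror DVWA's storage; use a slow salted hash in real code.
    return hashlib.md5(password.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    failed_login: int = 0     # consecutive failures, reset on success
    last_login: float = 0.0   # time of the most recent attempt, success or not


class LoginService:
    """Hypothetical model of the Impossible-level login check."""

    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        # Constructed sample account; "password" is an assumed value.
        self.accounts = {"admin": Account(md5_hex("password"))}

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"   # same answer as a wrong password: no user enumeration
        now = self.clock()
        locked = (acct.failed_login >= MAX_FAILED
                  and now - acct.last_login < LOCKOUT_SECONDS)
        correct = hmac.compare_digest(acct.password_hash, md5_hex(password))
        acct.last_login = now     # every attempt, so attempts during lockout extend it
        if locked:
            return "locked"       # refused even when the password is right
        if correct:
            acct.failed_login = 0
            return "ok"
        acct.failed_login += 1
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    for attempt in ("wrong1", "wrong2", "wrong3", "password"):
        print(attempt, "->", svc.login("admin", attempt))
```

Because the last-attempt time is updated on every call, a dictionary attack that keeps going after the lock simply keeps the account locked; the counter only resets on a successful login outside the window. Paired with the parameterized queries PDO provides, this is the combination the Impossible level relies on.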

 


Source: www.cnblogs.com/heiwa-0924/p/12443497.html