Pikachu: environment installation and brute force (Burte Force)

Environment installation:

   Download the Pikachu installation package from the following address (it is my own Baidu netdisk share). I use phpStudy here; unzip the package into the WWW directory:

  Link: https://pan.baidu.com/s/1bTc0XaSi0GnVcO5VfC8dBQ
  Extraction code: dl16

  Then open it in the Firefox browser:

   After opening the page you may find that the left-hand column sometimes disappears. Hold Ctrl and turn the mouse wheel to zoom the page, and the left column reappears:

  Open the pkxss folder, then the inc folder inside it (the path is shown in the figure below), and open config.inc.php with Notepad:

   Change the database user name and password to match your own database (I set both to root here), then save:

   This is needed to open the XSS back end. If you do not change the database user name and password, then after you open the management tool at the bottom of the page and enter the XSS back end, you get the problem shown in the figure below; click the red prompt to run the installation/initialization:

   Once the change has been made, re-enter the XSS back end and run the initialization again; the installation now completes normally:

   Log in with admin / 123456; the login succeeds:

   Then go back to the original home page and you can use Pikachu.

 Brute force (Burte Force)

  In my earlier posts (Sqli-labs and DVWA) I already covered the brute-force modules; for an introduction to brute force, see the DVWA brute-force post, which describes it in detail. The essential tool for brute force is Burp Suite, because we need a tool that automates login attempts from a dictionary; trying by hand is far too slow. For more on using Burp Suite, see my Sqli-labs Less 5-10 post.

   Let's take a look at Burp Suite. Since Burp Suite is used below, here is a brief explanation of the Intruder module.

Target tab:

  Set the target; the request can be sent over from the Proxy.

Positions tab:

  Specify the parameters to brute-force, mark them as variables, and choose the attack type.

  There are four attack types:

  Sniper:

  A single payload set; the first variable is tried with the dictionary, then the second variable is tried with the dictionary.

  Battering ram:

  A payload set is supplied and all variables are replaced together with the same dictionary entry, then tried.

  Pitchfork:

  Each payload set is assigned to one variable, and the dictionary entries are tried in one-to-one order (first with first, second with second, and so on).

  Cluster bomb:

  A payload set is configured for each variable, and every combination of the dictionary entries is tried.

  (For details of these four attack types, see the following URL:

  https://www.cnblogs.com/wayne-tao/p/11130158.html)

Payloads tab:

  Set the dictionary and the processing rules applied to it.

Options tab:

  Thread count, retry-on-failure and similar settings;

  Grep - Match: set a flag string used to tell results apart; it appears as a column in the results.

   With that understood, we begin the brute force.

1. Form-based brute force

  On the left, choose "form-based brute force" under the brute force drop-down menu:

   This is the simplest mode. First test: enter an arbitrary user name and password, then the correct ones, and see whether the responses differ:

Error: 123/456

Correct: admin / 123456

  (If you do not know the correct user name and password, click the tips in the upper right corner.)

  Since the responses differ, we can brute-force based on the differences in the returned page. Turn on the browser proxy, enter any user name and password, and capture the request in Burp (for how to set up the proxy, see my blog post sqli labs Less 5-10):

  Then send it to the Intruder module:

   Go to Positions and click Clear § to remove the unrelated variables, then select the username and password values and click Add §, and set the attack type to Cluster bomb:

   Then go to Payloads. Under Payload Sets, set the Payload set to 2, because we have two parameters to crack. In Payload Options, click Load to import a dictionary (this is just a text file we created in advance listing the user names and passwords we are guessing; Burp Suite tries each entry in turn; the dictionary's path and file name are arbitrary):

  In the last tab, Options, set the thread count as you see fit (some targets do not seem to cope with high concurrency). You could also add a Grep - Match flag; here we tell results apart by the length of the returned page, but in most cases you can set your own flag string:

  Click Start attack and the brute force begins:

   Then in the returned results look for the row whose Length differs from all the others; its Payload1 and Payload2 are the user name and password:

  Log in with admin / 123456 (remember to turn off the proxy; it is more convenient, the request is not intercepted and the response comes back immediately):

   Login successful.

2. Bypassing the verification code (on client)

  This verification code is only processed at the front end, so it can be bypassed.

  Open Burp Suite, phpStudy and Pikachu, click the "on client" option, and enter a wrong user name and password with the correct verification code (123/456); the response says the user name or password is wrong:

   Enter the correct user name and password with a wrong verification code (admin / 123456 / 11111); a pop-up is returned:

  Turn on the proxy, enter a correct verification code and any account and password (123/456), and capture the request:

  Select the content, right-click and send it to Repeater:

  In Raw, change the verification code to anything (I changed it to 11111) and click "Go". If the right-hand side shows a user name or password error, i.e. the message "username or password is not exists", rather than a verification code error (the message is near the end of the response, so jump straight there), then the verification code is only handled at the front end:

  So we send the packet to Intruder and brute-force directly, ignoring the verification code; the other steps are the same as for the form-based brute force and are not repeated (note that this verification code is only for show: the check is done by JavaScript at the front end, and once the front end is bypassed it serves no purpose).

3. Bypassing the verification code (on server)

  This verification code is harder. We cannot simply bypass the front end as with "on client" and then brute-force freely; in general a verification code checked at the back end is quite reliable, but there is a loophole we can exploit. Let's look at its source (path as follows):

   Looking at the source, the verification code is checked at the back end. Our bypass idea is to check whether the generated verification code has any expiry setting (refreshed after one use); if not, it is only refreshed when the session expires, 24 minutes by default. As you can see, a wrong code is detected, because the check is done at the back end. That looks very strict, but once we have entered a correct verification code, that code has not expired and can be used again.

  We need to test this. The result we hope for is that, reusing the correct code, the response says the user name or password is wrong ("username or password is not exists"), which means the code can be reused.

   Of course we still need Burp Suite, so turn on the proxy as before and enter any user name and password (123/456) in the text boxes, but the correct verification code (to simulate the real situation, since the code is the one thing you can see), then capture the request:

  Then send it to Repeater and click Go; this refreshes the page and produces a new verification code:

   In Raw, change the user name and password to anything (I used 137/246) and click "Go". If the right-hand side shows a user name or password error, i.e. "username or password is not exists", rather than a verification code error, then the code has not expired and can still be used:

   This is quite bad: we can brute-force using this one verification code. The steps follow the form-based brute force; only the results are shown here:

   Enter them in the text boxes and log in:

   Login successful.
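Both the client-only check in the "on client" module and the reusable code in the "on server" module come down to the same defect: the code is either not validated on the back end, or validated but never cleared from the session. As an added example (not Pikachu's own source; the session key names and the demo account are assumptions), this is how a hardened server-side check looks:

```php
<?php
// Added example, not Pikachu's source: a server-side verification code that
// is checked on the back end and can be used only once, whatever the outcome.
// Session key names ('vcode', 'vcode_issued_at') are assumed.
session_start();

// Issue a fresh 5-digit code and store it in the session. Called when the
// captcha image is rendered (the image drawing itself is omitted).
function issue_captcha(): string {
    $code = '';
    for ($i = 0; $i < 5; $i++) {
        $code .= random_int(0, 9);
    }
    $_SESSION['vcode'] = $code;
    $_SESSION['vcode_issued_at'] = time();
    return $code;
}

// Validate the submitted code. The stored code is removed BEFORE the
// comparison, so the next request cannot reuse it even if this one passed.
function check_captcha(string $submitted, int $ttl = 120): bool {
    if (!isset($_SESSION['vcode'], $_SESSION['vcode_issued_at'])) {
        return false;                               // nothing issued yet
    }
    $stored = $_SESSION['vcode'];
    $issued = $_SESSION['vcode_issued_at'];
    unset($_SESSION['vcode'], $_SESSION['vcode_issued_at']);   // single use
    if (time() - $issued > $ttl) {
        return false;                               // expired
    }
    return hash_equals($stored, $submitted);        // constant-time compare
}

// Constructed demo account; a real application reads this from the database.
$users = ['admin' => password_hash('123456', PASSWORD_DEFAULT)];

// Login handler: the code gates the credential check (short-circuit), and
// every failure returns the same message so the response length reveals nothing.
$u = $_POST['username'] ?? '';
$p = $_POST['password'] ?? '';
$v = $_POST['vcode'] ?? '';
if (is_string($u) && is_string($p) && is_string($v)) {
    $ok = check_captcha($v) && isset($users[$u]) && password_verify($p, $users[$u]);
    echo $ok ? 'login success' : 'login failed';
}
```

With this check, the Repeater test above (resending with a changed user name and the old code) is answered with a failure on the second request, whatever the credentials.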

4. Can a token prevent brute force?

What is a token:

  Simply put, a token is a string generated by the server that identifies a client's requests to the server. The front end sends the user name/password to the server for authentication; if authentication succeeds, the server returns a token to the front end, and the front end includes the token in every subsequent request to prove its legitimacy.

  In DVWA we already used Burp Suite to fetch the next token and so cracked the user name and password, so the answer is obvious:

  A token cannot prevent brute force!

  Let's look at the page source and find the token:

  We find that, besides the username and password, the form also submits a hidden field named token, and the token value is verified on every submission (it is updated each time), which on the surface prevents brute force. But the token generated by the back end reaches the front end in clear text every time, and that is the loophole.

  Turn on the proxy and capture the request, entering the user name admin and any password. Mark the user name, password and token as variables, choose the Cluster bomb attack type, and in Options add a Grep - Extract rule for the token (I only wrote a password dictionary here):

   For the specific steps see my blog post: DVWA: introduction, environment setup and brute force on all levels, where the High-level steps are described in detail. Here are the final results:

   Log in with this password:

   Login successful.
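Since the rotating token is delivered in clear text and can be picked up with Grep - Extract, a token on its own does not stop automated guessing; what does is counting failed attempts per account and refusing further tries. As an added example (not Pikachu's or DVWA's code; the file path, limits and key names are assumptions), here is such a throttle:

```php
<?php
// Added example, not Pikachu's source: per-account failed-login throttling.
// A form token that rotates on every request does not slow an automated
// attack (the next token is read from each response), so the server must
// limit attempts itself. The JSON file store is just for demonstration.
const MAX_FAILURES   = 5;     // failures allowed inside one window
const WINDOW_SECONDS = 300;   // window length, also the lockout duration
function store_path(): string {
    return sys_get_temp_dir() . '/login_failures.json';
}
function load_failures(): array {
    $raw = @file_get_contents(store_path());
    return $raw === false ? [] : (json_decode($raw, true) ?: []);
}
function save_failures(array $data): void {
    file_put_contents(store_path(), json_encode($data), LOCK_EX);
}

// True while the account has reached the limit inside the current window.
function is_locked(string $username, int $now): bool {
    $f = load_failures()[$username] ?? null;
    return $f !== null
        && $f['count'] >= MAX_FAILURES
        && $now - $f['last'] < WINDOW_SECONDS;
}

// Record one attempt: success clears the counter; a failure after the window
// has elapsed starts a new count instead of extending the old one.
function record_attempt(string $username, bool $success, int $now): void {
    $all = load_failures();
    if ($success) {
        unset($all[$username]);
    } else {
        $f = $all[$username] ?? ['count' => 0, 'last' => 0];
        if ($now - $f['last'] >= WINDOW_SECONDS) {
            $f['count'] = 0;
        }
        $all[$username] = ['count' => $f['count'] + 1, 'last' => $now];
    }
    save_failures($all);
}

// Login handler sketch: refuse before the token or password is even checked
// when the account is locked; after the check, call record_attempt().
$username = $_POST['username'] ?? '';
if (is_string($username) && $username !== '' && is_locked($username, time())) {
    http_response_code(429);
    exit('too many attempts, try again later');
}
```

A Cluster bomb run against such a handler gets the same 429 response for every row after the fifth failure, so the Length column no longer singles out the right password.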

Origin www.cnblogs.com/FHBBS/p/12496997.html