Brute-force vulnerabilities
1. Brute force and brute-force vulnerabilities: overview
1.1 What is a brute-force attack?
Key characteristics: continuous, repeated attempts; driven by a dictionary; automated.
1.2 Brute force overview: the dictionary
A good dictionary greatly improves the efficiency of a brute-force attack. Typical sources:
- Commonly used accounts and passwords (weak credentials), e.g. TOP 500 username/password lists.
- Credentials leaked on the internet (so-called social-engineering databases), e.g. the roughly 6 million user records leaked from CSDN years ago.
- Passwords generated by a tool from a specified character set according to specified rules (permutation and combination).
Database dumping (脱库): an attacker breaks into a valuable site and steals its entire registered-user database.
Credential stuffing (撞库): the attacker collects username/password pairs already leaked on the internet, builds a dictionary from them, and tries them in bulk against other sites to obtain a set of accounts that log in. Many users reuse the same credentials on different sites, so an account obtained from site A can be tried against site B; this is what is meant by a credential-stuffing attack.
1.3 Brute-force vulnerability overview
If a website implements no countermeasures against brute force on its login interface, or implements inadequate ones, the site is said to have a brute-force vulnerability. Questions to ask:
Does it require users to set complex passwords?
Does every authentication use a secure CAPTCHA?
Does it detect and limit repeated login attempts?
Does it use two-factor authentication where necessary?
etc.
A site with a brute-force vulnerability may be brute-forced, but success is not 100% guaranteed,
so some administrators ignore the risk even when the vulnerability exists.
As security people, however, we should build these measures into the corresponding authentication scenarios at design time, and never compromise for developers or business staff or rely on luck; otherwise you are the one who gets hit.
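The first question above (does the site require complex passwords?) can be enforced in code. As an added example that is not from the original post or from Pikachu, the Python below implements a server-side password policy using the constraints the post itself quotes in 2.2 (at least 6 characters, letters mixed with digits) and rejects entries found in a weak-password list like the TOP 500 mentioned in 1.2. The ten-entry WEAK_PASSWORDS set is a constructed sample, and check_password_policy and admitted_fraction are my own names; admitted_fraction goes a little beyond the text by measuring how much of a candidate list a policy actually removes.

```python
import re

MIN_LENGTH = 6  # the post's example site: at least 6 characters, letters mixed with digits

# Constructed sample of a weak-password list; a real deployment would load a
# full TOP-500 or breach-derived list from disk.
WEAK_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "123123", "admin", "admin123", "letmein",
})


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letter")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digit")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears in the weak-password list")
    return problems


def admitted_fraction(candidates) -> float:
    """Share of a candidate list that the policy would accept.

    A policy only helps against a dictionary if it rejects most of the
    dictionary, so this is a quick sanity check when tuning the rules."""
    candidates = list(candidates)
    if not candidates:
        return 0.0
    accepted = sum(1 for c in candidates if not check_password_policy(c))
    return accepted / len(candidates)


if __name__ == "__main__":
    for pw in ("123456", "admin123", "abc", "hello1", "Tr0ub4dor"):
        print(pw, "->", check_password_policy(pw) or "ok")
```

The check is applied at registration and password change, so the weak entries never reach the user table; the list lookup is deliberately case-insensitive because weak-password lists are usually normalised to lower case.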
2. Brute-force vulnerability testing process
2.1 Testing process
① Confirm the weakness of the login interface
Confirm whether the target has a brute-force vulnerability (i.e. confirm the "possibility" of being brute-forced).
For example: attempt a login and capture the request, then observe the validation elements and the response to judge whether brute forcing is possible.
② Optimize the dictionary
Optimize the dictionary for the actual situation to make the cracking process more efficient.
③ Automate with a tool
Configure the automation tool (threads, timeout, retry count, etc.) and run it.
2.2 Testing process: dictionary optimization techniques
Technique 1: optimize from the registration hints
Register on the target site to learn the constraints on accounts and passwords. For example, if the site requires passwords of at least 6 characters mixing letters and digits, prune the dictionary accordingly, e.g. by removing passwords that do not meet the requirement.
Technique 2: determine the username first
When the target is an admin backend, the administrator account is very often admin/administrator/root. Try these three usernames with an arbitrary password and observe the response to determine the username.
For example:
Entering xxx/yyy returns "username or password incorrect";
Entering admin/yyy returns "password incorrect", so the username is almost certainly admin;
Only the password then needs to be brute-forced, which is more efficient.
3. Form-based brute force (with Burp Suite)
Lab environment: Pikachu
Target: Pikachu → Brute force → Form-based brute force
Tool: Burp Suite Free Edition, Intruder module
Once the proxy is switched on, Burp is listening.
Note: Burp Suite cannot intercept requests to localhost / 127.0.0.1.
Capture the request → dictionary attack
4. Bypassing and defending against brute force (CAPTCHA & token)
A word on CAPTCHAs
CAPTCHA: "Completely Automated Public Turing test to tell Computers and Humans Apart"
The Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), commonly called a verification code, is a fully automatic public program for distinguishing whether a user is a machine or a human. In a CAPTCHA test, the computer acting as the server automatically generates a question for the user to answer. The question can be generated and graded by a computer, but it must be solvable only by a human. Since a machine cannot answer the CAPTCHA question, a user who answers it correctly can be regarded as human.
What do we usually use CAPTCHAs for?
1. Preventing login brute force
2. Preventing malicious automated registration
CAPTCHA authentication flow
A CAPTCHA can prevent brute force, but is your CAPTCHA secure?
4.1 Brute force with an insecure CAPTCHA on the client: bypass demonstration
Look at the source: E:\XAMPP\htdocs\pikachu\vul\burteforce\bf_client.php
Insecure CAPTCHA on the client: common problems
1. The CAPTCHA is implemented in front-end JavaScript (a paper tiger);
2. The CAPTCHA is leaked in a cookie, where it is easy to read;
3. The CAPTCHA is leaked in the front-end source, where it is easy to read;
4.2 Insecure CAPTCHA on the server: demonstration
Insecure CAPTCHA on the server: common problems
1. The CAPTCHA never expires on the back end, so one value can be reused for a long time;
2. The CAPTCHA check is incomplete, i.e. the validation logic is flawed;
3. The CAPTCHA is too simple or follows a pattern, making it easy to guess.
Observed in the demo: the CAPTCHA does not expire.
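The three server-side problems above all come down to how the CAPTCHA is stored and checked on the server. As an added example that is not from the post or from Pikachu, the Python below keeps the CAPTCHA state in a server-side store keyed by session id: the code is generated with a CSPRNG (problem 3), it is consumed on the first check whether the answer is right or wrong and it expires after a fixed time (problem 1), and the comparison is the only path to success (problem 2). The CaptchaStore class, the 120-second TTL and the in-memory dictionary are my own assumptions; a real deployment would back the store with the session storage or a cache with the same semantics.

```python
import hmac
import secrets
import string
import time

CAPTCHA_TTL = 120  # seconds; assumed value, the post gives no number
ALPHABET = string.ascii_uppercase + string.digits  # no ambiguous pattern, every position independent


class CaptchaStore:
    """Server-side CAPTCHA state, one pending challenge per session (in-memory, for illustration)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._pending = {}       # session_id -> (code, expires_at)

    def issue(self, session_id: str, length: int = 5) -> str:
        """Create a new challenge for this session, replacing any earlier one.

        The returned code is what the caller renders into an image; the text
        itself is never sent to the client (no cookie, no HTML, no JS)."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._pending[session_id] = (code, self._now() + CAPTCHA_TTL)
        return code

    def verify(self, session_id: str, answer) -> bool:
        """Check an answer. The pending challenge is removed on every call, so a
        code can be tried exactly once and must be re-issued after each attempt."""
        entry = self._pending.pop(session_id, None)   # single use, right or wrong
        if entry is None:
            return False                              # nothing issued, or already consumed
        code, expires_at = entry
        if self._now() > expires_at:
            return False                              # stale challenge
        submitted = (answer or "").strip().lower().encode("utf-8")
        return hmac.compare_digest(code.lower().encode("utf-8"), submitted)


if __name__ == "__main__":
    store = CaptchaStore()
    code = store.issue("demo-session")
    print("issued:", code)
    print("first check :", store.verify("demo-session", code))
    print("replay check:", store.verify("demo-session", code))
```

The pop-on-verify behaviour is the point: Pikachu's server-side page keeps the same code in the session until the image is fetched again, which is exactly the "CAPTCHA does not expire" observation above. Tie the login attempt counter to the same session so that each attempt costs the client a fresh, human-solved challenge.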
4.3 Common defenses against brute force
1. Design a secure CAPTCHA (a secure flow, and images that are complex yet still usable);
2. Count failed authentication attempts and impose a limit, e.g. after 5 consecutive wrong passwords, lock for two hours;
3. Use two-factor authentication where necessary.
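Defense 2 above and the error-message observation from 2.2 (technique 2, where "password incorrect" versus "username or password incorrect" gives the username away) belong in the same login handler. As an added example that is not from the post or from Pikachu, the Python below implements a login service that returns one generic message for both an unknown user and a wrong password, does the same hashing work in both cases so the timing does not differ either, counts consecutive failures per submitted username, and locks that username for two hours after the fifth failure. LoginService, the PBKDF2 parameters and the in-memory dictionaries are my own assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5              # the post's example: 5 consecutive wrong passwords ...
LOCK_SECONDS = 2 * 60 * 60    # ... lock for two hours
GENERIC_ERROR = "username or password is incorrect"   # identical for unknown user and wrong password
LOCKED_ERROR = "too many failed attempts, try again later"
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16     # so an unknown username costs the same hashing work


class LoginService:
    """In-memory users, failure counters and lock timestamps (illustration only)."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so lock expiry can be tested
        self._users = {}             # username -> (salt, pbkdf2 hash)
        self._failures = {}          # username -> consecutive failure count
        self._locked_until = {}      # username -> unix time when the lock expires

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password))

    def login(self, username: str, password: str):
        """Return (ok, message). The message never reveals whether the username exists."""
        now = self._now()
        if self._locked_until.get(username, 0) > now:
            return False, LOCKED_ERROR
        record = self._users.get(username)
        if record is None:
            # Unknown user: same hashing cost, same failure path, same message.
            self._hash(DUMMY_SALT, password)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(self._hash(salt, password), stored)
        if ok:
            self._failures.pop(username, None)    # a success resets the counter
            return True, "login success"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= MAX_FAILURES:
            # Lock the submitted username, known or not, and reset the counter.
            self._locked_until[username] = now + LOCK_SECONDS
            self._failures.pop(username, None)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService()
    svc.add_user("admin", "correct-horse-7")
    for attempt in ("guess1", "guess2", "guess3", "guess4", "guess5", "correct-horse-7"):
        print(attempt, "->", svc.login("admin", attempt))
```

The lock is keyed on the submitted username, including names that do not exist, so the LOCKED_ERROR message does not confirm an account either. The trade-off a practitioner should weigh: a per-username lock lets anyone lock a legitimate user out by sending five bad passwords, so in practice it is combined with per-source throttling and the CAPTCHA from 4.3 rather than used alone.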
4.4 A word on what a token means for brute-force defense
Source of Pikachu's bf_token.php (the page the form below posts to):
<?php
/**
* Created by runner.han
* There is nothing new under the sun
*/
$PIKA_ROOT_DIR = "../../";
include_once $PIKA_ROOT_DIR.'inc/config.inc.php';
include_once $PIKA_ROOT_DIR.'inc/mysql.inc.php';
include_once $PIKA_ROOT_DIR.'inc/function.php';
// file name of the current script, used to mark the active sidebar entry in header.php
$SELF_PAGE = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
if ($SELF_PAGE == "bf_token.php"){
    $ACTIVE = array('','active open','','','','','active',"","","","","","","","","","","","");
}
include_once $PIKA_ROOT_DIR.'header.php';
$link=connect();
$html="";
if(isset($_POST['submit']) && $_POST['username'] && $_POST['password'] && $_POST['token']){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $token = $_POST['token'];
    // prepared statement: the credentials are bound as parameters, not concatenated into the SQL
    $sql = "select * from users where username=? and password=md5(?)";
    $line_pre = $link->prepare($sql);
    $line_pre->bind_param('ss',$username,$password);
    // the submitted token must match the one stored in the session when the form was rendered
    if($token == $_SESSION['token']){
        if($line_pre->execute()){
            $line_pre->store_result();
            if($line_pre->num_rows>0){
                $html.= '<p> login success</p>';
            } else{
                $html.= '<p> username or password is not exists~</p>';
            }
        }else{
            $html.= '<p>执行错误:'.$line_pre->errno.'错误信息:'.$line_pre->error.'</p>';
        }
    }else{
        $html.= '<p> csrf token error</p>';
    }
}
// generate a fresh token for the next request; it is read back from $_SESSION['token'] below
set_token();
?>
<div class="main-content" xmlns="http://www.w3.org/1999/html">
<div class="main-content-inner">
<div class="breadcrumbs ace-save-state" id="breadcrumbs">
<ul class="breadcrumb">
<li>
<i class="ace-icon fa fa-home home-icon"></i>
<a href="burteforce.php">Brute force</a>
</li>
<li class="active">Does a token stop brute force?</li>
</ul><!-- /.breadcrumb -->
<a href="#" style="float:right" data-container="body" data-toggle="popover" data-placement="bottom" title="tips (click again to close)"
data-content="Get to know tokens; you will need them for CSRF later.... although they are of no use at all here.">
Click for a hint~
</a>
</div>
<div class="page-content">
<div class="bf_form">
<div class="bf_form_main">
<h4 class="header blue lighter bigger">
<i class="ace-icon fa fa-coffee green"></i>
Please Enter Your Information
</h4>
<form id="bf_client" method="post" action="bf_token.php">
<!-- <fieldset>-->
<label>
<span>
<input type="text" name="username" placeholder="Username" />
<i class="ace-icon fa fa-user"></i>
</span>
</label>
<br />
<label>
<span>
<input type="password" name="password" placeholder="Password" />
<i class="ace-icon fa fa-lock"></i>
</span>
</label>
<br />
<!-- the per-request token is embedded in the form and compared with $_SESSION['token'] on submit -->
<input type="hidden" name="token" value="<?php echo $_SESSION['token'];?>" />
<label><input class="submit" name="submit" type="submit" value="Login" /></label>
</form>
<?php echo $html;?>
</div><!-- /.widget-main -->
</div><!-- /.widget-body -->
</div><!-- /.page-content -->
</div>
</div><!-- /.main-content -->
<?php
include_once $PIKA_ROOT_DIR.'footer.php';
?>
Good blogs deserve sharing, haha: https://jwt1399.top/posts/30313.html#toc-heading-1