• PHP代码审计-Brute Force-dvwa靶场


    low

    <?php
    	if(isset($_GET['login'])){
    		$user=$_GET['username'];
    		$pass=$_GET['password'];
    		$pass=md5($pass);
    		echo $user."<br>",$pass."<br>";
    		//链接数据库
    		$con = mysqli_connect("localhost","root","root","code");
    		if($con){
    			$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    			$result = mysqli_query($con,$query) or  die(mysql_error());
    			if($result && mysqli_num_rows( $result ) >= 1){
    				echo "success";
    			}else {
    				echo "false";
    			}
    		// $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
    		//or 前世true,不执行后,为什么要判断object			
    		}
    		else{
    
    			echo "数据库链接失败";
    		}
    
    		if(!mysqli_close($con)){
    			echo mysqli_connect_error();
    		}
    
    	}
    ?>
    

    medium

    <?php
    	if(isset($_GET['login'])){
    		$con = mysqli_connect("localhost","root","root","code");
    		$user = mysqli_real_escape_string($con,$_GET['username']);
    		$pass = $_GET['password'];
    		$pass=md5($pass);
    		$pass = mysqli_real_escape_string($con,$pass);
    		echo $user."<br>",$pass."<br>";
    		//链接数据库
    		if($con){
    			$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    			$result = mysqli_query($con,$query) or  die(mysql_error());
    			if($result && mysqli_num_rows( $result ) >= 1){
    				echo "success";
    			}else {
    				echo "false";
    			}
    		// $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
    		//or 前世true,不执行后,为什么要判断object			
    		}
    		else{
    
    			echo "数据库链接失败";
    		}
    
    		if(!mysqli_close($con)){
    			echo mysqli_connect_error();
    		}
    
    	}
    ?>
    

    high

    <?php
    @session_start();
    if(isset($_GET['login'])){
    	if($_GET['token'] == $_SESSION['token']){
    		unset($_SESSION['token']);
    		echo '合法提交';
    	}else{
    		echo '非法提交';
    	}
    	$con = mysqli_connect("localhost","root","root","code");
    	$user = mysqli_real_escape_string($con,$_GET['username']);
    	$pass = $_GET['password'];
    	$pass=md5($pass);
    	echo $pass;
    	$pass = mysqli_real_escape_string($con,$pass);
    	//echo $user."<br>",$pass."<br>";
    	//链接数据库
    	if($con){
    		$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    		$result = mysqli_query($con,$query) or  die(mysql_error());
    		if($result && mysqli_num_rows( $result ) >= 1){
    			echo "success";
    		}else{
    			echo "false";
    		}
    	// $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
    	//or 前世true,不执行后,为什么要判断object			
    	}
    	else{
    		echo "数据库链接失败";
    	}
    
    	if(!mysqli_close($con)){
    		echo mysqli_connect_error();
    	}
    	}
    $token = md5(getrandcode());
    $_SESSION['token'] = $token;
    function getrandcode(){
    	return md5(time()."#$@%!^*".rand(100000,999999));
    }
    ?>
    

    brute

    <?php
    //自己修改要test的demo
    include 'xxx.php'
    ?>
    <!doctype html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>form</title>
    </head>
    <body>
    <form action='brute-high.php' method='GET'>
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" name="login" value="login">
    <input type="hidden" name="token" value="<?php echo $token;?>"/>
    </form>
    </body>
    </html>
    

    PHP知识点

    mysqli_connect()
    mysql_error()
    mysqli_num_rows()
    mysqli_fetch_assoc()
    mysqli_real_escape_string() 转义字符串中的特殊字符
    mysqli_query()执行SQL语句
    stripslashes() 函数删除反斜杠
    
    数据库字段插入数据
    insert into users value(2,'123',"202cb962ac59075b964b07152d234b70");
    
    

    参考链接

    PHP基于Token的身份验证的方法

  • 相关阅读:
    Ajax三
    Ajax二
    【Verilog】组合逻辑写法
    【电路】LVDS 差分接口
    【C】数据类型定义
    【Flash】nv-ddr2接口Flash的ODT
    【vivado】clocking wizard 时钟配置
    【Linux】linux学习资料
    【Linux】ubuntu系统安装及软件依赖库
    【vivado】PL通过axi_hp接口控制PS的DDR
  • 原文地址:https://www.cnblogs.com/renhaoblog/p/14325416.html
Copyright © 2020-2023  润新知