Brute-force cracking [verification code bypass, token anti-brute-force] shooting range experiment

Disclaimer

The procedures (methods) described in this article may be offensive in nature and are intended only for security research and learning. If readers use this information for any other purpose, they bear all legal and joint liability; the author of the article assumes none.

1. Introduction to Burp Suite

Burp Suite, the tool used for brute forcing here, is an integrated platform for attacking web applications. It contains many tools, with interfaces designed to speed up the process of attacking applications. All tools share a powerful, extensible framework for processing and displaying HTTP messages.

Brute-force cracking mainly uses the Intruder module, which automates customized attacks on web applications. Intruder makes many tasks easy and can be used for testing such defects as SQL injection, cross-site scripting, path traversal, brute-force attacks on authentication systems, parameter manipulation, discovery of hidden content and functionality, data mining, concurrency attacks, application-layer denial of service, and more.

The Intruder module consists of 4 main tabs:
1. Target: configures the details of the target server to attack;
2. Positions: sets the payload insertion points and the attack type (attack mode);
3. Payloads: sets the payloads and configures the dictionary;
4. Options: details of sending and receiving packets, such as request speed, whether results are saved, whether request headers are updated before sending, whether the connection is closed after each request, grep matching of response data, and so on.

2. Brute-force cracking [verification code bypass, token anti-brute-force] shooting range experiment

Brute-force cracking can be divided into 4 categories: simple brute-force cracking, verification code checked by front-end JS, verification code checked by the back-end server, and token anti-brute-force. The first type was covered in “Authentication Crash (Part 2) Brute Force Cracking and Shooting Range Experiment 1”. This article covers the remaining three categories, using the pikachu shooting range as the example. Configure Firefox to proxy through Burp, and keep Burp's interceptor on during the verification process.

1. Form-based brute-force cracking

For the detailed cracking process, please refer to “Authentication Crash (Part 2) Brute Force Cracking and Shooting Range Experiment 1”.

2. Verification code bypass (on server)

2.1. Ideas

Use Burp Suite to capture the packet and use Repeater to replay the request, checking whether the verification code is validated on the server side and whether it is cleared after validation. It turns out that the server does validate the verification code, but a correct verification code is never cleared, so the same value can be reused indefinitely.

2.2. Submit page input information

2.3. BurpSuite sends Repeater


2.4. BurpSuite sends Intruder

Right-click on the request intercepted by Burp Suite and select Send to Intruder. In the Positions tab under Intruder, clear the default payload positions, then mark the positions again and choose the attack type.

2.5. Set payload


2.6. Attack and analyze the results


2.7. Web login verification

Note: turn off the Burp proxy in Firefox and log in with the username and password cracked in the previous step; the login succeeds, confirming the result.

3. Verification code bypass (on client)

3.1. Ideas

I intentionally entered the wrong verification code and found that a pop-up message appeared on the page, but no submit request was initiated. Only after entering the correct verification code was the request sent.

Right-click: View page source, search for the keyword "Please Enter Your Information", and find the validate() method referenced by the form's onsubmit="return validate();"

<script language="javascript" type="text/javascript">
    var code; // the verification code, held globally
    function createCode() {
        code = "";
        var codeLength = 5; // length of the verification code
        var checkCode = document.getElementById("checkCode");
        var selectChar = new Array(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'); // all candidate characters for the code; Chinese characters could be used as well

        for (var i = 0; i < codeLength; i++) {
            var charIndex = Math.floor(Math.random() * 36);
            code += selectChar[charIndex];
        }
        //alert(code);
        if (checkCode) {
            checkCode.className = "code";
            checkCode.value = code;
        }
    }

    function validate() {
        var inputCode = document.querySelector('#bf_client .vcode').value;
        if (inputCode.length <= 0) {
            alert("Please enter the verification code!");
            return false;
        } else if (inputCode != code) {
            alert("Input error in verification code!");
            createCode(); // refresh the verification code
            return false;
        }
        else {
            return true;
        }
    }

    createCode();
</script>

From the validate() method we can see that the verification code is generated in the front end and checked in the front end as well. If the check fails on submission, the POST request is simply never sent; the server itself never checks the code.

So the cracking method is the same as in [1. Form-based brute-force cracking].

3.2. Detailed steps

Refer to 1. Form-based brute-force cracking.

4. Token anti-brute-force

4.1. Ideas

First enter any username and password on the page, click the submit button, look at the request parameters, and notice that the parameters include a token.

Refresh the page, right-click: View page source, search for the keyword "Please Enter Your Information", and observe that the form contains an input tag with type=hidden whose value is a string of digits. The value changes every time the page is refreshed.

Next, as in [2. Verification code bypass (on server)], use Burp Suite to capture the packet and use Repeater to replay the request, checking whether the token is validated on the server side and whether it is cleared after validation. It turns out that the server does validate the token, and that a correct token is also cleared after use: it cannot be reused and must be obtained afresh for every request.
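To make the two server-side behaviours concrete (the captcha in 2.1 that is validated but never cleared, and the token here that is consumed after each check), the following Python simulation is an added example, not code from the original article or from the pikachu lab; the LoginServer class, the session store and the admin/123456 credential are all constructed for the example. The single-use token is also why a client has to reload the form before every attempt.

```python
import secrets
import string

USERS = {"admin": "123456"}   # constructed demo credential store


class LoginServer:
    def __init__(self, clear_captcha, require_token):
        self.clear_captcha = clear_captcha   # False reproduces the 2.1 defect
        self.require_token = require_token   # True models the hidden token of 4.1
        self.sessions = {}                   # session id -> {"captcha": ..., "token": ...}

    def render_form(self, sid):
        """GET of the login page: issue a fresh captcha and a fresh hidden token."""
        s = self.sessions.setdefault(sid, {})
        s["captcha"] = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(5))
        s["token"] = secrets.token_hex(16)
        return s["captcha"], s["token"]

    def login(self, sid, username, password, captcha, token):
        """POST handler; returns (success, reason)."""
        s = self.sessions.get(sid, {})
        if self.require_token:
            # Compare, then consume: every POST needs the token from the previous response.
            if not token or not secrets.compare_digest(token, s.get("token") or ""):
                return False, "bad token"
            s["token"] = None
        if not captcha or captcha != s.get("captcha"):
            return False, "bad captcha"
        if self.clear_captcha:
            s["captcha"] = None              # fix for 2.1: one captcha, one attempt
        ok = USERS.get(username) == password
        return ok, "ok" if ok else "bad credentials"


def demo():
    # Lab 2 behaviour: the captcha is checked server-side but never cleared,
    # so one captured captcha value stays valid for every password guess.
    weak = LoginServer(clear_captcha=False, require_token=False)
    cap, _ = weak.render_form("s1")
    reused = [weak.login("s1", "admin", pw, cap, None)[1] for pw in ("111", "222", "123456")]
    # Hardened behaviour: captcha and token are both single-use, so a replayed
    # pair is rejected and the client must reload the form before every attempt.
    strong = LoginServer(clear_captcha=True, require_token=True)
    cap, tok = strong.render_form("s2")
    first = strong.login("s2", "admin", "111", cap, tok)[1]
    replay = strong.login("s2", "admin", "123456", cap, tok)[1]
    return reused, first, replay
```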

4.2. Submit page input information

4.3. BurpSuite sends Repeater

Refer to step 2.3, BurpSuite sends Repeater.

4.4. BurpSuite sends Intruder

Right-click on the request intercepted by Burp Suite and select Send to Intruder. In the Positions tab under Intruder, clear the default payload positions, then mark the positions again and choose the attack type.

Attack type: Pitchfork. Assuming the username is already known, mark the password and token parameters as the payload positions.

4.4.1. Set payload

Set the password dictionary: in the Payloads tab, for the first payload set select the same password dictionary as in the earlier low-level lab;
for the second payload set select Recursive grep, and paste the token value obtained earlier into the box below it as the initial value.

4.4.2. Set Options: Grep-Extract (regex extraction)

In the Options tab, tick Grep-Extract and click Add to add an extraction rule.
Click Refetch response to load the response, find the token in the response body, highlight the token value so Burp generates the extraction expression, and click OK.

4.4.3. Set Options: Redirections

Set Follow redirections to Always, so that the redirected response is fetched and the token for the next request can be extracted from it dynamically.

4.4.4. Set up Resource Pool

Note: the number of concurrent requests (threads) must be set to 1, because each request's token has to be extracted from the previous response before the next request is sent.

4.6. Attack and analyze the results

4.7. Web login verification

Note: turn off the Burp proxy in Firefox and log in with the password cracked in the previous step; the login succeeds, confirming the result.

3. Resources

The Burp Suite tool was provided earlier. If you need it, follow my official account "Elephant is only for you" and reply [BP Installation] to obtain it.

For setting up the shooting range environment, please refer to “Shooting Range Environment Construction [XP, pikachu, dvwa, sqli-labs]”.