PHP代码审计-Brute Force-dvwa靶场

low

<?php
	if(isset($_GET['login'])){
		$user=$_GET['username'];
		$pass=$_GET['password'];
		$pass=md5($pass);
		echo $user."<br>",$pass."<br>";
		//链接数据库
		$con = mysqli_connect("localhost","root","root","code");
		if($con){
			$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
			$result = mysqli_query($con,$query) or  die(mysql_error());
			if($result && mysqli_num_rows( $result ) >= 1){
				echo "success";
			}else {
				echo "false";
			}
		// $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
		//or 前世true,不执行后,为什么要判断object			
		}
		else{

			echo "数据库链接失败";
		}

		if(!mysqli_close($con)){
			echo mysqli_connect_error();
		}

	}
?>

medium

<?php
	if(isset($_GET['login'])){
		$con = mysqli_connect("localhost","root","root","code");
		$user = mysqli_real_escape_string($con,$_GET['username']);
		$pass = $_GET['password'];
		$pass=md5($pass);
		$pass = mysqli_real_escape_string($con,$pass);
		echo $user."<br>",$pass."<br>";
		//链接数据库
		if($con){
			$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
			$result = mysqli_query($con,$query) or  die(mysql_error());
			if($result && mysqli_num_rows( $result ) >= 1){
				echo "success";
			}else {
				echo "false";
			}
		// $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
		//or 前世true,不执行后,为什么要判断object			
		}
		else{

			echo "数据库链接失败";
		}

		if(!mysqli_close($con)){
			echo mysqli_connect_error();
		}

	}
?>

high

<?php
@session_start();
if(isset($_GET['login'])){
	if($_GET['token'] == $_SESSION['token']){
		unset($_SESSION['token']);
		echo '合法提交';
	}else{
		echo '非法提交';
	}
	$con = mysqli_connect("localhost","root","root","code");
	$user = mysqli_real_escape_string($con,$_GET['username']);
	$pass = $_GET['password'];
	$pass=md5($pass);
	echo $pass;
	$pass = mysqli_real_escape_string($con,$pass);
	//echo $user."<br>",$pass."<br>";
	//链接数据库
	if($con){
		$query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
		$result = mysqli_query($con,$query) or  die(mysql_error());
		if($result && mysqli_num_rows( $result ) >= 1){
			echo "success";
		}else{
			echo "false";
		}
	// $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
	//or 前世true,不执行后,为什么要判断object			
	}
	else{
		echo "数据库链接失败";
	}

	if(!mysqli_close($con)){
		echo mysqli_connect_error();
	}
	}
$token = md5(getrandcode());
$_SESSION['token'] = $token;
function getrandcode(){
	return md5(time()."#$@%!^*".rand(100000,999999));
}
?>

brute

<?php
//自己修改要test的demo
include 'xxx.php'
?>
<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>form</title>
</head>
<body>
<form action='brute-high.php' method='GET'>
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="login" value="login">
<input type="hidden" name="token" value="<?php echo $token;?>"/>
</form>
</body>
</html>

PHP知识点

mysqli_connect()
mysql_error()
mysqli_num_rows()
mysqli_fetch_assoc()
mysqli_real_escape_string() 转义字符串中的特殊字符
mysqli_query()执行SQL语句
stripslashes() 函数删除反斜杠

数据库字段插入数据
insert into users value(2,'123',"202cb962ac59075b964b07152d234b70");

参考链接

PHP基于Token的身份验证的方法

posted @ 2021-01-25 15:22  renblog  阅读(182)  评论(0编辑  收藏  举报