WEB brute force–I used the wvs fuzzer-vulnerability warning-the black bar safety net

2008-12-25T00:00:00
ID MYHACK58:62200821626
Type myhack58
Reporter Anonymous
Modified 2008-12-25T00:00:00

Description

Writer: demonalex[at]dark2s[dot]org

When it comes to WEB brute force, everyone thinks of Xiao Rong's 溯雪 (SuXue), but not every WEB cracking job can be handled by 溯雪; don't take this as badmouthing old Rong. Recently, because of work, I came across a network device's WEB portal that needed a WEB crack. Look at the HTML source:

    ...
    <script language=javascript>
    function login_send() {
        var f, p, page, url, option;
        f = document.form_login.forced_in.value;
        u = document.form_login.username.value;
        p = document.form_login.passwd.value;
        pg = document.form_login.page.value;
        url = "atm_login?username="+u+"&passwd="+p+"&forced_in="+f+"&page="+pg;
        option = "toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,favorites=no,resizable=no,left=230,width=520,top=120,height=300";
        window.open(url, '_blank', option);
    }
    </script>
    ...
    <form name='form_login' action='__Javascript:login_send();'>
    <input type='hidden' name='forced_in' value='false'><input type='hidden' name=page value=''><input type='hidden' name='redirect_portal_ip' value=''>
    <tr height=25%><td colspan='2'><img src='images/login-men.gif' width='177' height='22'></td>
    <td width='27%' rowspan='4'><img src='images/l-hand.gif' width='148' height='141'></td></tr>
    <tr height=25%><td width='28%' class='inputlabel'>Username:</td>
    <td width='45%'><input name='username' type='text' value='' style='width:120px' class='inputbox'></td></tr>
    <tr height=25%><td class='inputlabel'>Password:</td>
    <td><input type='password' name='passwd' value='' style='width:120px' class='inputbox'></td></tr>
    <tr height=25%><td> </td>
    <td><input type=image src=images/login-go.gif width='71' height='22'></td></tr>
    </from>
    ...

Here the form action is handed to a local custom JavaScript function, login_send, which completes the submission. Pointing 溯雪 at it gives the following:

[image: 溯雪 result]

It seems to be because of the JavaScript call.... So what now, give up? Actually it is easy: bring up WVS (Acunetix Web Vulnerability Scanner; I believe many comrades have used it. I use version 4.0; the latest is 5.x) and select its HTTP Fuzzer function:

[image: wvs2]

So how do you use it?
The process I have put together is in principle the same as 溯雪, but it may need a deeper understanding of HTTP: define the HTTP request (Request) -> define the brute-force operation parameters (Add generator) -> insert the operation parameters into the request (Insert into request) -> define the characteristics that indicate success (Fuzzer Filters) -> start the scan (Start).

Now the concrete, practical steps. From the target's HTML code you can see that the login process actually POSTs four parameters (two hidden ones, forced_in and page, and two submitted ones, username and passwd) to the page's login_send function, which then submits the authentication data with a GET to the atm_login page. Therefore, before using the wvs fuzzer, we first need to define the HTTP request to be submitted, specifically:

    GET http://xxx.xxx.xxx.xxx/atm_login?username=alex&passwd=demon&forced_in=false&page= HTTP/1.1
    User-Agent: WVS/4.0
    Accept: */*

Next we add the brute-force operation parameters to the HTTP request. Since our present goal is the account (the username field) and the password (the passwd field), we need to define two operation parameters; in this example I will brute-force username and run a dictionary against passwd. Enough talk. First create the brute-force operation parameter for username: click "Add generator" and then "Random string generator", which gives:

[image: wvs3]

In "String length" fill in the length; I chose 5 here. In "Character set" enter the characters that may be needed; I chose the 26 lowercase letters. Tick "Allow repetitions", which allows each character to be used more than once. Then add the dictionary-based operation parameter for the passwd field: click "Add generator" and then "File generator", which gives:

[image: wvs4]

"Filename" is the path of the dictionary file; "Filetype" is the format in which the file's contents are read, which for most text files is Text. The remaining work is to add the two operation parameters to the HTTP request. First select the username value in the request (alex in this example), then select Gen_1 and click the "Insert into request" button, which gives:

[image: wvs5]

In the top right corner you can see that the current number of requests is 11881376; in other words, there are 11881376 combinations. In the same way, use Gen_2 to replace the passwd field value (demon in this example), which gives:

[image: wvs6]

Hey hey, the number of requests is now almost infinite, isn't it?...

The next step is to define the Fuzzer Filter that confirms a "successful login". Click "Fuzzer filters" to enter the filter definition interface. By default only the "200" filter is active; remove the check mark in front of it, then define a filter named success. In this case, if the login succeeds the response should not be the original login page, so it is enough to define a filter that excludes the login page's characteristic content and activate it:

[image: wvs7]

Here, press the "OK" button to confirm the filter settings you just made. Finally, back in the main HTTP Fuzzer interface, click the "Start" button to start the fuzz task; the remaining work is to "sit back and wait" for the fuzz results in the "Results" tab. Hey hey, good luck.
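The login flow above puts username and passwd in the query string of a GET to atm_login, and the author notes that the device answers 200 both for the login page and for a successful login, which is why the "200" filter had to be dropped. As an added example that is not part of the original post, here is Python detection logic for the device's administrators: it runs over constructed access-log lines and flags a source that makes many atm_login requests with distinct credential values, deliberately ignoring the status code for the reason just given. The IPs, timestamps and credential values are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Common Log Format). The /atm_login endpoint and
# its query parameters come from the page; IPs, timestamps and credential values
# are made up. Every line returns 200, as the page observes for this device.
SAMPLE_LOG = """\
10.0.0.9 - - [25/Dec/2008:10:00:01 +0800] "GET /atm_login?username=alex&passwd=demon&forced_in=false&page= HTTP/1.1" 200 1523
10.0.0.5 - - [25/Dec/2008:10:00:02 +0800] "GET /atm_login?username=aaaaa&passwd=123456&forced_in=false&page= HTTP/1.1" 200 1523
10.0.0.5 - - [25/Dec/2008:10:00:02 +0800] "GET /atm_login?username=aaaab&passwd=123456&forced_in=false&page= HTTP/1.1" 200 1523
10.0.0.5 - - [25/Dec/2008:10:00:02 +0800] "GET /atm_login?username=aaaac&passwd=123456&forced_in=false&page= HTTP/1.1" 200 1523
10.0.0.5 - - [25/Dec/2008:10:00:03 +0800] "GET /atm_login?username=aaaad&passwd=123456&forced_in=false&page= HTTP/1.1" 200 1523
10.0.0.5 - - [25/Dec/2008:10:00:03 +0800] "GET /atm_login?username=aaaae&passwd=password&forced_in=false&page= HTTP/1.1" 200 1523
10.0.0.5 - - [25/Dec/2008:10:00:03 +0800] "GET /atm_login?username=aaaaf&passwd=password&forced_in=false&page= HTTP/1.1" 200 1523
10.0.0.5 - - [25/Dec/2008:10:00:04 +0800] "GET /images/login-go.gif HTTP/1.1" 200 1402
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$')

def login_attempts(log_text):
    """Yield (ip, username, passwd, status) for every request to /atm_login.
    Because the device sends credentials in the GET query string, the access log
    holds them in cleartext; they are parsed only to count distinct guesses."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        if url.path != '/atm_login':
            continue
        q = parse_qs(url.query, keep_blank_values=True)
        yield (m['ip'], q.get('username', [''])[0],
               q.get('passwd', [''])[0], int(m['status']))

def flag_bruteforce(log_text, threshold=5):
    """Return {ip: (attempts, distinct_usernames, distinct_passwords)} for each
    source with at least `threshold` attempts. The status code is ignored: the
    login page answers 200 whether or not the guess succeeded."""
    per_ip = defaultdict(lambda: [0, set(), set()])
    for ip, user, pw, _status in login_attempts(log_text):
        rec = per_ip[ip]
        rec[0] += 1
        rec[1].add(user)
        rec[2].add(pw)
    return {ip: (n, len(users), len(pws))
            for ip, (n, users, pws) in per_ip.items() if n >= threshold}
```

Running flag_bruteforce(SAMPLE_LOG) reports only 10.0.0.5 (six attempts, six usernames, two passwords); the single legitimate login from 10.0.0.9 and the image request are not counted.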