弱会话 on 知识带给我们自由 https://yuexuan521.github.io/zh/tags/%E5%BC%B1%E4%BC%9A%E8%AF%9D/ Recent content in 弱会话 on 知识带给我们自由 知识带给我们自由 https://yuexuan521.github.io/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://yuexuan521.github.io/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.160.1 en-us See this site&rsquo;s source code here, licensed under GPLv3 · Sat, 21 Sep 2024 12:25:16 +0000 网络安全 DVWA通关指南 DVWA Weak Session IDs(弱会话) https://yuexuan521.github.io/zh/posts/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8-dvwa%E9%80%9A%E5%85%B3%E6%8C%87%E5%8D%97-dvwa-weak-session-ids%E5%BC%B1%E4%BC%9A%E8%AF%9D/ Sat, 21 Sep 2024 12:25:16 +0000 https://yuexuan521.github.io/zh/posts/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8-dvwa%E9%80%9A%E5%85%B3%E6%8C%87%E5%8D%97-dvwa-weak-session-ids%E5%BC%B1%E4%BC%9A%E8%AF%9D/ <h2 id="dvwa-weaksessionids弱会话">DVWA WeakSessionIDs(弱会话)</h2> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="https://cdn.jsdelivr.net/gh/yuexuan521/image/20251225165536613.jpeg"> <img src="https://cdn.jsdelivr.net/gh/yuexuan521/image/20251225165536613.jpeg" alt="在这里插入图片描述" loading="lazy" /> </a> </div></p> <hr> <p>参考文献</p> <ul> <li><a href="https://www.cnblogs.com/linfangnan/p/13994655.html#dvwa-%E9%9D%B6%E5%9C%BA"target="_blank" rel="noopener noreferrer">WEB 安全靶场通关指南</a></li> </ul> <hr> <h3 id="low-level">Low Level</h3> <p>1、分析网页源代码</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="o">&lt;?</span><span class="nx">php</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$html</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">&#39;REQUEST_METHOD&#39;</span><span class="p">]</span> <span class="o">==</span> <span class="s2">&#34;POST&#34;</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">isset</span> <span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">&#39;last_session_id&#39;</span><span class="p">]))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">&#39;last_session_id&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">&#39;last_session_id&#39;</span><span class="p">]</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$cookie_value</span> <span class="o">=</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">&#39;last_session_id&#39;</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="nx">setcookie</span><span class="p">(</span><span class="s2">&#34;dvwaSession&#34;</span><span class="p">,</span> <span class="nv">$cookie_value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="cp">?&gt;</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Low级别的cookie生成方式:如果 $cookie_value不存在就设为0,存在则$ cookie_value加1,最后以dvwaSession=$cookie_value呈现。</p> DVWA WeakSessionIDs(弱会话)

在这里插入图片描述

参考文献

Low Level

1、分析网页源代码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

<?php

$html = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (!isset ($_SESSION['last_session_id'])) {
       $_SESSION['last_session_id'] = 0;
    }
    $_SESSION['last_session_id']++;
    $cookie_value = $_SESSION['last_session_id'];
    setcookie("dvwaSession", $cookie_value);
}
?>

Low级别的cookie生成方式:如果 $cookie_value不存在就设为0,存在则$ cookie_value加1,最后以dvwaSession=$cookie_value呈现。

2、使用BurpSuite抓包,如下:

image-20240517140744204

每重放一次,dvwaSession值加1。

image-20240517141306684

image-20240517142357483

构造Payload:

1

dvwaSession=4; PHPSESSID=i2p425277d67521jah1hpkh3hr; security=low

使用火狐浏览器的hackbarV2,粘贴URL和cookie,提交(Execute),实现免密码登录。

image-20240517142320371

Medium Level

1、分析网页源代码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

<?php

$html = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $cookie_value = time();
    //time() 函数返回自 Unix 纪元(January 1 1970 00:00:00 GMT)起的当前时间的秒数。
    setcookie("dvwaSession", $cookie_value);
}
?>

Medium Level的cookie值由时间戳生成。抓包如下:

image-20240517143656163

image-20240517143721534

2、获取对应时间的时间戳,拼接到cookie中提交,即可登录成功

image-20240517144322688

image-20240517144204048

High Level

1、分析网页源代码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

<?php

$html = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (!isset ($_SESSION['last_session_id_high'])) {
       $_SESSION['last_session_id_high'] = 0;
    }
    $_SESSION['last_session_id_high']++;
    $cookie_value = md5($_SESSION['last_session_id_high']);
    setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], false, false);
}

?>

cookie值的初始生成与Low level一致,对cookie值进行MD5加密后作为cookie值。抓包如下:

image-20240517145842879

image-20240517145810334

2、将从0增加的整数进行MD5加密,MD5值作为cookie值,构造Payload提交:

1

dvwaSession=cfcd208495d565ef66e7dff9f98764da; dvwaSession=1715928053; PHPSESSID=26ks0v1tpvqsu15da00mn3i2cq; security=high

image-20240517150947017

我的是新的页面,所以cookie值为0

image-20240517151113764

Impossible Level

1
2
3
4
5
6
7
8
9

<?php

$html = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $cookie_value = sha1(mt_rand() . time() . "Impossible");
    setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], true, true);
}
?>
]]>