Form based brute force cracking

Briefly introduce the methods of violent cracking

Range environment: pikachu
The post login box for form based cracking generally does not have a verification code, and the login box for mobile phone number verification can be brutally cracked

We enter admin: admin at the front of the web page and find an error

username or password is not exists~

Capture packets

When the attack type is changed to cluster bomb type, you can perform cross blasting of two values at the same time. Add the location of username password and then add payload
Then click on the fourth options window

In options, in grep_match
After the front clear is removed, paste the reminder statement that just reminded us of the wrong password, because sometimes our dictionary is very large, and it is difficult to observe the length one by one, grep_matc can quickly help us return records with different information from your add information

The verification code bypasses the on server verification

Verification code can be used to prevent malicious registration, prevent brute force cracking, and common problems of server-side verification code
The verification code does not expire in the background, so it can be used for a long time
The validation of the verification code is not strict, and the logic is a problem
The verification code is set too simply or logically, which is easy to be guessed

Verification code generating component logic
When we refresh the page, we will send a request to the background. After receiving the request, the background will generate a verification code and save the verification code in the session

1. We can test the verification code
If you log in directly, you will be reminded that the user name cannot be empty
2. Enter the user and password and directly login will display the verification code, which cannot be empty
3. Enter the user name and password verification code normally, and the correct page will prompt:
username or password is not exists~
In other words, all conditions must be met and the verification code is correct before we can pass the detection
Directly use burp to capture packets for testing

You can see that the user name, password and verification code have been passed

Re enter a set of user names and passwords here

Remind us that the correct verification code is just the wrong user or password
We changed the user name and password. go found that we did not remind the user of the error of the verification code, but of the error of the user name and password
This proves that the verification code is valid for a long time, and we can send it directly to the intruder module
The subsequent settings are the same as above

It can be seen that we have sent a blasting on the basis of bypassing the verification code
It can be seen that the user is admin and the password is 123456
The above is the verification of the verification code on the server side

Critical code bypass on client

js validation on the client side is easier to bypass
When we look at the source code, we can find a section of js code

 var code; //Define verification codes globally
    function createCode() {
        code = "";
        var codeLength = 5;//Length of verification code
        var checkCode = document.getElementById("checkCode");
        var selectChar = new Array(0, 1, 2, 3, 4, 5, 6, 7, 8, 9,'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z');//Of course, all the candidate characters that make up the verification code can also be in Chinese
for (var i = 0; i < codeLength; i++) {
            var charIndex = Math.floor(Math.random() * 36);
            code += selectChar[charIndex];
        if (checkCode) {
            checkCode.className = "code";
            checkCode.value = code;
function validate() {
        var inputCode = document.querySelector('#bf_client .vcode').value;
        if (inputCode.length <= 0) {
            alert("Please enter the verification code!");
            return false;
        } else if (inputCode != code) {
            alert("Verification code input error!");
            createCode();//Refresh verification code
            return false;
        else {
            return true;

It is found that the verification code generated by javascript and verification are used
When you use burP to capture packets, if you find that the front-end input verification code is wrong, you will be reminded that it is the front-end verification

It can be seen that the data we sent did not prompt us that the verification code was wrong, but that the account password was wrong, so we can still enter the user name or password is not exists

After setting, the blasting can be carried out. It can't explode at one time. The reason is not clear. Try twice more and it will come out

Check this option when blasting

The location of the feature must be added

Simple sharing, big man, don't spray

Tags: Cyber Security

Posted on Mon, 29 Nov 2021 11:54:17 -0500 by mahenderp