DVWA之弱會話IDs（Weak Session IDs）弱會話IDs（Weak Session IDs）Security Level: lowSecurity Level: mediumSecurity Level: highSecurity Level: impossible

2023-06-23 02:22:58

弱會話IDs（Weak Session IDs）

Security Level: low

源碼

<?php

$html = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (!isset ($_SESSION['last_session_id'])) {
        $_SESSION['last_session_id'] = 0;
    }
    $_SESSION['last_session_id']++;
    $cookie_value = $_SESSION['last_session_id'];
    setcookie("dvwaSession", $cookie_value);
}
?>

分析

，清楚一下浏覽器的cookie值，送出後發現直接登入dvwa，繞過密碼驗證：

進行下方的實驗

DVWA之弱會話IDs（Weak Session IDs）弱會話IDs（Weak Session IDs）Security Level: lowSecurity Level: mediumSecurity Level: highSecurity Level: impossible

Security Level: medium

源碼

<?php

$html = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $cookie_value = time();
    setcookie("dvwaSession", $cookie_value);
}
?>

分析

通過設定時間戳，可知誘騙受害者在某個時間點基進行點選

進行下方實驗

DVWA之弱會話IDs（Weak Session IDs）弱會話IDs（Weak Session IDs）Security Level: lowSecurity Level: mediumSecurity Level: highSecurity Level: impossible

可以僞造登陸時間了

DVWA之弱會話IDs（Weak Session IDs）弱會話IDs（Weak Session IDs）Security Level: lowSecurity Level: mediumSecurity Level: highSecurity Level: impossible

Security Level: high

源碼

<?php

$html = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (!isset ($_SESSION['last_session_id_high'])) {
        $_SESSION['last_session_id_high'] = 0;
    }
    $_SESSION['last_session_id_high']++;
    $cookie_value = md5($_SESSION['last_session_id_high']);
    setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], false, false);
}

?>

進行下方實驗

DVWA之弱會話IDs（Weak Session IDs）弱會話IDs（Weak Session IDs）Security Level: lowSecurity Level: mediumSecurity Level: highSecurity Level: impossible

這看着好像md5

DVWA之弱會話IDs（Weak Session IDs）弱會話IDs（Weak Session IDs）Security Level: lowSecurity Level: mediumSecurity Level: highSecurity Level: impossible

下面步驟同low

Security Level: impossible

源碼

<?php

$html = "";

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $cookie_value = sha1(mt_rand() . time() . "Impossible");
    setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], true, true);
}
?>

分析

采用随機數+時間戳+固定字元串"Impossible"，再進行sha1運算

DVWA之弱會話IDs（Weak Session IDs）弱會話IDs（Weak Session IDs）Security Level: lowSecurity Level: mediumSecurity Level: highSecurity Level: impossible

弱會話IDs（Weak Session IDs）

Security Level: low

Security Level: medium

Security Level: high

Security Level: impossible

繼續閱讀

DVWA-XSS(Reflected)Vulnerability: Reflected Cross Site Scripting (XSS)

Reflected Cross Site Scripting (XSS)前言LowMediumHighImpossible

DVWA的使用5–XSS（Reflected）（反射型跨站腳本）

【DVWA】Session ID 介紹

dvwa之Weak Session IDs

DVWA學習暴力破解low級别

DVWA--檔案上傳漏洞

DVWA之CSRF攻擊（Low&medium&High）

DVWA靶機-File Upload（檔案上傳漏洞）一

Web篇(6.3) 12. 檔案包含 ❀ FortiWeb 攻防演練

DVWA -SQL Injection (low)

【fairy】DVWA sql注入——等級：low

DVWA之指令注入（Command Injection）指令注入（Command Injection）Security Level: lowSecurity Level: mediumSecurity Level: highSecurity Level: impossible

linux centos6.5 搭建自己的滲透測試練習環境Damn Vulnerable Web Application

【滲透測試-web安全】DVWA-CSRF一、登入DVWA、設定安全級别為Low、進入CSRF二、CSRF構造解析三、防範與破解進階