CISP-PTE Log Analysis 1

Contents

I. Penetration preparation

1. Open the lab

2. Start the challenge

3. Analyze the log

(1) Analysis by IP address

(2) Analysis by 200 response code

II. Brute force

1. Open adminlogin.php in Firefox

2. Set BP Intercept to On

3. Enter the username and password and log in

4. Capture the request in BP and send it to Intruder

5. Configure Intruder positions

6. Configure the Intruder payload and start the attack

7. Analyze the attack results

8. Log in with the correct password


This article walks through the complete hands-on penetration process for the log-analysis challenge of the CTF-PTE lab. By analyzing the lab's log file it shows a full penetration-testing workflow. First, the attacker's behaviour is analysed by the IP address 172.16.12.12, revealing a large volume of directory scanning and 404 responses; then, by filtering on 200 responses, brute-force attempts against adminlogin.php are found. In the hands-on part, Burp Suite is used to brute-force the login page, finally obtaining the administrator credentials (admin/please) and the flag. The whole case demonstrates how log analysis and tooling work together to complete a penetration test, covering the key steps of information gathering, log analysis and brute forcing.

I. Penetration preparation

1. Open the lab

Open the lab. The page says: "The administrator has been troubled lately: he found that his server was compromised, but does not know why. Can you help him? The administrator saved the logs and did a rough analysis; two IPs attacked the server, and the attacker's IP appears to be 172.16.12.12. Log download address: access.log in the current directory", as shown below.

2. Start the challenge

Click "Start", which leads to the log download page shown below.

http://d82d1369.clsadp.com/access.log

3. Analyze the log

(1) Analysis by IP address

Following the IP address hinted at on the challenge page (172.16.12.12), search the log for the keyword 172.16.12.12. The matches are shown below: dozens of requests per second for common admin, backup and numbered paths, almost all answered with 404 (or 400 for the ../ traversal attempts), which is the signature of an automated directory scanner.

172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /nothisexistpage.html HTTP/1.1" 404 296 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /robots.txt HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /guadmin/login.asp HTTP/1.1" 404 293 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /!admin!/ HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /%23sql.asp HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /%23sql.aspx HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /%23sql.php HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /../admin HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /houtai HTTP/1.1" 404 282 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /../admin.asp HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /../admin.aspx HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /../admin.php HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:55 +0800] "GET /../admin/default HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/default.asp HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/default.aspx HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/default.php HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/index HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/index.asp HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/index.aspx HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/index.php HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/login HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/login.asp HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/login.aspx HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/login.php HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/manage HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/manage.asp HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/manage.aspx HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /../admin/manage.php HTTP/1.1" 400 304 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:56 +0800] "GET /admin/login.asp HTTP/1.1" 404 291 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /admin/login.aspx HTTP/1.1" 404 292 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /admin/login.php HTTP/1.1" 404 291 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /szwyadmin/login.asp HTTP/1.1" 404 295 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /szwyadmin/login.aspx HTTP/1.1" 404 296 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /szwyadmin/login.php HTTP/1.1" 404 295 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /_Admin HTTP/1.1" 404 282 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /_admin.asp HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /_admin.aspx HTTP/1.1" 404 287 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /_admin.php HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /_Admin/ HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /_database/ HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /1.asa HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /1.asp HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /1.aspx HTTP/1.1" 404 282 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /1.php HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:57 +0800] "GET /1.rar HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /1.txt HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11.asa HTTP/1.1" 404 282 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11.asp HTTP/1.1" 404 282 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11.aspx HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11.php HTTP/1.1" 404 282 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11.rar HTTP/1.1" 404 282 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11/ HTTP/1.1" 404 279 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /111.asa HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /111.asp HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /111.aspx HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /111.php HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /111.rar HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /111/ HTTP/1.1" 404 280 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11111/ HTTP/1.1" 404 282 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11111/index.asp HTTP/1.1" 404 291 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:58 +0800] "GET /11111/index.aspx HTTP/1.1" 404 292 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /11111/index.php HTTP/1.1" 404 291 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /115cn.asp HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /115cn.aspx HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /115cn.php HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /123.asa HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /123.asp HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /123.aspx HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /123.php HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /123.rar HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /123.txt HTTP/1.1" 404 283 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /123/ HTTP/1.1" 404 280 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /1234.asa HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /1234.asp HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /1234.aspx HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /1234.php HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:32:59 +0800] "GET /1234.rar HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /12345.asa HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /12345.asp HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /12345.aspx HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /12345.php HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /12345.rar HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /123456.asa HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /123456.asp HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /123456.aspx HTTP/1.1" 404 287 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /123456.php HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /123456.rar HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /12912.asp HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /12912.aspx HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /12912.php HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /1ndex.asp HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /1ndex.aspx HTTP/1.1" 404 286 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:00 +0800] "GET /1ndex.php HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2.txt HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2/ HTTP/1.1" 404 278 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2001/ HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2002/ HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2003/ HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2004/ HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2005/ HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2005kycj/ HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2006.asp HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2006.aspx HTTP/1.1" 404 285 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2006.php HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2006/ HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2007/ HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2008/ HTTP/1.1" 404 281 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /2088shop HTTP/1.1" 404 284 "-" "-"
172.16.12.12 - - [31/Oct/2017:15:33:01 +0800] "GET /22.asa HTTP/1.1" 404 282 "-" "-"
......

(2) Analysis by 200 response code

Next, search for log entries with response code 200. As shown below, there is a huge number of POST /adminlogin.php requests, which suggests a brute-force attack on the login page. The repeated POSTs, many within the same second and all returning a 200 response of identical size (1893 bytes, i.e. the login form served again after a failed attempt), are characteristic of a credential-guessing tool rather than a human user.

172.16.12.12 - - [31/Oct/2017:15:45:20 +0800] "GET /adminlogin.php HTTP/1.1" 200 1888 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:45:20 +0800] "GET /css/normalize.css HTTP/1.1" 200 7546 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:45:20 +0800] "GET /css/grid.css HTTP/1.1" 200 14433 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:45:21 +0800] "GET /css/style.css HTTP/1.1" 200 51433 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:45:21 +0800] "GET /css/jquery-ui.js HTTP/1.1" 200 153706 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:45:21 +0800] "GET /css/jquery.js HTTP/1.1" 200 247165 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:45:21 +0800] "GET /css/typecho.js HTTP/1.1" 200 40629 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:45:21 +0800] "GET /img/typecho-logo.svg HTTP/1.1" 404 296 "http://172.16.12.11:84/css/style.css" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:45:28 +0800] "POST /login.php HTTP/1.1" 404 285 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:46:43 +0800] "GET /adminlogin.php HTTP/1.1" 200 1893 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:46:50 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:46:50 +0800] "GET /img/typecho-logo.svg HTTP/1.1" 404 296 "http://172.16.12.11:84/css/style.css" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:42 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
172.16.12.12 - - [31/Oct/2017:15:47:43 +0800] "POST /adminlogin.php HTTP/1.1" 200 1893 "http://172.16.12.11:84/adminlogin.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
......
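As an added example that is not part of the original post, the following Python script automates the two manual searches above. It parses combined-format access log lines like the ones shown, flags IPs that produce a burst of 400/404 responses (the directory-scan signature from step (1)), and flags IPs that POST to the login page many times within a short window (the brute-force signature from step (2)). The sample lines are constructed here, modelled on the page's excerpt rather than copied from the real access.log; the thresholds, the window size and the path /adminlogin.php are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format, as in the access.log excerpts on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped rather than aborting the run."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_scanners(entries, min_errors=20):
    """Per-IP count of 400/404 responses. A large count from one client is the
    directory-scan signature seen in step (1): guessed admin/backup paths that do not exist."""
    errors = defaultdict(int)
    for e in entries:
        if e["status"] in (400, 404):
            errors[e["ip"]] += 1
    return {ip: n for ip, n in errors.items() if n >= min_errors}


def find_login_bursts(entries, path="/adminlogin.php", window=10, min_posts=5):
    """Per-IP maximum number of POSTs to `path` inside any `window`-second span.
    Many POSTs to a login page per second is the brute-force signature seen in step (2)."""
    posts = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == path:
            posts[e["ip"]].append(e["time"])
    hits = {}
    for ip, times in posts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_posts:
            hits[ip] = best
    return hits


def analyze(text, min_errors=20, min_posts=5):
    """Run both detections over raw log text and return the flagged IPs."""
    entries = parse_log(text)
    return {
        "scanners": find_scanners(entries, min_errors),
        "login_bursts": find_login_bursts(entries, min_posts=min_posts),
    }


# --- Constructed sample log, modelled on the page's excerpt (not the real access.log) ---
def _line(ip, ts, method, path, status, size, referer="-", ua="-"):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "{referer}" "{ua}"'


_SCAN_PATHS = ["/robots.txt", "/admin/login.php", "/_admin.asp", "/1.php", "/123.asp", "/houtai"]
SAMPLE_LINES = [_line("172.16.12.12", "31/Oct/2017:15:32:55 +0800", "GET", p, 404, 286)
                for p in _SCAN_PATHS]
# twelve login POSTs from the scanning IP within two seconds
SAMPLE_LINES += [_line("172.16.12.12", f"31/Oct/2017:15:47:4{2 + i % 2} +0800", "POST",
                       "/adminlogin.php", 200, 1893, "http://172.16.12.11:84/adminlogin.php",
                       "Mozilla/5.0") for i in range(12)]
# an ordinary visitor: a few page views and a single login attempt
SAMPLE_LINES += [_line("172.16.12.20", f"31/Oct/2017:16:01:0{i} +0800", "GET", "/index.php", 200, 5120)
                 for i in range(3)]
SAMPLE_LINES.append(_line("172.16.12.20", "31/Oct/2017:16:01:05 +0800", "POST", "/adminlogin.php", 200, 1893))
SAMPLE_LINES.append("this line is deliberately malformed and must be skipped")
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    # Low threshold for the tiny sample; on a real log the default of 20 is more sensible.
    print(analyze(SAMPLE_LOG, min_errors=5))
```

On the sample, the scanning IP is reported under both detections while the ordinary visitor, who also sent one POST to the login page, is not. The same two counters are what a rate-limit or account-lockout rule on the login handler would key on; the lab's login page returns the same 1893-byte form for every failure with no throttling, which is why the attack in the second part of this article is cheap.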

II. Brute force

1. Open adminlogin.php in Firefox

http://d82d1369.clsadp.com/adminlogin.php

Open adminlogin.php in Firefox. Make sure Burp Suite is started and the browser's proxy points at Burp Suite. As shown below, this brings up the login page, consistent with our log analysis: it is a login form without a CAPTCHA, so next we brute-force it.

2. Set BP Intercept to On

With Firefox's proxy configured to point at Burp Suite, start BP and set Intercept to On, as shown below.

3. Enter the username and password and log in

Enter admin as the username and an arbitrary password, mooyuan, then click Login, as shown below.

4. Capture the request in BP and send it to Intruder

After clicking Login in the browser, the request is captured by BP as shown below; right-click it and send it to Intruder.

After sending it to Intruder, click Clear so that the payload position count in the bottom-left corner is 0, as shown below.

5. Configure Intruder positions

Select the value mooyuan of the password field and add it as a payload position, as shown below.

6. Configure the Intruder payload and start the attack

For the payload, choose the password dictionary top1000.txt; once configured, click Start attack.

7. Analyze the attack results

When the attack finishes, the great majority of responses have a length of 2246, as shown below.

Look at the length of each result and sort by it: one response has a length different from all the others, which means the server answered that request differently from the failed attempts. Click that request, as shown below.

8. Log in with the correct password

Log in with username admin and password please, as shown below.

After clicking Login, we reach the page showing the flag, as shown below.
