Brute-forcing Basic authentication with Burp Suite 2016-12-07

Many people do not know how to use Burp Suite to brute-force Basic authentication. I ran into it at work recently, so this is a good moment to write it up, and above all to share it with those who have not seen it before.

Basic authentication

Some people may not know what Basic authentication is, but I am sure you have run into it in practice, for example the login prompt of Tomcat's manager application:


A Basic authentication request differs from the usual POST and GET login requests; it looks like this:

GET /manager/html HTTP/1.1
Host: www.xxx.com
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic YWRtaW46MTIzNDU2
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4,ko;q=0.2
Cookie: JSESSIONID=xxxxxxxxx;

The Authorization line is the part that actually carries the credential:

Authorization: Basic YWRtaW46MTIzNDU2

As you can see, the credential is encoded before it is sent, and the value is prefixed with the word Basic.

The encoding is base64 (an encoding, not encryption, so it is trivially reversible):


Decoded, the format is:

username:password

This authentication scheme has stumped quite a few people, and several have asked me about it, so today is a good time to write a post explaining it.
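To show the same header format from the defender's side, here is an added example (not code from the original post): it decodes the Authorization value described above, handling malformed headers and passwords that contain ':', and then counts failed Basic attempts per client IP over a few constructed access-log lines. The log layout, the IP addresses and the threshold of 3 are assumptions made for this example.

```python
import base64
import binascii
import re
from collections import Counter
# Constructed sample access-log lines (not real traffic): client IP, request line, status, Authorization header.
SAMPLE_LOG = """\
10.0.0.5 "GET /manager/html HTTP/1.1" 401 "Basic YWRtaW46MTIzNDU2"
10.0.0.5 "GET /manager/html HTTP/1.1" 401 "Basic YWRtaW46cGFzc3dvcmQ="
10.0.0.5 "GET /manager/html HTTP/1.1" 401 "Basic dG9tY2F0OnRvbWNhdA=="
10.0.0.5 "GET /manager/html HTTP/1.1" 401 "Basic YWRtaW46YWRtaW4="
10.0.0.9 "GET /manager/html HTTP/1.1" 200 "Basic b3BzOnMzY3IzdDpwdw=="
10.0.0.7 "GET /manager/html HTTP/1.1" 401 "-"
"""
LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$')

def decode_basic(header):
    """(username, password) from an Authorization value, or None if not well-formed Basic.
    Only the first ':' separates the parts: usernames cannot contain ':' but passwords can."""
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def failed_basic_attempts(log_text):
    """Per client IP: count of 401s carrying a decodable Basic credential, plus the usernames
    tried. A 401 with no credential is only the server's initial challenge and is not counted."""
    counts, users = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _req, status, auth = m.groups()
        cred = decode_basic(auth) if status == "401" else None
        if cred:
            counts[ip] += 1
            users.setdefault(ip, set()).add(cred[0])
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items()}

def suspicious_sources(log_text, threshold=3):
    """IPs at or above `threshold` failed attempts (threshold is an illustrative choice)."""
    return {ip: v for ip, v in failed_basic_attempts(log_text).items() if v[0] >= threshold}

if __name__ == "__main__":
    print(decode_basic("Basic YWRtaW46MTIzNDU2"))  # the header quoted in the post
    print(suspicious_sources(SAMPLE_LOG))
```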

Brute-forcing with Burp Suite

If you do not yet know how to run a simple brute-force with Burp Suite, I suggest reading the official documentation first and then coming back to this.

First, send the authenticated request to Intruder and mark the position to attack: select the whole base64 string and click Add §.


Setting up the payload differs slightly from brute-forcing ordinary POST and GET requests: for Payload type choose Custom iterator.


"Custom iterator" means a user-defined iterator. The official documentation describes it in detail; I quote it here:

Custom Iterator

This payload type lets you configure multiple lists of items, and
generate payloads using all permutations of items in the lists. It
provides a powerful way to generate custom permutations of characters
or other items according to a given template. For example, a payroll
application may identify individuals using a personnel number of the
form AB/12; you may need to iterate through all possible personnel
numbers to obtain the details of all individuals.

The custom iterator defines up to 8 different “positions” which are
used to generate permutations. Each position is configured with a list
of items, and an optional “separator” string, which is inserted
between that position and the next. In the example already mentioned,
positions 1 and 2 would be configured with the items A - Z, positions
3 and 4 with the items 0 - 9, and position 2 would be set with the
separator character /. When the attack is executed, the custom
iterator iterates through each item in each position, to cover all
possible permutations. Hence, in this example, the total number of
payloads is equal to 26 * 26 * 10 * 10.

The list items can be edited in the same way as described for the
simple list payload type. The “Clear all” button removes all
configuration from all positions of the custom iterator.

The “Choose a preset scheme” drop-down menu can be used to select a
preconfigured setup for the custom iterator. These can be used for
various standard attacks or modified for customized attacks. Available
schemes are “directory / file . extension”, which can be used to
generate URLs, and “password + digit” which can be used to generate an
extended wordlist for password guessing attacks.

The gist of the documentation is that payloads can be combined flexibly; the example given is composing payloads of the form AB/12.

This happens to fit Basic authentication exactly: replace the / in AB/12 with :, base64-encode the result, and you have a Basic credential.

The Basic authentication format is:

username:password

It consists of three parts:

  1. Username
  2. : (colon)
  3. Password

We configure them one at a time, starting with the first payload list of the custom iterator, which holds the usernames:


Here I used the Load function to load some usernames from a file; you can also add them by hand. That completes the first payload list.

The second list has a single value, the colon, so configure it as follows:


The second list is done.

The third list is set up almost exactly like the first; fill it according to your needs:


With all three lists configured, one last and most important step remains: base64 encoding!


In Payload Processing click Add and add the corresponding encoding rule.

在最后的Payload Encoding中可以選擇是否urlencode加密特殊字符,基礎認證是不需要urlencode的,所以可以取消掉這個對號。


最后點擊Start Attack開始攻擊即可!


Brute-forcing Basic authentication with Burp Suite: bingo!!

This is only a small extension of the Intruder feature, but it can be applied flexibly in practice.
