prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );$data->bindParam( ':user', $user, PDO。「黑客工具」Web渗透测试-DVWA的暴力破解操作( 三 )。" />

江苏龙网

  1. 主页 > 生活百科 > >

「黑客工具」Web渗透测试-DVWA的暴力破解操作( 三 )

DVWA

< $timeout ) {$account_locked = true;// print "The account is locked
";}}// Check the database (if username matches the password)$data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );$data->bindParam( ':user', $user, PDO::PARAM_STR);$data->bindParam( ':password', $pass, PDO::PARAM_STR );$data->execute();$row = $data->fetch();// If its a valid login...if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) {// Get users details$avatar = $row[ 'avatar' ];$failed_login = $row[ 'failed_login' ];$last_login = $row[ 'last_login' ];// Login successfulecho "

Welcome to the password protected area {$user}

";echo "「黑客工具」Web渗透测试-DVWA的暴力破解操作";// Had the account been locked out since last login?if( $failed_login >= $total_failed_login ) {echo "

Warning: Someone might of been brute forcing your account.

";echo "

Number of login attempts: {$failed_login}.
Last login attempt was at: ${last_login}.

";}// Reset bad login count$data = $db->prepare( 'UPDATE users SET failed_login = "0" WHERE user = (:user) LIMIT 1;' );$data->bindParam( ':user', $user, PDO::PARAM_STR );$data->execute();} else {// Login failedsleep( rand( 2, 4 ) );// Give the user some feedbackecho "

Username and/or password incorrect.

Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.
";// Update bad login count$data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' );$data->bindParam( ':user', $user, PDO::PARAM_STR );$data->execute();}// Set the last login time$data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' );$data->bindParam( ':user', $user, PDO::PARAM_STR );$data->execute(); }// Generate Anti-CSRF token generateSessionToken();?>当输入错误3次,锁定15分钟的可靠方式防止了爆破,同时采用PDO(PHP Data Object,PHP数据对象)机制更为安全,不会在本地对SQL进行拼接 。当调用prepare()时,将SQL模板传给MySQL Server,传过去的是占位符“?”,不包含用户数据,当调用execute()时,用户的变量值才传递到MySQL Server,分开传递,阻止了SQL语句被破坏而执行恶意代码 。
转自:https://blog.csdn.net/lujie_1996/article/details/79054656




推荐阅读


上一篇:岁月中的茶

下一篇:选择对的茶