Shulou(Shulou.com)06/01 Report--

Having previously analyzed the Brute Force code at the low level, let's take a look at the code at the medium and high levels, respectively.

Medium level Code:

You can clearly see the difference between the medium and low levels, where the variables $user and $pass that are responsible for receiving user parameters are filtered, still using the mysql_real_escape_string () function. In this way, password bypass won't work, but it has no effect on brute force cracking. You can still crack the password quickly with Burpsuite.

Let's take a look at the code at the high level:

The high level still filters the $user and $pass variables first, of course, using the stripslashes () function to clear the escape of magic quotes before filtering. If you take a closer look at the difference from the medium-level code, you will see that a line of code "sleep (3)" has been added to the else part of the if statement, which means that if you enter the password incorrectly, you will have to wait three seconds before you can continue typing. This design is obviously designed to protect against brute force cracking. If you test it in Burpsuite, you can find that the password cracking time has been greatly extended, so that if you set the password a little more complicated, coupled with the appropriate pause time, you can basically effectively prevent brute force cracking.

Of course, the most effective way to defend against brute force cracking is to add CAPTCHA to the login page, although some CAPTCHA can also be broken, but if the CAPTCHA is also set a little more complicated, like the 12306 CAPTCHA that has recently been complained about, then brute force cracking is basically impossible.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.