Dvwa教程之跨站伪造请求(三)

 

 

Dvwa教程之跨站伪造请求(三)_第1张图片

 

 

 

Low CSRF Source

php

if( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' ); // Feedback for the user echo "
Password Changed.
"; } else { // Issue with passwords matching echo "
Passwords did not match.
"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); }

 

 可以看到,服务器收到修改密码的请求后,会检查参数password_newpassword_conf是否相同,如果相同,就会修改密码,并没有任何的防CSRF机制

直接利用

http://192.168.0.115/dvwa-master/vulnerabilities/csrf/?password_new=aaa&password_conf=aaa&Change=Change#

诱导受害者直接点击这个连接就可以修改密码

Medium CSRF Source

 1 php
 2 
 3 if( isset( $_GET[ 'Change' ] ) ) {
 4     // Checks to see where the request came from
 5     if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
 6         // Get input
 7         $pass_new  = $_GET[ 'password_new' ];
 8         $pass_conf = $_GET[ 'password_conf' ];
 9 
10         // Do the passwords match?
11         if( $pass_new == $pass_conf ) {
12             // They do!
13             $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
14             $pass_new = md5( $pass_new );
15 
16             // Update the database
17             $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
18             $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' ); 19 20 // Feedback for the user 21 echo "
Password Changed.
"; 22 } 23 else { 24 // Issue with passwords matching 25 echo "
Passwords did not match.
"; 26 } 27 } 28 else { 29 // Didn't come from a trusted source 30 echo "
That request didn't look correct.
"; 31 } 32 33 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); 34 } 35 36 ?>

Medium 级别的代码加入了来源检查

设置了来源检查

用burp查看数据包

多了一个字段Referer, 服务端代码中会去对比这个字段判断一下来源,

可以直接在burp直接添加这个字段就可以修改成功

Dvwa教程之跨站伪造请求(三)_第2张图片

 

 

 

 

 

High CSRF Source

' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' ); // Feedback for the user echo "
Password Changed.
"; } else { // Issue with passwords matching echo "
Passwords did not match.
"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } // Generate Anti-CSRF token generateSessionToken(); ?>

 

 

 

可以看到,High级别的代码加入了Anti-CSRF token机制,用户每次访问改密页面时,服务器会返回一个随机的token,向服务器发起请求时,需要提交token参数,而服务器在收到请求时,会优先检查token,只有token正确,才会处理客户端的请求。
漏洞利用
由于跨域是不能实现的,所以我们要将攻击代码注入到目标服务器localhost中,才有可能完成攻击。所以单纯从CSRF未能突破High级别。

Impossible CSRF Source

Dvwa教程之跨站伪造请求(三)_第3张图片

 

 可以看到,Impossible级别的代码利用PDO技术防御SQL注入,至于防护CSRF,则要求用户输入原始密码(简单粗暴),攻击者在不知道原始密码的情况下,无论如何都无法进行CSRF攻击。

 

你可能感兴趣的:(Dvwa教程之跨站伪造请求(三))