[Basic Lab] The CSRF vulnerability in the Web vulnerability demonstration system (DVWA)

LOW LEVEL:
First change the password normally and look at how the URL is built, paying attention to the parameters it carries.
http://10.0.3.9/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change#

Everything the server needs is in the query string of a plain GET request, so an attacker can forge a URL of the same shape with a password of their own choosing.
If the victim can be made to open that URL in their browser (a link, or an <img> tag on a page the attacker controls, is enough), the password is changed, because the browser attaches the victim's DVWA session cookie to the request. The precondition is that the victim still has a live session with the web application.
If the browser has been closed, the session is over and the attack fails: the cookie here is a session cookie, which lives only until the browser exits, rather than a persistent cookie with an expiry date. It is the target site's own cookie; the browser simply sends it along with a request that another site triggered.


MID LEVEL:
At this level the code performs a Referer check, i.e. it looks at where the request claims to come from, by testing whether the Referer header contains 127.0.0.1, the idea being "was this request sent from our own site?".

Referer: http://10.0.3.9/dvwa/vulnerabilities/csrf/

Two caveats. With the lab reached at 10.0.3.9 rather than 127.0.0.1, the Referer above does not contain 127.0.0.1, so even the legitimate form submission fails the check and the handler silently does nothing. And the check is only an unanchored, case-insensitive substring match (eregi), so a Referer such as http://attacker.example/127.0.0.1/csrf.html satisfies it; a request that carries no Referer at all is rejected, so the check also breaks legitimate clients that strip the header.





Postscript: the DVWA source for the three levels.

<?php
#LOW LEVEL
    // Original DVWA code. There is no check on where the request came from
    // and no anti-CSRF token, and the change is made on a GET: any request
    // that carries the victim's session cookie is accepted. (The mysql_*
    // functions used here were removed in PHP 7.)
    if (isset($_GET['Change'])) {
        // Turn requests into variables
        $pass_new = $_GET['password_new'];
        $pass_conf = $_GET['password_conf'];
        if (($pass_new == $pass_conf)){
            $pass_new = mysql_real_escape_string($pass_new);
            $pass_new = md5($pass_new);
            $insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
            $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );
            echo "<pre> Password Changed </pre>";
            mysql_close();
        }
        else{
            echo "<pre> Passwords did not match. </pre>";
        }
    }
?>


<?php
#MID LEVEL
    if (isset($_GET['Change'])) {
        // Checks the http referer header.
        // eregi() is a case-insensitive POSIX regex match (removed in PHP 7).
        // The pattern is unanchored and '.' matches any character, so any
        // Referer that contains 127.0.0.1 (or e.g. 127a0b0c1) passes, wherever
        // it appears in the header. A missing Referer raises a notice, fails
        // the test, and the request is dropped without any output.
        if ( eregi ( "127.0.0.1", $_SERVER['HTTP_REFERER'] ) ){
            // Turn requests into variables
            $pass_new = $_GET['password_new'];
            $pass_conf = $_GET['password_conf'];
            if ($pass_new == $pass_conf){
                $pass_new = mysql_real_escape_string($pass_new);
                $pass_new = md5($pass_new);
                $insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
                $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );
                echo "<pre> Password Changed </pre>";
                mysql_close();
            }
            else{
                echo "<pre> Passwords did not match. </pre>";
            }
        }
    }
?>


<?php
#HIGH LEVEL
    if (isset($_GET['Change'])) {
        // Turn requests into variables.
        // The caller must supply the current password, which a cross-site
        // attacker does not know: that, rather than any Referer test, is what
        // stops the forged request here. The change is still made on a GET.
        $pass_curr = $_GET['password_current'];
        $pass_new = $_GET['password_new'];
        $pass_conf = $_GET['password_conf'];
        // Sanitise current password input
        $pass_curr = stripslashes( $pass_curr );
        $pass_curr = mysql_real_escape_string( $pass_curr );
        $pass_curr = md5( $pass_curr );
        // Check that the current password is correct
        $qry = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';";
        $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>' );
        if (($pass_new == $pass_conf) && ( $result && mysql_num_rows( $result ) == 1 )){
            $pass_new = mysql_real_escape_string($pass_new);
            $pass_new = md5($pass_new);
            $insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
            $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );
            echo "<pre> Password Changed </pre>";
            mysql_close();
        }
        else{
            echo "<pre> Passwords did not match or current password incorrect. </pre>";
        }
    }
?>


