DVWA靶场——CSRF(跨站请求伪造)

概述

Cross Site Request Forgery简称“CSRF”,中文名为跨站请求伪造。在CSRF的攻击场景中攻击者会伪造一个请求(这个请求一般是一个链接),然后欺骗目标用户进行点击,用户一旦点击了这个请求,整个攻击也就完成了。所以CSRF攻击也被称为"one click"攻击

Low级别

源代码:

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?> 

 可以看到源代码中,后台服务器收到修改密码的请求后,会去检查password_newpassword_conf的参数是否相同,如果相同,则会修改密码成功。这里并没有做任何的防CSRF机制

可以看到,每次我们修改密码成功后,浏览器的URL都会显示出来,我们可以利用这个漏洞,通过修改用户的密码后构造成一个链接,把链接发送给目标用户。目标用户点击链接后,他的密码就会被修改为链接中的密码

http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#

可以看到,用户点击链接后,就会跳转到DVWA页面,显示密码修改成功。

很多人会说这个链接那么明显,不会有人点击,确实,所以我们可以通过短链接的形式来隐藏URL,一点击这个短链接就会跳转到URL的指定页面

http://suo.im/67SSid

但可以发现,每次点击链接后,都会跳转到指定的页面,页面都会显示Password Changed.密码修改成功),这会很容易让受害者知道自己受到了攻击,所以这种方法并不好用。

 我们可以通过构造一个HTML页面去模拟真实的攻击场景,诱导用户点击从而对其攻击

<html>
<body>
    <img src="http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=admin&password_conf=admin&Change=Change#"
border="0" style="display:none;"/>
<h1>404</h1>
    <h2>file not found.</h2>

</body>
</html>

当用户点击这个HTML文件后,页面不会跳转到DVWA页面,但实际上用户已经被SCRF攻击了

Medium级别

在dvwa靶场中使用low级别的方法,在浏览器URL修改,页面显示That request didn't look correct.,说明low级别的方法在这里不行了

源代码:

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Checks to see where the request came from
    if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
        // Get input
        $pass_new  = $_GET[ 'password_new' ];
        $pass_conf = $_GET[ 'password_conf' ];

        // Do the passwords match?
        if( $pass_new == $pass_conf ) {
            // They do!
            $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
            $pass_new = md5( $pass_new );

            // Update the database
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Feedback for the user
            echo "<pre>Password Changed.</pre>";
        }
        else {
            // Issue with passwords matching
            echo "<pre>Passwords did not match.</pre>";
        }
    }
    else {
        // Didn't come from a trusted source
        echo "<pre>That request didn't look correct.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?> 

从上图的红框中可以看到,后台的服务器会去检查HTTP_REFERER函数是否包含SERVER_NAME(host参数、主机名等),用此方法来抵御CSRF攻击

使用burp suite来抓包,发送到Repeater模块

因为后台服务器检查的是HTTP_REFERER函数是否包含SERVER_NAME,所以我们可以把抓包中的referer的参数改为host的参数

提交后,显示密码修改成功

High级别

源代码:

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update the database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

// Generate Anti-CSRF token
generateSessionToken();

?>

从源代码中,可以看到high级别增加了Anti-CSRF token机制,后台会随机生成一个token参数,每次用户提交改密时,后台都会优先检查token参数是否正确,然后才会去处理用户的请求,这样子很大程度上抵御了CSRF攻击。

因为high级别需要token去认证,然而实力还是菜鸟级别,还不懂的怎样去获取token值,所以只能另辟蹊径来绕过token

每次我们抓包的时候,都可以看到cookie的参数,而每次dvwa靶场更换级别时,cookie的参数会随着去改变,我们可以通过改变cookie的参数来绕过token

仔细观察抓到的包里面的内容,cookie里的PHPSESSID参数其实都是一样的,而security的值会随着dvwa靶场的级别而去改变,我们可以把security的值改为low,从而去绕过token

保持burp suite的抓包状态,在dvwa靶场的CSRF页面中修改密码,然后打开bp,把抓到的包发送到Repeater模块

Cookie里面的security的值修改为low,也可以修改password_newpassword_conf的值

 提交后,可以看到绕过token,密码修改成功

Impossible级别

源代码:

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $pass_curr = $_GET[ 'password_current' ];
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Sanitise current password input
    $pass_curr = stripslashes( $pass_curr );
    $pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_curr = md5( $pass_curr );

    // Check that the current password is correct
    $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
    $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
    $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
    $data->execute();

    // Do both new passwords match and does the current password match the user?
    if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) {
        // It does!
        $pass_new = stripslashes( $pass_new );
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update database with new password
        $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
        $data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
        $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
        $data->execute();

        // Feedback for the user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        echo "<pre>Passwords did not match or current password incorrect.</pre>";
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?> 

可以看到Impossible级别的源代码中,不仅使用Anti-CSRF token机制,还使用了PDO技术来防御SQL注入,关键是还要求用户输入原始密码(很nice),攻击者在不知道原始密码的情况下,无论如何都无法进行CSRF攻击!

posted on 2020-08-16 19:26  青日GO(*/ω\*)  阅读(361)  评论(0编辑  收藏  举报