CSRF(Cross—site request forgery),跨站请求伪造,是指利用受害者未失效的身份认证信息(cookie,会话等),诱骗其点击恶意链接或者访问包含攻击代码的页面,在受害人不知情的情况下,以受害者的身份向(身份认证信息所对应的)服务器发送请求,从而完成非法操作(如转账,改密等)。
CSRF属于业务逻辑漏洞,在服务器看来,所有的请求都是合法正常的;
XSS,SQL注入等等都是属于技术漏洞;
XSS:客户信任服务器;
CSRF:服务器信任客户(经过身份认证的);
用户必须登录;
黑客必须懂得一些发包的请求;
服务器端不会有二次认证;
被害者是不知情的;
修改用户信息,如用户头像、发货地址等
个人隐私泄露,机密资料泄露
执行恶意操作,如修改密码,购买商品,转账等(盗用受害者身份,受害者能做什么攻击者就能以受害者身份)
具体操作请看这篇文章pikachu靶场-csrf_pikachu csrf黑名单-CSDN博客
-
- if( isset( $_GET[ 'Change' ] ) ) {
- // Get input
- $pass_new = $_GET[ 'password_new' ];
- $pass_conf = $_GET[ 'password_conf' ];
-
- // Do the passwords match?
- if( $pass_new == $pass_conf ) {
- // They do!
- $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
- $pass_new = md5( $pass_new );
-
- // Update the database
- $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
- $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '
'
. ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); -
- // Feedback for the user
- $html .= "
Password Changed.
"; - }
- else {
- // Issue with passwords matching
- $html .= "
Passwords did not match.
"; - }
-
- ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
- }
-
- ?>
只是对输入的pass_new和pass_conf进行了==比较,没有进行其他的防御,因此,只要用户在cookie还有效的时间内在相同的浏览器访问我们给定的url(该操作是服务器对请求的发送者进行了身份验证,检查cookie),就可以实现CSRF 攻击,最终修改密码。
-
- if( isset( $_GET[ 'Change' ] ) ) {
- // Checks to see where the request came from
- if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
- // Get input
- $pass_new = $_GET[ 'password_new' ];
- $pass_conf = $_GET[ 'password_conf' ];
-
- // Do the passwords match?
- if( $pass_new == $pass_conf ) {
- // They do!
- $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
- $pass_new = md5( $pass_new );
-
- // Update the database
- $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
- $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '
'
. ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); -
- // Feedback for the user
- $html .= "
Password Changed.
"; - }
- else {
- // Issue with passwords matching
- $html .= "
Passwords did not match.
"; - }
- }
- else {
- // Didn't come from a trusted source
- $html .= "
That request didn't look correct.
"; - }
-
- ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
- }
-
- ?>
- 使用$_SERVER['HTTP_REFERER']获取请求的来源页面URL。
- 使用$_SERVER['SERVER_NAME']获取当前服务器的域名。
- 使用stripos()函数(不区分大小写地查找字符串首次出现的位置)来检查请求来源URL是否包含当前服务器的域名。
假如服务器地址为192.168.101.66,即为SERVER_NAME,我们只需要把我们构造的恶意页面文件名改为192.168.101.66.html,HTTP_REFERER就会包含192.168.101.66.html,就可以绕过stripos了。
这个对于本地搭建的DVWA是无效的
-
- $change = false;
- $request_type = "html";
- $return_message = "Request Failed";
-
- if ($_SERVER['REQUEST_METHOD'] == "POST" && array_key_exists ("CONTENT_TYPE", $_SERVER) && $_SERVER['CONTENT_TYPE'] == "application/json") {
- $data = json_decode(file_get_contents('php://input'), true);
- $request_type = "json";
- if (array_key_exists("HTTP_USER_TOKEN", $_SERVER) &&
- array_key_exists("password_new", $data) &&
- array_key_exists("password_conf", $data) &&
- array_key_exists("Change", $data)) {
- $token = $_SERVER['HTTP_USER_TOKEN'];
- $pass_new = $data["password_new"];
- $pass_conf = $data["password_conf"];
- $change = true;
- }
- } else {
- if (array_key_exists("user_token", $_REQUEST) &&
- array_key_exists("password_new", $_REQUEST) &&
- array_key_exists("password_conf", $_REQUEST) &&
- array_key_exists("Change", $_REQUEST)) {
- $token = $_REQUEST["user_token"];
- $pass_new = $_REQUEST["password_new"];
- $pass_conf = $_REQUEST["password_conf"];
- $change = true;
- }
- }
-
- if ($change) {
- // Check Anti-CSRF token
- checkToken( $token, $_SESSION[ 'session_token' ], 'index.php' );
-
- // Do the passwords match?
- if( $pass_new == $pass_conf ) {
- // They do!
- $pass_new = mysqli_real_escape_string ($GLOBALS["___mysqli_ston"], $pass_new);
- $pass_new = md5( $pass_new );
-
- // Update the database
- $insert = "UPDATE `users` SET password = '" . $pass_new . "' WHERE user = '" . dvwaCurrentUser() . "';";
- $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert );
-
- // Feedback for the user
- $return_message = "Password Changed.";
- }
- else {
- // Issue with passwords matching
- $return_message = "Passwords did not match.";
- }
-
- mysqli_close($GLOBALS["___mysqli_ston"]);
-
- if ($request_type == "json") {
- generateSessionToken();
- header ("Content-Type: application/json");
- print json_encode (array("Message" =>$return_message));
- exit;
- } else {
- $html .= "
"
. $return_message . ""; - }
- }
-
- // Generate Anti-CSRF token
- generateSessionToken();
-
- ?>
设置了token限制,它是在每次访问此页面时,会随机生成一个token,当发起服务器请求时服务器会检查它的值。
思路:先获取token的值,再构造链接并诱骗受害者访问。
利用以下payload在反射型xss中获取到token值,不要点确认(否则会重新生成新的token)
- [0].value)">
在 bp抓包中替换掉已经抓到的token即可实现修改密码
-
- if( isset( $_GET[ 'Change' ] ) ) {
- // Check Anti-CSRF token
- checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
-
- // Get input
- $pass_curr = $_GET[ 'password_current' ];
- $pass_new = $_GET[ 'password_new' ];
- $pass_conf = $_GET[ 'password_conf' ];
-
- // Sanitise current password input
- $pass_curr = stripslashes( $pass_curr );
- $pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
- $pass_curr = md5( $pass_curr );
-
- // Check that the current password is correct
- $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
- $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
- $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
- $data->execute();
-
- // Do both new passwords match and does the current password match the user?
- if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) {
- // It does!
- $pass_new = stripslashes( $pass_new );
- $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
- $pass_new = md5( $pass_new );
-
- // Update database with new password
- $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
- $data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
- $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
- $data->execute();
-
- // Feedback for the user
- $html .= "
Password Changed.
"; - }
- else {
- // Issue with passwords matching
- $html .= "
Passwords did not match or current password incorrect.
"; - }
- }
-
- // Generate Anti-CSRF token
- generateSessionToken();
-
- ?>
- 使用token机制
- 使用PDO(PHP 数据对象)来执行数据库查询和准备语句,以防止 SQL 注入攻击。
- 在处理密码更改请求时,首先验证当前用户输入的原始密码是否正确。