【DVWA】19. Insecure CAPTCHA 不安全的验证码（全等级）

1. Low

1) 源码分析

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key'],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "

The CAPTCHA was incorrect. Please try again.
";
        $hide_form = false;
        return;
    }
    else {
        // CAPTCHA was correct. Do both new passwords match?
        if( $pass_new == $pass_conf ) {
            // Show next stage for the user
            echo "
                

You passed the CAPTCHA! Click the button to confirm your changes.

                

                    
                    {$pass_new}\" />
                    {$pass_conf}\" />
                    
                
";
        }
        else {
            // Both new passwords do not match.
            $html     .= "
Both passwords must match.
";
            $hide_form = false;
        }
    }
}

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check to see if both password match
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' );

        // Feedback for the end user
        echo "
Password Changed.
";
    }
    else {
        // Issue with the passwords matching
        echo "
Passwords did not match.
";
        $hide_form = false;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

1. 首先，代码检查是否有名为"Change"的POST参数，并且"step"参数的值为1。这意味着该代码是用于处理提交更改密码表单的第一步请求。

2. 代码将变量$hide_form设置为true。这个变量用于控制是否隐藏验证码表单。

3. 代码获取输入的新密码和确认密码，并进行比较。如果两个密码不匹配，代码将输出一条错误消息，并将$hide_form设置为false，以便显示密码更改表单供用户重新尝试。

4. 如果两个密码匹配，代码将调用recaptcha_check_answer函数来验证第三方提供的验证码。这里假设存在一个名为$_DVWA[‘recaptcha_private_key’]的变量用于存储私钥，并且用户在表单中提供了名为g-recaptcha-response的验证码响应。

5. 如果验证码验证失败（即!$resp），代码会输出一条错误消息，并将$hide_form设置为false，以便显示验证码表单供用户重新尝试。

6. 如果验证码验证成功，代码将显示下一步的表单给用户确认密码更改。这个表单包含了一个隐藏的step字段，值为2，以及新密码和确认密码的隐藏字段。

7. 如果用户点击了确认更改的按钮，代码将进行第二步的处理。

8. 在第二步中，代码再次将变量$hide_form设置为true。

9. 代码获取输入的新密码和确认密码，并进行比较。如果两个密码不匹配，代码将输出一条错误消息，并将$hide_form设置为false，以便显示密码更改表单供用户重新尝试。

10. 如果两个密码匹配，代码将对新密码进行MySQL转义和md5哈希处理，并将密码更新到数据库中。

11. 如果密码更改成功，代码将输出一条成功的消息。

12. 如果两个密码不匹配，代码将输出一条失败的消息，并将$hide_form设置为false，以便显示密码更改表单供用户重新尝试。

可以在代码中看出，修改密码时对验证码的验证仅仅是验证了step的值是否为2

2）实操

由于本地环境配置的原因，此处验证码没有显示，但是我们本来就是要绕过验证码，因此不用管这里

若不做任何操作，会显示验证码错误

随后我们重新输入密码并进行抓包，得到的数据包如下

可以看到最后一行step=1，那这样的话肯定过不了验证码验证
于是我们发送到repeater中将step修改为2重新发包

可以看到密码修改成功

2. Medium

1) 源码分析

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "

The CAPTCHA was incorrect. Please try again.
";
        $hide_form = false;
        return;
    }
    else {
        // CAPTCHA was correct. Do both new passwords match?
        if( $pass_new == $pass_conf ) {
            // Show next stage for the user
            echo "
                

You passed the CAPTCHA! Click the button to confirm your changes.

                

                    
                    {$pass_new}\" />
                    {$pass_conf}\" />
                    
                    
                
";
        }
        else {
            // Both new passwords do not match.
            $html     .= "
Both passwords must match.
";
            $hide_form = false;
        }
    }
}

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check to see if they did stage 1
    if( !$_POST[ 'passed_captcha' ] ) {
        $html     .= "

You have not passed the CAPTCHA.
";
        $hide_form = false;
        return;
    }

    // Check to see if both password match
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' );

        // Feedback for the end user
        echo "
Password Changed.
";
    }
    else {
        // Issue with the passwords matching
        echo "
Passwords did not match.
";
        $hide_form = false;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

与Low相比多了一步验证，加了对参数passed_captcha的检查，如果为true，则认为已经通过了验证码检查

2）实操

可以尝试加上这个字段passed_captcha=true绕过，成功

3. High

1) 源码分析

if( isset( $_POST[ 'Change' ] ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    if (
        $resp || 
        (
            $_POST[ 'g-recaptcha-response' ] == 'hidd3n_valu3'
            && $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA'
        )
    ){
        // CAPTCHA was correct. Do both new passwords match?
        if ($pass_new == $pass_conf) {
            $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
            $pass_new = md5( $pass_new );

            // Update database
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '
' );

            // Feedback for user
            echo "
Password Changed.
";

        } else {
            // Ops. Password mismatch
            $html     .= "
Both passwords must match.
";
            $hide_form = false;
        }

    } else {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "

The CAPTCHA was incorrect. Please try again.
";
        $hide_form = false;
        return;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

// Generate Anti-CSRF token
generateSessionToken();

?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

只要g-recaptcha-response和请求头的HTTP_USER_AGENT是符合约定的就行

2）实操

抓包直接改成这两个值就行g-recaptcha-response=hidd3n_valu3，HTTP_USER_AGENT=reCAPTCHA
修改g-recaptcha-response参数以及User-Agent

4. Impossible

1) 源码分析

if( isset( $_POST[ 'Change' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_new  = stripslashes( $pass_new );
    $pass_new  = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_new  = md5( $pass_new );

    $pass_conf = $_POST[ 'password_conf' ];
    $pass_conf = stripslashes( $pass_conf );
    $pass_conf = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_conf ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_conf = md5( $pass_conf );

    $pass_curr = $_POST[ 'password_current' ];
    $pass_curr = stripslashes( $pass_curr );
    $pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_curr = md5( $pass_curr );

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        echo "

The CAPTCHA was incorrect. Please try again.
";
        $hide_form = false;
    }
    else {
        // Check that the current password is correct
        $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
        $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
        $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
        $data->execute();

        // Do both new password match and was the current password correct?
        if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) {
            // Update the database
            $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
            $data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
            $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
            $data->execute();

            // Feedback for the end user - success!
            echo "
Password Changed.
";
        }
        else {
            // Feedback for the end user - failed!
            echo "
Either your current password is incorrect or the new passwords did not match.
Please try again.
";
            $hide_form = false;
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

首先，代码检查是否有名为"Change"的POST参数。这意味着该代码是用于处理提交更改密码表单的请求。

然后，代码调用checkToken函数来验证防跨站请求伪造（Anti-CSRF）令牌。checkToken函数接受三个参数：${}_{R}EQUEST{[}^{\prime }use{r}_{t}oke{n}^{\prime }]，$_SESSION[‘session_token’]和’index.php’。这里的目的是确保提交的请求是合法的，并且用户已经通过先前的身份验证。

代码将变量$hide_form设置为true。这个变量用于控制是否隐藏验证码表单。

代码获取输入的新密码，并对其进行处理。它首先从$_POST[‘password_new’]获取密码，然后使用stripslashes函数去除可能的反斜杠转义，接着使用mysqli_real_escape_string函数对密码进行MySQL转义，最后使用md5函数进行哈希处理。

代码获取确认密码，并对其进行与新密码相同的处理过程。

代码获取当前密码，并对其进行与新密码相同的处理过程。

代码调用recaptcha_check_answer函数来验证第三方提供的验证码。这里假设存在一个名为$_DVWA[‘recaptcha_private_key’]的变量用于存储私钥，并且用户在表单中提供了名为g-recaptcha-response的验证码响应。

如果验证码验证失败（即!$resp），代码会输出一条错误消息，并将$hide_form设置为false，以便显示验证码表单供用户重新尝试。

如果验证码验证成功，代码将查询数据库以验证当前密码是否正确。它使用准备好的语句来选择users表中与当前用户和当前密码匹配的记录。如果查询返回一行结果（即$data->rowCount() == 1），则表示当前密码正确。

如果新密码与确认密码匹配并且当前密码正确，代码将更新数据库中的密码。它使用准备好的语句将新密码更新到与当前用户匹配的记录中。

如果密码更改成功，代码将输出一条成功的消息。

如果新密码与确认密码不匹配或当前密码不正确，代码将输出一条失败的消息，并将$hide_form设置为false，以便显示密码更改表单供用户重新尝试。

最后，代码调用generateSessionToken函数生成一个新的防跨站请求伪造（Anti-CSRF）令牌，以便在下一次请求中使用。