概述
Cross Site Request Forgery简称“CSRF”,中文名为跨站请求伪造。在CSRF的攻击场景中攻击者会伪造一个请求(这个请求一般是一个链接),然后欺骗目标用户进行点击,用户一旦点击了这个请求,整个攻击也就完成了。所以CSRF攻击也被称为"one click"攻击。
Low级别
源代码:
<?php if( isset( $_GET[ 'Change' ] ) ) { // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); // Feedback for the user echo "<pre>Password Changed.</pre>"; } else { // Issue with passwords matching echo "<pre>Passwords did not match.</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?>
可以看到源代码中,后台服务器收到修改密码的请求后,会去检查password_new和password_conf的参数是否相同,如果相同,则会修改密码成功。这里并没有做任何的防CSRF机制。
可以看到,每次我们修改密码成功后,浏览器的URL都会显示出来,我们可以利用这个漏洞,通过修改用户的密码后构造成一个链接,把链接发送给目标用户。目标用户点击链接后,他的密码就会被修改为链接中的密码
http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#
可以看到,用户点击链接后,就会跳转到DVWA页面,显示密码修改成功。
很多人会说这个链接那么明显,不会有人点击,确实,所以我们可以通过短链接的形式来隐藏URL,一点击这个短链接就会跳转到URL的指定页面
http://suo.im/67SSid
但可以发现,每次点击链接后,都会跳转到指定的页面,页面都会显示Password Changed.(密码修改成功),这会很容易让受害者知道自己受到了攻击,所以这种方法并不好用。
我们可以通过构造一个HTML页面去模拟真实的攻击场景,诱导用户点击从而对其攻击
<html> <body> <img src="http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=admin&password_conf=admin&Change=Change#" border="0" style="display:none;"/> <h1>404</h1> <h2>file not found.</h2> </body> </html>
当用户点击这个HTML文件后,页面不会跳转到DVWA页面,但实际上用户已经被SCRF攻击了
Medium级别
在dvwa靶场中使用low级别的方法,在浏览器URL修改,页面显示That request didn't look correct.,说明low级别的方法在这里不行了
源代码:
<?php if( isset( $_GET[ 'Change' ] ) ) { // Checks to see where the request came from if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) { // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); // Feedback for the user echo "<pre>Password Changed.</pre>"; } else { // Issue with passwords matching echo "<pre>Passwords did not match.</pre>"; } } else { // Didn't come from a trusted source echo "<pre>That request didn't look correct.</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } ?>
从上图的红框中可以看到,后台的服务器会去检查HTTP_REFERER函数是否包含SERVER_NAME(host参数、主机名等),用此方法来抵御CSRF攻击
使用burp suite来抓包,发送到Repeater模块
因为后台服务器检查的是HTTP_REFERER函数是否包含SERVER_NAME,所以我们可以把抓包中的referer的参数改为host的参数
提交后,显示密码修改成功
High级别
源代码:
<?php if( isset( $_GET[ 'Change' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Do the passwords match? if( $pass_new == $pass_conf ) { // They do! $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update the database $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' ); // Feedback for the user echo "<pre>Password Changed.</pre>"; } else { // Issue with passwords matching echo "<pre>Passwords did not match.</pre>"; } ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); } // Generate Anti-CSRF token generateSessionToken(); ?>
从源代码中,可以看到high级别增加了Anti-CSRF token机制,后台会随机生成一个token参数,每次用户提交改密时,后台都会优先检查token参数是否正确,然后才会去处理用户的请求,这样子很大程度上抵御了CSRF攻击。
因为high级别需要token去认证,然而实力还是菜鸟级别,还不懂的怎样去获取token值,所以只能另辟蹊径来绕过token。
每次我们抓包的时候,都可以看到cookie的参数,而每次dvwa靶场更换级别时,cookie的参数会随着去改变,我们可以通过改变cookie的参数来绕过token!
仔细观察抓到的包里面的内容,cookie里的PHPSESSID参数其实都是一样的,而security的值会随着dvwa靶场的级别而去改变,我们可以把security的值改为low,从而去绕过token。
保持burp suite的抓包状态,在dvwa靶场的CSRF页面中修改密码,然后打开bp,把抓到的包发送到Repeater模块
把Cookie里面的security的值修改为low,也可以修改password_new和password_conf的值
提交后,可以看到绕过token,密码修改成功
Impossible级别
源代码:
<?php if( isset( $_GET[ 'Change' ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); // Get input $pass_curr = $_GET[ 'password_current' ]; $pass_new = $_GET[ 'password_new' ]; $pass_conf = $_GET[ 'password_conf' ]; // Sanitise current password input $pass_curr = stripslashes( $pass_curr ); $pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_curr = md5( $pass_curr ); // Check that the current password is correct $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); $data->execute(); // Do both new passwords match and does the current password match the user? if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) { // It does! $pass_new = stripslashes( $pass_new ); $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); $pass_new = md5( $pass_new ); // Update database with new password $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' ); $data->bindParam( ':password', $pass_new, PDO::PARAM_STR ); $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); $data->execute(); // Feedback for the user echo "<pre>Password Changed.</pre>"; } else { // Issue with passwords matching echo "<pre>Passwords did not match or current password incorrect.</pre>"; } } // Generate Anti-CSRF token generateSessionToken(); ?>
可以看到Impossible级别的源代码中,不仅使用Anti-CSRF token机制,还使用了PDO技术来防御SQL注入,关键是还要求用户输入原始密码(很nice),攻击者在不知道原始密码的情况下,无论如何都无法进行CSRF攻击!