我是在dvwa(Damn Vulnerable Web App)上学到的这些东西,我把dvwa安装在了我的免费空间上,有兴趣的可以看看。DVWA
想要用户名和密码的可以联系我:sq371426@163.com
dvwa 用的验证是google提供的,详情见google CAPCTHE
这里所谓的不安全的验证码机制是指对前台获得的验证码在后台验证不够全面引起的安全问题,呵呵,这里比较绕口是吧
下面我们来看一下不安全的代码吧 <?php if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) { $hide_form = true; $user = $_POST['username']; $pass_new = $_POST['password_new']; $pass_conf = $_POST['password_conf']; $resp = recaptcha_check_answer ($_DVWA['recaptcha_private_key'], $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); if (!$resp->is_valid) { // What happens when the CAPTCHA was entered incorrectly echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; $hide_form = false; return; } else { if (($pass_new == $pass_conf)){ echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>"; echo " <form action=\"#\" method=\"POST\"> <input type=\"hidden\" name=\"step\" value=\"2\" /> <input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" /> <input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" /> <input type=\"submit\" name=\"Change\" value=\"Change\" /> </form>"; } else{ echo "<pre> Both passwords must match </pre>"; $hide_form = false; } } } if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) ) { $hide_form = true; if ($pass_new != $pass_conf) { echo "<pre><br />Both passwords must match</pre>"; $hide_form = false; return; } $pass = md5($pass_new); if (($pass_new == $pass_conf)){ $pass_new = mysql_real_escape_string($pass_new); $pass_new = md5($pass_new); $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); echo "<pre> Password Changed </pre>"; mysql_close(); } else{ echo "<pre> Passwords did not match. </pre>"; } } ?>
也许初学者都会这样的代码,但是自习看一看,这段代码存在一个致命的 漏洞 ——虽然在第一步对验证码进行了验证,但是在第二部分却没有对验证码的有效性进行验证。
下面这段代码修复了这个漏洞
<?php if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) { $hide_form = true; $user = $_POST['username']; $pass_new = $_POST['password_new']; $pass_conf = $_POST['password_conf']; $resp = recaptcha_check_answer($_DVWA['recaptcha_private_key'], $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); if (!$resp->is_valid) { // What happens when the CAPTCHA was entered incorrectly echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; $hide_form = false; return; } else { if (($pass_new == $pass_conf)){ echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>"; echo " <form action=\"#\" method=\"POST\"> <input type=\"hidden\" name=\"step\" value=\"2\" /> <input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" /> <input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" /> <input type=\"hidden\" name=\"passed_captcha\" value=\"true\" /> <input type=\"submit\" name=\"Change\" value=\"Change\" /> </form>"; } else{ echo "<pre> Both passwords must match </pre>"; $hide_form = false; } } } if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) ) { $hide_form = true; if (!$_POST['passed_captcha']) { echo "<pre><br />You have not passed the CAPTCHA. Bad hacker, no doughnut.</pre>"; $hide_form = false; return; } $pass = md5($pass_new); if (($pass_new == $pass_conf)){ $pass_new = mysql _real_escape_string($pass_new); $pass_new = md5($pass_new); $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); echo "<pre> Password Changed </pre>"; mysql_close(); } else{ echo "<pre> Passwords did not match. </pre>"; } } ?> 到这里这段代码算是比较安全的了,但是仔细想想还是觉得这段代码哪里不对劲,是否过于冗余了呢。
下面我们来看精简安全的代码
<?php if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) { $hide_form = true; <!--DVFMTSC-->$pass_new = $_POST['password_new']; $pass_new = stripslashes( $pass_new ); $pass_new = mysql_real_escape_string( $pass_new ); $pass_new = md5( $pass_new ); <!--DVFMTSC-->$pass_conf = $_POST['password_conf']; <!--DVFMTSC-->$pass_conf = stripslashes( $pass_conf ); $pass_conf = mysql_real_escape_string( $pass_conf ); $pass_conf = md5( $pass_conf ); $resp = recaptcha_check_answer ($_DVWA['recaptcha_private_key'], $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); if (!$resp->is_valid) { // What happens when the CAPTCHA was entered incorrectly echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; $hide_form = false; return; } else { // Check that the current password is correct $qry = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';"; $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>' ); if (($pass_new == $pass_conf) && ( $result && mysql_num_rows( $result ) == 1 )){ $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); echo "<pre> Password Changed </pre>"; mysql_close(); } else{ echo "<pre> Either your current password is incorrect or the new passwords did not match. Please try again. </pre>"; } } } ?>
查看更多关于web常见攻击四 –不安全的验证码机制(Insecure的详细内容...