
Common Web Attacks, Part 4: Insecure CAPTCHA Mechanism (Insecure CAPTCHA)

2014-03-10 02:40
 
I learned all of this from DVWA (Damn Vulnerable Web App). I have installed DVWA on my free hosting space; take a look if you are interested. DVWA
 
If you want the username and password, you can contact me: sq371426@163.com
 
The CAPTCHA that DVWA uses is provided by Google (reCAPTCHA); for details see Google reCAPTCHA.
 
The "insecure CAPTCHA mechanism" discussed here refers to security problems that arise when the back end does not fully validate the CAPTCHA obtained from the front end. Heh, a bit of a mouthful, isn't it?
 
Let's look at the insecure code first.


```php
<?php

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) {

    $hide_form = true;
    $user      = $_POST['username'];
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];

    // Step 1 is the only place the CAPTCHA is checked
    $resp = recaptcha_check_answer( $_DVWA['recaptcha_private_key'],
                                    $_SERVER["REMOTE_ADDR"],
                                    $_POST["recaptcha_challenge_field"],
                                    $_POST["recaptcha_response_field"] );

    if (!$resp->is_valid) {
        // What happens when the CAPTCHA was entered incorrectly
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    } else {
        if (($pass_new == $pass_conf)){
            echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
            echo "
            <form action=\"#\" method=\"POST\">
                <input type=\"hidden\" name=\"step\" value=\"2\" />
                <input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" />
                <input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" />
                <input type=\"submit\" name=\"Change\" value=\"Change\" />
            </form>";
        }
        else{
            echo "<pre> Both passwords must match </pre>";
            $hide_form = false;
        }
    }
}

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) )
{
    $hide_form = true;
    // Values carried over from the step-1 form; nothing here proves step 1 ever ran
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];

    if ($pass_new != $pass_conf)
    {
        echo "<pre><br />Both passwords must match</pre>";
        $hide_form = false;
        return;
    }
    $pass = md5($pass_new);
    if (($pass_new == $pass_conf)){
        $pass_new = mysql_real_escape_string($pass_new);
        $pass_new = md5($pass_new);

        $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );

        echo "<pre> Password Changed </pre>";
        mysql_close();
    }
    else{
        echo "<pre> Passwords did not match. </pre>";
    }
}

?>
```



 

Perhaps every beginner writes code like this, but look closely: it contains a fatal vulnerability. Although the CAPTCHA is verified in step 1, step 2 never checks whether the CAPTCHA was actually passed.
 
The following code fixes this vulnerability.
 

```php
<?php
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) {

    $hide_form = true;
    $user      = $_POST['username'];
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];

    $resp = recaptcha_check_answer( $_DVWA['recaptcha_private_key'],
                                    $_SERVER["REMOTE_ADDR"],
                                    $_POST["recaptcha_challenge_field"],
                                    $_POST["recaptcha_response_field"] );

    if (!$resp->is_valid) {
        // What happens when the CAPTCHA was entered incorrectly
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    } else {
        if (($pass_new == $pass_conf)){
            echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
            // The extra hidden field passed_captcha records that step 1 succeeded
            echo "
            <form action=\"#\" method=\"POST\">
                <input type=\"hidden\" name=\"step\" value=\"2\" />
                <input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" />
                <input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" />
                <input type=\"hidden\" name=\"passed_captcha\" value=\"true\" />
                <input type=\"submit\" name=\"Change\" value=\"Change\" />
            </form>";
        }
        else{
            echo "<pre> Both passwords must match </pre>";
            $hide_form = false;
        }
    }
}

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) )
{
    $hide_form = true;
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];

    // Step 2 now refuses to continue unless the step-1 form set passed_captcha
    if (!$_POST['passed_captcha'])
    {
        echo "<pre><br />You have not passed the CAPTCHA. Bad hacker, no doughnut.</pre>";
        $hide_form = false;
        return;
    }
    $pass = md5($pass_new);
    if (($pass_new == $pass_conf)){
        $pass_new = mysql_real_escape_string($pass_new);
        $pass_new = md5($pass_new);

        $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );

        echo "<pre> Password Changed </pre>";
        mysql_close();
    }
    else{
        echo "<pre> Passwords did not match. </pre>";
    }
}
?>
```



At this point the code can be considered fairly secure, but thinking it over, something about it still feels off. Isn't it too redundant?
 
Below is the streamlined, secure version of the code.


```php
<?php
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) {

    $hide_form = true;

    // Current password, hashed the same way as the stored one so it can be compared
    $pass_curr = $_POST['password_current'];
    $pass_curr = stripslashes( $pass_curr );
    $pass_curr = mysql_real_escape_string( $pass_curr );
    $pass_curr = md5( $pass_curr );

    $pass_new = $_POST['password_new'];
    $pass_new = stripslashes( $pass_new );
    $pass_new = mysql_real_escape_string( $pass_new );
    $pass_new = md5( $pass_new );

    $pass_conf = $_POST['password_conf'];
    $pass_conf = stripslashes( $pass_conf );
    $pass_conf = mysql_real_escape_string( $pass_conf );
    $pass_conf = md5( $pass_conf );

    // CAPTCHA, current password and new password are all checked in this one request
    $resp = recaptcha_check_answer( $_DVWA['recaptcha_private_key'],
                                    $_SERVER["REMOTE_ADDR"],
                                    $_POST["recaptcha_challenge_field"],
                                    $_POST["recaptcha_response_field"] );

    if (!$resp->is_valid) {
        // What happens when the CAPTCHA was entered incorrectly
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    } else {
        // Check that the current password is correct (the query hard-codes user 'admin' as written)
        $qry = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';";
        $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>' );

        if (($pass_new == $pass_conf) && ( $result && mysql_num_rows( $result ) == 1 )){
            $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
            $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );

            echo "<pre> Password Changed </pre>";
            mysql_close();
        }
        else{
            echo "<pre> Either your current password is incorrect or the new passwords did not match. Please try again. </pre>";
        }
    }
}
?>
```
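The second version above reads `passed_captcha` from the POST body, so step 2 trusts a value the client sets; the third version sidesteps that by doing everything in one request. If a two-step flow is wanted, the server has to remember the CAPTCHA result itself, as in this added example (not DVWA's or the author's code), where a `$session` array stands in for `$_SESSION` and a `$captcha_ok` callable stands in for `recaptcha_check_answer()`.

```php
<?php
// Added example, not DVWA's code: a two-step password change whose "CAPTCHA
// passed" state lives on the server. $session stands in for $_SESSION and
// $captcha_ok for recaptcha_check_answer(), so this runs from the CLI with no DB.

function step_one(array $post, array &$session, callable $captcha_ok): string
{
    if (!$captcha_ok($post['recaptcha_challenge_field'] ?? '',
                     $post['recaptcha_response_field'] ?? '')) {
        unset($session['captcha_passed_at']);
        return 'captcha_failed';
    }
    if (($post['password_new'] ?? '') !== ($post['password_conf'] ?? '')) {
        return 'mismatch';
    }
    // Remember the success server-side; nothing about it is sent to the client.
    $session['captcha_passed_at'] = time();
    return 'confirm';
}

function step_two(array $post, array &$session, int $max_age = 300): string
{
    // Only the server-side flag counts. A hidden field such as
    // passed_captcha=true in $post is ignored because the client controls it.
    $passed_at = $session['captcha_passed_at'] ?? null;
    unset($session['captcha_passed_at']); // single use: consume the flag
    if ($passed_at === null || time() - $passed_at > $max_age) {
        return 'captcha_required';
    }
    if (($post['password_new'] ?? '') !== ($post['password_conf'] ?? '')) {
        return 'mismatch';
    }
    // A real handler would now update the password for dvwaCurrentUser().
    return 'changed';
}

// Constructed demo: a verifier accepting one fixed answer, one request that
// jumps straight to step 2 with the hidden field set, then an honest sequence.
$captcha_ok = fn(string $challenge, string $response): bool => $response === 'correct';
$session = [];
$pw = ['password_new' => 'N3wPass', 'password_conf' => 'N3wPass'];

echo step_two($pw + ['passed_captcha' => 'true'], $session), "\n"; // no step 1 ran
echo step_one($pw + ['recaptcha_challenge_field' => 'c',
                     'recaptcha_response_field' => 'correct'], $session, $captcha_ok), "\n";
echo step_two($pw, $session), "\n";
echo step_two($pw, $session), "\n"; // the flag was consumed by the previous call
```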

 


Source: www.2cto.com/Article/201403/284296.html
