文章目录
- 1. Low
- 1) 源码分析
- 2)实操
- 2. Medium
- 1) 源码分析
- 2)实操
- 3. High
- 1) 源码分析
- 2)实操
- 4. Impossible
- 1) 源码分析
1. Low
1) 源码分析
<?php
if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key'],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp ) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
}
else {
// CAPTCHA was correct. Do both new passwords match?
if( $pass_new == $pass_conf ) {
// Show next stage for the user
echo "
<pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
<form action=\"#\" method=\"POST\">
<input type=\"hidden\" name=\"step\" value=\"2\" />
<input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
<input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
<input type=\"submit\" name=\"Change\" value=\"Change\" />
</form>";
}
else {
// Both new passwords do not match.
$html .= "<pre>Both passwords must match.</pre>";
$hide_form = false;
}
}
}
if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check to see if both password match
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for the end user
echo "<pre>Password Changed.</pre>";
}
else {
// Issue with the passwords matching
echo "<pre>Passwords did not match.</pre>";
$hide_form = false;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
-
首先,代码检查是否有名为"Change"的POST参数,并且"step"参数的值为1。这意味着该代码是用于处理提交更改密码表单的第一步请求。
-
代码将变量$hide_form设置为true。这个变量用于控制是否隐藏验证码表单。
-
代码获取输入的新密码和确认密码,并进行比较。如果两个密码不匹配,代码将输出一条错误消息,并将$hide_form设置为false,以便显示密码更改表单供用户重新尝试。
-
如果两个密码匹配,代码将调用recaptcha_check_answer函数来验证第三方提供的验证码。这里假设存在一个名为$_DVWA[‘recaptcha_private_key’]的变量用于存储私钥,并且用户在表单中提供了名为g-recaptcha-response的验证码响应。
-
如果验证码验证失败(即! r e s p ),代码会输出一条错误消息,并将 resp),代码会输出一条错误消息,并将 resp),代码会输出一条错误消息,并将hide_form设置为false,以便显示验证码表单供用户重新尝试。
-
如果验证码验证成功,代码将显示下一步的表单给用户确认密码更改。这个表单包含了一个隐藏的step字段,值为2,以及新密码和确认密码的隐藏字段。
-
如果用户点击了确认更改的按钮,代码将进行第二步的处理。
-
在第二步中,代码再次将变量$hide_form设置为true。
-
代码获取输入的新密码和确认密码,并进行比较。如果两个密码不匹配,代码将输出一条错误消息,并将$hide_form设置为false,以便显示密码更改表单供用户重新尝试。
-
如果两个密码匹配,代码将对新密码进行MySQL转义和md5哈希处理,并将密码更新到数据库中。
-
如果密码更改成功,代码将输出一条成功的消息。
-
如果两个密码不匹配,代码将输出一条失败的消息,并将$hide_form设置为false,以便显示密码更改表单供用户重新尝试。
可以在代码中看出,修改密码时对验证码的验证仅仅是验证了step的值是否为2
2)实操
由于本地环境配置的原因,此处验证码没有显示,但是我们本来就是要绕过验证码,因此不用管这里
若不做任何操作,会显示验证码错误
随后我们重新输入密码并进行抓包,得到的数据包如下
可以看到最后一行step=1,那这样的话肯定过不了验证码验证
于是我们发送到repeater中将step修改为2重新发包
可以看到密码修改成功
2. Medium
1) 源码分析
<?php
if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key' ],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp ) {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
}
else {
// CAPTCHA was correct. Do both new passwords match?
if( $pass_new == $pass_conf ) {
// Show next stage for the user
echo "
<pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
<form action=\"#\" method=\"POST\">
<input type=\"hidden\" name=\"step\" value=\"2\" />
<input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
<input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
<input type=\"hidden\" name=\"passed_captcha\" value=\"true\" />
<input type=\"submit\" name=\"Change\" value=\"Change\" />
</form>";
}
else {
// Both new passwords do not match.
$html .= "<pre>Both passwords must match.</pre>";
$hide_form = false;
}
}
}
if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check to see if they did stage 1
if( !$_POST[ 'passed_captcha' ] ) {
$html .= "<pre><br />You have not passed the CAPTCHA.</pre>";
$hide_form = false;
return;
}
// Check to see if both password match
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for the end user
echo "<pre>Password Changed.</pre>";
}
else {
// Issue with the passwords matching
echo "<pre>Passwords did not match.</pre>";
$hide_form = false;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?>
与Low相比多了一步验证,加了对参数passed_captcha的检查,如果为true,则认为已经通过了验证码检查
2)实操
可以尝试加上这个字段passed_captcha=true绕过,成功
3. High
1) 源码分析
<?php
if( isset( $_POST[ 'Change' ] ) ) {
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_conf = $_POST[ 'password_conf' ];
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key' ],
$_POST['g-recaptcha-response']
);
if (
$resp ||
(
$_POST[ 'g-recaptcha-response' ] == 'hidd3n_valu3'
&& $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA'
)
){
// CAPTCHA was correct. Do both new passwords match?
if ($pass_new == $pass_conf) {
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for user
echo "<pre>Password Changed.</pre>";
} else {
// Ops. Password mismatch
$html .= "<pre>Both passwords must match.</pre>";
$hide_form = false;
}
} else {
// What happens when the CAPTCHA was entered incorrectly
$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
// Generate Anti-CSRF token
generateSessionToken();
?>
只要g-recaptcha-response和请求头的HTTP_USER_AGENT是符合约定的就行
2)实操
抓包直接改成这两个值就行g-recaptcha-response=hidd3n_valu3,HTTP_USER_AGENT=reCAPTCHA
修改g-recaptcha-response参数以及User-Agent
4. Impossible
1) 源码分析
<?php
if( isset( $_POST[ 'Change' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Hide the CAPTCHA form
$hide_form = true;
// Get input
$pass_new = $_POST[ 'password_new' ];
$pass_new = stripslashes( $pass_new );
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
$pass_conf = $_POST[ 'password_conf' ];
$pass_conf = stripslashes( $pass_conf );
$pass_conf = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_conf ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_conf = md5( $pass_conf );
$pass_curr = $_POST[ 'password_current' ];
$pass_curr = stripslashes( $pass_curr );
$pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_curr = md5( $pass_curr );
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
$_DVWA[ 'recaptcha_private_key' ],
$_POST['g-recaptcha-response']
);
// Did the CAPTCHA fail?
if( !$resp ) {
// What happens when the CAPTCHA was entered incorrectly
echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
}
else {
// Check that the current password is correct
$data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
$data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
$data->execute();
// Do both new password match and was the current password correct?
if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) {
// Update the database
$data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
$data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
$data->execute();
// Feedback for the end user - success!
echo "<pre>Password Changed.</pre>";
}
else {
// Feedback for the end user - failed!
echo "<pre>Either your current password is incorrect or the new passwords did not match.<br />Please try again.</pre>";
$hide_form = false;
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>
首先,代码检查是否有名为"Change"的POST参数。这意味着该代码是用于处理提交更改密码表单的请求。
然后,代码调用checkToken函数来验证防跨站请求伪造(Anti-CSRF)令牌。checkToken函数接受三个参数: R E Q U E S T [ ′ u s e r t o k e n ′ ] , _REQUEST['user_token'], REQUEST[′usertoken′],_SESSION[‘session_token’]和’index.php’。这里的目的是确保提交的请求是合法的,并且用户已经通过先前的身份验证。
代码将变量$hide_form设置为true。这个变量用于控制是否隐藏验证码表单。
代码获取输入的新密码,并对其进行处理。它首先从$_POST[‘password_new’]获取密码,然后使用stripslashes函数去除可能的反斜杠转义,接着使用mysqli_real_escape_string函数对密码进行MySQL转义,最后使用md5函数进行哈希处理。
代码获取确认密码,并对其进行与新密码相同的处理过程。
代码获取当前密码,并对其进行与新密码相同的处理过程。
代码调用recaptcha_check_answer函数来验证第三方提供的验证码。这里假设存在一个名为$_DVWA[‘recaptcha_private_key’]的变量用于存储私钥,并且用户在表单中提供了名为g-recaptcha-response的验证码响应。
如果验证码验证失败(即! r e s p ),代码会输出一条错误消息,并将 resp),代码会输出一条错误消息,并将 resp),代码会输出一条错误消息,并将hide_form设置为false,以便显示验证码表单供用户重新尝试。
如果验证码验证成功,代码将查询数据库以验证当前密码是否正确。它使用准备好的语句来选择users表中与当前用户和当前密码匹配的记录。如果查询返回一行结果(即$data->rowCount() == 1),则表示当前密码正确。
如果新密码与确认密码匹配并且当前密码正确,代码将更新数据库中的密码。它使用准备好的语句将新密码更新到与当前用户匹配的记录中。
如果密码更改成功,代码将输出一条成功的消息。
如果新密码与确认密码不匹配或当前密码不正确,代码将输出一条失败的消息,并将$hide_form设置为false,以便显示密码更改表单供用户重新尝试。
最后,代码调用generateSessionToken函数生成一个新的防跨站请求伪造(Anti-CSRF)令牌,以便在下一次请求中使用。