网站地图    收藏   

主页 > 后端 > 网站安全 >

web常见攻击四 –不安全的验证码机制(Insecure

来源:自学PHP网    时间:2015-04-16 23:15 作者: 阅读:

[导读] 我是在dvwa(Damn Vulnerable Web App)上学到的这些东西,我把dvwa安装在了我的免费空间上,有兴趣的可以看看。DVWA想要用户名和密码的可以联系我:sq371426@163 comdvwa 用的验证是google提供的,...

 
我是在dvwa(Damn Vulnerable Web App)上学到的这些东西,我把dvwa安装在了我的免费空间上,有兴趣的可以看看。DVWA
 
想要用户名和密码的可以联系我:sq371426@163.com
 
dvwa 用的验证是google提供的,详情见google CAPCTHE
 
这里所谓的不安全的验证码机制是指对前台获得的验证码在后台验证不够全面引起的安全问题,呵呵,这里比较绕口是吧
 
下面我们来看一下不安全的代码吧

<?php 
 
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) { 
 
    $hide_form = true; 
    $user = $_POST['username']; 
    $pass_new = $_POST['password_new']; 
    $pass_conf = $_POST['password_conf']; 
    $resp = recaptcha_check_answer ($_DVWA['recaptcha_private_key'], 
        $_SERVER["REMOTE_ADDR"], 
        $_POST["recaptcha_challenge_field"], 
        $_POST["recaptcha_response_field"]); 
 
    if (!$resp->is_valid) { 
        // What happens when the CAPTCHA was entered incorrectly 
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; 
        $hide_form = false; 
        return;     
    } else { 
            if (($pass_new == $pass_conf)){ 
            echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
            echo " 
            <form action=\"#\" method=\"POST\"> 
                <input type=\"hidden\" name=\"step\" value=\"2\" /> 
                <input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" /> 
                <input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" /> 
                <input type=\"submit\" name=\"Change\" value=\"Change\" /> 
            </form>"; 
            }     
 
            else{ 
                    echo "<pre> Both passwords must match </pre>"; 
            $hide_form = false; 
            } 
    } 
} 
 
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) )  
{ 
    $hide_form = true; 
        if ($pass_new != $pass_conf) 
        { 
                echo "<pre><br />Both passwords must match</pre>"; 
        $hide_form = false; 
                return; 
        } 
        $pass = md5($pass_new); 
        if (($pass_new == $pass_conf)){ 
               $pass_new = mysql_real_escape_string($pass_new); 
               $pass_new = md5($pass_new); 
 
               $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
               $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); 
 
               echo "<pre> Password Changed </pre>"; 
               mysql_close(); 
        } 
 
        else{ 
               echo "<pre> Passwords did not match. </pre>"; 
        } 
} 
 
?> 



 

也许初学者都会这样的代码,但是自习看一看,这段代码存在一个致命的漏洞——虽然在第一步对验证码进行了验证,但是在第二部分却没有对验证码的有效性进行验证。
 
下面这段代码修复了这个漏洞
 
<?php 
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) { 
 
    $hide_form = true; 
    $user = $_POST['username']; 
    $pass_new = $_POST['password_new']; 
    $pass_conf = $_POST['password_conf']; 
    $resp = recaptcha_check_answer($_DVWA['recaptcha_private_key'], 
        $_SERVER["REMOTE_ADDR"], 
        $_POST["recaptcha_challenge_field"], 
        $_POST["recaptcha_response_field"]); 
 
    if (!$resp->is_valid) { 
        // What happens when the CAPTCHA was entered incorrectly 
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; 
        $hide_form = false; 
        return;     
    } else { 
            if (($pass_new == $pass_conf)){ 
            echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
            echo " 
            <form action=\"#\" method=\"POST\"> 
                <input type=\"hidden\" name=\"step\" value=\"2\" /> 
                <input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" /> 
                <input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" /> 
                <input type=\"hidden\" name=\"passed_captcha\" value=\"true\" /> 
                <input type=\"submit\" name=\"Change\" value=\"Change\" /> 
            </form>"; 
            }     
 
            else{ 
                    echo "<pre> Both passwords must match </pre>"; 
            $hide_form = false; 
            } 
    } 
} 
 
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) )  
{ 
    $hide_form = true; 
    if (!$_POST['passed_captcha']) 
    { 
                echo "<pre><br />You have not passed the CAPTCHA. Bad hacker, no doughnut.</pre>"; 
        $hide_form = false; 
        return; 
    } 
        $pass = md5($pass_new); 
        if (($pass_new == $pass_conf)){ 
               $pass_new = mysql_real_escape_string($pass_new); 
               $pass_new = md5($pass_new); 
 
               $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
               $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); 
 
               echo "<pre> Password Changed </pre>"; 
               mysql_close(); 
        } 
 
        else{ 
               echo "<pre> Passwords did not match. </pre>"; 
        } 
} 
?> 



到这里这段代码算是比较安全的了,但是仔细想想还是觉得这段代码哪里不对劲,是否过于冗余了呢。
 
下面我们来看精简安全的代码

<?php 
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) { 
 
    $hide_form = true; 
 
    <!--DVFMTSC-->$pass_new = $_POST['password_new']; 
    $pass_new = stripslashes( $pass_new ); 
    $pass_new = mysql_real_escape_string( $pass_new ); 
    $pass_new = md5( $pass_new ); 
 
    <!--DVFMTSC-->$pass_conf = $_POST['password_conf']; 
    <!--DVFMTSC-->$pass_conf = stripslashes( $pass_conf ); 
    $pass_conf = mysql_real_escape_string( $pass_conf ); 
    $pass_conf = md5( $pass_conf ); 
 
        $resp = recaptcha_check_answer ($_DVWA['recaptcha_private_key'], 
        $_SERVER["REMOTE_ADDR"], 
        $_POST["recaptcha_challenge_field"], 
        $_POST["recaptcha_response_field"]); 
 
    if (!$resp->is_valid) { 
        // What happens when the CAPTCHA was entered incorrectly 
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"; 
        $hide_form = false; 
        return;     
    } else { 
                // Check that the current password is correct 
        $qry = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';"; 
        $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>' ); 
 
                if (($pass_new == $pass_conf)  && ( $result && mysql_num_rows( $result ) == 1 )){ 
                       $insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
                       $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); 
 
                       echo "<pre> Password Changed </pre>"; 
                       mysql_close(); 
                } 
 
                else{ 
                       echo "<pre> Either your current password is incorrect or the new passwords did not match. Please try again. </pre>"; 
                } 
    } 
} 
?>

 


自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论