Web Security 3: Cross-Site Request Forgery (CSRF) Attacks

  1. Brute Force
  2. Command Injection Execution

CSRF stands for Cross-Site Request Forgery. You can think of a CSRF attack this way: the attacker hijacks your identity and sends malicious requests in your name. What CSRF can do includes sending email and messages in your name, stealing your account, changing your password, even buying goods or transferring virtual currency... The resulting harms include leakage of personal privacy and loss of property.

Here CSRF is introduced using a password-change feature as the example.

I. First, look at code with no security defence at all.

<?php 
                 
    if (isset($_GET['Change'])) { 
     
        // Turn requests into variables 
        $pass_new = $_GET['password_new']; 
        $pass_conf = $_GET['password_conf']; 


        if (($pass_new == $pass_conf)){ 
            $pass_new = mysql_real_escape_string($pass_new); 
            $pass_new = md5($pass_new); 

            $insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';"; 
            $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); 
                         
            echo " Password Changed ";         
            mysql_close(); 
        } 
     
        else{         
            echo " Passwords did not match. ";             
        } 

    } 
?>

This code writes the new password straight into the database: it neither verifies the user's current password nor checks the HTTP referer, so any other website can use your cookies to carry out a CSRF attack against your account.

II. The following code checks the HTTP referer before writing to the database.

<?php 
             
    if (isset($_GET['Change'])) { 
     
        // Checks the http referer header 
        if ( eregi ( "127.0.0.1", $_SERVER['HTTP_REFERER'] ) ){ 
     
            // Turn requests into variables 
            $pass_new = $_GET['password_new']; 
            $pass_conf = $_GET['password_conf']; 

            if ($pass_new == $pass_conf){ 
                $pass_new = mysql_real_escape_string($pass_new); 
                $pass_new = md5($pass_new); 

                $insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';"; 
                $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); 
                         
                echo " Password Changed ";         
                mysql_close(); 
            } 
     
            else{         
                echo " Passwords did not match. ";             
            }     

        } 
         
    } 
?>

This code does check the HTTP referer, but it still doesn't look satisfying, does it? The Referer header is supplied by the client and may simply be absent, and eregi() here only looks for the substring "127.0.0.1" anywhere in it.

III. The following code is much better.

<?php 
             
    if (isset($_GET['Change'])) { 
     
        // Turn requests into variables 
        $pass_curr = $_GET['password_current']; 
        $pass_new = $_GET['password_new']; 
        $pass_conf = $_GET['password_conf']; 

        // Sanitise current password input 
        $pass_curr = stripslashes( $pass_curr ); 
        $pass_curr = mysql_real_escape_string( $pass_curr ); 
        $pass_curr = md5( $pass_curr ); 
         
        // Check that the current password is correct 
        $qry = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';"; 
        $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>' ); 

        if (($pass_new == $pass_conf) && ( $result && mysql_num_rows( $result ) == 1 )){ 
            $pass_new = mysql_real_escape_string($pass_new); 
            $pass_new = md5($pass_new); 

            $insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';"; 
            $result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' ); 
                         
            echo "<pre> Password Changed </pre>";         
            mysql_close(); 
        } 
     
        else{         
            echo " Passwords did not match or current password incorrect. ";             
        } 

    } 
?>
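As an added example (my own code, not DVWA's and not part of the original post), here is how the same handler looks when the two defences shown above, the referer check in section II and the current-password check in section III, are combined with a per-session anti-CSRF token. It assumes PHP 7 or later, a PDO connection already in `$pdo`, the `users` table with `user` and `password` columns from the page (with `password` holding `password_hash()` output instead of an md5 hex string), and that the site's own host is `127.0.0.1` as in the referer check; the constant `OWN_HOST`, the field name `user_token` and the helper functions are my own names.

```php
<?php
// Added example, not DVWA code. Assumes: PHP 7+, a PDO connection in $pdo,
// a `users` table (columns `user`, `password`) storing password_hash() values,
// and that this site is served from OWN_HOST (assumption, taken from section II).
const OWN_HOST = '127.0.0.1';

session_start();

// Issue one random token per session; the form echoes it back in a hidden field.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Same-origin check: parse the host out of Origin (or, failing that, Referer) and
// compare it exactly with our own host, rather than a substring search as eregi() did.
function request_is_same_origin(string $ownHost): bool {
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;                      // header missing: reject rather than assume
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Token check in constant time, so the comparison leaks nothing about the token.
function token_is_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// State-changing action only via POST; a GET from an <img> or link never reaches the update.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Change'])) {

    if (!request_is_same_origin(OWN_HOST) || !token_is_valid($_POST['user_token'] ?? null)) {
        http_response_code(403);
        exit('<pre> CSRF token or origin check failed </pre>');
    }

    $pass_curr = $_POST['password_current'] ?? '';
    $pass_new  = $_POST['password_new'] ?? '';
    $pass_conf = $_POST['password_conf'] ?? '';

    // Prepared statement: no manual escaping, no string-built SQL.
    $stmt = $pdo->prepare('SELECT password FROM `users` WHERE user = ?');
    $stmt->execute(['admin']);
    $stored = $stmt->fetchColumn();        // false when no row matched

    if ($stored !== false && password_verify($pass_curr, $stored)
        && $pass_new !== '' && $pass_new === $pass_conf) {
        $hash = password_hash($pass_new, PASSWORD_DEFAULT);
        $upd  = $pdo->prepare('UPDATE `users` SET password = ? WHERE user = ?');
        $upd->execute([$hash, 'admin']);
        // Rotate the token after a successful state change so a captured one cannot be replayed.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        echo '<pre> Password Changed </pre>';
    } else {
        echo '<pre> Passwords did not match or current password incorrect. </pre>';
    }
}
?>
<form method="post" action="">
    Current password: <input type="password" name="password_current"><br>
    New password:     <input type="password" name="password_new"><br>
    Confirm password: <input type="password" name="password_conf"><br>
    <input type="hidden" name="user_token"
           value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>">
    <input type="submit" name="Change" value="Change">
</form>
```

The token is what actually stops CSRF: a page on another origin can make the victim's browser send the cookies, but it cannot read the hidden `user_token` value from this page, so the forged request fails the `hash_equals` check. The origin check and the current-password check remain as defence in depth, and switching from GET to POST keeps the password out of server logs and browser history.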
JackSun

I'm a coder.

2 Responses

  1. 东方神起 says:

    Nice stuff

  2. 李雪儿 says:

    Support, +1

  1. December 1, 2013

    […] Web Security 3: Cross-Site Request Forgery (CSRF) Attacks […]
