Insecure CAPTCHA
不安全的验证码
这个题目最近几天做不了,因为验证码需要使用Google验证码,客户端这边还好说,可以挂个代理得到,服务器却怎么都连接不到Google的服务器,所以干脆看代码分析漏洞吧!
代码如下所示:
<?php
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) {
$hide_form = true;
$user = $_POST['username'];
$pass_new = $_POST['password_new'];
$pass_conf = $_POST['password_conf'];
$resp = recaptcha_check_answer ($_DVWA['recaptcha_private_key'],
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
// What happens when the CAPTCHA was entered incorrectly
echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
$hide_form = false;
return;
} else {
if (($pass_new == $pass_conf)){
echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
echo "
<form action=\"#\" method=\"POST\">
<input type=\"hidden\" name=\"step\" value=\"2\" />
<input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" />
<input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" />
<input type=\"submit\" name=\"Change\" value=\"Change\" />
</form>";
}
else{
echo "<pre> Both passwords must match </pre>";
$hide_form = false;
}
}
}
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) )
{
$hide_form = true;
if ($pass_new != $pass_conf)
{
echo "<pre><br />Both passwords must match</pre>";
$hide_form = false;
return;
}
$pass = md5($pass_new);
if (($pass_new == $pass_conf)){
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);
$insert="UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );
echo "<pre> Password Changed </pre>";
mysql_close();
}
else{
echo "<pre> Passwords did not match. </pre>";
}
}
?>
通过分析以上代码,发现一个很明显的漏洞,修改密码分为两个步骤,step1和step2,正常流程是用户输入账号密码和验证码,验证通过后被定向到step2,但step2并未对是否由step1过来,因此也就可以绕过step1,直接访问step2,这样也就绕过了验证码的验证,因此验证码也就没有任何作用了。
通过截取数据包发现,修改请求通过POST方法提交,而且其中带有step参数,因此可直接将step修改为2,提交相应的参数即可。
修改成功!
