DVWA Study Notes: Insecure CAPTCHA, Level Low

Insecure CAPTCHA

I have not been able to work through this exercise over the past few days, because the CAPTCHA relies on Google's reCAPTCHA service. The client side is manageable (the widget loads through a proxy), but the server simply could not reach Google's servers, so I will just read the code and analyse the vulnerability instead.

The code is as follows:

<?php

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) {

    $hide_form = true;
    $user      = $_POST['username'];
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];
    // Step 1 is the only place the reCAPTCHA answer is ever verified
    $resp = recaptcha_check_answer( $_DVWA['recaptcha_private_key'],
        $_SERVER["REMOTE_ADDR"],
        $_POST["recaptcha_challenge_field"],
        $_POST["recaptcha_response_field"] );

    if( !$resp->is_valid ) {
        // What happens when the CAPTCHA was entered incorrectly
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    } else {
        if( ( $pass_new == $pass_conf ) ) {
            // CAPTCHA passed: the chosen password is handed back to the client in
            // hidden fields together with step=2; nothing is recorded server-side
            echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
            echo "
            <form action=\"#\" method=\"POST\">
                <input type=\"hidden\" name=\"step\" value=\"2\" />
                <input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" />
                <input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" />
                <input type=\"submit\" name=\"Change\" value=\"Change\" />
            </form>";
        } else {
            echo "<pre> Both passwords must match </pre>";
            $hide_form = false;
        }
    }
}

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) ) {
    $hide_form = true;
    // Step 2 trusts the POST body alone: it never checks that step 1 (and with it
    // the CAPTCHA) was completed, so a request carrying step=2 is accepted directly
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];
    if( $pass_new != $pass_conf ) {
        echo "<pre><br />Both passwords must match</pre>";
        $hide_form = false;
        return;
    }
    $pass = md5( $pass_new );
    if( ( $pass_new == $pass_conf ) ) {
        $pass_new = mysql_real_escape_string( $pass_new );
        $pass_new = md5( $pass_new );

        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );

        echo "<pre> Password Changed </pre>";
        mysql_close();
    } else {
        echo "<pre> Passwords did not match. </pre>";
    }
}

?>

Reading the code reveals an obvious flaw. The password change is split into two steps, step 1 and step 2. In the normal flow the user enters the username, password and CAPTCHA; once the CAPTCHA is verified, the user is sent on to step 2. But step 2 never checks whether the request actually came from step 1, so step 1 can be skipped and step 2 requested directly. That bypasses the CAPTCHA check entirely, leaving the CAPTCHA with no protective effect at all.

[Screenshot: DVWA-captcha]

Intercepting the traffic shows that the change request is submitted with the POST method and carries a step parameter, so step can simply be set to 2 and the request submitted with the corresponding parameters.

[Screenshot: DVWA-captcha1] Change succeeded!

[Screenshot: DVWA-captcha2]
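For comparison, a hardened version of the same two-step handler, added here as an example and not DVWA's own code: step 1 records the passed CAPTCHA on the server as a one-time session token, and step 2 refuses to change the password unless that token is present and matches, so editing step to 2 on the client no longer skips the check. It assumes PHP 7+, DVWA's recaptcha_check_answer(), $_DVWA and dvwaCurrentUser() as in the source above, and a hypothetical mysqli handle $db.

```php
<?php
// Added example, not DVWA's code. Assumes PHP 7+, DVWA's recaptcha helpers
// and dvwaCurrentUser(), and a mysqli handle $db (hypothetical name).
if( session_status() !== PHP_SESSION_ACTIVE ) session_start();
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) {
    $resp = recaptcha_check_answer( $_DVWA['recaptcha_private_key'],
        $_SERVER['REMOTE_ADDR'],
        $_POST['recaptcha_challenge_field'],
        $_POST['recaptcha_response_field'] );
    if( !$resp->is_valid ) {
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        return;
    }
    // Record the passed CAPTCHA on the server: a one-time token bound to this
    // session. Editing 'step' on the client cannot manufacture this state.
    $_SESSION['captcha_token'] = bin2hex( random_bytes( 16 ) );
    $_SESSION['captcha_time']  = time();
    echo "<form action=\"#\" method=\"POST\">"
       . "<input type=\"hidden\" name=\"step\" value=\"2\" />"
       . "<input type=\"hidden\" name=\"captcha_token\" value=\"" . $_SESSION['captcha_token'] . "\" />"
       . "<input type=\"password\" name=\"password_new\" />"
       . "<input type=\"password\" name=\"password_conf\" />"
       . "<input type=\"submit\" name=\"Change\" value=\"Change\" /></form>";
}
if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) ) {
    // Honour step 2 only if step 1 passed in this session within 5 minutes and
    // the token matches; the token is consumed either way, so it cannot be replayed.
    $ok = isset( $_SESSION['captcha_token'], $_POST['captcha_token'] )
       && hash_equals( $_SESSION['captcha_token'], (string) $_POST['captcha_token'] )
       && ( time() - $_SESSION['captcha_time'] ) < 300;
    unset( $_SESSION['captcha_token'], $_SESSION['captcha_time'] );
    if( !$ok ) {
        echo "<pre><br />Complete the CAPTCHA first.</pre>";
        return;
    }
    if( $_POST['password_new'] !== $_POST['password_conf'] ) {
        echo "<pre><br />Both passwords must match</pre>";
        return;
    }
    // Parameterised update with a proper password hash instead of DVWA's
    // md5()/mysql_query(); DVWA's login check would need to verify the same hash.
    $hash = password_hash( $_POST['password_new'], PASSWORD_DEFAULT );
    $user = dvwaCurrentUser();
    $stmt = $db->prepare( 'UPDATE `users` SET password = ? WHERE user = ?' );
    $stmt->bind_param( 'ss', $hash, $user );
    $stmt->execute();
    echo "<pre> Password Changed </pre>";
}
```

The password fields move to the step-2 form so the chosen password is never round-tripped through hidden inputs, and a replayed or forged step=2 request is rejected before any database access.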