Insecure CAPTCHA
I couldn't do this challenge for the last few days, because the CAPTCHA requires Google reCAPTCHA. The client side is fine, since you can get it through a proxy, but the server just can't reach Google's servers no matter what, so let's just analyse the vulnerability from the code instead!
The code is as follows:
<?php

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) {
    $hide_form = true;

    $user      = $_POST['username'];
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];

    // Step 1 is the only place the CAPTCHA is ever checked
    $resp = recaptcha_check_answer( $_DVWA['recaptcha_private_key'],
                                    $_SERVER["REMOTE_ADDR"],
                                    $_POST["recaptcha_challenge_field"],
                                    $_POST["recaptcha_response_field"] );

    if (!$resp->is_valid) {
        // What happens when the CAPTCHA was entered incorrectly
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    }
    else {
        if (($pass_new == $pass_conf)){
            echo "<pre><br />You passed the CAPTCHA! Click the button to confirm your changes. <br /></pre>";
            // The confirmation form carries only step=2 and the two passwords;
            // nothing in it proves that the CAPTCHA was actually solved
            echo " <form action=\"#\" method=\"POST\">
                    <input type=\"hidden\" name=\"step\" value=\"2\" />
                    <input type=\"hidden\" name=\"password_new\" value=\"" . $pass_new . "\" />
                    <input type=\"hidden\" name=\"password_conf\" value=\"" . $pass_conf . "\" />
                    <input type=\"submit\" name=\"Change\" value=\"Change\" />
                   </form>";
        }
        else{
            echo "<pre> Both passwords must match </pre>";
            $hide_form = false;
        }
    }
}

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) ) {
    $hide_form = true;

    // Get input: step 2 reads the POST body directly and never checks that step 1 ran
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];

    if ($pass_new != $pass_conf) {
        echo "<pre><br />Both passwords must match</pre>";
        $hide_form = false;
        return;
    }

    $pass = md5($pass_new);   // unused; the hash is recomputed below

    if (($pass_new == $pass_conf)){
        $pass_new = mysql_real_escape_string($pass_new);
        $pass_new = md5($pass_new);

        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );

        echo "<pre> Password Changed </pre>";
        mysql_close();
    }
    else{
        echo "<pre> Passwords did not match. </pre>";
    }
}

?>
Analysing the code above reveals an obvious vulnerability. The password change is split into two steps, step 1 and step 2. In the normal flow the user enters the account, the new password and the CAPTCHA; once the CAPTCHA is verified, the user is directed to step 2. But step 2 never checks that the request actually came through step 1, so step 1 can be skipped and step 2 requested directly. That bypasses the CAPTCHA check entirely, so the CAPTCHA provides no protection at all.
Capturing the traffic shows that the password-change request is submitted with the POST method and carries a step parameter, so it is enough to set step to 2 and submit the corresponding parameters.
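The fix is to make step 2 depend on server-side state that only a successful step 1 can create. The following is an added example of that binding, not DVWA's own source at any level: it assumes session_start() has already run, that recaptcha_check_answer(), $_DVWA['recaptcha_private_key'] and dvwaCurrentUser() exist as on the page, and it swaps in a PDO handle $db with a prepared statement and password_hash() in place of the mysql_* calls and md5().

```php
<?php
// Added example (not DVWA's code): the two-step flow with step 2 bound to a
// CAPTCHA that was solved in step 1 of the same session.
// Assumes session_start() has run and that recaptcha_check_answer(),
// $_DVWA['recaptcha_private_key'], dvwaCurrentUser() and a PDO handle $db exist.

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '1' ) ) {
    $pass_new  = $_POST['password_new'];
    $pass_conf = $_POST['password_conf'];

    $resp = recaptcha_check_answer( $_DVWA['recaptcha_private_key'], $_SERVER['REMOTE_ADDR'],
                                    $_POST['recaptcha_challenge_field'], $_POST['recaptcha_response_field'] );
    if( !$resp->is_valid ) {
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        return;
    }
    if( $pass_new !== $pass_conf ) {
        echo "<pre> Both passwords must match </pre>";
        return;
    }

    // Record the solved CAPTCHA server-side: a one-time random token kept in the
    // session and echoed into the confirmation form. A step=2 post that lacks it
    // (or carries a guessed value) is rejected, so step 1 cannot be skipped.
    $token = bin2hex( random_bytes( 16 ) );
    $_SESSION['captcha_token'] = $token;
    $_SESSION['pending_pass']  = $pass_new;   // keep the password out of the HTML
    echo "<form action=\"#\" method=\"POST\">"
       . "<input type=\"hidden\" name=\"step\" value=\"2\" />"
       . "<input type=\"hidden\" name=\"token\" value=\"" . htmlspecialchars( $token ) . "\" />"
       . "<input type=\"submit\" name=\"Change\" value=\"Change\" /></form>";
}

if( isset( $_POST['Change'] ) && ( $_POST['step'] == '2' ) ) {
    // isset() rejects a bare step=2 post; hash_equals() compares in constant time.
    if( !isset( $_SESSION['captcha_token'], $_POST['token'] )
        || !hash_equals( $_SESSION['captcha_token'], (string) $_POST['token'] ) ) {
        echo "<pre><br />Complete the CAPTCHA step first.</pre>";
        return;
    }
    // Single use: clear the marker first so a replayed step-2 request does nothing.
    $pass_new = $_SESSION['pending_pass'];
    unset( $_SESSION['captcha_token'], $_SESSION['pending_pass'] );

    $stmt = $db->prepare( 'UPDATE `users` SET password = :pw WHERE user = :u' );
    $stmt->execute( [ ':pw' => password_hash( $pass_new, PASSWORD_DEFAULT ),
                      ':u'  => dvwaCurrentUser() ] );
    echo "<pre> Password Changed </pre>";
}
?>
```

With this in place, a captured request that is replayed with step set to 2 and no valid token is refused, and a token that has been used once is refused as well.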