PHP vulnerability Full Solution-cross-site request forgery

Abstract: This article mainly introduces cross-site request forgery for PHP Web sites. In CSRF all attack modes include an attacker who forges an HTTP request that looks like another user initiated, in fact, tracking an HTTP request sent by a user is the attacker's purpose. ...

Reprint please specify source: Php vulnerability Full solution (vi)-cross-site request forgery
CSRF (Cross site request forgeries), which is intended to be spoofed across Web sites, is also written as XSRF. The attacker forges the HTTP request of the target user and then sends the request to a Web site with a CSRF vulnerability, which causes a cross-site request forgery attack after the Web site executes the request. The attacker uses a covert HTTP connection to allow the target user to click on the link without notice, because the user clicks on it, and the legitimate user has legal rights, so the target user can execute a specific HTTP link within the site to achieve the attacker's purpose.
For example, when buying a product on a shopping site, use the Http://www.shop.com/buy.php?item=watch&num=1,item parameter to determine what item to buy, num parameter determines the quantity to buy, If the attacker sends the link to the target user in a hidden way, the number of purchases will be 1000 if the target user is accidentally accessed.
Instance
V1.0 Network PHP Message Board
Delete any message
delbook.php This page to delete messages
Include_once ("dlyz.php"); dlyz.php user authentication permission, when the permission is admin, can delete message
Include_once (".. /conn.php ");
$del =$_get["Del"];
$id =$_get["id"];
if ($del = = "Data")
{
$ID _dele= implode (",", $_post[' Adid ');
$sql = "Delete from book where ID in (". $ID _dele. ")";
mysql_query ($sql);
}
Else
{
$sql = "Delete from book where id=". $id; Pass the message ID you want to delete
mysql_query ($sql);
}
Mysql_close ($conn);
echo "";
echo "Alert (' Delete succeeded! ’);”;
echo "location= ' book.php ';";
echo "";
?>
When we have admin permission, we will delete the message with ID 2 when we submit http://localhost/manage/delbook.php?id=2.
How to use:
We use a regular user message (source code), the content is
"Delbook.php?id=2"/>
"Delbook.php?id=3"/>
"Delbook.php?id=4"/>
"Delbook.php?id=5"/>
Insert 4 Pictures link to delete 4 ID messages Separately, then we go back to the homepage to see, there is no change. The picture doesn't show.
Now we re-login with the administrator account, to refresh the home page, you will find a message left one, the other in the image link designated ID number of the message, all are deleted.
The attacker inserted a hidden picture link in the message, this link has the function of deleting the message, and the attacker's own access to these image links, is not a permission, so see no effect, but when the administrator login, check this message, will execute the hidden link, and his permission is large enough, So the messages were deleted.
Modify Administrator Password
pass.php
if ($_get["Act"])
{
$username =$_post["username"];
$sh =$_post["sh"];
$gg =$_post["GG"];
$title =$_post["title"];
$copyright =$_post["Copyright"].
Design and production: Hacker contract safety net ";
$password =md5 ($_post["password"]);
if (Emptyempty ($_post["password"))
{
$sql = "Update gly set Username= '". $username. "', sh=". $sh. ", gg= '". $gg. "', title= '". $title. "', copyright= '". $copyright. " where Id=1″;
}
Else
{
$sql = "Update gly set Username= '". $username. "', password= '". $password. "', sh=". $sh. ", gg= '". $gg. "', title= '". $title. " , copyright= ' ". $copyright." ' where Id=1″;
}
mysql_query ($sql);
Mysql_close ($conn);
echo "";
echo "Alert (' modified successfully! ’);”;
echo "location= ' pass.php ';";
echo "";
}
This file is used to modify some information about managing passwords and site settings, and we can directly construct the following form:

