Insecure CAPTCHA(不安全的验证码)

最新推荐文章于 2023-11-19 21:05:02 发布
最新推荐文章于 2023-11-19 21:05:02 发布
阅读量1.5k 收藏 3
点赞数 1
分类专栏: DVWA 文章标签: 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_42176207/article/details/116659218
版权

Insecure CAPTCHA

Insecure CAPTCHA,意思是不安全的验证码,CAPTCHA是Completely Automated Public Turing Test to Tell Computers and Humans Apart (全自动区分计算机和人类的图灵测试)的简称。验证码是没有问题的,关键是代码写的有问题,可以绕过。

环境需要把config.inc.php中的recaptcha_public_key \recaptcha_private_key补充。

在这里插入图片描述
在这里插入图片描述

reCAPTCHA验证流程
在这里插入图片描述

LOW

代码情况

Unknown Vulnerability Source
vulnerabilities/captcha/source/low.php
<?php

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key'],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    }
    else {
        // CAPTCHA was correct. Do both new passwords match?
        if( $pass_new == $pass_conf ) {
            // Show next stage for the user
            echo "
                <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
                <form action=\"#\" method=\"POST\">
                    <input type=\"hidden\" name=\"step\" value=\"2\" />
                    <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                    <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                    <input type=\"submit\" name=\"Change\" value=\"Change\" />
                </form>";
        }
        else {
            // Both new passwords do not match.
            $html     .= "<pre>Both passwords must match.</pre>";
            $hide_form = false;
        }
    }
}

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check to see if both password match
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the end user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with the passwords matching
        echo "<pre>Passwords did not match.</pre>";
        $hide_form = false;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

recaptcha_check_answer( p r i v k e y , privkey, privkey,remoteip, c h a l l e n g e , challenge, challenge,response)参数 p r i v k e y 是 服 务 器 申 请 的 p r i v a t e k e y , privkey是服务器申请的private key , privkeyprivatekeyremoteip是用户的ip, c h a l l e n g e 是 r e c a p t c h a c h a l l e n g e f i e l d 字 段 的 值 , 来 自 前 端 页 面 , challenge 是recaptcha_challenge_field 字段的值,来自前端页面 , challengerecaptchachallengefieldresponse是 recaptcha_response_field 字段的值。

通过代码,发现step=2,和2个密码相同就可以直接写入数据库更新。不需要验证码正确。

step=1时需要匹配验证码,所以验证失败,无法修改密码。

在这里插入图片描述

step=2时,无需通过谷歌验证码验证。2个密码一样即可通过验证,修改密码。

在这里插入图片描述

验证漏洞时,需要开个梯子。

Medium

Unknown Vulnerability Source
vulnerabilities/captcha/source/medium.php
<?php

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    }
    else {
        // CAPTCHA was correct. Do both new passwords match?
        if( $pass_new == $pass_conf ) {
            // Show next stage for the user
            echo "
                <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
                <form action=\"#\" method=\"POST\">
                    <input type=\"hidden\" name=\"step\" value=\"2\" />
                    <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                    <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                    <input type=\"hidden\" name=\"passed_captcha\" value=\"true\" />
                    <input type=\"submit\" name=\"Change\" value=\"Change\" />
                </form>";
        }
        else {
            // Both new passwords do not match.
            $html     .= "<pre>Both passwords must match.</pre>";
            $hide_form = false;
        }
    }
}

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check to see if they did stage 1
    if( !$_POST[ 'passed_captcha' ] ) {
        $html     .= "<pre><br />You have not passed the CAPTCHA.</pre>";
        $hide_form = false;
        return;
    }

    // Check to see if both password match
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Update database
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the end user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with the passwords matching
        echo "<pre>Passwords did not match.</pre>";
        $hide_form = false;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

Medium级别的代码增加了passed_captcha=ture的验证,本质上没有区别。依旧可以通过参数step、passed_captcha进行绕过。
在这里插入图片描述
在这里插入图片描述

step=2成功绕过passed_captcha=ture

在这里插入图片描述

High

Unknown Vulnerability Source
vulnerabilities/captcha/source/high.php
<?php

if( isset( $_POST[ 'Change' ] ) ) {
    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_conf = $_POST[ 'password_conf' ];

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    if (
        $resp || 
        (
            $_POST[ 'g-recaptcha-response' ] == 'hidd3n_valu3'
            && $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA'
        )
    ){
        // CAPTCHA was correct. Do both new passwords match?
        if ($pass_new == $pass_conf) {
            $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
            $pass_new = md5( $pass_new );

            // Update database
            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
            $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

            // Feedback for user
            echo "<pre>Password Changed.</pre>";

        } else {
            // Ops. Password mismatch
            $html     .= "<pre>Both passwords must match.</pre>";
            $hide_form = false;
        }

    } else {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

// Generate Anti-CSRF token
generateSessionToken();

?>

可以看到,服务器的验证逻辑是当$resp(这里是指谷歌返回的验证结果)是false,并且参数g-recaptcha_response_field不等于hidd3n_valu3(或者http包头的User-Agent参数不等于reCAPTCHA)时,就认为验证码输入错误,反之则认为已经通过了验证码的检查。

在这里插入图片描述

$resp不可控,修改UA头和g-recaptcha-response绕过

在这里插入图片描述

Impossible

Unknown Vulnerability Source
vulnerabilities/captcha/source/impossible.php
<?php

if( isset( $_POST[ 'Change' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Hide the CAPTCHA form
    $hide_form = true;

    // Get input
    $pass_new  = $_POST[ 'password_new' ];
    $pass_new  = stripslashes( $pass_new );
    $pass_new  = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_new  = md5( $pass_new );

    $pass_conf = $_POST[ 'password_conf' ];
    $pass_conf = stripslashes( $pass_conf );
    $pass_conf = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_conf ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_conf = md5( $pass_conf );

    $pass_curr = $_POST[ 'password_current' ];
    $pass_curr = stripslashes( $pass_curr );
    $pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_curr = md5( $pass_curr );

    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key' ],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        echo "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
    }
    else {
        // Check that the current password is correct
        $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
        $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
        $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
        $data->execute();

        // Do both new password match and was the current password correct?
        if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) {
            // Update the database
            $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
            $data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
            $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
            $data->execute();

            // Feedback for the end user - success!
            echo "<pre>Password Changed.</pre>";
        }
        else {
            // Feedback for the end user - failed!
            echo "<pre>Either your current password is incorrect or the new passwords did not match.<br />Please try again.</pre>";
            $hide_form = false;
        }
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

Impossible级别的代码增加了Anti-CSRF token 机制防御CSRF攻击,利用PDO技术防护sql注入,验证码无法绕过,同时要求用户输入旧密码,hacker不知道旧密码的情况下无法通过认证。

Roderick_R
关注
  • 1
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
django-insecure:不安全的Django应用程序示例
05-16
具有许多内置安全漏洞的简单Django应用程序 带有示例和解释的相应文章: 其中一些被 像这样运行它: bandit -r ./insecure/security ...不安全的反序列化(不安全使用Python pickle ) 跨站点脚本(XSS)
5、DVWA、Vulnerability: Insecure CAPTCHA
qq_44598397的博客
09-25 803
5、Vulnerability: Insecure CAPTCHA 以上代码的作用为判断新的代码和验证的代码是否相同,相同则更改成功,否则报错。 具体函数可参考暴力破解: 主要用处之一有:mysqli_real_escape_string()会将转义特殊字符,一定程度上防止SQL注入。 Low 这里我们还是直接来看代码 1、服务器通过调用recaptcha_check_answer函数检查用户...
DVWA之Insecure Captcha
谢公子的博客
08-05 5356
Insecure CAPTCHA Insecure CAPTCHA,意思是不安全验证码CAPTCHA是Completely Automated Public Turing Test to Tell Computers and Humans Apart (全自动区分计算机和人类的图灵测试)的简称。但个人觉得,这一模块的内容叫做不安全的验证流程更妥当些,因为这块主要是验证流程出现了逻辑漏洞,谷歌...
DVWA:Insecure CAPTCHA(不安全验证码绕过)
shmilyzmy的博客
10-22 1170
low 1.首先在burpsuite中打开代理,即图中的第一步,登录dvwa 2.修改安全等级 ,分析源码 3.返回burpsuite开启代理之后,回到dvwa界面,(切记记住输入的密码)点击change提交,之后再返回burpsuite,可看见服务器返回的表单 检查用户输入的验证码验证码通过后服务器返回表单 客户端提交post请求,服务器完成更改密码的操作 全选后鼠标右击,点击send to repeater medium 前面步骤...
DVWA 之 Insecure CAPTCHA(不安全验证码
RexHa的博客
10-03 1240
DVWA 不安全验证码
DVWA通关详解
weixin_45808483的博客
11-19 3435
Vulnerability: Brute Force Security level is currently: low. 分析源码: 没有做身份验证 <?php //检查变量是否设置(先看有没有Login参数) if( isset( $_GET[ 'Login' ] ) ) { //获取密码,存入pass变量中 $user = $_GET[ 'username' ]; //获取密码 $pass = $_GET[ 'password' ]; //将密码使用md5加密 $
Insecure CAPTCHA
angry_program的博客
02-07 418
前言 Insecure CAPTCHA,意思是不安全验证码CAPTCHA是Completely Automated Public Turing Test to Tell Computers and Humans Apart (全自动区分计算机和人类的图灵测试)的简称。但个人觉得,这一模块的内容叫做不安全的验证流程更妥当些,因为这块主要是验证流程出现了逻辑漏洞, 并不是验证码API本身的漏洞...
DVWA11_Insecure CAPTCHA(不安全验证码
weixin_44193247的博客
03-12 3356
DVWA漏洞复现练习篇
DVWA通关攻略之不安全验证码
勿山几已
05-22 377
简单介绍不安全验证码漏洞及其利用方式
Insecure CAPTCHA——黑盒测试
2301的博客
11-19 212
DVWA-不安全的验证全级别教程
#笔记(二十七)#dvwa漏洞Insecure CAPTCHA 小结
vircorns的博客
02-23 538
Insecure CAPTCHA
信息安全_数据安全_The_Insecure_Software_Developmen.pdf
08-22
信息安全_数据安全_The_Insecure_Software_Developmen 安全威胁 安全威胁 安全对抗 移动安全 安全运营
webappsec-upgrade-insecure-requests:WebAppSec升级不安全请求
05-05
规范“ webappsec升级不安全请求” 这是webappsec-upgrade-insecure-requests的存储库。 欢迎您来贡献! 让我们摆脱困境吧!
详解HTTP Upgrade-Insecure-Requests
12-22
浏览器Upgrade-Insecure-Requests详解 搭建HTTPS服务器时经常会遇到该请求头
adbd Insecure 2.0
01-07
adbd Insecure(超级adbd)能让您在已经ROOT的设备上强制以ROOT模式运行adbd(注意,如果您运行的是第三方内核,则可能已经具备了这项功能)。如果您的设备上运行的是原生(设备制造商的)内核,那么adbd就会以...
File Upload(文件上传)
qq_42176207的博客
05-06 3123
File Upload(文件上传) File Upload,即文件上传漏洞,指用户上传了一个可执行的脚本文件,并通过此脚本文件获得了执行服务器端命令的能力。通常是由于对上传文件的类型、内容没有进行严格的过滤、检查,使得攻击者可以通过上传木马获取服务器的webshell权限。 Low File Upload Source vulnerabilities/upload/source/low.php <?php if( isset( $_POST[ 'Upload' ] ) ) { // Wher
Command Injection(命令注入)
qq_42176207的博客
05-05 1749
Command Injection(命令注入) Command Injection,即命令注入,是指攻击者可以能够控制操作系统上的一些命令。和RCE不同,命令注入执行的是一个命令,而RCE是执行代码。 LOW Command Injection Source vulnerabilities/exec/source/low.php <?php if( isset( $_POST[ 'Submit' ] ) ) { // Get input $target = $_REQUEST[
Brute Force(暴力破解)
qq_42176207的博客
05-05 569
Brute Force 暴力破解,是指攻击者使用账号或密码字典,使用穷举法猜解出用户账号或口令,是广泛使用的攻击手法。理论上利用这种方法可以破解任何一种密码,问题只在于如何缩短试误的时间。有些人运用计算机来增加效率,有些人辅以字典来缩小密码组合的范围。 可以在DVWA Security设置等级 Low 后端的代码 //Brute Force Source //vulnerabilities/brute/source/low.php <?php //获取账号密码时,未对用户的输入做过滤和限制,很明显
Insecure CAPTCHA修复建议
最新发布
12-20
Insecure CAPTCHA修复建议如下: 1. 使用更强大的验证码:考虑使用更复杂和难以破解的验证码,例如图像验证码、滑动验证码或者数学题验证码。这些验证码可以提高安全性,防止自动化脚本和机器人攻击。 2. 添加时间...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值