PHP vulnerability: cross-site request forgery and methods to prevent forgery_PHP tutorial
WBOY
Release: 2016-07-21 14:58:57
Original
985 people have browsed it
Introduction to forged cross-site requests Forged cross-site requests are difficult to prevent and are extremely harmful. Attackers can use this method to play pranks, send spam messages, delete data, etc. Common forms of this attack include: Forging links to lure users to click, or allowing users to access without their knowledge Forging forms to lure users to submit. Forms can be hidden, disguised with images or links. A common and cheap prevention method is to add a random and frequently changing string to all forms that may involve user writing operations, and then check this string when processing the form. If this random string is associated with the current user identity, it will be more troublesome for the attacker to forge requests. If the attacker sends the link to the target user in a hidden way , then if the target user accidentally accesses it later, the purchased The number becomes 1000 Instances Suiyuan Network PHP Message Board V1.0
Copy code The code is as follows:
Delete messages at will //delbook.php This page is used to delete messages include_once("dlyz.php"); //dlyz.php user verification authority, when authority You can only delete messages when you are an admin include_once("../conn.php"); $del=$_GET["del"]; $id=$_GET["id"] ; if ($del=="data") { $ID_Dele= implode(",",$_POST['adid']); $sql="delete from book where id in (".$ID_Dele.")"; mysql_query($sql); } else { $sql="delete from book where id=".$id ; //Pass the message ID to be deleted mysql_query($sql); } mysql_close($conn); echo ""; ?>
When we have admin permissions and submit http://localhost/manage/delbook.php?id=2, the message with id 2 will be deleted Utilization method: We use ordinary User message (source code mode), the content is
Copy code The code is as follows:
Insert 4 picture links and delete 4 id messages respectively. Then we return to the homepage to browse and see that there is no change. . . The picture cannot be displayed Now when we log in with the administrator account and refresh the homepage, we will find that there is only one message left, and all other messages with the ID number specified in the picture link have been deleted. The attacker inserts a hidden picture link in the message. This link has the effect of deleting the message. When the attacker accesses these picture links himself, he does not have permission, so he cannot see any effect. However, when the administrator After logging in, if you view this message, the hidden link will be executed, and his authority is large enough, so these messages will be deleted Change the administrator password
Copy the code The code is as follows:
//pass.php if($_GET["act"]) { $username=$_POST["username"]; $sh=$_POST ["sh"]; $gg=$_POST["gg"]; $title=$_POST["title"]; $copyright=$_POST["copyright"]."< ;br/>Website:Script Home"; $password=md5($_POST["password"]); if(empty($_POST["password"])) { $sql="update gly set username='".$username."',sh=".$sh.",gg ='".$gg."',title='".$title."',copyright='".$copyright."' where id=1"; } else { $sql="update gly set username='".$username."',password='".$password."',sh=".$sh.",gg='".$gg."' ,title='".$title."',copyright='".$copyright."' where id=1"; } mysql_query($sql); mysql_close($conn); echo ""; } This file is used to modify some information about the management password and website settings. We can directly construct the following form:
< form action="http://localhost/manage/pass.php?act=xg" method="post" name="form1" id="form1">
Save as attack.html and put it on yourself After accessing the page http://www.jb51.net on the website, parameters will be automatically submitted to pass.php of the target program. The user name is changed to root and the password is changed to root. Then we go to the message board and send a message to hide this link. , after managing access, his username and password were all changed to root Prevent forged cross-site requests Yahoo’s way of dealing with fake cross-site requests is to add a random string called .crumb to the form; and Facebook also has Similar solutions, there are often post_form_id and fb_dtsg in its form. Implementation of random string code We follow this idea and copy the implementation of crumb. The code is as follows:
$uid in the code represents the user’s unique identifier, and $ttl represents the validity time of this random string. Application example Constructing a form Insert a hidden random string crumb into the form
Copy code The code is as follows:
Process form demo.php Check the crumb
Copy the code The code is as follows:
if(Crumb::verifyCrumb($uid, $_POST['crumb'])) { //Process the form according to the normal process } else { // Crumb verification failed, error prompt process } ?>
http://www.bkjia.com/PHPjc/328172.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/328172.htmlTechArticleIntroduction to Forged Cross-site Requests: Forged cross-site requests are difficult to prevent and are very harmful. Attackers can use this method Play pranks, send spam messages, delete data, etc. This attack is common...
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn