PHP vulnerability: cross-site request forgery and methods to prevent forgery_PHP tutorial

Introduction to forged cross-site requests
Forged cross-site requests are difficult to prevent and are extremely harmful. Attackers can use this method to play pranks, send spam messages, delete data, etc. Common forms of this attack include:
Forging links to lure users to click, or allowing users to access without their knowledge
Forging forms to lure users to submit. Forms can be hidden, disguised with images or links.
A common and cheap prevention method is to add a random and frequently changing string to all forms that may involve user writing operations, and then check this string when processing the form. If this random string is associated with the current user identity, it will be more troublesome for the attacker to forge requests.
If the attacker sends the link to the target user in a hidden way
, then if the target user accidentally accesses it later, the purchased The number becomes 1000
Instances
Suiyuan Network PHP Message Board V1.0

Copy code The code is as follows:

Delete messages at will
//delbook.php This page is used to delete messages
include_once("dlyz.php"); //dlyz.php user verification authority, when authority You can only delete messages when you are an admin
include_once("../conn.php");
$del=$_GET["del"];
$id=$_GET["id"] ;
if ($del=="data")
{
$ID_Dele= implode(",",$_POST['adid']);
$sql="delete from book where id in (".$ID_Dele.")";
mysql_query($sql);
}
else
{
$sql="delete from book where id=".$id ; //Pass the message ID to be deleted
mysql_query($sql);
}
mysql_close($conn);
echo "";
?>

When we have admin permissions and submit http://localhost/manage/delbook.php?id=2, the message with id 2 will be deleted
Utilization method:
We use ordinary User message (source code mode), the content is

Copy code The code is as follows:

Insert 4 picture links and delete 4 id messages respectively. Then we return to the homepage to browse and see that there is no change. . . The picture cannot be displayed
Now when we log in with the administrator account and refresh the homepage, we will find that there is only one message left, and all other messages with the ID number specified in the picture link have been deleted.
The attacker inserts a hidden picture link in the message. This link has the effect of deleting the message. When the attacker accesses these picture links himself, he does not have permission, so he cannot see any effect. However, when the administrator After logging in, if you view this message, the hidden link will be executed, and his authority is large enough, so these messages will be deleted
Change the administrator password

Copy the code The code is as follows:

//pass.php
if($_GET["act"])
{
$username=$_POST["username"];
$sh=$_POST ["sh"];
$gg=$_POST["gg"];
$title=$_POST["title"];
$copyright=$_POST["copyright"]."< ;br/>Website:Script Home";
$password=md5($_POST["password"]);
if(empty($_POST["password"]))
{
$sql="update gly set username='".$username."',sh=".$sh.",gg ='".$gg."',title='".$title."',copyright='".$copyright."' where id=1";
}
else
{
$sql="update gly set username='".$username."',password='".$password."',sh=".$sh.",gg='".$gg."' ,title='".$title."',copyright='".$copyright."' where id=1";
}
mysql_query($sql);
mysql_close($conn);
echo "";
}
This file is used to modify some information about the management password and website settings. We can directly construct the following form:

< form action="http://localhost/manage/pass.php?act=xg" method="post" name="form1" id="form1">





Welcome to install and use Suiyuan Network PHP message board V1.0 (with audit function)!
Suiyuan Network PHP Guestbook V1.0 Copyright: Xiamen Suiyuan Network Technology 2005-2009<br/> ; Undertake website construction and system customization and provide preferential host domain names

Save as attack.html and put it on yourself After accessing the page http://www.jb51.net on the website, parameters will be automatically submitted to pass.php of the target program. The user name is changed to root and the password is changed to root. Then we go to the message board and send a message to hide this link. , after managing access, his username and password were all changed to root
Prevent forged cross-site requests
Yahoo’s way of dealing with fake cross-site requests is to add a random string called .crumb to the form; and Facebook also has Similar solutions, there are often post_form_id and fb_dtsg in its form.
Implementation of random string code
We follow this idea and copy the implementation of crumb. The code is as follows:

Copy the code The code is as follows:

class Crumb {
CONST SALT = "your-secret-salt";
static $ttl = 7200;
static public function challenge($data) {
return hash_hmac('md5', $data, self::SALT);
}
static public function issueCrumb($uid, $action = -1) {
$i = ceil( time() / self::$ttl);
return substr(self::challenge($i . $action . $uid), -12, 10);
}
static public function verifyCrumb( $uid, $crumb, $action = -1) {
$i = ceil(time() / self::$ttl);
if(substr(self::challenge($i . $action . $uid), -12, 10) == $crumb ||
substr(self::challenge(($i - 1) . $action . $uid), -12, 10) == $crumb)
return true;
return false;
}
}

$uid in the code represents the user’s unique identifier, and $ttl represents the validity time of this random string.
Application example
Constructing a form
Insert a hidden random string crumb into the form

Copy code The code is as follows:

Process form demo.php
Check the crumb

Copy the code The code is as follows:

if(Crumb::verifyCrumb($uid, $_POST['crumb'])) {
//Process the form according to the normal process
} else {
// Crumb verification failed, error prompt process
}
?>

http://www.bkjia.com/PHPjc/328172.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/328172.htmlTechArticleIntroduction to Forged Cross-site Requests: Forged cross-site requests are difficult to prevent and are very harmful. Attackers can use this method Play pranks, send spam messages, delete data, etc. This attack is common...