


Complete explanation of PHP vulnerabilities: cross-site request forgery
Abstract: This article mainly introduces cross-site request forgery for PHP websites. In every CSRF attack method, the attacker forges an HTTP request that appears to be initiated by another user. In fact, tracking the HTTP request sent by a user is the attacker's purpose. ...
When reprinting, please credit: PHP vulnerability full solution (6) - cross-site request forgery
CSRF (Cross Site Request Forgeries) means cross-site request forgery, and is also written as XSRF. The attacker forges an HTTP request from the target user and then sends this request to a website with a CSRF vulnerability. When the website executes this request, the cross-site request forgery attack is triggered. The attacker uses a covert HTTP connection so that the target user clicks the link without noticing. Because the user clicked it himself and is a legitimate user with legitimate permissions, the specific HTTP command in the link is executed within the website with the target user's rights, which achieves the attacker's purpose.
For example: when purchasing goods on a shopping website, the request is http://www.shop.com/buy.php?item=watch&num=1. The item parameter determines which item is purchased, and the num parameter determines the quantity purchased. If the attacker sends a link to the target user in a hidden way and the target user accidentally accesses it, the purchased quantity becomes 1000.
Example
Suiyuan Network PHP Message Board V1.0
Delete the message at will
<?php
// delbook.php: this page is used to delete messages
include_once("dlyz.php"); // dlyz.php verifies user permissions; only admin may delete messages
include_once("../conn.php");
$del = $_GET["del"];
$id = $_GET["id"];
if ($del == "data")
{
    // Batch delete: the IDs arrive as a POSTed array
    $ID_Dele = implode(",", $_POST['adid']);
    $sql = "delete from book where id in (" . $ID_Dele . ")";
    mysql_query($sql);
}
else
{
    $sql = "delete from book where id=" . $id; // Pass the message ID to be deleted
    mysql_query($sql);
}
mysql_close($conn);
echo "<script>";
echo "alert('Delete successfully!');";
echo " location='book.php';";
echo "</script>";
?>
When we have admin permissions and submit http://localhost/manage/delbook.php?id=2, the message with id 2 will be deleted.
How it is exploited:
We leave a message as an ordinary user (in source-code mode) with the following content:
<img src="delbook.php?id=2" />
<img src="delbook.php?id=3" />
<img src="delbook.php?id=4" />
<img src="delbook.php?id=5" />
This inserts 4 picture links, each of which deletes the message with one of the 4 IDs. When we return to the homepage and browse, nothing has changed; the pictures simply cannot be displayed.
Now we log in with the administrator account and refresh the homepage. We find that there is only one message left, and all other messages with the ID numbers specified in the picture links have been deleted.
The attacker inserts hidden picture links in the message. Each link has the effect of deleting a message. When the attacker accesses these picture links himself, he does not have permission, so he cannot see any effect. However, when the administrator logs in and views this message, the hidden links are requested, and because his authority is sufficient, these messages are deleted.
Change the administrator password
<?php
// pass.php
// (the database connection setup is not shown on the page)
if ($_GET["act"])
{
    $username = $_POST["username"];
    $sh = $_POST["sh"];
    $gg = $_POST["gg"];
    $title = $_POST["title"];
    $copyright = $_POST["copyright"] . "
Design and production: Hacker Contract Security Network";
    $password = md5($_POST["password"]);
    if (empty($_POST["password"]))
    {
        // No new password submitted: update the other settings only
        $sql = "update gly set username='" . $username . "',sh=" . $sh . ",gg='" . $gg . "',title='" . $title . "',copyright='" . $copyright . "' where id=1";
    }
    else
    {
        // New password submitted: update it together with the settings
        $sql = "update gly set username='" . $username . "',password='" . $password . "',sh=" . $sh . ",gg='" . $gg . "',title='" . $title . "',copyright='" . $copyright . "' where id=1";
    }
    mysql_query($sql);
    mysql_close($conn);
    echo "<script>";
    echo "alert('Modification successful!');";
    echo " location='pass.php';";
    echo "</script>";
}
This file is used to modify the administrator password and some website settings. We can directly construct the following form:
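
Both delbook.php and pass.php above act on any request that carries the administrator's session, without checking that the request came from the site's own pages. As an added example (not part of the original article or the message board's code), the following per-session token check could be called by both scripts before they touch the database. The helper names, the csrf_token field name, the switch of the message id to the POST body and PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not the message board's code. All helper names are hypothetical.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Return the per-session token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every form that deletes or modifies data.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Pure check: POST only, token present on both sides, constant-time comparison.
function csrf_is_valid(string $method, $submitted, $expected): bool
{
    return $method === 'POST'
        && is_string($submitted) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Stop the request with 403 unless it is a POST carrying the session's token.
function csrf_require_valid_post(): void
{
    $ok = csrf_is_valid(
        $_SERVER['REQUEST_METHOD'] ?? '',
        $_POST['csrf_token'] ?? null,
        $_SESSION['csrf_token'] ?? null
    );
    if (!$ok) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
}

// Call order in delbook.php (pass.php is protected the same way):
//   include_once("dlyz.php");      // permission check from the article
//   csrf_require_valid_post();     // an <img src="delbook.php?id=2"> GET stops here
//   $id = (int) $_POST["id"];      // the id now comes from the POST body
```

Setting the SameSite attribute on the session cookie is a complementary control, not a replacement for the token.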
