Complete explanation of PHP vulnerabilities (6) - Cross-site request forgery

CSRF (Cross Site Request Forgeries), which means cross-site request forgery, is also written as XSRF. The attacker forges the target user's HTTP request, and then sends this request to a website with a CSRF vulnerability. After the website executes this request, it triggers a cross-site request forgery attack. The attacker uses a covert HTTP connection to allow the target user to click this link without noticing. Since the user clicked it himself and is a legitimate user with legitimate permissions, the target user can execute specific HTTP commands within the website. link to achieve the attacker's purpose.
For example: When purchasing goods on a shopping website, use http://www.shop.com/buy.php?item=watch&num=1. The item parameter determines what item is to be purchased, and the num parameter determines the quantity to be purchased. If the attacker Send the link to the target user in a hidden way, then if the target user accidentally accesses it, the purchased quantity will become 1000
Example
Suiyuan Network PHP Message Board V1.0
Delete the message at will
//delbook.php This page Used to delete messages
include_once("dlyz.php"); //dlyz.php user verification permissions, only when the permission is admin can delete messages
include_once("../conn.php");
$del= $_GET["del"];
$id=$_GET["id"];
if ($del=="data")
{
$ID_Dele= implode(",",$_POST['adid'] );
$sql=”delete from book where id in (“.$ID_Dele.”)”;
mysql_query($sql);
}
else
{
$sql=”delete from book where id=”.$ id; //Pass the message ID to be deleted
mysql_query($sql);
}
mysql_close($conn);
echo “”;
echo “alert('Delete successfully!');”;
echo ” location= 'book.php';";
echo "";
?>
When we have admin permissions and submit http://localhost/manage/delbook.php?id=2, the message with id 2 will be deleted
Usage method:
We use ordinary users to leave messages (source code method), the content is
"delbook.php?id=2" />
"delbook.php?id=3" />
"delbook.php?id=4" />
"delbook.php?id=5" />
Insert 4 picture links and delete 4 id messages respectively. Then we return to the homepage to browse and see that there is no change. . The picture cannot be displayed
Now we log in with the administrator account and refresh the homepage. We will find that there is only one message left, and all other messages with the ID number specified in the picture link have been deleted.
The attacker inserts a hidden picture link in the message. This link has the effect of deleting the message. When the attacker accesses these picture links himself, he does not have permission, so he cannot see any effect. However, when the administrator logs in, , after viewing this message, the hidden link will be executed, and his authority is large enough, so these messages will be deleted
Change the administrator password
//pass.php
if($_GET["act"] )
{
$username=$_POST[“username”];
$sh=$_POST[“sh”];
$gg=$_POST[“gg”];
$title=$_POST[“title”] ;
$copyright=$_POST[“copyright”].”
Design and production: Hacker Contract Security Network”;
$password=md5($_POST[“password”]);
if(emptyempty($_POST[“password” ]))
{
$sql=”update gly set username=’”.$username.”’,sh=”.$sh.”,gg=’”.$gg.”’,title=’”.$ title."',copyright='".$copyright."' where id=1″;
}
else
{
$sql=”update gly set username=’”.$username.”’,password=’” .$password.”',sh=”.$sh.”,gg=’”.$gg.”’,title=’”.$title.”’,copyright=’”.$copyright.”’ where id =1″;
}
mysql_query($sql);
mysql_close($conn);
echo “”;
echo “alert('Modification successful!');”;
echo ” location='pass.php'; ”;
echo “”;
}
This file is used to modify the management password and some information about website settings. We can directly construct the following form:

Welcome to install and use Suiyuan Network PHP message board V1.0 (with audit function)! textarea><br><textarea name="”copyright”" rows="”6″" cols="”80″">Suiyuan Network PHP Guestbook V1.0 Copyright: Xiamen Suiyuan Network Technology 2005-2009<br> Undertake website construction and system customization Save the preferential host domain name textarea><br>form><br>body><br> as attack.html and put it on your own website http://www.sectop.com/attack.html. After accessing this page, it will automatically pass.php of the target program. Submit the parameters, change the username to root, and change the password to root. Then we go to the message board to send a message and hide the link. After managing access, his username and password are all changed to root<br>Prevention methods<br>Preventing CSRF is better than preventing Other attacks are more difficult, because although the HTTP request of CSRF is forged by the attacker, it is issued by the target user. Common prevention methods are as follows: <br>1. Check the source of the web page <br>2. Check the built-in hiding Variables<br>3. Use POST, do not use GET<br>Check the source of the webpage<br>Add the following code in red font to the //pass.php header to verify data submission<br>if($_GET["act"])<br>{<br>if(isset( $_SERVER["HTTP_REFERER"]))<br>{<br>$serverhost = $_SERVER["SERVER_NAME"];<br>$strurl = str_replace("http://","",$_SERVER["HTTP_REFERER"]);<br>$ strdomain = explode(“/”,$strurl);<br>$sourcehost = $strdomain[0];<br>if(strncmp($sourcehost, $serverhost, strlen($serverhost)))<br>{<br>unset($_POST);<br> echo "";<br>echo "alert('Data source abnormal!');";<br>echo ” location='index.php';";<br>echo "";<br>}<br>}<br>$username=$_POST["username ”];<br>$sh=$_POST[“sh”];<br>$gg=$_POST[“gg”];<br>$title=$_POST[“title”];<br>$copyright=$_POST[“copyright”] ."<br>Design and production: Xiamen Suiyuan Network Technology";<br>$password=md5($_POST["password"]);<br>if(emptyempty($_POST["password"]))<br>{<br>$sql="update gly set username='".$username."',sh=".$sh.",gg='".$gg."',title='".$title."',copyright='".$copyright .”' where id=1″;<br>}<br>else<br>{<br>$sql=”update gly set username=’”.$username.”’,password=’”.$password.”’,sh=”.$ sh.",gg='".$gg."',title='".$title."',copyright='".$copyright."' where id=1″;<br>}<br>mysql_query($sql) ;<br>mysql_close($conn);<br>echo “”;<br>echo “alert('Modification successful! ');";<br>echo ” location='pass.php';";<br>echo "";<br>}<br>Check the built-in hidden variables<br>We build a hidden variable and a session variable in the form, and then check the hidden variable and Whether the session variables are equal is used to determine whether the same web page is called <br>php<br>include_once("dlyz.php");include_once("../conn.php");if($_GET["act"]){ if (!isset($_SESSION["post_id"])){// Generate a unique ID and use MD5 to encrypt $post_id = md5(uniqid(rand(), true));// Create Session variable $_SESSION[ "post_id"] = $post_id;}// Check for equality if (isset($_SESSION["post_id"])){// Not equal if ($_SESSION["post_id"] != $_POST["post_id"] ){// Clear the POST variable unset($_POST);echo "<script language="javascript">";echo "alert('Data source abnormal!');";echo " location='index.php' ;";echo "script>";}}......<input type="reset" name="Submit2" value="Reset"><input type="hidden" name="post_id" value=" php echo $_SESSION["post_id"];?>">td>tr>table>form>php}mysql_close($conn);?><br/></script>