LOW级别
源码如下:
<?php
if( isset( $_GET[ 'Change' ] ) ) {
$pass_new = $_GET[ 'password_new' ]; // 获取用户输入的新密码
$pass_conf = $_GET[ 'password_conf' ]; //获取用户输入的确认密码
// Do the passwords match?
if( $pass_new == $pass_conf ) { //判断输入的两个密码是否一致
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
//更新数据
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// 输出密码修改成功
echo "<pre>Password Changed.</pre>";
}
else {
// 输入的两个密码不一致
echo "<pre>Passwords did not match.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?> 代码中的函数解释:
$GLOBALS["___mysqli_ston"]
PHP中的全局变量;___mysqli_ston 代表和数据库链接的对象mysqli;包含数据库连接需要的所有信息;用户名、密码、host等信息;是实现数据库查询更新的基础
$mysqli = new mysqli("localhost", "username", "password", "database");
$result = $mysqli->query("SELECT * FROM table");
while ($row = $result->fetch_assoc()) {
echo $row["name"];
}isset()函数:返回值为bool值
该函数用于检测变量是否已经设置/变量是否存在;如果已设置则返回true;否则返回false
源码中isset($GLOBALS["___mysqli_ston"])是判断是否设置了和数据库连接的对象;
is_object()函数:返回值为bool值
该函数用于检测变量是否是一个对象;是的话返回true;否则返回false
mysqli_real_escape_string()函数:防止sql注入
对字符串中的特殊字符进行转义:单引号、双引号、反斜杠(\)、NULL字符
两个参数:mysql连接、要转义的字符串
源码中mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new )是转义输入的新密码字符串;防止查询时sql注入
trigger_error()函数:返回值为bool类型
用于触发一个错误;并将错误记录到PHP的日志中;也可以发到屏幕上;成功触发则返回true,失败则返回false(这里失败是指的是错误类型设置错误)
两个参数:错误消息、错误类型
错误类型如下:
E_ERROR:致命错误
E_WARNING:警告
E_NOTICE:通知
E_USER_ERROR:用户错误
E_USER_WARNING:用户警告
E_USER_NOTICE:用户通知
源码中的意思是触发一个用户错误;信息为使用了已失效的转义函数,返回值都为空
mysqli_query()函数
执行一个sql语句,并返回一个mysqli_result对象;包含查询的结果
两个参数:mysql连接、查询的语句
mysqli_error()函数
返回最近一次mysql操作错误信息
一个参数:mysql连接
mysqli_connect_error()函数
返回最近一次操作错误信息
一个参数:mysql连接
$___mysqli_res :用于接收mysql_close的返回值
mysqli_close()函数:返回值为bool类型
关闭一个mysql连接并释放相关的资源
一个参数:mysql连接
成功关闭mysql连接则返回true;否则返回false
is_null()函数:返回值为bool类型
判断是否为空;是则返回true;否则返回false
源码中((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);用于确认mysql连接被正常的关闭了;如果关闭了则返回true;没有关闭则会返回false
Medium级别
源码如下:
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// 检查referer字段的内容
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
// Get input
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Do the passwords match?
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update the database
$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
// Feedback for the user
echo "<pre>Password Changed.</pre>";
}
else {
// Issue with passwords matching
echo "<pre>Passwords did not match.</pre>";
}
}
else {
// Didn't come from a trusted source
echo "<pre>That request didn't look correct.</pre>";
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
?> 其中函数解释
相比LOW级别而言,里面多了一个检查referer字段的验证
stripos()函数
在一个字符串中查找另一个字符串是否存在;如果存在则返回位置;如果不存在则返回false
两个参数:用于搜索的字符串、用于查找的字符串
$_SERVER[]:获取当前运行脚本的信息
$_SERVER[ 'HTTP_REFERER' ]
获取http中referer字段的信息
$_SERVER[ 'SERVER_NAME' ]
获取当前访问的域名信息
High级别
源代码如下:
<?php
$change = false;
$request_type = "html";
$return_message = "Request Failed";
//采用post请求发送数据,指定文本类型
if ($_SERVER['REQUEST_METHOD'] == "POST" && array_key_exists ("CONTENT_TYPE", $_SERVER) && $_SERVER['CONTENT_TYPE'] == "application/json") {
$data = json_decode(file_get_contents('php://input'), true);
$request_type = "json";
if (array_key_exists("HTTP_USER_TOKEN", $_SERVER) &&
array_key_exists("password_new", $data) &&
array_key_exists("password_conf", $data) &&
array_key_exists("Change", $data)) {
$token = $_SERVER['HTTP_USER_TOKEN'];
$pass_new = $data["password_new"];
$pass_conf = $data["password_conf"];
$change = true;
}
} else {
if (array_key_exists("user_token", $_REQUEST) &&
array_key_exists("password_new", $_REQUEST) &&
array_key_exists("password_conf", $_REQUEST) &&
array_key_exists("Change", $_REQUEST)) {
$token = $_REQUEST["user_token"];
$pass_new = $_REQUEST["password_new"];
$pass_conf = $_REQUEST["password_conf"];
$change = true;
}
}
//通过token进行检测
if ($change) {
// Check Anti-CSRF token
checkToken( $token, $_SESSION[ 'session_token' ], 'index.php' );
// Do the passwords match?
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = mysqli_real_escape_string ($GLOBALS["___mysqli_ston"], $pass_new);
$pass_new = md5( $pass_new );
// Update the database
$insert = "UPDATE `users` SET password = '" . $pass_new . "' WHERE user = '" . dvwaCurrentUser() . "';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $insert );
// Feedback for the user
$return_message = "Password Changed.";
}
else {
// Issue with passwords matching
$return_message = "Passwords did not match.";
}
mysqli_close($GLOBALS["___mysqli_ston"]);
if ($request_type == "json") {
generateSessionToken();
header ("Content-Type: application/json");
print json_encode (array("Message" =>$return_message));
exit;
} else {
echo "<pre>" . $return_message . "</pre>";
}
}
// Generate Anti-CSRF token
generateSessionToken();
?> 代码函数解析:
checkToken( $token, $_SESSION[ 'session_token' ], 'index.php' );
检查http中的token和session中的token是否一致;如果一致则返回true;如果不一致则重定向到index.php界面
generateSessionToken();
重新获取token
该源码只接收POST请求的数据,然后检查token来验证身份
Impossible级别
源代码如下:
<?php
if( isset( $_GET[ 'Change' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$pass_curr = $_GET[ 'password_current' ];
$pass_new = $_GET[ 'password_new' ];
$pass_conf = $_GET[ 'password_conf' ];
// Sanitise current password input
$pass_curr = stripslashes( $pass_curr );
$pass_curr = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_curr ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_curr = md5( $pass_curr );
// Check that the current password is correct
$data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
$data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
$data->execute();
// Do both new passwords match and does the current password match the user?
if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) {
// It does!
$pass_new = stripslashes( $pass_new );
$pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
$pass_new = md5( $pass_new );
// Update database with new password
$data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
$data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
$data->execute();
// Feedback for the user
echo "<pre>Password Changed.</pre>";
}
else {
// Issue with passwords matching
echo "<pre>Passwords did not match or current password incorrect.</pre>";
}
}
// Generate Anti-CSRF token
generateSessionToken();
?> 代码中函数解析:
stripslashes()函数
去除字符串中的反斜杠转义字符(\)
$data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); //准备一条语句并放到服务器端进行编译;固定语句的格式;方便使用
$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); //绑定用户名
$data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); //绑定密码
$data->execute(); //执行mysql语句
rowCount():返回上一次mysql语句执行变化的行数
该源码通过token+原密码验证确保了csdf无法渗透
10
