Insecure CAPTCHA

Insecure CAPTCHA 简介

Insecure CAPTCHA，意为不安全的验证码，CAPTCHA 全称是 Completely Automated Public Turing Test to Tell Computers and Humans Apart (全自动区分计算机和人类的图灵测试)

相信以往在访问网页的时候，大家或多或少地接触过如下的人机验证

Insecure-CAPTCHA

验证码的确是解决 CSRF 漏洞的一大利器，不过这里的不安全验证码我个人觉得更偏向于描述不安全的验证逻辑，谷歌提供的验证码服务的确很好地区别开了人与机器，而且无漏洞利用可言，只有当网站服务器验证思路不严谨时才会导致该种安全事件的发生

所以 DVWA 的这一分栏更多的是偏向代码审计，找到服务器验证流程的逻辑缺陷

Low

在开始之前，因为我们没有配置过谷歌该应用接口的秘钥，所以会在网页中报错，并让你去下面的那个网站里申请

Insecure-CAPTCHA

我们也没必要科学上网，怪麻烦的，直接在 config.inc.php 里随便改个值就好了，毕竟验证系统本身是没有问题的，我们要找的是网站自身代码的问题

Insecure-CAPTCHA

返回到 DVWA 中重新访问该分栏，就显示了一个和 CSRF 差不多的改密码对话框，Change 按钮的上面应该还有个验证码区域，因为没有科学上网，所以显示不出来

Insecure-CAPTCHA

那么直接来看源码

// vulnerabilities/captcha/source/low.php
// step 1

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_conf = $_POST[ 'password_conf' ];

	// Check CAPTCHA from 3rd party
	$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
		$_SERVER[ 'REMOTE_ADDR' ],
		$_POST[ 'recaptcha_challenge_field' ],
		$_POST[ 'recaptcha_response_field' ] );

	// Did the CAPTCHA fail?
	if( !$resp->is_valid ) {
		// What happens when the CAPTCHA was entered incorrectly
		$html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
		$hide_form = false;
		return;
	}
	else {
		// CAPTCHA was correct. Do both new passwords match?
		if( $pass_new == $pass_conf ) {
			// Show next stage for the user
			$html .= "
				<pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
				<form action=\"#\" method=\"POST\">
					<input type=\"hidden\" name=\"step\" value=\"2\" />
					<input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
					<input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
					<input type=\"submit\" name=\"Change\" value=\"Change\" />
				</form>";
		}
		else {
			// Both new passwords do not match.
			$html     .= "<pre>Both passwords must match.</pre>";
			$hide_form = false;
		}
	}
}

可以看出，除了需要 POST 修改的密码以外，还要 POST 用于验证码判断的参数和一个 step 参数来表明现在的操作是第几步

第一步就是调用 recaptcha_check_answer 在第三方服务那里进行人机验证，如果验证通过且新密码与确认密码相同，就允许进行第二步

// step 2

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_conf = $_POST[ 'password_conf' ];

	// Check to see if both password match
	if( $pass_new == $pass_conf ) {
		// They do!
		$pass_new = mysql_real_escape_string( $pass_new );
		$pass_new = md5( $pass_new );

		// Update database
		$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
		$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );

		// Feedback for the end user
		$html .= "<pre>Password Changed.</pre>";
	}
	else {
		// Issue with the passwords matching
		$html .= "<pre>Passwords did not match.</pre>";
		$hide_form = false;
	}

	mysql_close();
}

第二步就直接将修改值更新到数据库中了

那么我们抓包直接把 step 改成 2，是不是就可以绕过验证了呢

Insecure-CAPTCHA

因此，CSRF 漏洞在这里仍可以无脑利用，创建个钓鱼网站欺骗受害者点击，神不知鬼不觉中修改用户密码

Medium

源码

步骤一加了个 passed_captcha 隐藏域，步骤二里加了一个判断

// vulnerabilities/captcha/source/medium.php
// step 1 部分代码
$html .= "
	<pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
	<form action=\"#\" method=\"POST\">
		<input type=\"hidden\" name=\"step\" value=\"2\" />
		<input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
		<input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
		<input type=\"hidden\" name=\"passed_captcha\" value=\"true\" />
		<input type=\"submit\" name=\"Change\" value=\"Change\" />
	</form>";

// step 2 部分代码
if( !$_POST[ 'passed_captcha' ] ) {
	$html     .= "<pre><br />You have not passed the CAPTCHA.</pre>";
	$hide_form = false;
	return;
}

可以说是没有什么改进，同样抓包加个 passed_captcha 参数，就可以修改密码了，CSRF 稳吃

Insecure-CAPTCHA

High

源码

// vulnerabilities/captcha/source/high.php

<?php

if( isset( $_POST[ 'Change' ] ) ) {
	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_conf = $_POST[ 'password_conf' ];

	// Check CAPTCHA from 3rd party
	$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
		$_SERVER[ 'REMOTE_ADDR' ],
		$_POST[ 'recaptcha_challenge_field' ],
		$_POST[ 'recaptcha_response_field' ] );

	// Did the CAPTCHA fail?
	if( !$resp->is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' || $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) ) {
		// What happens when the CAPTCHA was entered incorrectly
		$html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
		$hide_form = false;
		return;
	}
	else {
		// CAPTCHA was correct. Do both new passwords match?
		if( $pass_new == $pass_conf ) {
			$pass_new = mysql_real_escape_string( $pass_new );
			$pass_new = md5( $pass_new );

			// Update database
			$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
			$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );

			// Feedback for user
			$html .= "<pre>Password Changed.</pre>";
		}
		else {
			// Ops. Password mismatch
			$html     .= "<pre>Both passwords must match.</pre>";
			$hide_form = false;
		}
	}

	mysql_close();
}

// Generate Anti-CSRF token
generateSessionToken();

?>

现在不分步了，合在一起处理，来看关键判断代码

1	if( !$resp->is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' \|\| $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) )

若人机验证返回结果为失败（!$resp->is_valid）且 recaptcha_response_field 或请求头中的 User-Agent 其中一个参数不为其应为的值，即为验证失败，直接 return

这里有逻辑漏洞，如果我们让 $_POST[ ‘recaptcha_response_field’ ] = ‘hidd3n_valu3’ 且 $_SERVER[ ‘HTTP_USER_AGENT’ ] = ‘reCAPTCHA’，这条判断句就不成立了

Insecure-CAPTCHA

正确的逻辑应该是这样的

1	if( !$resp->is_valid && $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' && $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' )

或者说这样

1	if( !( $resp->is_valid && $_POST[ 'recaptcha_response_field' ] == 'hidd3n_valu3' && $_SERVER[ 'HTTP_USER_AGENT' ] == 'reCAPTCHA' ) )

PS. 有一个可以吐槽的地方，最后调用 generateSessionToken 生成 token，前面又没有 checkToken，生成来干嘛……估计是用 Impossible 的代码来改没删干净？

Impossible

源码

// vulnerabilities/captcha/source/impossible.php

<?php

if( isset( $_POST[ 'Change' ] ) ) {
	// Check Anti-CSRF token
	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_new  = stripslashes( $pass_new );
	$pass_new  = mysql_real_escape_string( $pass_new );
	$pass_new  = md5( $pass_new );

	$pass_conf = $_POST[ 'password_conf' ];
	$pass_conf = stripslashes( $pass_conf );
	$pass_conf = mysql_real_escape_string( $pass_conf );
	$pass_conf = md5( $pass_conf );

	$pass_curr = $_POST[ 'password_current' ];
	$pass_curr = stripslashes( $pass_curr );
	$pass_curr = mysql_real_escape_string( $pass_curr );
	$pass_curr = md5( $pass_curr );

	// Check CAPTCHA from 3rd party
	$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
		$_SERVER[ 'REMOTE_ADDR' ],
		$_POST[ 'recaptcha_challenge_field' ],
		$_POST[ 'recaptcha_response_field' ] );

	// Did the CAPTCHA fail?
	if( !$resp->is_valid ) {
		// What happens when the CAPTCHA was entered incorrectly
		$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
		$hide_form = false;
		return;
	}
	else {
		// Check that the current password is correct
		$data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
		$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
		$data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
		$data->execute();

		// Do both new password match and was the current password correct?
		if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) {
			// Update the database
			$data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
			$data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
			$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
			$data->execute();

			// Feedback for the end user - success!
			$html .= "<pre>Password Changed.</pre>";
		}
		else {
			// Feedback for the end user - failed!
			$html .= "<pre>Either your current password is incorrect or the new passwords did not match.<br />Please try again.</pre>";
			$hide_form = false;
		}
	}
}

// Generate Anti-CSRF token
generateSessionToken();

?>

相比之前有几大改进

改密码时需要输入当前密码
判断条件只有 $resp->is_valid
使用 PDO 技术防止 SQL 注入
加入 token 机制