razta
Posted July 25, 2009

Hello,

I'm trying to implement a Cross Site Request Forgery example into an open source project called Damn Vulnerable Web App. I am trying to implement a page that is vulnerable to CSRF that allows the admin to change his password.

```php
if (isset($_GET['Login'])) {
    // Admin login form
    $pass = $_GET['password'];
    $pass = mysql_real_escape_string($pass);
    $pass = md5($pass);

    $qry = "SELECT * FROM `users` WHERE user='admin' AND password='$pass';";
    $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>');

    if ($result && mysql_num_rows($result) == 1) {
        // Login Successful
        $html .= '
            <br><hr><br>
            Welcome to the password protected area admin.
            <br><br><br>
            <h3>Change your password:</h3>
            <br>
            <form action="#" method="GET">
                New password:<br>
                <input type="password" AUTOCOMPLETE="off" name="password_new"><br>
                Confirm new password: <br>
                <input type="password" AUTOCOMPLETE="off" name="password_conf">
                <br>
                <input type="submit" value="Change" name="Change">
            </form>';

        if (isset($_GET['Change'])) {
            // Change password
            $pass_new = $_GET['password_new'];
            $pass_conf = $_GET['password_conf'];

            if ($pass_new == $pass_conf) {
                $pass_new = mysql_real_escape_string($pass_new);
                $pass_new = md5($pass_new);

                $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
                $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

                $html .= "<pre> Password Changed </pre>";
                mysql_close();
            } else {
                $html .= "<pre> Passwords did not match. </pre>";
            }
        }
    } else {
        // Login failed
        $html .= "<pre><br>Password incorrect.</pre>";
        mysql_close();
    }
}
```

The problem being that when the 'Change' form is submitted the form reverts back to the admin login rather than displaying the $html variables.

Thank you in advance,
Ryan

Daniel0
Posted July 25, 2009

A form is not vulnerable to CSRF if it requires a password like yours does.
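
For reference, one way to protect a change-password form like the one in this thread: require POST, a per-session token, and the current password in the same request. This is an added example, not code from the thread or from Damn Vulnerable Web App; the function names, the `csrf_token` and `password_current` fields, and the sample passwords are assumptions, and the session is passed as an array so the script runs from the PHP command line.

```php
<?php
// Added example: hypothetical helpers, not DVWA code.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // unguessable, per session
    }
    return $session['csrf_token'];
}

// Render the change form as POST with the token in a hidden field.
function render_change_form(array &$session): string {
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form action="#" method="POST">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . 'Current password: <input type="password" name="password_current"><br>'
         . 'New password: <input type="password" name="password_new"><br>'
         . 'Confirm new password: <input type="password" name="password_conf"><br>'
         . '<input type="submit" value="Change" name="Change"></form>';
}

// Validate one request. Returns [ok, message, new password hash or null].
function handle_change(string $method, array $in, array &$session, string $storedHash): array {
    if ($method !== 'POST') {
        return [false, 'POST required', null];
    }
    $sent = $in['csrf_token'] ?? '';
    if (!is_string($sent) || empty($session['csrf_token']) || !hash_equals($session['csrf_token'], $sent)) {
        return [false, 'Invalid CSRF token', null];
    }
    if (!password_verify((string)($in['password_current'] ?? ''), $storedHash)) {
        return [false, 'Current password incorrect', null];
    }
    $new = (string)($in['password_new'] ?? '');
    if ($new === '' || !hash_equals($new, (string)($in['password_conf'] ?? ''))) {
        return [false, 'Passwords did not match', null];
    }
    return [true, 'Password Changed', password_hash($new, PASSWORD_DEFAULT)];
}

// Constructed sample data: one session, a request lacking the token, a genuine request.
$session = [];
$stored  = password_hash('old-secret', PASSWORD_DEFAULT);
render_change_form($session); // issues the token, as a page view would
$forged  = ['password_new' => 'x', 'password_conf' => 'x', 'Change' => 'Change'];
$genuine = $forged + ['csrf_token' => $session['csrf_token'], 'password_current' => 'old-secret'];
echo handle_change('GET',  $forged,  $session, $stored)[1], "\n";
echo handle_change('POST', $forged,  $session, $stored)[1], "\n";
echo handle_change('POST', $genuine, $session, $stored)[1], "\n";
```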
Archived
This topic is now archived and is closed to further replies.