Lab tools: WordPress <= 4.7.4, Burp Suite
Lab impact
CVSS Score: 6.8
Confidentiality Impact: Partial (There is considerable informational disclosure.)
Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): CSRF
CWE ID: 352
Lab scenario: while an administrator is logged in, clicking the submit button on a page the attacker has prepared in advance lets the attacker hijack the administrator's session to perform the action.
The vulnerable location is shown below:
Figure 28
The captured request looks like this:
There is no token parameter, i.e. no unpredictable authentication value is sent with the POST request, so we use Burp Suite's built-in CSRF PoC generator to build the HTML, adding the user testtest.
When the user clicks this submit button, a new user is created, as shown below:
Defences
1. Referer header check
2. Add a captcha
3. Token
4. Custom request header
Bypasses
1. Referer bypass: rename our CSRF file so that it contains the trusted domain name
2. First check whether the captcha actually takes effect; second, check whether the captcha stays valid across multiple requests
3. First look for the token generation rule; second, steal the token via XSS
4. Capture the request to see the private request headers, then create the request headers with XMLHttpRequest
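The following is an added example (not code from the original page or from WordPress) showing, in Python, how a server-side handler for the add-user form could apply the Referer/Origin check and the token defence from the list above. The trusted origin, session id and form field name are assumptions; the origin check compares the parsed scheme and host, so a path that merely contains the trusted domain name does not pass.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side secret and site origin: constructed for this example.
SECRET_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://wp.example.test"  # hypothetical WordPress site origin


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token to embed as a hidden field in the form.

    Binding the token to the session means a token captured from one
    session does not validate another, and the value cannot be guessed
    without SECRET_KEY.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def source_is_trusted(headers: dict) -> bool:
    """Check Origin (preferred) or Referer against the site origin.

    The URL is parsed and only scheme + host are compared, so a page at
    https://attacker.test/wp.example.test.html is rejected even though the
    trusted domain name appears in its path.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no source header at all: refuse the state change
    got, want = urlsplit(src), urlsplit(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def is_valid_csrf_request(session_id: str, form: dict, headers: dict) -> bool:
    """Both defences must pass before the add-user action is executed."""
    submitted = form.get("_csrf_token", "")  # hypothetical hidden field name
    token_ok = hmac.compare_digest(submitted, issue_csrf_token(session_id))
    return token_ok and source_is_trusted(headers)


if __name__ == "__main__":
    sid = "admin-session-123"  # constructed session id
    good = {"user_login": "alice", "_csrf_token": issue_csrf_token(sid)}
    forged = {"user_login": "testtest"}  # no token, like the captured request
    print(is_valid_csrf_request(sid, good, {"Origin": TRUSTED_ORIGIN}))
    print(is_valid_csrf_request(sid, forged,
                                {"Referer": "https://attacker.test/wp.example.test.html"}))
```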