DVWA hands-on tutorial (3) - CSRF vulnerability

Posted by millikan at 2020-03-04


Long time no see.

Boo-hoo, don't hit me, not the face,,

I've been away on business lately and haven't had a weekend,

and I have to work overtime until nine,


I've also found in the course of this work that

many developers don't understand the CSRF vulnerability,

let alone how to fix it,

It doesn't matter. Let's go over it again today.

Should I plug my public account to the developers? (insert funny face here)

A few words I want to say:

Security and development should not be enemies!

We are family!!!!

Why do I say that?

I keep feeling like I'm about to be attacked by the developers in that room,

especially in the last few days since the project was completed,

Ugh, if only they couldn't see me...

-------- the dividing line ----------

Welcome to the CSRF vulnerability chapter. Here, please allow me to be the "soul painter" (hand-drawn diagrams ahead)!! First, a brief introduction to the CSRF vulnerability:

CSRF: Cross-Site Request Forgery

You can understand it as follows:

The attacker hijacks your identity and sends a malicious request in your name. To the server the request is completely legitimate,

but it completes an operation the attacker wanted: sending email or messages in your name, stealing your account, adding a system administrator, even purchasing goods or transferring virtual currency, and so on.

Who is rabbitmask? That's a little self-promotion.. Feel free to search Baidu for rabbitmask and my Blog Garden page, and follow along with the course~

1. User C opens the browser, visits the trusted website A, and enters a user name and password to request a login to website A;

2. After the user's information is verified, website A generates cookie information and returns it to the browser. The user is now logged in to website A and can send requests to website A normally;

3. Before logging out of website A, the user opens a new tab in the same browser and visits website B;

4. After receiving the user's request, website B returns some attack code and issues a request to the third-party website A;

5. After receiving this attack code, the browser, following website B's request and without the user's knowledge, carries the cookie information and sends a request to website A. Website A does not know that the request was actually initiated by B, so it processes the request with C's permissions according to user C's cookie, and the malicious request from website B is executed.

In DVWA's CSRF vulnerability, we can see that the password reset is an operation the website considers completely legitimate, and it is exactly what the attacker intends.

Key point, pay attention: to determine whether a CSRF vulnerability exists, modify the Referer header, or delete the Referer header entirely, and see whether the website still responds normally.

The conclusion here is obvious: there is a CSRF vulnerability!
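As an added example (not from the original post and not DVWA's own code), here is a minimal Python model of a "change password" handler: first as the page describes it, where the session cookie alone authorises the request, then hardened with the Origin/Referer check that the test above probes for, plus a per-session CSRF token. The origins, cookie name and parameter names are assumed sample values.

```python
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "http://dvwa.example"      # constructed sample origin for website A
ATTACK_ORIGIN = "http://evil.example"    # constructed sample origin for website B


def _session_user(request, sessions):
    # The browser attaches the cookie automatically, so this lookup succeeds for forged requests too.
    return sessions.get(request["cookies"].get("PHPSESSID"))


def vulnerable_change_password(request, sessions):
    """The behaviour the page demonstrates: a valid session cookie is all it takes."""
    user = _session_user(request, sessions)
    if user is None:
        return 401
    user["password"] = request["params"]["password_new"]
    return 200


def request_origin(headers):
    """Origin if present, otherwise scheme+host of the Referer; None when both are missing."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        u = urlparse(headers["Referer"])
        return f"{u.scheme}://{u.netloc}"
    return None


def hardened_change_password(request, sessions):
    """Same handler with a same-origin check and a synchronizer token the attacker's page cannot read."""
    user = _session_user(request, sessions)
    if user is None:
        return 401
    if request["method"] != "POST":                          # state changes never ride on GET
        return 405
    if request_origin(request["headers"]) != SITE_ORIGIN:    # absent or foreign Origin/Referer
        return 403
    sent = request["params"].get("csrf_token", "")
    if not secrets.compare_digest(sent, user["csrf_token"]):
        return 403
    user["password"] = request["params"]["password_new"]
    return 200


def run_scenario():
    """Status codes for a forged GET, a forged POST (Burp-style PoC) and a legitimate same-origin POST."""
    sessions = {"s1": {"name": "admin", "password": "password", "csrf_token": secrets.token_hex(16)}}
    cookies, forged_params = {"PHPSESSID": "s1"}, {"password_new": "admin", "password_conf": "admin"}
    forged_get = {"method": "GET", "cookies": cookies, "headers": {"Referer": ATTACK_ORIGIN + "/poc.html"}, "params": forged_params}
    forged_post = dict(forged_get, method="POST")
    legit = {"method": "POST", "cookies": cookies, "headers": {"Origin": SITE_ORIGIN},
             "params": {"password_new": "n3w", "password_conf": "n3w", "csrf_token": sessions["s1"]["csrf_token"]}}
    return (vulnerable_change_password(forged_get, sessions), hardened_change_password(forged_get, sessions),
            hardened_change_password(forged_post, sessions), hardened_change_password(legit, sessions))
```

Note that a missing Referer also occurs for legitimate clients (privacy settings, Referrer-Policy), so the token is the primary defence and the Origin/Referer comparison only a secondary one; the page's "delete the Referer and see if it still works" test tells you the site relies on neither.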

Let's briefly discuss exploiting CSRF vulnerabilities,

I'm not trying to teach you anything bad. If you want to go that way, learn social engineering properly first

We construct a URL from the packet captured above, generate a web page from it and put it on the Internet so it can be called. Here I put it on my personal server (which I won't expose)

We use an HTML tag to make it less conspicuous.

Here I put it in the root directory of my personal website and call it directly as IP/filename.

Upload it to the server via FTP. If you want to learn how to set up an FTP server with Serv-U, please search for resources online. If you need cracked tools and tutorials, send me a private message (note: not an advertisement, a tutorial will follow later)

It's just like peeking at you. It's funny~

Log in to DVWA with the current user's password, open a new tab, and enter the URL we constructed~

Then go back to our login page and log in with the old password

Log in with the new password admin

Welcome back. CSRF exploitation: password modification succeeded.

The vulnerability here in DVWA is a GET-method submission

Here I'll briefly talk about exploiting a CSRF vulnerability where the submission uses the POST method

The steps are basically the same as for the GET method, except that constructing the HTML is handed entirely to Burp Suite

(What? Why is it grey? Because I was lazy and didn't capture the packet)

Use the Generate CSRF PoC function

Burp Suite will generate the HTML source code for you

Copy, paste and save; that is the HTML file we need

Then just upload it to a third-party website, like the GET method above

Here's something I don't have an answer to! Really! Open for discussion:

Burp Suite automatically generates the POST-method CSRF exploit code, but a Chinese encoding problem in it causes the exploit to fail,

Failure: the server treats the encoded (garbled) text as a threat and returns an error message

Solution: delete the garbled text, or replace it with plain digits

Conclusion: fortunately my job is only penetration testing, and the above operations have proved that the CSRF is exploitable,

But!!! I just want to write Chinese!! What to do about it!!


Second attempt:

I've found the reason for the last failure:

You can see that the HTML constructed by Burp Suite is mercilessly altered when pasted

I asked a lot of experts about a solution, but nothing worked.

So here is another CSRF tool: CSRFTester

(for the time being, I won't explain how to use it)

When you see this, it's over

Yes, two places where the Chinese got transcoded, over....


Third attempt:

The manual method is a good one. Shouldn't I have thought of it long ago?

Well, I'm stupid...

Huh? Does the server receive the data without decoding it?

Try again! Submit the decoded data directly

What the hell! What a mess! Can it decode it or not!

HTML transcoding, by the way, this is indeed HTML transcoding,

because the Chinese characters for "light bulb" and the strange HTML code above are judged the same by the server

To sum up: the reasoning is very clear and the result is very unfriendly,

From the work experience of the experts I know that

this does not happen with all Chinese text,

but it did for me, and I didn't manage to exploit it successfully

Of course, for a penetration test this is enough. As I said before, deleting the text verifies it successfully

But my obsessive-compulsive side is still sorry about it

I have no choice: I'm a blank in the fields of server configuration and source code development

I can only leave this blank for the experts in those fields

Solutions are welcome, discussion is welcome