Low level
![](https://upload-images.jianshu.io/upload_images/10969538-1468cff7567bbfe9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/337/format/webp)
Capture the request
![](https://upload-images.jianshu.io/upload_images/10969538-fd37f06e368e1164.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/695/format/webp)
Normal redirect
![](https://upload-images.jianshu.io/upload_images/10969538-a7b1efc940846fad.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/459/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-5281656182f3f5f0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/797/format/webp)
Here we change the password to qwer
![](https://upload-images.jianshu.io/upload_images/10969538-0962e4ddcd4017f9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/725/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-b8756a7eb298436f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/620/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-d1a93148ae5f9c75.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/521/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-894b8c9be6452f9b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/899/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-065b8c94a2f8b83e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/781/format/webp)
Successfully logged in to DVWA
![](https://upload-images.jianshu.io/upload_images/10969538-091c7548a70dc1cb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/826/format/webp)
CSRF Medium level:
To begin, capture the request
![](https://upload-images.jianshu.io/upload_images/10969538-23797feaccc33e29.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/506/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-2cb011a10b11d268.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1000/format/webp)
Clearly the site validates the Referer header. There are several ways a Referer check can be bypassed:
1) Empty Referer bypass:
Set the Referer field to just a scheme such as http:// https:// ftp:// file://, resend the request, and see whether the Referer check is bypassed.
2) The check only tests whether the Referer contains a certain keyword.
In this example the second method is used to bypass the Referer check:
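To see why a keyword check is so weak, here is an added example (not code from the original post or from DVWA) that puts a substring Referer check next to a strict origin comparison and runs both over a few constructed request headers. The host name `dvwa.local` and all sample Referer values are constructed for the example; the field names are plain HTTP header names.

```python
"""Added example: substring Referer check vs. strict origin check.

The weak check mirrors the behaviour the post describes (accept any Referer
that contains the site's host name). The strict check compares the full
origin, prefers the Origin header, and fails closed when neither is present.
"""
from urllib.parse import urlsplit

SITE_HOST = "dvwa.local"              # constructed host name for the example
ALLOWED_ORIGIN = "http://dvwa.local"  # scheme://host[:port] the app is served from


def weak_referer_check(referer: str) -> bool:
    """Keyword check: any Referer that merely contains the host name passes."""
    return SITE_HOST in referer


def _origin_of(url: str):
    """Return 'scheme://host[:port]' for a URL, or None if it has no usable host."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")


def strict_origin_check(headers: dict) -> bool:
    """Compare the whole origin; use Origin first, fall back to Referer,
    and reject the request when neither header is present."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return _origin_of(source) == ALLOWED_ORIGIN


# Constructed sample requests: name -> headers sent with the POST.
SAMPLE_REQUESTS = {
    "same_site":            {"Referer": "http://dvwa.local/vulnerabilities/csrf/"},
    "keyword_in_path":      {"Referer": "http://evil.example/dvwa.local.html"},
    "keyword_in_subdomain": {"Referer": "http://dvwa.local.evil.example/"},
    "scheme_only":          {"Referer": "http://"},
    "missing":              {},
}


def evaluate(requests: dict) -> dict:
    """Return {name: (weak_result, strict_result)} for each sample request."""
    return {
        name: (weak_referer_check(h.get("Referer", "")), strict_origin_check(h))
        for name, h in requests.items()
    }


if __name__ == "__main__":
    for name, (weak, strict) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{name:22} weak={weak!s:5} strict={strict!s:5}")
```

Only the genuine same-site request passes the strict check; the two requests that merely embed the host name in a path or a longer host name are accepted by the substring check and rejected by the origin comparison. Origin or Referer checks are a secondary defence in any case: a per-session anti-CSRF token and `SameSite` cookies are the primary controls.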
![](https://upload-images.jianshu.io/upload_images/10969538-860105d03503d5e0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1000/format/webp)
Build the CSRF PoC:
![](https://upload-images.jianshu.io/upload_images/10969538-4b7e8e8a9d8024c9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/713/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-3b8b56cc3a3586dc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/625/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-54d062959be2e4ea.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/747/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-95dc3184a65bd32a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/586/format/webp)
CSRF High level:
![](https://upload-images.jianshu.io/upload_images/10969538-5ba71a9d7dfa2e07.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/877/format/webp)
So the methods used for the Medium and Low levels no longer work, but we can use the Burp extension CSRF Token Tracker to get past the token check:
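The High level works because the form carries an anti-CSRF token that the server compares against one stored in the user's session; the Burp extension only succeeds here because the tester is operating inside their own authenticated session and can read the token from the page, which a page on another origin cannot do. The following added example (not code from the original post or from DVWA) shows a minimal server-side synchronizer token: issued per session, compared in constant time, and rotated after use. The form field names `password_new`, `password_conf` and `user_token` are assumed to match DVWA's change-password form.

```python
"""Added example: session-bound anti-CSRF token for a change-password handler."""
import hmac
import secrets


def issue_token(session: dict) -> str:
    """Create a fresh token, store it in the server-side session, and return it
    so the page can embed it in the form as a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def validate_token(session: dict, submitted) -> bool:
    """True only if a token exists for this session and the submitted value
    matches it. compare_digest avoids leaking the match position via timing."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_password_change(session: dict, form: dict) -> str:
    """Process the form only when the token is valid; the token is consumed so a
    replayed or reused form submission fails until the page is reloaded."""
    if not validate_token(session, form.get("user_token")):
        return "CSRF token is incorrect"
    if not form.get("password_new") or form.get("password_new") != form.get("password_conf"):
        return "Passwords did not match."
    session.pop("csrf_token", None)  # single-use: rotate after a successful change
    return "Password Changed."


if __name__ == "__main__":
    # Constructed walk-through: a legitimate submission, then a replay of the same form.
    session = {}
    token = issue_token(session)
    form = {"password_new": "qwer", "password_conf": "qwer", "user_token": token}
    print(handle_password_change(session, form))   # accepted
    print(handle_password_change(session, form))   # rejected: token already consumed
```

A token tied to the session is what defeats the Medium-level PoC: a page served from another origin can neither read the victim's token nor forge it, so its forged POST fails the check even when the Referer looks plausible.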
![](https://upload-images.jianshu.io/upload_images/10969538-c6c0986598c90174.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/912/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-b98d38177addfc20.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1000/format/webp)
![](https://upload-images.jianshu.io/upload_images/10969538-2330a9ae8bef9a90.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1000/format/webp)
Then go to the Repeater tab:
![](https://upload-images.jianshu.io/upload_images/10969538-d7281ac97214901f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1000/format/webp)