In the background of the Public Account administrator, click the message link that I sent. The public account introduction and other settings will be modified (bypassing csrf protection)
The public account administrator clicks the link I sent to him in the background. His profile, profile picture, privacy settings, address and other settings will be modified. You can also add user groups.
There are some CSRF protection in the public account background, and the token protection is subject to referrer restrictions, which looks perfect.
However, due to some unreasonable design, it can still be attacked by csrf. The following is the details:
1. Questions about token design in the public account background
The tokens protected by csrf in the background of the public account are displayed directly in the URLs of all operations in the background. In this way, tokens may be leaked when the referer field in the http packet is sent to a third party. I also raised the risk of this issue in my previous article http://drops.wooyun.org/web/7112, when I said it weakened the protection system. This issue will be exploited once other protection issues occur.
2. Steal TOKEN first
Send an https (the public background is https, only the referrer is passed to the https) url of the controllable content to the public account. once clicked, the tokens in the management background url will be sent to us.
The url is directly sent to the Public Account, which is not recognized by the background. You need a tip to send a link to the background
Access the link to the chat box, and then the built-in browser will open the page, and then add the page to favorites.
Then, send the public account to the page in the favorites folder. In this way, the administrator can see a link in rich media format in the background.
3. referrer can be bypassed in some places
The operations on the public account background are post, and the referrer is restricted to this domain.
However, there are some operations, such as descriptions in the public account settings, Avatar modification, adding groups, address modification, and privacy settings that allow others' search settings. Although they are post requests
However, if you change the post request to get and put the body content in the get parameter, the request server also accepts
Modification request:
https://mp.weixin.qq.com/cgi-bin/setuserinfo?action=intro&t=ajax-response&token=589115843&lang=zh_CN&f=json&ajax=1&random=0.3911454190965742&intro=hacked%20by%20shidada
Add Group
https://mp.weixin.qq.com/cgi-bin/modifygroup?t=ajax-friend-group&token=589115843&lang=zh_CN&f=json&ajax=1&random=0.0741190540138632&func=add&name=helloasasas
Disable settings that allow others to search
https://mp.weixin.qq.com/cgi-bin/setuserinfo?t=ajax-response&token=589115843&lang=zh_CN&f=json&ajax=1&random=0.5444546448998153&action=search&open=0
In addition, after the get request is changed, the referrer limit allows null referrer conditions, so that our use is more difficult to detect, because we do not need to directly send this link to the victim to point out
4. How to Use
Construct an https page with disguised content and send a get request with a token (you can use iframe to dynamically load the form to send a get request) for the above sensitive operations.
Send a link to a public account
After clicking this button, I changed it to "hacked by koreans"
Because she was attacked by me, she asked me to compensate her for promoting the public number for her. Her number and photo are as follows:
Add your public account.
Solution:
Token protection. Do not put it in get.
Do not allow get to send post requests