Blind XSS on the Tiger Sniffing main site hit successfully (already inside the back end)
It's time to show the power of XSS!
0x01
A digression first..
WooYun: Tiger Sniffing main site design defect exposes users with weak passwords to risk
That credential-stuffing vulnerability has not yet been confirmed by the vendor. Earlier we used a top-500 password list for blind credential stuffing; after submitting that report, we found that credential stuffing could actually be targeted at every Tiger Sniffing user: you only need to iterate over the link-address ID to obtain each user's nickname, and that nickname is the login user name, which makes credential stuffing far more efficient.
0x02
I could see that many of the XSS findings submitted earlier by the experts were in obvious places. This time I found a fairly out-of-the-way spot for blind XSS: the position shown below. Remember to filter every input box from step 1 through step 4.
After a while, the cookie arrived.
However, the link address was the one I had applied for, and its access status was still "under review".
After swapping in the cookie, a user was displayed, one with permission to view the content of my application.
Looking through the information, I found that this account was an editor or something similar.
0x03
In fact, the second-level domain name of the back-end management address had already been obtained, and the back end has no CAPTCHA. However, the dictionary I had on hand was too weak and got nowhere, which was frustrating for a long time. The edited cookie could not be used to log on to the back end either. Just as I was about to give up, I found a link; I should say that it was hard work, and the hard work paid off.
0x04
After entering the back end, I found that the number of users is still quite large, and the back-end permissions are also very broad: basically all of the website's functions are included. I believe the vendor understands the specific permissions better than I do. There are functions such as adding and modifying products. It was too late at night, so I did not try for a getshell. However, I found that the ticket-increase request can be sent via CSRF.
The request parameters are as follows.
goods_id=1025&num=1&name=wooyun&phone=18888888888&email=test%40wooyun.com&company=test&position=test
There is no token or any other defense. Combined with the XSS, a CSRF "sales promotion" would be easy in the future.
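The missing defense for the ticket-increase request is a per-session CSRF token that the server verifies on every state-changing POST. The following is an added example written for this page (not code from the report or from the vendor's site); the server secret, the session id format and the field name csrf_token are assumptions, and the request body is the parameter string quoted above with the token appended.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Assumed server-side secret; in production it comes from server configuration,
# never from the request.
SERVER_SECRET = b"replace-with-a-random-server-secret"

# The parameter string quoted in the report (no token of any kind).
ORIGINAL_BODY = ("goods_id=1025&num=1&name=wooyun&phone=18888888888"
                 "&email=test%40wooyun.com&company=test&position=test")


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the token for one session as HMAC(secret, session_id).

    The form embeds it as a hidden field; a cross-site page cannot read it
    because it is bound to the victim's session cookie, not guessable."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def validate_ticket_request(body: str, session_id: str,
                            secret: bytes = SERVER_SECRET) -> bool:
    """Accept the ticket-increase POST only if csrf_token matches the session."""
    params = parse_qs(body, keep_blank_values=True)
    submitted = params.get("csrf_token", [""])[0]
    expected = issue_csrf_token(session_id, secret)
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(submitted.encode(), expected.encode())


def demo() -> dict:
    """Run the three cases a reviewer would check: no token, valid token,
    token minted for a different session."""
    session_id = "sess-" + secrets.token_hex(8)  # constructed session id
    token = issue_csrf_token(session_id)
    return {
        "no_token": validate_ticket_request(ORIGINAL_BODY, session_id),
        "with_token": validate_ticket_request(
            ORIGINAL_BODY + "&csrf_token=" + token, session_id),
        "foreign_session": validate_ticket_request(
            ORIGINAL_BODY + "&csrf_token=" + token, "sess-other"),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat that follows directly from the report: a token only stops requests forged from another origin. A script already executing inside the back-end page via the stored XSS can read the hidden field and submit it, so the token must be paired with fixing the XSS itself (the "Filter" solution below).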
0x05
All of the above operations were for viewing and testing only; no modifications were made. If any sensitive information is involved, please review it and help mask it.
Solution:
Filter
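"Filter" covers two separate controls for the application form fields (steps 1 to 4) that carried the blind XSS into the editor's back-end view: allow-list validation when the submission is received, and HTML output encoding when an editor views it. This is an added example written for this page, not the site's code; the field names follow the parameter string in the report, and the length limit, phone and email patterns are assumptions.

```python
import html
import re

# Assumed allow-list rules; adjust to the real form's requirements.
PHONE_RE = re.compile(r"^\d{7,15}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_LEN = 100
FIELDS = ("name", "phone", "email", "company", "position")


def validate_application(fields: dict) -> list:
    """Input-side filter: return a list of reasons to reject the submission.

    Fields that have a natural format (phone, email) are checked against an
    allow-list pattern; free-text fields only get a length cap, because
    trying to enumerate bad characters is what the original filter missed."""
    errors = []
    for key in FIELDS:
        value = fields.get(key, "")
        if not value or len(value) > MAX_LEN:
            errors.append(f"{key}: missing or too long")
    if "phone" in fields and not PHONE_RE.match(fields["phone"]):
        errors.append("phone: digits only")
    if "email" in fields and not EMAIL_RE.match(fields["email"]):
        errors.append("email: malformed")
    return errors


def render_application_row(fields: dict) -> str:
    """Output-side filter: HTML-escape every value before it reaches the
    reviewing editor's page, so stored markup is displayed as text."""
    cells = "".join(
        f"<td>{html.escape(str(fields.get(k, '')), quote=True)}</td>"
        for k in FIELDS
    )
    return f"<tr>{cells}</tr>"


# Constructed samples: a benign submission and one carrying a script tag
# in the company field plus a malformed phone number.
BENIGN = {"name": "wooyun", "phone": "18888888888",
          "email": "test@wooyun.com", "company": "test", "position": "test"}
HOSTILE = dict(BENIGN, company="<script>alert(1)</script>", phone="1888abc")

if __name__ == "__main__":
    print(validate_application(HOSTILE))
    print(render_application_row(HOSTILE))
```

Escaping at render time is the control that actually neutralises the blind XSS: the editor's back end is the page where the payload fires, so the value must be encoded there regardless of what the submission form accepted.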